A Primer to Microsoft 365 eDiscovery Solutions

26 Oct 2021

8 min read

Article at a glance

Microsoft 365's built-in eDiscovery tools have limitations that can lead to incomplete data retrieval:

eDiscovery searches in Microsoft 365 may miss critical data due to complex query parameters and storage limitations, increasing the risk of incomplete legal or compliance records.

Native eDiscovery tools lack automation for continuous data capture, which may result in gaps in the data collection process.

eDiscovery or Electronic Discovery is the process of identifying, reviewing, analyzing, tagging, and preserving ESI (Electronically Stored Information) to be presented as potential evidence in a legal case. ESI can be documents, emails, instant messages, chats, accounting data, websites, etc. that could be presented as evidence in a lawsuit.

There are several third-party eDiscovery tools that help enterprises with the Discovery process. However, to make things simpler, productivity tools like Microsoft 365 come with a native eDiscovery tool to help organizations quickly search and export relevant information stored in their cloud.

Microsoft eDiscovery lets administrators and eDiscovery managers create cases to collect and preserve necessary data. Users with relevant permissions can run a search to identify content stored in different Microsoft services. Organizations can also place a hold on specific locations to preserve sensitive files, documents, or messages indefinitely. Once a hold is placed, the file then becomes inaccessible to the owner and collaborators, and it cannot be modified or deleted until the hold is removed.

1. Why do you need eDiscovery?

Below are two reasons why an organization would need an eDiscovery tool:

i. The Federal Rules of Civil Procedure: The Federal Rules of Civil Procedure (FRCP), established in 1934, are a set of rules that are focused on governing procedures for managing civil lawsuits in the United States district courts. A variety of important changes to the FRCP went into effect in December 2006. These included an expansion of discoverable material to include all ESI that might be relevant in a legal action

ii. Collecting ESI: Companies of all sizes generate a significant amount of data. Even small and medium-sized generate and manage almost 47.81 TB of data on an average, and this is expected to grow significantly in the coming years. The rapid growth of ESI illustrates the problem that a company might face during a legal proceeding to search, collect, and produce electronically stored data as relevant evidence.

2. What are the data sources covered by Microsoft eDiscovery?

Microsoft eDiscovery helps organizations search and preserve content stored in Exchange Mailboxes and Public folders, SharePoint Sites, OneDrive for Business, Groups, and Yammer.

Messages and files shared within a Microsoft Teams channel (including a private channel) get stored in Exchange Online mailboxes and SharePoint Site associated with the team, respectively. The messages and files shared on 1:1 chat is stored in individual users’ mailboxes and OneDrive accounts. Click here to learn more about data storage in Microsoft Teams.

3. What are the types of eDiscovery solutions available?

Microsoft eDiscovery includes Content Search, Core (Standard) eDiscovery, and Advanced (Premium) eDiscovery. The below diagram illustrates the basic features available with either.

In a Core eDiscovery case, organizations can run content searches, and place holds to preserve content indefinitely.

Using an Advanced eDiscovery case, organizations can collect, review, analyze, and export data, manage custodians, and add notification workflows to communicate with these custodians.

Using the eDiscovery search tool available with Core (Standard) and Advanced (Premium) eDiscovery, organizations can search for content across Microsoft 365 data sources and export the search results to a local computer.

3.1. What is Microsoft 365 Core (Standard) eDiscovery?

Microsoft Core (Standard) eDiscovery builds on the basic capabilities of the Content Search tool. Core (Standard) eDiscovery allows administrators and users with relevant permissions to create an eDiscovery case, search for content located in different Microsoft services, preview and export the search results, add managers to the case, place holds, etc.

3.1.1. How to create a Core eDiscovery Case?

Step 1: Navigate to the Security and Compliance center.
Step 2: Click “Core eDiscovery” under the “eDiscovery” drop-down on the navigation menu on the left-hand side of the screen.
Step 3: Type a case name and a description (optional) and click “Save”

Step 4: Select the case to navigate to the case page and take further action.

3.1.2. How to run an eDiscovery search in a Core eDiscovery case?

The eDiscovery Search tool can be used to search for content across Microsoft 365 data sources using keywords and conditions. The results of the search can then be exported to a local computer.

Step 1: Navigate to the Security and Compliance center. Click “Core eDiscovery” under the eDiscovery drop-down on the navigation menu bar on the left-hand side of the screen.
Step 2: Click “Searches'' from the top menu bar. Click “+New Search”.

Step 3: Type a name and description (optional) for the new search. Click “Next”.
Step 4: Choose the location to search for content. Example: - Specific users, groups, or teams under Exchange mailboxes - Specific sites and OneDrive accounts or add the URL for a Microsoft Team, Office 365 Groups, or Yammer Groups SharePoint site. Click “Next”.

Step 5: Add conditions for the search if needed. This could include specific keyword(s) and add conditions to search for the keyword. Click “Next”.

Step 6: Review the search and click “Submit”. Once the content search run is complete, administrators can take further action like “Edit search,” “Rerun search,” etc. They can also export the search results as a .csv or a compressed .zip file by clicking “Export results”.

3.1.3. How to create a hold in a Core eDiscovery case?

Step 1: Navigate to the Security and Compliance center
Step 2: Click “Core eDiscovery” under the “eDiscovery” drop-down on the navigation menu on the left-hand side of the screen.
Step 3: Create an eDiscovery case or open an existing case.
Step 4: Click “Hold” on the top menu bar. Click “+Create”.

Step 5: Enter a name for the hold and provide a description (optional). Click “Next”.
Step 6: Choose the location (SharePoint sites, Exchange mailboxes or Exchange public folders). Click “Next”.

Step 7: Enter the search query. Administrators can add a specific keyword and choose conditions to search for the query if needed.

Step 8: Review the settings and click “Submit”. The hold will be created based on the chosen location or the query and or condition.

It takes up to 24 hours for a hold to take effect.

Once the hold is in place, it can be removed by an administrator whenever needed. When a hold is removed, a 30-day grace period is applied (called a delay hold) to prevent the content from being deleted.

3.2. What is Microsoft 365 Advanced (Premium) eDiscovery?

Microsoft Advanced (Premium) eDiscovery builds on the existing case management, preservation, search, and export functionalities of Core eDiscovery. With Advanced (Premium) eDiscovery, administrators can identify, collect, review, analyze, preserve, and export content relevant to any internal or external investigations. They can also collect data from any service, move it into review sets where they can add filters, search the content, tag and analyze it, and remove irrelevant content. from further review.

Advanced (Premium) eDiscovery also helps manage custodians and legal hold notification workflows to communicate with custodians involved in any specific case.

Advanced eDiscovery Glossary:

1. Custodian- Custodians are users/people whose content an organization wants to specifically search for and gather as evidence ins any legal case.

2. Non-custodial data sources- When a new collection is created, administrators can add non-custodial data sources. These could be sites or groups or any other sources that need to be included in the search.

3. Review sets- In Advanced eDiscovery, data can be added to review sets where it can be reviewed, analyzed, tagged, and exported.

Collections- Using collections, administrators can search for and collect live data from the Microsoft data sources.

3.2.1. Advanced eDiscovery and EDRM

EDRM or Electronic Discovery Reference Model is a framework that covers the standards for the process of discovering Electronically Stored Information.

On a high level, the workflow of Advanced eDiscovery mimics that of the EDRM. Below is the Electronic Discovery Reference Model that presents a conceptual view of the eDiscovery process that can be replicated in an Advanced eDiscovery case.

A Typical Advanced eDiscovery Case Workflow

3.2.2. How to create an Advanced eDiscovery case?

Step 1: Navigate to the security and compliance center.
Step 2: Click “Advanced eDiscovery” under eDiscovery from the left-hand side menu bar.
Step 3: Click “Cases” on the menu bar on the top and click “+ Create a case”.

Step 5: Enter a case name, case number, and a description (optional). Administrators can further add members to configure the analytical settings related to the case and the format. Click "Save".

3.2.3. How to create collections in an Advanced eDiscovery case?

A collection in Advanced eDiscovery is like a content search run in a Core eDiscovery case.

To create a collection, follow the below steps:

Step 1: Navigate to the security and compliance center and click “Advanced eDiscovery” under eDiscovery on the left-hand side menu bar.
Step 2: Click “+ Create a case” or choose an existing case. Click “Collections” on the top menu bar and click “+ New collection”.

Step 3: Enter the name and description (optional) of the collection, add custodians, non-custodial data sources, additional locations, conditions for the collection, save the collection as draft or add it directly to a review set. Admins can review the collections once the collection process is done.

3.3. Access permissions in Microsoft 365 eDiscovery

To access the features available within Microsoft eDiscovery a user needs appropriate permissions. These permissions can be assigned by the Compliance Administrator or the Global Administrator on the Security and Compliance center.

Apart from the Compliance Administrator and the Global Administrator, users in the eDiscovery Manager and eDiscovery Administrator role group can perform eDiscovery related tasks.

eDiscovery manager and eDiscovery administrator are sub-groups that fall under the eDiscovery manager compliance center role. Users can be added to these sub-groups by navigating to the eDiscovery manager group under the Permissions page.

eDiscovery Manager: An eDiscovery manager can only manage the case that they create. They can create and manage Core and Advanced eDiscovery cases, create case holds, run searches, preview, and export search results, add and remove members, and access case data.

eDiscovery Administrator: An eDiscovery administrator can perform all the tasks that the eDiscovery manager can. Additionally, an eDiscovery administrator can access all the Core and Advanced eDiscovery cases listed in the compliance center.

The sub-groups can then be edited individually to add users to either of the roles by navigating to Compliance Center> Permissions> eDiscovery Manager> Edit role group.

4. Is eDiscovery a backup solution?

Despite the data preservation capabilities, Microsoft eDiscovery is not a backup solution. Missing features like single-click restore, automated backup with snapshots, granular restore features, etc., are a few reasons why organizations should not use eDiscovery as an alternative to a backup solution like SysCloud. To know more about how eDiscovery is different from a third-party cloud backup tool, click here.

Start enjoying faster and easier backups, today

Avoid costly data retention gaps and minimize time to recovery with SysCloud's cloud backup.Start 30-Day Free Trial