In this article

  • Why do you need eDiscovery?
  • What are the data sources covered by Microsoft eDiscovery?
  • What is Microsoft 365 eDiscovery (Standard)?
  • What is Microsoft 365 Advanced (Premium) eDiscovery?
  • Access permissions in Microsoft 365 eDiscovery
  • Is eDiscovery a backup solution?

A Primer to Microsoft 365 eDiscovery Solutions

15 Apr 2025
Himanshu

Article at a glance

Microsoft 365's built-in eDiscovery tools have limitations that can lead to incomplete data retrieval:
  • eDiscovery searches in Microsoft 365 may miss critical data due to complex query parameters and storage limitations, increasing the risk of incomplete legal or compliance records.

  • Native eDiscovery tools lack automation for continuous data capture, which may result in gaps in the data collection process.


eDiscovery or Electronic Discovery is the process of identifying, reviewing, analyzing, tagging, and preserving ESI (Electronically Stored Information) to be presented as potential evidence in a legal case. ESI can be documents, emails, instant messages, chats, accounting data, websites, etc. that could be presented as evidence in a lawsuit.
There are several third-party eDiscovery tools that help enterprises with the Discovery process. However, to make things simpler, productivity tools like Microsoft 365 come with a native eDiscovery tool to help organizations quickly search and export relevant information stored in their cloud.
Microsoft eDiscovery lets administrators and eDiscovery managers create cases to collect and preserve necessary data. Users with relevant permissions can run a search to identify content stored in different Microsoft services. Organizations can also place a hold on specific locations to preserve sensitive files, documents, or messages indefinitely. Once a hold is placed, the file then becomes inaccessible to the owner and collaborators, and it cannot be modified or deleted until the hold is removed.

1. Why do you need eDiscovery?

Below are two reasons why an organization would need an eDiscovery tool:

i. Legal compliance: Organizations in the U.S. must comply with the Federal Rules of Civil Procedure (FRCP), which govern how evidence, including digital data, must be handled during civil lawsuits. In 2006, the FRCP was updated to include Electronically Stored Information (ESI) as discoverable material. This means companies must be able to produce emails, messages, and documents when requested in a legal context.

ii. Managing ESI: In today’s digital-first environment, businesses are consuming and generating data at an unprecedented pace. In fact, data usage among small and mid-sized businesses has now exceeded traditional thresholds, with many surpassing 50 TB to 100 TB of stored data as operations become increasingly cloud-driven and distributed.

Without the right systems in place, collecting and producing this data during legal proceedings can be overwhelming, time-consuming, and prone to errors. Implementing comprehensive eDiscovery solutions ensures that businesses can navigate the complexities of data management and compliance with confidence.

2. What are the data sources covered by Microsoft eDiscovery?

Microsoft Purview eDiscovery lets you search for and preserve content across several Microsoft 365 services. It covers:
  • Emails and public folders in Exchange Online

  • Files and documents stored in SharePoint Online and OneDrive for Business

  • Group content from Microsoft 365 Groups

  • Messages and files from Yammer (in enterprise mode)

When it comes to Microsoft Teams, the data is stored across multiple places:

  • Channel messages and shared files are saved in the team’s mailbox and SharePoint site.

  • Private channel content is kept in separate, dedicated mailboxes and SharePoint sites.

  • 1:1 and group chats are stored in each participant’s mailbox, while files shared in these chats go into the sender’s OneDrive.

3. What are the types of eDiscovery solutions available?

Microsoft 365 includes a few built-in eDiscovery tools in the Microsoft Purview portal: Content Search, eDiscovery (Standard), and eDiscovery (Premium).

  • Content Search is the simplest of the three. It allows administrators to run keyword-based searches across Microsoft 365 services like Exchange Online, SharePoint, and OneDrive. While it’s useful for locating specific content quickly, it doesn’t offer case management features or legal hold capabilities.

  • eDiscovery (Standard) offers some additional structure. With it, users can create cases, apply legal holds to preserve data, and export content for offline review. It can support internal audits or low-risk investigations but may require manual effort to manage and track the entire process.

  • eDiscovery (Premium) includes some more advanced features that may be helpful in larger or more complex scenarios. This version introduces tools like review sets for organizing search results and basic analytics (like duplicate detection).

While these tools offer basic coverage for discovery tasks, they aren’t designed for continuous protection or full data recovery.

3.1. What is Microsoft 365 eDiscovery (Standard)?

Microsoft 365’s eDiscovery (Standard), previously referred to as Core eDiscovery, builds upon the basic capabilities of the Content Search tool. Core (Standard) eDiscovery allows administrators and users with relevant permissions to create an eDiscovery case, search for content located in different Microsoft services, preview and export the search results, add managers to the case, place holds, etc.

3.1.1. How to create an eDiscovery (Standard) case?

  • Step 1: Go to the Microsoft Purview portal and sign in with an account that has been assigned eDiscovery permissions.

  • Step 2: In the left navigation menu, select “Standard Cases” under “eDiscovery”.

  • Step 3: Select the case to navigate to the case page and take further action.

  • Step 4: Provide a unique name for the case and optionally include a description.

  • Step 5: Click Save to create the case.

Once the case is created, it will appear in the list. You can click on the case name to begin working with it: adding members, running searches, or placing holds.

The eDiscovery Search tool can be used to search for content across Microsoft 365 data sources using keywords and conditions. The results of the search can then be exported to a local computer.

  • Step 1: Open your case from the eDiscovery (Standard) dashboard.

  • Step 2: Click “Searches” from the top menu bar. Click “+New Search”.

  • Step 3: Type a name and description (optional) for the new search. Click “Next”.

  • Step 4: Choose the location to search for content. For example, select specific users, groups, or teams under Exchange mailboxes; select specific sites and OneDrive accounts; or add the URL of the SharePoint site for a Microsoft Team, Office 365 Group, or Yammer Group. Click “Next”.

  • Step 5: Add conditions for the search if needed. These can include specific keyword(s) and conditions that narrow the keyword search. Click “Next”.

  • Step 6: Review the search and click “Submit”. Once the content search run is complete, administrators can take further action like “Edit search,” “Rerun search,” etc. They can also export the search results as a .csv or a compressed .zip file by clicking “Export results”. 

3.1.3. How to create a hold in a Core eDiscovery case?

  • Step 1: From the eDiscovery (Standard) dashboard, open your case.

  • Step 2: Select the “Holds” tab, then click “+ Create”.

  • Step 3: Give the hold a name and optional description, then click Next.

  • Step 4: Select the locations you want to preserve content from (e.g., mailboxes, SharePoint sites, OneDrive accounts).

  • Step 5: Optionally, you can add a query to apply a targeted hold. This preserves only content matching specific criteria.

  • Step 6: Review the settings and click “Submit”. The hold will be created based on the chosen locations and, if specified, the query and/or conditions.

It takes up to 24 hours for a hold to take effect.

Once the hold is in place, it can be removed by an administrator whenever needed. When a hold is removed, Microsoft adds a 30-day delay hold as a grace period before any data is permanently deleted. You can find the most up-to-date steps and details in Microsoft’s official guide to getting started with eDiscovery (Standard).
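
The three portal procedures above (create a case, run a search, place a hold) can also be scripted with Security & Compliance PowerShell. The following is an added example, not part of the original article; the account, case name, mailboxes, site URL and query are constructed placeholders, and it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds eDiscovery permissions.

```powershell
# Added example: every name, address and query below is a constructed placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'ediscovery.manager@contoso.com'

$caseName  = 'HR-Investigation-001'
$mailboxes = 'user1@contoso.com', 'user2@contoso.com'
$sites     = 'https://contoso.sharepoint.com/sites/finance'
$query     = '"project falcon" AND received>=2025-01-01'   # KQL keyword query

# 3.1.1: create the eDiscovery (Standard) case
New-ComplianceCase -Name $caseName -Description 'Scripted equivalent of the portal steps' | Out-Null

# Search: same locations and conditions the portal wizard asks for
$search = "$caseName-Search"
New-ComplianceSearch -Name $search -Case $caseName `
    -ExchangeLocation $mailboxes -SharePointLocation $sites `
    -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $search

# Poll until the search finishes, giving up after 20 minutes
$deadline = (Get-Date).AddMinutes(20)
do {
    Start-Sleep -Seconds 30
    $result = Get-ComplianceSearch -Identity $search
} while ($result.Status -ne 'Completed' -and (Get-Date) -lt $deadline)
$result | Format-List Name, Status, Items, Size

# 3.1.3: query-based (targeted) hold on the same locations
$policy = "$caseName-Hold"
New-CaseHoldPolicy -Name $policy -Case $caseName `
    -ExchangeLocation $mailboxes -SharePointLocation $sites | Out-Null
New-CaseHoldRule -Name "$policy-Rule" -Policy $policy -ContentMatchQuery $query | Out-Null

# A hold can take up to 24 hours to apply; check distribution before relying on it
Get-CaseHoldPolicy -Identity $policy -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus
```

Until the hold policy reports a successful distribution, content in the listed locations should not be assumed preserved.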

3.2. What is Microsoft 365 Advanced (Premium) eDiscovery?

Microsoft 365 eDiscovery (Premium) enhances the capabilities of Core eDiscovery by providing a comprehensive, end-to-end workflow for managing internal and external investigations. It enables organizations to identify, preserve, collect, review, analyze, and export content relevant to legal cases or compliance requirements.

eDiscovery (Premium) also helps manage custodians and legal hold notification workflows to communicate with custodians involved in any specific case.

Advanced eDiscovery Glossary:

Custodian – Custodians are users/people whose content an organization wants to specifically search for and gather as evidence in any legal case.

Non-custodial data sources – When a new collection is created, administrators can add non-custodial data sources. These could be sites or groups or any other sources that need to be included in the search.

Review sets – In Advanced eDiscovery, data can be added to review sets where it can be reviewed, analyzed, tagged, and exported.

Collections – Using collections, administrators can search for and collect live data from the Microsoft data sources.

3.2.1. Advanced eDiscovery and EDRM

EDRM or Electronic Discovery Reference Model is a framework that covers the standards for the process of discovering Electronically Stored Information.
On a high level, the workflow of Advanced eDiscovery mimics that of the EDRM. Below is the Electronic Discovery Reference Model that presents a conceptual view of the eDiscovery process that can be replicated in an Advanced eDiscovery case.

3.2.2. How to create an eDiscovery Premium case?

  • Step 1: Go to the Microsoft Purview portal and sign in.

  • Step 2: Click “Premium Cases” under eDiscovery from the left-hand side menu bar.

  • Step 3: Click “Cases” on the menu bar on the top and click “+ Create a case”.

  • Step 4: Enter a case name, case number, and a description (optional). Administrators can further add members to configure the analytical settings related to the case and the format. Click "Save".

Analytical settings

3.2.3. How to create collections in an eDiscovery Premium case?

In Microsoft Purview’s eDiscovery Premium, a collection is similar to a search in eDiscovery (Standard), but with more flexibility and control over what content you gather. Collections let you pull together data from specific custodians or sources and prepare it for review or export.
To create a collection, follow the steps below:
  • Step 1: Go to the Microsoft Purview compliance portal and select Advanced eDiscovery from the left-hand menu.

  • Step 2: Click “+ Create a case” or choose an existing case. Click “Collections” on the top menu bar and click “+ New collection”.

  • Step 3: Enter the name and description (optional) of the collection, then add custodians, non-custodial data sources, additional locations, and conditions for the collection. Save the collection as a draft or add it directly to a review set. Admins can review the collections once the collection process is done.

Advanced eDiscovery collection

3.3. Access permissions in Microsoft 365 eDiscovery

To access the features available within Microsoft eDiscovery, a user needs appropriate permissions. These permissions can be assigned by the Compliance Administrator or the Global Administrator.
Apart from the Compliance Administrator and the Global Administrator, users in the eDiscovery Manager and eDiscovery Administrator role groups can perform eDiscovery-related tasks.
eDiscovery manager and eDiscovery administrator are sub-groups that fall under the eDiscovery manager compliance center role. Users can be added to these sub-groups by navigating to the eDiscovery manager group under the Permissions page.

eDiscovery Manager: An eDiscovery manager can only manage the case that they create. They can create and manage Core and Advanced eDiscovery cases, create case holds, run searches, preview, and export search results, add and remove members, and access case data.

eDiscovery Administrator: An eDiscovery administrator can perform all the tasks that the eDiscovery manager can. Additionally, an eDiscovery administrator can access all the Core and Advanced eDiscovery cases listed in the compliance center.

The sub-groups can then be edited individually to add users to either of the roles by navigating to Settings > Role Groups > eDiscovery Manager > Edit. To learn more about roles and permissions in eDiscovery, read the official support article from Microsoft.
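
Because these roles allow searching and exporting other users' mail and files, their membership is worth reviewing regularly. The following is an added example, not from the original article, that lists who holds the roles described above and flags anyone not on an approved list. The approved names and the admin account are constructed, and it assumes the `Name` property returned by each cmdlet matches the form used in the approved list.

```powershell
# Added example: the approved list and the sign-in account are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'compliance.admin@contoso.com'

$approved = 'Alex Wilber', 'Megan Bowen'   # people expected to hold eDiscovery access

$holders = @()

# Role groups named in this section: eDiscovery Manager and Compliance Administrator
foreach ($group in 'eDiscoveryManager', 'ComplianceAdministrator') {
    $holders += Get-RoleGroupMember -Identity $group | ForEach-Object {
        [pscustomobject]@{ Scope = "Role group: $group"; Name = $_.Name }
    }
}

# eDiscovery Administrators can open every case in the tenant
$holders += Get-eDiscoveryCaseAdmin | ForEach-Object {
    [pscustomobject]@{ Scope = 'eDiscovery Administrator'; Name = $_.Name }
}

# Members added to individual eDiscovery (Standard) cases
foreach ($case in Get-ComplianceCase) {
    $holders += Get-ComplianceCaseMember -Case $case.Name | ForEach-Object {
        [pscustomobject]@{ Scope = "Case: $($case.Name)"; Name = $_.Name }
    }
}

# Report everyone, with unapproved holders sorted to the top
$report = $holders |
    Select-Object Scope, Name, @{ n = 'Approved'; e = { $_.Name -in $approved } } |
    Sort-Object Approved, Scope, Name
$report | Format-Table -AutoSize

$unapproved = @($report | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning "$($unapproved.Count) eDiscovery access assignment(s) are not on the approved list."
}
```

To cover eDiscovery (Premium) cases as well, repeat the case loop with `Get-ComplianceCase -CaseType AdvancedEdiscovery`.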

4. Is eDiscovery a backup solution?

Despite the data preservation capabilities, Microsoft eDiscovery is not a backup solution. Missing features like single-click restore, automated backup with snapshots, granular restore features, etc., are a few reasons why organizations should not use eDiscovery as an alternative to a backup solution like SysCloud.

To know more about how eDiscovery is different from a third-party cloud backup tool, click here.

