In this article

  • Why do you need eDiscovery?
  • What are the data sources covered by Microsoft eDiscovery?
  • What is Microsoft 365 Core eDiscovery?
  • What is Microsoft 365 Advanced eDiscovery?
  • Access permissions in Microsoft 365 eDiscovery
  • Is eDiscovery a backup solution?

A Primer to Microsoft 365 eDiscovery Solutions

26 Oct 2021
eDiscovery or Electronic Discovery is the process of identifying, reviewing, analyzing, tagging, and preserving ESI (Electronically Stored Information) to be presented as potential evidence in a legal case. ESI can be documents, emails, instant messages, chats, accounting data, websites, etc. that could be presented as evidence in a lawsuit.
There are several third-party eDiscovery tools that help enterprises with the Discovery process. However, to make things simpler, productivity tools like Microsoft 365 come with a native eDiscovery tool to help organizations quickly search and export relevant information stored in their cloud.
Microsoft eDiscovery lets administrators and eDiscovery managers create cases to collect and preserve necessary data. Users with relevant permissions can run a search to identify content stored in different Microsoft services. Organizations can also place a hold on specific locations to preserve sensitive files, documents, or messages indefinitely. Once a hold is placed, the file then becomes inaccessible to the owner and collaborators, and it cannot be modified or deleted until the hold is removed.

1. Why do you need eDiscovery?

Below are two reasons why an organization would need an eDiscovery tool:

i. The Federal Rules of Civil Procedure: The Federal Rules of Civil Procedure (FRCP), established in 1934, are a set of rules that govern procedures for managing civil lawsuits in the United States district courts. A variety of important changes to the FRCP went into effect in December 2006. These included an expansion of discoverable material to include all ESI that might be relevant in a legal action.

ii. Collecting ESI: Companies of all sizes generate a significant amount of data. Even small and medium-sized companies generate and manage almost 47.81 TB of data on average, and this is expected to grow significantly in the coming years. The rapid growth of ESI illustrates the problem that a company might face during a legal proceeding when it has to search, collect, and produce electronically stored data as relevant evidence.

2. What are the data sources covered by Microsoft eDiscovery?

Microsoft eDiscovery helps organizations search and preserve content stored in Exchange Mailboxes and Public folders, SharePoint Sites, OneDrive for Business, Groups, and Yammer.

eDiscovery data sources

Messages and files shared within a Microsoft Teams channel (including a private channel) are stored in the Exchange Online mailboxes and the SharePoint site associated with the team, respectively. The messages and files shared in a 1:1 chat are stored in the individual users’ mailboxes and OneDrive accounts. Click here to learn more about data storage in Microsoft Teams.

3. What are the types of eDiscovery solutions available?

Microsoft eDiscovery includes Content Search, Core (Standard) eDiscovery, and Advanced (Premium) eDiscovery. The diagram below illustrates the basic features available with each.

Types of Microsoft eDiscovery
In a Core eDiscovery case, organizations can run content searches, and place holds to preserve content indefinitely.
Using an Advanced eDiscovery case, organizations can collect, review, analyze, and export data, manage custodians, and add notification workflows to communicate with these custodians. 
Using the eDiscovery search tool available with Core (Standard) and Advanced (Premium) eDiscovery, organizations can search for content across Microsoft 365 data sources and export the search results to a local computer.

3.1. What is Microsoft 365 Core (Standard) eDiscovery?

Microsoft Core (Standard) eDiscovery builds on the basic capabilities of the Content Search tool. Core (Standard) eDiscovery allows administrators and users with relevant permissions to create an eDiscovery case, search for content located in different Microsoft services, preview and export the search results, add managers to the case, place holds, etc.

3.1.1. How to create a Core eDiscovery Case?

  • Step 1: Navigate to the Security and Compliance center.

  • Step 2: Click “Core eDiscovery” under the “eDiscovery” drop-down on the navigation menu on the left-hand side of the screen.

  • Step 3: Type a case name and a description (optional) and click “Save”.

Create core eDiscovery case
  • Step 4: Select the case to navigate to the case page and take further action.

Core eDiscovery case
The eDiscovery Search tool can be used to search for content across Microsoft 365 data sources using keywords and conditions. The results of the search can then be exported to a local computer.
  • Step 1: Navigate to the Security and Compliance center. Click “Core eDiscovery” under the eDiscovery drop-down on the navigation menu bar on the left-hand side of the screen.

  • Step 2: Click “Searches” from the top menu bar. Click “+New Search”.

Create core eDiscovery search
  • Step 3: Type a name and description (optional) for the new search. Click “Next”.

  • Step 4: Choose the locations to search for content, for example specific users, groups, or teams under Exchange mailboxes, or specific sites and OneDrive accounts. Alternatively, add the URL of a Microsoft Team, Office 365 Group, or Yammer Group SharePoint site. Click “Next”.

Run new core eDiscovery search
  • Step 5: Add conditions for the search if needed. These can include specific keyword(s) and conditions that narrow the keyword search. Click “Next”.

Run new core eDiscovery search
  • Step 6: Review the search and click “Submit”. Once the content search run is complete, administrators can take further action like “Edit search,” “Rerun search,” etc. They can also export the search results as a .csv or a compressed .zip file by clicking “Export results”. 

Actions

3.1.3. How to create a hold in a Core eDiscovery case?

  • Step 1: Navigate to the Security and Compliance center.

  • Step 2: Click “Core eDiscovery” under the “eDiscovery” drop-down on the navigation menu on the left-hand side of the screen.

  • Step 3: Create an eDiscovery case or open an existing case.

  • Step 4: Click “Hold” on the top menu bar. Click “+Create”.

Create eDiscovery hold
  • Step 5: Enter a name for the hold and provide a description (optional). Click “Next”.

  • Step 6: Choose the location (SharePoint sites, Exchange mailboxes or Exchange public folders). Click “Next”.

Core eDiscovery hold
  • Step 7: Enter the search query. Administrators can add a specific keyword and choose conditions to search for the query if needed.

Core eDiscovery hold conditions
  • Step 8: Review the settings and click “Submit”. The hold will be created based on the chosen location, the query, and/or the conditions.

It takes up to 24 hours for a hold to take effect.

Once the hold is in place, it can be removed by an administrator whenever needed. When a hold is removed, a 30-day grace period is applied (called a delay hold) to prevent the content from being deleted.
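The Core eDiscovery procedures above (create a case, run a search, place a hold) can also be scripted in Security & Compliance PowerShell. The following is an added example, not part of the original article: the case name, mailbox, site URL and query are constructed placeholders, and it assumes the ExchangeOnlineManagement module is installed and the operator is in the eDiscovery Manager role group.

```powershell
# Added example: all names, addresses and the query are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                      # Security & Compliance PowerShell session

$caseName  = 'Example-Case-001'                                        # placeholder
$mailboxes = @('custodian1@contoso.example')                           # placeholder
$sites     = @('https://contoso.sharepoint.com/sites/ExampleProject')  # placeholder
$query     = '"example keyword" AND sent>=2021-01-01'                  # placeholder KQL

# 3.1.1: create the Core eDiscovery case
New-ComplianceCase -Name $caseName -Description 'Constructed example case' | Out-Null

# 3.1.3: a hold is a policy (which locations) plus a rule (which content)
New-CaseHoldPolicy -Name "$caseName-Hold" -Case $caseName `
    -ExchangeLocation $mailboxes -SharePointLocation $sites -Enabled $true | Out-Null
New-CaseHoldRule -Name "$caseName-HoldRule" -Policy "$caseName-Hold" `
    -ContentMatchQuery $query | Out-Null

# Search the same locations with the same query, inside the case
New-ComplianceSearch -Name "$caseName-Search" -Case $caseName `
    -ExchangeLocation $mailboxes -SharePointLocation $sites `
    -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity "$caseName-Search"

# Poll until the search finishes, giving up after about 30 minutes
$attempt = 0
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity "$caseName-Search"
    $attempt++
} while ($search.Status -ne 'Completed' -and $attempt -lt 60)

if ($search.Status -eq 'Completed') {
    '{0}: {1} items, {2} bytes' -f $search.Name, $search.Items, $search.Size
} else {
    Write-Warning "Search still in state '$($search.Status)' after $attempt checks."
}

# The hold is not effective until distribution succeeds (up to 24 hours),
# so check its status instead of assuming the content is already preserved.
Get-CaseHoldPolicy -Identity "$caseName-Hold" -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```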

3.2. What is Microsoft 365 Advanced (Premium) eDiscovery?

Microsoft Advanced (Premium) eDiscovery builds on the existing case management, preservation, search, and export functionalities of Core eDiscovery. With Advanced (Premium) eDiscovery, administrators can identify, collect, review, analyze, preserve, and export content relevant to any internal or external investigations. They can also collect data from any service and move it into review sets, where they can add filters, search the content, tag and analyze it, and remove irrelevant content from further review.
Advanced (Premium) eDiscovery also helps manage custodians and legal hold notification workflows to communicate with custodians involved in any specific case.

Advanced eDiscovery Glossary:

1.     Custodian - Custodians are users/people whose content an organization wants to specifically search for and gather as evidence in any legal case.

2.     Non-custodial data sources - When a new collection is created, administrators can add non-custodial data sources. These could be sites or groups or any other sources that need to be included in the search.

3.     Review sets - In Advanced eDiscovery, data can be added to review sets where it can be reviewed, analyzed, tagged, and exported.

4.     Collections - Using collections, administrators can search for and collect live data from the Microsoft data sources.

3.2.1. Advanced eDiscovery and EDRM

EDRM or Electronic Discovery Reference Model is a framework that covers the standards for the process of discovering Electronically Stored Information.
On a high level, the workflow of Advanced eDiscovery mimics that of the EDRM. Below is the Electronic Discovery Reference Model that presents a conceptual view of the eDiscovery process that can be replicated in an Advanced eDiscovery case.

The Electronic Discovery Reference Model

eDiscovery reference model workflow

A Typical Advanced eDiscovery Case Workflow

Advanced eDiscovery Workflow

3.2.2. How to create an Advanced eDiscovery case?

  • Step 1: Navigate to the security and compliance center.

  • Step 2: Click “Advanced eDiscovery” under eDiscovery from the left-hand side menu bar.

  • Step 3: Click “Cases” on the menu bar on the top and click “+ Create a case”.

New Advanced eDiscovery case
  • Step 5: Enter a case name, case number, and a description (optional). Administrators can further add members to configure the analytical settings related to the case and the format. Click "Save".

Analytical settings

3.2.3. How to create collections in an Advanced eDiscovery case?

A collection in Advanced eDiscovery is like a content search run in a Core eDiscovery case.
To create a collection, follow the below steps:
  • Step 1: Navigate to the security and compliance center and click “Advanced eDiscovery” under eDiscovery on the left-hand side menu bar.

  • Step 2: Click “+ Create a case” or choose an existing case. Click “Collections” on the top menu bar and click “+ New collection”.

New Advanced eDiscovery collection
  • Step 3: Enter the name and description (optional) of the collection, add custodians, non-custodial data sources, additional locations, conditions for the collection, save the collection as draft or add it directly to a review set. Admins can review the collections once the collection process is done.

Advanced eDiscovery collection

3.3. Access permissions in Microsoft 365 eDiscovery

To access the features available within Microsoft eDiscovery, a user needs appropriate permissions. These permissions can be assigned by the Compliance Administrator or the Global Administrator in the Security and Compliance center.

Apart from the Compliance Administrator and the Global Administrator, users in the eDiscovery Manager and eDiscovery Administrator role groups can perform eDiscovery-related tasks.

eDiscovery manager and eDiscovery administrator are sub-groups that fall under the eDiscovery manager compliance center role. Users can be added to these sub-groups by navigating to the eDiscovery manager group under the Permissions page.

eDiscovery Manager: An eDiscovery manager can only manage the cases that they create. They can create and manage Core and Advanced eDiscovery cases, create case holds, run searches, preview and export search results, add and remove members, and access case data.

eDiscovery Administrator: An eDiscovery administrator can perform all the tasks that the eDiscovery manager can. Additionally, an eDiscovery administrator can access all the Core and Advanced eDiscovery cases listed in the compliance center.

eDiscovery managers and administrators
The sub-groups can then be edited individually to add users to either of the roles by navigating to Compliance Center > Permissions > eDiscovery Manager > Edit role group.

eDiscovery manager
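Because these two sub-groups can search and export content across mailboxes and sites, their membership is worth reviewing regularly. The following added example (not from the original article) lists who holds each role and flags anyone missing from an approved list; the `$approved` values are constructed placeholders, and matching on the `Name` property returned by the cmdlets is an assumption to adapt to your tenant.

```powershell
# Added example: review who can run eDiscovery searches and exports.
# $approved is a constructed allow-list of Name values; replace with your own.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                      # Security & Compliance PowerShell session

$approved = @('Legal Lead (example)', 'Compliance Analyst (example)')

# Everyone in the eDiscovery Manager role group (managers and administrators)
$managers = @(Get-RoleGroupMember -Identity 'eDiscoveryManager')
# The subset that can open every case in the tenant
$adminNames = @(Get-eDiscoveryCaseAdmin | ForEach-Object { $_.Name })

$report = foreach ($m in $managers) {
    [pscustomobject]@{
        Name     = $m.Name
        Scope    = if ($adminNames -contains $m.Name) {
                       'eDiscovery Administrator (all cases)'
                   } else {
                       'eDiscovery Manager (own cases)'
                   }
        Approved = $approved -contains $m.Name
    }
}

# Unapproved entries sort first ($false before $true)
$report | Sort-Object Approved, Name | Format-Table -AutoSize

# Per-case check: members of each Core eDiscovery case who are not approved
foreach ($case in Get-ComplianceCase) {
    Get-ComplianceCaseMember -Case $case.Name |
        Where-Object { $approved -notcontains $_.Name } |
        Select-Object @{ n = 'Case'; e = { $case.Name } }, Name
}
```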

4. Is eDiscovery a backup solution?

Despite the data preservation capabilities, Microsoft eDiscovery is not a backup solution. Missing features like single-click restore, automated backup with snapshots, granular restore features, etc., are a few reasons why organizations should not use eDiscovery as an alternative to a backup solution like SysCloud. To know more about how eDiscovery is different from a third-party cloud backup tool, click here.
