Microsoft 365 eDiscovery – How this can help you in the Records Management World

Records are only useful if they can be found. With the volume of information being created increasing day by day, the ability to locate and retain information in Microsoft 365 is essential. eDiscovery features give you the tools to search for, report on, manage and export information held across a Microsoft 365 tenant, and should be the tools of choice within Microsoft 365 when compiling and responding to information requests of all types.

In this article, we will look at the different eDiscovery tools, comparative features, license requirements as well as best practice usage tips.  We will also introduce the new Priva Data Subject Rights Request tool.

Whilst Microsoft Search is very powerful, it (rightly) only shows you content to which you have access in your normal work. When carrying out any kind of investigation, additional tools and permissions are needed to search across locations not normally available, such as the mailboxes of multiple users. This is where the eDiscovery tools come in.

There are a number of tools in Microsoft 365 which can be used to carry out investigations. These are:

  • Content Search
  • eDiscovery (Standard)
  • eDiscovery Premium
  • User Data Search

Plus the new Microsoft Priva Subject Rights Requests.

The Content Search functionality is core to each eDiscovery tool, as it provides the basic search interface. Standard eDiscovery and premium eDiscovery each add different functionality on top of this core search.

The features of the different eDiscovery solutions are summarised in the following table, which is sourced from the Microsoft Docs article on eDiscovery (see further reading at the end of this article).

  • Content Search
    • Search for data/content
    • Keyword queries and search conditions
    • Export search results
    • Role based permissions to use
  • eDiscovery (Standard) (additional to Content Search)
    • Case management
    • Legal hold
    • Search & Export
  • eDiscovery (Premium) (additional to Standard)
    • Custodian Management
    • Legal hold notifications
    • Advanced indexing
    • Review sets filtering
    • OCR
    • Conversation Threading
    • Collection Statistics & Reporting
    • Tagging
    • Analytics
    • Predictive coding models
    • Error Remediation
    • Computed document metadata
    • Transparency of long running jobs

By default, no user or administrator has permission to carry out eDiscovery searches, so anyone using these tools needs to be assigned permission to do so. The tools give wide access to all data in the Microsoft 365 environment within an organization (the tenant), and as such they all generate informational alert emails which are sent to the administrators within an organization.

Content Search

In this walkthrough, we are conducting a search to check for content related to a new project. This content has been spread across multiple Teams, including private channels and in direct 1:1 chat with files having been created and saved in various locations.

Navigate to the Purview portal and choose Content Search. Although Content Search is an eDiscovery function it is not included in the eDiscovery sub menu, as it is a feature which is common to all Microsoft 365 subscription levels, whereas eDiscovery tools need E3 or E5 level licensing.

Click New search, then complete the Name and Description for the search you want to perform.

Click Next then choose the locations to be searched.

Click Next and then create your search using a combination of keywords and conditions such as creation date, sender, etc.

Click Next and review the summary of the settings you have specified before clicking Submit to start the search.

Next, you will see confirmation that the search has been created and is in progress. Click Done. How long it takes until the results are available will depend on the volume of content being searched.

When you click Done you will return to the Content Search page and will be able to see the status of your new search.

Note that an alert has been sent to all Global Admins that an eDiscovery Search has been started. This is the default behaviour.

Once the search is showing as completed, click on the search name to load the results.

You can see the search statistics, showing how many items have been found across each location searched.

Before exporting results you can click Review sample to check the information which has been found to verify your search worked as expected.

You can then export the results or a report on the results from the Actions menu.

If you choose to export the results then you will be presented with options of how you want to export the discovered data.

Don’t forget to scroll before clicking the Export button as there are further options, which never seem to fit on one screen.

Your export will be prepared and once ready will be found under Export on the main Content Search screen.  Click on the name of the search you want to export data from.

You will need the Export Key, so be sure to copy it! Click Download results to start the download of the exported results.

You should see a pop up asking to open the file.  This is the specific tool used for eDiscovery, called the eDiscovery Export Tool.

Install the application.

The next prompt will ask for that Export key and the location you want to save the exported PST files and file folders to.

Once extracted you will be able to open the file folder and add the PST files to Outlook to review. Remember Teams messages will be in the PST files in the Teams Chat folder.

Alternatively, you can export reports on the content found using the Export Report option from the Actions menu. As with exporting the results, once created the reports are downloaded from the Export tab using the same eDiscovery Export Tool for secure download, so the Export key is again needed to decrypt the downloaded data.

The downloaded reports are in the folder you specified.
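
The search creation, start, monitoring and statistics steps of this walkthrough can also be scripted with Security & Compliance PowerShell. The following is an added example, not part of the original walkthrough; the account, search name, project keyword and dates are placeholders, and searching all mailboxes and all sites is an assumption about scope. Previewing and exporting the results are then done in the portal as described above.

```powershell
# Added example: scripts the Content Search walkthrough (create, start, monitor, statistics).
# Requires the ExchangeOnlineManagement module and an account that has been
# assigned eDiscovery permissions (no one has them by default).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'investigator@contoso.com'   # placeholder account

$searchName = 'Project Falcon content check'                        # hypothetical search name
# Keyword plus date conditions: "sent" applies to mail and chat items, "created" to documents.
$query = '"Project Falcon" AND (sent>=2023-01-01 OR created>=2023-01-01)'

# Name, description, locations and query correspond to the wizard pages in the portal.
New-ComplianceSearch -Name $searchName `
    -Description 'Locate content related to the new project' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -ContentMatchQuery $query | Out-Null

Start-ComplianceSearch -Identity $searchName

# Poll until the search completes; stop waiting after 30 minutes so a stalled job is noticed.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
    Write-Host ("{0:T}  status: {1}" -f (Get-Date), $search.Status)
} until ($search.Status -eq 'Completed' -or (Get-Date) -gt $deadline)

if ($search.Status -ne 'Completed') {
    throw "Search '$searchName' did not complete within 30 minutes."
}

# Overall statistics: number of items found and their total size.
$search | Format-List Name, Status, Items, Size, JobEndTime

# Per-location breakdown, the equivalent of the search statistics view in the portal.
$search.SuccessResults

Disconnect-ExchangeOnline -Confirm:$false
```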

User Data Search

User Data Search was previously called Data Subject Requests, however, the new name is a more accurate reflection of the functionality, given that it can only be used to search for information about a current user within your tenant. User Data Search constructs the search queries automatically when the user is entered as the person who filed the request. Once the search is complete the results can be previewed, exported, and reported upon in the same way as with Content Search.

eDiscovery Standard

Two main features differentiate standard eDiscovery from content search. These are the ability to have multiple searches within the same case and the ability to place locations on hold to prevent the deletion of content while carrying out the investigation. eDiscovery (standard) also uses the same review, report and export features that are part of content search.

eDiscovery Premium

eDiscovery premium is intended for use in larger organisations and is therefore optimised for searching large amounts of content of which the person carrying out the investigation has no prior knowledge. As well as the ability to place locations on hold and combine multiple searches as in eDiscovery standard, eDiscovery premium includes additional features such as settings to establish the similarity threshold between data, the ability to divide search results into review sets, and the ability to define the content being searched by the custodian or owner of the data rather than just the locations containing information.

Common Features

Searching, reporting, data export and the ability to review results are common to Content Search and both eDiscovery tools, and the skills needed to use these features are the same across all three tools. The main differences between the eDiscovery tools and Content Search are:

  • Ability to combine searches to take in more locations or use more targeted search queries to return more accurate results.
  • Ability to put the locations and content under investigation on hold to prevent it from disappearing whilst you carry out your investigation. Obviously where content is already subject to retention then the additional hold settings will ensure content is retained during the investigation only. Once the investigation is over then the retention settings will take precedence.

Licensing

Content Search is a core feature of Microsoft 365.  To use eDiscovery you need a Microsoft 365 or Office 365 licence at E3 or above. In the academic licences this is A3 and above and for government licensing G3 and above. Microsoft 365 Business Premium only allows the use of Standard eDiscovery for searching data stored in Exchange. In summary, you need:

  • eDiscovery Standard
    • E3/A3/G3
    • Microsoft 365 Business Premium (Exchange Only)
  • eDiscovery Premium
    • E5/A5/G5

Microsoft Priva Subject Rights Requests

Subject Rights Requests in Microsoft 365 was announced in October 2021 together with privacy risk management and is a new tool focused on carrying out subject rights requests from anyone related to your organization. Whilst eDiscovery did include ‘Data Subject Requests’, this only carried out searches in respect of Microsoft 365 users within your tenant. That feature is now renamed ‘User Data Search’, and the Subject Rights Requests feature is part of Microsoft Priva Privacy Management, which is an add-on license for all Microsoft 365 and Office 365 plans.

You can learn more about Microsoft Priva Subject Rights Requests here.

Further Reading

Microsoft Purview eDiscovery solutions

Conduct an eDiscovery investigation of content in Microsoft Teams

Export Content search results

Use the eDiscovery Export Tool in Microsoft Edge

Office 365 Data Subject Requests for the GDPR and CCPA

Licensing Guidelines for Microsoft Purview eDiscovery