

Learn about eDiscovery features and components

This article provides a summary of the key features and components in Microsoft Purview eDiscovery. Use this article to learn about what each feature and component does and to find links to more detailed guidance. For information about the overall eDiscovery workflow, see Learn about the eDiscovery workflow.

Cases

A case contains all searches, holds, and review sets related to a specific investigation. This investigation might include responding to regulatory and litigation requests. You can also assign members to a case to control who can access the case and view the contents of the case. eDiscovery also supports new case creation integration with Microsoft Purview Insider Risk Management cases.

Two general types of cases exist in eDiscovery:

  • Cases you create in eDiscovery by using Create case on the Cases dashboard.
  • A single Content Search case you create in eDiscovery by using Create case on the Content Search dashboard.

Content Search case

All content searches are contained in a single eDiscovery case named Content search. The Content Search option in the eDiscovery (classic) experience in the Microsoft Purview portal is retired.

The new Content Search option in the new eDiscovery experience displays a set of all existing content searches in your organization and contains any new content searches that you create in the Microsoft Purview portal.

Cloud attachments

Cloud attachments are links to documents and files shared in Microsoft Teams messages, Outlook emails, and other Microsoft 365 services. Instead of attaching a traditional copy of a file, users share a link to the file stored in SharePoint or OneDrive. eDiscovery can collect these cloud attachments and include them in search results and review sets, ensuring that shared content is preserved and available for review.

Data sources

In eDiscovery, the concept of data sources streamlines the process of identifying and managing data across Microsoft 365 platforms. eDiscovery users select a user or group, or bulk add a list of SMTP addresses or URLs, to create data sources. eDiscovery then automatically identifies and organizes relevant data stored across platforms. The data source gathers the locations related to the user or group (mailboxes, OneDrive sites, SharePoint sites) and adds them to the data source hierarchy. eDiscovery users refine the scope by selecting or excluding specific locations as needed.

Decryption

eDiscovery supports decryption of content protected with Microsoft encryption technologies. When you add email messages and attachments encrypted with Microsoft Purview Message Encryption, and documents protected with sensitivity labels or Azure Rights Management, to search results or review sets, the system automatically decrypts them. This capability ensures that protected content is available for review and analysis without requiring manual decryption steps.

Exports and downloads

After a search associated with an eDiscovery case runs successfully, you can export the search results. When you export search results, mailbox items are downloaded in PST files or as individual messages. When you export content from SharePoint and OneDrive sites, you export copies of native Office documents and other documents. Search export packages expire 14 days after creation and must be downloaded before they're automatically deleted.

If you add search results to a review set from a case, you can also export review set content to a download package. This package is configurable and includes options to export selected documents only, all filtered documents, or all documents in the review set.

Holds and hold policies

Use an eDiscovery case to create hold policies that preserve content relevant to the investigation by applying an eDiscovery hold. Place a hold on the Exchange mailboxes and OneDrive accounts of people you're investigating in the case. You can also place a hold on the mailboxes and sites associated with Microsoft Teams, Microsoft 365 groups, and Viva Engage Groups. When you place content locations on hold, you preserve content until you remove the content location from the hold or delete the hold. Use the hold management dashboard to view hold status, modify holds, and track hold policies across cases. You can also use the hold report to view information about holds associated with all eDiscovery cases in your organization.

If needed, you can also place a mailbox on Litigation Hold to preserve all mailbox content, including deleted items and original versions of modified items. When you place a mailbox on Litigation Hold, the user's archive mailbox (if it's enabled) is also placed on hold.

Permissions and licensing

To use any of the eDiscovery-related features in the Microsoft Purview portal, assign the appropriate permissions. The easiest way to assign roles is to add the person to the appropriate role group on the Role groups page in the Microsoft Purview portal.

Both admins and users working with eDiscovery cases require a Microsoft 365 Enterprise E3 or E5 license. If an admin account doesn't also have a Microsoft SharePoint E3 license, some SharePoint capabilities might be limited. License both admins and users appropriately. Some eDiscovery capabilities also require pay-as-you-go billing configuration. Additionally, if the admin account has any Entra Conditional Access policy, some operations might be restricted. To troubleshoot policy issues, see Troubleshoot sign-in problems with Conditional Access.

Tip

You can view your own permissions on the eDiscovery overview page in the Microsoft Purview portal. You must have at least one role assigned for your permissions to be displayed.

Processes

eDiscovery includes a Process report that lists all activities that count towards case concurrency and daily limits in eDiscovery for a defined time period. Processes in eDiscovery (preview) are activities associated with specific tasks that support cases, searches, and review sets. User actions trigger processes when using these components.

eDiscovery administrators and eDiscovery Managers (preview) can access this report. Process managers help you view information that is automatically scoped to cases, searches, review sets, and holds.

Review sets

A review set is a secure, Microsoft-provided Azure Storage location in the Microsoft cloud. When you add data to a review set, the collected items are copied from their original content location to the review set. Review sets provide a static, known set of content that you can search, filter, tag, analyze, and predict relevancy using predictive coding models. You can also track and report on what content gets added to the review set.

Key review set capabilities include:

  • Search and filter content using the query condition builder to focus on specific subsets of documents.
  • Use the Advanced review set explorer (preview) to run Kusto Query Language (KQL) queries directly against review set data for advanced filtering, aggregation, and visualization.
  • Group and view items using different grouping options and specialized viewers to examine item details.
  • Tag items to organize content, identify relevant documents, and track review progress using customizable tag structures.
  • Run analytics to identify near-duplicate documents, email threads, and themes, helping reduce the volume of content to review.
  • Export items from a review set to a download package for use outside of eDiscovery.

Searches

Use search to quickly find content relevant to a case. Searches find content across Exchange mailboxes, SharePoint sites and OneDrive locations, Microsoft Teams conversations, and Copilot and AI application data.

Create and run different searches that are associated with the case. Build search queries using the condition builder for a guided experience, or use Keyword Query Language (KQL) for advanced query syntax with autocompletion support.

You can also:

Trigger events

Trigger events are activities that escalate in your organization and start the creation of a new case in eDiscovery. These events can be requests from internal or external partners, integrated events associated with alerts in other Microsoft Purview solutions (for example, Insider Risk Management cases), or any other activity that might benefit from the search, investigation, and mitigation actions included with eDiscovery. For more information, see Learn about the eDiscovery workflow.

Ready to get started?