The eDiscovery (preview) workflow helps you more quickly identify, investigate, and take action on electronically stored information (ESI) in your organization. Identifying and taking action on ESI items with eDiscovery (preview) uses the following improved workflow:
Trigger events are activities that are escalated in your organization and prompt the creation of a new case in eDiscovery (preview). These events can be requests from internal or external partners, integrated events associated with alerts in other Microsoft Purview solutions (for example, Insider Risk Management cases), or any other activity that may benefit from the search, investigation, and mitigation actions included with eDiscovery (preview).
A case in eDiscovery (preview) contains all searches, holds, and review sets related to a specific investigation. This may include responding to regulatory, investigation, and litigation requests. You can also assign members to a case to control who can access the case and view the contents of the case. eDiscovery (preview) also supports new case creation integration with Microsoft Purview Insider Risk Management cases.
After you create a case, use the built-in search tools in eDiscovery (preview) to search the content locations in your organization. You can create and run different searches that are associated with the case. You use conditions (such as keywords) to build multiple search queries that return search results with the data that's most likely relevant to the case. You can also:
To preserve and protect data that's relevant to an investigation, you can place an eDiscovery hold on the data sources associated with a case. Premium eDiscovery features will also include a built-in communications workflow soon so you can send hold notifications to users and track their acknowledgments.
After creating a case, you can immediately place a hold on the content locations of the people of interest in your investigation. You can also create query-based holds if needed. Content locations include Exchange mailboxes, SharePoint sites, OneDrive accounts, and mailboxes and sites associated with Microsoft Teams and Microsoft 365 Groups. While placing a hold is optional, creating a hold preserves content that may be relevant to the case during the investigation.
When you create a hold, you can preserve all content in specific content locations or you can create a query-based hold to preserve only the content that matches a hold query. In addition to preserving content, another good reason to create holds is to quickly search the content locations on hold (instead of having to select each location to search) when you create and run searches in the next step. After you complete your investigation, you can release any hold that you created. For more information, see Manage holds in eDiscovery.
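The hold described above, sketched with the Security & Compliance PowerShell cmdlets instead of the portal. This is an added example, not part of the original page; the case name, mailbox address, site URL, admin account, and hold query are constructed placeholders, and it assumes the ExchangeOnlineManagement module and eDiscovery role membership.

```powershell
# Added example: every name, address, and URL below is a constructed placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'ediscovery.admin@contoso.example'

$caseName = 'Case-0001-constructed'
$holdName = "$caseName-hold"
$mailbox  = 'person.of.interest@contoso.example'
$site     = 'https://contoso.example/sites/project-x'

# 1. Create the case that owns the searches, holds, and review sets.
New-ComplianceCase -Name $caseName -Description 'Constructed example case' | Out-Null

# 2. The hold policy names the content locations to preserve.
New-CaseHoldPolicy -Name $holdName -Case $caseName `
    -ExchangeLocation $mailbox -SharePointLocation $site | Out-Null

# 3. The hold rule activates the policy. A policy without a rule preserves nothing.
#    With -ContentMatchQuery only matching items are preserved (query-based hold);
#    leave the parameter out to preserve all content in the listed locations.
New-CaseHoldRule -Name "$holdName-rule" -Policy $holdName `
    -ContentMatchQuery '"Project X" AND sent>=2024-01-01' | Out-Null

# 4. Confirm the hold reached every location before relying on it.
$status = Get-CaseHoldPolicy -Identity $holdName -DistributionDetail
$status | Format-List Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation
if ($status.DistributionStatus -ne 'Success') {
    Write-Warning "Hold '$holdName' is not fully distributed yet: $($status.DistributionStatus)"
}

# 5. After the investigation, release the hold (left commented out on purpose).
# Remove-CaseHoldPolicy -Identity $holdName -Confirm:$false

Disconnect-ExchangeOnline -Confirm:$false
```

Hold distribution is asynchronous, so a status other than `Success` immediately after creation usually means the check in step 4 should be repeated later.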
A case contains all searches, holds, and review sets related to a specific investigation. This may include responding to regulatory, investigation, and litigation requests. You can also assign members to a case to control who can access the case and view the contents of the case. eDiscovery (preview) also supports new case creation integration with Microsoft Purview Insider Risk Management cases.
Data sources define where searches are performed and where holds can be applied. Data sources organize data locations in a hierarchical tree structure with two levels. For example, for a user or group, the user or group would be the top level and mailboxes, OneDrive sites, and other sites would be the second level as they relate to the user or group. For a Microsoft Teams group, the second level would consist of the group mailbox, group site, shared channels/sites, private channels/sites, and other channels or sites as they relate to the Teams group.
Data sources in eDiscovery (preview) are divided into three separate groups:
Users: Users are people in your organization with Microsoft 365 accounts and include any mailbox, OneDrive site, or any other sites associated with the individual user.
Groups: Groups include group mailboxes, group sites, and shared and private Teams and SharePoint sites or channels.
Organization-wide sources: Organization-wide sources include:
You can search for specific data sources or data locations using inputs like a user or group's name, mailbox SMTP address, and OneDrive or SharePoint site URL. When the search is created using specific data sources, only the locations specified in the data source are searched. If the organization-wide source All people and groups is used, the search covers all Exchange mailboxes, OneDrive, and SharePoint sites.
Real-time data source sync helps ensure that you're always informed about the latest changes in data locations associated with users and groups. You can query if any specific data sources are added to a search, if a hold has newly provisioned data locations, or if data locations are removed.
For example, if a private channel is created for a Teams group, the sync feature on the data source panel alerts you of the new location, allowing you to quickly and easily include it in searches or holds. This ensures that new data doesn't go unnoticed and is included in your investigations. This also helps prevent potential data loss from location changes.
When selecting people as a data source for searches, you can quickly find other users that frequently collaborate with the selected user. Frequent collaborators are the top ten users who are most relevant to the selected user and you can select the mailboxes and sites for these users as data sources for searches.
After a search associated with an eDiscovery (preview) case is successfully run, you can export the search results. When you export search results, mailbox items are downloaded in PST files or as individual messages. When you export content from SharePoint and OneDrive sites, copies of native Office documents and other documents are exported.
If you've added the search results to a review set from a case, you can also export review set content to a download package. This package is configurable and includes options to export selected documents only, all filtered documents, or all documents in the review set.
You can use an eDiscovery (preview) case to create hold policies to preserve content that might be relevant to the investigation with an eDiscovery hold. You can place a hold on the Exchange mailboxes and OneDrive accounts of people you're investigating in the case. You can also place a hold on the mailboxes and sites that are associated with Microsoft Teams, Microsoft 365 groups, and Viva Engage Groups. When you place content locations on hold, content is preserved until you remove the content location from the hold or until you delete the hold.
If needed, you can also place a mailbox on Litigation Hold to preserve all mailbox content, including deleted items and original versions of modified items. When you place a mailbox on Litigation Hold, the user's archive mailbox (if it's enabled) is also placed on hold.
If you want people to use any of the eDiscovery-related features in the Microsoft Purview portal, you have to assign them the appropriate permissions. The easiest way to assign roles is to add the person to the appropriate role group on the Role groups page in the Microsoft Purview portal.
Tip
You can view your own permissions on the eDiscovery (preview) overview page in the Microsoft Purview portal. You must have at least one role assigned for your permissions to be displayed.
eDiscovery (preview) includes a Process report that lists all activities that count towards case concurrency and daily limits in eDiscovery for a defined time period. Processes in eDiscovery (preview) are activities associated with specific tasks that support cases, searches, and review sets. Processes are triggered by user actions when using these components.
eDiscovery administrators and eDiscovery Managers (preview) can access this report. Process managers help you view information that is automatically scoped to cases, searches, review sets, and holds.
A review set is a secure, Microsoft-provided Azure Storage location in the Microsoft cloud. When you add data to a review set, the collected items are copied from their original content location to the review set. Review sets provide a static, known set of content that you can search, filter, tag, analyze, and predict relevancy using predictive coding models. You can also track and report on what content gets added to the review set.
Use search to quickly find content relevant to a case. This includes email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Skype for Business. You can use the search tools to search for email, documents, and instant messaging conversations in collaboration tools such as Microsoft Teams and Microsoft 365 Groups.
You can create and run different searches that are associated with the case. You use conditions (such as keywords) to build search queries that return search results with the data that's most likely relevant to the case.
You can also:
Samples from a search provide a representative sample of items returned by the defined search criteria. Viewing details about individual items can help you determine if the search needs to be refined or if the representative items support adding the search results to a review set or an export file.
Statistics from a search provide insights into data volume, the content locations that contain results, the number of hits for search query conditions, and more. These insights can help you decide whether the search should be revised to narrow or expand its scope before moving on to the review and analyze stages in the eDiscovery workflow.