Manage holds in eDiscovery (Premium)
You can use a Microsoft Purview eDiscovery (Premium) case to create holds to preserve content that might be relevant to your case. Using the eDiscovery (Premium) hold capabilities, you can place holds on custodians and their data sources. Additionally, you can place a non-custodial hold on mailboxes and OneDrive for Business sites. You can also place a hold on the group mailbox, SharePoint site, and OneDrive for Business site for a Microsoft 365 group. Similarly, you can place a hold on the mailbox and site that are associated with Microsoft Teams. When you place content locations on hold, content is held until you release the custodian, remove a specific data location, or delete the hold policy entirely.
For long term data retention not related to eDiscovery investigations, it is strongly advised to use retention policies and retention labels. For more information, see Learn about retention policies and retention labels.
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
View custodian-based holds
In some cases, you may have a set of custodians that you've identified and have decided to preserve their data during the case. In eDiscovery (Premium), when these custodians are placed on hold, the user and their selected data sources are automatically added to a custodian hold policy.
To view the custodian hold policy:
- In the Microsoft Purview compliance portal, select eDiscovery > Premium to display the list of cases in your organization.
- Go to the Sources tab to add custodians within your case. To learn how you can add and place custodians on hold within an eDiscovery (Premium) case, see Add Custodians to a case. If you have already added custodians and placed them on hold, go to step 3.
- Go to the Holds tab and select CustodianHold(HoldId) and ensure the hold is placed successfully.
View non-custodial holds
In some cases, you may have a set of data that isn't tied to a specific custodian, but you need to identify the data as relevant to the case and preserve it. When these non-custodial sources are placed on hold in eDiscovery (Premium), the selected data sources are automatically added to a non-custodial hold policy.
To view a non-custodial hold for an eDiscovery (Premium) case:
- In the compliance portal, select eDiscovery > Premium to display the list of cases in your organization.
- Select the Sources tab to add non-custodial locations within your case. To learn how you can add and place non-custodial data on hold within an eDiscovery (Premium) case, see Add non-custodial data sources to an eDiscovery (Premium) case. If you've already added non-custodial location and placed them on hold, go to step 3.
- Select the Holds tab and select NCDSHold(HoldId) and ensure hold is placed successfully.
Placing custodial and non-custodial locations on hold preserves all the content in the locations. For steps to place query-based hold in eDiscovery (Premium), see Create eDiscovery holds in a eDiscovery (Standard) case.
When you create a query-based hold, all content from selected locations is initially placed on hold. After the timer job in either Exchange or SharePoint runs, any content that doesn't match the specified query is cleared from the hold. After the character count across all queries on a single location exceeds 10,000 characters, the entire location is placed on hold.
If the SMTP address of the user changes after you place the user's mailbox on hold, the mailbox remains on hold. To use the new SMTP address to place hold, create a new hold.
Place a hold on Microsoft Teams and Microsoft 365 groups
Microsoft Teams is built on Microsoft 365 groups. Therefore, placing them on hold in eDiscovery (Premium) is similar. Keep the following things in mind when placing Microsoft 365 groups and Microsoft Teams on hold:
To place content located in Microsoft 365 groups and Microsoft Teams on hold, you have to specify the mailbox and SharePoint site that associated with a group or team.
Run the Get-UnifiedGroup cmdlet in Exchange Online to view properties for a Microsoft 365 group or Microsoft Team. This is a good way to get the URL for the site that's associated with a Microsoft 365 group or a Microsoft Team. For example, the following command displays selected properties for a Microsoft 365 group named Senior Leadership Team:
Get-UnifiedGroup "Senior Leadership Team" | FL DisplayName,Alias,PrimarySmtpAddress,SharePointSiteUrl DisplayName : Senior Leadership Team Alias : seniorleadershipteam PrimarySmtpAddress : email@example.com SharePointSiteUrl : https://contoso.sharepoint.com/sites/seniorleadershipteam
To run the Get-UnifiedGroup cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.
When a user's mailbox is searched, any Microsoft 365 group or Microsoft Team that the user is a member of won't be searched. Similarly, when you place a Microsoft 365 group or Microsoft Team hold, only the group mailbox and group site are placed on hold; the mailboxes and OneDrive for Business sites of group members aren't placed on hold unless you explicitly add them as custodians or place their data sources hold. Therefore, if you need to place a Microsoft 365 group or Microsoft Team on hold for a specific custodian, consider mapping the group site and group mailbox to the custodian (See Managing Custodians in eDiscovery (Premium)). If the Microsoft 365 group or Microsoft Team isn't attributable to a single custodian, consider adding the source to a non-custodial hold.
To get a list of the members of a Microsoft 365 group or Microsoft Team, you can view the properties on the Home > Groups page in the Microsoft 365 admin center. Alternatively, you can run the following command in Exchange Online PowerShell:
Get-UnifiedGroupLinks <group or team name> -LinkType Members | FL DisplayName,PrimarySmtpAddress
To run the Get-UnifiedGroupLinks cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.
Channel conversations that are part of a Microsoft Teams channel are stored in the mailbox that's associated with the Team. Similarly, files that team members share in a channel are stored on the team's SharePoint site. Therefore, you have to place the Microsoft Team mailbox and SharePoint site on hold to retain conversations and files in a channel.
Alternatively, conversations that are part of the Chat list in Microsoft Teams are stored in the mailbox of the user's who participate in the chat. Files that a user shares in Chat conversations are stored in the OneDrive for Business site of the user who shares the file. Therefore, you have to place the individual user mailboxes and OneDrive for Business sites on hold to retain conversations and files in the Chat list.
Every Microsoft Team or team channel contains a Wiki for note-taking and collaboration. The Wiki content is automatically saved to a file with a .mht format. This file is stored in the Teams Wiki Data document library on the team's SharePoint site. You can place the content in the Wiki on hold by placing the team's SharePoint site on hold.
The capability to retain Wiki content for a Microsoft Team or team channel (when you place the team's SharePoint site on hold) was released on June 22, 2017. If a team site is on hold, the Wiki content will be retained starting on that date. However, if a team site is on hold and the Wiki content was deleted before June 22, 2017, the Wiki content was not retained.
Manage hold status errors
You may encounter errors while placing a hold on custodial or non-custodial data sources. The following table lists the errors that you may encounter and the recommended resolution.
|Hold error types
|Policy deployment interrupted
|A system error indicating a problem was encountered while applying the hold.
|Select Retry hold action on the custodial/non-custodial data source flyout page command bar to retry the hold application.
|Indicates the SharePoint location associated with the requested hold request isn't accessible and may be read only.
|Contact your SharePoint site administrator to configure the site as writable and retry the hold with Retry hold action on the custodial/non-custodial data source flyout page command bar.
|Site not found.
|Indicates the SharePoint location associated with the requested hold may have been moved, deleted, or the site URL may not exist.
|Check the site URL and confirm if the SharePoint site exists. Once confirmed, edit the custodial/non-custodial data source for the site and retry the hold action.
|Mailbox not found
|Indicates the mailbox associated with the requested hold isn't a valid mailbox.
|Verify the email address and check that it's a valid Exchange Online mailbox. Once confirmed, edit the custodial/non-custodial data source for the mailbox and then retry the hold action.
|Distribution group has too many members
|Indicates the distribution group associated with the requested hold has more than 1,000 email addresses. Currently, a distribution group having more than 1,000 email addresses can't be expanded to be placed on hold.
|Add the individual email addresses as custodial or non-custodial data sources or split the distribution group into groups with less than 1,000 email addresses and retry the hold action.
|Invalid email address or URL
|Indicates the location associated with the requested hold has an invalid email address or site URL.
|Specify a valid email address or URL that exists within your organization.