Understand eDiscovery and content search capabilities

Searching for content is one of the most common tasks information security administrators perform in Microsoft Purview. Whether you're investigating a data leak, responding to a legal inquiry, or reviewing user activity, having the ability to locate and export relevant data quickly is essential. eDiscovery provides a structured, secure way to search across Microsoft 365 services and support security and compliance efforts.

What is eDiscovery?

eDiscovery is a feature in the Microsoft Purview portal that enables authorized users to create cases, search for content, place holds to preserve data, and export results. It's designed to support internal investigations, legal obligations, regulatory audits, and incident response.

Although the interface is labeled simply as "eDiscovery," the features available depend on the organization’s licensing. When advanced tools like review sets or custodian management aren't enabled, the functionality available is typically part of the default feature set included with enterprise plans.

Licensing and access

To use eDiscovery, users must be assigned the appropriate role in Microsoft Purview, such as eDiscovery Manager or eDiscovery Administrator. These roles allow access to the eDiscovery > Cases area, where cases are created and managed.

Key licensing notes:

  • Core eDiscovery features are included in Microsoft 365 E3 and E5 plans.
  • Advanced features might require separate licensing.

Before beginning any investigation or search, it's important to confirm both the necessary permissions and the correct license are in place.
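One way to run that pre-investigation check, as an added example that is not part of the original module: the function below reports whether a user holds one of the eDiscovery roles and a plan that includes the core features. The function name, the sample addresses, the `SPE_E3`/`SPE_E5` SKU part numbers, and the `PrimarySmtpAddress` property used in the comments are assumptions to verify against your tenant.

```powershell
# Added example: readiness check before opening an eDiscovery case.
# In a live tenant the inputs would come from connected sessions, e.g.:
#   Connect-IPPSSession
#   $mgr = (Get-RoleGroupMember -Identity 'eDiscoveryManager').PrimarySmtpAddress  # property name assumed
#   $adm = (Get-eDiscoveryCaseAdmin).PrimarySmtpAddress                            # property name assumed
#   Connect-MgGraph -Scopes 'User.Read.All'
#   $sku = (Get-MgUserLicenseDetail -UserId $upn).SkuPartNumber
function Test-EDiscoveryReadiness {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string[]] $ManagerAddresses = @(),
        [string[]] $AdminAddresses   = @(),
        [string[]] $SkuPartNumbers   = @(),
        # Assumption: part numbers for Microsoft 365 E3/E5; extend for other plans in use
        [string[]] $CoreSkus = @('SPE_E3', 'SPE_E5')
    )
    # eDiscovery Administrator is checked first because it is the broader role
    $role = $null
    if ($AdminAddresses -contains $UserPrincipalName) {
        $role = 'eDiscovery Administrator'
    } elseif ($ManagerAddresses -contains $UserPrincipalName) {
        $role = 'eDiscovery Manager'
    }
    $licensed = @($SkuPartNumbers | Where-Object { $CoreSkus -contains $_ })

    $gaps = @()
    if (-not $role)            { $gaps += 'no eDiscovery role assigned' }
    if ($licensed.Count -eq 0) { $gaps += 'no E3/E5 plan found' }

    [pscustomobject]@{
        User        = $UserPrincipalName
        Role        = $role
        CoreLicense = $licensed -join ','
        Ready       = ($gaps.Count -eq 0)
        Gaps        = $gaps -join '; '
    }
}

# Constructed sample data (not from a real tenant)
$mgr = @('analyst@example.com', 'counsel@example.com')
$adm = @('counsel@example.com')
$skuByUser = @{
    'analyst@example.com' = @('SPE_E3')
    'counsel@example.com' = @('SPE_E5')
    'intern@example.com'  = @('O365_BUSINESS_ESSENTIALS')
}
$skuByUser.Keys | Sort-Object | ForEach-Object {
    Test-EDiscoveryReadiness -UserPrincipalName $_ -ManagerAddresses $mgr `
        -AdminAddresses $adm -SkuPartNumbers $skuByUser[$_]
} | Format-Table -AutoSize
```

Running the same check on a schedule also surfaces unexpected additions to the eDiscovery role groups, which grant broad search access across mailboxes and sites.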

Common scenarios for using eDiscovery

eDiscovery is typically used when content must be located across Microsoft 365 workloads for review, export, or preservation. Common scenarios include:

  • Internal investigations: Searching messages, documents, and files related to a human resources or security incident.
  • Regulatory or legal requests: Locating content required to comply with litigation, investigations, or regulatory reviews.
  • Data subject requests: Identifying and collecting personal data as part of a subject rights request.
  • Incident response: Reviewing user activity or communications after a potential breach or misuse of data.

Understanding when and why to use eDiscovery builds the foundation for conducting effective searches and supporting your organization's compliance and security goals.