Learn about the eDiscovery (preview) workflow

The eDiscovery (preview) workflow helps you more quickly identify, investigate, and take action on electronic stored information (ESI) in your organization. Identifying and taking action on ESI items with eDiscovery (preview) uses the following improved workflow:

eDiscovery workflow diagram.

Step 1: Escalate from trigger event

Trigger events are activities that are escalated in your organization and prompt the creation of a new case in eDiscovery (preview). These events can be requests from internal or external partners, integrated events associated with alerts in other Microsoft Purview solutions (for example, Insider Risk Management cases), or any other activity that may benefit from the search, investigation, and mitigation actions included with eDiscovery (preview).

Step 2: Create and manage cases

A case in eDiscovery (preview) contains all searches, holds, and review sets related to a specific investigation. This may include responding to regulatory, investigation, and litigation requests. You can also assign members to a case to control who can access the case and view the contents of the case. eDiscovery (preview) also supports new case creation integration with Microsoft Purview Insider Risk Management cases.

Step 3: Search, evaluate results, and refine

After you create a case, use the built-in search tools in eDiscovery (preview) to search the content locations in your organization. You can create and run different searches that are associated with the case. You use conditions (such as keywords) to build multiple search queries that return search results with the data that's most likely relevant to the case. You can also:

  • View search statistics that may help you refine a search query to narrow the results.
  • Preview the search results to quickly verify whether the relevant data is being found.
  • Revise queries and rerun searches.

Step 4a: Actions from search results

  • Export search results: After a search in an eDiscovery case is successfully completed, you can export the search results. When you export search results, mailbox items are downloaded in PST files or as individual messages. When you export content from SharePoint and OneDrive sites, copies of native Office documents and other documents are exported.
  • Create review sets: A review set is a secure, Microsoft-provided Azure Storage location in the Microsoft cloud. When you add data to a review set, the collected items are copied from their original content location to the review set. Review sets provide a static, known set of content that you can search, filter, tag, and analyze. You can also track and report on what content gets added to the review set.

Step 4b: Create holds

To preserve and protect data that's relevant to an investigation, you can place an eDiscovery hold on the data sources associated with a case. Premium eDiscovery features will also include a built-in communications workflow soon so you can send hold notifications to users and track their acknowledgments.

After creating a case, you can immediately place a hold on the content locations of the people of interest in your investigation. You can also create query-based holds if needed. Content locations include Exchange mailboxes, SharePoint sites, OneDrive accounts, and mailboxes and sites associated with Microsoft Teams and Microsoft 365 Groups. While placing a hold is optional, creating a hold preserves content that may be relevant to the case during the investigation.

When you create a hold, you can preserve all content in specific content locations or you can create a query-based hold to preserve only the content that matches a hold query. In addition to preserving content, another good reason to create holds is to quickly search the content locations on hold (instead of having to select each location to search) when you create and run searches in the next step. After you complete your investigation, you can release any hold that you created. For more information, see Manage holds in eDiscovery.

Step 5: Review and take action from review sets

  • Search for content: In most cases, it's useful to dig deeper into the content in a review set and organize it to facilitate a more efficient review. Using filters and queries in a review set helps you focus on a subset of documents that meet the criteria of your review.
  • Run analytics: eDiscovery provides integrated analytics tool that helps you further cull data from the review set that you determine isn't relevant to the investigation. In addition to reducing the volume of relevant data, eDiscovery also helps you save legal review costs by letting you organize content to make the review process easier and more efficient. For more information, see Analyze data in a review set in eDiscovery.
  • Tag items: Organizing content in a review set is important to complete various workflows in the eDiscovery process. This organization often includes identifying relevant content, culling unnecessary content, and identifying content that must be reviewed by an expert or attorney. When experts, attorneys, or other users review content in a review set, their opinions related to the content can be captured by using tags. Tags provide structure and organization items included in an investigation. For more information, see Tag documents in a review set in eDiscovery.
  • Create a Query report (preview): Generate and download a consolidated report on multiple queries for a review set. This report lets you quickly see the total count and volume of filtered items on a particular keyword search or multiple compound KeyQL queries.
  • Add items from the review set to another review set: In some cases, it may be necessary to select documents from one review set and work with them individually in another review set.
  • Export items: After you search for and find data that's relevant to your investigation, you can export it out of your Microsoft 365 organization for review by people outside of the investigation team. In addition to the exported data files, the export package contains an export report, a summary report, and an error report. For more information, see Export documents from a review set in eDiscovery.

Workflow components

Cases

A case contains all searches, holds, and review sets related to a specific investigation. This may include responding to regulatory, investigation, and litigation requests. You can also assign members to a case to control who can access the case and view the contents of the case. eDiscovery (preview) also supports new case creation integration with Microsoft Purview Insider Risk Management cases.

Data sources

Data sources define where searches are performed and where holds can be applied. Data sources organize data locations in a hierarchical tree structure with two levels. For example, for a user or group, the user or group would be the top level and mailboxes, OneDrive sites, and other sites would be the second level as they relate to the user or group. For a Microsoft Teams group, the second level would consist of the group mailbox, group site, shared channels/sites, private channels/sites, and other channels or sites as they relate to the Teams group.

Data sources in eDiscovery (preview) are divided into three separate groups:

  • Users: Users are people in your organization with Microsoft 365 accounts and includes any mailbox, OneDrive site, or any other sites associated with the individual user.

  • Groups: Groups include group mailboxes, group sites, and shared and private Teams and SharePoint sites or channels.

  • Organization-wide sources: Organization-wide sources include:

    • All people and groups: Includes all users and all groups in your organization.
    • All public folders: Includes all content in Exchange public folders mailboxes.

You can search for specific data sources or data locations using inputs like a user or group's name, mailbox SMTP address, and OneDrive or SharePoint site URL. When the search is created using specific data sources, only the locations specified in the data source are searched. If the organization-wide source All people and groups is used, the search covers all the Exchange mailboxes, OneDrive, and SharePoint sites.

Real-time data source sync helps ensure that you're always informed about the latest changes in data locations associated with users and groups. You can query if any specific data sources are added to a search, if a hold has newly provisioned data locations, or if data locations are removed. For example, if a private channel is created for a Teams group, the sync feature on the data source panel alerts you of the new location, allowing you to quickly and easily include it in searches or holds. This ensures that new data doesn't go unnoticed and is included in your investigations. This also helps prevent potential data loss from location changes.

Frequent collaborators

When selecting people as a data source for searches, you can quickly find other users that frequently collaborate with the selected user. Frequent collaborators are the top ten users who are most relevant to the selected user and you can select the mailboxes and sites for these users as data sources for searches.

Exports and downloads

After a search associated with a eDiscovery (preview) case is successfully run, you can export the search results. When you export search results, mailbox items are downloaded in PST files or as individual messages. When you export content from SharePoint and OneDrive sites, copies of native Office documents and other documents are exported.

If you've added the search results to a review set from a case, you can also export review set content to a download package. This package is configurable and includes options to export selected documents only, all filtered documents, or all documents in the review set.

Holds and hold policies

You can use an eDiscovery (preview) case to create hold policies to preserve content that might be relevant to the investigation with an eDiscovery hold. You can place a hold on the Exchange mailboxes and OneDrive accounts of people you're investigating in the case. You can also place a hold on the mailboxes and sites that are associated with Microsoft Teams, Microsoft 365 groups, and Viva Engage Groups. When you place content locations on hold, content is preserved until you remove the content location from the hold or until you delete the hold.

If needed, you can also place a mailbox on Litigation Hold to preserve all mailbox content, including deleted items and original versions of modified items. When you place a mailbox on Litigation Hold, the user's archive mailbox (if it's enabled) is also placed on hold.

Permissions

If you want people to use any of the eDiscovery-related features in the Microsoft Purview portal, you have to assign them the appropriate permissions. The easiest way to assign roles is to add the person the appropriate role group on the Role groups page in the Microsoft Purview portal.

Tip

You can view your own permissions on the eDiscovery (preview) overview page in the Microsoft Purview portal. You must have at least one role assigned for your permissions to be displayed.

Processes

eDiscovery (preview) includes a Process report that lists all activities that count towards case concurrency and daily limits in eDiscovery for a defined time period. Processes in eDsicovery (preview) are activities associated with specific tasks that support cases, searches, and review sets. Processes are triggered by user actions when using these components.

eDiscovery administrators and eDiscovery Managers (preview) can access this report. Process managers help you view information that is automatically scoped to cases, searches, review sets, and holds.

Review sets

A review set is a secure, Microsoft-provided Azure Storage location in the Microsoft cloud. When you add data to a review set, the collected items are copied from their original content location to the review set. Review sets provide a static, known set of content that you can search, filter, tag, analyze, and predict relevancy using predictive coding models. You can also track and report on what content gets added to the review set.

Searches

Use search to quickly find content relevant to a case. This includes email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Skype for Business. You can use the search tools to search for email, documents, and instant messaging conversations in collaboration tools such as Microsoft Teams and Microsoft 365 Groups.

You can create and run different searches that are associated with the case. You use conditions (such as keywords) to build search queries that return search results with the data that's most likely relevant to the case.

You can also:

  • View search statistics and sample items that may help you refine a search query to narrow the results.
  • Preview the search results to quickly verify whether the relevant data is being found.
  • Revise a query and rerun the search.
  • Export the search results or add the search results to a review set.

Search samples

Samples from a search provide a representative sample of items returned by the defined search criteria. Viewing details about individual items can help you determine if the search needs to be refined or if the representative items support adding the search results to a review set or an export file.

Search statistics

Statistics from a search provide insights for data volume, the content locations that contain results, and the number of hits for search query condition, and more. These insights can help to inform if the search should be revised to narrow or expand the scope of the search before moving on the review and analyze stages in the eDiscovery workflow.

Trigger events

Trigger events are activities that are escalated in your organization and prompt the creation of a new case in eDiscovery (preview). These events can be requests from internal or external partners, integrated events associated with alerts in other Microsoft Purview solutions (for example, Insider Risk Management cases), or any other activity that may benefit from the search, investigation, and mitigation actions included with eDiscovery (preview).

Ready to get started?