หมายเหตุ
การเข้าถึงหน้านี้ต้องได้รับการอนุญาต คุณสามารถลอง ลงชื่อเข้าใช้หรือเปลี่ยนไดเรกทอรีได้
การเข้าถึงหน้านี้ต้องได้รับการอนุญาต คุณสามารถลองเปลี่ยนไดเรกทอรีได้
This article explains how eDiscovery handles cloud (modern or linked) attachments versus traditional (classic) attachments. Cloud attachments are links to files stored in SharePoint or OneDrive rather than embedded copies. Because a cloud attachment points to a live file stored in Microsoft 365 services that you can modify after sharing, eDiscovery offers options to collect the live file, the version that you shared, or multiple versions to preserve context. You can collect cloud attachments as part of the export or add to review set workflow.
Collect cloud attachments
eDiscovery supports the following options for the collection of modern attachments:
- Live version of the linked document at the moment of collection.
- Version at the time of sharing.
- Other version options (collect all versions or specific shared versions).
Regardless of the location of the modern attachment, the process attributes the Custodian property to the owner of the message. For example, if User A shares a linked attachment with User B that resides in User C's OneDrive and you collect the message from User B's mailbox, the linked attachment belongs to User B (custodian) and not User C.
To enable the collection of cloud attachments, select the Access links (cloud attachments) in messages option so linked content is included in Add to review set and export workflows.
Important
Including attachments increases the size and quantity of export results.
Once the workflow processes completes, you can group the modern attachment and parent message or email together by using Group by conversations and related items filter and the Is modern attachment column value.
Considerations and unsupported scenarios
Before collecting cloud attachments, review the following considerations and scenarios:
- Plain text emails aren't supported. Only HTML emails are processed.
- Encrypted emails and messages don't support modern attachment extraction.
- Non-clickable links aren't supported. Links that aren't clickable aren't processed. Most links in emails are rewritten to clickable safelinks by the Exchange backends for opt-in tenants.
- Malformed URLs aren't supported. URLs that don't parse correctly aren't stamped.
- Maximum message body length. If the body length is greater than 100,000 characters, any content (modern attachment link) beyond this limit isn't considered.
- Maximum URL length. URLs longer than 2,048 characters are skipped.
- Maximum total property size. If the total property size exceeds 1 MB, it's dropped.
- Maximum number of links per message. Only the first 50 links in a message are processed. Other links beyond 50 are ignored.
- If a message is forwarded and the modern attachment link is expired or stale, the extraction doesn't work. Similarly, if the modern attachment file is renamed or moved, the link isn't extracted.
- Teams shared channel messages and posts don't support modern attachment link extraction. Users need to include the shared channel site and include the file manually as part of their collection.
- Cloud attachments are treated as part of the parent's message, not separate entities.
- If an email or Teams message matches the condition of a search, its linked cloud attachments are retrieved - even if the file doesn't meet the condition of the search.
- If an email or Teams message matches the condition of a search, its linked cloud attachments are retrieved - even if the file resides outside the compliance boundary.
- Advanced indexing isn't applied to cloud attachment files referenced within emails or messages. This limitation means the content of the cloud attachment file itself isn't processed by advanced indexing or OCR.
Collecting the version shared in cloud attachments
By default, the eDiscovery workflow for collecting cloud attachments only includes adding the most current version of a cloud attachment to a review set or for export. This workflow means the version you collect and add to a review set or export might be different from the version that was originally shared in the cloud attachment. So, content that was present in the cloud attachment at the time it was shared might be removed and doesn't exist in the current version that's added to the review set or exported.
Use retention labels to preserve the version of a document at the time when it was shared as a cloud attachment. To do this, create a retention label, choose the option to apply the label to cloud attachments, and then automatically apply the label to documents stored in SharePoint and OneDrive. After you set up this configuration, a copy of a document is created at the time when the file is shared. Also, if the document is modified and shared again as a cloud attachment, the modified version is also preserved. If the file is modified and shared again, a new copy of the file as a new version is preserved.
Preserving the shared versions of cloud attachments helps you scope the preservation and collection of potentially relevant content to the specific version of the document that you shared rather than the current live version. After you implement this retention solution, both the current live version of a cloud attachment and the version that you shared in the cloud attachment are collected and added to a review set or exported.
For instructions on setting up a retention label and automatically applying it to cloud attachments, see Auto-apply labels to cloud attachments.
Additionally, the current live version and the version that you shared have the same GroupID property value, which is the same as the GroupID for the parent object (such as an email message or a Teams chat conversation). This property value lets you group cloud attachments with the item in which you shared them.
After you implement the retention label and auto-apply the label to SharePoint documents, select the option to collect cloud attachments when adding items to a review set. When you collect the cloud attachments, both the current live version and the version that was originally shared are added to the review set or exported.
View in eDiscovery reports
eDiscovery includes a Process manager that lists all processes scoped for each area. Each process in the Process manager list contains a detailed report .zip file that contains detailed information about the process once the process completes.
Summary CSV report
All reporting packages include a Summary-*the date/time of the report*.csv file. This file includes information related to cloud attachments. This report includes information about the following items:
- Cloud attachments
- Cloud attachments versions
- Cloud attachment versions at time of sharing
For more information about these areas, see Summary CSV: Information.
Items CSV report
Reporting packages also include an Items CSV report. In the items.csv file, you can:
- Filter on all modern attachments by using the property Is modern attachment =
True. - Correlate modern attachment with its parent email or message through group ID and the property Has attachment =
True.