SharePoint Blog

April 20
Introduction to Office 365 eDiscovery


eDiscovery (Electronic Discovery) is the process of identifying, finding and capturing electronic information to be used as evidence in legal cases. eDiscovery is one of many features built into the Office 365 Security and Compliance Center. It allows authorized users to search, investigate and place Office 365 content and conversations on hold for legal purposes. Content can be found and held based on its location, content conditions, and keywords/phrases within the following services:

  • SharePoint Online documents
  • Email content
  • OneDrive for Business documents
  • Group / Shared Mailbox content
  • Microsoft Teams content
  • Skype for Business conversations

Basic eDiscovery in Office 365 is fairly intuitive and we will break down the process in the following 4 steps:

  1. Office 365 eDiscovery Roles
  2. Creating & Managing eDiscovery Cases
  3. Placing Content Locations on Hold
  4. Performing Content Searches and Exporting Results

As a note, Microsoft is currently rolling out a modern user experience within eDiscovery. All tenants will get this new user interface at different times, with the option to return to the classic experience if users choose. Screenshots within this blog show the modern user experience, but note that changes are constantly happening and the pictures here might vary from what you see in your tenant. Some functionality is slightly different between the two experiences, but mostly it is the same tools and features displayed differently to the users.

1. Office 365 eDiscovery Roles

As a first step, the appropriate permissions must be assigned to allow users to interact with the eDiscovery Center and cases. A user has to be a member of the Organization Management role group (or be assigned the Role Management role, or be a Global Admin) in the Office 365 Security & Compliance Center to assign eDiscovery permissions. eDiscovery Managers will then have the ability to create and manage cases, and to add users to eDiscovery cases. eDiscovery roles are broken into two groups, Reviewers and Managers (the latter further distinguished as either Managers or Admins).

eDiscovery roles and the corresponding permissions are as follows:

Role: Reviewer
Description: Reviewers can only see and open cases on the eDiscovery page that they have been made members of by a Manager or Admin.
Allowed activities:
  • View / open their cases
Activities not allowed:
  • Create cases
  • Add members to a case
  • Place content on hold
  • Create searches
  • Export results
  • Prepare Advanced eDiscovery results

Role: eDiscovery Manager
Description: Managers can create eDiscovery cases and manage all activities of cases that they are members of.
Allowed activities (only for their cases):
  • View / open their cases
  • Add / delete case members
  • Place content on hold
  • Create / edit content searches in case
  • Export content search results
  • Prepare results for Advanced eDiscovery
Activities not allowed:
  • View / open other cases (cases they are not members of)

Role: eDiscovery Admin
Description: Administrators can perform all case management tasks that an eDiscovery Manager can do, while also having access to ALL eDiscovery cases and the ability to perform all Advanced eDiscovery tasks.
Allowed activities (for all cases):
  • View / open ALL cases
  • Add / delete case members
  • Place content on hold
  • Create / edit content searches in case
  • Export content search results
  • Prepare results for Advanced eDiscovery
Activities not allowed:
  • None listed

eDiscovery roles are assigned by an authorized user (Global Admin / Org. Manager) in the Office 365 Security & Compliance Center. To get there, navigate to the role management panel in the Security & Compliance Center, select the desired role and edit it.


Once all of the necessary users have been assigned the appropriate roles within the Security & Compliance Center, eDiscovery Managers can begin to create / manage eDiscovery cases and add users to those cases.
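Because an eDiscovery Admin can open every case in the tenant and a Manager can search the mailboxes and sites of any custodian in their cases, membership of these role groups is worth reviewing regularly. The script below is an added example, not part of the original post, and shows how to list the members of the Reviewer and eDiscovery Manager role groups and the eDiscovery Administrators from Security & Compliance Center PowerShell, then grant the least role that does the job. It assumes the ExchangeOnlineManagement module is installed, that the caller holds the Organization Management / Global Admin rights the post describes, and that the account name is a placeholder.

```powershell
# Added example (not from the original post): review who holds eDiscovery rights,
# then assign the least role that fits.
# Assumes: ExchangeOnlineManagement module installed; caller is a Global Admin or
# Organization Management member; 'alice@contoso.example' is a placeholder account.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance Center PowerShell endpoint

# The two role groups the post describes; Admins are tracked separately below.
$roleGroups = @('Reviewer', 'eDiscovery Manager')

foreach ($group in $roleGroups) {
    Write-Host "== Members of role group '$group' =="
    Get-RoleGroupMember -Identity $group |
        Select-Object Name, RecipientType |
        Format-Table -AutoSize
}

# eDiscovery Administrators see ALL cases, so this list deserves the closest review.
Write-Host "== eDiscovery Administrators =="
Get-eDiscoveryCaseAdmin | Select-Object Name | Format-Table -AutoSize

# A Manager only sees cases they are a member of; start there.
Add-RoleGroupMember -Identity 'eDiscovery Manager' -Member 'alice@contoso.example'

# Promote to Admin only when cross-case access is genuinely required:
# Add-eDiscoveryCaseAdmin -User 'alice@contoso.example'
```

Run the listing part on a schedule and diff the output against the previous run; an unexpected new eDiscovery Admin is a change worth investigating, since that role grants read access to every case and the content held within them.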

2. Creating & Managing eDiscovery Cases

Before creating and managing eDiscovery cases, it is important to understand that a "case" is simply a logical container or grouping of content holds, searches and results within eDiscovery. A case can have one or many holds and searches within it.


To begin performing eDiscovery work, from the Security & Compliance Center, select Search & Investigation in the left-hand menu and click "eDiscovery". eDiscovery Managers and Admins can create new cases at the top of the page by selecting Create a case, then providing a name and description for the case.


Upon creation, Managers can quickly perform the following tasks from the case management fly-out:

  • Add / remove / search for case members
  • Edit the name / description
  • Close / delete the case


Opening the case will give the manager full access to the case and the eDiscovery features. From the case management page, users can complete the next three activities:

  • Creating and managing holds
  • Creating and managing searches
  • Exporting search results and preparing them for Advanced eDiscovery


3. Placing Content Locations on Hold

Within a case, the first thing the user should do is create a hold on content. A hold simply preserves content from being modified or deleted throughout the discovery process. Content on hold cannot be deleted by any user while the files and their contents are under review. Office 365 users will not know if content they are working with is on hold.

To create a hold, a user must:

  1. Create, name and describe the hold
  2. Determine the hold location across:
    • Exchange Email: If an item is deleted in Exchange, the content will be placed in the hidden "Recoverable Items" folder
    • SharePoint Sites / OneDrive for Business Sites: If an item is deleted in SharePoint / OneDrive for Business, the content will be placed in the hidden "Preservation Hold" library
    • Exchange Public Folder
  3. Create a query for the hold
  4. Review and create the hold

Hold queries follow the KQL syntax, which uses boolean and other operators, as well as symbols, to perform the search. Read more on the KQL Syntax.

We often recommend to our clients that they scope holds by location, not by query (or at least not by an extremely specific one). If the query on a hold is too narrow, it may not preserve content that it should, and that content could be modified or deleted while you refine the query. The best approach is to preserve more content with your hold, then narrow the content analyzed through your searches.


4. Performing Content Searches and Exporting Results


Once holds have been created, eDiscovery Managers can then configure their search(es) that are relevant for the legal matter.

The query editing screen allows users to configure search elements (keywords, conditions, and locations) and execute a search. The search applies query keywords to all content properties (file title, body, etc.). Users may also preview and export search results.

See below the Keyword and Condition areas:


The Search will also allow the Manager to preview the results returned, as seen below:


Once you are satisfied with the search results, Managers can (from the quick management fly-out > "more" drop-down) export the results for analysis, export a high-level statistics report, or prepare results for Advanced eDiscovery (we'll go into this more in another blog post).

* Users with eDiscovery Permissions (Managers, Security & Compliance Admins, etc.) can also perform queries through the Content Search tool (Security & Compliance > Search & Investigation > Content Search). This enables you to freely search and configure queries without having to manage full eDiscovery cases. This is a good way to practice KQL syntax and refine search queries.

Exporting Search Results

Once you are ready to export the results of an eDiscovery Search, you will have several options regarding the format and structure of the output. Case Managers will have options around the following:

  • Handling of result items that have an unrecognized format, are encrypted, or were not indexed for other reasons
    • Include items that have an unrecognized format, are encrypted, or are un-indexed
    • Exclude items that have an unrecognized format, are encrypted, or are un-indexed
    • Only export items that have an unrecognized format, are encrypted, or are un-indexed
  • Handling of Exchange (Email) output
    • One PST per mailbox
    • One PST file for all messages
    • One PST file containing all messages in a single folder
    • Separate all messages individually
  • De-duplication of Exchange content (finds similar/duplicate emails and combines email threads into one item)
  • Including SharePoint file versions
    • If versioning is already enabled in SharePoint: all versions of an on-hold item will be copied into the Preservation Hold Library
    • If versioning is NOT enabled in SharePoint: all versions of the on-hold item AFTER the hold is applied will be copied into the Preservation Hold Library
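Steps 2 through 4 above are one procedure, and they can be driven from Security & Compliance Center PowerShell as well as from the portal. The script below is an added example, not code from the original post: it creates a case, places a location-only hold (following the advice above to hold broadly and narrow with the search), runs a KQL-scoped search, waits for the estimate, and exports with the options listed in this section. It assumes the ExchangeOnlineManagement module is installed, that the caller is an eDiscovery Manager, and that the case name, custodian mailbox and site URL are placeholders.

```powershell
# Added example (not from the original post): a basic eDiscovery case end to end.
# Assumes: ExchangeOnlineManagement installed; caller is an eDiscovery Manager;
# case name, mailbox and site URL below are placeholders, not values from the post.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$case      = 'Matter-placeholder-001'
$custodian = 'custodian@contoso.example'                          # placeholder mailbox
$site      = 'https://contoso-placeholder.sharepoint.com/sites/project'  # placeholder site

# Step 2: the case is only a container for holds, searches and exports.
New-ComplianceCase -Name $case -Description 'Placeholder matter description'

# Step 3: hold by location only. The rule carries no ContentMatchQuery, so every item
# in these locations is preserved while the search query is still being refined.
New-CaseHoldPolicy -Name "$case - hold" -Case $case `
    -ExchangeLocation $custodian -SharePointLocation $site -Enabled $true
New-CaseHoldRule -Name "$case - hold rule" -Policy "$case - hold"

# Step 4: do the narrowing on the search, with KQL (keywords, AND/OR/NOT, and
# property restrictions such as subject: and sent dates).
$kql = '("project falcon" OR falcon) AND NOT subject:"weekly newsletter" AND sent>=2021-01-01'
New-ComplianceSearch -Name "$case - search" -Case $case `
    -ExchangeLocation $custodian -SharePointLocation $site -ContentMatchQuery $kql
Start-ComplianceSearch -Identity "$case - search"

# Wait for the estimate, then check item count and size before exporting anything.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity "$case - search"
} while ($search.Status -ne 'Completed')
'{0} items, {1} bytes matched' -f $search.Items, $search.Size

# Export with the options the post lists: one PST per mailbox, de-duplication of
# Exchange content, SharePoint document versions included, and un-indexed items
# included so that encrypted or unrecognized files are not silently dropped.
New-ComplianceSearchAction -SearchName "$case - search" -Export `
    -Format FxStream -ExchangeArchiveFormat PerUserPst `
    -EnableDedupe $true -IncludeSharePointDocumentVersions $true `
    -Scope BothIndexedAndUnindexedItems

# Closing the case later turns the holds off and releases held content
# (see the closing section); the same cmdlet reopens it with -Reopen.
# Set-ComplianceCase -Identity $case -Close
```

Keeping the hold rule free of a query and putting the KQL on the search is the point of the example: the hold decides what survives, the search decides what gets reviewed, and a mistake in the search can be corrected and re-run without anything having been lost in the meantime.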


5. Closing / Re-Opening Cases

I know what you're thinking: this was promised to be done in 4 steps, but I'm including a fifth step to close out the process for basic eDiscovery. All cases will eventually be closed, potentially re-opened, and ultimately deleted at some point. It's important to consider the effects on the holds, the search results and the cases themselves under each action. Below are the ramifications of each outcome for the case:

  • Closed: all holds are turned off and held content is released. Files that had previously been deleted while on hold are then released, which can result in a loss of that content. All configurations for the case are maintained and can be re-opened at any time.

  • Re-opened: existing holds and searches will be re-enabled, however, items changed while the case was closed are not retained.

  • Delete: a deleted case will lose all configuration settings permanently. All holds, searches and result exports will be deleted.

I hope you found this blog insightful and that it provided you with some tools to start working with eDiscovery in Office 365.

© Protiviti 2021. All rights reserved.