Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases. You can use eDiscovery in Office 365 to search for content in Exchange Online mailboxes, Office 365 Groups, Microsoft Teams, SharePoint Online sites, and Skype for Business conversations. If you only need to search mailboxes, you can use In-Place eDiscovery in the Exchange admin center. If you need to search mailboxes and sites in the same eDiscovery search, you can use Content Search in the Office 365 Security & Compliance Center. In both cases, you can identify, hold, and export content found in mailboxes and sites.
Office 365 provides eDiscovery capabilities within the Security & Compliance Center. To use these components, there are 5 core steps that you need to follow.
5 Steps You Need to Follow to Use eDiscovery Within Office 365
1) Assign Security & Compliance Permissions for eDiscovery
If users want to be able to perform any of the eDiscovery tasks, they must be assigned to specific role groups within the Security & Compliance Center. There are two role groups that a user can be added to, namely Reviewer and eDiscovery Manager.
The Reviewer role group has the most restrictive eDiscovery-related permissions. Members of this group can only see and open the list of the cases on the eDiscovery page in the Security & Compliance Center that they are members of. They can’t create cases, add members to a case, create holds or searches, export search results, or prepare results for Advanced eDiscovery. However, members can access cases in Advanced eDiscovery to perform analysis tasks.
Members of the eDiscovery Manager role group can create and manage eDiscovery cases. They can add and remove members to a case, place content locations on hold, create and edit content searches associated with a case, export the results of a content search, and prepare search results for analysis in Advanced eDiscovery.
To assign the permissions, open the Permissions menu within the Security & Compliance Center.
Select the desired permission and choose the edit icon to open it for editing. Once the page is loaded, use the add button (+) to add users to the eDiscovery Manager and Administrator role.
To add eDiscovery Reviewers, repeat the process, but this time select the Reviewer role group to edit. The permissions are now set, and the assigned users can complete their respective tasks within the eDiscovery Center.
2) Create an eDiscovery Case
To create a new case, you must first access the Security & Compliance Center, click Search & investigation, eDiscovery, and then click + Create a case.
The right panel will appear and ask for a name and description for the case.
Press the Save button. The new case will then be displayed on the main eDiscovery site.
3) Add Users to the eDiscovery Case
After you create a new case, the next step is to add members to the case. Only users that are members of the Reviewer or eDiscovery Manager role groups can be added as a member of the case. In the Security & Compliance Center, click Search & investigation, then eDiscovery to display the list of cases in your organization.
Click the name of the case that you want to add members to. The Manage this case flyout page will then be displayed. Click the + Add button to add users as eDiscovery members.
Select the users from the populated list of eDiscovery Managers, then press the Add button to update the case.
Once the users have been successfully added to the case, the site will confirm the additions.
4) Place Existing Content on Legal Hold
You can use an eDiscovery case to create holds to preserve content that might be relevant to the case. You can place a hold on the mailboxes and OneDrive for Business sites of people who are custodians in the case. You can also place a hold on the group mailbox, SharePoint site, as well as OneDrive for Business site for an Office 365 Group. Similarly, you can place a hold on the mailbox and site that are associated with Microsoft Teams.
When you place content locations on hold, the content stays on hold until you remove the hold from the content location or until you delete the hold. When you create a hold, you have the following options to scope the content that is held in the specified content locations:
- You can create an infinite hold where all content is placed on hold. Alternatively, you can create a query-based hold where only content that matches a search query is placed on hold.
- You can specify a date range to hold only the content that was sent, received, or created within that date range. Alternatively, you can hold all content regardless of when it was sent, received, or created.
To add a hold, navigate to the Security & Compliance Center, click Search & investigation, then eDiscovery to display the list of cases in your organization. Click Open next to the case that you want to create the holds in. On the homepage for the case, choose the Hold menu item.
On the Hold page, click the New + button.
On the Create a new hold page, give the hold a name. The name of the hold must be unique in your organization.
Choose the content locations that you want to place on hold. You can place mailboxes, sites, and public folders on hold. To add a SharePoint site, press the + button, type the URL you want to put on hold, and then press the Add button.
When you have finished adding the required mailboxes, sites, and public folders, click the Next button. To create a query-based hold with conditions, complete the keyword list. Simply type the values that you want to search for, or leave the list blank to put all content on legal hold.
Extra conditions can also be added, such as searching for specific values of various properties for mail and SharePoint content.
After configuring a query-based hold, click Finish to create the hold. This process may take some time to complete as it will not only enable the hold but also filter the content for the hold to the query that you defined earlier.
Information about the new hold is displayed in the details pane on the Holds page for the selected hold. This information includes the number of mailboxes and sites on hold as well as statistics about the content that was placed on hold, such as the total number and size of items placed on hold and the last time the hold statistics were calculated. These hold statistics help you identify how much content related to the eDiscovery case is being held.
You can get the latest hold statistics at any time by clicking Update statistics to rerun a search estimate that calculates the current number of items on hold. If necessary, click Refresh in the toolbar to update the hold statistics in the details pane.
5) Create and Run a Content Search
After an eDiscovery case is created and any custodians related to the case are placed on hold, you can create and run one or more Content Searches that are associated with the case.
Content Searches associated with a case aren’t listed on the Search page in the Security & Compliance Center. This means that Content Searches associated with a case can only be accessed by case members who are also members of the eDiscovery Manager role group.
In the Security & Compliance Center, click Search & investigation, then eDiscovery to display the list of cases in your organization. Click the Open button next to the case that you want to create a Content Search in. Once the case has loaded, select the Search menu item.
To add a search, click the + button. A new window will load, where you type a name for the search.
Choose the content locations that you want to search. If the content has been placed on hold, the first option can be selected. If you wish to search other locations that are not on hold, such as mailboxes, sites, and public folders, you can select either Search everywhere or Custom location selection.
To perform a wider search, select Search everywhere, then select all options.
Choosing the Custom location selection enables you to select the mailboxes and sites that you want to search. When you select this option, the list of mailboxes and sites is pre-populated with the content locations that are placed on hold within the case. You can also choose to search all public folders in your organization.
After you have selected the content locations to search, click Next, then add any keywords and conditions to create the search query. You can use Sensitive Type syntax and a simple list of terms.
You can also add conditions, similar to how they worked when searching and placing content on hold. Once you have saved the search, it will run synchronously, in the same way that the Hold search works. You can get the latest search statistics at any time by clicking Update statistics to rerun a search estimate that calculates the current number of items found based on the query you defined. If necessary, click Refresh in the toolbar to update the search statistics in the details pane.
After a search is successfully run, you can export the search results. When you export search results, mailbox items are downloaded in PST files or as individual messages. When you export content from SharePoint and OneDrive for Business sites, copies of native Office documents and other documents are exported.
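The five steps above can also be scripted with Security & Compliance PowerShell, which makes the role assignments, hold scope and search query repeatable and easy to review. This is an added example, not part of the original walkthrough; the case name, accounts, site URL and keyword query are constructed placeholders.

```powershell
# Added example: every name below (contoso.com accounts, case name, site URL,
# keyword query) is a constructed placeholder.
# Requires the ExchangeOnlineManagement module and an account that is allowed
# to manage role groups and eDiscovery cases.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com

$case      = 'Case-2024-001'
$manager   = 'alice@contoso.com'     # will create holds and searches
$reviewer  = 'bob@contoso.com'       # analysis only, most restrictive role
$custodian = 'carol@contoso.com'     # mailbox to place on hold
$site      = 'https://contoso.sharepoint.com/sites/finance'
$query     = '"Project Falcon" OR contract'

# 1) Assign eDiscovery permissions through the two role groups.
Add-RoleGroupMember -Identity 'eDiscovery Manager' -Member $manager
Add-RoleGroupMember -Identity 'Reviewer' -Member $reviewer

# 2) Create the case.
New-ComplianceCase -Name $case -Description 'Constructed sample case'

# 3) Add members (they must already belong to one of the role groups above).
Add-ComplianceCaseMember -Case $case -Member $manager
Add-ComplianceCaseMember -Case $case -Member $reviewer

# 4) Place content on hold. The policy selects the locations; the rule scopes
#    the hold with a query. Omit -ContentMatchQuery to hold all content.
New-CaseHoldPolicy -Name "$case-Hold" -Case $case `
    -ExchangeLocation $custodian -SharePointLocation $site
New-CaseHoldRule -Name "$case-HoldRule" -Policy "$case-Hold" `
    -ContentMatchQuery $query

# 5) Create and run a Content Search tied to the case, then wait for the
#    estimate and show the item count and size.
New-ComplianceSearch -Name "$case-Search" -Case $case `
    -ExchangeLocation $custodian -SharePointLocation $site `
    -ContentMatchQuery $query
Start-ComplianceSearch -Identity "$case-Search"
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity "$case-Search"
} while ($search.Status -ne 'Completed')
$search | Select-Object Name, Status, Items, Size
```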
With the ability not just to search content, but also to place content on hold and to export and analyze it, eDiscovery in Office is now more powerful than ever before.