How Does eDiscovery Work Within Microsoft 365?

Microsoft 365 Apps

Content sprawl causes IT and security administrators many problems and complicates the management and control of information. However, Microsoft 365 provides tools to prevent content sprawl from happening. These tools are part of the Microsoft Purview eDiscovery services. In this article, we’ll explain how eDiscovery works within Microsoft 365.

When working with Microsoft 365, content sprawl may become inevitable within an organization. It will eventually happen as users store documents and files within multiple services such as SharePoint Online, OneDrive for Business, Microsoft Teams, and every other app that allows users to save content.

If your organization ever needs to identify specific types of content across all Microsoft 365 services as part of a legal challenge or litigation, the Microsoft Purview eDiscovery services can come to the rescue. However, before you start exploring these specific tools, you first need to understand what is eDiscovery.

What is eDiscovery in Microsoft 365?

eDiscovery is short for electronic discovery in the context of a legal case or investigation. As part of legal proceedings, organizations may need to provide relevant information, records, and any other electronic evidence related to a case.

You can conduct eDiscovery either offline, on a specific computer, or on a computer network. The data collected during an eDiscovery process may include any type of electronic information including documents, emails, texts, and even social media posts.

So, why should you care about eDiscovery? Well, because Microsoft 365 supports such a wide variety of data sources, you need to ensure that your organization can retrieve content and data when required. 

What tools does Microsoft 365 provide for eDiscovery?

The Microsoft 365 ecosystem provides core tools and capabilities for eDiscovery under the brand “Microsoft Purview” brand. These tools include Content Search, eDiscovery Standard, and eDiscovery Premium. We’ll have more details on these three sets of tools later.

To use any Microsoft Purview eDiscovery solutions, you’ll need the appropriate license. The great thing, though, is that you can use different licenses depending on the roles you’ll assign to members in your organization.

Microsoft 365 eDiscovery permissions

If you want people in your organization to use eDiscovery-related tools, you’ll need to assign them the appropriate permissions. The main roles are eDiscovery Manager and eDiscovery Administrator.

eDiscovery Managers can use eDiscovery search and export tools. They can also perform the following actions:

  • Creating and managing cases.
  • Adding and removing members to a case.
  • Creating case holds.
  • Executing searches associated with a case.

 eDiscovery Administrators can perform all the tasks of an eDiscovery Manager, but they can also perform the following tasks:

  • Accessing all cases listed in both eDiscovery Standard and Premium.
  • Accessing case data for any case in an organization.
  • Managing any eDiscovery cases after adding themselves as a member. 
  • Removing members from an eDiscovery case.

As an IT admin, you should aim to limit the number of users with eDiscovery Administrator permissions.

The 3 eDiscovery solutions within Microsoft 365

Microsoft Purview provides three different sets of eDiscovery solutions: Content search, eDiscovery Standard, and eDiscovery Premium

Content search

The Content search tool can search for content across services and export the results to a local computer. Users can also use keywords, search conditions, and access search statistics.

Content search is the basic eDiscovery tool within Microsoft 365
The Content search tool

To utilize Content Search, you’ll need any of the following licenses:

  • Microsoft 365 E1
  • Microsoft 365 G1
  • Microsoft 365 F1, F3, or F5 Security add-on
  • Microsoft 365 Business Premium
  • Microsoft 365 Business Standard
  • Microsoft 365 Business Basic
  • Office 365 Education A1
  • Office 365 E1

eDiscovery Standard

eDiscovery Standard includes the basic search and export features of Content search, but it adds the creation of eDiscovery cases and their assignment to eDiscovery managers. The latter can only access the cases they are members of.

eDiscovery Standard also allows associated searches and exports within a case. It also enables you to place an eDiscovery hold on content locations relevant to the case.

eDiscovery Standard adds case management features
eDiscovery Standard adds case management features

To utilize eDiscovery Standard, you need any of the following licenses:

  • Microsoft 365 E3
  • Microsoft 365 G3
  • Microsoft 365 Business Premium
  • Microsoft 365 F5 Compliance add-on or the F5 Security and Compliance add-on
  • Microsoft 365 Education A3 or Office 365 Education A3
  • Office 365 E3

eDiscovery Premium

eDiscovery Premium services provide additional steps for identifying, preserving, collecting, reviewing, analyzing, and exporting relevant content to the organization’s internal and external investigations. It allows the management and copying of data into review sets.

With eDiscovery Premium, you can also filter, search, and tag content to cull non-relevant information. eDiscovery Premium also includes analytics and machine learning-based coding models to assist users in investigating content.

eDiscovery Premium services provide additional steps for identifying and managing data
eDiscovery Premium services provide additional steps for identifying and managing data

There are many more features available within eDiscovery Premium. To use this tier, you’ll need any of the following licenses:

  • Microsoft 365 E5
  • Office 365 E5
  • Microsoft 365 E3 with M365 E5 Compliance add-on
  • Microsoft 365 E3 with M365 E5 eDiscovery and Audit add-on
  • Microsoft 365 G5
  • Microsoft 365 G5 with M365 G5 Compliance add-on
  • Microsoft 365 G5 with M365 G5 eDiscovery and Audit add-on
  • Microsoft 365 F5 Compliance add-on
  • Microsoft 365 F5 Security and M365 F5 Compliance add-on
  • Microsoft 365 Education A5 or Office 365 Education A5

Conclusion

As of today, organizations using Microsoft 365 need to manage risk levels for organizational data. They also need to comply with corporate security policies as content grows and changes. All this requires diving deep into an organization’s content and looking for keywords, patterns, and sensitive data types.

To get started with eDiscovery, you’ll need to ensure you have the correct licensing. You can find more information about the Microsoft Purview eDiscovery solutions on the Microsoft Learn website.