Office 365 eDiscovery

In my last post I walked through how to create a Preservation policy. I explained that the Preservation policy should be used when you want to keep a large amount of general data for an extended period of time. But what if you don’t want a general solution and need to target more specific messages? eDiscovery should be your go-to solution.

eDiscovery cases give us a powerful solution for searching and exporting data from an Office 365 tenant. They also give us the ability to capture data that we don’t want users to delete. This is very useful when a legal case requires data to be retained in your Office 365 tenant, and unlike a Preservation policy, the hold lasts only for the duration of the eDiscovery case.

Currently, we have the ability to create eDiscovery searches through the Exchange Online Admin Center (EAC) or the Security & Compliance Center. The difference is that eDiscovery searches performed from the EAC only capture email messages and Skype for Business message transcripts, whereas eDiscovery cases created from the Security & Compliance Center have the option to include email messages, Skype message transcripts, and sites. It’s also important to note that as of July 1, 2017 the EAC will no longer support creating new eDiscovery searches. Because of this, I am going to focus on eDiscovery cases created through the Security & Compliance Center.

Permissions are an important aspect of the eDiscovery process. We are able to assign permissions to users according to their role in the eDiscovery case. The two permissions that are applicable to an eDiscovery case are:

  • Reviewer
  • eDiscovery Manager
    • eDiscovery Manager
    • eDiscovery Administrator

A user that is granted the Reviewer permission will be able to view any eDiscovery cases they have been given access to. They won’t be able to create or edit any new or existing cases. The eDiscovery Manager permission is required to create and edit an eDiscovery case. Within this permission there are two sub-permissions: eDiscovery Manager and eDiscovery Administrator. The two are similar in that they both allow a user to create, manage, and view eDiscovery cases. The difference is that the eDiscovery Manager permission only allows users to manage cases that they created or have been given access to. An eDiscovery Administrator has the ability to view and manage ANY eDiscovery case that is created in the tenant. So, before moving forward, ensure that you assign the correct permissions to any account that will be involved with the eDiscovery case.

The first step in creating an eDiscovery case through the Security & Compliance center is to configure the permissions. For the purposes of this example I will give my user account the eDiscovery Manager permission and I’ll give another account a Reviewer permission.

From the Security & Compliance Center select Permissions. Choose eDiscovery Manager and select the pencil icon to add a user account to the permissions. As stated before, you have a Manager and an Administrator role to choose from.


We can add Reviewer permissions using the same method.


Now that the permissions are set, let’s create a new eDiscovery case. From the Security & Compliance Center, select Search & investigation and then eDiscovery. Select the + to create a new case. Give the new case a meaningful name, and select the users that will have access to the case. In our case, we have one Manager and one Reviewer. Click Finish to create the eDiscovery case.


Now we need to edit the case to set up the desired Holds and Searches. Let’s start by creating a new Hold. We can give it a name and select the Mailboxes and Sites that we want to be included in the Hold.


Next, we can provide some keywords to limit the hold to only items containing the specified keywords. If we want to place everything on hold, we can just leave the keywords blank.


We now have a Hold configured in our case. We can now create a search to allow us to view and export the data associated with the case. The location of the search can be specified. If we wanted to create separate searches for mailboxes and sites, we could split that out here. In my case I’m including all case content in one search. You’ll see an option for including items that weren’t indexed. There are a few reasons an item may be unindexed. Messages that are encrypted by a third-party encryption technology won’t be indexed because the contents can’t be read. Certain file types, like videos, are also excluded because there isn’t any data in the file that can be indexed. As much of this data as possible will still be included for you to look at manually. It won’t show up in a search preview, but it will be available in the export.


Again, we have the option to create a query used for the search. To search all content, leave this blank.


Now that the Search has been created, we can preview the results by clicking Preview search results in the right pane. To update the search to include any changes since it was created, you will need to start the search. We have two options for exporting from the case. We can export the results or we can export a report of the results.

Exporting the results provides us with the actual data collected by the eDiscovery case. We are given a few options for the export data.


Exporting a report provides us with a summary of the data that was collected from the eDiscovery case. As before, we have a few options for the export.

Once the exports have been created, you will need to go to the Exports page to access and download them. Select the export that you want to download and click Download exported results from the right pane.


This opens a summary page that contains an export key. This key is required by the eDiscovery Export Tool to access and download the required export.
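As an added example (not from the original post), here is the same walkthrough done with the Security & Compliance Center PowerShell cmdlets: role assignment, case creation, a hold with an optional keyword rule, a search over the case locations, and the results and report exports. The account names, site URL, case name and keyword query are placeholders, and the Connect-IPPSSession step assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example, not the post's own steps. The connection cmdlet assumes the
# ExchangeOnlineManagement module; all names below are placeholders.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'

$manager   = 'manager@contoso.onmicrosoft.com'     # gets eDiscovery Manager
$reviewer  = 'reviewer@contoso.onmicrosoft.com'    # gets Reviewer (read-only)
$custodian = 'custodian@contoso.onmicrosoft.com'   # mailbox placed on hold
$site      = 'https://contoso.sharepoint.com/sites/Legal'  # site placed on hold
$caseName  = 'Case-2017-001'

# 1. Permissions: Reviewer can only view; eDiscovery Manager can create and edit
#    cases they own. (Add-eDiscoveryCaseAdmin -User ... would grant the
#    Administrator sub-role, which sees every case in the tenant.)
Add-RoleGroupMember -Identity 'eDiscovery Manager' -Member $manager
Add-RoleGroupMember -Identity 'Reviewer'           -Member $reviewer

# 2. Create the case and give both accounts access to it
New-ComplianceCase -Name $caseName | Out-Null
Add-ComplianceCaseMember -Case $caseName -Member $manager
Add-ComplianceCaseMember -Case $caseName -Member $reviewer

# 3. Hold: the policy lists the mailboxes/sites, the rule carries the optional
#    keyword query. Omit -ContentMatchQuery to hold everything in those locations.
New-CaseHoldPolicy -Name "$caseName-Hold" -Case $caseName `
    -ExchangeLocation $custodian -SharePointLocation $site -Enabled $true | Out-Null
New-CaseHoldRule -Name "$caseName-HoldRule" -Policy "$caseName-Hold" `
    -ContentMatchQuery 'contract AND "Project Falcon"' | Out-Null

# 4. Search the same locations (no query = all content), run it, and wait
New-ComplianceSearch -Name "$caseName-Search" -Case $caseName `
    -ExchangeLocation $custodian -SharePointLocation $site | Out-Null
Start-ComplianceSearch -Identity "$caseName-Search"
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity "$caseName-Search"
} while ($search.Status -ne 'Completed')
"Items found: $($search.Items)  Size: $($search.Size) bytes"

# 5. Exports: results including unindexed items (they are absent from the
#    preview but present in the export), plus a summary report
New-ComplianceSearchAction -SearchName "$caseName-Search" -Export `
    -Scope BothIndexedAndUnindexedItems -Format FxStream | Out-Null
New-ComplianceSearchAction -SearchName "$caseName-Search" -Report | Out-Null

# The actions appear on the Exports page as <search>_Export and <search>_Report
Get-ComplianceSearchAction | Where-Object Name -like "$caseName-Search_*" |
    Format-Table Name, Action, Status
```

The export key shown on the summary page is still needed by the eDiscovery Export Tool to download the results; closing the case later releases the hold.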