Compliance administrators in organizations may often be required to respond to legal investigations to locate and preserve information contained in your Office 365 locations. eDiscovery and content search tools within the Microsoft 365 Security and Compliance Center will provide you with these capabilities.
In this chapter, we will show you how these tools can be used to manage the search and investigation capabilities within your Microsoft 365 environment. You will learn how to implement content searches and eDiscovery to manage any required legal investigations. We will also demonstrate how to delegate eDiscovery roles to other users so they can also use eDiscovery tools with appropriate permissions. Finally, we will look at how to place content locations on hold, as well as export and analyze the results of content searches.
We shall cover these topics in the following order:
First, we will examine eDiscovery and content searches.
eDiscovery is a feature within Microsoft 365 that allows you to identify and provide information that pertains to any legal cases that may be in progress within your organization. Compliance administrators are able to set controls for who is able to create and manage eDiscovery cases in your environment in order to search for content within the following Office 365 locations:
There are three main components of eDiscovery available in the Security and Compliance Center, as follows:
Let's look at each of these solutions in turn, starting with eDiscovery cases.
eDiscovery cases allow you to control who is able to view and access an investigation. These cases are a collection of holds, searches, and exports, all contained within a single location. Cases can be created and executed from the Security and Compliance center by members of the eDiscovery Manager role group. Members of the Reviewer group can also view eDiscovery cases. Members of the eDiscovery Administrators role group have full access to all created eDiscovery cases. With eDiscovery cases, you can add sources, create holds and queries, export case results, and manage the life cycle of your case.
Content searches complement eDiscovery cases and consist of searches and exports, but not holds. With content search, you are able to carry out powerful searches against your Office 365 services and locations, as well as associate your search with an existing eDiscovery case in order to identify specific information and preview, view, and export the results for analysis. This feature is particularly useful when you need to conduct large-scale searches across multiple Office 365 locations. In order to be able to perform searches, you must be a member of the eDiscovery Manager role group.
Advanced eDiscovery is only available if you have Office 365 E5, Microsoft 365 E5, or Office 365 E3 with the Advanced Compliance add-on, and provides enhanced analytical and communication capabilities that will enable you to more effectively analyze your search results.
With basic eDiscovery, it is possible to apply holds to Office 365 locations, carry out searches for items relevant to a case, and export any search and case results.
Advanced eDiscovery provides additional functionality that allows you to do the following:
In this section, we introduced you to the principles of Content search, eDiscovery, and Advanced eDiscovery in Microsoft 365. We explained that eDiscovery comes in two flavors, basic and advanced, and that content searches can be executed in conjunction with the eDiscovery cases that may be set up by eDiscovery managers.
We will explain these features in further detail as we progress through this chapter. Next, we will show you how to assign eDiscovery permissions in the Security and Compliance Center in order to control who has access to the powerful search and investigation features within your Microsoft 365 environment.
Before you start using the eDiscovery cases and content hold features, it is important to assign the appropriate permissions to the users who need to have access to these tools. In this section, we will demonstrate how to do this from the Security and Compliance Center by adding users to the correct role group from the permissions page. The role that is used to control access is called eDiscovery Manager. This role also contains two subgroups, as follows:
In order to assign eDiscovery permissions, you will need to be a member of the Organization Management role. To assign such permissions from the Security and Compliance Center, we need to take the following steps:
It is also possible to assign users eDiscovery permissions by adding them to the following role groups:
Important note
More detailed information on all of the role groups that relate to eDiscovery can be found in the References section at the end of this chapter, under Assigning eDiscovery permissions in the Security and Compliance Center.
In addition to using the Security and Compliance Center to assign role groups to users, it is also possible to use the Security and Compliance Center PowerShell to set a mail-enabled security group. This group will be a member of the eDiscovery Managers subgroup within the main eDiscovery Manager role group.
However, the same ability does not apply to the eDiscovery Administrators subgroup, and there is a separate command called Add-eDiscoveryCaseAdmin that allows you to make a user an eDiscovery Administrator. This will only work if the user has already been assigned the Case Management role (which is a member of the Organization Management role).
An example of how to complete this task is shown in the following steps:
Connect-IPPSSession -UserPrincipalName [email protected]
Add-eDiscoveryCaseAdmin -User [email protected]
Important note
More detailed information on using the Security and Compliance Center PowerShell can be found in the references section at the end of this chapter, under Adding an eDiscovery Case Admin.
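Because these role groups grant tenant-wide search and export rights, it is worth reviewing their membership after any change. The following is an added example, not taken from the original chapter: it lists the members of the eDiscovery-related role groups and the eDiscovery Administrators, and flags anyone missing from an approved list. The `$Approved` names are constructed placeholders, and matching members by their `Name` property is an assumption of this example.

```powershell
# Added example: review who holds eDiscovery access in the tenant.
# Assumes an existing Security & Compliance Center PowerShell session
# (Connect-IPPSSession, as shown above) opened by an authorized administrator.

# Constructed allow-list; replace with the accounts your organization has approved.
$Approved = @('Approved Investigator 1', 'Approved Investigator 2')

# Discover the eDiscovery-related role groups by name rather than hard-coding them.
$groups = Get-RoleGroup | Where-Object {
    $_.Name -match 'eDiscovery|Reviewer' -or $_.DisplayName -match 'eDiscovery|Reviewer'
}

# Collect one row per (role group, member) pair.
$report = @(
    foreach ($g in $groups) {
        foreach ($m in Get-RoleGroupMember -Identity $g.Name) {
            [pscustomobject]@{
                Source   = $g.Name
                Member   = $m.Name
                Approved = $Approved -contains $m.Name
            }
        }
    }
)

# eDiscovery Administrators are managed with their own cmdlets
# (Add-/Get-/Remove-eDiscoveryCaseAdmin), so query them separately.
$report += @(
    foreach ($a in Get-eDiscoveryCaseAdmin) {
        [pscustomobject]@{
            Source   = 'eDiscovery Administrators'
            Member   = $a.Name
            Approved = $Approved -contains $a.Name
        }
    }
)

# Full listing, then a warning for every member not on the allow-list.
$report | Sort-Object Source, Member | Format-Table -AutoSize

$report | Where-Object { -not $_.Approved } | ForEach-Object {
    Write-Warning "Unapproved eDiscovery access: $($_.Member) via $($_.Source)"
}
```

A member that should not have access can be removed with Remove-RoleGroupMember or, for eDiscovery Administrators, Remove-eDiscoveryCaseAdmin.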
In this section, we have explained how to assign users to eDiscovery-related role groups from the Permissions section of the Security and Compliance Center. You also learned that you can assign these roles using the Security and Compliance Center PowerShell. We showed you the four main role groups that are related to eDiscovery and the two subgroups that exist within the eDiscovery Manager role group.
Next, we will look at setting up eDiscovery cases, how to perform a content search, and how to place locations on hold.
Now that you understand the principles and prerequisites for creating eDiscovery cases and content searches within Microsoft 365, let's go ahead and demonstrate the process of creating an eDiscovery case, placing locations on hold, and performing a content search. We will start with eDiscovery cases, which will also incorporate the step of placing some locations on hold.
To create an eDiscovery case from the Security and Compliance Center, we need to complete the following steps:
For SharePoint sites, OneDrive accounts, Office 365 group sites, and Teams sites, you can filter your choices by Site.
Finally, if you wish to place a hold on Exchange public folders, you can move the toggle switch from None to All. These options are shown in the following screenshot:
Important note
When a hold is applied, it will take up to 24 hours to take effect.
Next, we will examine how to create a content search that will be associated with our eDiscovery case.
Now that we have created our eDiscovery case and applied holds to locations, we can perform a content search. This will be associated with the case.
Important note
We discussed content searches earlier in this book in Chapter 15, Personal Data Protection in Microsoft 365. Content searches that are created and associated with eDiscovery cases will not appear in the Search page of the Security and Compliance Center – they will only be accessible from the eDiscovery page.
In order to configure a content search and associate it with our eDiscovery case, we need to complete the following steps:
In this section, you learned how to set up eDiscovery cases and place content on hold, as well as how to run a content search associated with your eDiscovery case hold settings and view the results.
In the final section of this chapter, we will show you how to export the results of your eDiscovery associated content searches.
Now that you have run your eDiscovery case with content search, you can export the search results using a Windows 7 or above computer, using Internet Explorer or the Microsoft Edge browser, and with Microsoft .NET Framework 4.7 installed. Should your device not meet these requirements, you will be unable to complete this process.
In order to successfully export your search results, you must also be assigned the Export Management role in the Security and Compliance Center. This role is part of the eDiscovery Manager role group, so if you are a member of this group, you will have the required permissions.
In order to complete the export process, you will need to carry out the following steps:
You can view and analyze the reports that you have downloaded in Excel. The two main files you can review are called Export Summary and Results. These CSV files will contain the details that were requested in the search.
So, in this section, you learned that once you have created an eDiscovery case and associated a content search with your case, you are able to export the results by using a Windows computer with either Internet Explorer or the Microsoft Edge browser. When generating the report, the eDiscovery Export Tool is installed and opened on your computer. You can download your reports to the chosen folder by copying and pasting the export key provided by the report generator.
In this chapter, we introduced you to the principles of search and investigation within your Microsoft 365 environment. You learned that you need to assign the eDiscovery Manager role to any users who you want to manage eDiscovery cases, and that you can then create eDiscovery cases from the Security and Compliance Center in order to place holds on your Office 365 locations.
Once an eDiscovery case has been created, content searches can be associated with it and applied to the held locations, as we showed. These content searches can be set up with additional keywords and conditions in order to narrow down your search results.
Finally, we demonstrated that once a search is completed, we are able to preview the search results, as well as export reports to our local computer using the eDiscovery Export Tool, and then open and analyze the downloaded reports in Excel.
In the next chapter, we will discuss the steps required to plan for data privacy compliance in Microsoft 365. You will also learn how to access and interpret reports and dashboards that contain relevant GDPR data. Finally, we will show you how to conduct data subject requests from users who wish to review the personal information that the organization has stored for them.
a. Compliance Administrator
b. Security Administrator
c. Organization Management
d. eDiscovery Manager
e. Reviewer
a. Office 365 E5
b. Office 365 E1
c. Office 365 E3
d. Office 365 E3 with Advanced Compliance add-on
e. Office 365 F1
f. Exchange Online (Plan 2)
a. True
b. False
a. Search | Content Search
b. eDiscovery | eDiscovery
c. Search | Audit Log Search
d. Permissions
a. True
b. False
a. Internet Explorer
b. Google Chrome
c. Windows 7
d. Windows 10
e. Microsoft Edge
f. Microsoft Excel
a. True
b. False
a. 48 hours
b. 12 hours
c. 24 hours
d. 96 hours
a. True
b. False
a. Specific Locations
b. All Locations
c. Locations on Hold
Please refer to the following links for more information: