eDiscovery (Premium) in Office 365 explained

Advanced eDiscovery in Office 365

eDiscovery (Premium) requirements & permissions

eDiscovery (Premium) is not a part of every tenant. To experience its goodness, you need either an E5 subscription with the E5 Compliance add-on or E3 with the E5 eDiscovery and Audit add-on. You need to assign the required licenses to all users who would benefit from the feature (to the users performing the search, that is).

Another important requirement to keep in mind is permissions. Back in the day, eDiscovery mechanism was based on the permissions from the Exchange admin center. Currently, the Microsoft Purview compliance portal has its own, independent Permissions settings page. To manage eDiscovery cases, a user needs to be assigned an eDiscovery role group – eDiscovery Manager. This role group is a particular one, as it has two very distinct subgroups:

eDiscovery Manager – this role group allows its members to create and manage eDiscovery cases, as long as they have created the case or have been added as members to the case.

eDiscovery Administrator – is a role group which allows full access to each and every eDiscovery case, without necessarily being a member of said case.

Managers will not be able to see the cases they have not created or been assigned to. Administrators have full access to all cases – better assign those permissions with care. There is also one role which plays an important role while dealing with eDiscovery:

Reviewer – reviewers can be assigned as members of a case. They cannot create eDiscovery cases, run content search or even preview results of the search – they can only access and analyze the case data in eDiscovery (Premium). This is the most restrictive eDiscovery-related role, but without it, users cannot access any part of eDiscovery at all.

Like with the Exchange admin center, this Microsoft 365 module offers a fully-customizable RBAC experience. As a result, apart from those default role groups, you can define custom role groups with the permissions you choose.

What does eDiscovery mechanism do?

eDiscovery includes many options devoted to searching, collecting, preserving and exporting data. Here are its key parts:

eDiscovery case. A case is the most basic eDiscovery tool. eDiscovery cases allow you to control who can see and access a certain investigation.

Litigation hold. Whenever a mailbox or another resource (for example, a SharePoint site) is subject to a litigation hold, it means that its content is protected. Owner of a mailbox on a litigation will be able to delete items, but unable to purge them. It means that as long as a mailbox is on a litigation hold, it is not possible to permanently delete an email or any other item. As long as the litigation hold is active, deleted items will go to a specific subfolder in Recoverable Items folder: DiscoveryHold. Its contents can be searched with eDiscovery content search or using Search-Mailbox cmdlet.

Content search. Content search can use various filters and criteria to search for specific content in mailboxes, SharePoint sites, or in Public Folders. It can also be used as a means to a manual local backup. Data which meets the specified requirements can be exported to PST files, which can be imported back into mailboxes later on for revision or restoring purposes.

eDiscovery, Premium or not, allows administrators to search, analyze and export specific data form an Office 365 organization. While the purpose and general idea of both mechanisms is the same, there are some important differences in how they achieve the same goal.

How is eDiscovery (Premium) different from eDiscovery?

The easiest way to see the differences between an eDiscovery case and an premium case is to take a look at both in the Microsoft Purview compliance portal. After noticing a slightly different layout, it is time to get into details.

Standard eDiscovery case has 5 tabs: Home, Searches, Hold, Exports and Settings.

The first conclusion is that a standard eDiscovery case gives a chance to:

  • put mailboxes, SharePoint locations and Public Folders on hold,
  • search for items related to a case
  • export the results

eDiscovery (Premium) adds the following tabs:

  • Data sources allows you to specify the users who might have relevant information about the case matter (these are called custodians). In standard eDiscovery case, they would be simply added to the Legal hold. Additionally, you can define non-custodial data sources from SharePoint and Exchange Online.
  • Collections tool lets you built queries to search for content that is relevant to your case in the previously added sources (custodians, non-custodial sources). To configure the queries, you can use keywords, properties, and conditions.
  • Review Sets results of a content search (or multiple searches) can be added to a review set for further analysis.
  • Communications provides an easy tool to send notifications to custodians. The case manager can ask the custodians to preserve any information that might be useful for discovery.
  • Processing lets you follow the status of processing for indexing case’s content.
  • Jobs basically lists all jobs performed in the eDiscovery case together with their current status, creation and completion dates.
  • Settings has three sections. While first two can be modified in a standard eDiscovery case, the third (Search & analytics) gives some extra options. Case information tab allows manager to modify basic case information, like name, number, description and status. Access & permissions gives an option to add or remove users in charge of the case. Search & analytics is where the best part is.

Search & analytics in eDiscovery (Premium)

The Search & analytics section gives you options which can potentially speed up the discovery process. For example:

Near duplicates / email threading significantly decreases the amount of documents and threads exported for revision. So when someone replies to an email which is a “hit” eDiscovery will not return 20 consequent emails, but only one conversation. Optical Character Recognition allows Microsoft 365 to find text in graphical files to add it to a Review Set later on. OCR supports GIF, JPG,PNG and TIFF.

eDiscovery (Premium) also makes use of machine learning mechanisms to limit search results to items which are most probably relevant to the case. The system can be trained by accessing a certain review set, clicking the Analytics icon and choosing Manage predictive coding from drop-down menu.

The Manage predictive coding AI-based feature in eDiscovery (Premium)

How to run an eDiscovery (Premium) case

In the next article, How to create an eDiscovery (Premium) case, I present how to run an eDiscovery (Premium) case and make use of all the premium features mentioned in the article above. Be sure to read it if you want to see the premium features in action.

Suggested reading:

Tools for Exchange Server

Recommended articles

How to migrate from Exchange Server 2016/2019 to Microsoft 365

How to migrate from Exchange Server 2016/2019 to Microsoft 365

Migrating Exchange data to the cloud is not rocket science – explore your options and launch the migration stress-free. As you may already know, Exchange Server 2016 and 2019 have reached end of life and are no longer officially supported by Microsoft. If your organization still uses either of these platforms to manage email, contacts, calendars, and tasks, keep in mind that: Your environment may become vulnerable to newly discovered security threats – Microsoft will no longer provide security updates for Exchange 2016 and 2019 (unless you’ve enrolled in the Extended Security Update program, which ends in October 2026). Your emails may get blocked – Microsoft has started to throttle and block emails sent from unsupported Exchange Server versions to Exchange Online (as I covered in this article). That said, migrating to a supported platform is now the only viable long-term option for keeping your organization’s email environment secure, supported, and fully operational. If your organization wants or needs to keep things on‑premises (and continue using Microsoft’s solutions for that), upgrading to Exchange Server Subscription Edition (SE) is the only path forward. But given Microsoft’s clear preference for its cloud services – evident in the faster rollout of new features and the many security capabilities available exclusively in Microsoft 365 (Office 365) – now is a great time to leave your on‑prem environment behind and migrate to Exchange Online as part of Microsoft 365. While switching over to a new platform might seem like a rough ride, I’ll show you some easy ways to follow when migrating mailboxes from Exchange Server 2016/2019 to Microsoft 365. How to prepare for email migration to Microsoft 365 Before you start the migration process, you need to make sure your environment is ready for the move. For this purpose, you can use this guide in the Microsoft 365 admin center – it will help you connect your organization to Microsoft 365 and integrate your existing user accounts with Microsoft Entra ID. Microsoft also recommends completing the steps below: Set up an SPF record to determine valid email sources for your organization’s Microsoft 365 domain. Set up the Exchange Online Protection service as a means of protection against spam and malware. If you’re behind on updates, make sure to install the latest Cumulative Update (CU). And here is my quick, less obvious Microsoft 365 migration checklist: Verify if your software will work in Microsoft 365 (especially when it comes to server software). Microsoft 365 migration might be the time you learn that there is crucial legacy software that half the company uses and which is hard to replace. Encourage the whole company to clean up projects. It’s much easier to do this before the migration and start fresh. Gather as much information about your on‑premises environment as possible. For example, you might need to recreate access roles and permissions from scratch in the cloud or set up mail flow rules. Without prior research, it will be much more difficult. Verify if you need to migrate service accounts. There can be a lot of them on‑premises and in most cases, you won’t need them after the move. Review mailbox size limits in Exchange Online before migration to see which licenses you’ll need and whic
How to connect and remotely manage Microsoft 365 with PowerShell

How to connect and remotely manage Microsoft 365 with PowerShell

Microsoft 365 web interface was designed to make it easier to manage your tenant right down to its administrative bowels. On the one hand it really is quick and simple to navigate, on the other it definitely lacks some advanced configuration options so loved by sysadmins. Luckily there is the mighty PowerShell coming to the rescue! You should already know its potential, which can also be utilized in Microsoft 365. Find out how.
New-ComplianceSearch: how to use the newer version of Search-Mailbox

New-ComplianceSearch: how to use the newer version of Search-Mailbox

Microsoft retired the Search-Mailbox cmdlet – now what? Discover how to use New-ComplianceSearch, its key advantages and how to make the switch seamlessly.

Comments

  1. “The quoted passage refers to the users performing the search. ”

    Thanks for the this. What is your source for this please? We’re struggling to find any official written Microsoft source confirming whether the license is required only by those performing the search, or if the subjects of the searches also need the E5 license.

    We even asked M365 Copilot, and it referred to your article right here lol.

    • avatar
      Adam the 32-bit Aardvark says:

      I’m afraid I’m unable to quote anything relevant from Microsoft’s documentation. The licensing info has always been tricky to come by. It’s all based on manual testing – you can add any active mailbox and even unlicensed shared mailbox as the source for eDiscovery searches. Adding custodians and litigation holds on mailboxes is another story, there’s a bit more information on that in my other article: https://www.codetwo.com/admins-blog/office-365-litigation-hold-vs-retention-policy/

  2. “you need to assign the required licenses to all users who would benefit from the feature.”

    Does that mean the people performing the search (HR / legal) or the rest of the business that could be searched or have requested a search. e.g. Please tell me everything that has been said about me as part of GDPR?

    • avatar
      Adam the 32-bit Aardvark says:

      The quoted passage refers to the users performing the search. I’ve added additional info in the article to make this clear.

  3. avatar
    Michael Brueggemann says:

    You say “To experience its goodness, you need either an E5 subscription with the E5 Compliance add-on or E3 with the E5 eDiscovery and Audit add-on.”
    Is it that only the staff in the “eDiscovery Manager” group needs the add-on or is an add-on license required for all users in the tenant?

    • avatar
      Adam the 32-bit Aardvark says:

      Thanks for pointing that out. I’ve added additional info in the article that also answers your question: you need to assign the required licenses to all users who would benefit from the feature.

  4. In O365, sometimes I have to look for all emails between two users.
    However, the search results includes other participants in thousands of emails.

    Is there anyway to set a condition like “Participants includes ONLY these two users”?

    • avatar
      Adam the 32-bit Aardvark says:

      While creating a data collection in your eDiscovery case, in the Conditions step, you can use Sender and Participant fields to exclude irrelevant users.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

CodeTwo sp. z o.o. sp. k. is a controller of your personal data.
See our Privacy Policy to learn more.