Advanced eDiscovery in Office 365 explained

First, it is crucial to understand what eDiscovery (electronic discovery, e-Discovery) is. The term has two main meanings:

Legal perspective – eDiscovery is the electronic aspect of hunting for electronically stored information in case of a lawsuit or investigation. It also relates to legislation which regulates this aspect. eDiscovery applies to all systems.

Microsoft 365 / Office 365 perspective – eDiscovery is a mechanism, or a set of features, designed to help with searching, collecting and exporting data from Microsoft 365 organizations. As the name suggests, the primary purpose of eDiscovery (the mechanism) is to help in case of litigation and to comply with the legal definition of eDiscovery. This article is about the Office 365 / Microsoft 365 mechanism and its premium version – Advanced eDiscovery – in particular.


Advanced eDiscovery requirements & permissions

Advanced eDiscovery is not a part of every tenant. To experience its goodness, you need either an E5 subscription, or E3 with the Advanced Compliance add-on. At least that would be the case if the feature had not been in public preview since May 17th, 2019.

Another important requirement to keep in mind is permissions. Back in the day, the eDiscovery mechanism was based on the permissions from the Exchange Admin Center. Currently, the Security & Compliance Center has its own, independent Permissions tab. To manage eDiscovery cases, a user needs to be assigned an eDiscovery role group – eDiscovery Manager. This role group is a particular one, as it has two very distinct subgroups:

eDiscovery Manager – this role group allows its members to create and manage eDiscovery cases, as long as they have created the case or have been added as members to the case.

eDiscovery Administrator – this role group allows full access to each and every eDiscovery case, without necessarily being a member of said case.

Managers will not be able to see the cases they have not created or been assigned to. Administrators have full access to all cases – better assign those permissions with care. There are also two roles which play an important role while dealing with eDiscovery:

Reviewer – Reviewers can be assigned as members of a case. They cannot create eDiscovery cases, run content search or even preview results of the search – they can only access and analyze the case data in Advanced eDiscovery. This is the most restrictive eDiscovery-related role, but without it, users cannot access any part of eDiscovery at all.

As with the Exchange Online admin center, this Microsoft 365 module offers a fully customizable RBAC experience. As a result, apart from those default role groups, you can define custom role groups with the permissions you choose.
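Because eDiscovery Administrators can open every case, it is worth reviewing regularly who holds each of these permissions. The script below is an added example, not part of the original article. It assumes an existing Security & Compliance PowerShell session (Connect-IPPSSession from the ExchangeOnlineManagement module) and assumes that 'eDiscoveryManager' is the identity of the eDiscovery Manager role group in your tenant.

```powershell
# Added example: access review of eDiscovery permissions (not from the original article).
# Assumes you are already connected, for example:
#   Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder account

# 1. eDiscovery Administrators have full access to every case, so list each one.
$admins = @(Get-eDiscoveryCaseAdmin | Select-Object -ExpandProperty Name)

# 2. Members of the eDiscovery Manager role group.
#    'eDiscoveryManager' is the role group identity assumed here; adjust if yours differs.
$managers = @(Get-RoleGroupMember -Identity 'eDiscoveryManager' |
    Select-Object -ExpandProperty Name)

# 3. Walk every standard and Advanced eDiscovery case and record who is a member.
$caseAccess = foreach ($type in 'eDiscovery', 'AdvancedEdiscovery') {
    foreach ($case in Get-ComplianceCase -CaseType $type) {
        foreach ($member in Get-ComplianceCaseMember -Case $case.Name) {
            [pscustomobject]@{
                Case     = $case.Name
                CaseType = $type
                Status   = $case.Status
                Member   = $member.Name
            }
        }
    }
}

# 4. Print the review: the short list of people who see everything,
#    the role group membership, then per-case membership.
"eDiscovery Administrators ($($admins.Count)):"
$admins | Sort-Object | ForEach-Object { "  $_" }

"eDiscovery Manager role group members ($($managers.Count)):"
$managers | Sort-Object | ForEach-Object { "  $_" }

"Case membership:"
$caseAccess | Sort-Object Case, Member | Format-Table -AutoSize

# 5. Closed cases that still have members are candidates for cleanup.
$caseAccess | Where-Object { $_.Status -eq 'Closed' } |
    Group-Object Case |
    ForEach-Object { "Closed case '$($_.Name)' still has $($_.Count) member(s)" }
```

Run it from an account that is itself an eDiscovery Administrator; otherwise Get-ComplianceCase only returns the cases that account can see, and the review will be incomplete.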

What does the eDiscovery mechanism do?

eDiscovery includes many options devoted to searching, collecting, preserving and exporting data. Here are its key parts:

eDiscovery case. A case is the most basic eDiscovery tool. eDiscovery cases allow you to control who can see and access a certain investigation.

Litigation hold. Whenever a mailbox or another resource (for example, a SharePoint site) is subject to a litigation hold, it means that its content is protected. The owner of a mailbox on a litigation hold will be able to delete items, but unable to purge them. It means that as long as a mailbox is on a litigation hold, it is not possible to permanently delete an email or any other item. As long as the litigation hold is active, deleted items will go to a specific subfolder in the Recoverable Items folder: DiscoveryHold. Its contents can be searched with eDiscovery content search or using the Search-Mailbox cmdlet.

Content search. Content search can use various filters and criteria to search for specific content in mailboxes, SharePoint sites, or in Public Folders. It can also be used as a means of making a manual local backup. Data which meets the specified requirements can be exported to PST files, which can be imported back into mailboxes later on for revision or restoring purposes.

eDiscovery, Advanced or not, allows administrators to search, analyze and export specific data from an Office 365 organization. While the purpose and general idea of both mechanisms is the same, there are some important differences in how they achieve the same goal.

How is Advanced eDiscovery different from eDiscovery?

The easiest way to see the differences between an eDiscovery case and an advanced case is to take a look at both in the Security & Compliance Center. After noticing a slightly different layout, it is time to get into details.

A standard eDiscovery case has 4 tabs: Home, Holds, Searches and Exports.

The first conclusion is that a standard eDiscovery case gives a chance to:

  • put mailboxes, SharePoint locations and Public Folders on hold,
  • search for items related to a case,
  • export the results.

Advanced eDiscovery adds the following tabs:

  • Custodians – specifies the users who might have relevant information about the case matter. In a standard eDiscovery case, they would be simply added to the Legal hold.
  • Communications – provides an easy tool to send notifications to custodians. The case manager can ask the custodians to preserve any information that might be useful for discovery.
  • Processing
  • Review Sets – results of a content search (or multiple searches) can be added to a review set for further analysis.
  • Jobs – basically lists all jobs performed in the eDiscovery case together with their current status, creation and completion dates.
  • Settings – has three sections. While the first two can be modified in a standard eDiscovery case, the third (Search & analytics) gives some extra options. The Case information tab allows the manager to modify basic case information, like name, number, description and status. Access & permissions gives an option to add or remove users in charge of the case. Search & analytics is where the best part is.

Search & analytics in Advanced eDiscovery

The Search & analytics section gives you options which can potentially speed up the discovery process. For example:

  • Near-duplicates detection significantly decreases the number of documents and threads exported for revision.
  • Email threading analyzes emails as threads, so when someone replies to an email which is a “hit”, eDiscovery will not return 20 consecutive emails, but only one conversation.
  • OCR allows Microsoft 365 to find text in graphical files to add it to a Review Set later on. OCR supports GIF, JPG, PNG and TIFF.

Advanced eDiscovery also makes use of machine learning mechanisms to limit search results to items which are most probably relevant to the case. The system can be trained by accessing a certain review set, clicking Manage review set and choosing the Relevance tile.


How to run an Advanced eDiscovery case

In the next article, I will present how to run an Advanced eDiscovery case and make use of all the premium features mentioned in the article above. Stay tuned!
