eDiscovery in Microsoft 365

Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases. You can use eDiscovery tools in Microsoft 365 to search for content in Exchange Online mailboxes, Microsoft 365 Groups, Microsoft Teams, SharePoint Online and OneDrive for Business sites, and Skype for Business conversations, and Yammer teams. You can search mailboxes and sites in the same eDiscovery search by using the Content Search tool. And you can use Core eDiscovery cases to identify, hold, and export content found in mailboxes and sites. If your organization has an Office 365 E5 or Microsoft 365 E5 subscription (or related E5 add-on subscriptions), you can further manage custodians and analyze content by using the Advanced eDiscovery solution in Microsoft 365.

Microsoft 365 provides the following eDiscovery tools:

Note

Advanced eDiscovery (classic) (also called Advanced eDiscovery v1.0), which is the version of Advanced eDiscovery available in a Core eDiscovery case by clicking Switch to Advanced eDiscovery, is being retired. Its functionality has been replaced by the Advanced eDiscovery solution in Microsoft 365. For more information about the retirement of Advanced eDiscovery v1.0, see Retirement of legacy eDiscovery tools.

The following table contains links to topics that will help you use the Content Search tool.

Topic Description
Run a Content Search
Learn how to use the Content Search tool to search mailboxes, public folders, Microsoft 365 Groups, Microsoft Teams, SharePoint Online sites, One Drive for Business locations, and Skype for Business conversations in your organization in a single search.
Keyword queries and search conditions for Content Search
Learn about the email and file properties and search conditions you can use to search for content in mailboxes and sites in your organization.
View keyword statistics for Content Search results
Learn how to use search statistics to display and compare the statistics for one or more content searches, and to configure new and existing searches to return statistics for each keyword in the search query.
Export search results
Learn how to export the results of a Content Search.
Configure permissions filtering for Content Search
Learn how to use permissions filtering to let an eDiscovery manager search only a subset of mailboxes and sites in your organization.
Export a Content Search report
Learn how to download the export report without having to export the actual search results.
Content Search limits
Learn about the limits of the Content Search tool, such as the maximum number of searches that you can run at one time.
Unindexed items in Content Search
Learn about unindexed items in Exchange and SharePoint that you can include in the estimated search result statistics when you run a search. You can also include unindexed items when you export search results.
Search for and delete email messages
Learn how to use Content Search to search for and delete an email message from all mailboxes in your organization. This can help you find and remove potentially harmful or high-risk email.
Use Content Search to search the mailbox and OneDrive accounts for a list of users
Learn how to use a script to search the mailbox and One Drive for Business site for a group of users. See Create a list of all OneDrive locations for steps on how to quickly generate a list of email addresses that you can use for the source content locations when you create and run content searches.
Use Content Search for targeted collections
Learn how to use the Windows PowerShell script in this article to perform targeted collections using Content Search. A targeted collection means you want to search a specific folder because you're confident that items responsive to a case (or privileged items) are located in that folder. Use the script in this article to obtain the folder ID or path for the specific mailbox or site folders that you want to search.

Core eDiscovery

The following table contains links to topics that will help you use Core eDiscovery cases. You can use Core eDiscovery cases to add eDiscovery managers who can access the case, place an eDiscovery hold on content locations relevant to the case, search for content, and export the search results from the case.

Topic Description
Get started with Core eDiscovery Learn how to assign eDiscovery permissions and create Core eDiscovery cases. This topic also provides an overview of the Core eDiscovery workflow.
Create an eDiscovery hold Learn how to create eDiscovery holds that associated with a Core eDiscovery case to preserve content relevant to the case you're investigating.
Search for content in a Core eDiscovery case Learn how to search for content that's relevant to a case. You can quickly create searches that search the content locations on hold.
Export content from a Core eDiscovery case Learn how to export and download content from a Core eDiscovery case.
Close, reopen, and delete a Core eDiscovery case Learn how to manage the lifecycle of a Core eDiscovery case.
Assign eDiscovery permissions Learn how to assign permissions to users so they can search for content, place content locations on hold, and perform other eDiscovery-related tasks.
Set up compliance boundaries for Core eDiscovery Learn how to use compliance boundaries to create logical boundaries within an organization that control the content locations that an eDiscovery manager can search.

Advanced eDiscovery

The Advanced eDiscovery solution in Microsoft 365 (also called Advanced eDiscovery v2.0) builds on the existing eDiscovery and analytics capabilities in Office 365. This eDiscovery solution provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external investigations. It also lets legal teams manage custodians and the entire legal hold notification workflow to communicate with custodians involved in a case.

Topic Description
Overview of Advanced eDiscovery This article introduces Advanced eDiscovery v2.0 and provides a high-level overview of the built-in workflow of Advanced eDiscovery and how it aligns to the eDiscovery process outlined by the Electronic Discovery Reference Model .
Get started with Advanced eDiscovery Learn how to get started using Advanced eDiscovery, including the required licensing and necessary eDiscovery permission. This article shows you how to create an Advanced eDiscovery case and provides a walk-through of the Advanced eDiscovery workflow.
Work with custodians Learn about working with custodians in an Advanced eDiscovery. This topic links to step-by-step instructions to add custodians to a case, managing custodians in a case, and viewing custodian activity in Microsoft 365 by searching the audit log.
Work with communications Learn about managing the legal hold notification process in Advanced eDiscovery. This includes creating and automating the notification workflow and how a user acknowledged a hold notification.
Work with processing errors Learn about Advanced indexing and how to remediate indexing errors in content from custodial and non-custodial content locations, such as Exchange mailboxes, SharePoint sites, and OneDrive accounts. You can bulk-remediate errors and then upload remediated files to a review set or remediate individual processing errors within a review set.
Collect data for a case Learn about searching for content in custodial content locations, and then adding relevant case data to a review set. When you copy content to a review set, the data is copied from the original content locations to a Microsoft-provided Azure Storage location. This provides a static set of documents for the review process.
Manage review sets Learn about reviewing case data in a review set. This includes viewing, querying, filtering, and tagging documents in a review set.
Analyze data in a review set Learn about running analysis on the documents in a review set. The results of running analysis include near-duplication detection, email threading, and themes identification.
Export case data Learn about exporting data from a case for external review.