What you should know about eDiscovery in SharePoint Online

Sriram Varadarajan
Enterprise Architect
Published On :   25 Jul 2016


  • eDiscovery: the process of identifying and delivering electronic information that can be used as evidence
  • eDiscovery Center: a new type of site collection that serves as a portal for managing eDiscovery cases
  • eDiscovery Case: a collaboration site (a subsite of the eDiscovery Center) used to organize the information related to an eDiscovery request; its eDiscovery sets, queries and sources are stored as list items
  • From this central location (the eDiscovery Center) we can create cases to identify, hold, search and export content from SharePoint sites, Exchange mailboxes and searchable file shares
  • A hold ensures that a copy of the content is preserved (in the Preservation Hold Library), while still allowing users to work with their content

Get Started

  • Microsoft recommends creating a security group that contains the legal team members
  • To discover Exchange mailboxes, server-to-server authentication between Exchange and SharePoint must be configured (an area that still needs to be explored)
  • Grant the legal users the appropriate permissions on the site collections (site collection administrator, SCA) and Exchange mailboxes (membership of the Discovery Management role group in Exchange) that they must perform eDiscovery actions on
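The permission setup above can be scripted instead of clicked through. The following is an added example, not code from the original post: it creates the legal team's security group in Exchange Online, adds it to the Discovery Management role group, and makes each legal user a site collection administrator on the site collections the case will cover. The tenant name, admin account, user names and site URLs are hypothetical placeholders; it assumes the SharePoint Online Management Shell is installed and that Exchange Online remote PowerShell is reachable.

```powershell
# Added example (not from the original post): provision legal-team access for eDiscovery.
# Hypothetical values: tenant "contoso", admin UPN, legal users and the in-scope site collections.
$adminUpn  = "admin@contoso.onmicrosoft.com"
$cred      = Get-Credential -UserName $adminUpn -Message "Office 365 admin"
$legalTeam = @("alice@contoso.com", "bob@contoso.com")
$sites     = @("https://contoso.sharepoint.com/sites/hr",
               "https://contoso.sharepoint.com/sites/finance")

# 1. Exchange Online: a mail-enabled security group for the legal team, added to the
#    Discovery Management role group so its members can search and hold mailboxes.
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
        -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $exo -DisableNameChecking | Out-Null

$group = Get-DistributionGroup -Identity "Legal eDiscovery" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name "Legal eDiscovery" -Type Security -Members $legalTeam
}
Add-RoleGroupMember -Identity "Discovery Management" -Member $group.Identity -ErrorAction SilentlyContinue

# 2. SharePoint Online: each legal user becomes a site collection administrator on every
#    site collection the case will search or hold (the permission the hold requires).
Connect-SPOService -Url "https://contoso-admin.sharepoint.com" -Credential $cred
foreach ($site in $sites) {
    foreach ($user in $legalTeam) {
        Set-SPOUser -Site $site -LoginName $user -IsSiteCollectionAdmin $true | Out-Null
    }
}

# 3. Verify: print the site collection administrators per site so the assignment is auditable.
foreach ($site in $sites) {
    $scas = Get-SPOUser -Site $site | Where-Object { $_.IsSiteAdmin } |
            Select-Object -ExpandProperty LoginName
    "{0}: {1}" -f $site, ($scas -join ", ")
}
Remove-PSSession $exo
```

Keep the SCA grant as narrow as the case needs: a site collection administrator can read everything in the site, so grant it only on the site collections that are actually in scope and remove it when the case is closed.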

Managing an eDiscovery case:

The two primary components of an eDiscovery case are eDiscovery sets and queries.

eDiscovery sets
  • To find and preserve content, create an eDiscovery set (a SharePoint list item). It contains the following:
    • Sources – the locations to be searched (Exchange mailboxes, SharePoint Online sites or file shares)
    • Filter – the search criteria (search terms, date range and author name)
    • An option to place the sources on In-Place Hold

Queries
  • To find and export content, create a query (a SharePoint list item). It contains the following:
    • Sources – the locations to be searched (Exchange mailboxes, SharePoint Online sites, eDiscovery sets or file shares)
    • Filter – the search criteria; it resembles the filter of an eDiscovery set, but in a query it can also use stemming

After running a query we can
  • See statistics about the items that were found
  • Preview the results
  • Filter the results by message type (Exchange) or by file type (SharePoint)
  • Export the results of the query

The content that you export by using a query is formatted according to the Electronic Discovery Reference Model (EDRM) specification so that it can be imported into a review tool. An export can include the following:
  • Documents
  • Lists
  • Pages
  • Exchange objects
  • Crawl log errors
  • An XML manifest that provides an overview of the exported information

How eDiscovery works:

  • The Search service application (SSA) is the key component of the SharePoint search system; in SharePoint Online it is operated by Microsoft, whereas in SharePoint Server you configure it yourself
  • An eDiscovery Center is associated with an SSA
  • Any content that is indexed by that SSA can be discovered from the eDiscovery Center
  • If the SSA is configured to crawl file shares, the eDiscovery Center can discover content from those file shares
  • If Exchange is added as a result source to the SSA, Exchange mailboxes can be discovered from the eDiscovery Center and placed on hold

In-Place Holds:

  • When an in-place hold is applied to a site (subsites included), the content in the site remains in its original location
  • Users can still work with the content, but a copy of the content as it was at the time you initiated the hold is preserved
  • Any new content that is created or added to the site after it was put on hold is discoverable, and is preserved if it is deleted
  • Because in-place holds preserve content transparently, users do not even have to know that their content is on hold
  • When a hold is placed on a SharePoint site, a Preservation Hold Library is created if one does not already exist
  • Users receive an error if they try to delete a library, list, or site collection that is on hold
  • The Information Management Retention timer job cleans up the Preservation Hold Library
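To see the hold mechanism described above in action, you can inspect the Preservation Hold Library directly. The following is an added example, not code from the original post: it connects to a held site with the SharePoint CSOM from PowerShell, reports whether the library exists (it is only created on the first hold) and lists the preserved copies with the time each was captured. The site URL and credentials are hypothetical, and it assumes the SharePoint Online Client Components SDK is installed at its default path.

```powershell
# Added example (not from the original post): audit a site's Preservation Hold Library via CSOM.
# Hypothetical values: site URL and credentials. Assumes the CSOM assemblies are at the default SDK path.
$isapi = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI"
Add-Type -Path "$isapi\Microsoft.SharePoint.Client.dll"
Add-Type -Path "$isapi\Microsoft.SharePoint.Client.Runtime.dll"

$siteUrl = "https://contoso.sharepoint.com/sites/finance"
$cred    = Get-Credential -Message "Site collection administrator"
$ctx     = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)

# The library is created on the first hold, so its absence means no hold has ever touched this site.
$phl = $ctx.Web.Lists.GetByTitle("Preservation Hold Library")
$ctx.Load($phl)
try {
    $ctx.ExecuteQuery()
} catch {
    Write-Warning "No Preservation Hold Library on $siteUrl (the site has never been placed on hold)"
    return
}
"Preservation Hold Library: {0} preserved item(s), hidden from users: {1}" -f $phl.ItemCount, $phl.Hidden

# Each item is a copy taken when a held document was changed or deleted; Created is the time the
# copy was preserved, FileLeafRef the original file name. Newest copies first, capped at 200 rows.
$caml = New-Object Microsoft.SharePoint.Client.CamlQuery
$caml.ViewXml = "<View><Query><OrderBy><FieldRef Name='Created' Ascending='FALSE'/></OrderBy></Query><RowLimit>200</RowLimit></View>"
$items = $phl.GetItems($caml)
$ctx.Load($items)
$ctx.ExecuteQuery()

$items | ForEach-Object {
    [pscustomobject]@{
        Preserved = [datetime]$_["Created"]
        File      = $_["FileLeafRef"]
        Modified  = [datetime]$_["Modified"]
    }
} | Format-Table -AutoSize
```

Run it as a site collection administrator; ordinary site members do not see the library, which is the point of the "users do not even have to know" behaviour above.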

Limitations:

  • Once content sources or queries have been added to an eDiscovery case, changing the regional settings of the site is not supported
  • Adding a large distribution group (100 members or more) as a content source may time out or take a long time to process, and distribution groups of 1,500 or more members cannot be added at all. The workaround is to find other ways to identify the content involving the distribution group's mailbox, such as keywords or the author or sender of the item
  • For content to be discovered, it must have been crawled by search
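Because both the eDiscovery set filter and the query run against the search index, a quick way to check the crawl requirement above (and the filter syntax from the eDiscovery sets section) is to run the same KQL directly against search before adding a source to a case. The following is an added example, not code from the original post: it issues a keyword query with search terms, a date range and an author through the CSOM search API and prints what the index returns. The site URL, credentials, search terms and author are hypothetical, and it assumes the SharePoint Online Client Components SDK is installed at its default path.

```powershell
# Added example (not from the original post): verify content is crawled and discoverable by running
# an eDiscovery-style KQL filter against the search index. Hypothetical values: URL, credentials, terms.
$isapi = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI"
Add-Type -Path "$isapi\Microsoft.SharePoint.Client.dll"
Add-Type -Path "$isapi\Microsoft.SharePoint.Client.Runtime.dll"
Add-Type -Path "$isapi\Microsoft.SharePoint.Client.Search.dll"

$siteUrl = "https://contoso.sharepoint.com/sites/finance"
$cred    = Get-Credential -Message "Legal team member (site collection administrator)"
$ctx     = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)

# The eDiscovery set filter is KQL: free-text terms, a date range (LastModifiedTime) and an author,
# scoped here to one site with the Path property. Terms and author are constructed placeholders.
$kql = '"merger agreement" AND LastModifiedTime>=2016-01-01 AND LastModifiedTime<=2016-06-30 AND Author:"Sriram" AND Path:"{0}"' -f $siteUrl

$query = New-Object Microsoft.SharePoint.Client.Search.Query.KeywordQuery($ctx)
$query.QueryText      = $kql
$query.RowLimit       = 100
$query.TrimDuplicates = $false   # eDiscovery must see every copy, not a deduplicated result set
foreach ($p in "Title", "Path", "Author", "LastModifiedTime", "FileType") { $query.SelectProperties.Add($p) }

$executor = New-Object Microsoft.SharePoint.Client.Search.Query.SearchExecutor($ctx)
$results  = $executor.ExecuteQuery($query)
$ctx.ExecuteQuery()

$table = $results.Value[0]
"{0} item(s) match in the search index" -f $table.TotalRows
$table.ResultRows | ForEach-Object {
    [pscustomobject]@{
        Modified = $_["LastModifiedTime"]
        Author   = $_["Author"]
        Type     = $_["FileType"]
        Path     = $_["Path"]
    }
} | Format-Table -AutoSize

# Zero hits for a document you know exists means it has not been crawled yet (or is excluded from
# search); an eDiscovery set with the same filter would miss it for the same reason.
```

Search results are security-trimmed, so run the check as an account with the same site collection administrator rights the legal team will use; otherwise a missing hit may reflect permissions rather than the crawl.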

Lifecycle of an eDiscovery case:

  • Create the site to manage a case
  • Add sources
  • Place sources on hold
  • Create queries
  • Export case content
  • Close case

My next article will talk about placing an Office 365 Group into legal hold.
