eDiscovery FAQ

Here are some frequently asked questions about eDiscovery in Office 365, Exchange 2013, SharePoint 2013, and Lync 2013.

Overview   

What is eDiscovery?

How does eDiscovery work in Microsoft Office 365, SharePoint, Exchange, and Lync?

What does a typical Microsoft eDiscovery solution look like?

What is the Electronic Discovery Reference Model (EDRM)?

Requirements, Limitations, and Configuration   

Which service plans or licenses do I need for eDiscovery?

What types of content can be discovered?

What are unsearchable items?

Are there limits on how many content sources can be searched?

Does the eDiscovery Center work with different product versions?

How do I set up an eDiscovery Center?

What is the typical life-cycle of an eDiscovery case? What is the typical life-cycle of an eDiscovery case?

What type of permissions does a user need to perform eDiscovery?

Can you limit what mailboxes can be searched by a specific person?

Can you audit search and hold actions?

Resources   

Where can I find more information about eDiscovery?

Overview

Q: What is eDiscovery?

A: eDiscovery, or electronic discovery, is the process used by organizations to find, preserve, analyze, and package electronic content (often referred to as electronically stored information or ESI) for a legal request or investigation.

Q: How does eDiscovery work in Microsoft Office 365, SharePoint, Exchange, and Lync?

A: The eDiscovery Center is a SharePoint site collection where cases are defined, sources to be tracked are identified, holds on content are placed or removed, queries are issued, and results reviewed and exported.

Some key features of the SharePoint eDiscovery Center are:

  • Manage Cases   An eDiscovery administrator or user creates, manages and uses eDiscovery cases through the eDiscovery Center (EDC).

  • Work with Multiple Types of Content   Preserve, search, and export documents, email messages, OneNote files, webpages, community posts, microblogs, Lync IMs, and more, providing they are crawled indexed by search.

  • Identify Content Sources   Content sources that might be relevant, such as e-mail messages and documents, are added to one or more collections of source content called eDiscovery Sets.

  • Perform In-Place Hold   A copy of the content can be preserved in-place and in real time, while people continue to work on the original content.

  • Create and Run Queries   Enable you to get relevant content and statistics quickly to help you answer questions fast.

  • Export Content   After you review your results, relevant content can be transferred out of the system into an offline and portable format.

Exchange In-Place Holds and Litigation Holds   Let you to place mailboxes content on hold indefinitely, based on a query, or based on a time period. Key features include:

  • Place user mailboxes on hold and preserve mailbox items immutably.

  • Preserve mailbox items deleted by users or automatic deletion processes such as messaging records management (MRM).

  • Use query-based In-Place Hold to search for and retain items matching specified criteria.

  • Preserve items indefinitely or for a specific duration.

  • Place a user on multiple holds for different cases or investigations.

  • No user impact – In-Place Hold is transparent to users.

  • In-Place eDiscovery searches include items placed on hold.

eDiscovery Case holds in the Office 365 Security & Compliance Center   Let you place a hold on Exchange Online mailboxes, SharePoint Online sites, OneDrive for Business sites, and the mailbox and site for Office 365 groups. For more information, see Manage eDiscovery cases in the Office 365 Security & Compliance Center.

Q: What does a typical Microsoft eDiscovery solution look like?

A: People create, manage and use eDiscovery cases through the eDiscovery center (EDC). The EDC is a SharePoint 2013 site collection where cases are defined, sources to be tracked are identified, queries are issued, query results reviewed and holds on content are placed or removed. To see a large model of the technical flow for eDiscovery, download eDiscovery Flow Across SharePoint, Exchange, Lync, and File Shares.

Q: What is the Electronic Discovery Reference Model (EDRM)?

A: The Electronic Discovery Reference Model (EDRM) provides guidance for the stages involved in the eDiscovery process for electronically stored information (ESI). The EDRM stages include:

  • Information Management

  • Identification

  • Preservation

  • Collection

  • Processing

  • Review

  • Analysis

  • Production

  • Presentation

When content is exported from the eDiscovery Center in SharePoint, it is exported in a standard EDRM format that is often used by other eDiscovery programs. An Electronic Discovery Reference Model XML manifest is included in the export to provide metadata about the exported items. After export:

  • Exchange content, including archived Lync content, is stored in PST files.

  • SharePointcontent and file share content is downloaded in the native format.

  • SharePoint pages are captured as MHT files.

  • SharePoint lists are stored as CSV files.

Return to top

Requirements, Limitations, and Configuration

Q: Which service plans or licenses do I need for eDiscovery?

A: The following service plans and products provide eDiscovery features.

Office 365 Options

Feature

Office 365 Small Business

Office 365 Small Business Premium

Office 365 Midsize Business

Office 365 Enterprise E1

Office 365 Education E1

Office 365 Government E1

Office 365 Enterprise E3

Office 365 Education E3

Office 365 Government E3

Office 365 Enterprise E4

Office 365 Education E4

Office 365 Government E4

Office 365 Enterprise K1

Office 365 Government K1

eDiscovery Center (SharePoint Online)

No

No

No

Yes

Yes

Yes

No

Litigation Hold (Exchange Online)

No

No

No

No

Yes

Yes

No

In-Place Hold (Exchange Online)

No

No

No

No

Yes

Yes

No

In-Place eDiscovery (Exchange Online)

No

No

Yes

Yes

Yes

Yes

Yes

eDiscovery Case holds (Office 365 Security & Compliance Center)

No

No

No

No

Yes

Yes

No

 

SharePoint Online Standalone Options

Feature

SharePoint Online Plan 1

SharePoint Online Plan 2

eDiscovery Center

No

Yes

 

Exchange Online Standalone Options

Feature

Exchange Online Plan 1

Exchange Online Plan 2

Exchange Online Kiosk

Litigation Hold

No

Yes

No

In-Place Hold

No

Yes

No

In-Place eDiscovery

Yes

Yes

Yes

 

SharePoint 2013 Options

Feature

SharePoint Foundation

SharePoint Server 2013 Standard CAL

SharePoint Server 2013 Enterprise CAL

In-Place Hold

No

No

Yes

 

Exchange Server 2013 Options

Feature

Exchange Server 2013

Litigation Hold

Yes

In-Place Hold

Yes

In-Place eDiscovery

Yes

Return to top

Q: What types of content can be discovered?

A: SharePoint content that has been crawled by search, including structured content like documents and list items, as well as blogs, wikis, and newsfeeds. In order to be discovered, the content must be indexed by search. Messaging items in Exchange and Lync conversations that are archived in Exchange can also be discovered. Types of content include:

  • Exchange items, such as messages, site and individual mailboxes, calendar items, and tasks that are indexed by Exchange search

  • Lync conversations that have been archived in Exchange

  • Documents, newsfeed posts, and other SharePoint content

  • Content on file shares that has been indexed by SharePoint search (SharePoint Server 2013 only)

  • Content on OneDrive for Business that has been indexed by SharePoint search

For more information about which content is indexed and troubleshooting search, see:

Q: What are unsearchable items?

A: Unsearchable items are mailbox items that can’t be indexed by Exchange Search or that were only partially indexed. Unsearchable items are typically files attached to email message. Here are a few reasons why files can’t be indexed for search:

  • The filter to index the file type isn’t installed.

  • The file type is disabled for indexing.

  • A file is encrypted with non-Microsoft technologies.

  • A file is password-protected.

Your organization may be required to identify and perform additional processing on these items to see what they are and what they contain. To include unsearchable items in the results of an eDiscovery search, you can use the unsearchable items option when you copy or export search results. For example, to include unsearchable items when exporting search results using the eDiscovery Center in SharePoint, select the Include items that are encrypted or have an unrecognized format option.

For more information, see:

Return to top

Q: Are there limits on how many content sources can be searched?

A: Yes, here are the limits on the number of sources that can be searched in a single eDiscovery search. There are different limits based on whether the search is initiated from SharePoint, Exchange, or the Office 365 Security & Compliance Center.

Note: There are no practical limits on the number of searches that you can create. However, for In-Place eDiscovery searches in Exchange, you can only run two searches at the same time.

SharePoint

  • SharePoint sites: Unlimited (when you search all sites in the organization); otherwise, the limit is 100 if you select individual sites to search.

  • Exchange mailboxes: 10,000 (when you search distribution groups or search all mailboxes in the organization); otherwise, the limit is 1,500 if you select individual mailboxes to search.

  • Keywords/search terms: 500

Exchange Online

  • Exchange mailboxes: 10,000*

  • Keywords/search terms: 500

Note: * Archive mailboxes are counted against the source mailbox limit. That means you can search a maximum of 5,000 mailboxes if the corresponding archive mailbox is enabled for all 5,000 mailboxes.

For more information, see Search limits for In-Place eDiscovery in Exchange Online

Exchange Server 2013

  • Exchange mailboxes: 10,000*

  • Keywords/search terms: 500

Note: * Archive mailboxes are counted against the source mailbox limit. That means you can search a maximum of 5,000 mailboxes if the corresponding archive mailbox is enabled for all 5,000 mailboxes.

Office 365 Security & Compliance Center

  • Exchange mailboxes: No limit

  • SharePoint sites: No limit

  • Keywords/search terms: 500

For more information, see Limits for Content Search in the Office 365 Security & Compliance Center.

Q: Does the eDiscovery Center work with different product versions?

A: The following table lists which sources can be searched, held, and exported. The content must be indexed by servers running on plans or versions of Office 365, SharePoint, and Exchange that contain eDiscovery features.

Search

Search

In-Place Hold

In-Place Hold

Export

Export

Source

On-Premises

Office 365

On-Premises

Office 365

On-Premises

Office 365

SharePoint 2013

Yes

Yes

Yes

Yes

Yes

Yes

Exchange 2013

Yes

Yes

Yes

Yes

Yes

Yes

Exchange 2010

No

No

No

No

No

No

SharePoint 2010

Yes

No

No

No

Yes

No

SharePoint 2007

Yes

No

No

No

Yes

No

Lync 2013 (when archived in Exchange 2013)

Yes

Yes

Yes

Yes

Yes

Yes

Lync 2010

No

No

No

No

No

No

Indexed File shares

Yes

No

No

No

Yes

No

Indexed Content from external systems

No

No

No

No

No

No

Q: How do I set up an eDiscovery Center in SharePoint?

A: You must be an administrator to set up an eDiscovery Center. Create a new site collection that uses the eDiscovery template, configure the appropriate permissions and groups, and configure Exchange connectivity. The following articles explain how:

A key step in setting up eDiscovery is to add Exchange or Exchange Online as a result source. Because the eDiscovery Center is based on a site collection, this configuration must be made at the site collection level or higher, and not at the site level. For more information see Configure result sources for search in SharePoint Server 2013 and Manage result sources.

Return to top

Q: What is the typical life-cycle of an eDiscovery case? What is the typical life-cycle of an eDiscovery case?

A: Following are various stages involved in working with eDiscovery cases in SharePoint 2013 and in the Office 365 Security & Compliance Center:

  • Create eDiscovery Case    An eDiscovery case is a logical object that acts as a container for holding things like queries, holds, and search results. In the eDiscovery Center, an eDiscovery case is a collaboration site that you can use to organize information related to the eDiscovery request. In the Office 365 Security & Compliance Center, an eDiscovery case provides the same functionality. From within an eDiscovery case, you can search for content, apply a hold to content, export content, and view the status of holds and exports that are associated with the case.

  • Place holds    Applying hold means preserving a copy of the original content to prevent it from modification or deletion. Hold is used to retain the content in its original form at the time when hold is applied. When users apply an in-place hold to a site or mailbox, content in the site or mailbox remains in its original location.

  • Search for content    Search queries are used to narrow and refine the content you need for a particular case. Efficient queries reduce the overall volume and increases relevancy of content to be processed. In a query, additional filters such as by keywords, start and end dates, domains, authors or senders etc. can be added to narrow down the content discovery.

  • Export    When you are ready to deliver your eDiscovery content to an authority or want to work on it with another legal program, you can export content from a case.

  • Release holds    Once all the relevant information is gathered from the sources, the holds can be released.

  • Close cases    When all the proceedings are completed and information is no more required, the case can be closed. 

Q: What type of permissions does a user need to perform eDiscovery?

A: eDiscovery is a powerful tool that can potentially expose sensitive information from SharePoint and Exchange content across your entire organization. A user must be authorized to perform an eDiscovery search in SharePoint and Exchange. Permissions to perform eDiscovery searches must be controlled and monitored depending on security and compliance requirements in you organization. An eDiscovery manager must be able to view all content that is potentially discoverable. In SharePoint, we recommend that you create a security group for eDiscovery users, and add the appropriate users to the security group. Then you can grant permissions to the security group, instead of individual users. Choose a name for the security group, and record the name in the worksheet. Also record which users will be members of the security group. For more information, see Plan for eDiscovery in SharePoint Server 2013 and Permissions planning for sites and content in SharePoint 2013.

In SharePoint Online, you can use the eDiscovery Center to search all OneDrive for Business sites in your organization for certain keywords, sensitive information, and other search criteria. Each user in your organization is the owner of their OneDrive for Business site, which is located in the site collection named https://domain-my.sharepoint.com. By default, an Office 365 global administrator or compliance manager can’t use the eDiscovery Center to search any OneDrive for Business sites. To search a OneDrive for Business site, administrators or compliance managers must be a site collection administrator for that OneDrive for Business site. For more information, see Assign eDiscovery permissions to OneDrive for Business sites.

In Exchange or Exchange Online, you need to add a user to the Discovery Management role group. Adding users to the Discovery Management role group allows them to use In-Place eDiscovery to search all Exchange 2013 mailboxes and access potentially sensitive email content in user mailboxes. Check with your organization’s legal or HR departments before assigning this permission to any user. For more information, see Assign eDiscovery permissions in Exchange.

In the Office 365 Security & Compliance Center, you can assign different levels of eDiscovery-related permissions to users. For more information, see Assign eDiscovery permissions in the Office‍ 365 Security & Compliance Center.

Q: Can you limit what mailboxes can be searched by a specific person?

A: Yes, you can use a custom management scope to let specific people or groups search a subset of mailboxes in an Exchange Server 2013 or Exchange Online organization. For example, you might want to let a discovery manager search only the mailboxes of users in a specific location or department. You can do this by creating a custom management scope that uses a recipient filter to control target specific recipients based on recipient type or other recipient properties. For eDiscovery, the only property on a user mailbox that you can use to create a recipient filter for a custom scope is distribution group membership. Any other recipient property can’t be used to create a custom scope for eDiscovery searches. For details, see Create a custom management scope for In-Place eDiscovery searches.

For Content Search in the Office 365 Security & Compliance Center, you can use search permissions filtering to let an eDiscovery manager search only a subset of mailboxes and sites in your Office 365 organization. For more information, see Configure permissions filtering for Content Search.

Q: Can you audit search and hold actions?

A: You can audit in-place search and holds for Exchange items in the Exchange Admin Center. In the SharePoint eDiscovery Center, you can audit actions on SharePoint content. You can also audit the holds and searches that are run as long as you configure auditing to interact with search in advance. The searches against Exchange do not include the specific mailboxes that were searched, however. For more information on configuring audit settings in SharePoint, see Configure audit settings for a site collection.

Return to top

Resources

Q: Where can I find more information about eDiscovery?

A: The following articles and other resources provide information about eDiscovery and related technologies:

eDiscovery Overview

Office 365

eDiscovery in Office 365

Exchange

SharePoint

Lync

Return to top

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×