Find sensitive data stored in SharePoint Online sites

Compliance officers, paralegals, or others performing a legal audit often need to assess the degree of risk posed by sensitive and personal data stored on SharePoint sites. Data loss prevention (DLP) in SharePoint Online provides you with a way to identify that data, so you can work with document owners to reduce any risk to your organization. This topic will help you perform the following tasks.

Grab a cup of coffee. From start to finish, this process might take a while. Estimate 60–90 minutes if you haven't previously set up an eDiscovery Center. If your organization is already using eDiscovery (electronic discovery), this process shouldn’t take long.

Before you begin, get acquainted with eDiscovery and DLP in SharePoint Online

The eDiscovery Center is a SharePoint site collection where you can plan and manage eDiscovery cases. An eDiscovery case is a subsite that you can use to organize information related to an eDiscovery request. DLP in SharePoint lets you identify sensitive information with a query as part of a case. Querying for sensitive information represents a small portion of the total functionality of the eDiscovery Center. If you’re interested in learning more about eDiscovery, read Plan and manage eDiscovery cases. If your organization doesn’t already have an eDiscovery Center, see Set up an eDiscovery Center in SharePoint Online to create one.

Note: eDiscovery and DLP are premium features that require SharePoint Online Plan 2.

Step 1: Assign permissions to the eDiscovery Center

Tip: If you’ve set up an eDiscovery Center and assigned the proper permissions, you can skip this step and go to Step 2: Open the eDiscovery Center.

Permissions are a big deal. And to run a query in the eDiscovery Center, you need lots of different types of permissions. Assigning permissions to multiple people for Exchange Online, SharePoint Online, the eDiscovery Center, and each site collection could take a long time.

If you only want to use the eDiscovery Center, you might wonder why you need all those other permissions. The eDiscovery Center is a site collection, and like any other site collection, you have to be given permissions to access it. Access to the eDiscovery Center, however, grants no special, automatic access to other site collections, to documents, or to content. To gain access to data stored on other site collections and in SkyDrive, you'll need to be granted admin permissions for each. Multiply that action by the number of admins in your organization, and you can see how it makes sense to optimize the process. Because the security group that you'll create in the next set of tasks is powerful, choose its members carefully.

Important: If you want to search for sensitive data stored on OneDrive for Business sites, you need to assign specific permissions for that task. For details on how to assign eDiscovery permissions to OneDrive for Business sites, see the Assign eDiscovery permissions to OneDrive for Business sites topic.

Create a security group for eDiscovery managers

Creating a security group makes it easier to manage who has access to different areas of Exchange Online and SharePoint Online because you can assign permissions to the security group rather than to individual members. Follow these steps to create a security group in Exchange Online.

  1. In the Office 365 admin center, choose Admin > Admin centers > Exchange.

  2. In the Exchange admin center (EAC), go to Recipients > Groups. Check whether a security group that's been assigned owner permissions for the eDiscovery Center in SharePoint Online appears in the list. If the group is in the list, you can skip to Step 2: Open the eDiscovery Center.

  3. Click New > Security group.

  4. On the New security group page, complete the following boxes:

    • Display name: This name appears in the shared address book and in the Groups list in the EAC. Use a name that identifies the purpose of the group; for example, eDiscovery Managers.

    • Alias: Type the alias for the security group. It must be unique in your Office 365 organization.

    • Email address: The name that you typed in the Alias box is used to automatically generate the portion of the email address that appears to the left of the @ symbol. You can change the alias portion of the email address if necessary.

    • Description: You can use this box to describe the eDiscovery-related purpose of the security group.

  5. Under Members, click Add.

  6. Select people that you want to be members of this group, and then click Add. When you finish adding members, click OK to return to the New security group page.

  7. Select the Owner approval is required check box so that you can manage the membership of this group and control who can use the eDiscovery Center.

  8. Click Save.

Assign eDiscovery permissions in SharePoint Online

Now that you have a security group, make that group part of the site collection owners group for the eDiscovery Center.

  1. In the eDiscovery Center, go to Settings > Site settings.

  2. On the Site Settings page, under Users and Permissions, click Site permissions.

  3. Click the <name of site collection> Owners group for the site collection.

  4. In the New list, click Add Users.

  5. In the Invite people box, type the <name of the eDiscovery managers’ security group>, and then click Share.

Next, let's add site collection administrator permission to the eDiscovery security group. Repeat these steps for each site collection in your organization.

  1. Go to the top-level site in the site collection, and then click Settings > Site settings.

  2. On the Site Settings page, under Users and Permissions, click Site Collection Administrators.

  3. Type the <name of the eDiscovery managers’ security group> in the Site collection administrators box, and then click OK.
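
Because the group has to be added to every site collection, and a site collection without it cannot be searched, it helps to check coverage afterwards. The following script is an added example, not part of the original topic: it uses the SharePoint Online Management Shell to list each site collection's administrators and flag the ones where the eDiscovery group is missing. The admin URL is a placeholder, and matching the group by the display name eDiscovery Managers is an assumption.

```powershell
# Added example: read-only audit of site collection administrators.
# $AdminUrl is a placeholder; $GroupName assumes the display name chosen
# when the security group was created.
$AdminUrl  = 'https://<tenant>-admin.sharepoint.com'
$GroupName = 'eDiscovery Managers'

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl          # prompts for credentials

$report = foreach ($site in Get-SPOSite -Limit All) {
    try {
        # Everyone (users and groups) holding site collection admin rights
        $admins = Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
                  Where-Object { $_.IsSiteAdmin }

        [pscustomobject]@{
            Url        = $site.Url
            Searchable = [bool]($admins | Where-Object {
                             $_.IsGroup -and $_.DisplayName -eq $GroupName })
            Admins     = ($admins.DisplayName -join '; ')
            Error      = $null
        }
    }
    catch {
        # Get-SPOUser fails on sites the signed-in account cannot read;
        # record those instead of silently skipping them.
        [pscustomobject]@{
            Url        = $site.Url
            Searchable = $false
            Admins     = $null
            Error      = $_.Exception.Message
        }
    }
}

# Site collections an eDiscovery query will not reach yet
$report | Where-Object { -not $_.Searchable } |
    Format-Table Url, Admins, Error -AutoSize

# Full list, including who else holds admin rights on each site collection
$report | Export-Csv -Path .\ediscovery-coverage.csv -NoTypeInformation
```

The Admins column also shows every other account with site collection administrator rights, which is worth reviewing alongside the membership of the eDiscovery group itself.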

Follow these steps to give members of the eDiscovery managers' security group read permissions to crawl log information for your organization.

  1. In the Office 365 admin center, choose Admin > SharePoint.

  2. In the SharePoint admin center, click Search.

  3. On the Search administration page, click Crawl Log Permissions.

  4. In the Crawl Log Permissions box, type the <name of the eDiscovery managers' security group>, and then click OK.

Step 2: Open the eDiscovery Center

  1. Sign in to the Office 365 admin portal.

  2. In the Admin menu, choose SharePoint.

  3. Click the link to the eDiscovery Center on the site collections link page. Your eDiscovery Center URL will look similar to this:

    Site collection page with eDiscovery highlighted
  4. To open the eDiscovery Center, click the URL in the Web Site Address box. 

Step 3: Create an eDiscovery case

Cases are where you can run queries and export them for analysis. Follow these steps to create a case.

  1. In the eDiscovery Center, click Create new case.

  2. Type a <title and description> for your case. We recommend that you use the name of the type of sensitive information that you’re trying to locate with this case. For a list of information types that you can use in your query, check the sensitive information types inventory. In this example, you might want to title the case CreditCardNumbers because later you’ll search for credit card numbers in the query.

  3. In the Web Site Address box, type the last part of the URL you want for the case. Each case gets its own URL, so feel free to make this as unique and helpful as you’d like.


    • Use the case name for the URL.

    • Bookmark your case URL for future use. This can save you time because you won’t need to navigate to the case.

  4. Under Select a template, select eDiscovery Case.

  5. Under User Permissions, select whether to keep the same permissions as the parent site or use unique permissions. If specific people need access to this case but not to others, choose Use unique permissions.

  6. You can optionally choose to display the site on the Quick Launch or in the top link bar on the eDiscovery Center.

  7. Click Create.

Step 4: Query for sensitive data within a site

Go to your case menu by using the URL you created. The case menu is specific to the case you're working on and won't show other cases that are in the eDiscovery Center. (When querying for sensitive data, you only need to pay attention to two sections on this page: Queries and eDiscovery Sets.) Querying takes two steps: creating a query and running a query.

Create a query

  1. Under Queries, create a new item.

    • Give the query a name. 

    • Add your desired query term from the DLP sensitive information types inventory to the Query box. For example, you can use the following query to search for documents that contain five or more credit card numbers.

      SensitiveType:"Credit Card Number|5.."

      To learn how to form a DLP-specific query, see the Form a query to find sensitive data stored on sites topic. (Remember, you can only use sensitive types from the sensitive information types inventory. You can’t use custom sensitive types.)

    • Optionally, you can specify a start and end date.

    • Save the query, and the DLP-specific query is now in the Query list.

  2. Choose add location.

  3. Copy the URL of the site collection.

    • To search everything in a site collection, use the base URL of that site.

    • Select the check box to verify.

    • You have the option to add several locations.

    Notes: There are a few limitations to searching site collections.

    • You can search a specific site collection but not everything.

    • You can only search sites that have an admin assigned to them. If there’s not an admin assigned, then the admin group won’t have the proper permissions to search the sites.

  4. Save the scope.

The new sources are now in the query window.

Step 5: View and export the results of a query

You’ve made it. Now you can actually see the results of the query you’ve been building this whole time.

  1. Click Search to see the results on the bottom of the page.

    Important: Watch out for the default tab, which shows the results for Exchange, but there won’t be any results. Click the SharePoint tab and you’ll see the query data.

  2. Click the Export button to view the data in a spreadsheet. For more information about exporting your data, see Export eDiscovery content and create reports.

  3. Click Save if you want to keep the query.

For more information

Form a query to find sensitive data stored on sites

Assign eDiscovery permissions to OneDrive for Business sites

Searching and using keywords in eDiscovery

Sensitive information types inventory

Data loss prevention technical overview
