Manage eDiscovery cases in the Office 365 Security & Compliance Center

You can use eDiscovery cases in the Office 365 Security & Compliance Center to control who can create, access, and manage eDiscovery cases in your organization. An eDiscovery case allows you to add members to a case, control what types of actions that specific case members can perform, place a hold on content locations relevant to a legal case, and associate multiple Content Searches with a single case. You can also export the results of any Content Search that is associated with a case. eDiscovery cases are a good way to limit who has access to Content Searches and search results for a specific legal case in your organization.

Use the following workflow to set up and use eDiscovery cases in the Security & Compliance Center.

Step 1: Assign eDiscovery permissions to potential case members

Step 2: Create a new case and add members

Step 3: Place mailboxes and sites on hold

Step 4: Create and run a Content Search associated with the case

Step 5: Export the results of a Content Search associated with a case

(Optional) Step 6: Close a case

(Optional) Step 7: Re-open a closed case

More information about eDiscovery cases


Here's a video that shows you how to assign permissions, create a case and add members, run a Content Search, and place content locations on hold.

Step 1: Assign eDiscovery permissions to potential case members

The first step is to assign the appropriate eDiscovery-related permissions to people so you can add them to an eDiscovery case in Step 2. You have to be a member of the Organization Management role group (or be assigned the Role Management role) to assign eDiscovery permissions. The following list describes the eDiscovery-related role groups in the Security & Compliance Center.

  • Reviewer      This role group has the most restrictive eDiscovery-related permissions. Members of this group can only see and open the cases they are members of, as listed on the eDiscovery page in the Security & Compliance Center. They can't create cases, add members to a case, create holds, or create Content Searches.

  • eDiscovery Manager      Members of this role group can create and manage eDiscovery cases. They can add and remove members of a case, place content locations on hold, create and edit Content Searches associated with a case, and export the results of a Content Search. There are two subgroups in this role group; the difference between them is scope.

    • eDiscovery Manager      Can view and manage the eDiscovery cases they create or are a member of. If another eDiscovery Manager creates a case but doesn't add a second eDiscovery Manager as a member of that case, the second eDiscovery Manager won't be able to view or open the case on the eDiscovery page in the Security & Compliance Center.

    • eDiscovery Administrator      Can perform all case management tasks that an eDiscovery Manager can do. Additionally, an eDiscovery Administrator can:

      • View all cases that are listed on the eDiscovery page.

      • Manage any eDiscovery case in the organization after they add themselves as a member of the case.

      • Perform administrative tasks in Advanced eDiscovery, such as setting up users, creating cases, and importing data. This is because a person who is an eDiscovery Administrator in the Security & Compliance Center is automatically added as an administrator in Advanced eDiscovery.

        See the More information section for reasons why you may want an eDiscovery Administrator in your organization.

Important: If a person isn't a member of one of these eDiscovery-related role groups, or isn't a member of a role group that's assigned the Reviewer role, you can't add them as a member of an eDiscovery case.

To assign eDiscovery permissions:   

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Permissions, and then do one of the following based on the eDiscovery permissions that you want to assign.

    • To assign Reviewer permissions, select the Reviewer role group, and then click Edit. Under Members, click Add, select the user that you want to add to the Reviewer role group, and then click Add.

    • To assign eDiscovery Manager permissions, select the eDiscovery Manager role group, and then click Edit. Under eDiscovery Manager, click Add, select the user that you want to add as an eDiscovery Manager, and then click Add.

    • To assign eDiscovery Administrator permissions, select the eDiscovery Manager role group, and then click Edit. Under eDiscovery Administrator, click Add, select the user that you want to add as an eDiscovery Administrator, and then click Add.

  4. After you've added all the users, click OK, and then click Save to save the changes to the role group.


Step 2: Create a new case and add members

The next step is to create a new eDiscovery case and add members to it. You must be a member of the eDiscovery Manager role group to create eDiscovery cases. The eDiscovery Manager who creates a case is automatically added as a member of that case. Only members of a case can view it, and a member can manage the case only if they are also an eDiscovery Manager. As previously explained, a person who is assigned eDiscovery Administrator permissions can view and manage any eDiscovery case in the organization.

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Search & investigation > eDiscovery, and then click New.

  4. On the New Case page, give the case a name and description. The name of the case must be unique in your organization.

    The case name and description will be displayed in the list of cases on the eDiscovery page.

  5. Under Who should have access to this case?, click Add to add members to the new case.

  6. First, select yourself from the list of users and then click Add. Then add other users to the case.

    As previously explained, only users that are members of the Reviewer or eDiscovery Manager role group can be added to a case. If you want to add a user who isn't listed on the Select users page, you'll have to assign them eDiscovery permissions before you can add them as a member of the case.

  7. After you've added all the members, click OK.

  8. Click Finish to create the new eDiscovery case.


Step 3: Place mailboxes and sites on hold

You can use an eDiscovery case to create holds to preserve content that might be relevant to the case. You can place a hold on the mailboxes and OneDrive for Business sites of people who are custodians in the case. You can also place a hold on the group mailbox, SharePoint site, and OneDrive for Business site for an Office 365 group. When you place content locations on hold, content is held until you remove the hold from the content location or until you delete the hold.

When you create a hold, you have the following options to scope the content that is held in the specified content locations:

  • You can create an infinite hold where all content is placed on hold. Alternatively, you can create a query-based hold where only content that matches a search query is placed on hold.

  • You can specify a date range to hold only the content that was sent, received, or created within that date range. Alternatively, you can hold all content regardless of when it was sent, received, or created.

To create a hold for an eDiscovery case:

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, go to Search & investigation > eDiscovery.

  4. Select the case that you want to create the holds in, and then click Edit.

  5. On the case page, click Holds, and then click New.

  6. On the Create a new hold page, give the hold a name. The name of the hold must be unique in your organization.

  7. Choose the content locations that you want to place on hold. You can place mailboxes and sites on hold.

    Choose the content locations to place on hold
    1. Mailboxes   Click Add to specify mailboxes to place on hold. Use the search box to find user mailboxes and distribution groups (to place a hold on the mailboxes of group members) to place on hold. You can also place a hold on the mailbox for an Office 365 group.

      Note: When you click Add to specify mailboxes to place on hold, the mailbox picker that's displayed is empty. This is by design to enhance performance. To add people to this list, type a name (a minimum of 3 characters) in the search box and click Search.

    2. Sites   Click Add to specify SharePoint and OneDrive for Business sites to place on hold. Type the URL for each site that you want to place on hold. You can also add the URL for the SharePoint site for an Office 365 group.

      Tip: To collect a list of the URLs for the OneDrive for Business sites in your organization, use the script in Step 2 in Assign eDiscovery permissions to OneDrive for Business sites. This script creates a text file that contains a list of all OneDrive for Business sites. To run this script, you'll have to install and use the SharePoint Online Management Shell (see Step 1 in the previous topic). Be sure to append the URL for your organization's MySite domain to each OneDrive for Business site that you want to place on hold. This is the domain that contains all your OneDrive for Business sites; for example, https://woodgrovebank-my.sharepoint.com. Here's an example of a URL for a user's OneDrive for Business site: https://woodgrovebank-my.sharepoint.com/personal/clayn_woodgrovebank_onmicrosoft.com.

  8. When you're done adding mailboxes and sites to the hold, click Next.

  9. To create a query-based hold with conditions, complete the following. Otherwise, just click Finish to hold all content.

    Create a query-based hold by specifying keywords and conditions
    1. In the box under What do you want us to look for?, type a search query so that only the content that meets the search criteria is placed on hold. You can specify keywords, message properties, or document properties, such as file names. You can also use more complex queries that use a Boolean operator, such as AND, OR, or NOT. If you leave the keyword box empty, then all content located in the specified content locations will be placed on hold.

    2. Under Conditions, click Add condition to add one or more conditions to narrow the search query for the hold. Each condition adds a clause to the KQL search query that is created and run when you create the hold. For example, you can specify a date range so that only email or site documents that were created within that date range are placed on hold. A condition is logically connected to the keyword query (specified in the keyword box) by the AND operator. That means that items have to satisfy both the keyword query and the condition to be placed on hold.

    For more information about creating a search query and using conditions, see Keyword queries and search conditions for Content Search.

  10. After configuring a query-based hold, click Finish.


Step 4: Create and run a Content Search associated with the case

After an eDiscovery case is created and any custodians related to the case are placed on hold, you can create and run one or more Content Searches that are associated with the case. Content Searches associated with a case aren't listed on the Search page in the Security & Compliance Center. This means that Content Searches associated with a case can only be accessed by case members who are also members of the eDiscovery Manager role group.

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Search & investigation > eDiscovery, and then click the case that you want to associate a Content Search to.

  4. Click Edit, and then click Searches.

  5. On the Searches page, click New.

  6. On the New search page, type a name for the search. Content Searches associated with a case must have names that are unique within your Office 365 organization.

  7. Choose the content locations that you want to search. You can search mailboxes, sites, and public folders in the same search.

    Search case content locations, all content locations, or select specific content locations
    1. All case content   Select this option to search all the content locations that have been placed on hold in the case. If the case contains multiple holds, the content locations from all holds will be searched when you select this option. Additionally, if a content location was placed on a query-based hold, only the items that are on hold will be searched when you run the content search that you're creating in this step. For example, if a user was placed on a query-based case hold that preserves items that were sent or created before a specific date, only those items would be searched by using the search criteria of the content search. This is accomplished by connecting the case hold query and the content search query by an AND operator. See the More information section at the end of this article for more details about searching case content.

    2. Search everywhere   Select this option to search all content locations in your organization. When you select this option, you can choose to search all Exchange mailboxes (which includes the mailboxes for all Office 365 groups), all SharePoint and OneDrive for Business sites (which includes the sites for all Office 365 groups), and all public folders.

    3. Custom location selection   Select this option to select the mailboxes and sites that you want to search. When you select this option, the list of mailboxes and sites is pre-populated with the content locations that are placed on hold within the case.

      Select specific content locations to search

      But if you select this option and search any content location that's on hold, any query from a query-based case hold won't be applied to the search query. In other words, all content in a location is searched, not just the content that is preserved by a query-based case hold.

      You can remove the pre-populated case content locations or add new ones. If you choose this option, you also have flexibility to search all content locations for a specific service (such as searching all Exchange mailboxes) or you can search specific content locations for a service. You can also choose whether or not to search the public folders in your organization.

    Keep these things in mind when adding content locations to search:

    • When you click Add to specify mailboxes to search, the mailbox picker that's displayed is empty. This is by design to enhance performance. To add recipients to this list, type a name (a minimum of 3 characters) in the search box and click Search.

    • You can add inactive mailboxes, Office 365 groups, and distribution groups to the list of mailboxes to search. Dynamic distribution groups aren't supported. If you add an Office 365 group, the group mailbox is searched; the mailboxes of the group members aren't searched.

    • If you don't want to include any mailboxes or sites in a search, select Choose specific mailboxes to search or Choose specific sites to search, but don't add mailboxes or sites to the list.

    • To add sites, click Add, and then type the URL for each site that you want to search. You can also add the URL for the SharePoint site for Office 365 groups.

      Tip: To collect a list of the URLs for the OneDrive for Business sites in your organization, use the script in Step 2 in Assign eDiscovery permissions to OneDrive for Business sites. This script creates a text file that contains a list of all OneDrive for Business sites. To run this script, you'll have to install and use the SharePoint Online Management Shell (see Step 1 in the previous topic). Be sure to append the URL for your organization's MySite domain to each OneDrive for Business site that you want to search. This is the domain that contains all your OneDrive for Business sites; for example, https://contoso-my.sharepoint.com. Here's an example of a URL for a user's OneDrive for Business site: https://contoso-my.sharepoint.com/personal/sarad_contoso_onmicrosoft.com.

  8. Select Include items that have an unrecognized format, are encrypted, or weren't indexed for other reasons if you want to include unindexed items in the statistics of the estimated search results. The number of unindexed items that don't meet the search criteria will be included in the search statistics displayed in the details pane. If an unindexed item matches the search query (because other message or document properties meet the search criteria), it won't be included in the estimated number of unindexed items. However, if an unindexed item is excluded by the search criteria, it won't be included in the estimate of the search results. Unindexed items aren't available for previewing. For more information, see Unindexed items in Content Search in Office 365.

  9. After you've selected the content locations to search, click Next.

  10. On the New search page, you can add keywords and conditions to create the search query.

    Create a search query with keywords and conditions
    1. In the box under What do you want us to look for?, type a search query. You can specify keywords, message properties such as sent and received dates, or document properties such as file names or the date that a document was last changed. You can use more complex queries that use a Boolean operator, such as AND, OR, NOT, NEAR, or ONEAR. You can also search for sensitive information (such as social security numbers) in documents, or search for documents that have been shared externally. If you leave the keyword box empty, then all content located in the specified content locations will be included in the search results.

    2. Under Conditions, add conditions to a search query to narrow a search and return a more refined set of results. Each condition adds a clause to the KQL search query that is created and run when you start the search. A condition is logically connected to the keyword query (specified in the keyword box) by the AND operator. That means that items have to satisfy both the keyword query and the condition to be included in the results. This is how conditions help to narrow your results.

    For more information about creating a search query and using conditions, see Keyword queries for Content Search.

  11. Click Search to save the search settings and start the search.

    The search is started. After a while, an estimate of the search results is displayed in the details pane. The estimate includes the total size and number of items for the search results. After the search is completed, you can preview the search results. If necessary, click Refresh to update the information in the details pane.


Step 5: Export the results of a Content Search associated with a case

After a search is successfully run, you can export the search results. When you export search results, mailbox items are downloaded in PST files. When you export content from SharePoint and OneDrive for Business sites, copies of native Office documents and other documents are exported. A manifest file (in XML format) that contains information about every search result is also exported.

You can export the results of a single search or you can export the results of multiple searches.


Export the results of a single search associated with a case

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Search & investigation > eDiscovery, and then click the case that contains the search whose results you want to export.

  4. Click Edit, and then click Searches.

  5. In the list of searches for the case, click the search that you want to export search results from, click Export, and then click Export the results.

    The Export search results page is displayed. The workflow to export the results from a Content Search associated with a case is the same as exporting the search results for a search on the Content search page. For step-by-step instructions, see Export search results from the Office 365 Security & Compliance Center.

    After you start the export, the Exports page for the eDiscovery case is displayed and shows the export job that you just created.

  6. In the details pane for the export job, click Results to display the status of the export job and the percentage of items that have been transferred to an Azure storage area in the Microsoft cloud.

    When all items have been transferred, click Download exported results to download the search results to your local computer. For more information, see Step 2 in Export search results from the Office 365 Security & Compliance Center.

Note: If your organization has an Office 365 E5 subscription, you can also prepare the results of a single search for analysis in Advanced eDiscovery. For step-by-step instructions, see Prepare search results for Office 365 Advanced eDiscovery.


Export the results of multiple searches associated with a case

As an alternative to exporting the results of a single Content Search associated with a case, you can also export the results of multiple searches from the same case in a single export. Exporting the results of multiple searches is faster and easier than exporting the results one search at a time.

Note: You can only export the results of multiple searches for searches that are associated with an eDiscovery case. You can't export the results of multiple searches listed on the Content search page in the Security & Compliance Center.

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Search & investigation > eDiscovery, and then click the case that contains the searches whose results you want to export.

  4. Click Edit, and then click Searches.

  5. In the list of searches for the case, select two or more searches that you want to export search results from.

    Note: To select multiple searches, press Ctrl as you click each search. Or you can select multiple adjacent searches by clicking the first search, holding down the Shift key, and then clicking the last search.

  6. After you select the searches, click Export, and then click Export the results.

  7. The Export the search results for n searches page is displayed, where n is the number of searches that you're exporting results for.

    The workflow to export the results from multiple content searches associated with a case is the same as exporting the search results for a single search on the Content search page. For step-by-step instructions, see Export search results from the Office 365 Security & Compliance Center.

    After you start the export, the Exports page for the eDiscovery case is displayed and shows the export job that you just created. Note that the searches that were included in the export job are listed in the Searches column.

  8. In the details pane for the export job, click Results to display the status of the export job and the percentage of items that have been transferred to an Azure storage area in the Microsoft cloud.

    When all items have been transferred, click Download exported results to download the search results to your local computer. For more information, see Step 2 in Export search results from the Office 365 Security & Compliance Center.

More information about exporting the results of multiple searches

  • When you export the results of multiple searches, the search queries from all the searches are combined by using the OR operator, and then the combined search is started. The estimated results of the combined search are displayed in the details pane of the selected export job. The search results are then transferred to the Azure storage area in the Microsoft cloud. The status of the transfer is also displayed in the details pane. As previously stated, after all the search results have been transferred, you can download them to your local computer.

  • The maximum number of keywords from the search queries for all searches that you want to export is 500 (this is the same limit as for a single Content Search). That's because the export job combines all the search queries by using the OR operator. If you exceed this limit, an error will be returned. In this case, you'll have to export the results from fewer searches or simplify the search queries of the searches that you want to export.

  • The search results that are exported are organized by the content source the item was found in. That means a content source in the export results might have items returned by different searches. For example, if you chose to export email messages in one PST file for each mailbox, the PST file might have results from multiple searches.

  • If the same email item or document from the same content location is returned by more than one of the searches that you export, only one copy of the item will be exported.

  • You can't edit an export for multiple searches after you create it. For example, you can't add or remove searches from the export. You'll have to create a new export job to change which search results are exported. After an export job is created, you can only download the results to a computer, restart the export, or delete the export job.

  • If you restart the export, any changes to the queries of the searches that make up the export job won't affect the search results that will be retrieved. When you restart an export, the same combined search query job that was run when the export job was created will be run again.

  • If you restart an export from the Exports page in an eDiscovery case, the search results that are transferred to the Azure storage area will overwrite the previous results; the previous results that were transferred won't be available to be downloaded.

  • Preparing the results of multiple searches for analysis in Advanced eDiscovery isn't available. You can only prepare the results of a single search for analysis in Advanced eDiscovery.
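The workflow in Steps 1 through 5, driven from Security & Compliance Center PowerShell instead of the portal, as an added example that is not code from the original article. It assumes the ExchangeOnlineManagement module's Connect-IPPSSession for the connection; the case name, user names, site URLs, query text and date range are constructed placeholders.

```powershell
# Added example: Steps 1-5 of this article from Security & Compliance Center PowerShell.
# All case names, user names, site URLs and query text below are constructed placeholders.

# Connect to Security & Compliance Center PowerShell (assumes the ExchangeOnlineManagement module).
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$CaseName   = "Project Falcon investigation"          # must be unique in the organization
$Custodians = @("clayn@contoso.onmicrosoft.com", "sarad@contoso.onmicrosoft.com")
$Sites      = @(
    "https://contoso-my.sharepoint.com/personal/clayn_contoso_onmicrosoft_com",
    "https://contoso-my.sharepoint.com/personal/sarad_contoso_onmicrosoft_com"
)

# Step 1: only members of the Reviewer or eDiscovery Manager role group can be added to a case.
Add-RoleGroupMember -Identity "eDiscovery Manager" -Member "ediscovery.lead@contoso.onmicrosoft.com"
Add-RoleGroupMember -Identity "Reviewer"           -Member "outside.counsel@contoso.onmicrosoft.com"

# Step 2: create the case and add members. The account that creates the case is a member automatically.
New-ComplianceCase -Name $CaseName -Description "Constructed example case"
Add-ComplianceCaseMember -Case $CaseName -Member "ediscovery.lead@contoso.onmicrosoft.com"
Add-ComplianceCaseMember -Case $CaseName -Member "outside.counsel@contoso.onmicrosoft.com"

# Step 3: place custodian mailboxes and OneDrive sites on hold. The policy names the locations;
# the rule supplies the keyword query and date range that make it a query-based hold.
$HoldName = "$CaseName - custodian hold"
New-CaseHoldPolicy -Name $HoldName -Case $CaseName `
    -ExchangeLocation $Custodians -SharePointLocation $Sites -Enabled $true
New-CaseHoldRule -Name "$HoldName rule" -Policy $HoldName `
    -ContentMatchQuery '"Project Falcon" OR falcon-budget' `
    -ContentDateFrom "2017-01-01" -ContentDateTo "2017-06-30"

# Step 4: a search created with -Case is tied to the case, so it is not listed on the Content search
# page and is visible only to case members who are also eDiscovery Managers. Naming the locations
# explicitly corresponds to "Custom location selection" in the portal: the hold query is NOT applied
# automatically, so the same scope is repeated in the search query here.
$SearchName = "$CaseName - search 1"
New-ComplianceSearch -Name $SearchName -Case $CaseName `
    -ExchangeLocation $Custodians -SharePointLocation $Sites `
    -ContentMatchQuery '("Project Falcon" OR falcon-budget) AND (sent>=2017-01-01 AND sent<=2017-06-30)'
Start-ComplianceSearch -Identity $SearchName

# Wait for the estimate, then review item count and size before exporting anything.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $SearchName
} while ($search.Status -ne "Completed")
"{0}: {1} items, {2} bytes" -f $search.Name, $search.Items, $search.Size

# Step 5: export. Mailbox items go to one PST per mailbox; -EnableDedupe keeps a single copy of an
# item that appears in more than one location, matching the portal's de-duplication behaviour.
New-ComplianceSearchAction -SearchName $SearchName -Export `
    -Format FxStream -ExchangeArchiveFormat PerUserPst -Scope IndexedItemsOnly -EnableDedupe $true

# The export job's progress is then tracked with Get-ComplianceSearchAction, and the results are
# downloaded from the Exports page of the case as described in Step 5 above.
Get-ComplianceSearchAction -Identity "${SearchName}_Export"
```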


(Optional) Step 6: Close a case

When the legal case or investigation supported by an eDiscovery case in the Security & Compliance Center is completed, you can close the case. Here's what happens when you close a case:

  • If the case contains any content locations on hold, those holds will be turned off. This might result in content being permanently deleted or purged, either by the user or by an automated process, such as a deletion policy.

  • Closing a case only turns off the holds that are associated with that case. If other holds are placed on a content location (such as a Litigation Hold, a Preservation Policy, or a hold from a different eDiscovery case), those holds will still be maintained.

  • The case is still listed on the eDiscovery page in the Security & Compliance Center. The details, holds, searches, and members of a closed case are retained. To view these, just select the case and click Edit.

  • You can edit a case after it's closed. For example, you can add or remove members, create Content Searches, and export search results. The primary difference between active and closed cases is that holds are turned off when a case is closed.

To close a case:

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Search & investigation > eDiscovery.

  4. Select the case that you want to close, and then click Edit.

  5. On the Details page, click Close case.

    A warning is displayed saying that the holds associated with the case will be turned off.

  6. Click Yes to close the case.

    The status on the Details page is changed from Active to Closing.

  7. On the eDiscovery page, click Refresh to update the status of the closed case.

    When the process is complete, the status is changed to Closed, and information about when the case was closed and who closed it is displayed in the details pane. It might take up to 60 minutes for the closing process to complete.


(Optional) Step 7: Re-open a closed case

When you re-open a case, any holds that were in place when the case was closed won't be automatically reinstated. After the case is re-opened, you'll have to go to the Holds page and turn on the previous holds. To turn a hold on, select it and click Turn it on in the details pane.

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Search & investigation > eDiscovery.

  4. Select the case that you want to re-open, and then click Edit.

  5. On the Details page, click Reopen case.

    A warning is displayed saying that the holds that were associated with the case when it was closed won't be turned on automatically.

  6. Click Yes to re-open the case.

    The status on the Details page is changed from Closed to Active.
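Closing and re-opening a case (Steps 6 and 7) from Security & Compliance Center PowerShell, as an added example that is not code from the original article. Its point is the caveat above: re-opening does not reinstate the holds, so the script turns them back on and then verifies every hold in the case. The case name is a constructed placeholder, and the session is assumed to be already connected as in the earlier example.

```powershell
# Added example: Steps 6 and 7 of this article from Security & Compliance Center PowerShell.
# The case name is a constructed placeholder; a connected session is assumed.

$CaseName = "Project Falcon investigation"

# Step 6: close the case. This turns off every hold that belongs to this case (holds from other
# cases, Litigation Hold and Preservation Policies are unaffected), so confirm beforehand that
# nothing still needs to be preserved; released content can be purged by users or retention policies.
Set-ComplianceCase -Identity $CaseName -Close

# Step 7: re-open the case. The case's holds stay turned off until you turn them on again.
Set-ComplianceCase -Identity $CaseName -Reopen

# Turn each hold policy in the case back on. Enabled = $false after re-opening is expected;
# leaving it that way is a preservation gap.
Get-CaseHoldPolicy -Case $CaseName |
    Where-Object { -not $_.Enabled } |
    ForEach-Object { Set-CaseHoldPolicy -Identity $_.Name -Enabled $true }

# Verify: list every hold in the case with its enabled state and deployment status, and flag
# any that is still disabled. -DistributionDetail adds the per-policy DistributionStatus.
$Holds = Get-CaseHoldPolicy -Case $CaseName -DistributionDetail
$Holds | Select-Object Name, Enabled, DistributionStatus
$StillOff = @($Holds | Where-Object { -not $_.Enabled })
if ($StillOff.Count -gt 0) {
    Write-Warning ("{0} hold(s) in '{1}' are still turned off: {2}" -f `
        $StillOff.Count, $CaseName, ($StillOff.Name -join ", "))
}

# Access review for the re-opened case: who is a member (only members can open it), and who holds
# eDiscovery Administrator rights and can therefore open any case in the organization.
Get-ComplianceCaseMember -Case $CaseName
Get-eDiscoveryCaseAdmin
```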


More information

  • What about cases in the eDiscovery Center in SharePoint Online?   For convenience, you can access the eDiscovery Center from the eDiscovery page in the Security & Compliance Center. eDiscovery cases in the Security & Compliance Center and cases in the eDiscovery Center in SharePoint Online are completely different objects, and their underlying architecture is also different. As a result, existing cases in the eDiscovery Center can't be migrated to the Security & Compliance Center. If you have existing cases in the eDiscovery Center, we recommend that you continue to manage them in the eDiscovery Center until they are completed and you close them. If you have to support a new legal investigation in your organization, we recommend that you use eDiscovery cases in the Security & Compliance Center.

  • Why create an eDiscovery Administrator?   As previously explained, an eDiscovery Administrator is a member of the eDiscovery Manager role group who can view and access all eDiscovery cases in your organization. This ability to access all the eDiscovery cases has two important purposes:

    • If a person who is the only member of an eDiscovery case leaves your organization, no one (including members of the Organization Management role group or another member of the eDiscovery Manager role group) can access that eDiscovery case because they aren't a member of a case. In this situation, there would be no way to access the data in the case. But because an eDiscovery Administrator can access all eDiscovery cases in the organization, they can view the case in the Security & Compliance Center and add themselves or another eDiscovery manager as a member of the case.

    • Because an eDiscovery Administrator can view and access all eDiscovery cases, they can audit and oversee all cases and associated Content Searches. This can help to prevent any misuse of Content Searches or eDiscovery cases. And because eDiscovery Administrators can access potentially sensitive information in the results of a Content Search, you should limit the number of people who are eDiscovery Administrators.

    Finally, as previously explained, eDiscovery Administrators in the Security & Compliance Center are automatically added as administrators in Office 365 Advanced eDiscovery. That means a person who is an eDiscovery Administrator can perform administrative tasks in Advanced eDiscovery, such as setting up users, creating cases, and adding data to cases.

  • What are the licensing requirements to place content locations on hold?   In general, organizations require an Office 365 E3 subscription or higher to place content locations on hold. To place mailboxes on hold, an Exchange Online Plan 2 license is required. For more information, see this FAQ.

  • What else should you know about searching all case content in Step 4?   As previously explained, you can search the content locations that have been placed on hold in the case. When you do this, only the content that matches the hold criteria is searched. If there are no hold criteria, all content is searched. If content is on a query-based hold, only the content that matches both the hold criteria (from the hold placed in Step 3) and the search criteria (from the search in Step 4) is returned with the search results.

    Here are some other things to keep in mind when searching all case content:

    • If a content location is part of multiple holds within the same case, the hold queries are combined by an OR operator when you search that content location using the all case content option. Similarly, if a content location is part of two different holds, where one is query-based and the other is an infinite hold (where all content is placed on hold), then all content will be searched because of the infinite hold.

    • If a content search is for a case and you've configured it to search all case content and then you change a hold (by adding or removing a content location or changing the hold query), the search configuration is updated with those changes. However, you have to re-run the search after the hold is changed to update the search results.

    • If multiple case holds are placed on a content location in an eDiscovery case and you select to search all case content, the maximum number of keywords for that search query is 500. That's because the content search combines all the query-based holds by using the OR operator. If there are more than 500 keywords in the combined hold queries and the content search query, then all content in the mailbox is searched, not just the content that matches any of the query-based case holds.

    • If a case hold has a status of Turning on, you can still search the case content locations while the hold is being turned on.
