Manage eDiscovery cases in the Office 365 Security & Compliance Center

You can use eDiscovery cases in the Office 365 Security & Compliance Center to control who can create, access, and manage eDiscovery cases in your organization. An eDiscovery case allows you to add members to a case, control what types of actions specific case members can perform, place a hold on content locations relevant to a legal case, and associate multiple Content Searches with a single case. You can also export the results of any Content Search that is associated with a case. eDiscovery cases are a good way to limit who has access to Content Searches and search results for a specific legal case in your organization.

Use the following workflow to set up and use eDiscovery cases in the Security & Compliance Center.

Step 1: Assign eDiscovery permissions to potential case members

Step 2: Create a new case and add members

Step 3: Place mailboxes and sites on hold

Step 4: Create and run a Content Search associated with the case

Step 5: Export the results of a Content Search associated with a case

(Optional) Step 6: Close a case

(Optional) Step 7: Re-open a closed case

More information about eDiscovery cases

Step 1: Assign eDiscovery permissions to potential case members

The first step is to assign the appropriate eDiscovery-related permissions to people so you can add them to an eDiscovery case in Step 2. You have to be a member of the Organization Management role group (or be assigned the Role Management role) to assign eDiscovery permissions. The following list describes the eDiscovery-related role groups in the Security & Compliance Center.

  • Reviewer: This role group has the most restrictive eDiscovery-related permissions. Members of this group can only see and open the cases that they are members of in the list of cases on the eDiscovery page in the Security & Compliance Center. They can't create cases, add members to a case, create holds, or create Content Searches.

  • eDiscovery Manager: Members of this role group can create and manage eDiscovery cases. They can add and remove members of a case, place content locations on hold, create and edit Content Searches associated with a case, and export the results of a Content Search. There are two subgroups in this role group. The difference between these subgroups is based on scope.

    • eDiscovery Manager: Can view and manage the eDiscovery cases they create or are a member of. If another eDiscovery Manager creates a case but doesn't add a second eDiscovery Manager as a member of that case, the second eDiscovery Manager won't be able to view or open the case on the eDiscovery page in the Security & Compliance Center.

    • eDiscovery Administrator: Can perform all case management tasks that an eDiscovery Manager can do. Additionally, an eDiscovery Administrator can:

      • View all cases that are listed on the eDiscovery page.

      • Manage any eDiscovery case in the organization after they add themselves as a member of the case.

      • Perform administrative tasks in Advanced eDiscovery, such as setting up users, creating cases, and importing data. This is because a person who is an eDiscovery Administrator in the Security & Compliance Center is automatically added as an administrator in Advanced eDiscovery.

        See the More information section for reasons why you may want an eDiscovery Administrator in your organization.

Important: If a person isn't a member of one of these eDiscovery-related role groups, or isn't a member of a role group that's assigned the Reviewer role, you can't add them as a member of an eDiscovery case.

To assign eDiscovery permissions:   

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Permissions, and then do one of the following based on the eDiscovery permissions that you want to assign.

    • To assign Reviewer permissions, select the Reviewer role group, and then click Edit. Under Members, click Add, select the user that you want to add to the Reviewer role group, and then click Add.

    • To assign eDiscovery Manager permissions, select the eDiscovery Manager role group, and then click Edit. Under eDiscovery Manager, click Add, select the user that you want to add as an eDiscovery Manager, and then click Add.

    • To assign eDiscovery Administrator permissions, select the eDiscovery Manager role group, and then click Edit. Under eDiscovery Administrator, click Add, select the user that you want to add as an eDiscovery Administrator, and then click Add.

  4. After you've added all the users, click OK, and then click Save to save the changes to the role group.

Step 2: Create a new case and add members

The next step is to create a new eDiscovery case and add members to it. You must be a member of the eDiscovery Manager role group to create eDiscovery cases. The eDiscovery Manager who creates a case is automatically added as a member of that case. Only members of a case can view it, and a member can manage the case only if that member is also an eDiscovery Manager. As previously explained, a person who is assigned eDiscovery Administrator permissions can view and manage any eDiscovery case in the organization.

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Search & investigation > eDiscovery, and then click New.

  4. On the New Case page, give the case a name and description. The name of the case must be unique in your organization.

    The case name and description will be displayed in the list of cases on the eDiscovery page.

  5. Under Who should have access to this case?, click Add to add members to the new case.

  6. First, select yourself from the list of users, and then click Add. Then add other users to the case.

    As previously explained, only users that are members of the Reviewer or eDiscovery Manager role group can be added to a case. If you want to add a user who isn't listed on the Select users page, you'll have to assign them eDiscovery permissions before you can add them as a member of the case.

  7. After you've added all the members, click OK.

  8. Click Finish to create the new eDiscovery case.

Step 3: Place mailboxes and sites on hold

You can use an eDiscovery case to create holds to preserve content that might be relevant to the case. You can place a hold on the mailboxes and OneDrive for Business sites of people who are custodians in the case. You can also place a hold on the group mailbox, SharePoint site, and OneDrive for Business site for an Office 365 Group. Similarly, you can also place a hold on the mailbox and site that are associated with Microsoft Teams. When you place content locations on hold, content is held until you remove the hold from the content location or until you delete the hold.

When you create a hold, you have the following options to scope the content that is held in the specified content locations:

  • You can create an infinite hold where all content is placed on hold. Alternatively, you can create a query-based hold where only content that matches a search query is placed on hold.

  • You can specify a date range to hold only the content that was sent, received, or created within that date range. Alternatively, you can hold all content regardless of when it was sent, received, or created.

Tip: To quickly place the mailboxes and OneDrive for Business sites of a list of users on hold, see Use a script to add users to a hold in an eDiscovery case in the Office 365 Security & Compliance Center.

To create a hold for an eDiscovery case:

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, go to Search & investigation > eDiscovery.

  4. Select the case that you want to create the holds in, and then click Edit.

  5. On the case page, click Holds, and then click New.

  6. On the Create a new hold page, give the hold a name. The name of the hold must be unique in your organization.

  7. Choose the content locations that you want to place on hold. You can place mailboxes and sites on hold.

    1. Mailboxes: Click Add to specify mailboxes to place on hold. Use the search box to find user mailboxes and distribution groups (to place a hold on the mailboxes of group members). You can also place a hold on the associated mailbox for an Office 365 Group and Microsoft Teams.

      Note: When you click Add to specify mailboxes to place on hold, the mailbox picker that's displayed is empty. This is by design to enhance performance. To add people to this list, type a name (a minimum of 3 characters) in the search box and click Search.

    2. Sites: Click Add to specify SharePoint and OneDrive for Business sites to place on hold. Type the URL for each site that you want to place on hold. You can also add the URL for the SharePoint site for an Office 365 Group and Microsoft Teams.

    See the More information section for tips on putting Office 365 Groups and Microsoft Teams on hold.

  8. When you're done adding mailboxes and sites to the hold, click Next.

  9. To create a query-based hold with conditions, complete the following. Otherwise, just click Finish to hold all content.

    1. In the box under What do you want us to look for?, type a search query so that only the content that meets the search criteria is placed on hold. You can specify keywords, message properties, or document properties, such as file names. You can also use more complex queries that use a Boolean operator, such as AND, OR, or NOT. If you leave the keyword box empty, then all content located in the specified content locations will be placed on hold.

    2. Under Conditions, click Add condition to add one or more conditions to narrow the search query for the hold. Each condition adds a clause to the KQL search query that is created and run when you create the hold. For example, you can specify a date range so that email or site documents that were created within the date range are placed on hold. A condition is logically connected to the keyword query (specified in the keyword box) by the AND operator. That means that items have to satisfy both the keyword query and the condition to be placed on hold.

    For more information about creating a search query and using conditions, see Keyword queries and search conditions for Content Search.

  10. After configuring a query-based hold, click Finish to create the hold.

Hold statistics

After a while, information about the new hold is displayed in the details pane on the Holds page for the selected hold. This information includes the number of mailboxes and sites on hold and statistics about the content that was placed on hold, such as the total number and size of items placed on hold and the last time the hold statistics were calculated. These hold statistics help you identify how much content that's related to the eDiscovery case is being held.

Keep the following things in mind about hold statistics:

  • The total number of items on hold indicates the number of items from all content sources that are placed on hold. If you've created a query-based hold, this statistic indicates the number of items that match the query.

  • The number of items on hold also includes unindexed items that are found in the content locations. If you create a query-based hold, only the unindexed items that aren't excluded by the query are included in the statistics. For more information about unindexed items, see Unindexed items in Content Search in Office 365.

  • You can get the latest hold statistics by clicking Update statistics to re-run a search estimate that calculates the current number of items on hold. If necessary, click Refresh in the toolbar to update the hold statistics in the details pane.

  • It's normal for the number of items on hold to increase over time because users whose mailbox or site is on hold are typically sending or receiving new email messages and creating new SharePoint and OneDrive for Business documents.

Step 4: Create and run a Content Search associated with the case

After an eDiscovery case is created and any custodians related to the case are placed on hold, you can create and run one or more Content Searches that are associated with the case. Content Searches associated with a case aren't listed on the Search page in the Security & Compliance Center. This means that Content Searches associated with a case can only be accessed by case members who are also members of the eDiscovery Manager role group.

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Search & investigation > eDiscovery, and then click the case that you want to associate a Content Search with.

  4. Click Edit, and then click Searches.

  5. On the Searches page, click New.

  6. On the New search page, type a name for the search. Content Searches associated with a case must have names that are unique within your Office 365 organization.

  7. Choose the content locations that you want to search. You can search mailboxes, sites, and public folders in the same search.

    1. All case content: Select this option to search all the content locations that have been placed on hold in the case. If the case contains multiple holds, the content locations from all holds will be searched when you select this option. Additionally, if a content location was placed on a query-based hold, only the items that are on hold will be searched when you run the content search that you're creating in this step. For example, if a user was placed on a query-based case hold that preserves items that were sent or created before a specific date, only those items would be searched by using the search criteria of the content search. This is accomplished by connecting the case hold query and the content search query by an AND operator. See the More information section at the end of this article for more details about searching case content.

    2. Search everywhere: Select this option to search all content locations in your organization. When you select this option, you can choose to search all Exchange mailboxes (which includes the mailboxes for all Office 365 Groups and Microsoft Teams), all SharePoint and OneDrive for Business sites (which includes the sites for all Office 365 Groups and Microsoft Teams), and all public folders.

    3. Custom location selection: Select this option to select the mailboxes and sites that you want to search. When you select this option, the list of mailboxes and sites is pre-populated with the content locations that are placed on hold within the case.

      However, if you select this option and search any content location that's on hold, any query from a query-based case hold won't be applied to the search query. In other words, all content in a location is searched, not just the content that is preserved by a query-based case hold.

      You can remove the pre-populated case content locations or add new ones. If you choose this option, you also have flexibility to search all content locations for a specific service (such as searching all Exchange mailboxes) or you can search specific content locations for a service. You can also choose whether or not to search the public folders in your organization.

    Keep these things in mind when adding content locations to search:

    • When you click Add to specify mailboxes to search, the mailbox picker that's displayed is empty. This is by design to enhance performance. To add recipients to this list, type a name (a minimum of 3 characters) in the search box and click Search.

    • You can add inactive mailboxes, Office 365 Groups, Microsoft Teams, and distribution groups to the list of mailboxes to search. Dynamic distribution groups aren't supported. If you add Office 365 Groups or Microsoft Teams, the group or team mailbox is searched; the mailboxes of the group members aren't searched.

    • If you don't want to include any mailboxes or sites in a search, select Choose specific mailboxes to search or Choose specific sites to search, but don't add mailboxes or sites to the list.

    • To add sites, click Add, and then type the URL for each site that you want to search. You can also add the URL for the SharePoint site for Office 365 Groups and Microsoft Teams.

  8. Click the Include items that have an unrecognized format, are encrypted, or weren't indexed for other reasons option if you want to include unindexed items in the statistics of the estimated search results. The number of unindexed items that don't meet the search criteria will be included in the search statistics displayed in the details pane. If an unindexed item matches the search query (because other message or document properties meet the search criteria), it won't be included in the estimated number of unindexed items. However, if an unindexed item is excluded by the search criteria, it won't be included in the estimate of the search results. Unindexed items aren't available for previewing. For more information, see Unindexed items in Content Search in Office 365.

  9. After you've selected the content locations to search, click Next.

  10. On the New search page, you can add keywords and conditions to create the search query.

    1. In the box under What do you want us to look for?, type a search query. You can specify keywords, message properties such as sent and received dates, or document properties such as file names or the date that a document was last changed. You can use more complex queries that use a Boolean operator, such as AND, OR, NOT, NEAR, or ONEAR. You can also search for sensitive information (such as social security numbers) in documents, or search for documents that have been shared externally. If you leave the keyword box empty, then all content located in the specified content locations will be included in the search results.

    2. Under Conditions, add conditions to a search query to narrow a search and return a more refined set of results. Each condition adds a clause to the KQL search query that is created and run when you start the search. A condition is logically connected to the keyword query (specified in the keyword box) by the AND operator. That means that items have to satisfy both the keyword query and the condition to be included in the results. This is how conditions help to narrow your results.

    For more information about creating a search query and using conditions, see Keyword queries for Content Search.

  11. Click Search to save the search settings and start the search.

    The search is started. After a while, an estimate of the search results is displayed in the details pane. The estimate includes the total size and number of items for the search results. After the search is completed, you can preview the search results. If necessary, click Refresh to update the information in the details pane.
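Steps 2 through 4 can also be scripted. The following is an added example, not part of the original article: it creates a case, adds a member, places custodians on a query-based hold, and then searches all case content so that the hold query is ANDed with the search query. It assumes an existing Security & Compliance Center PowerShell session opened by an eDiscovery Manager; every name, address, URL and query is a constructed placeholder.

```powershell
# Added example, not from the original article.
# Assumption: a Security & Compliance Center PowerShell session is already open
# and the signed-in user is a member of the eDiscovery Manager role group.
# All values below are constructed placeholders.
$CaseName    = 'Example Case 001'
$Members     = @('reviewer@contoso.example')      # users other than the creator
$Mailboxes   = @('custodian1@contoso.example', 'custodian2@contoso.example')
$Sites       = @('https://contoso.example/sites/example-project')
$HoldName    = "$CaseName - custodian hold"
$HoldQuery   = '"example project" AND (sent>=01/01/2017 AND sent<=12/31/2017)'
$SearchName  = "$CaseName - budget search"
$SearchQuery = 'budget OR forecast'

# Case names must be unique in the organization. Hold and search names must be
# unique too; the New-* cmdlets below stop the script if a name is already taken.
if (Get-ComplianceCase | Where-Object Name -eq $CaseName) {
    throw "A case named '$CaseName' is already visible to this account."
}

# Step 2: create the case and add members. The creator is added automatically,
# so $Members lists only the other people who need access.
New-ComplianceCase -Name $CaseName -Description 'Constructed example case' `
    -ErrorAction Stop | Out-Null
foreach ($member in $Members) {
    # Fails if the user holds no eDiscovery-related role (see Step 1).
    Add-ComplianceCaseMember -Case $CaseName -Member $member -ErrorAction Stop
}

# Step 3: the hold policy names the content locations; the hold rule carries
# the query. Omitting -ContentMatchQuery on the rule holds all content.
New-CaseHoldPolicy -Name $HoldName -Case $CaseName `
    -ExchangeLocation $Mailboxes -SharePointLocation $Sites `
    -Enabled $true -ErrorAction Stop | Out-Null
New-CaseHoldRule -Name "$HoldName rule" -Policy $HoldName `
    -ContentMatchQuery $HoldQuery -ErrorAction Stop | Out-Null

# Step 4: "All case content". -HoldNames All searches every location on hold in
# the case; for query-based holds only items matching BOTH queries are returned.
New-ComplianceSearch -Name $SearchName -Case $CaseName -HoldNames All `
    -ContentMatchQuery $SearchQuery -ErrorAction Stop | Out-Null
Start-ComplianceSearch -Identity $SearchName -ErrorAction Stop

# Poll for the estimate instead of refreshing the details pane by hand.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $SearchName
} until ($search.Status -eq 'Completed' -or (Get-Date) -gt $deadline)

if ($search.Status -ne 'Completed') {
    Write-Warning "Search '$SearchName' is still '$($search.Status)'; check again later."
}

# Estimated results, as shown in the details pane.
[pscustomobject]@{
    Case   = $CaseName
    Search = $SearchName
    Status = $search.Status
    Items  = $search.Items
    Size   = $search.Size
}
```

To reproduce the "Custom location selection" behaviour instead, replace -HoldNames All with -ExchangeLocation and -SharePointLocation; in that case the hold query is not applied and all content in those locations is searched.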

Step 5: Export the results of a Content Search associated with a case

After a search is successfully run, you can export the search results. When you export search results, mailbox items are downloaded in PST files. When you export content from SharePoint and OneDrive for Business sites, copies of native Office documents and other documents are exported. A manifest file (in XML format) that contains information about every search result is also exported.

You can export the results of a single search or you can export the results of multiple searches.

Export the results of a single search associated with a case

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Search & investigation > eDiscovery, and then click the case that you want to associate a Content Search with.

  4. Click Edit, and then click Searches.

  5. In the list of searches for the case, click the search that you want to export search results from, click Export, and then click Export the results.

    The Export search results page is displayed. The workflow to export the results from a Content Search associated with a case is the same as exporting the search results for a search on the Content search page. For step-by-step instructions, see Export search results from the Office 365 Security & Compliance Center.

    Note: When you export search results, you have the option to enable de-duplication so that only one copy of an email message is exported even though multiple instances of the same message might have been found in the mailboxes that were searched. For more information about de-duplication and how duplicate items are identified, see De-duplication in eDiscovery search results.

    After you start the export, the Exports page for the eDiscovery case is displayed and shows the export job that you just created.

  6. In the details pane for the export job, click Results to display the status of the export job and the percentage of items that have been transferred to an Azure storage area in the Microsoft cloud.

    When all items have been transferred, click Download exported results to download the search results to your local computer. For more information, see Step 2 in Export search results from the Office 365 Security & Compliance Center.

Note: If your organization has an Office 365 E5 subscription, you can also prepare the results of a single search for analysis in Advanced eDiscovery. For step-by-step instructions, see Prepare search results for Office 365 Advanced eDiscovery.

Export the results of multiple searches associated with a case

As an alternative to exporting the results of a single Content Search associated with a case, you can also export the results of multiple searches from the same case in a single export. Exporting the results of multiple searches is faster and easier than exporting the results one search at a time.

Note: You can only export the results of multiple searches for searches that are associated with an eDiscovery case. You can't export the results of multiple searches listed on the Content search page in the Security & Compliance Center.

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Search & investigation > eDiscovery, and then click the case that you want to associate a Content Search with.

  4. Click Edit, and then click Searches.

  5. In the list of searches for the case, select two or more searches that you want to export search results from.

    Note: To select multiple searches, press Ctrl as you click each search. Or you can select multiple adjacent searches by clicking the first search, holding down the Shift key, and then clicking the last search.

  6. After you select the searches, click Export, and then click Export the results.

  7. The Export the search results for n searches page is displayed, where n is the number of searches that you're exporting results for.

    The workflow to export the results from multiple content searches associated with a case is the same as exporting the search results for a single search on the Content search page. For step-by-step instructions, see Export search results from the Office 365 Security & Compliance Center.

    Note: When you export search results from multiple searches associated with a case, you also have the option to enable de-duplication so that only one copy of an email message is exported even though multiple instances of the same message might have been found in the mailboxes that were searched in one or more of the searches. For more information about de-duplication and how duplicate items are identified, see De-duplication in eDiscovery search results.

    After you start the export, the Exports page for the eDiscovery case is displayed and shows the export job that you just created. Note that the searches that were included in the export job are listed in the Searches column.

  8. In the details pane for the export job, click Results to display the status of the export job and the percentage of items that have been transferred to an Azure storage area in the Microsoft cloud.

    When all items have been transferred, click Download exported results to download the search results to your local computer. For more information, see Step 2 in Export search results from the Office 365 Security & Compliance Center.

More information about exporting the results of multiple searches

  • When you export the results of multiple searches, the search queries from all the searches are combined by using OR operators, and then the combined search is started. The estimated results of the combined search are displayed in the details pane of the selected export job. The search results are then transferred to the Azure storage area in the Microsoft cloud. The status of the transfer is also displayed in the details pane. As previously stated, after all the search results have been transferred, you can download them to your local computer.

  • The maximum number of keywords from the search queries for all searches that you want to export is 500 (this is the same limit as for a single Content Search). That's because the export job combines all the search queries by using the OR operator. If you exceed this limit, an error will be returned. In this case, you'll have to export the results from fewer searches or simplify the search queries of the searches that you want to export.

  • The search results that are exported are organized by the content source the item was found in. That means a content source in the export results might have items returned by different searches. For example, if you chose to export email messages in one PST file for each mailbox, the PST file might have results from multiple searches.

  • If the same email item or document from the same content location is returned by more than one of the searches that you export, only one copy of the item will be exported.

  • You can't edit an export for multiple searches after you create it. For example, you can't add or remove searches from the export. You'll have to create a new export job to change which search results are exported. After an export job is created, you can only download the results to a computer, restart the export, or delete the export job.

  • If you restart the export, any changes to the queries of the searches that make up the export job won't affect the search results that will be retrieved. When you restart an export, the same combined search query job that was run when the export job was created will be run again.

  • If you restart an export from the Exports page in an eDiscovery case, the search results that are transferred to the Azure storage area will overwrite the previous results; the previous results that were transferred won't be available to be downloaded.

  • Preparing the results of multiple searches for analysis in Advanced eDiscovery isn't available. You can only prepare the results of a single search for analysis in Advanced eDiscovery.

(Optional) Step 6: Close a case

When the legal case or investigation supported by an eDiscovery case in the Security & Compliance Center is completed, you can close the case. Here's what happens when you close a case:

  • If the case contains any content locations on hold, those holds will be turned off. This might result in content being permanently deleted or purged, either by the user or by an automated process, such as a deletion policy.

  • Closing a case only turns off the holds that are associated with that case. If other holds are placed on a content location (such as a Litigation Hold, a Preservation Policy, or a hold from a different eDiscovery case), those holds will still be maintained.

  • The case is still listed on the eDiscovery page in the Security & Compliance Center. The details, holds, searches, and members of a closed case are retained. To view these, just select the case and click Edit.

  • You can edit a case after it's closed. For example, you can add or remove members, create Content Searches, and export search results. The primary difference between active and closed cases is that holds are turned off when a case is closed.

To close a case:

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Search & investigation > eDiscovery.

  4. Select the case that you want to close, and then click Edit.

  5. On the Details page, click Close case.

    A warning is displayed saying that the holds associated with the case will be turned off.

  6. Click Yes to close the case.

    The status on the Details page is changed from Active to Closing.

  7. On the eDiscovery page, click Refresh to update the status of the closed case.

    When the process is complete, the status is changed to Closed, and information about when the case was closed and who closed it is displayed in the details pane. It might take up to 60 minutes for the closing process to complete.

(Optional) Step 7: Re-open a closed case

When you re-open a case, any holds that were in place when the case was closed won't be automatically reinstated. After the case is re-opened, you'll have to go to the Holds page and turn on the previous holds. To turn a hold on, select it and click Turn it on in the details pane.

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the Security & Compliance Center, click Search & investigation > eDiscovery.

  4. Select the case that you want to re-open, and then click Edit.

  5. On the Details page, click Reopen case.

    A warning is displayed saying that the holds that were associated with the case when it was closed won't be turned on automatically.

  6. Click Yes to re-open the case.

    The status on the Details page is changed from Closed to Active.

More information

  • What about cases in the eDiscovery Center in SharePoint Online?   For convenience, you can access the eDiscovery Center from the eDiscovery page in the Security & Compliance Center. eDiscovery cases in the Security & Compliance Center and cases in the eDiscovery Center in SharePoint Online are completely different objects, and their underlying architecture is also different. As a result, existing cases in the eDiscovery Center can't be migrated to the Security & Compliance Center. If you have existing cases in the eDiscovery Center, we recommend that you continue to manage them in the eDiscovery Center until they are completed and you close them. If you have to support a new legal investigation in your organization, we recommend that you use eDiscovery cases in the Security & Compliance Center.

  • Why create an eDiscovery Administrator?   As previously explained, an eDiscovery Administrator is a member of the eDiscovery Manager role group who can view and access all eDiscovery cases in your organization. This ability to access all the eDiscovery cases has two important purposes:

    • If a person who is the only member of an eDiscovery case leaves your organization, no one (including members of the Organization Management role group or another member of the eDiscovery Manager role group) can access that eDiscovery case because they aren't a member of a case. In this situation, there would be no way to access the data in the case. But because an eDiscovery Administrator can access all eDiscovery cases in the organization, they can view the case in the Security & Compliance Center and add themselves or another eDiscovery manager as a member of the case.

    • Because an eDiscovery Administrator can view and access all eDiscovery cases, they can audit and oversee all cases and associated Content Searches. This can help to prevent any misuse of Content Searches or eDiscovery cases. And because eDiscovery Administrators can access potentially sensitive information in the results of a Content Search, you should limit the number of people who are eDiscovery Administrators.

    Finally, as previously explained, eDiscovery Administrators in the Security & Compliance Center are automatically added as administrators in Office 365 Advanced eDiscovery. That means a person who is an eDiscovery Administrator can perform administrative tasks in Advanced eDiscovery, such as setting up users, creating cases, and adding data to cases.

  • What are the licensing requirements to place content locations on hold?   In general, organizations require an Office 365 E3 subscription or higher to place content locations on hold. To place mailboxes on hold, an Exchange Online Plan 2 license is required. For more information, see this FAQ.

  • What else should you know about searching all case content in Step 4?   As previously explained, you can search all the content locations that have been placed on hold in the case. When you do this, only the content that matches the hold criteria is searched. If there are no hold criteria, all content is searched. If content locations are on a query-based hold, only the content that matches both hold criteria (from the hold placed in Step 3) and the search criteria (from the search in Step 4) is returned with the search results.

    Here are some other things to keep in mind when searching all case content:

    • If a content location is part of multiple holds within the same case, the hold queries are combined by an OR operator when you search that content location using the all case content option. Similarly, if a content location is part of two different holds, where one is query-based and the other is an infinite hold (where all content is placed on hold), then all content will be searched because of the infinite hold.

    • If a content search is for a case and you've configured it to search all case content and then you change a hold (by adding or removing a content location or changing the hold query), the search configuration is updated with those changes. However, you have to re-run the search after the hold is changed to update the search results.

    • If multiple case holds are placed on a content location in an eDiscovery case and you select to search all case content, the maximum number of keywords for that search query is 500. That’s because the content search combines all the query-based holds by using the OR operator. If there are more than 500 keywords in the combined hold queries and the content search query, then all content in the mailbox is searched, not just the content that matches any of the query-based case holds.

    • If a case hold has a status of Turning on, you can still search the case content locations while the hold is being turned on.
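The rules above for searching all case content, worked through for a single content location. This is an added example, not code from the original article: the function names and sample queries are hypothetical, and the way keywords are counted is an assumption, so treat the count as an early warning before the combined queries reach the 500-keyword limit.

```powershell
# Added example, not Microsoft's code. Models the "search all case content" rules
# for ONE content location. Function names and sample queries are hypothetical.

function Get-KeywordCount {
    # Assumption: a keyword is any term left after removing parentheses and the
    # AND/OR/NOT/NEAR operators. The service's own count may differ.
    param([string]$Query)
    $terms = ($Query -replace '[()]', ' ') -split '\s+'
    return @($terms | Where-Object { $_ -and $_ -cnotmatch '^(AND|OR|NOT|NEAR)$' }).Count
}

function Get-CaseContentScope {
    param(
        [string[]]$HoldQueries,    # one entry per hold on the location; '' = infinite hold
        [string]$SearchQuery,
        [int]$KeywordLimit = 500   # limit stated in the article
    )
    if ($null -eq $HoldQueries -or $HoldQueries.Count -eq 0) {
        throw 'The location is not on hold in this case.'
    }
    $queryBased = @($HoldQueries | Where-Object { $_ -and $_.Trim() })
    $infinite   = $queryBased.Count -lt $HoldQueries.Count
    # Query-based holds on the same location are combined with OR.
    $holdPart   = ($queryBased | ForEach-Object { "($_)" }) -join ' OR '
    $keywords   = [int]((@($queryBased) + $SearchQuery |
                         ForEach-Object { Get-KeywordCount $_ } |
                         Measure-Object -Sum).Sum)
    $scope = if ($infinite) {
        'All content: an infinite hold overrides the query-based holds'
    } elseif ($keywords -gt $KeywordLimit) {
        'All content: combined queries exceed the keyword limit'
    } else {
        'Only content that matches a hold query'
    }
    [pscustomobject]@{
        HoldScope    = $scope
        HoldFilter   = if ($scope -like 'Only*') { $holdPart } else { '(none)' }
        SearchQuery  = $SearchQuery
        KeywordCount = $keywords
    }
}

# Constructed sample: two query-based holds on the same mailbox.
Get-CaseContentScope -HoldQueries 'budget OR forecast', 'subject:"merger"' -SearchQuery 'confidential'
# Constructed sample: the same mailbox is also on an infinite hold.
Get-CaseContentScope -HoldQueries 'budget OR forecast', '' -SearchQuery 'confidential'
```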

  • What about placing a hold on Office 365 Groups and Microsoft Teams?   Microsoft Teams are built on Office 365 Groups. Therefore, placing them on hold in an eDiscovery case is very similar. Keep the following things in mind when placing Office 365 Groups and Microsoft Teams on hold.

    • To place content located in Office 365 Groups and Microsoft Teams on hold, you have to specify the mailbox and SharePoint site that are associated with a group or team.

    • Run the Get-UnifiedGroup cmdlet in Exchange Online to view properties for an Office 365 Group or Microsoft Team. This is a good way to get the URL for the site that's associated with an Office 365 Group or a Microsoft Team. For example, the following command displays selected properties for an Office 365 Group named Senior Leadership Team:

      Get-UnifiedGroup "Senior Leadership Team" | FL DisplayName,Alias,PrimarySmtpAddress,SharePointSiteUrl
      
      DisplayName            : Senior Leadership Team
      Alias                  : seniorleadershipteam
      PrimarySmtpAddress     : seniorleadershipteam@contoso.onmicrosoft.com
      SharePointSiteUrl      : https://contoso.sharepoint.com/sites/seniorleadershipteam
      

      Note: To run the Get-UnifiedGroup cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.

    • When a user's mailbox is searched, any Office 365 Group or Microsoft Team that the user is a member of won't be searched. Similarly, when you place an Office 365 Group or Microsoft Team hold, only the group mailbox and group site are placed on hold; the mailboxes and OneDrive for Business sites of group members aren't placed on hold unless you explicitly add them to the hold. Therefore, if you need to place an Office 365 Group or Microsoft Team on hold for legal reasons, consider adding the mailboxes and OneDrive for Business sites for group and team members on the same hold.

    • To get a list of the members of an Office 365 Group or Microsoft Team, you can view the properties on the Home > Groups page in the Office 365 admin center. Alternatively, you can run the following command in Exchange Online PowerShell:

      Get-UnifiedGroupLinks <group or team name> -LinkType Members | FL DisplayName,PrimarySmtpAddress 

      Note: To run the Get-UnifiedGroupLinks cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.

    • Conversations that are part of a Microsoft Teams channel are stored in the mailbox that's associated with the Microsoft Team. Similarly, files that team members share in a channel are stored on the team's SharePoint site. Therefore, you have to place the Microsoft Team mailbox and SharePoint site on hold to preserve conversations and files in a channel.

      Alternatively, conversations that are part of the Chat list in Microsoft Teams are stored in the mailboxes of the users who participate in the chat. And files that a user shares in Chat conversations are stored in the OneDrive for Business site of the user who shares the file. Therefore, you have to place the individual user mailboxes and OneDrive for Business sites on hold to preserve conversations and files in the Chat list. That's why it's a good idea to place a hold on the mailboxes of members of a Microsoft Team in addition to placing the team mailbox (and site) on hold.
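The two cmdlets shown above can be combined to list the locations that a hold on an Office 365 Group or Microsoft Team should cover. This is an added example, not code from the original article; the function name Get-GroupHoldLocation and the CSV file name are hypothetical.

```powershell
# Added example, not Microsoft's code. Run in an Exchange Online PowerShell session
# with the View-Only Recipients role. Get-GroupHoldLocation is a hypothetical name.

function Get-GroupHoldLocation {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-UnifiedGroup -Identity $GroupName -ErrorAction Stop

    # Channel conversations are stored in the group mailbox.
    [pscustomobject]@{
        Owner = $group.DisplayName; Kind = 'Group mailbox'; Location = $group.PrimarySmtpAddress
    }

    # Files shared in a channel are stored on the group's SharePoint site.
    if ($group.SharePointSiteUrl) {
        [pscustomobject]@{
            Owner = $group.DisplayName; Kind = 'Group site'; Location = $group.SharePointSiteUrl
        }
    } else {
        Write-Warning "No SharePointSiteUrl returned for '$GroupName'; channel files would not be held."
    }

    # Chat conversations are stored in each participant's own mailbox, so list the members too.
    $members = Get-UnifiedGroupLinks -Identity $group.Alias -LinkType Members -ResultSize Unlimited
    foreach ($member in $members) {
        [pscustomobject]@{
            Owner = $member.DisplayName; Kind = 'Member mailbox'; Location = $member.PrimarySmtpAddress
        }
    }
}

$locations = Get-GroupHoldLocation -GroupName 'Senior Leadership Team'
$locations | Format-Table -AutoSize

# Keep the list with the case records so the hold can be checked against it later.
$locations | Export-Csv -Path .\SeniorLeadershipTeam-hold-locations.csv -NoTypeInformation
```

The output does not include the members' OneDrive for Business sites; add those from the list of site URLs described in the OneDrive for Business entry on this page.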

  • How do I find the URL for OneDrive for Business sites?    To collect a list of the URLs for the OneDrive for Business sites in your organization so you can add them to a hold or search associated with an eDiscovery case, use the script in Step 2 in Assign eDiscovery permissions to OneDrive for Business sites. This script creates a text file that contains a list of all OneDrive for Business sites. To run this script, you'll have to install and use the SharePoint Online Management Shell (see Step 1 in the previous topic). Be sure to append the URL for your organization’s MySite domain to each OneDrive for Business site that you want to search. This is the domain that contains all your OneDrive for Business sites; for example, https://contoso-my.sharepoint.com. Here's an example of a URL for a user's OneDrive for Business site: https://contoso-my.sharepoint.com/personal/sarad_contoso_onmicrosoft.com.
