In Microsoft 365, data is stored across three platforms: Exchange, Teams, and SharePoint. These platforms serve as the backbone for organizing and managing data within Microsoft 365 applications. Most Microsoft 365 apps store data in one or more of the following containers:
- Users: Data associated with individual users, such as their mail, 1:1 Teams messages, and OneDrive files.
- Groups: Data owned by the organization or a group of users within an organization. These groups are often referred to as Unified Groups or Teams.
In eDiscovery, the concept of a data source streamlines the process of identifying and managing data across Microsoft 365 platforms. eDiscovery users select a user or group, which creates a data source, and eDiscovery automatically identifies and organizes relevant data stored across platforms. The data source gathers locations related to the user or group (mailboxes, OneDrive sites, SharePoint sites) and adds them to the data source hierarchy. eDiscovery users refine the scope by selecting or excluding specific locations as needed.
A user data source typically includes:
- User mailbox
- OneDrive site
Unified groups are classified into three types, each covering specific data locations:
- Teams: Includes Exchange mailbox storage for Teams chats and emails, as well as all associated SharePoint sites for channels and the team.
- Yammer: Includes Exchange mailbox storage for Yammer messages.
- Classic: Includes only SharePoint sites.
eDiscovery users can also use organization-wide sources to search across your organization. Organization-wide sources include:
- All people and groups: Includes all users and all groups in your organization.
- All public folders: Includes all content in Exchange public folder mailboxes.
A common case is that a set of user mailboxes must be searched and the list is managed as a distribution list. Adding distribution lists is supported, and only the Exchange mailboxes listed in the group are searched.
You can search for specific data sources or data locations using user or group names, mailbox Simple Mail Transfer Protocol (SMTP) addresses, and OneDrive or SharePoint site URLs. When a search is created using specific data sources, only the locations specified in the data source are searched.
If the organization-wide source All people and groups is used, the search covers all Exchange mailboxes, OneDrive, and SharePoint sites. If the eDiscovery user wants to search all Exchange mailboxes only, select mailboxes under All people and groups and deselect the sites. If you need to search all SharePoint and OneDrive sites only, select sites under All people and groups and deselect the mailboxes.
Real-time data source sync helps ensure that you're always informed about the latest changes in data locations associated with users and groups. You can query if any specific data sources are added to a search, if a hold includes newly provisioned data locations, or if data locations are removed.
For example, if a private channel is created for a Teams group, the sync feature on the data source panel alerts you of the new location, allowing you to quickly and easily include it in searches or holds. This sync ensures that new data doesn't go unnoticed and is included in your investigations. This sync also helps prevent potential data loss from location changes.
Adding data sources to cases
Tip
Want to try premium eDiscovery features? See the subscription requirements for Microsoft 365 Enterprise E5 licensing.
After you enable premium eDiscovery features for a case, complete the following steps to add data sources to a case:
Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned eDiscovery permissions.
Select the eDiscovery solution card and then select Cases in the left nav.
Select a case, then select the Data sources tab to add data sources to the case. Once sources are added to this tab, these data sources are available to choose from in all searches and holds in the case.
Select Add and pick choices from the following data source areas:
Note
When searching for sources, some sources might show up with a ? in front of the source and labeled as Unverified. These sources (sites or mailboxes) couldn't be verified as a valid source when selected. These mailboxes or sites are external or the site is private or locked. Adding unverified sources to searches or holds is supported and verification for these sources is tried again when the search is run. Final search and hold results are included in the location .csv file in the process report.
The left side of the pane displays the Filter options for sources.
In the Scope items by section, only All sources in the tenant (default) is available. Select any data source available in your organization.
Use one of the following options in the Show for filter to help scope your sources in the Search section:
- All people and groups (default)
- People only
- Groups only
If applicable, select Exclude inactive users to reduce the scope of sources to only currently active users in your organization.
After you filter data sources, use the search control and selectors in the Search section to add specific data sources, users, and groups to the search query. Enter the specific users, groups, or organization locations you want to add in the search field and select Search.
Search for people using the following values:
- First and family name of the user display name (for example, John Smith)
- First name only
- User SMTP address
- User alias
- Exchange GUID
- URL of the user's OneDrive site
Search for groups using the following values:
- Group mailbox SMTP address
- URL of group site. The URL of a Teams channel site resolves the Teams group as a data source.
If you add a distribution group, the list of group members isn't listed and the group is added to the search as a data source mailbox. When the search is run, the distribution group member mailboxes are expanded and fully searched.
To confirm the mailboxes searched for the distribution group members, use the Locations_the date/time of the report information in the Process report after the search is completed. To confirm group membership before running the search, select the ellipsis menu for the group and Members.
Select Add to add the data source to the selected case. This data source is now available when adding data sources for searches and holds in the case.
Important
Management of individual data resources for a data source is only available when adding the case-level data source to an individual search and hold in the case. For example, to include or exclude mailboxes or sites in a search or hold for data source configured at the case level, add the case-level data source to the search or hold, then select Manage.
Adding data sources to searches and holds
Complete the following steps to add data sources to the specific search or hold:
In a new search or hold, select Add sources or select + and select Add data sources in the drop-down. This allows you to search and select specific data sources to search or hold against.
If the search needs to be performed against organization-wide mailboxes or sites, select Add tenant-side sources in the empty search or select the + button and choose an organization-wide source from the dropdown.
Note
Organization-wide sources are only available in searches, not holds.
The left side of the pane displays the Filter options for sources. Use filters to scope the data sources by:
All sources in the tenant (default): Use this option to search from data sources available in your organization.
All sources in this case: Use this option to choose from data sources added at the case level. This option allows you to quickly use data sources added to the case in a search or hold without having to search across your entire organization.
Use one of the following options in the Show for filter to help scope your sources in the Search section:
- All people and groups (default)
- People only
- Groups only
If applicable, select Exclude inactive users to reduce the scope of sources to only currently active users.
Use the Locations to include control to specify whether the selected data sources added to the search or hold include:
- Mailboxes and sites (default): Selected people or group sources include both the mailbox and the site in the search or hold. This means selecting a user includes both the mailbox and OneDrive for the user. Selecting a Microsoft 365 group includes the group mailbox and all associated group sites.
- Mailboxes only: Only the mailbox associated with the selected user or group is included. OneDrive and SharePoint sites aren't included.
- Sites only: Only sites associated with the selected user or group are included. Mailboxes aren't included.
After you've filtered the data sources, use the search control and selectors in the Search section to add specific data sources, users, and groups to the search query. Enter the specific users, groups, or organization locations you want to add in the search field and select Search.
Select Save and close to add the data source to the current search or hold.
Alternatively, select Manage to fine-tune the relevant mailboxes and sites under the selected sources. The Manage view provides a detailed view of all mailboxes and sites associated with each source, displaying details such as the mailbox SMTP address and site URL. For Teams sources, it also includes the corresponding channel names and type information.
Other considerations
If you add a distribution group, the list of group members isn't listed and it's added to the search as a data source mailbox. When the search is run, the distribution group member mailboxes are expanded and fully searched. To confirm the mailboxes searched for the distribution group members, use the Locations_the date/time of the report information in the Process report after the search is completed. To confirm group membership before running the search, select the ellipsis menu for the group and members.
If the membership of the distribution group changes after adding it as a data source in the search, run the search again to include items for the current members of the group. Each time the search is run, current members are included and former members are excluded.
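One way to check the coverage described above, as an added example that is not part of the original documentation or Microsoft's tooling: it compares a saved membership snapshot with the mailboxes in the locations .csv and reports membership drift between two runs. The `Location` column name, the CSV layout, and the sample addresses are assumptions; pass the header your exported report actually uses.

```python
import csv
import io

def normalize(addr):
    """SMTP addresses compare case-insensitively; strip stray whitespace."""
    return addr.strip().lower()

def searched_mailboxes(report_csv, column="Location"):
    """Return mailbox addresses listed in the locations report.

    Site URLs are skipped: a distribution group contributes only mailboxes.
    The column name is an assumption, not a documented schema.
    """
    rows = csv.DictReader(io.StringIO(report_csv))
    values = (normalize(r.get(column) or "") for r in rows)
    return {v for v in values if "@" in v and not v.startswith("http")}

def coverage(members, report_csv, column="Location"):
    """Compare a membership snapshot with what the search covered."""
    expected = {normalize(m) for m in members}
    searched = searched_mailboxes(report_csv, column)
    return {
        "missing": sorted(expected - searched),     # members not searched
        "unexpected": sorted(searched - expected),  # searched, not in snapshot
    }

def drift(previous_members, current_members):
    """Membership change between two runs of the same search."""
    prev = {normalize(m) for m in previous_members}
    curr = {normalize(m) for m in current_members}
    return {"added": sorted(curr - prev), "dropped": sorted(prev - curr)}

# Constructed sample data (not real output from the product).
SNAPSHOT_RUN_1 = ["Ana@contoso.example", "bo@contoso.example", "cy@contoso.example"]
SNAPSHOT_RUN_2 = ["ana@contoso.example", "cy@contoso.example", "dee@contoso.example"]
REPORT_RUN_2 = """Location,Type
ana@contoso.example,Mailbox
CY@contoso.example,Mailbox
https://contoso.example/sites/legal,Site
"""

if __name__ == "__main__":
    print(coverage(SNAPSHOT_RUN_2, REPORT_RUN_2))
    print(drift(SNAPSHOT_RUN_1, SNAPSHOT_RUN_2))
```

A non-empty `dropped` list identifies former members whose mailboxes the rerun no longer covers, so earlier results for those custodians should be preserved before rerunning.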
In the Manage sources view, some selected sources might not display associated sites. This can happen for several reasons:
- OneDrive Not Provisioned: If a user doesn't have OneDrive provisioned, their source includes only a mailbox and not a OneDrive site.
- Deleted Users: If a user has been removed from the directory, their OneDrive site might still exist but is no longer linked to their user object. It won’t appear under their source in the Manage view.
Data source options
After sources are added to a search or hold, you can edit the sources or explore to related sources as needed. Select the ellipsis next to the source you want to edit or remove.
The following options are available in User or group options:
- Manage data source
- Include/remove a mailbox
- Include/remove sites
Explore to related sources
You can explore and add related sources from existing sources in a search or hold. These options give you the ability to investigate potentially relevant sources and bring in more sources to a specific search or hold.
For users added in the Data Sources pane, you can explore the following connections:
- Manager
- Direct reports
- Frequent collaborators
- Groups the user owns
- Groups the user is a member of
Exploring these relationships can help you quickly identify and include relevant individuals and data sources in a search scope. Use Manage to fine-tune whether to include only mailboxes, only sites, or both related sources in a search or hold.
Manager
This option allows you to explore upward in the reporting chain. Selecting the user’s manager helps include supervisory or decision-making context in your investigation.
Direct reports
Explore downward in the organization hierarchy for the user. This is useful when the selected user is a manager or team lead, and you want to include their team members' communications or content.
Frequent collaborators
Find other users that frequently collaborate with the selected user. Frequent collaborators are the top 10 users who are most relevant to the selected user and you can select the mailboxes and sites for these users as data sources for searches.
Groups the user owns
This shows groups for which the selected user is listed as an owner. These groups might contain shared content or communications relevant to the investigation.
Groups the user is a member of
This includes all groups the user is a member of, even if they aren't the owner. These groups might provide additional context or shared data sources.
Group members
When a group is added in the Data Sources pane, you can explore and expand the group to view its members. This allows you to:
- Identify individual users within the group that might hold relevant data.
- Select specific members as additional data sources for targeted searches.
This feature helps when investigating shared content or communications originating from collaborative groups such as Microsoft 365 Groups, Teams, or distribution lists.
Note
The list of group members and groups that a user is in or owns is capped at 100. If a user is included in more than 100 groups, owns more than 100 groups, or if a group has more than 100 members, only the first 100 members are displayed.