Cases
A case contains all searches, holds, and review sets related to a specific investigation. This investigation might include responding to regulatory and litigation requests. You can also assign members to a case to control who can access the case and view the contents of the case. eDiscovery also supports new case creation integration with Microsoft Purview Insider Risk Management cases.
There are two general types of cases in eDiscovery:
- Cases created in eDiscovery using Create case on the Cases dashboard.
- A single Content Search case created in eDiscovery using Create case on the Content Search dashboard.
Content Search case
Starting on May 26, 2025, all content searches are contained in a single eDiscovery case named Content search and the Content Search option in the eDiscovery (classic) experience in the Microsoft Purview portal is retired. The new Content Search option in the new eDiscovery experience displays a set of all existing content searches in your organization and contains any new content searches that you create in the Microsoft Purview portal.
Data sources
In eDiscovery, the concept of data sources streamlines the process of identifying and managing data across Microsoft 365 platforms. eDiscovery users select a user or group, which creates a data source, and eDiscovery automatically identifies and organizes relevant data stored across platforms. The data source gathers locations related to the user or group (mailboxes, OneDrive sites, SharePoint sites) and adds the locations to the data source hierarchy. eDiscovery users refine the scope by selecting or excluding specific locations as needed.
Exports and downloads
After a search associated with an eDiscovery case is successfully run, you can export the search results. When you export search results, mailbox items are downloaded in PST files or as individual messages. When you export content from SharePoint and OneDrive sites, copies of native Office documents and other documents are exported.
If search results are added to a review set from a case, you can also export review set content to a download package. This package is configurable and includes options to export selected documents only, all filtered documents, or all documents in the review set.
Holds and hold policies
You can use an eDiscovery case to create hold policies to preserve content that might be relevant to the investigation with an eDiscovery hold. You can place a hold on the Exchange mailboxes and OneDrive accounts of people you're investigating in the case. You can also place a hold on the mailboxes and sites that are associated with Microsoft Teams, Microsoft 365 groups, and Viva Engage Groups. When you place content locations on hold, content is preserved until you remove the content location from the hold or until you delete the hold.
If needed, you can also place a mailbox on Litigation Hold to preserve all mailbox content, including deleted items and original versions of modified items. When you place a mailbox on Litigation Hold, the user's archive mailbox (if it's enabled) is also placed on hold.
Permissions
If you want people to use any of the eDiscovery-related features in the Microsoft Purview portal, you have to assign them the appropriate permissions. The easiest way to assign roles is to add the person to the appropriate role group on the Role groups page in the Microsoft Purview portal.
Tip
You can view your own permissions on the eDiscovery overview page in the Microsoft Purview portal. You must have at least one role assigned for your permissions to be displayed.
Processes
eDiscovery includes a Process report that lists all activities that count towards case concurrency and daily limits in eDiscovery for a defined time period. Processes in eDiscovery (preview) are activities associated with specific tasks that support cases, searches, and review sets. User actions trigger processes when using these components.
eDiscovery administrators and eDiscovery Managers (preview) can access this report. Process managers help you view information that is automatically scoped to cases, searches, review sets, and holds.
Review sets
A review set is a secure, Microsoft-provided Azure Storage location in the Microsoft cloud. When you add data to a review set, the collected items are copied from their original content location to the review set. Review sets provide a static, known set of content that you can search, filter, tag, analyze, and predict relevancy using predictive coding models. You can also track and report on what content gets added to the review set.
Searches
Use search to quickly find content relevant to a case. Searches might include email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Skype for Business. You can use the search tools to search for email, documents, and instant messaging conversations in collaboration tools such as Microsoft Teams and Microsoft 365 Groups.
You can create and run different searches that are associated with the case. You use conditions (such as keywords) to build search queries that return search results with the data that's most likely relevant to the case.
You can also:
- View search statistics and sample items that might help you refine a search query to narrow the results.
- Preview the search results to quickly verify whether the relevant data is being found.
- Revise a query and rerun the search.
- Export the search results or add the search results to a review set.
Search samples
Samples from a search provide a representative sample of items returned by the defined search criteria. Viewing details about individual items can help you determine if the search needs to be refined or if the representative items support adding the search results to a review set or an export file.
Search statistics
Statistics from a search provide insights into data volume, the content locations that contain results, the number of hits for search query conditions, and more. These insights can help you decide whether the search should be revised to narrow or expand its scope before moving on to the review and analyze stages in the eDiscovery workflow.
Trigger events
Trigger events are activities that are escalated in your organization and start the creation of a new case in eDiscovery. These events can be requests from internal or external partners, integrated events associated with alerts in other Microsoft Purview solutions (for example, Insider Risk Management cases), or any other activity that might benefit from the search, investigation, and mitigation actions included with eDiscovery.