eDiscovery Solutions in Microsoft Purview
eDiscovery (Electronic Discovery) solutions in Microsoft Purview provide organizations with powerful tools to identify, collect, preserve, and analyze electronic data for legal investigations, regulatory inquiries, and compliance purposes. Microsoft Purview offers a tiered approach to eDiscovery with three main solutions.
**1. Content Search:** This is the most basic eDiscovery tool that allows administrators to search for content across Microsoft 365 services, including Exchange Online mailboxes, SharePoint Online sites, OneDrive accounts, and Microsoft Teams. Users can create keyword queries, apply filters, and export search results for further review.
**2. eDiscovery (Standard):** Building upon Content Search, this solution adds case management capabilities. It allows organizations to create cases, assign custodians, place content locations on hold (legal hold) to preserve relevant data, and manage workflows. Legal holds ensure that potentially relevant content is not deleted or modified during an investigation. Case members can be assigned specific roles and permissions to control access.
**3. eDiscovery (Premium):** This is the most advanced tier, offering end-to-end workflow capabilities for complex investigations. Key features include custodian management, legal hold notifications, advanced indexing, review set analytics, and near-duplicate detection. It leverages machine learning and predictive coding to help reduce the volume of data for review. Premium also supports conversation threading for Teams and email messages, making it easier to reconstruct communications in context.
**Key Capabilities Across Solutions:**
- Preservation of electronically stored information (ESI)
- Search across multiple Microsoft 365 workloads
- Export and download of relevant content
- Audit logging for compliance tracking
- Role-based access control for security
eDiscovery solutions in Microsoft Purview help organizations meet legal obligations, reduce risks associated with litigation, and streamline the process of managing electronic evidence. They are essential for organizations needing to respond to legal matters efficiently while maintaining compliance with data governance requirements.
eDiscovery Solutions in Microsoft Purview: A Complete Guide for SC-900
Why eDiscovery Solutions in Microsoft Purview Matter
In today's digital-first world, organizations generate massive volumes of electronic data across emails, documents, chat messages, and more. When legal proceedings, regulatory investigations, or internal audits arise, organizations must be able to efficiently identify, collect, preserve, and review relevant electronic information. This process is known as electronic discovery (eDiscovery). Failure to properly manage eDiscovery can result in legal penalties, regulatory fines, and reputational damage. Microsoft Purview provides built-in eDiscovery solutions that allow organizations to search, hold, and export content across Microsoft 365 services in a compliant and defensible manner.
What Is eDiscovery in Microsoft Purview?
eDiscovery in Microsoft Purview is a set of tools and capabilities within the Microsoft Purview compliance portal that help organizations find, preserve, collect, process, review, and export electronic content for legal or compliance purposes. The content sources include Exchange Online mailboxes, SharePoint Online sites, OneDrive for Business accounts, Microsoft Teams messages, Yammer conversations, and more.
Microsoft Purview offers three tiers of eDiscovery capabilities:
1. Content Search
Content Search is the most basic eDiscovery tool. It allows compliance officers and administrators to search for content across Microsoft 365 services using keyword queries, date ranges, senders, recipients, and other conditions. Key features include:
- Searching across all Microsoft 365 content locations (mailboxes, sites, public folders)
- Using Keyword Query Language (KQL) for advanced search queries
- Previewing and exporting search results
- No legal hold capabilities at this tier
2. eDiscovery (Standard)
Previously known as Core eDiscovery, this tier builds upon Content Search and adds case management and legal hold capabilities. Key features include:
- Case management: Organize searches and exports into discrete cases for different legal matters
- Legal holds (eDiscovery holds): Place content locations on hold to preserve content relevant to a case and prevent deletion or modification
- Associating searches with specific cases
- Managing who has access to specific cases through role-based access control
- Exporting search results for external review
3. eDiscovery (Premium)
Previously known as Advanced eDiscovery, this is the most feature-rich tier and provides an end-to-end workflow for managing eDiscovery processes. Key features include:
- Custodian management: Identify and manage custodians (people of interest) and their associated data sources
- Legal hold notifications: Automate the process of sending, tracking, and escalating legal hold notices to custodians
- Advanced indexing: Re-indexes custodian data for deeper and more accurate searches, including processing of partially indexed items
- Review sets: Collect relevant content into a review set where you can filter, search, tag, annotate, and redact documents
- Analytics: Leverages machine learning and AI capabilities to reduce the volume of data for review, including:
  - Near-duplicate detection: Groups nearly identical documents together
  - Email threading: Reconstructs email conversations and identifies unique messages
  - Themes: Analyzes documents to identify dominant themes across the dataset
  - Relevance scoring (predictive coding): Uses machine learning to prioritize documents likely to be relevant
- Conversation reconstruction: Reconstructs Teams and Yammer conversations into threaded views
- Collection from non-Microsoft 365 sources: Import data from third-party sources for review
- Export with metadata: Export content with full metadata and load files compatible with third-party review tools
How eDiscovery Works in Microsoft Purview
The general eDiscovery workflow in Microsoft Purview follows these steps:
Step 1: Identify and Preserve
Identify the people (custodians) and data sources relevant to a legal matter. Place legal holds on these content locations to ensure data is preserved and cannot be deleted or tampered with. In eDiscovery (Premium), hold notifications can be automated and tracked.
Step 2: Collect and Search
Use search tools to query content across Microsoft 365 services. Create search queries using keywords, date ranges, file types, senders, and other conditions. In eDiscovery (Premium), collected data is added to a review set for further processing.
Step 3: Process and Analyze
In eDiscovery (Premium), collected data is processed, indexed, and analyzed. The analytics capabilities (near-duplicate detection, email threading, themes) help reduce the volume of content that must be manually reviewed.
Step 4: Review
Review the collected content within review sets. Use filtering, tagging, annotation, and redaction tools to identify responsive and privileged documents. Relevance scoring helps prioritize the most important documents.
Step 5: Export
Export the final set of relevant documents for production to opposing counsel, regulators, or for internal use. Exports include content files, metadata, and load files in industry-standard formats.
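The Standard-tier part of this workflow (create a case, preserve, then search) can also be scripted with Security & Compliance PowerShell. The following is an added example, not part of the original guide; the case name, accounts, site URL and queries are constructed placeholders, and it assumes the ExchangeOnlineManagement module and an account in the eDiscovery Manager role group.

```powershell
# Added example: eDiscovery (Standard) case, hold and search.
# Every name, address, URL and query below is a constructed placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'ediscovery.manager@contoso.example'

$caseName   = 'Example Matter 001'
$holdName   = 'Example Matter 001 - Hold'
$searchName = 'Example Matter 001 - Mail search'
$custodian  = 'custodian@contoso.example'
$site       = 'https://contoso.sharepoint.com/sites/ExampleProject'

# Case management: holds and searches are organised under one case,
# and access is limited to the members of that case.
New-ComplianceCase -Name $caseName -Description 'Constructed example case'
Add-ComplianceCaseMember -Case $caseName -Member 'reviewer@contoso.example'

# Step 1 (Identify and Preserve): the hold policy names the locations,
# the hold rule narrows what is preserved inside them (KQL).
New-CaseHoldPolicy -Name $holdName -Case $caseName `
    -ExchangeLocation $custodian -SharePointLocation $site -Enabled $true
New-CaseHoldRule -Name "$holdName - Rule" -Policy $holdName `
    -ContentMatchQuery '"Example Project"'

# Confirm the hold reached its locations before relying on it.
Get-CaseHoldPolicy -Identity $holdName -Case $caseName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus

# Step 2 (Collect and Search): keyword plus sent-date range,
# scoped to the custodian's mailbox and tied to the same case.
$kql = '"Example Project" AND sent>=2024-01-01 AND sent<=2024-06-30'
New-ComplianceSearch -Name $searchName -Case $caseName `
    -ExchangeLocation $custodian -ContentMatchQuery $kql
Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes, then report the hit count and size.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
$search | Select-Object Name, Status, Items, Size
```

The hold here belongs to the case, which is the distinction the guide draws between eDiscovery holds and organization-wide retention policies.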
Key Concepts to Understand
- Legal Hold (eDiscovery Hold): A mechanism to preserve content in place. When a hold is placed on a mailbox or site, content cannot be permanently deleted by users. Held content is retained even if users try to delete it.
- Custodian: A person who may have control over or access to documents relevant to a legal matter. eDiscovery (Premium) provides formal custodian management.
- Review Set: A static collection of content gathered into a secure Azure Storage location for review and analysis. Only available in eDiscovery (Premium).
- Compliance boundaries: Logical boundaries that control which content locations an eDiscovery manager can search, useful in multi-national or multi-department organizations.
Permissions and Roles
To use eDiscovery tools, users must be assigned appropriate roles in the Microsoft Purview compliance portal:
- eDiscovery Manager: Can create and manage cases, add members, place holds, create searches, and export results. Can only access their own cases.
- eDiscovery Administrator: Has all the permissions of an eDiscovery Manager but can also access and manage ALL cases in the organization.
- Members of the Organization Management role group can assign eDiscovery permissions.
Licensing Requirements
- Content Search: Available with most Microsoft 365 and Office 365 subscriptions
- eDiscovery (Standard): Requires Microsoft 365 E3/G3/F3 or Office 365 E3/G3 (or equivalent)
- eDiscovery (Premium): Requires Microsoft 365 E5/G5, Microsoft 365 E5 Compliance, or Microsoft 365 E5 eDiscovery and Audit add-on
Comparison Table: eDiscovery Tiers
| Tier | Search | Case management | Legal holds | Review sets | Analytics |
| --- | --- | --- | --- | --- | --- |
| Content Search | Search across M365 | No case management | No legal holds | No review sets | No analytics |
| eDiscovery (Standard) | Search across M365 | Case management | Legal holds | No review sets | No analytics |
| eDiscovery (Premium) | Search across M365 | Case management | Legal holds + custodian notifications | Review sets | Analytics (near-duplicate detection, email threading, themes, relevance) |
Exam Tips: Answering Questions on eDiscovery Solutions in Microsoft Purview
1. Know the Three Tiers and Their Differences
The SC-900 exam frequently tests your understanding of the differences between Content Search, eDiscovery (Standard), and eDiscovery (Premium). Remember: Content Search = search and export only; Standard adds case management and holds; Premium adds custodians, review sets, analytics, and hold notifications.
2. Understand Legal Holds
Be clear that legal holds are available starting from eDiscovery (Standard), NOT from Content Search. If a question asks about preserving content for a legal investigation, the answer involves eDiscovery (Standard) at minimum.
3. Review Sets and Analytics = eDiscovery (Premium)
If a question mentions review sets, near-duplicate detection, email threading, themes, predictive coding, or custodian management, the answer is always eDiscovery (Premium).
4. Recognize the Workflow
Be familiar with the general eDiscovery workflow: Identify → Preserve → Collect → Process → Review → Export. Questions may describe a scenario and ask which step or feature applies.
5. Permissions Matter
Remember the difference between eDiscovery Manager (manages their own cases) and eDiscovery Administrator (can access all cases). If a question asks about a compliance officer needing access to all cases in the organization, the answer is eDiscovery Administrator.
6. Watch for Keywords in Questions
- "Search for content across Microsoft 365" → Content Search or any eDiscovery tier
- "Preserve data" or "legal hold" → eDiscovery (Standard) or (Premium)
- "Manage custodians" or "hold notifications" → eDiscovery (Premium)
- "Review and analyze collected data" or "reduce data volume for review" → eDiscovery (Premium)
- "Near-duplicate detection" or "email threading" → eDiscovery (Premium) analytics
7. Don't Confuse eDiscovery Holds with Retention Policies
eDiscovery holds are used for legal purposes and are tied to specific cases. Retention policies (from Microsoft Purview Data Lifecycle Management) are used for broader data governance. The exam may try to test whether you can distinguish between these two concepts.
8. Remember the Portal
eDiscovery solutions are accessed through the Microsoft Purview compliance portal (compliance.microsoft.com) or the newer Microsoft Purview portal (purview.microsoft.com). The exam may reference either.
9. Focus on Concepts, Not Deep Technical Details
The SC-900 is a fundamentals-level exam. You are expected to understand what eDiscovery does and when to use each tier, not how to configure advanced search queries or set up review sets step by step.
10. Practice Scenario-Based Thinking
Many SC-900 questions present a scenario and ask you to choose the right solution. For example: "Your legal team needs to search for emails related to a lawsuit and ensure the data cannot be deleted. Which eDiscovery solution should you use?" → The answer is eDiscovery (Standard) because it provides both search capabilities and legal holds. If the question additionally mentions the need for advanced analytics or review sets, then the answer shifts to eDiscovery (Premium).
By understanding the purpose, tiers, features, and workflow of eDiscovery solutions in Microsoft Purview, you will be well-prepared to answer related questions confidently on the SC-900 exam.