eDiscovery FAQ
Caution: We've moved the eDiscovery FAQ to support.office.com. This version of the FAQ on Wiki is no longer being maintained, and will eventually be removed. The on-going eDiscovery investments are being made primarily in Office 365, specifically in the Security & Compliance Center. Here’s a landing page with links to eDiscovery-related help topics: https://support.office.com/en-US/article/eDiscovery-in-Office-365-143b3ab8-8cb0-4036-a5fc-6536d837bfce
This article addresses frequently asked questions about eDiscovery in Office 365, Exchange 2013, SharePoint 2013, and Lync 2013.
Overview
Q: What is eDiscovery?
A: eDiscovery, or electronic discovery, is the process used by organizations to find, preserve, analyze, and package electronic content (often referred to as electronically stored information or ESI) for a legal request or investigation.
Q: How does eDiscovery work in Microsoft Office 365, SharePoint, Exchange, and Lync?
A: The eDiscovery Center is a SharePoint site collection where cases are defined, sources to be tracked are identified, holds on content are placed or removed, queries are issued, and results reviewed and exported.
Some key features of the SharePoint eDiscovery Center are:
- Manage Cases: An eDiscovery administrator or user creates, manages and uses eDiscovery cases through the eDiscovery Center (EDC).
- Work with Multiple Types of Content: Preserve, search, and export documents, email messages, OneNote files, webpages, community posts, microblogs, Lync IMs, and more, provided they are crawled and indexed by search.
- Identify Content Sources: Content sources that might be relevant, such as e-mail messages and documents, are added to one or more collections of source content called eDiscovery Sets.
- Perform In-Place Hold: A copy of the content can be preserved in-place and in real time, while people continue to work on the original content.
- Create and Run Queries: Queries return relevant content and statistics quickly, which helps you answer questions fast.
- Export Content: After you review your results, relevant content can be transferred out of the system into an offline and portable format.
Exchange In-Place Holds enable you to place mailbox content on hold indefinitely, based on a query, or based on a time period. Key features include:
- Place user mailboxes on hold and preserve mailbox items immutably
- Preserve mailbox items deleted by users or automatic deletion processes such as messaging records management (MRM)
- Use query-based In-Place Hold to search for and retain items matching specified criteria
- Preserve items indefinitely or for a specific duration
- Place a user on multiple holds for different cases or investigations
- No user impact – In-Place Hold is transparent to users.
- In-Place eDiscovery searches include items placed on hold
Q: What does a typical Microsoft eDiscovery solution look like?
A: People create, manage and use eDiscovery cases through the eDiscovery center (EDC). The EDC is a SharePoint 2013 site collection where cases are defined, sources to be tracked are identified, queries are issued, query results reviewed and holds on content are placed or removed.
To see a larger version of the technical flow for eDiscovery, download the eDiscovery Flow Across SharePoint, Exchange, Lync, and File Shares model.
Q: What is the Electronic Discovery Reference Model (EDRM)?
A: The Electronic Discovery Reference Model (EDRM) provides guidance for the stages involved in the eDiscovery process for electronically stored information (ESI). The EDRM stages include:
- Information Management
- Identification
- Preservation
- Collection
- Processing
- Review
- Analysis
- Production
- Presentation
When content is exported from the eDiscovery Center in SharePoint, it is exported in a standard EDRM format that is often used by other eDiscovery programs. An Electronic Discovery Reference Model XML manifest is included in the export to provide metadata about the exported items. After export:
- Exchange content, including archived Lync content, is stored in PST files.
- SharePoint content and file share content are downloaded in the native format.
- SharePoint pages are captured as MHT files.
- SharePoint lists are stored as CSV files.
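The manifest makes it possible to check that an export arrived complete and unaltered before it is handed on. The following is an added example, not part of the original FAQ or of Microsoft's tooling; it assumes EDRM XML 1.x element names (Document, ExternalFile with FilePath, FileName, FileSize and Hash), infers the hash algorithm from the digest length, and uses a constructed manifest and files, so confirm the attribute names against a real export.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Hash algorithm is inferred from the hex digest length (assumption).
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def verify_export(manifest_xml, export_root):
    """Return {"DocID/FileName": status} for each ExternalFile in the manifest."""
    base = Path(export_root).resolve()
    results = {}
    for doc in ET.fromstring(manifest_xml).iter("Document"):
        for ext in doc.iter("ExternalFile"):
            name = ext.get("FileName", "")
            key = f"{doc.get('DocID')}/{name}"
            rel = ext.get("FilePath", "").replace("\\", "/")
            path = (base / rel / name).resolve()
            algo = ALGO_BY_LEN.get(len(ext.get("Hash", "")))
            if base not in path.parents:
                results[key] = "outside-export-root"  # manifest path escapes the export
            elif not path.is_file():
                results[key] = "missing"
            elif algo is None:
                results[key] = "no-usable-hash"
            else:
                data = path.read_bytes()
                same = (str(len(data)) == ext.get("FileSize")
                        and hashlib.new(algo, data).hexdigest() == ext.get("Hash").lower())
                results[key] = "ok" if same else "mismatch"
    return results

def demo():
    """Build a constructed three-item export, alter one file, and verify it."""
    files = {"D1": ("docs", "plan.docx", b"draft plan"),
             "D2": ("docs", "tasks.csv", b"id,title\n"),
             "D3": ("mail", "user.pst", b"pst bytes")}
    entry = ('<Document DocID="{}"><Files><File FileType="Native"><ExternalFile '
             'FilePath="{}" FileName="{}" FileSize="{}" Hash="{}"/></File></Files></Document>')
    docs = "".join(entry.format(d, p, n, len(b), hashlib.sha256(b).hexdigest())
                   for d, (p, n, b) in files.items())
    manifest = f"<Root><Batch><Documents>{docs}</Documents></Batch></Root>"
    with tempfile.TemporaryDirectory() as tmp:
        for folder, name, body in files.values():
            (Path(tmp) / folder).mkdir(exist_ok=True)
            (Path(tmp) / folder / name).write_bytes(body)
        (Path(tmp) / "docs" / "tasks.csv").write_bytes(b"id,title\nX")  # altered after export
        (Path(tmp) / "mail" / "user.pst").unlink()                      # lost in transfer
        return verify_export(manifest, tmp)
```

Calling `demo()` returns one status per manifest entry; anything other than `ok` should be resolved before the export is treated as a faithful copy.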
Requirements, Limitations, and Configuration:
Q: Which service plans or licenses do I need for eDiscovery?
A: The following are the service plans and products that provide eDiscovery features.
Office 365 Options
Feature | Office 365 Midsize Business | Office 365 Enterprise E1, Office 365 Education A2, Office 365 Government G1 | Office 365 Enterprise E3, Office 365 Education A3, Office 365 Government G3 | Office 365 Enterprise E4, Office 365 Education A4, Office 365 Government G4 | Office 365 Enterprise K1, Office 365 Government K1 |
eDiscovery Center (SharePoint Online) | No | No | Yes | Yes | No |
In-Place Hold (Exchange Online) | No | No | Yes | Yes | No |
In-Place eDiscovery (Exchange Online) | Yes | Yes | Yes | Yes | Yes |
SharePoint Online Standalone Options
Feature | SharePoint Online Plan 1 | SharePoint Online Plan 2 |
eDiscovery Center | No | Yes |
Exchange Online Standalone Options
Feature | Exchange Online Plan 1 | Exchange Online Plan 2 | Exchange Online Kiosk |
In-Place Hold | No | Yes | No |
In-Place eDiscovery | Yes | Yes | Yes |
SharePoint On-Premises Options
Feature | SharePoint Foundation | SharePoint Server 2013 Standard CAL | SharePoint Server Enterprise CAL |
eDiscovery Center | No | No | Yes |
Exchange On-Premises Options
Feature | Exchange Server 2013 |
In-Place Hold | Yes |
In-Place eDiscovery | Yes |
Q: What types of content can be discovered?
A: SharePoint content that has been crawled by search, including structured content like documents and list items, as well as blogs, wikis, and newsfeeds. In order to be discovered, the content must be indexed by search. Types of content include:
- Exchange items, such as messages, site and individual mailboxes, calendar items, and tasks that are indexed by Exchange search
- Lync conversations that have been archived in Exchange
- Documents, newsfeed posts, and other SharePoint content
- Content on file shares that has been indexed by SharePoint search
- Content on SkyDrive Pro that has been indexed by SharePoint search
For more information about which content is indexed and troubleshooting search, see:
- Default crawled file name extensions and parsed file types in SharePoint Server 2013
- Overview of crawled and managed properties in SharePoint Server 2013
- File formats indexed by Exchange Search
- View search diagnostics in SharePoint Server 2013
Q: Are there limits on how much content can be discovered?
A: Yes, here are the limits:
SharePoint eDiscovery Center
SharePoint sources | Exchange sources | Keywords/search terms | Number of searches |
100 | 1,500 | 500 | No hard limit |
Q: Does the eDiscovery Center work with different product versions?
A: The following defines which sources can be searched, held, and exported. The content must be indexed by servers running on plans or versions of Office 365, SharePoint, and Exchange that contain eDiscovery features.
Source | Search (On-Premises) | Search (Office 365) | In-Place Hold (On-Premises) | In-Place Hold (Office 365) | Export (On-Premises) | Export (Office 365) |
SharePoint 2013 | Yes | Yes | Yes | Yes | Yes | Yes |
Exchange 2013 | Yes | Yes | Yes | Yes | Yes | Yes |
Exchange 2010 | No | No | No | No | No | No |
SharePoint 2010 | Yes | No | No | No | Yes | No |
SharePoint 2007 | Yes | No | No | No | Yes | No |
Lync 2013 (when archived in Exchange 2013) | Yes | Yes | Yes | Yes | Yes | Yes |
Lync 2010 | No | No | No | No | No | No |
Indexed File shares | Yes | No | No | No | Yes | No |
Indexed Content from external systems | No | No | No | No | No | No |
Q: How do I set up an eDiscovery Center?
A: You must be an administrator to set up an eDiscovery Center. Create a new site collection that uses the eDiscovery template, configure the appropriate permissions and groups, and configure Exchange connectivity. The following articles explain how:
- Configure Exchange for SharePoint eDiscovery Center
- Configure eDiscovery in SharePoint 2013
- Set up an eDiscovery Center in SharePoint Online
A key step in setting up eDiscovery is to add Exchange or Exchange Online as a result source. Because the eDiscovery Center is based on a site collection, this configuration must be made at the site collection level or higher, and not at the site level. For more information see Configure result sources for search in SharePoint Server 2013 and Manage result sources.
Q: What is the typical life-cycle of an eDiscovery case?
A: The following are the stages involved in working with an eDiscovery case in SharePoint 2013:
- Create eDiscovery Case: An eDiscovery case is a logical object that acts as a container for holding things like queries, preservations and content. An eDiscovery case is a collaboration site that you can use to organize information related to the eDiscovery request. From within an eDiscovery case, you can search for content, apply a hold to content, export content, and view the status of holds and exports that are associated with the case.
- Place Legal Hold: Applying a hold means preserving a copy of the original content to protect it from modification or deletion. A hold is used to retain the content in its original form at the time when the hold is applied. When users apply an in-place hold to a site or mailbox, content in the site or mailbox remains in its original location. Let’s look into the preservation hold library and the various content sources that can be put on hold.
- Refine Content: Queries are used to narrow down and refine the content you need for a particular case. Efficient queries reduce the overall volume and increase the relevancy of the content to be processed. In a query, additional filters such as keywords, start and end dates, domains, and authors or senders can be added to narrow down the content discovery.
- Export: When you are ready to deliver your eDiscovery content to an authority or want to work on it with another legal program, you can export content from a case.
- Release Holds: Once all the relevant information is gathered from the sources, the holds can be released.
- Close Case: When all the proceedings are completed and the information is no longer required, the case can be closed.
Q: What type of permissions does a user need to perform eDiscovery?
A: eDiscovery is a powerful tool that can potentially expose sensitive information from SharePoint and Exchange content across your entire organization. A user must be authorized to perform an eDiscovery search in SharePoint and Exchange. Permissions to perform eDiscovery searches must be controlled and monitored depending on security and compliance requirements in your organization.
An eDiscovery manager must be able to view all content that is potentially discoverable. In SharePoint, we recommend that you create a security group for eDiscovery users, and add the appropriate users to the security group. Then you can grant permissions to the security group, instead of individual users. Choose a name for the security group, and record the name in the worksheet. Also record which users will be members of the security group. For more information, see Plan for eDiscovery in SharePoint Server 2013 and Permissions planning for sites and content in SharePoint 2013.
In Exchange or Exchange Online, you need to add a user to the Discovery Management role group. Adding users to the Discovery Management role group allows them to use In-Place eDiscovery to search all Exchange 2013 mailboxes and access potentially sensitive email content in user mailboxes. Check with your organization’s legal or HR departments before assigning this permission to any user. For more information, see Add a User to the Discovery Management Role Group.
Q: Can you audit search and hold actions?
A: You can audit in-place search and holds for Exchange items in the Exchange Admin Center. In the SharePoint eDiscovery Center, you can audit actions on SharePoint content.
You can also audit the holds and searches that are run as long as you configure auditing to interact with search in advance. The searches against Exchange do not include the specific mailboxes that were searched, however. For more information on configuring audit settings in SharePoint, see Configure audit settings for a site collection.
Resources
Q: Where can I find more information about eDiscovery?
A: The following articles and other resources provide information about eDiscovery and related technologies:
eDiscovery Overview
- SharePoint eDiscovery Scenario
- Intro to eDiscovery in SharePoint, Exchange, and Lync 2013 blog post
- eDiscovery content pivot
- eDiscovery Flow Across SharePoint, Exchange, Lync, and File Shares model
Exchange
- In-place eDiscovery and in-place hold in the new Exchange
- In-place eDiscovery
- In-place hold
- In-place archiving
- File formats indexed by Exchange Search
- Message Properties indexed by Exchange Search
- Create a Discovery mailbox
- Create an In-Place eDiscovery Search
- Start or Stop an In-Place eDiscovery Search
- Estimate, preview or copy search results
- Create or Remove an In-Place Hold
- Search and Delete Messages
- Achieving Immutability with Exchange Online and Exchange Server 2013
- Programmability: eDiscovery in EWS in Exchange 2013
SharePoint
- What’s new in eDiscovery in SharePoint Server 2013
- Overview of eDiscovery and in-place holds in SharePoint Server 2013
- Plan for eDiscovery
- Download the eDiscovery planning worksheet
- Configure Exchange for SharePoint eDiscovery Center
- Configure eDiscovery in SharePoint
- Set up an eDiscovery Center in SharePoint Online
- Add a user to the Discovery Management Role Group
- Plan, create, and manage eDiscovery cases
- Add content to an eDiscovery case and place sources on hold
- Create and run eDiscovery queries
- Searching and using keywords in eDiscovery
- Export eDiscovery content and create reports
- Programmability: eDiscovery in SharePoint 2013
- Programmability: Keyword Query Language (KQL) syntax reference