Delen via


Learn about eDiscovery (preview)

Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic stored information (ESI) that can be used as evidence in investigations and legal cases. You can use Microsoft Purview eDiscovery (preview) to identify, review, and manage content in Microsoft 365 services to support your investigations. Supported Microsoft 365 services include:

  • Exchange Online
  • Microsoft Teams
  • Microsoft 365 Groups
  • OneDrive
  • SharePoint
  • Viva Engage

You can search mailboxes and sites in the same eDiscovery search, and then export the search results. You can use eDiscovery cases to identify, hold, and export content found in mailboxes and sites. If your organization has an Office 365 E5 or Microsoft 365 E5 subscription (or related E5 add-on subscriptions), you can further manage cases and analyze content using premium eDiscovery features.

Microsoft Purview portal & previous portal experiences

eDiscovery (preview) is available in the Microsoft Purview portal. The classic eDiscovery experience is available in both the Microsoft Purview portal (for a limited time) and in the Microsoft Purview compliance portal.

The Microsoft Purview compliance portal is scheduled for retirement on December 13, 2024 and classic eDiscovery experience support in the Microsoft Purview portal is scheduled for retirement in 2025.

eDiscovery (preview) in the Microsoft Purview portal

Depending on the licensing and subscriptions for your organization, you have access to specific eDiscovery or premium eDiscovery features in the Microsoft Purview portal. All Content search features are now included within the search experience within eDiscovery (preview). However, eDiscovery (preview) doesn't currently support all features available in eDiscovery (Standard) and eDiscovery (Premium) in the compliance portal.

For a summary of eDiscovery features supported only in the compliance portal or when you enable the classic eDiscovery expereince in eDiscovery (preview), see the Microsoft Purview compliance portal-only eDiscovery features section later in this article.

Classic eDiscovery experience in the Microsoft Purview portal

For a limited time, you can choose to enable the classic eDiscovery experience found in the Microsoft Purview compliance portal in the Microsoft Purview portal. Selecting this user experience option allows you to configure and manage your eDiscovery investigations using the workflow and tools you're already familiar with while you transition to using the updated workflow and new management tools and experience in the Microsoft Purview portal.

These options determine the workflow, tools, and information you see when working with eDiscovery. These options are available for a limited time and apply only to the eDiscovery experience in the Microsoft Purview portal.

eDiscovery in the Microsoft Purview compliance portal

eDiscovery (preview) customers can continue to use and manage existing Content search, eDiscovery (Standard), and eDiscovery (Premium) features in the compliance portal. Changes made in the Microsoft Purview portal and the compliance portal for searches, cases, review sets, and holds in the same organization are visible in both portals. However, depending on the currently supported features and your organization's licensing and subscriptions and the user experience configured for eDiscovery in the Microsoft Purview portal, you may or may not have access to these features in the Microsoft Purview portal.

To continue to use the compliance portal in the original standalone experience, disable the New Microsoft Purview portal toggle on the Microsoft Purview portal or log directly into the following eDiscovery solution pages in the compliance portal:

  • eDiscovery (Standard): compliance.microsoft.com/classicediscovery
  • eDiscovery (Premium): compliance.microsoft.com/advancedediscovery

Important

The Microsoft Purview compliance portal is scheduled for retirement by the end of 2024.

Notable changes in eDiscovery (preview)

For customers that are already familiar with previous versions of eDiscovery, there are several notable differences when using eDiscovery (preview) in the Microsoft Purview portal:

  • Advanced indexing: When a custodian or noncustodial data source is added to a case in previous versions of eDiscovery, any content deemed as partially indexed or had indexing errors needs to be reindexed to determine if the contents are relevant to defined search conditions. The reindexing process was called Advanced indexing. As more partially and unindexed items were added to data sources (user's mailbox, OneDrive account, etc.) you would need to separately update the index for specific custodian or noncustodial data sources.

    In eDiscovery (preview), Advanced indexing runs automatically during each search scoped for statistics results and when you add results to a review set or export search results, depending on the indexing options you've chosen for the process. Separate reindexing of data sources prior to the search process is no longer needed. This just in time indexing process helps avoid issues with stale indices that may result in indexing and search running sequentially and separately in the classic experience. Running (or rerunning) a search automatically updates all indexes.

  • Collections: In previous versions of eDiscovery, collections provided managers with estimates of the content that may be relevant to cases. These estimates allowed managers to make quick, informed decisions about the size and scope of content relevant to cases. Once added to a review set in the compliance portal, the collection is immutable.

    In eDiscovery (preview), Statistics in searches have replaced collections. Statistics results in searches now allow managers to review important insights about the items included in the results and the relevance to the case. Searches aren't immutable in eDiscovery (preview), even after the results are added to a review set. Searches can be updated at any time. Adding only a sample of the collection into review set and deleting a search has been removed in eDiscovery (preview).

  • Content search: Content search in the compliance portal was a separate solution from eDiscovery used for basic searches for content. Results from content search were estimated numbers of locations and search results that you could preview or export to a local computer.

    In the Microsoft Purview portal, all Content search functionality is now included in a system generated eDiscovery case by default for all members of the eDiscovery manager and Administrator role groups. If you need to limit access to content searches, use Case settings to remove or add members to the case to manage access to these searches.

    The content search case has the same capability as other user-created cases. You can create holds, review sets, and more in the content search case, depending on your subscription.

  • Custodians: In previous versions of eDiscovery, custodians (users) were the primary component of the eDiscovery workflow. Custodians were potential persons of interest in an investigation that you added to cases.

    In eDiscovery (preview), cases are the primary component of the eDiscovery workflow. People, groups, and data sources are still added to cases, but the case is the central organizing unit.

  • Export updates: The new export flow in eDiscovery (preview) supports a unified export structure across premium and non-premium feature exports, faster export performance, detailed reporting, and flexible export options.

  • Jobs: In previous versions of eDiscovery, tasks, activities, and reports associated with workflow components were called jobs. These events and reports are now referred to as processes in eDiscovery (preview).

Features and capabilities

The following table compares key eDiscovery (preview) capabilities and features:

Capability eDiscovery feature support Premium eDiscovery feature support
Search for content Supported. Supported.
Keyword queries and search conditions Supported. Supported.
Search statistics Supported. Supported.
Export search results Supported. Supported.
Role-based permissions Supported. Supported.
Case management Supported. Supported.
Place content locations on hold Supported. Supported.
Advanced indexing Supported.
Review sets Supported.
Support for cloud attachments and SharePoint versions Supported.
Optical character recognition Supported.
Conversation threading Supported.
Search statistics and reports Supported.
Review set filtering Supported.
Tagging Supported.
Analytics Supported.
Computed document metadata Supported.
Transparency of long-running processes Supported.
Full reporting for all processes Supported.
Enhanced data source mapping Supported.

Here's a description of each eDiscovery (preview) capability.

  • Search for content: Search for content that's stored in Exchange mailboxes, OneDrive accounts, SharePoint sites, Microsoft Teams, Microsoft 365 Groups, and Viva Engage Teams. Searches include content generated by other Microsoft 365 apps that store data in mailboxes and sites.
  • Keyword queries and search conditions: Create Keyword Query Language (KeyQL) search queries to search for content keywords that match query criteria. You can also include conditions to narrow the scope of your search.
  • Search statistics and samples: After you run a search, you can view statistics of the estimated search results, such as the number and total size of items matching your search criteria. You can also view a representative sample of the items included in the search results.
  • Export search results: Export search results to a local computer in your organization. When you export search results, items are copied from their original content location and packaged. Then you can download those items in the export package to a local computer.
  • Case management. An eDiscovery case contains all searches, holds, and review sets related to a specific investigation. You can also assign members to a case to control who can access the case and view the contents of the case.
  • Role-based permissions: Use role-based access control (RBAC) permissions to control what eDiscovery-related tasks that different users can perform. You can use a built-in eDiscovery-related role group or create custom role groups that assign specific eDiscovery permissions.
  • Place content locations on hold: Preserve content relevant to your investigation by placing a hold on the content locations in a case. Holds let you secure electronically stored information from inadvertent (or intentional) deletion during your investigation.
  • Advanced indexing: When a search, review set, or export process is run, the associated content locations where items are partially indexed are reindexed in a process called Advanced indexing. Advanced indexing ensures any content deemed as partially indexed is reprocessed to make it fully searchable when you collect data for an investigation.
  • Review sets: Add relevant data to a review set. A review set is a secure, Microsoft-provided Azure Storage location in the Microsoft cloud. When you add data to a review set, the collected items are copied from their original content location to the review set. Review sets provide a static, known set of content that you can search, filter, tag, analyze, and predict relevancy using predictive coding models. You can also track and report on what content gets added to the review set.
  • Support for cloud attachments and SharePoint versions: When you add content to a review set, you can include cloud attachments or linked files. The target file of a cloud attachment or linked file is added to the review set. You also can add all versions of a SharePoint document to a review set.
  • Optical character recognition (OCR): When content is added to a review set, OCR functionality extracts text from images, and includes the image text with the content that's added to a review set. This lets you search for image text when you query the content in the review set.
  • Conversation threading: When chat messages from Teams and Viva Engage conversations are added to a review set, you can collect the entire conversation thread. The entire chat conversation that contains items that match the search criteria is added to the review set. This lets you review chat items in the context of the back-and-forth conversation.
  • Search statistics and reports: After you create a search or add the search results to a review set, you can view a rich set of statistics on the retrieved items, such as the content locations that contain the most items that matched the search criteria and the number of items returned by the search query. You can also preview a subset of the results.
  • Review set filtering: After content is added to a review set, you can apply filters to display only the set of items that match your filtering criteria. Then you can save the filter sets as a query, which lets you quickly reapply the saved filters. Review set filtering and saved queries help you quickly select content items that are most relevant to your investigation.
  • Tagging: Tags also help you omit nonrelevant content and identify the most relevant content. When experts, attorneys, or other users review content in a review set, their opinions related to the content can be captured by using tags. For example, if the intent is to exclude unnecessary content, a user can tag documents with a tag such as "nonresponsive". After content is reviewed and tagged, a review set query can be created to exclude any content tagged as "nonresponsive". This process eliminates the nonresponsive content from subsequent steps in the eDiscovery workflow.
  • Analytics: eDiscovery allows you to analyze review set documents to help you organize the documents in a coherent manner and reduce the volume of documents to be reviewed. Near duplicate detection groups textually similar documents together to help you make your review process more efficient. Email threading identifies specific email messages that give a complete context of the conversation in an email thread. Themes functionality attempts to analyze themes in review set documents and assign a theme to documents so that you can review documents with related theme. These analytics capabilities help make your review process more efficient so that reviewers can review a fraction of collected documents.
  • Computed document metadata: Many of the eDiscovery premium features, such as conversation threading and analytics, add metadata properties to review set documents. This metadata contains information related to the function performed by a specific feature. When reviewing documents, you can filter on metadata properties to display documents that match your filter criteria. This metadata can be imported into third-party review applications after review set documents are exported.
  • Transparency of long-running processes: Processes in eDiscovery (preview) are typically long-running activities that are triggered by user actions, such as the adding custodians to a case, adding content to a review set, running analytics, and creating search queries. You can track the status of these processes and get support information if you need to escalate issues to Microsoft Support.
  • Full reporting for all processes: Use the Process report to view and manage processes in cases, searches, review sets, and holds.
  • Enhanced data source mapping: Searching of locations based on users, search one site for groups and map other locations with groups. Explore frequent collaborators as part of data sources. Includes new locations for users.

Microsoft Purview compliance portal-only eDiscovery features

Some eDiscovery features are currently supported only in the Microsoft Purview compliance portal or the classic eDiscovery experience. You need to use and manage these features in the compliance portal or enable the classic eDiscovery experience in eDiscovery (preview) until they're fully available in the Microsoft Purview portal:

  • Case level custodian-management: Manage the people that you identify as people of interest in the case (called custodians) and other data sources that may not be associated with a custodian. When you add custodians and noncustodial data sources to a case, you can place a legal hold on these data sources, communicate with custodians by using the legal hold notification process, and search custodian and noncustodial data sources to collect content relevant to the case.

  • Communications: Using eDiscovery (Premium) custodian communications, organizations can manage their workflow around communicating with custodians. Through the Communications tool, legal teams can systematically send, collect, and track legal hold notifications.

  • Error remediation: Fix processing errors using a process called error remediation. Error remediation allows you to rectify data issues that prevent eDiscovery (Premium) from properly processing the content during Advanced indexing. For example, files that are password protected can't be processed since the files are locked or encrypted. Using error remediation, you can download files with errors, remove the password protection, and then upload the remediated files.

  • Export to customer-owned Azure Storage location: When you export documents from a review set, can export them to an Azure Storage account managed by your organization. Additionally, eDiscovery (Premium) lets you customize what data is exported. This includes exporting file metadata, native files, text files, tags, and redacted documents saved to a PDF file.

  • Import non-Office 365 data: Not all documents that you need to analyze in eDiscovery (Premium) are in Office 365. With the non-Office 365 data import feature in eDiscovery (Premium), you can upload documents that aren't in Office 365 to a review set.

  • Legal hold notifications: Manage the process of communicating with case custodians. A legal hold notification instructs custodians to preserve content that's relevant to the case. You can track the notices that were received, read, and acknowledged by custodians. The communications workflow in eDiscovery (Premium) allows you to create and send initial notifications, reminders, and escalations if custodians fail to acknowledge a hold notification.

  • Predictive coding models: Use predictive coding models to reduce large volumes of case content to a relevant set of items that you can prioritize for review. You can create and train your own predictive coding models that help you prioritize the review of the most relevant items in a review set. The system uses the training to apply prediction scores to every item in the review set. This lets you filter items based on the prediction score, which allows you to review the most relevant (or nonrelevant) items first.

    Important

    Predictive coding has been retired as of March 31, 2024 and is not available in new eDiscovery cases. For existing cases with trained predictive coding models, you can continue to apply existing score filters to review sets. However, you can't create or train new models.

Integration with other solutions

Insider risk management

Cases in Microsoft Purview Insider Risk Management can be quickly escalated to new cases in eDiscovery (preview) when additional legal review is needed for potentially risky user activity. The tight integration between these solutions can help your risk and legal teams work more efficiently and can help provide a complete end-to-end view of user activities under review.

Check out how to get started with Insider Risk Management and how to easily escalate an Insider Risk Management case to an eDiscovery (Premium) case.

Microsoft Security Copilot

You can use Microsoft Security Copilot features in eDiscovery (preview) to use natural language to draft KeyQL search queries. Copilot translates natural language to KeyQL without requiring you to learn how to construct a KeyQL query, know operators, and know supported search metadata fields. Copilot can also provide a contextual summary of most items in a review set. The summary provided is in the context of text included in a selected item. This summary can save time for reviewers by quickly identifying information helpful when tagging or exporting items. Security Copilot summarizes the entire item, including any documents, meetings transcripts, or attachments. Most all of the common document file types are supported.

For more information about using Security Copilot with review sets, see Summarize an item by using Security Copilot.

Ready to get started?