First, it is important to understand what eDiscovery (Electronic Discovery, e-Discovery) is. There are two main meanings:
Legal Perspective – eDiscovery is the electronic aspect of finding electronically stored information in the event of a court proceeding or investigation. It also refers to laws that regulate this aspect. eDiscovery applies to all systems.
Microsoft 365/Office 365 Perspective – eDiscovery is a mechanism or set of capabilities designed to assist in finding, collecting, and exporting data from Microsoft 365 organizations. As the name suggests, the primary purpose of eDiscovery (mechanism) is to assist in the event of a dispute and comply with the legal definition of eDiscovery. In particular, this article is about the mechanism of Office 365 / Microsoft 365 and its premium version – Advanced eDiscovery.
Advanced eDiscovery requirements and permissions
Advanced eDiscovery is not part of every tenant. To experience its benefits, you need either an E5 subscription or E3 with the Advanced Compliance add-on. At least that would be the case if the feature hadn't been in public preview since May 17th, 2019.
Another important requirement to keep in mind is permissions. Previously, the eDiscovery mechanism was based on permissions from the Exchange admin center. Currently, the Security & Compliance Center has its own independent Permissions tab. To manage eDiscovery cases, a user must be assigned an eDiscovery role group – eDiscovery Manager. This role group is special because it has two very different subgroups:
eDiscovery Manager – This role group allows its members to create and manage eDiscovery cases as long as they created the case or were added as members to the case.
eDiscovery Administrator – is a role group that allows full access to each individual eDiscovery case without necessarily being a member of that case.
Managers cannot see cases they have not created or are not assigned to. Administrators have full access to all cases, so assign these permissions wisely. There are also two roles that are important when dealing with eDiscovery:
Reviewer – Reviewers can be assigned as members of a case. They cannot create eDiscovery cases, perform a content search, or even preview search results; they can only access and analyze the case data in Advanced eDiscovery. This is the most restrictive eDiscovery-related role, but without it users cannot access eDiscovery at all.
Like the Exchange Online admin center, this Microsoft 365 module offers a fully customizable RBAC experience. Therefore, alongside these default role groups, you can define custom role groups with the permissions you choose.
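A least-privilege review of the permissions described above, as an added example (not code from the original article). It assumes the ExchangeOnlineManagement module, an account allowed to read role groups and cases in Security & Compliance PowerShell, and a constructed output file name; the role names matched are "Case Management" and "Review".

```powershell
# Added example: who can reach eDiscovery data, and through which grant?
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                      # interactive sign-in

$report = [System.Collections.Generic.List[object]]::new()

# 1. eDiscovery Administrators: full access to every case, member or not.
foreach ($admin in Get-eDiscoveryCaseAdmin) {
    $report.Add([pscustomobject]@{
        Scope = 'ALL CASES'; Grant = 'eDiscovery Administrator'; Principal = $admin.Name })
}

# 2. Default and custom role groups that carry case-related roles.
$groups = Get-RoleGroup | Where-Object { $_.Roles -match 'Case Management|Review' }
foreach ($g in $groups) {
    foreach ($m in Get-RoleGroupMember -Identity $g.Name) {
        $report.Add([pscustomobject]@{
            Scope = 'Role group'; Grant = $g.Name; Principal = $m.Name })
    }
}

# 3. Explicit membership of each Advanced eDiscovery case.
foreach ($case in Get-ComplianceCase -CaseType AdvancedEdiscovery) {
    foreach ($m in Get-ComplianceCaseMember -Case $case.Name) {
        $report.Add([pscustomobject]@{
            Scope = "Case: $($case.Name)"; Grant = 'Case member'; Principal = $m.Name })
    }
}

# Tenant-wide grants sort first so they are reviewed first.
$report | Sort-Object Scope, Principal | Format-Table -AutoSize
$report | Export-Csv -Path .\ediscovery-access-review.csv -NoTypeInformation   # constructed file name
```

Principals listed under ALL CASES deserve the closest review, since that grant bypasses case membership entirely.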
What does the eDiscovery mechanism do?
eDiscovery includes many options for finding, collecting, retaining, and exporting data. Here are the key parts:
eDiscovery case. A case is the most basic eDiscovery tool. With eDiscovery cases, you can control who can see and access a specific investigation.
Litigation hold. When a mailbox or other resource (such as a SharePoint site) is on litigation hold, its content is protected. The owner of a mailbox on litigation hold can delete items, but cannot purge them. This means it's not possible to permanently delete an email or any other item while a mailbox is on litigation hold. While on litigation hold, deleted items are moved to a specific subfolder in the Recoverable Items folder: DiscoveryHold. Its contents can be searched with eDiscovery content search or with the Search-Mailbox cmdlet.
Content search. Content search can use various filters and criteria to search for specific content in mailboxes, SharePoint sites, or public folders. It can also be used as a means of manual local backup. Data that meets the specified requirements can be exported to PST files, which can later be imported back into mailboxes for audit or recovery purposes.
eDiscovery, advanced or not, allows admins to search, analyze, and export specific data from an Office 365 organization. Although the purpose and general idea of both mechanisms are the same, there are some important differences in how they achieve the same goal.
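To verify the litigation hold behaviour described above, the following added example (not from the original article) lists every mailbox on litigation hold, who set the hold and when, and what currently sits in each Recoverable Items subfolder. It assumes the ExchangeOnlineManagement module and an Exchange Online session with rights to read mailbox properties.

```powershell
# Added example: confirm which mailboxes are on litigation hold and what is preserved.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline                   # interactive sign-in

$held = Get-Mailbox -ResultSize Unlimited -Filter 'LitigationHoldEnabled -eq $true'

$rows = foreach ($mbx in $held) {
    # A duration other than Unlimited means the hold stops protecting older items.
    $expires = "$($mbx.LitigationHoldDuration)" -ne 'Unlimited'

    Get-MailboxFolderStatistics -Identity $mbx.UserPrincipalName -FolderScope RecoverableItems |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox     = $mbx.UserPrincipalName
                HoldSince   = $mbx.LitigationHoldDate
                HoldSetBy   = $mbx.LitigationHoldOwner
                TimeLimited = $expires
                Folder      = $_.Name
                Items       = $_.ItemsInFolder
                Size        = $_.FolderSize
            }
        }
}

$rows | Sort-Object Mailbox, Folder | Format-Table -AutoSize

# Holds with a time limit are listed separately for follow-up.
$rows | Where-Object TimeLimited | Select-Object Mailbox, HoldSince, HoldSetBy -Unique
```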
How is Advanced eDiscovery different from eDiscovery?
The easiest way to see the differences between an eDiscovery case and an advanced case is to look at both in the Security & Compliance Center. Now that you’ve noticed a slightly different layout, it’s time to dig into the details.
The default eDiscovery case has 4 tabs: Home, Holds, Searches, and Exports.
The first conclusion is that a standard eDiscovery case lets you:
- Put mailboxes, SharePoint sites and public folders on hold
- Search for items related to a case
- Export the results
Advanced eDiscovery adds the following tabs:
- Custodians – indicates the users who may have relevant information about the case. In the standard eDiscovery case, they would simply be added to the legal hold.
- Communications – provides a simple tool for sending notifications to custodians. The case manager may ask the custodians to keep any information that might be useful for the discovery.
- Review sets – results from a content search (or multiple searches) can be added to a review set for further analysis.
- Jobs – lists all jobs performed in the eDiscovery case with their current status, creation and completion dates.
- Settings – has three sections. While the first two can be modified in a standard eDiscovery case, the third (Search & Analysis) offers some additional options. The Case Information tab allows the manager to change basic case information such as name, number, description and status. Access & Permissions provides an option to add or remove users responsible for the case. Search & Analysis is the best part.
Search and analysis in Advanced eDiscovery
The Search & Analysis section gives you options that can potentially speed up the detection process. For example:
- Near-duplicate detection significantly reduces the number of documents and threads exported for review.
- Email threading parses emails as threads. So if someone replies to an email that is a "hit," eDiscovery doesn't return 20 consecutive emails, just one conversation.
- OCR allows Microsoft 365 to find text in graphics files to later add to a review set. OCR supports GIF, JPG, PNG and TIFF.
Advanced eDiscovery also uses machine learning mechanisms to limit search results to items most likely to be relevant to the case. The system can be trained by opening a specific review set, clicking Manage review set and selecting the Relevance tile.
How to run an Advanced eDiscovery case
In the next article, Create an Advanced eDiscovery Case, I’ll show you how to run an Advanced eDiscovery case and take advantage of all the premium features mentioned in the article above. Be sure to read it if you want to see the premium features in action.