Microsoft Purview - Paint By Numbers Series (Part 5d) - Premium eDiscovery - Communications
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link:
Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
Target Audience
The Advanced eDiscovery (AeD) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.
Document Scope
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Advanced eDiscovery.
It is presumed that you already have data to search inside your tenant.
We will only step through a basic eDiscovery case (see the Use Case section).
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Compliance, including:
- Data Classification
- Information Protection
- Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
- Data Lifecycle Management (retention and disposal)
- Records Management (retention and disposal)
- Premium eDiscovery
  - Overview and Settings
  - Case Creation and Case Settings
  - Data Sources and Collections
  - Review Sets
  - Holds
  - Exports
  - Processing
  - Jobs
- Insider Risk Management (IRM)
- Priva
- Advanced Audit
- Microsoft Cloud App Security (MCAS)
- Information Barriers
- Communications Compliance
- Licensing
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).
It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing.
If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.
Use Case
There are many use cases for Advanced eDiscovery. For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.
Overview of Document
In this document, you will learn what a Microsoft Purview Premium eDiscovery Communication is, how to create one, and what the end user experience looks like.
Definitions
- Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed. These are all the custodians (users) being investigated. These are not the users performing the investigation.
- Collections – This is the actual search being performed. Collections include user, keyword, data, etc.
- Review Sets – Once a collection/search has been performed, the data must be reviewed. This tab is where secondary searches and a review of the data can be done.
- Communications – If the HR or legal team wishes, they can notify the user that they are under investigation. You can also set up reminder notifications in this section of the UI.
  - Note - This task is optional.
- Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold. This means that the data cannot be deleted by the end user and if they do, then only their reference to the data is deleted. If the user deletes their reference, then the data is placed into a hidden hold directory.
- Processing – This tab is related to the indexing of data in your production environment. You would use this if you are not finding data that you expect and you need to re-run indexing activities.
  - Note - This task is optional.
- Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.
- Export #2 – This is also the term used to export a .CSV report.
- Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc). This is useful if you launch an activity and want to monitor its status in real-time.
- Settings – High level analytics and settings and reports, etc.
- Custodian – This is the individual being investigated.
Notes
- Core vs Advanced eDiscovery (high level overview)
  - Core eDiscovery – This allows for searching and export of data only. It is perfect for basic “search and export” needs of data. It is not the best tool for data migration or HR and/or Legal case management and workflows.
  - Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside counsel or legal entity. This tool provides a truer workflow for discovery, review, and export of data along with reporting and redacting of data.
- If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States. The link is in the appendix.
- For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing.
- We will not be using all of the tabs available in an AeD case.
- How does user deletion of data work with AeD?
  - If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications.
  - If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications. However, the user reference to the data will be deleted so they will believe that the data is deleted.
Pre-requisites
You should review the previous parts of this eDiscovery blog series and be sure you have done them.
What is Communications in Premium eDiscovery?
Before we dig into this tab, let us answer this question – What is Communication in Microsoft Purview Premium eDiscovery?
I explain it like this:
First, it is the process of informing a custodian that they are under investigation, either once or multiple times. Second, if you want the custodian to acknowledge to the organization that they are under investigation, they can do that. Third, you can inform the custodian that they are no longer under investigation and their data has been released from a legal hold.
The official explanation is here:
“A legal hold (also known as a litigation hold) notice is a notification sent from an organization’s legal department to employees, contingent staff, or custodians of data that may be relevant to a legal investigation. These notifications instruct custodians to preserve electronically stored information and any content that may be relevant to an active or impending legal matter. Legal teams must know that each custodian has received, read, understood, and has agreed to comply with the given instructions.”
Work with communications in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn
Communications templates are found in the Premium eDiscovery Settings tab
We covered this in Part 5 – Premium eDiscovery – Overview and Settings. Please refer to that blog entry for information on this.
Communications tab
Let us click on the Communications tab. It is in the middle of the “case” pane.
Here you can see all of the communications/notifications that have been sent out for this case, or create a new communication. For each communication, you can see 1) the status, 2) when it was modified, 3) the number of custodians associated with the communication, and 4) the number of custodian Hold acknowledgements.
Create a New Communication
Here you can create, edit, and delete custodian communications/notifications to be used in this specific Premium eDiscovery Case. We will walk through creating a notification below.
- On the right side, select New Communication. You will be taken through a 6-step wizard.
- First, give the template a name, select an issuing officer, and you also have the option to select one of the templates referenced above. For my example, I will name my template “Case Notification 1”, choose my admin account, and not select a template. Click Next.
- Next, you will arrive at the Define Portal Content section of the wizard. Here you will see a document editor similar to Word where you can enter verbiage that meets your needs. For this blog, I will not be using any customer verbiage in my example here.
- You will also see across the top of that editor 5 pre-populated options you can place into your Communication:
  - Display Name – This is the name of the user receiving the email notification.
  - Acknowledgement link – This is the URL where the custodian can acknowledge that they have been properly notified of the investigation.
  - Tk Portal Link – Here the custodian can see who has acknowledged that they have been placed on hold.
  - Issuing Officer Email – This will be the name of the individual in the individual case sending the communication/notification or it could be from a list of users created in the next section Issuing Officer.
  - Issuing Date – Since you might have this sent once or multiple times, this will always be the date the notification was sent.
- When you are satisfied with your message to your custodians,
- The third step of the wizard is Set Notifications-Required. Here you have 3 notifications that are required: Issuance, Reissuance, and Release.
- Here is an example of what you could put into any of these notifications.
- After you’ve saved your notifications, click Next.
- Fourth, you will arrive at the Set Notifications-Optional step of the wizard. Here you can add Reminder and Escalation notifications if you like. We’ll click Next.
- Fifth, add the custodians to be notified, then click Next.
- Last, Review your settings.
- Click Submit and then click Done.
End User experience with a Case Communication
When the end user receives a communication/notification, what does that experience look like?
They will see something similar to the below in their email. Notice that everything is pre-populated from the steps above. Again, please note my email notification is very generic.
When the custodian clicks on the link “Click here to acknowledge this notice”, they will be taken to your company’s Microsoft Purview acknowledgement website. Here is an example of what they will see.
When the custodian clicks on the link “Go to custodian portal”, they will be taken to the Custodian Portal, where they can see all the Premium eDiscovery Notifications that they have been sent, when they were sent, when they were due, etc. Here is an example.
We are now done with the Communications tab.
Appendix and Links
Work with communications in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn