Blog Post

Healthcare and Life Sciences Blog
6 MIN READ

Microsoft Purview - Paint By Numbers Series (Part 5g) - Premium eDiscovery - Exports

James_Havens's avatar
James_Havens
Icon for Microsoft rankMicrosoft
Dec 09, 2022

 

Before we start, please not that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate the in the following link:

Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

 

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

 

Target Audience

The Advanced eDiscovery (Aed) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.

 

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Advanced eDiscovery.

It is presumed that you already data to search inside your tenant.

We will only step through a basic eDiscovery case (see the Use Case section).

 

Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Compliance, including:

  • Data Classification
  • Information Protection
  • Data Protection Loss (DLP) for Exchange, OneDrive, Devices
  • Data Lifecycle Management (retention and disposal)
  • Records Management (retention and disposal)
  • Premium eDiscovery
    • Overview and Settings
    • Case Creation and Case Settings
    • Data Sources and Collections
    • Review Sets
    • Communications
    • Holds
    • Processing
    • Jobs
  • Insider Risk Management (IRM)
  • Priva
  • Advanced Audit
  • Microsoft Cloud App Security (MCAS)
  • Information Barriers
  • Communications Compliance
  • Licensing
  •  

It is presumed that you have a pre-existing of understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).

It is also presumed you are using an existing Information Types (SIT) or a SIT you have created for your testing.

 

If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog.  That webpage will be updated with any new walk throughs or Compliance relevant information, as time allows.

Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community

Use Case

 

There are many use cases for Advanced eDiscovery.  For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.

Overview of Document

This part of the blog is looking at the Exports tab, and how it should be used in an eDiscovery case.

 

Definitions

  • Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed.  These are all the custodians (users) being investigated.  This is not the users performing the investigation.
  • Collections – This is the actual search being performed.  Collections include user, keyword, data, etc.
  • Review Sets – Once a collection/search has been performed, the data most be reviewed.  This tab is where secondary searches can be done and a review of the data.
  • Communications – If the HR or legal team wishes, they can notify the user that they are under investigation.  You can also set up reminder notifications in this section of the UI. 
    • Note - This task is optional.
  • Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold.  This means that the data cannot be deleted by the end user and if they do, then only their reference to the data is deleted.  If the user deletes their reference, then the data is placed into a hidden hold directory.
  • Processing – This tab is related to the indexing of data in your production environment.  You would use this if you are not finding data that you expect and you need to re-run indexing activities.
    • Note - This task is optional.
  • Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.
  • Export #2 – This is also the term used to export a .CSV report.
  • Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc).  This is useful if you launch an activity and want to monitor its status in real-time.
  • Setting – High level analytics and settings and reports, etc.
  • Custodian – This is the individual being investigated.

 

 

Notes

  • Core vs Advanced eDiscovery (high level overview)
    • Core eDiscovery – This allows for searching and export of data only.  It is perfect for basic “search and export” needs of data.  It is not the best tool for data migration or HR and/or Legal case management and workflows.
    • Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside council or legal entity.  This tool provides a truer work flow for discovery, review, and export of data along with reporting and redacting of data.
  • If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States.  The link is in the appendix.
  • For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing.
  • We will not be using all of the tabs in available in a AeD case.
  • How do user deletes of data work with AeD?
  • If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications.
  • If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications.  However, the user reference to the data will be deleted so they will believe that the data is deleted.

Pre-requisites

You should review the previous parts of this eDiscovery blog series and be sure you have done them.

 

 

Export a subset of data

 

  1. On the Exports tab, click on your export.  A window will appear on the right which will tell you if your export was successful.  If so, you can now download it along with a summary report to your local machine and then hand it over to outside council as needed.

 

 

  1. Congratulations!  You have now have now completed a basic Advanced eDiscovery case and have finished this blog series.

Appendix and Links

 

 

Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such.  Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

 

Updated Dec 12, 2022
Version 2.0
No CommentsBe the first to comment