This training was last updated in March 2025.
Welcome to the updated Microsoft Purview eDiscovery Ninja Guide! We're thrilled to present this updated version, packed with the latest insights and resources to help you master the Microsoft Purview eDiscovery solutions.
Whether you're new to Purview eDiscovery or aiming to level up and become a master, this guide is designed to help you become a true eDiscovery Ninja.
Table of Contents
Module 1: Overview
The Overview includes an introduction, demonstration videos, the latest interactive guide, and blog postings to get you started on your journey.
eDiscovery Introduction
- Course: Describe the capabilities of eDiscovery - Learn, 8 min, 1 unit
- Interactive Guide: https://aka.ms/eDiscoveryNewUX
- YouTube webinar of Modern UX (November 2024): Microsoft Purview eDiscovery Modern UX
- YouTube Video from Microsoft State and Local Government (GCC): Introducing the New Purview eDiscovery User Interface
- Learn about eDiscovery solutions
- Learn about the eDiscovery workflow
- Notable changes in Microsoft eDiscovery
Features and capabilities based on licensing
Microsoft eDiscovery Blog announcement on new user experience
Module 2: Getting Started
The Getting Started section will provide you with the prerequisite knowledge required before using the Microsoft Purview eDiscovery solutions, including permissions, processing settings, supported file types and everything you need to know about decryption.
Permissions
- Assign permissions in eDiscovery
- Interactive Guide: Configure permissions and global settings with the interactive guide
Create a case
- Create and manage cases in eDiscovery
- Interactive Guide: Create and configure a case with the interactive guide
Manage eDiscovery processes (jobs)
Limits in eDiscovery
Supported file types
Document metadata fields
Decryption
Configure Settings
- Case information settings
- Enable Attorney-client privilege detection
- Manage guest access to cases
- Configure tag templates
- OCR
Module 3: Identification & Collection
The Identification section covers how to identify sources in Microsoft 365, how to set up your search, and how to evaluate search results before committing them to Export or to a Review Set for further analysis.
Create Search query for a case in eDiscovery:
- Create a search query for a case in eDiscovery
- Create a KeyQL search query with Microsoft Copilot (preview)
- Use the condition builder to create search queries in eDiscovery
- Use Keyword Query Language to create search queries in eDiscovery
- Create targeted search on folders in mailboxes in sites
- Interactive Guide: Design a search with the interactive guide
Search for content in Exchange Online
- Content stored in Exchange Online mailboxes
- Finding content in mailboxes in eDiscovery
- Searchable email properties
- Searchable sensitive data types
- Find and delete email messages (search & purge)
- Searching for messages sent to Bcc and expanded distribution group recipients
Search for content in SharePoint and OneDrive
Search for Microsoft Teams content
- Finding content in Microsoft Teams in eDiscovery
- Find and delete Microsoft Teams chat messages
- Conversation threading
Search for Copilot data
Collection settings – How to evaluate search results
Module 4: Preservation (holds)
The Preservation section will show you how to create and manage your holds in Microsoft Purview eDiscovery. Please note that both the Microsoft Purview eDiscovery solution and the Microsoft Purview Data Lifecycle Management & Records enable organizations to place their Microsoft 365 data on an in-place hold.
Create and manage Holds
- Create holds in eDiscovery
- Manage holds in eDiscovery
- Preserve Bcc and expanded distribution group recipients for eDiscovery
- Create holds report
- Interactive Guide: Apply a hold with the interactive guide
Hold Gotchas
Retention policies and retention labels
- Learn about retention policies & labels to retain or delete
- Learn about retention for Copilot & AI apps
- Auto-apply labels to Cloud Attachments
- Podcast featuring Stefanie Bier discussing roadmap for Cloud Attachments in Microsoft Purview
Module 5: Analysis & Review
The Analysis & Review section will teach you everything you ever wanted to know about Review Sets in Microsoft Purview eDiscovery! This section covers how document sets, Teams conversations, and emails are grouped together for review.
Manage Review Sets
- Manage review sets in eDiscovery
- Collection settings for Review Sets
- Add items from a review set to another review set in eDiscovery
Search for and filter content in a Review Set
- Search content in a review set in eDiscovery
- Group and view items in a review set in eDiscovery
- Tag items in a review set in eDiscovery
- Analyze data in a review set in eDiscovery
- Use the Query Report to create keyword reports for KeyQL queries
- Filter partially indexed content
- Interactive Guide: Create and manage review sets with the interactive guide
Review Set Gotchas
Module 6: Export
The Export section covers how to export results directly from your Collection, as well as how to export your search results from a Review Set.
Direct export from Collection
- Export direct from Collection
- Interactive Guide: Export data with the interactive guide
Export from a Review Set
- Export items from a review set in eDiscovery
- Export items to a different Review Set
- Interactive Guide: Export data with the interactive guide
Export reference
Module 7: Advanced
The Advanced section offers valuable materials for more advanced use cases, including automating your eDiscovery workflow using Graph APIs, audit log insights, and setting up compliance boundaries and search filtering.
Use the Microsoft Purview eDiscovery API
Set up compliance boundaries and search filtering at solution level
- Set up compliance boundaries in eDiscovery
- Searching and exporting content in multi-geo environment
- Compliance boundaries for SharePoint hub sites
- Configure search permissions filtering
- Compliance boundary limitations
Search for eDiscovery activities in the audit log
Additional Resources
The Additional Resources section offers some valuable reference materials and other resources. There are also links to the official eDiscovery blog, roadmap, Learn documentation, and interactive guides.
eDiscovery Blog: https://aka.ms/eDiscoveryblog
eDiscovery Roadmap: https://aka.ms/ediscoveryroadmap
eDiscovery Learn Documentation: https://aka.ms/eDiscoveryDocsNew
eDiscovery Interactive Guide: https://aka.ms/eDiscoveryNewUX
Join our Community: https://aka.ms/SecurityCommunity
Glossary/Abbreviations
| Term | Definition |
| --- | --- |
| Custodian | A custodian is an individual who has administrative control over documents or electronic files, and whose data is identified, preserved, and collected for legal matters. |
| Data Sources | Data sources are the various locations such as Exchange, OneDrive, SharePoint, etc. where data is stored that will serve as the source of information used in eDiscovery. |
| Data Spillage | Data spillage refers to the unintended disclosure of confidential or sensitive information into an unauthorized environment, requiring prompt containment and remediation measures. |
| ECA | Early Case Assessment is the process of rapidly gathering, reviewing, and analyzing data about potential legal matters to make informed decisions on how to proceed. |
| eDP | In the classic interface, the eDiscovery Premium (eDP) user experience. |
| eDS | In the classic interface, the eDiscovery Standard (eDS) user experience. |
| EDRM | The Electronic Discovery Reference Model is a framework that outlines the typical stages and activities in eDiscovery. |
| ESI | Electronically Stored Information refers to any data or documents stored in electronic form that are identified, collected, and analyzed for use as evidence in legal proceedings. |
| EXO | Exchange Online |
| Exports | Exports refer to downloading or transferring results after a search or review. When items are exported, they are prepared for download based on the defined export options. |
| Hold Policies | Hold Policies are the process by which organizations preserve potentially relevant information when litigation is pending, expected, or triggered by another event. |
| M365 | Microsoft 365 is a subscription service that combines Office applications, cloud services, and advanced security features to help individuals and businesses stay productive and secure. |
| ODB/OD4B | OneDrive (formerly OneDrive for Business) |
| Preservation | Preservation is the process by which organizations protect data from modification or deletion to ensure its integrity for legal purposes. The duty to preserve evidence typically arises when litigation is pending, expected, or triggered by another event. In M365, this is managed through hold policies. |
| PST | The Personal Storage Table is a widely utilized Microsoft export format for the exchange of emails in their native format. |
| Retention | Retention is the duration for which an organization retains information, often determined by its business, legal, regulatory, fiscal, and risk considerations. In M365, retention is managed through the implementation of retention labels and policies. |
| Review Sets | Review Sets are a static set of documents that allow reviewers to analyze, query, view, organize, tag, and export data. |
| SPO | SharePoint (formerly SharePoint Online) |
You made it! Thank you for taking the time to go through the Purview eDiscovery Ninja guide. While there is currently no official badge or certification available, we hope you found the information helpful.
We’d love to hear from you on LinkedIn once you become a #PurvieweDiscoveryNinja.
Special thank you to David Robbins, John Wirtala, Alastair Sharp, Aaron Thorpe and Stefanie Bier for putting together the newly updated Microsoft Purview eDiscovery Ninja Guide!