Microsoft Security Blog

Become a Microsoft Purview eDiscovery Ninja

Stefanie_Bier
Sep 30, 2021

This training was last updated in March 2025. 

Welcome to the updated Microsoft Purview eDiscovery Ninja Guide! We're thrilled to present this updated version, packed with the latest insights and resources to help you master the Microsoft Purview eDiscovery solutions.

Whether you're new to Purview eDiscovery or aiming to level up and become a master, this guide is designed to help you become a true eDiscovery Ninja.

Module 1: Overview

The Overview includes an introduction, demonstration videos, the latest interactive guide, and blog postings to get you started on your journey.

eDiscovery Introduction

Features and capabilities based on licensing

Microsoft eDiscovery Blog announcement on new user experience

Module 2: Getting Started

The Getting Started section will provide you with the prerequisite knowledge required before using the Microsoft Purview eDiscovery solutions, including permissions, processing settings, supported file types and everything you need to know about decryption. 

Permissions

Create a case

Manage eDiscovery processes (jobs)

Limits in eDiscovery

Supported file types 

Document metadata fields

Decryption

Configure Settings

Module 3: Identification & Collection

The Identification section covers how to identify sources in Microsoft 365, how to set up your search, and how to evaluate search results before committing them to Export or to a Review Set for further analysis. 

Create Search query for a case in eDiscovery:

Search for content in Exchange Online

Search for content in SharePoint and OneDrive

Search for Microsoft Teams content

Search for Copilot data

Collection settings – How to evaluate search results

Module 4: Preservation (holds)

The Preservation section will show you how to create and manage your holds in Microsoft Purview eDiscovery. Please note that both the Microsoft Purview eDiscovery solution and the Microsoft Purview Data Lifecycle Management & Records enable organizations to place their Microsoft 365 data on an in-place hold.

Create and manage Holds

Hold Gotchas

Retention policies and retention labels

Module 5: Analysis & Review

The Analysis & Review section will teach you everything you ever wanted to know about Review Sets in Microsoft Purview eDiscovery! This section covers how document sets, Teams conversations, and emails are grouped together for review. 

Manage Review Sets

Search for and filter content in a Review Set

Review Set Gotchas

Module 6: Export

The Export section covers how to export results directly from your Collection, as well as how to export your search results from a Review Set.  

Direct export from Collection

Export from a Review Set

Export reference

Module 7: Advanced

The Advanced section offers valuable materials for more advanced use cases, including automating your eDiscovery workflow using Microsoft Graph APIs, audit log insights, and setting up compliance boundaries and search filtering.

Use the Microsoft Purview eDiscovery API

Set up compliance boundaries and search filtering at solution level

Search for eDiscovery activities in the audit log

Additional Resources

The Additional Resources section offers some valuable reference materials and other resources. There are also links to the official eDiscovery blog, roadmap, Learn documentation, and interactive guides.

eDiscovery Blog: https://aka.ms/eDiscoveryblog

eDiscovery Roadmap: https://aka.ms/ediscoveryroadmap

eDiscovery Learn Documentation: https://aka.ms/eDiscoveryDocsNew

eDiscovery Interactive Guide: https://aka.ms/eDiscoveryNewUX

Join our Community: https://aka.ms/SecurityCommunity

Glossary/Abbreviations

Custodian

A custodian is an individual who has administrative control over documents or electronic files, and whose data is identified, preserved, and collected for legal matters.

Data Sources

Data sources are the various locations such as Exchange, OneDrive, SharePoint, etc. where data is stored that will serve as the source of information used in eDiscovery.

Data Spillage

Data spillage refers to the unintended disclosure of confidential or sensitive information into an unauthorized environment, requiring prompt containment and remediation measures.

ECA

Early Case Assessment is the process of rapidly gathering, reviewing, and analyzing data about potential legal matters to make informed decisions on how to proceed.

eDP

In the classic interface, the eDiscovery Premium (eDP) user experience.

eDS

In the classic interface, the eDiscovery Standard (eDS) user experience.

EDRM

The Electronic Discovery Reference Model is a framework that outlines the typical stages and activities in eDiscovery.

ESI

Electronically Stored Information refers to any data or documents stored in electronic form that are identified, collected, and analyzed for use as evidence in legal proceedings.

EXO

Exchange Online

Exports

Exports refer to downloading or transferring results after a search or review. When items are exported, they are prepared for download based on the defined export options.

Hold Policies

Hold Policies are the process by which organizations preserve potentially relevant information when litigation is pending, expected, or triggered by another event.

M365

Microsoft 365 is a subscription service that combines Office applications, cloud services, and advanced security features to help individuals and businesses stay productive and secure.

ODB/OD4B

OneDrive (formerly OneDrive for Business)

Preservation

Preservation is the process by which organizations protect data from modification or deletion to ensure its integrity for legal purposes. The duty to preserve evidence typically arises when litigation is pending, expected, or triggered by another event. In M365, this is managed through hold policies.

PST

The Personal Storage Table is a widely utilized Microsoft export format for the exchange of emails in their native format.

Retention

Retention is the duration for which an organization retains information, often determined by its business, legal, regulatory, fiscal, and risk considerations. In M365, retention is managed through the implementation of retention labels and policies.

Review Sets

Review Sets are a static set of documents that allow reviewers to analyze, query, view, organize, tag, and export data.

SPO

SharePoint (formerly SharePoint Online)

You made it! Thank you for taking the time to go through the Purview eDiscovery Ninja guide. While there is currently no official badge or certification available, we hope you found the information helpful.

We’d love to hear from you on LinkedIn once you become a #PurvieweDiscoveryNinja

Special thank you to David Robbins, John Wirtala, Alastair Sharp, Aaron Thorpe and Stefanie Bier for putting together the newly updated Microsoft Purview eDiscovery Ninja Guide!

Updated Mar 17, 2025
Version 15.0
