Which searchable unique identifiers do eDiscovery and Content Search have in common, if any?
I can see Immutable ID and Item Identity are a match when comparing exports of overlapping data from eDiscovery against Content Search, but I can't actually search those values to find the exact data set that I need. Here's my use case: we have files that were tagged for hard deletion in an eDiscovery Review Set. I need to find those exact files in a Content Search, but attempts to find emails and their attachments using FileId, FamilyId, ConversationId have all failed. Content Search just ignores those queries and returns the entirety of whatever mailboxes I'm searching on. Email Message Id appears to be unavailable in Content Search and neither Item Identity nor Immutable ID are working either. How can I find the exact files that were tagged? Is there a unique identifier that can be used? We need to do a hard delete of these items, hence the need to pull them into Content Search. Any help or suggestions would be appreciated. So far, the best matching search I've been able to run is on received date (which includes the timestamp) but this is giving me too many results. Given the lack of columns and filtering in Content Search, having too many results is not ideal. Need to get the exact tagged set returned. And what about Compound Path? Which way should the slashes go for Content Search? I can't get it to return anything.
Any advice on a self service way of having managers access mailbox from terminated employees?
Greetings, I'm looking for some advice on a challenge we are facing with accessing mailboxes from terminated users. Currently, we have some managers who need access to terminated employees' emails for valid business reasons, and our current process involves exporting PSTs from eDiscovery, which can be time-consuming and cumbersome. Moreover, once we pass the PST to the requestor, we lose control of it, which is not ideal because it's not subject to retention policies. We've considered creating a shared mailbox, importing the PST there, and giving access to the requestor, but that takes too long and involves too many parties in the process (exporting the PST, legal team, creating the shared folder, X team, giving access to said shared mailbox, eventually removing it, Y team, etc.). I would like to know if there is a self-service way for approved employees to access mailboxes from terminated users (users that no longer exist in Active Directory and are only available in eDiscovery). Any insights or advice you can provide would be greatly appreciated. Thank you in advance for your help.Name & alias mismatch in eDiscovery Premium
Purview eDiscovery Premium manager here. Has anyone in this forum encountered a problem where the display name for one custodian and the email address for another somehow get mixed and one of the metadata fields ends up looking like this? Example Case: Ren v. Stimpy Custodian 1: Ren Hoek <rhoek@companydotcom> Custodian 2: Stimpson J. Cat <sjcat@companydotcom> In the list of possible senders in the review set I find: Ren Hoek <sjcat@companydotcom> This shouldn't be possible. There's no one in the active directory with that display name and email combination. Those are two completely separate accounts. In the actual review set that I'm managing, there are over one hundred appearances of this mismatch. We have a ticket open with Microsoft, but the ticket isn't going anywhere. Microsoft doesn't seem to have an answer for it. We have verbal confirmation from Microsoft that it's just a display issue with Purview and that there are no actual emails going out as "Ren Hoek <sjcat@companydotcom>". But what we don't have is an explanation as to why this happened in Purview and no clear idea how to prevent it or how frequently its happening. Exporting the files that show the mismatch via Purview's export tool shows the proper pairing of name and alias on the native file. No mismatch, so that's good. But, when downloading the files, one by one, you see the mismatch. This is, of course, a problem. Anyone have any insight into this? Can the error be duplicated somehow? Any help would be greatly appreciated. Edit: the only items this affects are calendar invites. All emails, chats, etc. display with the correct display name & alias.Microsoft Purview Best Practices
Microsoft Purview is a solution that helps organizations manage data and compliance. It also uses AI to classify data, monitor compliance, and identify risks. Key features include data discovery, classification, governence, retention, compliance management, encryption, and access controls. Purview ensures data security, prevents insider threats, and helps implement data loss prevention policies to meet compliance requirements. Hello everyone - This is just a short introduction, I am Dogan Colak. I have been working as an M365 Consultant for about 5 years, holding certifications such as MCT, SC-100, SC-200, SC-300, and MS-102, with a focus on Security & Compliance. This year, I am excited to share what I have learned with the Microsoft Technology Community. In the coming days, I will be publishing videos and articles based on the training agenda I have created. I will also share these articles on LinkedIn, so feel free to follow me there. I am always open to feedback and suggestions. See you soon!
premium ediscovery custodian data sources
to confirm, adding a custodian in Purview premium ediscovery - this does not add any "Team" SPO sites (SPO sites not connected to Teams). If a customer wanted to know every SPO site a custodian has access to - would this be possible to write a script? Or, is the best approach for a discovery admin to just do a broad search of ALL SPO sites and see what gets returned from this broad search?Question about eDiscovery syntax
What would the appropriate eDiscovery syntax be if I wanted to perform a search on a single Exchange mailbox, capturing all email interactions between the mailbox's owner (i.e. mailto:email address removed for privacy reasons) and an external email address (i.e. mailto:email address removed for privacy reasons)?Teams Private Channels Reengineered: Compliance & Data Security Actions Needed by Sept 20, 2025
You may have missed this critical update, as it was published only on the Microsoft Teams blog and flagged as a Teams change in the Message Center under MC1134737. However, it represents a complete reengineering of how private channel data is stored and managed, with direct implications for Microsoft Purview compliance policies, including eDiscovery, Legal Hold, Data Loss Prevention (DLP), and Retention. 🔗 Read the official blog post here New enhancements in Private Channels in Microsoft Teams unlock their full potential | Microsoft Community Hub What’s Changing? A Shift from User to Group Mailboxes Historically, private channel data was stored in individual user mailboxes, requiring compliance and security policies to be scoped at the user level. Starting September 20, 2025, Microsoft is reengineering this model: Private channels will now use dedicated group mailboxes tied to the team’s Microsoft 365 group. Compliance and security policies must be applied to the team’s Microsoft 365 group, not just individual users. Existing user-level policies will not govern new private channel data post-migration. This change aligns private channels with how shared channels are managed, streamlining policy enforcement but requiring manual updates to ensure coverage. Why This Matters for Data Security and Compliance Admins If your organization uses Microsoft Purview for: eDiscovery Legal Hold Data Loss Prevention (DLP) Retention Policies You must review and update your Purview eDiscovery and legal holds, DLP, and retention policies. Without action, new private channel data may fall outside existing policy coverage, especially if your current policies are not already scoped to the team’s group. This could lead to significant data security, governance and legal risks. Action Required by September 20, 2025 Before migration begins: Review all Purview policies related to private channels. Apply policies to the team’s Microsoft 365 group to ensure continuity. Update eDiscovery searches to include both user and group mailboxes. Modify DLP scopes to include the team’s group. Align retention policies with the team’s group settings. Migration will begin in late September and continue through December 2025. A PowerShell command will be released to help track migration progress per tenant. Migration Timeline Migration begins September 20, 2025, and continues through December 2025. Migration timing may vary by tenant. A PowerShell command will be released to help track migration status. I recommend keeping track of any additional announcements in the message center.
eDiscovery keyword statistics.
Noticing with this roadmap item: https://admin.microsoft.com/AdminPortal/Home?#/MessageCenter/:/messages/MC1105008 specifically Expanded search condition builder with support for logical operators (AND, OR, NEAR) in the keywords field That when running a new search that the statistics generated for keywords claims that "Query does not contain keywords" and doesn't generate the Statistics reports for keywords anymore. Tried with keywords on multiple lines as well as same line but separated with OR statements. Is this known issue?
