eDiscovery - Issues exploring groups & users related to a hybrid data source
Hi all, first time posting - unusually I could find nothing out there that helped. I work in an organisation has an on-premises domain which syncs to our tenant. I don't manage the domain or the sync, but I'm assured that the settings are vanilla and there are no errors being logged. 99% of our users are hybrid. The tenant is shared across multiple legal entities, so I'm using eDiscovery to fulfil our GDPR subject access requests The issue I am hitting is straightforward. in eDiscovery searches with hybrid users as the data source, I cannot add related objects (manager, direct reports, groups the user is in). The properties are present in Entra, but not visible to Purview, so I'm not investigating sync errors at the moment. For cloud objects, I can see manager, teams, etc. and it works fine. Does anyone have any insights they can share on the "explore and add" mechanics in eDiscovery search data sources? I'm drawing a complete blank on this one. Where should I be looking?Teams Private Channels Reengineered: Compliance & Data Security Actions Needed by Sept 20, 2025
You may have missed this critical update, as it was published only on the Microsoft Teams blog and flagged as a Teams change in the Message Center under MC1134737. However, it represents a complete reengineering of how private channel data is stored and managed, with direct implications for Microsoft Purview compliance policies, including eDiscovery, Legal Hold, Data Loss Prevention (DLP), and Retention. 🔗 Read the official blog post here New enhancements in Private Channels in Microsoft Teams unlock their full potential | Microsoft Community Hub What’s Changing? A Shift from User to Group Mailboxes Historically, private channel data was stored in individual user mailboxes, requiring compliance and security policies to be scoped at the user level. Starting September 20, 2025, Microsoft is reengineering this model: Private channels will now use dedicated group mailboxes tied to the team’s Microsoft 365 group. Compliance and security policies must be applied to the team’s Microsoft 365 group, not just individual users. Existing user-level policies will not govern new private channel data post-migration. This change aligns private channels with how shared channels are managed, streamlining policy enforcement but requiring manual updates to ensure coverage. Why This Matters for Data Security and Compliance Admins If your organization uses Microsoft Purview for: eDiscovery Legal Hold Data Loss Prevention (DLP) Retention Policies You must review and update your Purview eDiscovery and legal holds, DLP, and retention policies. Without action, new private channel data may fall outside existing policy coverage, especially if your current policies are not already scoped to the team’s group. This could lead to significant data security, governance and legal risks. Action Required by September 20, 2025 Before migration begins: Review all Purview policies related to private channels. Apply policies to the team’s Microsoft 365 group to ensure continuity. Update eDiscovery searches to include both user and group mailboxes. Modify DLP scopes to include the team’s group. Align retention policies with the team’s group settings. Migration will begin in late September and continue through December 2025. A PowerShell command will be released to help track migration progress per tenant. Migration Timeline Migration begins September 20, 2025, and continues through December 2025. Migration timing may vary by tenant. A PowerShell command will be released to help track migration status. I recommend keeping track of any additional announcements in the message center.
Cannot update Case number in Microsoft Purview eDiscovery
I can no longer update the Case number under case settings in the new eDiscovery UI. I used to be able to update it via the externalId Graph endpoint but that appears to be deprecated. The error simply reads "update failed" - there is no additional information. Is anyone else having this problem?
9M365PurvieweDiscoveryInfra touching files in office activity logs
Hi, We use Office Activity Logs through Log Analytics Workspace to report on specific files. We noticed that in our most recent report, many files were accessed by 'ExportWorker' with 'ClientAppName' M365PurvieweDiscoveryInfra. This seems to have happened on specific days a couple of weeks ago where the activity 'file accessed' whenever an ediscovery was run on a location that stored the particular file was registered. This was not the case before if I remember correctly. Does anyone know why this activity was registered as such in the logs and/or has also experienced the exportworker of M365PurvieweDiscoveryInfra touch their files when running an ediscovery? Is this a change with the new eDiscovery? It is also undesirable that users can track incident response employees touching their files in case of an investigation.
eDiscovery for email attachment with encrypted sensitivity labels
We are currently testing encrypted sensitivity labels in conjunction with eDiscovery. We applied an encrypted label to a document, and eDiscovery was able to successfully search for the content in both OneDrive and SharePoint. However, the same functionality does not appear to work for email attachments—the content of encrypted attachments is not searchable. Are there any specific settings or configurations that need to be enabled to support encrypted email attachments in eDiscovery? ThanksSTALE-FORGOTTEN/ABANDONED existing sensitive emails with sensitive information
Hello team, In my company we have stale emails from 200 which contain sensitive data like: SINs, Driver Licenses, invoices, etc. the users reject to delete those emails as they may needs for reference. i.e.: Use case: HR needs to keep sensitive email as reference if end-user update life insurance beneficiaries, this email must be kept as evidence of the user's request update. this kind of emails can't be removed. However, this emails without protection in the user's mailbox is only meat for the attackers. unfortunately, we can`t protect existing emails with auto-labeling. So, what is the best practice to take backup emails, secure the emails and remove those from un-secure storage like user`s mailbox. This case apply almost 100% to any organization, this is a problem for everyone. ------------------------------------------------------------------------------------------------------------------------------------------ My approach: eDiscovery download all sensitive emails discovered. Apply label using AIP UL client to the download *.msg which put the files *.pfile Create folder in HR user's OneDrive which the email will be removed. If the user needs to search for any email's metadata, he can search directly, or if they need to search using email's content, he manually should remove sensitivity label to all items inside the folder. After the search content in *.msg, the user should apply protection again. Fallback: If the user forget protect the sensitive emails, the idea is to run schedule script to check for *msg, if found, it will apply label using PS. I want to check any other approach best practice is recommended? Backup & Setup Global Admin (GA) prepares local backup: export saved as native *.msg files. Create & Secure the Evidence Folder GA connects to user’s OneDrive. GA creates folder: ArchivedSensitiveEmails. GA applies retention label (Record) to folder → prevents rename/move GA breaks inheritance → only the OneDrive owner (Edit) Upload & Protect GA uploads the backup emails (*.msg) into the new folder. GA applies sensitivity label (Viewer-only) → user can open but not print/copy/forward. Now all items are protected as *.msg.pfile. User Workflow (On-Demand Search) User may remove protection on a file/folder to perform keyword search on native .msg. User is required to reapply protection after finishing the search (via Purview client). Automatic Weekly Enforcement Scheduled PowerShell job runs weekly across all OneDrives. Script scans ArchivedSensitiveEmails folder for unprotected .msg. If found → automatically applies encryption using the GA’s published sensitivity label. Access rights: only the OneDrive owner (Viewer) — optional HR group can also be added. Script deletes original .msg after creating .msg.pfile to enforce security. CSV log maintained for audit of actions (protected, skipped, errors). ------------------------------------------------------------------------------------------------------------------------------------------ So, what is the best practice or recommendation from Microsoft to protect the existing sensitive emails?
eDiscovery keyword statistics.
Noticing with this roadmap item: https://admin.microsoft.com/AdminPortal/Home?#/MessageCenter/:/messages/MC1105008 specifically Expanded search condition builder with support for logical operators (AND, OR, NEAR) in the keywords field That when running a new search that the statistics generated for keywords claims that "Query does not contain keywords" and doesn't generate the Statistics reports for keywords anymore. Tried with keywords on multiple lines as well as same line but separated with OR statements. Is this known issue?
