Microsoft Purview - Paint By Numbers Series (Part 5h) - Premium eDiscovery - Jobs
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix. All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience
The Advanced eDiscovery (AeD) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.

Document Scope
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Advanced eDiscovery. It is presumed that you already have data to search inside your tenant. We will only step through a basic eDiscovery case (see the Use Case section).
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Compliance, including: Data Classification; Information Protection; Data Loss Prevention (DLP) for Exchange, OneDrive, Devices; Data Lifecycle Management (retention and disposal); Records Management (retention and disposal); Premium eDiscovery (Overview and Settings, Case Creation and Case Settings, Data Sources and Collections, Review Sets, Communications, Holds, Exports, Processing); Insider Risk Management (IRM); Priva; Advanced Audit; Microsoft Cloud App Security (MCAS); Information Barriers; Communications Compliance; Licensing.

It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing. If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.
Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community

Use Case
There are many use cases for Advanced eDiscovery. For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.

Overview of Document
This part of the blog is looking at the Exports tab, and how it should be used in an eDiscovery case.

Definitions
Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed. These are all the custodians (users) being investigated. These are not the users performing the investigation.
Collections – This is the actual search being performed. Collections include user, keyword, data, etc.
Review Sets – Once a collection/search has been performed, the data must be reviewed.
This tab is where secondary searches and a review of the data can be done.
Communications – If the HR or legal team wishes, they can notify the user that they are under investigation. You can also set up reminder notifications in this section of the UI. Note - This task is optional.
Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold. This means that the data cannot be deleted by the end user, and if they do delete it, only their reference to the data is deleted. If the user deletes their reference, then the data is placed into a hidden hold directory.
Processing – This tab is related to the indexing of data in your production environment. You would use this if you are not finding data that you expect and you need to re-run indexing activities. Note - This task is optional.
Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.
Export #2 – This is also the term used to export a .CSV report.
Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc.). This is useful if you launch an activity and want to monitor its status in real time.
Setting – High-level analytics and settings and reports, etc.
Custodian – This is the individual being investigated.

Notes
Core vs Advanced eDiscovery (high-level overview)
Core eDiscovery – This allows for searching and export of data only. It is perfect for basic “search and export” needs of data. It is not the best tool for data migration or HR and/or Legal case management and workflows.
Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside counsel or a legal entity. This tool provides a truer workflow for discovery, review, and export of data along with reporting and redacting of data.
If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States. The link is in the appendix.

For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing. We will not be using all of the tabs available in an AeD case.

How do user deletes of data work with AeD?
If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications.
If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications. However, the user reference to the data will be deleted so they will believe that the data is deleted.

Pre-requisites
You should review the previous parts of this eDiscovery blog series and be sure you have done them.

Jobs tab
The Jobs tab shows all historical and active jobs being run as part of your eDiscovery case. You can find this tab on the far right of your case panel. In the bottom of this pane, you will see your eDiscovery jobs. The value of this tab, from a day-to-day perspective, is that you can see the status of your eDiscovery activities: whether an activity is Successful, In Progress, or Failed. Then you can know if you need to step away from the case and do something else while the activity completes.

We are now done with this part of the eDiscovery blog.
Appendix and Links
https://edrm.net/resources/frameworks-and-standards/edrm-model/
Overview of the Advanced eDiscovery solution in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
Work with custodians in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Search the audit log in the Security & Compliance Center - Microsoft 365 Compliance | Microsoft Docs
Work with processing errors in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Export case data in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Manage jobs in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs

Microsoft Purview- Paint By Numbers Series (Part 5) - Premium eDiscovery Overview and Settings
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix. All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience
The Advanced eDiscovery (AeD) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.

Document Scope
We will create a case and configure the settings for this case in this section of the blog.
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Compliance, including: Data Classification; Information Protection; Data Loss Prevention (DLP) for Exchange, OneDrive, Devices; Data Lifecycle Management (retention and disposal); Records Management (retention and disposal); Premium eDiscovery (Overview and Settings, Data Sources and Collections, Review Sets, Communications, Holds, Processing, Exports, Jobs); Insider Risk Management (IRM); Priva; Advanced Audit; Microsoft Cloud App Security (MCAS); Information Barriers; Communications Compliance; Licensing.

It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing. If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.
Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community

Use Case
There are many use cases for Advanced eDiscovery. For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.

Definitions
Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed. These are all the custodians (users) being investigated. These are not the users performing the investigation.
Collections – This is the actual search being performed. Collections include user, keyword, data, etc.
Review Sets – Once a collection/search has been performed, the data must be reviewed. This tab is where secondary searches and a review of the data can be done.
Communications – If the HR or legal team wishes, they can notify the user that they are under investigation. You can also set up reminder notifications in this section of the UI. Note - This task is optional.
Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold. This means that the data cannot be deleted by the end user, and if they do delete it, only their reference to the data is deleted. If the user deletes their reference, then the data is placed into a hidden hold directory.
Processing – This tab is related to the indexing of data in your production environment. You would use this if you are not finding data that you expect and you need to re-run indexing activities. Note - This task is optional.
Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.
Export #2 – This is also the term used to export a .CSV report.
Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc.). This is useful if you launch an activity and want to monitor its status in real time.
Setting – High-level analytics and settings and reports, etc.
Custodian – This is the individual being investigated.

Notes
Core vs Advanced eDiscovery (high-level overview)
Core eDiscovery – This allows for searching and export of data only. It is perfect for basic “search and export” needs of data. It is not the best tool for data migration or HR and/or Legal case management and workflows.
Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside counsel or a legal entity. This tool provides a truer workflow for discovery, review, and export of data along with reporting and redacting of data.
If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States. The link is in the appendix.

For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing. We will not be using all of the tabs available in an AeD case.

How do user deletes of data work with AeD?
If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications.
If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications. However, the user reference to the data will be deleted so they will believe that the data is deleted.

Pre-requisites
If you have performed Part 1 of this blog series (creating a Sensitive Information Type), then you have everything you need. If you have not done that part of the blog, you will need to populate your test environment with test data for the steps to follow.

Create a Case
Click Create Case. Give the case a Name, Case Number (if applicable), and Case Description, and then click No, just go to the home page.
Note – The more you put in the description, the better for reporting later on. So, if you have received an email from HR, Legal, outside counsel, etc., you can cut and paste that information into the Case Description.
You will now find yourself in the Case Overview. With the case created, we will now run an investigation.

Settings
Before we start collecting, reviewing and exporting data, we need to be sure the settings for the case are configured to your needs. When you click on the case, you will see your Settings tab on the far right.
In that tab you will find 3 tabs: Case Information, Access & permissions, and Search & analytics. We will go through each of these three tabs.

Case Information
If you click Select, you can change the case name, number, description, or change the status of the case. Under Actions, you can close the case, delete the case, or copy information to hand to Microsoft support if needed.

Access & Permissions
Under Access & Permissions, if you click Select, you can add and/or remove users to manage this case. Please note that a user must have other eDiscovery permissions configured in Purview for these case-specific permissions to take effect. Please reference the information on permissions in the Appendix and Links section below.

Search and Analytics
If you click Select, you can change the search settings on threads and other functions. Here are the official explanations for the top sections of this tab.
“Near duplicates/email threading: When turned on, duplicate detection, near duplicate detection, and email threading are included as part of the workflow when you run analytics on the data in a review set. Document and email similarity threshold: If the similarity level for two documents is above the threshold, both documents are put in the same near duplicate set. Minimum/maximum number of words: These settings specify that near duplicates and email threading analysis are performed only on documents that have at least the minimum number of words and at most the maximum number of words.”

Themes
“How does a person write a document? They generally start with one or more ideas they want to convey in the document, and compose using words that align with the ideas. The more prevalent an idea is, the more frequent the words that are related to that idea tend to be. This informs how people consume documents as well.
The important thing to understand from reading a document is the ideas that the document is trying to convey, which ideas appear where, and what the relationships between the ideas are. This can be extended to how a person wants to consume a set of documents. They want to see which ideas are present in the sets, and which documents are talking about those ideas. Also, if they find a particular document of interest, they want to be able to see documents that discuss similar ideas. The Themes functionality in eDiscovery (Premium) attempts to mimic how humans reason about documents, by analyzing the themes that are discussed in a review set and assigning a theme to documents in the review set. In eDiscovery (Premium), Themes goes one step further and identifies the dominant theme in each document. The dominant theme is the one that appears the most often in a document.”

At the bottom of this tab, you can enable and configure Optical Character Recognition (OCR) for the case at hand. For more details on this, I recommend you look at the official links listed in the Appendix and Links section below. See the “Configure search and analytics settings” URL in the Appendix and Links section below for more detail on these settings.

Appendix and Links
Overview of the Advanced eDiscovery solution in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
Work with custodians in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Configure search and analytics settings - eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn
Configure permissions filtering for eDiscovery - Microsoft Purview (compliance) | Microsoft Learn
Assign eDiscovery permissions in the Microsoft Purview compliance portal - Microsoft Purview (compliance) | Microsoft Learn
Themes in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn

Microsoft Purview- Paint By Numbers Series (Part 5b) - Premium eDiscovery Data Sources & Collections
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix. All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience
The Advanced eDiscovery (AeD) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.

Document Scope
Once a case is created, you will need to add data sources “to be searched” and then you will need to run a collection, meaning the actual search with search criteria.
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Compliance, including: Data Classification; Information Protection; Data Loss Prevention (DLP) for Exchange, OneDrive, Devices; Data Lifecycle Management (retention and disposal); Records Management (retention and disposal); Premium eDiscovery (Overview and Settings, Case Creation and Case Settings, Review Sets, Communications, Holds, Processing, Exports, Jobs); Insider Risk Management (IRM); Priva; Advanced Audit; Microsoft Cloud App Security (MCAS); Information Barriers; Communications Compliance; Licensing.

It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing. If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.
Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community

Use Case
There are many use cases for Advanced eDiscovery. For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.

Definitions
Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed. These are all the custodians (users) being investigated. These are not the users performing the investigation.
Collections – This is the actual search being performed. Collections include user, keyword, data, etc.
Review Sets – Once a collection/search has been performed, the data must be reviewed. This tab is where secondary searches and a review of the data can be done.
Communications – If the HR or legal team wishes, they can notify the user that they are under investigation. You can also set up reminder notifications in this section of the UI. Note - This task is optional.
Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold. This means that the data cannot be deleted by the end user, and if they do delete it, only their reference to the data is deleted. If the user deletes their reference, then the data is placed into a hidden hold directory.
Processing – This tab is related to the indexing of data in your production environment. You would use this if you are not finding data that you expect and you need to re-run indexing activities. Note - This task is optional.
Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.
Export #2 – This is also the term used to export a .CSV report.
Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc.). This is useful if you launch an activity and want to monitor its status in real time.
Setting – High-level analytics and settings and reports, etc.
Custodian – This is the individual being investigated.

Notes
Core vs Advanced eDiscovery (high-level overview)
Core eDiscovery – This allows for searching and export of data only. It is perfect for basic “search and export” needs of data. It is not the best tool for data migration or HR and/or Legal case management and workflows.
Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside counsel or a legal entity. This tool provides a truer workflow for discovery, review, and export of data along with reporting and redacting of data.
If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States. The link is in the appendix.

For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing. We will not be using all of the tabs available in an AeD case.

How do user deletes of data work with AeD?
If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications.
If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications. However, the user reference to the data will be deleted so they will believe that the data is deleted.

Pre-requisites
If you have performed Part 1 of this blog series (creating a Sensitive Information Type), then you have everything you need. If you have not done that part of the blog, you will need to populate your test environment with test data for the steps to follow.

First Investigation Steps
Now that you have configured the case and case settings, it is time to look into 1) who will be investigated or what locations of your tenant will be searched (Data Sources) and 2) what criteria will be applied to the investigation (Collections).

Configure Data Sources
There are 2 ways to indicate what data sources will be searched: custodian or location.

Custodians
Select the Data Sources tab and then click Add Data Source. You will have several options. We will choose Add new custodians. This allows you to search across multiple Office 365 applications for a user.
Note – Import custodians imports a list of custodians via a CSV spreadsheet. We will not be covering this in depth.
You can find information on this in the Appendix and Links section below.
Type the name of the custodian you want to search. I will only be selecting one user at this time, Pradeep. Select your Hold Setting. The Hold Setting indicates which users’ data sets are placed on automatic hold when searched. If you do not select Hold for a user, the user’s data will be searched but not placed automatically on legal hold. In the Review section of the wizard, you will see what data locations are being searched and which are placed on automatic hold.
Note #1 – Any data location associated with that user will have a number 1 associated with it. If there is no number associated with the data location, then the user is not determined to have any data in that location. Automatic Hold will be placed on locations where the user has data, per the 2nd step of the wizard.
Note #2 – When you edit a custodian, you can change or clear the setting in this screen.
If you are content with what you see, click Submit. Then click Done on the next screen.

Locations
If you wish to search specific locations, and not just users and their associated data locations, you can select Add data locations. You can add SharePoint, Exchange, or M365 connected apps locations. I will add the default SharePoint location of “The Landing”, which is one of my pre-populated SharePoint sites. I will not be adding an Exchange location. Then click Add.

Run a Collection
Now we will run a collection (i.e., search) of data. Select the Collections tab. Click Add Collection, and choose Standard collection. Give the collection a name and description and click Next. In my example, I’ve entered the name of the inventor of the X-Ray machine. For the custodians being searched (Custodial Data Sources), you can search either a) specific custodians assigned to this case or b) all users associated with your case. I will choose All users. Click Next. Next are Non-custodial data sources.
These are sites, groups and other sources that are not associated with the custodians that you might want to add to your search. For now, accept the default and select Next. If you want to add other locations, other than those associated with the user via their Identity, then you can add them in the Additional Locations part of the wizard. For example, you can search Sarah Smith’s email in addition to Pradeep’s by adding her mailbox in this section. Accept the default and click Next.

We have come at long last to the search criteria itself. In this section labeled Conditions, you can run searches based on keyword or other conditions. For my test I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This stands for 1MB file with SSN information for Advanced eDiscovery testing. I will search against the three names of this inventor. Here is a list of those other conditions you can choose from. Select the criteria that you want to search. When you are ready, click Next.
Note – A common initial search is to search a user or set of users and a date range. Then run a secondary search on a narrower data range, keywords, a subset of users, etc. In Advanced eDiscovery, we will do those sorts of searches in the Review Sets tab, which is next.

Next is Save Draft or Collection. Here you have the option to save this collection as a draft (meaning the data set is not officially placed on hold) or you can collect items into a review set. We will choose the latter (Collect items and add to review set), and I will add it to a new Review set.
Note #1 – If you have a case with multiple collections, you might decide to add a collection to a pre-existing Review Set. I do not have one here and so will use a new review set.
Note #2 – If adding to an existing Review Set, you can select Additional collection settings.
Again, we will not do those here as those options are also found in the Review Set section of the eDiscovery tool.
Note #3 – Placing data in a Review Set does not place that data on hold. That is performed in the Hold tab, which will allow you to place a “hold in place” action on data. We will not be performing that in this blog.
Under Collection ingestion scale, I will choose the first option, Add all collection to review set.
Note – You can choose to add only part of the collection to a review set, if you wish.
Now review your collection and select Submit and then Done. Click Done and move to the Review Sets tab.

Appendix and Links
Overview of the Advanced eDiscovery solution in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
Work with processing errors in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Manage jobs in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Work with custodians in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn
Collection statistics and reports - Microsoft Purview (compliance) | Microsoft Learn
Keyword queries and search conditions for eDiscovery - Microsoft Purview (compliance) | Microsoft Learn
Add custodians to an eDiscovery (Premium) case - Microsoft Purview (compliance) | Microsoft Learn
Import custodians to an eDiscovery (Premium) case - Microsoft Purview (compliance) | Microsoft Learn
Manage custodians in an eDiscovery (Premium) case - Microsoft Purview (compliance) | Microsoft Learn
View custodian audit activity - Microsoft Purview (compliance) | Microsoft Learn
Add non-custodial data sources to an eDiscovery (Premium) case - Microsoft Purview (compliance) | Microsoft Learn
Overview of collections in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn
Create a collection estimate - Microsoft Purview (compliance) | Microsoft Learn
Build search queries in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn

Microsoft Purview- Paint By Numbers Series (Part 5) - Premium eDiscovery Overview and Settings
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps and in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience

The Advanced eDiscovery (AeD) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Advanced eDiscovery. It is presumed that you already have data to search inside your tenant. We will only step through a basic eDiscovery case (see the Use Case section).
Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Compliance, including:

- Data Classification
- Information Protection
- Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
- Data Lifecycle Management (retention and disposal)
- Records Management (retention and disposal)
- Premium eDiscovery
  - Case Creation and Case Settings
  - Data Sources and Collections
  - Review Sets
  - Communications
  - Holds
  - Processing
  - Exports
  - Jobs
- Insider Risk Management (IRM)
- Priva
- Advanced Audit
- Microsoft Cloud App Security (MCAS)
- Information Barriers
- Communications Compliance
- Licensing

It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing.

If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.

Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community

Use Case

There are many use cases for Advanced eDiscovery. For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.

Definitions

Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed. These are all the custodians (users) being investigated. These are not the users performing the investigation.
Collections – This is the actual search being performed. Collections include user, keyword, data, etc.
Review Sets – Once a collection/search has been performed, the data must be reviewed. This tab is where secondary searches can be done and the data can be reviewed.
Communications – If the HR or legal team wishes, they can notify the user that they are under investigation. You can also set up reminder notifications in this section of the UI. Note - This task is optional.
Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold. This means that the data cannot be deleted by the end user; if they delete it, only their reference to the data is deleted. If the user deletes their reference, then the data is placed into a hidden hold directory.
Processing – This tab is related to the indexing of data in your production environment. You would use this if you are not finding data that you expect and you need to re-run indexing activities. Note - This task is optional.
Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.
Export #2 – This is also the term used to export a .CSV report.
Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc). This is useful if you launch an activity and want to monitor its status in real time.
Settings – High-level analytics, settings, reports, etc.
Custodian – This is the individual being investigated.

Notes

Core vs Advanced eDiscovery (high-level overview)

Core eDiscovery – This allows for searching and export of data only. It is perfect for basic “search and export” needs of data. It is not the best tool for data migration or HR and/or Legal case management and workflows.
Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside counsel or a legal entity. This tool provides a truer workflow for discovery, review, and export of data along with reporting and redacting of data.
If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States. The link is in the appendix.

For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing.

We will not be using all of the tabs available in an AeD case.

How do user deletes of data work with AeD?

If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications.
If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications. However, the user reference to the data will be deleted so they will believe that the data is deleted.

Pre-requisites

If you have performed Part 1 of this blog series (creating a Sensitive Information Type), then you have everything you need. If you have not done that part of the blog, you will need to populate your test environment with test data for the steps to follow.

Overview of Premium eDiscovery Blog

- Overview and Settings
- Case Creation and Case Settings
- Data Sources and Collections
- Communications
- Holds
- Exports
- Processing
- Jobs

Where will you spend most of your time in an eDiscovery case?

Once a case is created and you have configured any settings or permissions related to that case, you will spend the bulk of your time in the following three tabs, which are covered in Sections 5b and 5c in this blog series.
- Data Sources
- Collections
- Review Sets

The 3 root Premium eDiscovery tabs

Overview tab

This tab will show you 1) all of your cases, 2) which cases have been recently accessed, and 3) your account’s rights relative to Premium eDiscovery.

Cases tab

In this tab you can 1) see all the cases you have created previously, 2) create a new case, or 3) download a spreadsheet with a list of all of this information. Here is an example of what you might find.

Hold Reports (preview) tab

As of the publication of this blog, this feature is in Public Preview.

Hold reports are out-of-the-box reports showing what data is on legal hold for any of your cases. They include the following information:

- Location (ex. mailbox)
- Service (ex. Exchange, SharePoint, etc)
- Case name
- Case type (standard or premium)
- Case status
- Last Modified
- Last Fetched

These reports must be enabled (or Opt-In) in the associated Premium eDiscovery Settings tab. Once you have “Opted-In” to the Hold Reports, you will see the reports populate in this tab. Below is an example of what you will see once you have Opted-In.

Premium eDiscovery Settings

There are 5 settings for Premium eDiscovery. We will cover each below.

- Analytics
- Hold Report (Preview)
- Communications Library
- Issuing Officer
- Historical Versions

Analytics

To understand what this setting does, let us look at the official documentation (find the link below and in the Appendix and Links section).

“When attorney-client privilege detection is enabled, all documents in a review set will be processed by the attorney-client privilege detection model when you analyze the data in the review set. The model looks for two things:

Privileged content – The model uses machine learning to determine the likelihood that the document contains content that is legal in nature.
Participants – As part of setting up attorney-client privilege detection, you have to submit a list of attorneys for your organization.
The model then compares the participants of the document with the attorney list to determine if a document has at least one attorney participant.

The model produces the following three properties for every document:

AttorneyClientPrivilegeScore: The likelihood the document is legal in nature; the values for the score are between 0 and 1.
HasAttorney: This property is set to true if one of the document participants is listed in the attorney list; otherwise the value is false. The value is also set to false if your organization didn't upload an attorney list.
IsPrivilege: This property is set to true if the value for AttorneyClientPrivilegeScore is above the threshold or if the document has an attorney participant; otherwise, the value is set to false.”

Configuring this is covered in the following Microsoft document so we will not go into that here in this blog.

Set up attorney-client privilege detection in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn

Hold Report (Preview)

As of the publication of this blog, this feature is in Public Preview.

Hold reports are out-of-the-box reports showing what data is on legal hold for any of your cases. They include the following information:

- Location (ex. mailbox)
- Service (ex. Exchange, SharePoint, etc)
- Case name
- Case type (standard or premium)
- Case status
- Last Modified
- Last Fetched

There is only one thing to do on this tab and that is select Opt-In (or Opt-out if you decide to change your mind at a later date).

Note – It can take up to 2 days for the hold reports to start being generated.

Once you have “Opted-In” to the Hold Reports, you will see the reports populate when you return to the Hold report (preview) tab at the root of Premium eDiscovery. Below is an example of what you will find.

Communications Library

Here you can create, edit, and delete custodian communications/notifications to be used in any of your Premium eDiscovery Cases. We will walk through creating a notification below.
Note – Case-specific communications/notifications AND sending ANY communications/notifications will be covered in Part 5d – Premium eDiscovery – Communications of this blog series.

On the left, click on Communications Library. There is a Standard template, but you can create your own if you like. I will show you how to do that below.

On the right side, select Create. You will be taken through a 5-step wizard.

First, give the template a name. I will name my template “Custodian notification Template 1”. Click Next.

Next, you will arrive at the Define Portal Content section of the wizard. Here you will see a document editor similar to Word where you can enter verbiage that meets your need. For this blog, I will not be using any custom verbiage in my example here. You will also see across the top of that editor 5 pre-populated options you can place into your Communication:

Display Name – This is the name of the user receiving the email notification.
Acknowledgement link – This is the URL where the custodian can acknowledge that they have been properly notified of the investigation.
Portal Link – Here the custodian sees which acknowledgements they have marked.
Issuing Officer Email – This will be the name of the individual in the individual case sending the communication/notification, or it could be from a list of users created in the next section, Issuing Officer.
Issuing Date – Since you might have this sent once or multiple times, this will always be the date the notification was sent.

When you are satisfied with your message to your custodians, the third step of the wizard is Set Notifications-Required. Here you have 3 notifications that are required: Issuance, Reissuance, and Release. Here is an example of what you could put into any of these notifications. After you’ve saved your notifications, click Next.

Fourth, you will arrive at the Set Notifications-Optional step of the wizard. Here you can add Reminder and Escalation notifications if you like.
We’ll click Next.

Last, review your settings. Click Submit and then click Done.

Issuing Officer

Issuing officers will normally be part of your HR or Legal group. These would be the individuals who send out email communications/notifications to custodians referenced in the Communications Library above.

Click Add. A popup will appear on your right with users in Azure AD. Select the user or users you want to make an issuing officer and then click Add.

You will now see these users added to this section of the Settings (example below) and you will be able to select these users in the Communications tab, which is part of each case and which is referenced later in this blog.

Historical Versions

As of the publication of this blog, this feature is in Public Preview.

The Historical versions setting is related to versions of documents located in SharePoint. As this is in Public Preview, we will not be addressing this functionality at this time, but take a moment to read the following from the settings tab.

“SharePoint versioning allows for tracking the activity of an item, which can help in providing an audit trail. The historical versions feature allows organizations to quickly search not only the current version of documents in SharePoint, but across all the previous versions of those documents stored in that SharePoint site. This additional visibility can help in finding previous versions that may be relevant to an investigation or case. This feature is currently available in public preview. During the public preview period, each organization is limited to 100 SharePoint site activations.
When this feature becomes generally available, organizations that used the public preview will need to obtain a new license.”

Appendix and Links

- https://edrm.net/resources/frameworks-and-standards/edrm-model/
- Overview of the Advanced eDiscovery solution in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
- Work with custodians in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
- Search the audit log in the Security & Compliance Center - Microsoft 365 Compliance | Microsoft Docs
- Work with processing errors in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
- Export case data in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
- Manage jobs in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
- Set up attorney-client privilege detection in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn
- Overview of the eDiscovery (Premium) solution in Microsoft Purview - Microsoft Purview (compliance) | Microsoft Learn
- Microsoft Purview eDiscovery solutions - Microsoft Purview (compliance) | Microsoft Learn
- Assign eDiscovery permissions in the Microsoft Purview compliance portal - Microsoft Purview (compliance) | Microsoft Learn

Microsoft Purview - Paint By Numbers Series (Part 5d) - Premium eDiscovery - Communications
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps and in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience

The Advanced eDiscovery (AeD) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Advanced eDiscovery. It is presumed that you already have data to search inside your tenant. We will only step through a basic eDiscovery case (see the Use Case section).
Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Compliance, including:

- Data Classification
- Information Protection
- Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
- Data Lifecycle Management (retention and disposal)
- Records Management (retention and disposal)
- Premium eDiscovery
  - Overview and Settings
  - Case Creation and Case Settings
  - Data Sources and Collections
  - Review Sets
  - Holds
  - Exports
  - Processing
  - Jobs
- Insider Risk Management (IRM)
- Priva
- Advanced Audit
- Microsoft Cloud App Security (MCAS)
- Information Barriers
- Communications Compliance
- Licensing

It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing.

If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.

Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community

Use Case

There are many use cases for Advanced eDiscovery. For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.

Overview of Document

You will understand what a Microsoft Purview Premium eDiscovery Communication is, how to create a communication, and what the end user experience is.

Definitions

Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed. These are all the custodians (users) being investigated. These are not the users performing the investigation.
Collections – This is the actual search being performed. Collections include user, keyword, data, etc.
Review Sets – Once a collection/search has been performed, the data must be reviewed. This tab is where secondary searches can be done and the data can be reviewed.
Communications – If the HR or legal team wishes, they can notify the user that they are under investigation. You can also set up reminder notifications in this section of the UI. Note - This task is optional.
Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold. This means that the data cannot be deleted by the end user; if they delete it, only their reference to the data is deleted. If the user deletes their reference, then the data is placed into a hidden hold directory.
Processing – This tab is related to the indexing of data in your production environment. You would use this if you are not finding data that you expect and you need to re-run indexing activities. Note - This task is optional.
Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.
Export #2 – This is also the term used to export a .CSV report.
Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc). This is useful if you launch an activity and want to monitor its status in real time.
Settings – High-level analytics, settings, reports, etc.
Custodian – This is the individual being investigated.

Notes

Core vs Advanced eDiscovery (high-level overview)

Core eDiscovery – This allows for searching and export of data only. It is perfect for basic “search and export” needs of data. It is not the best tool for data migration or HR and/or Legal case management and workflows.
Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside counsel or a legal entity.
This tool provides a truer workflow for discovery, review, and export of data along with reporting and redacting of data.

If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States. The link is in the appendix.

For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing.

We will not be using all of the tabs available in an AeD case.

How do user deletes of data work with AeD?

If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications.
If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications. However, the user reference to the data will be deleted so they will believe that the data is deleted.

Pre-requisites

You should review the previous parts of this eDiscovery blog series and be sure you have done them.

What is Communications in Premium eDiscovery?

Before we dig into this tab, let us answer this question – What is Communication in Microsoft Purview Premium eDiscovery? I explain it like this:

First, it is the process of informing a custodian that they are under investigation, either once or multiple times.
Second, if you want the custodian to acknowledge to the organization that they are under investigation, they can do that.
Third, you can inform the custodian that they are no longer under investigation and their data has been released from a legal hold.
The official explanation is here:

“A legal hold (also known as a litigation hold) notice is a notification sent from an organization’s legal department to employees, contingent staff, or custodians of data that may be relevant to a legal investigation. These notifications instruct custodians to preserve electronically stored information and any content that may be relevant to an active or impending legal matter. Legal teams must know that each custodian has received, read, understood, and has agreed to comply with the given instructions.”

Work with communications in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn

Communications templates are found in the Premium eDiscovery Settings tab

We covered this in Part 5 – Premium eDiscovery – Overview and Settings. Please refer to that blog entry for information on this.

Communications tab

Let us click on the Communications tab. It is in the middle of the “case” pane.

Here you can see all of the communications/notifications that have been sent out for this case or create a new communication. This will let you see 1) the status, 2) when it was modified, 3) the number of custodians associated with the communication, and 4) the number of custodian Hold acknowledgements.

Create a New Communication

Here you can create, edit, and delete custodian communications/notifications to be used in this specific Premium eDiscovery Case. We will walk through creating a notification below.

On the right side, select New Communication. You will be taken through a 6-step wizard.

First, give the template a name and select an issuing officer; you also have the option to select one of the templates referenced above. For my example, I will name my template “Case Notification 1”, choose my admin account, and not select a template. Click Next.

Next, you will arrive at the Define Portal Content section of the wizard. Here you will see a document editor similar to Word where you can enter verbiage that meets your need.
For this blog, I will not be using any custom verbiage in my example here. You will also see across the top of that editor 5 pre-populated options you can place into your Communication:

Display Name – This is the name of the user receiving the email notification.
Acknowledgement link – This is the URL where the custodian can acknowledge that they have been properly notified of the investigation.
Portal Link – Here the custodian sees who has acknowledged that they have been placed on hold.
Issuing Officer Email – This will be the name of the individual in the individual case sending the communication/notification, or it could be from a list of users created in the next section, Issuing Officer.
Issuing Date – Since you might have this sent once or multiple times, this will always be the date the notification was sent.

When you are satisfied with your message to your custodians, the third step of the wizard is Set Notifications-Required. Here you have 3 notifications that are required: Issuance, Reissuance, and Release. Here is an example of what you could put into any of these notifications. After you’ve saved your notifications, click Next.

Fourth, you will arrive at the Set Notifications-Optional step of the wizard. Here you can add Reminder and Escalation notifications if you like. We’ll click Next.

Fifth, add the custodians to be notified, then click Next.

Last, review your settings. Click Submit and then click Done.

End User experience with a Case Communication

When the end user receives a communication/notification, what does that experience look like? They will see something similar to the below in their email. Notice that everything is pre-populated from the steps above. Again, please note my email notification is very generic.

When the custodian clicks on the link “Click here to acknowledge this notice”, they will be taken to your company’s Microsoft Purview acknowledgement website. Here is an example of what they will see.
When the custodian clicks on the link “Go to custodian portal”, they will be taken to the Custodian Portal and be able to see all the Premium eDiscovery Notifications that they have been sent, when they were sent, when they were due, etc. Here is an example.

We are now done with the Communications tab.

Appendix and Links

- Work with communications in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn

Microsoft Purview - Paint By Numbers Series (Part 5g) - Premium eDiscovery - Processing
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps and in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience

The Advanced eDiscovery (AeD) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Advanced eDiscovery. It is presumed that you already have data to search inside your tenant. We will only step through a basic eDiscovery case (see the Use Case section).
Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Compliance, including:

- Data Classification
- Information Protection
- Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
- Data Lifecycle Management (retention and disposal)
- Records Management (retention and disposal)
- Premium eDiscovery
  - Overview and Settings
  - Case Creation and Case Settings
  - Data Sources and Collections
  - Review Sets
  - Communications
  - Holds
  - Exports
  - Jobs
- Insider Risk Management (IRM)
- Priva
- Advanced Audit
- Microsoft Cloud App Security (MCAS)
- Information Barriers
- Communications Compliance
- Licensing

It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing.

If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.

Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community

Use Case

There are many use cases for Advanced eDiscovery. For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.

Overview of Document

This part of the blog is looking at the Exports tab, and how it should be used in an eDiscovery case.

Definitions

Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed. These are all the custodians (users) being investigated. These are not the users performing the investigation.
Collections – This is the actual search being performed. Collections include user, keyword, data, etc.
Review Sets – Once a collection/search has been performed, the data must be reviewed.
This tab is where secondary searches can be done and the data can be reviewed.
Communications – If the HR or legal team wishes, they can notify the user that they are under investigation. You can also set up reminder notifications in this section of the UI. Note - This task is optional.
Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold. This means that the data cannot be deleted by the end user; if they delete it, only their reference to the data is deleted. If the user deletes their reference, then the data is placed into a hidden hold directory.
Processing – This tab is related to the indexing of data in your production environment. You would use this if you are not finding data that you expect and you need to re-run indexing activities. Note - This task is optional.
Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.
Export #2 – This is also the term used to export a .CSV report.
Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc). This is useful if you launch an activity and want to monitor its status in real time.
Settings – High-level analytics, settings, reports, etc.
Custodian – This is the individual being investigated.

Notes

Core vs Advanced eDiscovery (high-level overview)

Core eDiscovery – This allows for searching and export of data only. It is perfect for basic “search and export” needs of data. It is not the best tool for data migration or HR and/or Legal case management and workflows.
Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside counsel or a legal entity. This tool provides a truer workflow for discovery, review, and export of data along with reporting and redacting of data.
If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States. The link is in the appendix.
For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing.
We will not be using all of the tabs available in an AeD case.
How do user deletes of data work with AeD? If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications. If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications. However, the user reference to the data will be deleted so they will believe that the data is deleted.
Pre-requisites
You should review the previous parts of this eDiscovery blog series and be sure you have done them.
What is Processing in Premium eDiscovery?
Let us start with what Processing is when it comes to Premium eDiscovery. It is the process of indexing data that either has NOT been indexed OR had an error when being indexed previously. Here is the official explanation from docs.microsoft.com:
“Processing is the process of file identification, expansion of embedded documents and attachments, text extraction, and Optical Character Recognition (OCR) of image files and the subsequent indexing of that content. When you add custodians and non-custodian data sources to a case on the Sources tab, all partially indexed items from Microsoft 365 are processed to make them fully searchable. Likewise, when content is added to a review set from both Microsoft 365 and non-Microsoft 365 data sources, this content is also processed.
The Processing tab in eDiscovery (Premium) provides insight into the status of advanced indexing for different processing scenarios.”
Here is the official link (it is also in the Appendix and Links section below): Work with processing errors in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn
Note – I would not expect you to spend much, if any, of your time in this part of your Case unless you are troubleshooting indexing issues with tech support or are trying to index newly imported data (ex. PST files).
Processing tab
If you wish to look at the Processing tab, you can find the tab on the right-hand panel of your eDiscovery case tab. At the bottom of the pane, under the Views drop-down, you can look at your Index Status, Errors, and Remediations. For definitions of these, please see the links in the Appendix and Links section below.
Here is an example view from the Index Status view.
Since we are not troubleshooting indexing issues in the blog OR re-running indexing for things such as OCR, we are now done with this part of the blog series and you can move to Part H.
Appendix and Links
Work with processing errors in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Work with processing errors in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn
Advanced indexing of custodian data - Microsoft Purview (compliance) | Microsoft Learn
Supported file types in eDiscovery (Premium) - Microsoft Purview (compliance) | Microsoft Learn
Partially indexed items in Content Search - Microsoft Purview (compliance) | Microsoft Learn
File formats indexed by Exchange Search: Exchange 2013 Help | Microsoft Learn
Default crawled file name extensions and parsed file types in SharePoint Server - SharePoint Server | Microsoft Learn
Error remediation when processing data - Microsoft Purview (compliance) | Microsoft Learn
Single item error remediation - Microsoft Purview (compliance) | Microsoft Learn

Microsoft Purview - Paint By Number (Part 5e) – Premium eDiscovery - Holds
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix. All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
Target Audience
The Advanced eDiscovery (AeD) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.
Document Scope
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Advanced eDiscovery. It is presumed that you already have data to search inside your tenant. We will only step through a basic eDiscovery case (see the Use Case section).
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Compliance, including: Data Classification; Information Protection; Data Protection Loss (DLP) for Exchange, OneDrive, Devices; Data Lifecycle Management (retention and disposal); Records Management (retention and disposal); Premium eDiscovery (Overview and Settings; Case Creation and Case Settings; Data Sources and Collections; Communications; Holds; Processing; Exports; Jobs); Insider Risk Management (IRM); Priva; Advanced Audit; Microsoft Cloud App Security (MCAS); Information Barriers; Communications Compliance; Licensing.
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing. If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance relevant information, as time allows.
Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community
Use Case
There are many use cases for Advanced eDiscovery. For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.
Overview of Document
This part of the blog is looking at the Holds Sets tab, and how it should be used in an eDiscovery case.
Definitions
Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed. These are all the custodians (users) being investigated. These are not the users performing the investigation.
Collections – This is the actual search being performed. Collections include user, keyword, data, etc.
Review Sets – Once a collection/search has been performed, the data must be reviewed.
This tab is where secondary searches and a review of the data can be done.
Communications – If the HR or legal team wishes, they can notify the user that they are under investigation. You can also set up reminder notifications in this section of the UI. Note - This task is optional.
Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold. This means that the data cannot be deleted by the end user and if they do, then only their reference to the data is deleted. If the user deletes their reference, then the data is placed into a hidden hold directory.
Processing – This tab is related to the indexing of data in your production environment. You would use this if you are not finding data that you expect and you need to re-run indexing activities. Note - This task is optional.
Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.
Export #2 – This is also the term used to export a .CSV report.
Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc). This is useful if you launch an activity and want to monitor its status in real-time.
Setting – High level analytics and settings and reports, etc.
Custodian – This is the individual being investigated.
Notes
Core vs Advanced eDiscovery (high level overview)
Core eDiscovery – This allows for searching and export of data only. It is perfect for basic “search and export” needs of data. It is not the best tool for data migration or HR and/or Legal case management and workflows.
Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside counsel or a legal entity. This tool provides a truer workflow for discovery, review, and export of data along with reporting and redacting of data.
If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States. The link is in the appendix.
For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing.
We will not be using all of the tabs available in an AeD case.
How do user deletes of data work with AeD? If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications. If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications. However, the user reference to the data will be deleted so they will believe that the data is deleted.
Pre-requisites
You should review the previous parts of this eDiscovery blog series and be sure you have done them.
Hold tab
Click on the Hold tab. Here is one of the two places you can place data on hold for an eDiscovery case. The other was covered in Part 5b – Data Sources and Collections. This Hold tab will 1) show your existing holds, 2) allow you to edit those holds or 3) allow you to create new Holds. We will walk through the steps to create a new Hold (which are the same steps to edit an existing Hold) for an eDiscovery case:
Placing data on Hold
We will first add a new hold to data for this specific eDiscovery case.
1. Click the Create button in the top left corner.
2. Name and describe your hold data in the Name your hold step. Then click Next.
3. In step 2 of the wizard (Choose locations), choose the tenant locations you want to place on hold. You can Include or Exclude data locations on the right side. Note – This type of hold is a hold in place.
4. On step 3 (Query), insert the query that will be used to place data on hold.
By default, you will be asked to use a keyword or the KQL editor. However, if you look below, you will see Add Conditions as an option. This means that you can use any combination of conditions to place data on hold.
5. Date range and Sender/Author are two standard conditions to place data on hold. For my example, I will use these.
6. For the final Review your settings step, review your data and click Submit when you are satisfied.
7. On the following screen you should be told that you “succeeded”. Then click Done.
Editing Holds
Return to your Holds tab. We will now look at how to edit an existing Hold. Select the Hold you want to edit. I will use my eDiscovery Case created above. When you click on it, the Hold will appear on the right and you can Edit or Delete it. If you click the Edit button, you will be taken through the 4 steps described above. Feel free to modify this Hold. Otherwise, we are done with this section of the blog.
Appendix and Links
https://edrm.net/resources/frameworks-and-standards/edrm-model/
Overview of the Advanced eDiscovery solution in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
Work with custodians in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Search the audit log in the Security & Compliance Center - Microsoft 365 Compliance | Microsoft Docs
Work with processing errors in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Export case data in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Manage jobs in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs

Microsoft Purview - Paint By Number (Part 5c) – Premium eDiscovery - Review Sets
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix. All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
Target Audience
The Advanced eDiscovery (AeD) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.
Document Scope
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Advanced eDiscovery. It is presumed that you already have data to search inside your tenant. We will only step through a basic eDiscovery case (see the Use Case section).
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Compliance, including: Data Classification; Information Protection; Data Protection Loss (DLP) for Exchange, OneDrive, Devices; Data Lifecycle Management (retention and disposal); Records Management (retention and disposal); Premium eDiscovery (Overview and Settings; Case Creation and Case Settings; Data Sources and Collections; Communications; Holds; Processing; Exports; Jobs); Insider Risk Management (IRM); Priva; Advanced Audit; Microsoft Cloud App Security (MCAS); Information Barriers; Communications Compliance; Licensing.
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing. If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance relevant information, as time allows.
Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community
Use Case
There are many use cases for Advanced eDiscovery. For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.
Overview of Document
This part of the blog is looking at the Review Sets tab, and how it should be used in an eDiscovery case.
Definitions
Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed. These are all the custodians (users) being investigated. These are not the users performing the investigation.
Collections – This is the actual search being performed. Collections include user, keyword, data, etc.
Review Sets – Once a collection/search has been performed, the data must be reviewed.
This tab is where secondary searches and a review of the data can be done.
Communications – If the HR or legal team wishes, they can notify the user that they are under investigation. You can also set up reminder notifications in this section of the UI. Note - This task is optional.
Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold. This means that the data cannot be deleted by the end user and if they do, then only their reference to the data is deleted. If the user deletes their reference, then the data is placed into a hidden hold directory.
Processing – This tab is related to the indexing of data in your production environment. You would use this if you are not finding data that you expect and you need to re-run indexing activities. Note - This task is optional.
Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.
Export #2 – This is also the term used to export a .CSV report.
Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc). This is useful if you launch an activity and want to monitor its status in real-time.
Setting – High level analytics and settings and reports, etc.
Custodian – This is the individual being investigated.
Notes
Core vs Advanced eDiscovery (high level overview)
Core eDiscovery – This allows for searching and export of data only. It is perfect for basic “search and export” needs of data. It is not the best tool for data migration or HR and/or Legal case management and workflows.
Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside counsel or a legal entity. This tool provides a truer workflow for discovery, review, and export of data along with reporting and redacting of data.
If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States. The link is in the appendix.
For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing.
We will not be using all of the tabs available in an AeD case.
How do user deletes of data work with AeD? If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications. If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications. However, the user reference to the data will be deleted so they will believe that the data is deleted.
Pre-requisites
You should review the previous parts of this eDiscovery blog series and be sure you have done them.
Working with data in a Review Set
1. Go to the Review Sets tab. Select the review set you just created and click Open Review Set. Note – You can also click Add Review Set to create a new review set. The reason to do this is so that you can better organize your future collections.
2. Let us take a tour of this interface.
a. The first ribbon across the top will show several options to narrow your results by Keyword, Date, Sender/Author, Subject/Title, and/or Tags.
b. The second ribbon allows for actions against the data in the Review Set: Overview (Summary), Analytics, Actions (download, report, redaction, etc), Tags (legal), and Manage (the collected data).
If you select a file or email, a preview panel will appear on the right. I will select a file.
Atop the preview pane you can find options to view the Source file, look at the file in plain text, Annotate the file for redaction, or look at the metadata. I will not be making any annotations to this file at this time.
I will now export data for review by an external legal team. I am going to highlight some files, and then go to the top toolbar and select Actions->Export. I will give the export a name and fill in the other details as needed.
Give the export a name and a description and leave the rest of the settings at their defaults. Then click Export.
A job will be created. Click OK.
This set of exported data will appear in the Exports tab.
Appendix and Links
https://edrm.net/resources/frameworks-and-standards/edrm-model/
Overview of the Advanced eDiscovery solution in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
Work with custodians in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Search the audit log in the Security & Compliance Center - Microsoft 365 Compliance | Microsoft Docs
Work with processing errors in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Export case data in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Manage jobs in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes.
This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

Microsoft Purview - Paint By Numbers Series (Part 5g) - Premium eDiscovery - Exports
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix. All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
Target Audience
The Advanced eDiscovery (AeD) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.
Document Scope
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Advanced eDiscovery. It is presumed that you already have data to search inside your tenant. We will only step through a basic eDiscovery case (see the Use Case section).
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Compliance, including: Data Classification; Information Protection; Data Protection Loss (DLP) for Exchange, OneDrive, Devices; Data Lifecycle Management (retention and disposal); Records Management (retention and disposal); Premium eDiscovery (Overview and Settings; Case Creation and Case Settings; Data Sources and Collections; Review Sets; Communications; Holds; Processing; Jobs); Insider Risk Management (IRM); Priva; Advanced Audit; Microsoft Cloud App Security (MCAS); Information Barriers; Communications Compliance; Licensing.
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing. If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance relevant information, as time allows.
Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community
Use Case
There are many use cases for Advanced eDiscovery. For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.
Overview of Document
This part of the blog is looking at the Exports tab, and how it should be used in an eDiscovery case.
Definitions
Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed. These are all the custodians (users) being investigated. These are not the users performing the investigation.
Collections – This is the actual search being performed. Collections include user, keyword, data, etc.
Review Sets – Once a collection/search has been performed, the data must be reviewed.
This tab is where secondary searches and a review of the data can be done.
Communications – If the HR or legal team wishes, they can notify the user that they are under investigation. You can also set up reminder notifications in this section of the UI. Note - This task is optional.
Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold. This means that the data cannot be deleted by the end user and if they do, then only their reference to the data is deleted. If the user deletes their reference, then the data is placed into a hidden hold directory.
Processing – This tab is related to the indexing of data in your production environment. You would use this if you are not finding data that you expect and you need to re-run indexing activities. Note - This task is optional.
Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.
Export #2 – This is also the term used to export a .CSV report.
Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc). This is useful if you launch an activity and want to monitor its status in real-time.
Setting – High level analytics and settings and reports, etc.
Custodian – This is the individual being investigated.
Notes
Core vs Advanced eDiscovery (high level overview)
Core eDiscovery – This allows for searching and export of data only. It is perfect for basic “search and export” needs of data. It is not the best tool for data migration or HR and/or Legal case management and workflows.
Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside counsel or a legal entity. This tool provides a truer workflow for discovery, review, and export of data along with reporting and redacting of data.
If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States. The link is in the appendix.
For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing.
We will not be using all of the tabs available in an AeD case.
How do user deletes of data work with AeD? If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications. If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications. However, the user reference to the data will be deleted so they will believe that the data is deleted.
Pre-requisites
You should review the previous parts of this eDiscovery blog series and be sure you have done them.
Export a subset of data
On the Exports tab, click on your export. A window will appear on the right which will tell you if your export was successful. If so, you can now download it along with a summary report to your local machine and then hand it over to outside counsel as needed.
Congratulations! You have now completed a basic Advanced eDiscovery case and have finished this blog series.
Appendix and Links
https://edrm.net/resources/frameworks-and-standards/edrm-model/
Overview of the Advanced eDiscovery solution in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
Work with custodians in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Search the audit log in the Security & Compliance Center - Microsoft 365 Compliance | Microsoft Docs
Work with processing errors in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Export case data in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Manage jobs in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs
Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.