Improving eDiscovery workflows and enhancing your forensic investigations
Published Sep 22 2020 08:00 AM

The recent shift towards remote work has accelerated digital transformation. End users increasingly collaborate in chat-based workspaces like Microsoft Teams and Yammer, producing new types of data that are more dynamic than email and more complex to discover.


On top of this, legal and compliance leaders are struggling to manage their current workload, as legal department plans have been significantly disrupted by the coronavirus pandemic and economic upheaval, according to a survey by Gartner, Inc.1 This adds to the growing pressure organizations face to respond efficiently to their legal, regulatory and internal obligations.


To help with these challenges, we are excited to share several new capabilities that make eDiscovery workflows more efficient with Advanced eDiscovery and enhance forensic investigations with Advanced Audit.


Here is what we are announcing today:

  • Support for collecting, reviewing and exporting linked content from OneDrive and SharePoint Online in Advanced eDiscovery (GA)
  • First set of Graph APIs for Advanced eDiscovery (Public Preview)
  • New audit events in Advanced Audit (GA)
  • 10-year retention add-on in Advanced Audit (GA)

Collect, review and export OneDrive and SharePoint Online files shared within Teams, Yammer, and Outlook seamlessly

As organizations empower users to collaborate and share files from anywhere, we often hear from IT, legal, and eDiscovery teams, who have asked us to help streamline the process of discovering and producing data that includes linked content from OneDrive and SharePoint Online. These links are often shared in Teams and Yammer chat messages or Outlook email messages.


There are significant benefits to collaborating on linked content stored in OneDrive and SharePoint Online. For example, it enhances user productivity through real-time collaboration, helps control file versions, and enables shareable content across Outlook, Teams and Yammer.


Unfortunately, when it comes to discovering linked content, organizations have a disjointed experience, since the linked content is stored separately from the original email or chat message. This often leads to custom configurations to associate the linked content with the message, since manually doing so doesn’t scale if you have thousands of emails or chat messages to search and produce.


To streamline discovery of linked content, Advanced eDiscovery collects linked content from OneDrive and SharePoint Online and natively groups it in the same family as the original Outlook email or Teams and Yammer chat message during review, and it preserves those groups during export, streamlining the eDiscovery process without additional configuration. This is rolling out in Advanced eDiscovery today; learn more about this capability here.



Advanced eDiscovery groups modern attachments as family during search, review, and export.


Automate and extend workflows with Graph APIs for Advanced eDiscovery

Another area where our customers often need help is automation. Many large and highly regulated organizations look to automation to reduce the cost and turnaround time of responding to legal, regulatory, and internal requests, which often carry strict deadlines.


To help organizations scale and produce relevant data quickly and predictably, the first set of Graph APIs for Advanced eDiscovery is now available in public preview. These APIs let you automate common workflows and standardize highly repetitive, manual steps. For example, a developer can write a custom flow that calls the Graph API so that when the matter management system identifies a new case, it kicks off an automated workflow that creates a corresponding Advanced eDiscovery case and applies holds to sources, ensuring content is not lost during the intake process. The workflow can go further: notify reviewers when a review set is ready and, after review, start an export of the relevant data with predefined settings.



Graph APIs for Advanced eDiscovery help automate and standardize repeatable tasks to save time.


Partners can also extend Advanced eDiscovery workflows to support additional custom requirements with integrations to other solutions.


The first set of Graph APIs available in public preview lets you list cases, read a case's properties, and create, update and delete cases. The same operations are available for review sets and review set queries. For example, you can automatically apply the auto-generated query that filters out duplicate items, or apply your own custom query to a review set. Familiarize yourself with the Microsoft Graph and get started by reviewing the documentation here.
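The intake flow described above, as an added example (not code from this post or from Microsoft): a matter-management event creates an Advanced eDiscovery case, adds a review set and a first query, and first looks for an existing case with the same externalId so that a retried event does not open a duplicate. The resource paths are those of the beta eDiscovery API (/compliance/ediscovery/cases with its reviewSets and queries); the eDiscovery.ReadWrite.All permission, the matter record, the query text and the in-memory FakeGraph that lets the script run without a tenant are assumptions. Holds and export are not part of this first preview set, so they are left out.

```python
"""Automating Advanced eDiscovery intake through the Microsoft Graph eDiscovery API (beta).

Added example; this is not code from the Microsoft post. Resource paths follow the
beta API the post refers to (/compliance/ediscovery/cases, .../reviewSets,
.../queries). The permission name, the matter payload, the query text and the
in-memory FakeGraph that lets this run without a tenant are assumptions.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta/compliance/ediscovery"


def graph_transport(token):
    """Real transport: `token` is an access token for an app granted
    eDiscovery.ReadWrite.All (assumed scope; token acquisition is not shown)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return send


class FakeGraph:
    """Constructed offline stand-in for the three resources the workflow touches.
    It records every call so the request sequence can be inspected."""

    def __init__(self):
        self.cases = {}   # case id -> case object (review sets nested for convenience)
        self.calls = []   # (method, path) in the order they were made

    def __call__(self, method, url, body=None):
        path = url[len(GRAPH):]
        self.calls.append((method, path))
        parts = path.strip("/").split("/")
        if parts == ["cases"] and method == "GET":
            return {"value": list(self.cases.values())}
        if parts == ["cases"] and method == "POST":
            case = {"id": f"case-{len(self.cases) + 1}", "reviewSets": [], **body}
            self.cases[case["id"]] = case
            return case
        if len(parts) == 3 and parts[2] == "reviewSets" and method == "POST":
            sets = self.cases[parts[1]]["reviewSets"]
            sets.append({"id": f"rs-{len(sets) + 1}", "queries": [], **body})
            return sets[-1]
        if len(parts) == 5 and parts[4] == "queries" and method == "POST":
            rs = next(r for r in self.cases[parts[1]]["reviewSets"] if r["id"] == parts[3])
            rs["queries"].append({"id": f"q-{len(rs['queries']) + 1}", **body})
            return rs["queries"][-1]
        raise ValueError(f"unhandled {method} {path}")


def find_case(send, external_id):
    """Matter systems retry and re-emit events, so look for an existing case with
    this externalId before creating one. The match is done client-side."""
    for case in send("GET", f"{GRAPH}/cases")["value"]:
        if case.get("externalId") == external_id:
            return case
    return None


def intake_matter(send, matter):
    """Create the case, an intake review set and a starting query for a new matter.
    `matter` is the (constructed) record a matter-management system would emit."""
    existing = find_case(send, matter["id"])
    if existing:
        return {"case_id": existing["id"], "created": False}
    case = send("POST", f"{GRAPH}/cases", {
        "displayName": matter["name"],
        "description": matter["description"],
        "externalId": matter["id"],
    })
    rs = send("POST", f"{GRAPH}/cases/{case['id']}/reviewSets",
              {"displayName": "Intake review set"})
    # KQL-style review set query; the criterion is illustrative only.
    query = send("POST", f"{GRAPH}/cases/{case['id']}/reviewSets/{rs['id']}/queries", {
        "displayName": "Mail mentioning the contract",
        "query": 'Subject:"contract"',
    })
    return {"case_id": case["id"], "review_set_id": rs["id"],
            "query_id": query["id"], "created": True}


if __name__ == "__main__":
    fake = FakeGraph()   # swap for graph_transport(token) against a real tenant
    matter = {"id": "MM-1042", "name": "Contoso v. Fabrikam",
              "description": "Breach of contract, opened 2020-09-22"}
    print(intake_matter(fake, matter))   # created: True
    print(intake_matter(fake, matter))   # created: False, same case_id
    print(fake.calls)
```

The second call returns the existing case instead of creating another, which is the property you want when the upstream system replays its event queue; against a real tenant, replace FakeGraph() with graph_transport(token) and add paging on the GET if the tenant has more cases than one page returns.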


Meet regulatory obligations and conduct forensic investigations with Advanced Audit

Increasingly, data privacy regulations require organizations to act swiftly after a data breach, and organizations may face regulatory fines if they cannot efficiently determine what data was compromised.


We are rolling out two new audit events to help with forensic investigations. The first is the mail send event, generated when a user sends, replies to, or forwards an email. Whether the action was malicious or unintentional, this event gives investigators the metadata of every email sent from a compromised account.


The second is the user search event, generated when a user runs a search in Exchange Online or SharePoint Online. This is especially valuable when a malicious actor has taken over an account and searched it for sensitive material: knowing what was searched for, and when, lets an investigator scope the content that may have been compromised. Learn more about these new events here.



New user search event provides the ability to see the date of activity, the user and the search text
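A triage script for the two new events, added here as an example rather than taken from the post: it filters a compromised user's records down to the Send and SearchQueryInitiated operations, lists what was searched and what was sent, and flags a Send that follows a search from the same client IP within a short window, the pattern an investigator scoping exfiltration looks for first. The records are constructed; the field names follow the Office 365 Management Activity API common schema (CreationTime, UserId, Operation, Workload, ClientIP) and the per-event fields (QueryText, Item.Subject, Item.InternetMessageId) as I understand them, and should be checked against your own export.

```python
"""Triage of Advanced Audit 'Send' and 'SearchQueryInitiated*' records for one account.

Added example, not code from the Microsoft post. The records in SAMPLE_AUDITDATA
are constructed; field names follow the Office 365 Management Activity API common
schema plus the per-event fields (QueryText, Item.Subject, Item.InternetMessageId)
as documented, and the Operation names are the ones Advanced Audit emits.
"""
import json
from datetime import datetime, timezone

OPERATIONS = {"Send", "SearchQueryInitiatedExchange", "SearchQueryInitiatedSharePoint"}

# Constructed sample: one AuditData JSON object per line, as Search-UnifiedAuditLog
# or the Management Activity API would hand them to you. 203.0.113.45 is the
# attacker's address in this scenario; 198.51.100.x is the user's usual network.
SAMPLE_AUDITDATA = """
{"CreationTime":"2020-09-22T09:12:40","UserId":"alice@contoso.com","Operation":"Send","Workload":"Exchange","ClientIP":"198.51.100.7","Item":{"Subject":"Re: lunch on Thursday","InternetMessageId":"<a1@contoso.com>"}}
{"CreationTime":"2020-09-22T13:58:02","UserId":"alice@contoso.com","Operation":"SearchQueryInitiatedExchange","Workload":"Exchange","ClientIP":"203.0.113.45","QueryText":"payroll"}
{"CreationTime":"2020-09-22T14:03:11","UserId":"alice@contoso.com","Operation":"Send","Workload":"Exchange","ClientIP":"203.0.113.45","Item":{"Subject":"FW: Q3 payroll export","InternetMessageId":"<b2@contoso.com>"}}
{"CreationTime":"2020-09-22T14:20:00","UserId":"alice@contoso.com","Operation":"SearchQueryInitiatedSharePoint","Workload":"SharePoint","ClientIP":"203.0.113.45","QueryText":"merger term sheet"}
{"CreationTime":"2020-09-22T14:21:30","UserId":"alice@contoso.com","Operation":"MailItemsAccessed","Workload":"Exchange","ClientIP":"203.0.113.45"}
{"CreationTime":"2020-09-22T14:25:00","UserId":"bob@contoso.com","Operation":"Send","Workload":"Exchange","ClientIP":"198.51.100.9","Item":{"Subject":"Status","InternetMessageId":"<c3@contoso.com>"}}
"""


def load_audit_data(lines):
    """Parse one JSON AuditData object per non-empty line."""
    return [json.loads(line) for line in lines if line.strip()]


def parse_time(value):
    """CreationTime is ISO-8601 in UTC without an offset suffix."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def triage(records, user, window_minutes=30):
    """Return the user's searches, sent mail, client IPs, and every Send that
    followed a search from the same IP within `window_minutes`."""
    user = user.lower()
    searches, sent = [], []
    for rec in records:
        if rec.get("UserId", "").lower() != user or rec.get("Operation") not in OPERATIONS:
            continue  # other users and other operations (e.g. MailItemsAccessed) are out of scope here
        entry = {"time": parse_time(rec["CreationTime"]), "ip": rec.get("ClientIP")}
        if rec["Operation"] == "Send":
            item = rec.get("Item", {})
            entry.update(subject=item.get("Subject"), message_id=item.get("InternetMessageId"))
            sent.append(entry)
        else:
            entry.update(workload=rec.get("Workload"), query=rec.get("QueryText"))
            searches.append(entry)
    searches.sort(key=lambda e: e["time"])
    sent.sort(key=lambda e: e["time"])

    # Heuristic correlation: a search, then a Send from the same IP shortly after.
    search_then_send = []
    for s in searches:
        for m in sent:
            delta = (m["time"] - s["time"]).total_seconds()
            if m["ip"] == s["ip"] and 0 <= delta <= window_minutes * 60:
                search_then_send.append({"query": s["query"], "subject": m["subject"],
                                         "message_id": m["message_id"], "ip": m["ip"],
                                         "seconds_later": int(delta)})
    client_ips = sorted({e["ip"] for e in searches + sent if e["ip"]})
    return {"searches": searches, "sent": sent, "client_ips": client_ips,
            "search_then_send": search_then_send}


if __name__ == "__main__":
    result = triage(load_audit_data(SAMPLE_AUDITDATA.splitlines()), "alice@contoso.com")
    for s in result["searches"]:
        print(f"{s['time']:%Y-%m-%d %H:%M:%S} {s['ip']:<14} searched {s['workload']}: {s['query']!r}")
    for m in result["sent"]:
        print(f"{m['time']:%Y-%m-%d %H:%M:%S} {m['ip']:<14} sent {m['subject']!r} {m['message_id']}")
    print("client IPs seen:", result["client_ips"])
    print("search followed by send:", result["search_then_send"])
```

To run this on real data, pull the records with Search-UnifiedAuditLog -UserIds <user> -StartDate ... -EndDate ... -Operations Send,SearchQueryInitiatedExchange,SearchQueryInitiatedSharePoint and feed the AuditData strings to load_audit_data. The correlation is a lead, not proof: a search event tells you the query text, not which results were opened or whether anything was attached to the later message, so confirm each match against the message identified by InternetMessageId.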


In addition to scoping what was compromised, highly regulated organizations are often required to retain audit logs for more than a year. To meet more rigorous regulatory and internal compliance obligations, or to support longer-running investigations, organizations can now add 10-year audit log retention to Advanced Audit. Once enabled, the logs are accessible in the Microsoft 365 compliance center or through the Office 365 Management Activity API, and they will soon be accessible across Microsoft Compliance solutions. 10-year audit log retention will start rolling out at the end of this month. Learn more about 10-year audit log retention here.



Apply audit log retention policy – eligible customers can choose to apply retention for up to 10 years


Get started today!

These new features in Advanced eDiscovery and Advanced Audit are now available.

We hope you find this update valuable. Let us know what you think!


On behalf of the eDiscovery and Audit team,

Thank you!

Iram Arras


1 Gartner Press Release, Gartner Survey Reveals Legal Leaders Are Struggling with Their Workload Since COVID-19, August 2020.

Last update: Jan 12 2022 08:34 AM