Advanced eDiscovery in Microsoft 365 provides an end-to-end workflow to preserve, collect, review, analyze, and export data that are responsive to your organization's internal and external investigations. Nothing is needed to deploy Advanced eDiscovery, but there are some prerequisite tasks that an IT admin and eDiscovery manager have to complete before your organization can start to create and use Advanced eDiscovery cases to manage your investigations.
This article discusses the steps necessary to set up Advanced eDiscovery. This includes ensuring the proper licensing required to access Advanced eDiscovery and add custodians to cases, as well as assigning permissions to your legal and investigation team so they can access and manage cases. This article also provides a high-level overview of using cases to manage the Advanced eDiscovery workflow for a legal investigation.
Step 1: Verify and assign appropriate licenses
Licensing for Advanced eDiscovery requires the appropriate organization subscription and per-user licensing.
Organization subscription: To access Advanced eDiscovery in the Microsoft 365 compliance center or the Security & Compliance Center, your organization must have one of the following:
Microsoft 365 E5 or Office 365 E5 subscription
Microsoft 365 E3 subscription with E5 Compliance add-on
Microsoft 365 E3 subscription with E5 eDiscovery and Audit add-on
Per-user licensing: To add a user as a custodian in an Advanced eDiscovery case, that user must be assigned one of the following licenses, depending on your organization subscription:
Microsoft 365: Users must be assigned a Microsoft 365 E5 license, an E5 Compliance add-on license, or an E5 eDiscovery and Audit add-on license.
Office 365: Users must be assigned an Office 365 E5 license.
For information about how to assign licenses, see Assign licenses to users.
Step 2: Assign eDiscovery permissions
To access Advanced eDiscovery or be added as a member of an Advanced eDiscovery case, a user must be assigned the appropriate permissions. Specifically, a user must be added as a member of the eDiscovery Manager role group in the Security & Compliance Center. Members of this role group can create and manage Advanced eDiscovery cases. They can add and remove members, place custodians and content locations on hold, manage legal hold notifications, create and edit searches associated with a case, add search results to a review set, analyze data in a review set, and export and download from an Advanced eDiscovery case.
Complete the following steps to add users to the eDiscovery Manager role group:
Go to https://protection.office.com/permissions and sign in using the credentials for an admin account in your Microsoft 365 organization.
On the Permissions page, select the eDiscovery Manager role group.
On the eDiscovery Manager flyout page, click Edit next to the eDiscovery Manager section.
On the Choose eDiscovery Manager page in the edit role group wizard, click Choose Discovery Manager.
Click Add, and then select the checkbox for all users you want to add to the role group.
Click Add to add the selected users, and then click Done.
Click Save to add the users to the role group, and then click Close to complete the step.
More information about the eDiscovery Manager role group
There are two subgroups in the eDiscovery Manager role group. The difference between these subgroups is based on scope.
eDiscovery Manager: Can view and manage the Advanced eDiscovery cases they create or are a member of. If another eDiscovery Manager creates a case but doesn't add a second eDiscovery Manager as a member of that case, the second eDiscovery Manager won't be able to view or open the case on the Advanced eDiscovery page in the compliance center. In general, most people in your organization can be added to the eDiscovery Manager subgroup.
eDiscovery Administrator: Can perform all case management tasks that an eDiscovery Manager can do. Additionally, an eDiscovery Administrator can:
View all cases that are listed on the Advanced eDiscovery page.
Manage any case in the organization after they add themselves as a member of the case.
Access and export case data for any case in the organization.
Because of the broad scope of access, an organization should have only a few admins who are members of the eDiscovery Administrators subgroup.
For more information about eDiscovery permissions and a description of each role that's assigned to the eDiscovery Manager role group, see Assign eDiscovery permissions.
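The membership described above can also be audited from Security & Compliance PowerShell. The following script is an added example, not part of the original article or Microsoft's own code; it assumes the ExchangeOnlineManagement module is installed, that the role group's identity is eDiscoveryManager, and a local policy threshold ($MaxAdmins) chosen for illustration.

```powershell
# Added example: review who holds eDiscovery access (least-privilege check).
# Assumes the signed-in account can read role groups in Security & Compliance PowerShell.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Assumption: a local policy value for "only a few admins", not a Microsoft limit.
$MaxAdmins = 3

# Members of the eDiscovery Manager role group.
# Assumption: the role group's identity is 'eDiscoveryManager'.
$managers = @(Get-RoleGroupMember -Identity 'eDiscoveryManager')

# Members of the eDiscovery Administrator subgroup, who can view, manage,
# and export data from any case in the organization.
$admins = @(Get-eDiscoveryCaseAdmin)

Write-Output "eDiscovery Manager role group members: $($managers.Count)"
$managers | Sort-Object Name | Format-Table Name, RecipientType -AutoSize

Write-Output "eDiscovery Administrators: $($admins.Count)"
$admins | Sort-Object Name | Format-Table Name -AutoSize

# Flag an eDiscovery Administrator list that has grown past the local threshold.
if ($admins.Count -gt $MaxAdmins) {
    Write-Warning ("{0} eDiscovery Administrators exceed the local limit of {1}; review who needs organization-wide case access." -f $admins.Count, $MaxAdmins)
}

# Flag groups added as role group members: everyone in such a group inherits
# eDiscovery permissions, so the group's own membership needs the same review.
$groups = @($managers | Where-Object { $_.RecipientType -like '*Group*' })
foreach ($g in $groups) {
    Write-Warning "Group '$($g.Name)' is a member of the eDiscovery Manager role group; review its membership."
}

Disconnect-ExchangeOnline -Confirm:$false
```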
Step 3: Configure global settings for Advanced eDiscovery
The last step to complete before people in your organization start to create and use cases is to configure global settings that apply to all cases in your organization. At this time, the only global setting is attorney-client privilege detection (more global settings will be available in the future). This setting enables the attorney-client privilege model to run when you analyze data in a review set. The model uses machine learning to determine the likelihood that a document contains content that is legal in nature. It also compares the participants of documents with an attorney list (that you submit when setting up the model) to determine if a document has at least one participant who is an attorney.
For more information about setting up and using the attorney-client privilege detection model, see Set up attorney-client privilege detection in Advanced eDiscovery.
Step 4: Create an Advanced eDiscovery case
The next step is to create a case and start using Advanced eDiscovery. Complete the following steps to create a case and add members. The user who creates the case is automatically added as a member.
Go to https://compliance.microsoft.com and sign in using the credentials for a user account that has been assigned the appropriate eDiscovery permissions. Members of the Organization Management role group can also create Advanced eDiscovery cases.
In the left navigation pane of the Microsoft 365 compliance center, click Show all, and then click eDiscovery > Advanced.
On the Advanced eDiscovery page, click the Cases tab, and then click Create a case.
On the New eDiscovery case flyout page, give the case a name (required), and then type an optional case number and description. The case name must be unique in your organization.
Click Save to create the case.
The new case is created and the Settings tab in the new case is displayed.
In the Access & permissions tile on the Settings tab, click Select, and then click Update.
On the Manage this case flyout page, under Manage members, click Add to add members to the case.
In the list of people, select the check box next to the names of the people that you want to add to the case. As previously explained, be sure that the people you add to the case have been assigned the appropriate eDiscovery permissions.
After you've selected the people to add as members of the case, click Add.
In the Manage this case flyout page, click Save to save the new list of case members.
Click the Home tab to go to the case home page.
Explore the Advanced eDiscovery workflow
To get you started using Advanced eDiscovery, here's a simple workflow that aligns with common eDiscovery practices. In each of these steps, we'll also highlight some extended Advanced eDiscovery functionality that you can explore.
Add custodians to a case. The first step after creating a case is to add custodians. A custodian is a person having administrative control of a document or electronic file that may be relevant to the case. Here are some things that happen (or that you can do) when you add custodians to a case:
Data in the custodian's Exchange mailbox, OneDrive account, and any Microsoft Teams or Yammer groups that the custodian is a member of can be "marked" as custodial data in the case.
Custodian data is re-indexed (by a process called Advanced indexing). This helps optimize searching for it in the next step.
You can place a hold on custodian data. This preserves data that may be relevant to the case during the investigation.
You can associate other data sources with a custodian (for example, you can associate a SharePoint site or Microsoft 365 Group with a custodian) so this data can be re-indexed, placed on hold, and searched, just like the data in the custodian's mailbox or OneDrive account.
You can use the communications workflow in Advanced eDiscovery to send a legal hold notification to custodians.
Search custodial data sources for data relevant to the case. After you add custodians to a case, use the built-in search tool to search the custodian data locations for data that may be relevant to the case. You use keywords, properties, and conditions to build search queries that return search results with the data that's most likely relevant to the case. You can also:
View search statistics that may help you refine a search query to narrow the results.
Preview the search results to quickly verify whether the relevant data is being found.
Revise a query and re-run the search.
Add data to a review set. Once you've configured and verified that a search returns the desired data, the next step is to add the search results to a review set. When you add data to a review set, items are copied from their original location to a secure Azure Storage location. The data is re-indexed to optimize it for thorough and fast searches when reviewing and analyzing items in the review set. You can also add non-Office 365 data into a review set.
There's also a special kind of review set that you can add data to, called a conversation review set. These types of review sets provide conversation reconstruction capabilities to reconstruct, review, and export threaded conversations like those in Microsoft Teams. For more information, see Review conversations in Advanced eDiscovery.
Review and analyze data in a review set. Now that data is in a review set, you can use a wide variety of tools and capabilities to view and analyze the case data with the goal of reducing the data set to what is most relevant to the case you're investigating. Here's a list of some tools and capabilities that you can use during this process.
View documents. This includes viewing the metadata for each document in a review set, and viewing the document in its native version or text version.
Create queries and filters. You create search queries using a variety of search criteria (including the ability to search all file metadata properties) to further refine and cull the case data to what is most relevant to the case. You can also use review set filters to quickly apply additional conditions to the results of a search query to further refine those results.
Create and use tags. You can apply tags to documents in a review set to identify which are responsive (or non-responsive) to the case and then use those tags when creating search queries to include or exclude the tagged documents. You can also use tagging to determine which documents to export.
Annotate and redact documents. You can use the annotation tool in a review to annotate documents and redact content in documents as work product. We generate a PDF version of an annotated or redacted document during review to reduce the risk of exporting the unredacted native version of the document.
Analyze case data. The analytics functionality in Advanced eDiscovery is powerful. After you run analytics on the data in a review set, we perform analysis such as near duplicate detection, email threading, and themes that can help reduce the volume of documents that you have to review. We also generate an Analytics report that summarizes the result of running analytics. As previously explained, running analytics also runs the attorney-client privilege detection model.
Export and download case data. A final step after collecting, reviewing, and analyzing case data is to export it out of Advanced eDiscovery for external review or for review by people outside of the investigation team. Exporting data is a two-step process. The first step is to export data out of the review set and copy it to a different Azure Storage location (one provided by Microsoft or one managed by your organization). Then you use Azure Storage Explorer to download the data to a local computer. In addition to the exported data files, the export package also contains an export report, a summary report, and an error report.