Microsoft Purview eDiscovery Basics: A Legal Team’s How‑To Guide

Modern legal teams live where their clients’ data lives—across Outlook, Teams, SharePoint, and OneDrive. Microsoft Purview eDiscovery brings those sources under one defensible umbrella for legal holds, search, review, and export. This practical guide walks attorneys and litigation support professionals through the fundamentals, step-by-step workflows, and real-world tips for using Purview eDiscovery (Standard and Premium) to streamline matters while maintaining airtight defensibility.

What Is Microsoft Purview eDiscovery?

Microsoft Purview eDiscovery centralizes discovery activities across Microsoft 365. It offers two tiers: eDiscovery Standard for core case management, legal holds, searches, and exports; and eDiscovery Premium for end-to-end workflows including custodian management, legal hold communications, collection, processing, in-place review sets, analytics (email threading, near-duplicate detection), and targeted exports.

Best practice: Treat Purview as your system of record for legal holds and discovery decisions on Microsoft 365 data. Keep all case actions, notes, and exports tied to a specific case for consistent auditability and chain-of-custody continuity.

Licensing, Permissions, and Readiness Checklist

Get the foundation right before your first case—licensing and role assignments determine which workflows are available.

Purview eDiscovery Tiers and Capabilities (Check current Microsoft licensing for updates)

| Area | eDiscovery Standard | eDiscovery Premium |
| --- | --- | --- |
| Typical License | Included in many Microsoft 365/Office 365 E3 plans | Microsoft 365 E5 or E5 Compliance add-on |
| Case Management | Yes | Yes (enhanced) |
| Legal Hold | Yes (mailboxes, OneDrive, sites) | Yes + custodian/non-custodial sources + hold communications |
| Search | Keyword and condition-based | Advanced collections targeting, scope control |
| Review | No in-place review | Review sets, tagging, analytics (threading, near-duplicates) |
| Export | PST/ZIP, query results | Load files, metadata-rich exports, bates/stamping workflows via partner tools |
| Legal Hold Notices | Manual (outside Purview) | Built-in notifications and acknowledgments |

Role-Based Access You’ll Need

  • Assign users to Purview role groups such as eDiscovery Manager (case work) and eDiscovery Administrator (org-level control).
  • Ensure service accounts for automation are least-privileged and monitored.
  • Enable unified audit (typically on by default) for full event visibility.

Readiness Checklist

  • Confirm licensing tier for each user/data location in scope.
  • Verify data sources: Exchange Online, SharePoint sites, OneDrive accounts, Teams (including private/shared channels).
  • Align retention policies with legal holds to avoid conflicts (holds should supersede deletions).
  • Document your matter intake process: timeline, scope, custodians, legal issues, and preservation strategy.

The Anatomy of a Defensible eDiscovery Matter

End-to-End Microsoft Purview eDiscovery Workflow

1) Intake and Scoping → 2) Custodian Identification → 3) Legal Hold Placement → 4) Data Scoping/Search → 5) Collection/Processing → 6) Review/Analytics → 7) Production/Export → 8) Post‑Matter Closure and Hold Release

Tip: Separate “preservation” (hold) from “collection” decisions. In Purview, you can place a broad hold quickly to mitigate risk, then use targeted searches and collections to minimize downstream review volume.

Tutorial: Running a Case in eDiscovery Standard (Hold → Search → Export)

This hands-on tutorial is ideal for firms with Microsoft 365 E3-level capabilities. You’ll create a case, preserve data, search, and export results for external review.

Prerequisites

  • eDiscovery Manager role assigned.
  • List of custodians and locations (mailboxes, OneDrive, SharePoint sites, Teams channels if applicable).

Step-by-Step

  1. Create a Case

    • Go to Microsoft Purview portal → eDiscovery → Standard → Create case.
    • Name the case (e.g., “Acme v. Contoso – 2026”) and add a description.
    • Add case members (attorneys, litigation support) with appropriate roles.
  2. Place Legal Holds

    • Open the case → Holds → Create hold.
    • Select locations (Exchange mailboxes, OneDrive accounts, SharePoint sites). For Teams, target the underlying group mailbox and SharePoint site.
    • Optionally filter holds (query-based hold) for date ranges or keywords if you must narrowly preserve. Default is broad preservation—often safer early on.
    • Save. Document the hold scope and rationale in the case notes.
  3. Build Searches

    • Case → Searches → New search.
    • Add locations (mirror your hold targets, or a subset).
    • Define your query using KQL and conditions. Examples:
      • keyword: "project x" OR "PX-100" (use straight quotes; curly quotes pasted from Word or email are not treated as phrase delimiters)
      • conditions: date range, sender/recipient, file types (docx, xlsx, pdf)
    • Run and review statistics (hit counts by location, top contributors). Refine as needed to balance recall and precision.
  4. Validate and Iterate

    • Preview samples: open items to confirm relevance and identify false positives.
    • Adjust keywords, add/remove custodians, and exclude obvious noise (e.g., marketing distributions) carefully.
  5. Export Results

    • From the search, choose Export.
    • Decide export options: de-duplication, include versions/attachments, output format (PST/ZIP).
    • Generate the export and download via the provided Export tool link.
    • Record the Export ID and hash values for chain-of-custody. Store alongside your case log in SharePoint or your DMS.
  6. Track Everything

    • Use Excel to log holds, queries, custodians, export IDs, and key decisions. Save the workbook in the case SharePoint site.
    • When the matter closes, release holds (Case → Holds → Release), documenting dates and approvals.

Tutorial: Using eDiscovery Premium for In-Place Review and Analytics

With E5 or the E5 Compliance add-on, you can reduce handoffs by reviewing inside Microsoft 365 before producing externally.

Prerequisites

  • eDiscovery (Premium) role access and case created in Premium.
  • Identified custodians and any non-custodial data sources (shared mailboxes, site collections).

Step-by-Step

  1. Set Up Custodians and Holds

    • Open your Premium case → Collections and Holds → Add custodians.
    • Place legal holds at the custodian or non-custodial source level. Use built-in legal hold notifications to issue notices and track acknowledgments.
  2. Collect to a Review Set

    • Create a collection with targeted scope (keywords, date ranges, data types, and locations).
    • Send collected items to a new or existing review set. This processes data for review and analytics.
  3. Run Analytics

    • In the review set, enable analytics: email threading, near-duplicate detection, language detection.
    • Use results to cull redundant material and accelerate first-level review.
  4. Tag and Triage

    • Create tag sets (Responsive, Non-Responsive, Privileged, Needs Further Review).
    • Filter by threads, participants, or themes; bulk-tag straightforward families to reduce reviewer effort.
  5. Quality Control

    • Spot-check near-duplicate decisions; validate thread inclusiveness to avoid over/under-production.
    • Document QC rates and reviewer guidance in case notes.
  6. Export for Production

    • Export tagged sets with metadata and load files compatible with platforms like Relativity or Summation.
    • Capture export reports, hash values, and any exceptions into your matter log.

Data Nuances for Teams, SharePoint, Outlook, and OneDrive

Understanding where data lives improves your scoping accuracy and reduces surprises.

Key Microsoft 365 Sources and eDiscovery Considerations

| Source | Where Data Resides | Notes for eDiscovery |
| --- | --- | --- |
| Outlook Email | Exchange Online mailboxes, archives | Holds preserve mailbox content; consider shared mailboxes and archives. |
| Teams Chat (1:1/Group) | Exchange mailboxes (chat compliance copies) | Include custodians’ mailboxes; emojis/reactions are captured as message metadata. |
| Teams Channel Messages | Group mailbox; files in Team’s SharePoint site | Private and shared channels have distinct sites/mailboxes; include them explicitly. |
| Teams/OneDrive Files | SharePoint sites and OneDrive accounts | Version history matters; holds preserve versions in scope. |
| SharePoint Sites | SharePoint Online | Identify case-related sites (projects, deal rooms). Include subsites and libraries as needed. |
| Viva Engage/Yammer | Yammer (Enterprise) integrated storage | Supported in Premium; verify enablement in your tenant. |

Note: Retention labels and policies can affect visibility. Legal holds should override deletions, but conflicts can impact user experience and storage. Coordinate with your compliance admin.

Hands-On Automation: Legal Hold Acknowledgments with SharePoint and Power Automate

If you don’t have Premium’s built-in legal hold communications, you can still track acknowledgments using Outlook, SharePoint, and Power Automate. This lightweight workflow logs notices, sends reminders, and produces an auditable register in Excel or SharePoint.

What You’ll Build

  • A SharePoint list (“Legal Holds”) to track matters, custodians, and acknowledgment status.
  • A Power Automate cloud flow that emails custodians from Outlook with unique links.
  • An acknowledgment form (Microsoft Forms) that writes back to the SharePoint list.
  • Optional: A scheduled reminder flow for non-responders and a summary Excel export.

Step-by-Step

  1. Create the SharePoint List

    • Site → New → List → “Legal Holds”.
    • Add columns: MatterName (Single line), CustodianName (Person), CustodianEmail (Single line), NoticeSent (Date), Acknowledged (Yes/No), AcknowledgedDate (Date), ReminderCount (Number), CaseID (Single line).
  2. Build the Acknowledgment Form

    • Microsoft Forms → New Form (“Legal Hold Acknowledgment”).
    • Questions: CaseID (short answer), CustodianEmail (short answer), “I acknowledge the legal hold” (required Yes/No), Comments (optional).
    • Copy the form link for use in emails.
  3. Create the “Send Notice” Flow (Instant)

    • Power Automate → Create → Instant cloud flow → Trigger: “Manually trigger a flow”.
    • Action: “Get items” (SharePoint) from the “Legal Holds” list, filtered where Acknowledged eq false.
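    • Action: “Send an email (V2)” (Outlook) to CustodianEmail with subject “Legal Hold Notice: @{items('Apply_to_each')?['CaseID']}”. Because “Get items” returns a list, Power Automate wraps this action in an “Apply to each” loop, and the expression reads CaseID from the current item.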
    • Body should include the Form link with pre-filled parameters, e.g., “CaseID=@{CaseID}&CustodianEmail=@{CustodianEmail}”.
    • Action: “Update item” to set NoticeSent to utcNow().
  4. Create the “Log Acknowledgment” Flow (Automated)

    • Trigger: “When a new response is submitted” (Microsoft Forms) → select your Acknowledgment form.
    • Action: “Get response details”.
    • Action: “Update item” in SharePoint where CaseID and CustodianEmail match response values: set Acknowledged = Yes and AcknowledgedDate = utcNow().
  5. Add a Reminder Flow (Scheduled)

    • Trigger: Recurrence (e.g., every 3 days).
    • Action: “Get items” where Acknowledged eq false and NoticeSent is not null.
    • Loop: Send polite reminder via Outlook, increment ReminderCount, and log each reminder date in a multiline Comments column.
  6. Export and Report

    • Use “Export to Excel” from the SharePoint list or build a Power BI report for counsel updates.
    • Store the register in your case SharePoint site for auditors and opposing counsel transparency.

Defensibility Tip: Lock down the “Legal Holds” list permissions (read-only for most, edit for legal ops). Include the notice language inside the email and attach a PDF copy generated from Word for archival consistency.

Security, Auditing, and Defensibility Tips

  • Chain of Custody: Capture export job IDs, SHA-256 hashes, and timestamps. Store alongside case logs.
  • Audit Everything: Unified audit should capture holds, searches, exports, and access. Periodically export audit logs to your matter site.
  • Scope Controls: Use separate cases per matter; avoid reusing cases across clients.
  • Least Privilege: Limit eDiscovery Administrator roles; segregate duties between legal and IT where possible.
  • Retention vs. Holds: Ensure retention policies don’t prematurely purge relevant content; document resolution of any conflicts.
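
The chain-of-custody hash check recommended in the list above and in the export steps, as an added example (not part of the original guide or of any Microsoft tooling): it records a SHA-256 manifest for a downloaded export folder and later reports modified, missing, or unexpected files. The folder layout, file names, and the export ID placeholder are constructed for the demo.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte PSTs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(export_dir, export_id):
    """Record size and SHA-256 of every file under the export folder."""
    root = Path(export_dir)
    files = {p.relative_to(root).as_posix():
                 {"bytes": p.stat().st_size, "sha256": sha256_file(p)}
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"export_id": export_id,
            "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "files": files}

def verify_manifest(export_dir, manifest):
    """Report files changed, removed, or added since the manifest was recorded."""
    current = build_manifest(export_dir, manifest["export_id"])["files"]
    recorded = manifest["files"]
    return {
        "modified": sorted(n for n in recorded if n in current
                           and current[n]["sha256"] != recorded[n]["sha256"]),
        "missing": sorted(n for n in recorded if n not in current),
        "unexpected": sorted(n for n in current if n not in recorded),
    }

def demo():
    """Constructed sample export: small files standing in for a PST and a report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Exchange").mkdir()
        pst = root / "Exchange" / "custodian1.pst"
        pst.write_bytes(b"constructed sample mailbox bytes")
        (root / "Export Summary.csv").write_text("Item,Count\nMessages,2\n")
        manifest = build_manifest(root, "EXPORT-ID-PLACEHOLDER")
        clean = verify_manifest(root, manifest)
        pst.write_bytes(b"altered bytes")            # simulate later tampering
        (root / "Export Summary.csv").unlink()       # simulate a lost file
        (root / "notes.txt").write_text("added later")
        return manifest, clean, verify_manifest(root, manifest)

if __name__ == "__main__":
    manifest, clean, drift = demo()
    print(json.dumps(manifest, indent=2), clean, drift, sep="\n")
```

Store the manifest JSON outside the export folder (for example in the matter log), otherwise it will be reported as an unexpected file on the next verification.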

Common Pitfalls and How to Avoid Them

  • Missing Teams Private/Shared Channels: Add their distinct mailboxes/sites to holds and searches.
  • Under-Inclusive Early Queries: Start broader, iterate narrower; log your query evolution.
  • Ignoring Non-Custodial Data: Shared mailboxes, project sites, and departmental repositories often contain key documents.
  • No Communication Tracking (Standard): Use the Power Automate workflow above to produce an auditable acknowledgment trail.
  • Unverified Exports: Validate exports with hash checks and sample review before production.
  • Overlapping Roles: Keep role assignments clean to prevent accidental access and maintain privilege boundaries.

Conclusion and Next Steps

Microsoft Purview eDiscovery consolidates preservation and discovery tasks inside Microsoft 365, reducing risk and accelerating matters. Start with a solid foundation—licensing, roles, and process—then apply the Standard and Premium workflows outlined here for holds, search, review, and export. By layering in automation for communications and reporting, your team can deliver faster, more defensible outcomes with fewer tools to manage.

Want expert guidance on bringing Microsoft 365 automation into your firm’s legal workflows? Reach out to A.I. Solutions today for tailored support and training.