MS-102 | Chapter 21 of 104 | Objective 3.4

eDiscovery and Content Search

This chapter covers eDiscovery and Content Search in Microsoft 365, essential for managing legal and compliance investigations. For the MS-102 exam, this topic appears in roughly 10-15% of questions, primarily in the Security Threats domain (Objective 3.4). You must understand how to create eDiscovery cases, place holds, search content, and export results, as well as the differences between Content Search and eDiscovery cases, and the roles and permissions required.

25 min read
Intermediate
Updated May 31, 2026

The Law Firm Document Request

Imagine a law firm that needs to find all documents related to a specific client case. The firm has hundreds of thousands of documents stored across multiple filing cabinets, some in different rooms and even different floors. The senior partner issues a 'document request' — a specific set of search criteria (e.g., documents dated between Jan 2020 and Dec 2022 that mention 'Project X'). The paralegal (the eDiscovery manager) creates a 'search query' and runs it against all filing cabinets. The search returns a list of document IDs and locations. The paralegal then 'places a hold' on those documents — meaning no one is allowed to remove, modify, or destroy them, even if they were scheduled for shredding. Next, the paralegal 'exports' copies of those documents into a secure review room (the review set). The senior partner and legal team can then review, tag, and analyze the documents without affecting the originals. If the case goes to court, the firm can produce the exported documents as evidence. The key is that the hold prevents spoliation (destruction of evidence), the search narrows down the massive data set, and the export creates a static copy for review. The entire process is governed by strict rules and audit trails to ensure legal compliance.

How It Actually Works

What is eDiscovery and Content Search?

eDiscovery (electronic discovery) is the process of identifying, preserving, collecting, processing, and reviewing electronically stored information (ESI) for legal or regulatory purposes. In Microsoft 365, eDiscovery capabilities are built into the compliance center and come in three forms: Content Search, eDiscovery (Standard) (formerly eDiscovery Center), and eDiscovery (Premium).

Content Search: A basic tool to search across Exchange Online mailboxes, SharePoint Online sites, OneDrive for Business, Microsoft Teams, and Yammer groups. It allows you to preview results, export them, and create a report. However, it does not support placing holds or adding results to a review set.

eDiscovery (Standard): Adds case management, holds, and exports to a review set. You create a case, add custodians (optional), define searches, place holds on content locations, and export results for review.

eDiscovery (Premium): Extends Standard with advanced features like near-duplicate detection, email threading, predictive coding (machine learning-based relevance), and advanced indexing. It also supports custodian-based workflows and review sets with analytics.

How It Works Internally

When you create an eDiscovery case and define a search, the following happens:

1. Search Query Construction: You build a keyword query (e.g., subject:"Project X" AND date>=2020-01-01 AND date<=2022-12-31). This uses Keyword Query Language (KQL). The query can target specific content sources (mailboxes, sites, etc.) and include conditions like sender, recipient, file type, and sensitivity labels.

2. Search Execution: The search is submitted to the Microsoft 365 search index. The index is a distributed system that crawls and indexes content from Exchange, SharePoint, OneDrive, Teams, and Yammer. The search returns a list of items matching the query along with their locations (mailbox GUID, site URL, etc.).

3. Preview and Statistics: You can preview up to 1000 items per search. The search also returns statistics like total items, size, and locations hit.

4. Hold Application: For eDiscovery (Standard/Premium) cases, you can create a hold that preserves content. The hold is applied to the content locations (mailboxes, sites, etc.) and prevents deletion or modification. Holds use the concept of in-place hold or litigation hold for mailboxes and the preservation hold library for SharePoint.

5. Export: You can export search results to a local machine or Azure storage. Exports include the original items (in their native format), a load file (for importing into review tools), and a results report (CSV).

6. Review Set (Premium only): For Premium, you add search results to a review set. This creates a static copy of the data that can be analyzed, tagged, and reviewed. The review set supports advanced analytics like near-duplicate grouping and email threading.

Key Components, Values, Defaults, and Timers

Search Query Limits: Maximum 100 conditions per search. Keyword length limited to 10,000 characters.

Preview Limit: Up to 1000 items can be previewed per search. If more results, you must export.

Export Limits:

Maximum export size: 5 TB or 1 million items per export.

Maximum number of simultaneous exports per tenant: 10.

Export data is available for 30 days after download.

Hold Limits:

Maximum 100 cases per tenant.

Maximum holds per case: 1000.

Maximum mailboxes per hold: 10,000.

Maximum sites per hold: 100.

Role Groups: To use eDiscovery, you need appropriate permissions. The eDiscovery Manager role group (in Compliance Center) provides access to Content Search and eDiscovery cases. The eDiscovery Administrator role group adds the ability to manage all cases and access any case.

Default Timers:

Search results are cached for 7 days. After that, you must re-run the search.

Holds are applied within 24 hours typically.

Export preparation can take minutes to hours depending on data volume.

Configuration and Verification Commands (PowerShell)

You can manage eDiscovery via the Compliance Center UI or PowerShell.

Connect to Security & Compliance Center PowerShell:

Connect-IPPSSession

Create a new eDiscovery case:

New-ComplianceCase -Name "Case123" -Description "Legal hold case"

Create a search inside a case:

New-ComplianceSearch -Case "Case123" -Name "Search1" -ContentMatchQuery 'subject:"Project X"' -ExchangeLocation All -SharePointLocation All

Start the search:

Start-ComplianceSearch -Identity "Case123\Search1"

Create a hold (the policy defines the locations and must exist before the rule, which defines the query, is attached to it):

New-CaseHoldPolicy -Case "Case123" -Name "HoldPolicy1" -ExchangeLocation All -SharePointLocation All
New-CaseHoldRule -Name "HoldRule1" -Policy "HoldPolicy1" -ContentMatchQuery "*"

Export search results:

New-ComplianceSearchAction -Case "Case123" -SearchName "Search1" -Export

Verify hold status:

Get-CaseHoldPolicy -Case "Case123" | Format-List Name, Enabled, ExchangeLocation
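The commands above, assembled into one run in the order a legal hold actually needs (hold before export), with the checks the rest of this chapter calls out: polling the search to completion, flagging the 1000-item preview cap, and confirming hold distribution before exporting. This is an added example, not code from the page or from Microsoft; the case, search and policy names, the custodian mailboxes, the site URL and the "Project X" phrase are assumptions. Run it after Connect-IPPSSession.

```powershell
# Added example: eDiscovery (Standard) workflow with verification steps.
# All names, mailboxes and URLs below are placeholders for this example.
param(
    [string]$CaseName   = "Case123",
    [string]$SearchName = "Search1",
    [string]$Phrase     = "Project X",
    [datetime]$From     = "2020-01-01",
    [datetime]$To       = "2022-12-31"
)

# 1. Case: the container that makes holds possible (Content Search alone cannot hold).
if (-not (Get-ComplianceCase -Identity $CaseName -ErrorAction SilentlyContinue)) {
    New-ComplianceCase -Name $CaseName -Description "Legal hold case" | Out-Null
}

# 2. Hold FIRST, so matching content cannot be deleted while the search and export run.
#    A hold is a policy (locations) plus a rule (KQL query); "*" preserves everything
#    in the chosen locations. The locations here are assumed placeholders.
$policyName = "$CaseName-HoldPolicy"
if (-not (Get-CaseHoldPolicy -Identity $policyName -Case $CaseName -ErrorAction SilentlyContinue)) {
    New-CaseHoldPolicy -Name $policyName -Case $CaseName `
        -ExchangeLocation "custodian1@contoso.com", "custodian2@contoso.com" `
        -SharePointLocation "https://contoso.sharepoint.com/sites/ProjectX" | Out-Null
    New-CaseHoldRule -Name "$policyName-Rule" -Policy $policyName -ContentMatchQuery "*" | Out-Null
}

# 3. Build the KQL query. The phrase is double-quoted inside a single-quoted PowerShell
#    string so the quotes reach KQL intact; the date range uses the 'received' property.
$kql = 'subject:"{0}" AND received>={1} AND received<={2}' -f `
        $Phrase, $From.ToString("yyyy-MM-dd"), $To.ToString("yyyy-MM-dd")

if (-not (Get-ComplianceSearch -Identity $SearchName -ErrorAction SilentlyContinue)) {
    New-ComplianceSearch -Name $SearchName -Case $CaseName -ContentMatchQuery $kql `
        -ExchangeLocation All -SharePointLocation All | Out-Null
}
Start-ComplianceSearch -Identity $SearchName

# 4. Poll until the index has returned results (Status: Starting -> InProgress -> Completed).
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $SearchName
} while ($search.Status -ne "Completed")

"{0} items, {1} bytes matched" -f $search.Items, $search.Size
if ($search.Items -gt 1000) {
    "More than 1000 items: preview is capped, so export to review everything."
}

# 5. Confirm the hold has actually propagated (can take up to 24 hours) before relying on it.
$dist = Get-CaseHoldPolicy -Identity $policyName -Case $CaseName -DistributionDetail
"Hold distribution status: $($dist.DistributionStatus)"

# 6. Export only once the hold is in place: an export is a copy, not a preservation.
if ($dist.DistributionStatus -eq "Success") {
    New-ComplianceSearchAction -SearchName $SearchName -Export
}
```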

Interaction with Related Technologies

eDiscovery integrates with:

- Microsoft Purview Information Protection: Sensitivity labels can be used in search queries to find content with specific labels.

- Data Lifecycle Management: Retention policies and labels can conflict with eDiscovery holds. Holds take precedence over deletion policies.

- Microsoft Teams: eDiscovery can search Teams channel messages, chats, and files. Teams data is stored in Exchange (conversations) and SharePoint (files).

- Yammer: Yammer content is searchable if Yammer is in Native Mode.

- Azure Information Protection: Encrypted content can be decrypted during export if the eDiscovery administrator has usage rights.

Common Exam Traps

Confusing Content Search with eDiscovery (Standard): Content Search cannot place holds or add to review sets. That requires eDiscovery (Standard) or Premium.

Assuming all content is indexed: Some file types are not searchable (e.g., encrypted files without decryption rights, or files with unsupported extensions).

Thinking holds are instant: Holds can take up to 24 hours to take effect.

Overlooking role-based access: Only users in the eDiscovery Manager or Administrator role group can create and manage cases.

Walk-Through

1. Create an eDiscovery Case

Navigate to Microsoft Purview compliance portal > eDiscovery > Standard (or Premium). Click 'Create a case'. Provide a name, description, and optional tags. The case is the container for all searches, holds, and exports. Without a case, you cannot place holds or use review sets. For Content Search only, no case is needed.

2. Define and Run a Search

Inside the case, create a new search. Specify the query using KQL. Choose content locations: specific mailboxes, SharePoint sites, OneDrive accounts, or 'All'. You can also target Teams and Yammer. After configuring, run the search. The search queries the Microsoft 365 index and returns a list of items. You can preview up to 1000 results. Check statistics to see item count and size.

3. Place Content on Hold

To preserve content, create a hold within the case. A hold consists of a policy (defines locations) and a rule (defines the query). The hold prevents deletion and modification of matching content. Holds apply to Exchange mailboxes, SharePoint sites, and OneDrive accounts. For mailboxes, the hold uses litigation hold or in-place hold. For SharePoint, it uses the preservation hold library. Holds take effect within 24 hours.

4. Export Search Results

After the search completes, you can export the results. Choose export options: include items with unrecognized format, include encrypted items, or export in a compressed format. The export process prepares a package that can be downloaded. The export includes a results CSV, a load file (for third-party review tools), and the actual items in their native format. Exports are available for 30 days.

5. Add to Review Set (Premium)

In eDiscovery (Premium), you can add search results to a review set. This creates a static copy of the data. The review set allows you to tag, search, and analyze data. Advanced features like near-duplicate detection, email threading, and predictive coding are available. You can also add additional data to the same review set from different searches.

What This Looks Like on the Job

Enterprise Scenario 1: Legal Hold for Litigation

A multinational corporation is facing a lawsuit and must preserve all emails and documents related to a specific product line. The legal team creates an eDiscovery (Standard) case named 'ProductX Litigation'. They add all custodians (employees involved) by specifying their mailboxes and OneDrive accounts. A search is run with the query product:"X" and date range. A hold is placed on all custodians' mailboxes and the SharePoint site containing product documentation. The hold prevents any deletion or modification. The legal team then exports the results to a secure location for external counsel review. Common issues: forgetting to include Teams chats (which are stored in Exchange) or not applying the hold before the export (exports do not preserve data).

Enterprise Scenario 2: Internal Investigation

An HR department needs to investigate a complaint of harassment. They create an eDiscovery (Premium) case to leverage advanced analytics. They add the accused and accuser as custodians, and search for specific keywords. They add results to a review set. Using near-duplicate detection, they identify multiple copies of the same email. Email threading helps them see the full conversation. Predictive coding helps prioritize relevant items. The investigation team tags items as 'relevant' or 'not relevant'. The final set of relevant items is exported for legal review. Performance consideration: large review sets (millions of items) may require significant processing time. Misconfiguration: not adding all relevant custodians or not searching all content sources (e.g., missing Yammer).

Scenario 3: Regulatory Compliance Response

A financial institution receives a regulatory request for all communications regarding a specific transaction. They use Content Search (no case needed) to quickly find and export the data. They run a search across all Exchange mailboxes and SharePoint sites with the transaction ID. They export the results as a report and the actual files. Since no hold is needed (the regulator just wants a copy), Content Search suffices. However, they must ensure the export does not include privileged information. They use the query to exclude certain keywords. Common mistake: using Content Search when a hold is required; they later discover that some emails were deleted before the export. In that case, they should have used eDiscovery (Standard) with a hold.

How MS-102 Actually Tests This

MS-102 Exam Focus: eDiscovery and Content Search

The MS-102 exam tests your ability to configure and manage eDiscovery and Content Search in Microsoft 365. Key objectives under Security Threats (3.4) include:

3.4.1 Configure eDiscovery cases and searches

3.4.2 Manage eDiscovery holds

3.4.3 Export eDiscovery search results

3.4.4 Manage eDiscovery permissions

Common Wrong Answers and Why They Are Chosen

1. 'Content Search can place holds.' – This is the most common trap. Candidates confuse Content Search with eDiscovery (Standard). Content Search is only for search and export; holds require a case.

2. 'Holds are applied immediately.' – Many think holds are instant. In reality, holds can take up to 24 hours to take effect. The exam tests this delay.

3. 'You can export from any search.' – Both Content Search and case searches can be exported, but only a search inside a case (eDiscovery Standard/Premium) can be combined with a hold. A Content Search export is a copy only and preserves nothing.

4. 'All file types are searchable.' – The exam may present a scenario where a file is not found. Unsupported file types or encrypted files without decryption rights are not indexed.

Specific Numbers and Terms to Memorize

Maximum items per preview: 1000

Maximum export size: 5 TB or 1 million items

Export availability: 30 days

Maximum holds per case: 1000

Maximum mailboxes per hold: 10,000

Maximum sites per hold: 100

Role groups: eDiscovery Manager, eDiscovery Administrator

KQL: Keyword Query Language

Edge Cases and Exceptions

Teams data: Channel messages are stored in Exchange, while files are in SharePoint. Ensure both locations are searched.

Yammer: Only searchable if in Native Mode.

Encrypted content: Can only be decrypted during export if the user has decryption rights.

Inactive mailboxes: They can be searched but cannot be placed on hold.

How to Eliminate Wrong Answers

If the question mentions 'preserve' or 'hold', the answer must involve eDiscovery (Standard) or Premium, not Content Search.

If the question asks about 'previewing results', remember the 1000-item limit.

If the question discusses 'advanced analytics', it refers to eDiscovery (Premium).

Always check permissions: only eDiscovery Managers and Administrators can perform these actions.

Key Takeaways

Content Search is for searching and exporting only; it cannot place holds.

eDiscovery (Standard) adds case management and holds; Premium adds advanced analytics.

Holds take up to 24 hours to apply; plan accordingly.

Export limit: 5 TB or 1 million items per export; exports expire after 30 days.

Preview limit: 1000 items per search.

Only eDiscovery Managers and Administrators can create and manage cases.

Teams data is stored in Exchange (chats) and SharePoint (files); search both.

Yammer in Native Mode is searchable.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Content Search

No case required

Cannot place holds

No review set

Basic search and export only

Suitable for ad-hoc searches

eDiscovery (Standard)

Requires a case

Can place holds on content

Can export to a review set (Premium only)

Supports custodian management

Suitable for legal investigations

Watch Out for These

Mistake

Content Search can place a hold on content.

Correct

Content Search only allows searching and exporting. To place a hold, you must use eDiscovery (Standard) or Premium, which require a case.

Mistake

eDiscovery holds are applied instantly.

Correct

Holds can take up to 24 hours to fully apply. The hold policy must propagate to all content locations.

Mistake

You can search all content types without any limitations.

Correct

Some file types are not indexed (e.g., certain binary files). Encrypted files may not be searchable unless decryption rights are granted.

Mistake

Exporting search results preserves the original content.

Correct

Export creates a copy; it does not preserve the original. To preserve, you must apply a hold before any deletion occurs.

Mistake

Any user can create eDiscovery cases.

Correct

Only users assigned to the eDiscovery Manager or eDiscovery Administrator role group can create and manage cases.


Frequently Asked Questions

How do I place a hold on a mailbox using eDiscovery?

Create an eDiscovery (Standard) case, then create a hold policy and rule. The hold policy specifies the mailbox locations (e.g., all mailboxes or specific ones). The hold rule defines the query (use '*' to hold everything). The hold will prevent deletion and modification. It may take up to 24 hours to take effect.

What is the difference between Content Search and eDiscovery (Standard)?

Content Search is a simple search and export tool without case management or hold capabilities. eDiscovery (Standard) requires a case, allows you to place holds on content, and supports exporting to a review set (in Premium). Use Content Search for quick searches; use eDiscovery (Standard) for legal holds and investigations.

Can I search Microsoft Teams messages using eDiscovery?

Yes. Teams channel messages are stored in the group mailbox (Exchange) and can be searched by targeting the associated mailbox. Teams chat messages (1:1 and group chats) are stored in individual user mailboxes. SharePoint sites associated with Teams store files. Ensure you include both Exchange and SharePoint locations in your search.

What are the export options and limits?

You can export search results to a local machine or Azure. Export includes items, a load file, and a results report. Limits: maximum 5 TB or 1 million items per export, maximum 10 simultaneous exports per tenant. Exported data is available for 30 days after the export is created.

How do I grant a user permission to perform eDiscovery?

Go to Microsoft Purview compliance portal > Roles & scopes > Permissions. Add the user to the eDiscovery Manager or eDiscovery Administrator role group. eDiscovery Managers can create and manage cases; Administrators can access all cases and manage role group membership.

What is an inactive mailbox and can it be searched?

An inactive mailbox is a mailbox that has been soft-deleted (deleted user) but is preserved due to a hold or retention policy. It can be searched using eDiscovery, but you cannot place a new hold on it (it already has a hold). You can export data from it.

How does eDiscovery handle encrypted content?

eDiscovery can search encrypted content if it is indexed (e.g., encrypted by Azure Information Protection). During export, encrypted items can be decrypted if the exporting user has the 'Decrypt' permission (via Rights Management). Otherwise, encrypted items are exported as encrypted.
