This chapter covers eDiscovery in Microsoft 365, a critical set of tools for legal and compliance teams to identify, preserve, and export electronic data for legal or investigative purposes. For the MS-900 exam, eDiscovery is part of the Security, Compliance, and Identity domain (objective 3.2), and typically appears in 2-3 questions focusing on the differences between Content Search, eDiscovery (Standard), and eDiscovery (Premium), as well as the concept of legal hold. Understanding these capabilities is essential for answering scenario-based questions about data preservation and discovery workflows.
Imagine a company is sued and the court orders them to produce all emails related to a specific project from the last two years. The legal team needs to find relevant documents across thousands of filing cabinets, but they can’t just walk in and grab files—they must preserve every document exactly as it was, even if employees try to delete or alter them. First, they place a 'legal hold' on all relevant cabinets, freezing them in time so nothing can be changed or destroyed. Then, they search through the cabinets using a detailed index of keywords and dates to find matching documents. Once found, they carefully copy each document into a secure review room, where lawyers can examine and annotate them without risking the originals. Finally, they package the relevant documents into a neat, labeled box for the court, with a chain-of-custody log. In Microsoft 365, eDiscovery works the same way: you place a hold on mailboxes and sites, search using content queries, add results to a review set, analyze and tag them, and then export them in a forensically sound format. The entire process is logged and auditable, just like a legal discovery process.
What is eDiscovery and Why It Exists
eDiscovery (electronic discovery) refers to the process of identifying, collecting, and producing electronically stored information (ESI) in response to a legal request or investigation. In Microsoft 365, eDiscovery capabilities are built into the Microsoft Purview compliance portal and are divided into three tiers: Content Search, eDiscovery (Standard), and eDiscovery (Premium). Each tier provides increasing levels of functionality for searching, preserving, and exporting data.
The primary purpose of eDiscovery in Microsoft 365 is to help organizations comply with legal and regulatory requirements by allowing authorized users to:
Search across all data sources (Exchange Online mailboxes, SharePoint Online sites, OneDrive for Business accounts, Microsoft Teams, Yammer, and more)
Place content on hold to prevent deletion or alteration
Export results in a forensically sound format
Manage the entire discovery workflow with case management
The exam focuses on understanding the capabilities of each tier and when to use them.
How eDiscovery Works Internally
eDiscovery in Microsoft 365 leverages the indexing and search capabilities of the Microsoft 365 platform. When you create a search, the system queries the unified indexing layer that indexes all content in Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. The search uses Keyword Query Language (KQL) syntax, which allows for complex queries including keywords, date ranges, sender/recipient, file types, and more.
When you place a hold, the system uses the Microsoft 365 Hold feature, which works by preserving the original version of content even if a user modifies or deletes it. For Exchange Online, this is implemented by placing the mailbox on In-Place Hold or Litigation Hold; for SharePoint and OneDrive, it uses Preservation Hold libraries. The hold is applied at the item level, meaning that if a user edits a document, the original version is retained in the preservation hold library, and the edit is allowed to proceed.
Key Components, Values, Defaults, and Timers
Content Search:
- Simple search tool for finding content across mailboxes and sites.
- Searches run against indexed content and return results quickly (typically within minutes).
- Results can be exported as CSV, PST, or individual items.
- Maximum export size: 5 TB per export job.
- No case management or hold capabilities.
eDiscovery (Standard):
- Adds case management: cases are containers that hold searches, holds, and exports.
- Allows you to create holds associated with a case.
- Supports searching across all workloads (Exchange, SharePoint, OneDrive, Teams, Yammer).
- Holds are applied to mailboxes, sites, and public folders.
- Default hold duration: indefinite until removed.
- Maximum number of cases: 300 per tenant.
eDiscovery (Premium):
- Advanced workflow with review sets, analytics, and predictive coding.
- Review sets allow you to add search results to a separate container for analysis.
- Analytics include email threading, near-duplicate detection, and themes.
- Predictive coding uses machine learning to identify relevant documents.
- Supports legal hold notifications and custodian management.
- Maximum review set size: 1 TB per case.
Legal Hold:
- Prevents deletion or modification of content.
- For Exchange: places mailbox on Litigation Hold or In-Place Hold.
- For SharePoint/OneDrive: creates a Preservation Hold library.
- Hold duration can be indefinite or based on a date range.
- Users can still work on content; original versions are preserved.
Configuration and Verification Commands
While MS-900 does not require command-line knowledge, understanding the PowerShell equivalents helps grasp the underlying mechanics.
To create a Content Search via PowerShell:
# The compliance cmdlets below run in a Security & Compliance PowerShell session (Connect-IPPSSession from the ExchangeOnlineManagement module)
New-ComplianceSearch -Name "Project X Search" -ExchangeLocation All -SharePointLocation All -ContentMatchQuery "project AND confidential"
To start a search:
Start-ComplianceSearch -Identity "Project X Search"
To create an eDiscovery case and hold:
# -CaseType eDiscovery is the value for an eDiscovery (Standard) case (it is also the default)
New-ComplianceCase -Name "Case 001" -CaseType eDiscovery
New-CaseHoldPolicy -Name "Hold Policy" -Case "Case 001" -ExchangeLocation "user@contoso.com"
# A case hold policy only takes effect once a hold rule is attached to it
New-CaseHoldRule -Name "Hold Rule" -Policy "Hold Policy"
To verify holds are applied:
# Get-Mailbox runs in an Exchange Online session (Connect-ExchangeOnline). LitigationHoldEnabled reflects a Litigation Hold set on the mailbox; a case hold shows up as an entry in InPlaceHolds
Get-Mailbox -Identity "user@contoso.com" | FL LitigationHoldEnabled,InPlaceHolds
If LitigationHoldEnabled is True (or InPlaceHolds lists the case hold), the hold is active.
How eDiscovery Interacts with Related Technologies
eDiscovery integrates with:
- Microsoft Purview Data Lifecycle Management: Retention policies and labels can conflict with eDiscovery holds. A hold always takes precedence over a deletion policy. For example, if a retention policy is set to delete emails after 3 years but a hold is placed on a mailbox, the held items are preserved even after the retention period.
- Microsoft Purview Audit (Standard and Premium): All eDiscovery actions (searches, holds, exports) are logged in the audit log. This provides a chain of custody for legal proceedings.
- Microsoft Purview Information Protection: Sensitivity labels can be applied to documents during the eDiscovery review process, but labels do not affect the search or hold capabilities.
- Microsoft Teams and Yammer: eDiscovery can search messages, files, and conversations in Teams and Yammer. For Teams, this includes private channel messages and shared files.
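The two integration points a defender actually checks are the audit trail (chain of custody) and the hold-beats-retention rule. The script below is an added example, not code from the page or from Microsoft's documentation; it assumes a Security & Compliance PowerShell session (Connect-IPPSSession) for Search-UnifiedAuditLog and an Exchange Online session (Connect-ExchangeOnline) for Get-Mailbox, and the case name and mailbox address are placeholders.

```powershell
# Added example (not from the page): pull the audit trail for one eDiscovery case and
# show why a hold outranks the mailbox's retention policy.
$caseName = "Contract 4711 Litigation"   # placeholder case name
$mailbox  = "alice@contoso.com"          # placeholder custodian mailbox

# 1. Every search, hold and export action is written to the unified audit log with
#    RecordType Discovery. Filtering AuditData on the case name keeps only this case.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -RecordType Discovery -ResultSize 5000 |
    Where-Object { $_.AuditData -like "*$caseName*" }

# A chronological who-did-what list is the chain-of-custody record counsel asks for.
$events |
    Select-Object CreationDate, UserIds, Operations |
    Sort-Object CreationDate |
    Format-Table -AutoSize

# 2. Hold state on the custodian mailbox. A case hold is listed in InPlaceHolds;
#    LitigationHoldEnabled only reflects a Litigation Hold set with Set-Mailbox.
$mb = Get-Mailbox -Identity $mailbox
[pscustomobject]@{
    Mailbox         = $mb.PrimarySmtpAddress
    LitigationHold  = $mb.LitigationHoldEnabled
    CaseHolds       = ($mb.InPlaceHolds -join ", ")
    RetentionPolicy = $mb.RetentionPolicy      # MRM policy that may delete after N years
}
# Reading the output: while CaseHolds is non-empty, items the retention policy (or the
# user) deletes are kept in Recoverable Items until the hold is released, so the hold wins.
```

Run this at the point a case is closed and keep the first table with the exported evidence; it is the log reference the chapter means when it says every eDiscovery action is auditable.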
Exam-Relevant Details
The MS-900 exam expects you to know:
The three tiers of eDiscovery: Content Search, eDiscovery (Standard), and eDiscovery (Premium).
That Content Search is basic search and export only; no holds or case management.
That eDiscovery (Standard) adds holds and case management.
That eDiscovery (Premium) adds advanced analytics, review sets, and predictive coding.
That only eDiscovery (Standard) and eDiscovery (Premium) can place holds.
That eDiscovery (Premium) is an add-on license (requires E5 or add-on).
The concept of legal hold and that it preserves content even if users delete it.
The types of content that can be searched: Exchange, SharePoint, OneDrive, Teams, Yammer, and Office 365 Groups.
Be careful: The exam may ask which eDiscovery tool to use for a specific scenario. For example, if the scenario requires only searching and exporting data without holds, the answer is Content Search. If the scenario requires placing a hold and managing a case, it's eDiscovery (Standard). If advanced analytics like predictive coding are needed, it's eDiscovery (Premium).
Create an eDiscovery Case
In the Microsoft Purview compliance portal, navigate to eDiscovery > eDiscovery (Standard) or eDiscovery (Premium) and create a new case. Give it a name and description. For Standard, this creates a container for searches, holds, and exports. For Premium, it also creates a review set. The case is stored in the compliance portal and can be accessed by authorized users (Compliance Administrator, eDiscovery Manager, etc.).
Define and Run a Search
Within the case, create a search by specifying keyword queries (using KQL), date ranges, and locations (mailboxes, sites, etc.). The search queries the Microsoft 365 indexing service, which returns a count of results. You can preview a sample of results to validate the query. The search does not modify any data; it only identifies items that match the criteria.
Place Content on Hold
To preserve content, create a hold policy associated with the case. Specify the locations (mailboxes, sites, public folders) that should be held. Once applied, the hold prevents deletion or modification of content in those locations. For Exchange, this enables Litigation Hold; for SharePoint/OneDrive, it creates a Preservation Hold library. The hold remains until you remove it.
Add Results to Review Set (Premium Only)
In eDiscovery (Premium), after the search returns results, you can add them to a review set. This copies the data into a secure, isolated container. During this process, you can choose to include additional data like attachments or versions. The review set allows you to analyze, tag, and review the data without affecting the original sources.
Analyze and Review (Premium Only)
Within the review set, use built-in analytics like email threading (groups related emails into conversations), near-duplicate detection (identifies similar documents), and themes (clusters documents by topic). You can also apply tags (e.g., responsive, privileged) and use predictive coding to train a model that identifies relevant documents. This step is crucial for large datasets to reduce review time.
Export Results
Regardless of the tier, you can export search results. For Content Search and eDiscovery (Standard), export options include individual items, PST files, or a CSV report. For eDiscovery (Premium), you can export from the review set with options to include metadata, tags, and native files. The export is packaged into a zip file with a manifest. The export is logged in the audit log for chain of custody.
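The steps above (create case, search, hold, export) run end to end for an eDiscovery (Standard) case in Security & Compliance PowerShell, as an added example that is not code from the page or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module, an account holding the eDiscovery Manager role, and placeholder case, custodian and site names; the hold is applied before the search so nothing can be purged between the two steps.

```powershell
# Added example (not from the page): one eDiscovery (Standard) case from creation to export.
Connect-IPPSSession

$caseName   = "Contract 4711 Litigation"                              # placeholder
$custodians = @("alice@contoso.com", "bob@contoso.com")                # placeholder mailboxes
$sites      = @("https://contoso.sharepoint.com/sites/Contract4711")  # placeholder site

# 1. Create the case: the container for the hold, the search and the export.
New-ComplianceCase -Name $caseName -CaseType eDiscovery | Out-Null

# 2. Hold first, search second. A case hold policy is inert until a rule is attached.
New-CaseHoldPolicy -Name "$caseName - Hold" -Case $caseName `
    -ExchangeLocation $custodians -SharePointLocation $sites | Out-Null
New-CaseHoldRule -Name "$caseName - Hold Rule" -Policy "$caseName - Hold" | Out-Null

# 3. Define the search with KQL: an exact phrase plus a date floor. 'received' is the
#    mail date property; 'lastmodifiedtime' covers SharePoint/OneDrive documents.
$kql = '"contract 4711" AND (received>=2023-01-01 OR lastmodifiedtime>=2023-01-01)'
New-ComplianceSearch -Name "$caseName - Search" -Case $caseName `
    -ExchangeLocation $custodians -SharePointLocation $sites `
    -ContentMatchQuery $kql | Out-Null
Start-ComplianceSearch -Identity "$caseName - Search"

# 4. Wait for the estimate. The search only identifies items; it never changes source data.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity "$caseName - Search"
} while ($search.Status -ne "Completed")
"{0} items ({1} bytes) matched" -f $search.Items, $search.Size

# 5. Export as one PST per custodian. The export action is itself audit-logged; the
#    package is then downloaded with the eDiscovery Export Tool from the portal.
New-ComplianceSearchAction -SearchName "$caseName - Search" -Export `
    -Format FxStream -ExchangeArchiveFormat PerUserPst | Out-Null
Get-ComplianceSearchAction -Identity "$caseName - Search_Export" | Format-List Name, Status
```

The ordering in step 2 is the part exam scenarios test: a search found in step 4 is worthless as evidence if the custodians could still delete between search and export, which is exactly what the hold prevents.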
In a large enterprise with 50,000 employees, eDiscovery is used daily for litigation preparedness. For example, a company facing a lawsuit must produce all communications related to a specific contract. The legal team creates an eDiscovery (Standard) case, places a hold on the mailboxes of all employees involved in the contract, and runs a search for keywords like 'contract' and the contract number. They export the results to PST files and hand them over to external counsel. A common issue is that the search might miss data from Microsoft Teams chats if the search scope does not include Teams. The engineer must ensure that all relevant workloads are selected, including Exchange, SharePoint, OneDrive, and Teams. Performance considerations: large searches (over 1 million items) may take hours to complete, and export jobs can fail if they exceed the 5 TB limit. Best practice is to break large searches into smaller date ranges.
Another scenario: An internal investigation into a data leak. The security team uses eDiscovery (Premium) to search across all employee communications for specific file hashes or sensitive data patterns. They place holds on the suspect's accounts and add results to a review set. Using analytics, they identify key emails and documents, then use predictive coding to quickly find all related content. They export the evidence with tags and metadata for HR proceedings. A misconfiguration could occur if the legal hold is not applied quickly enough; users might delete evidence before the hold takes effect. The engineer must apply holds immediately upon suspicion.
A third scenario: Regulatory compliance with GDPR. A user requests deletion of their data (right to erasure), but the company must also preserve data for ongoing litigation. eDiscovery holds take precedence over deletion policies, so the engineer must carefully manage holds to avoid violating data subject rights. They may need to use a targeted hold that only preserves specific items rather than the entire mailbox.
The MS-900 exam tests eDiscovery under objective 3.2: 'Describe the capabilities of Microsoft 365 compliance solutions.' Specifically, you need to know the differences between Content Search, eDiscovery (Standard), and eDiscovery (Premium). The most common exam questions are scenario-based: 'Which eDiscovery tool should you use to...?'
Common wrong answers and why candidates choose them:
1. Choosing Content Search when a hold is needed: Candidates think Content Search can place holds because it's the simplest tool. In reality, Content Search cannot place holds; only eDiscovery (Standard) and (Premium) can.
2. Choosing eDiscovery (Standard) when advanced analytics are needed: Candidates might think Standard includes analytics because it's called 'Standard.' However, analytics like predictive coding and review sets are only in Premium.
3. Thinking that eDiscovery can search all data in the tenant: eDiscovery can only search data that the user has access to; it respects permissions and RBAC. The exam may ask about scope limitations.
4. Confusing eDiscovery holds with retention policies: Both preserve data, but holds are for legal purposes and are managed within cases, while retention policies are for general data lifecycle management. The exam may ask which to use for litigation.
Specific numbers and terms that appear on the exam:
- The three tiers: Content Search, eDiscovery (Standard), eDiscovery (Premium).
- eDiscovery (Premium) requires an E5 license or add-on.
- Legal hold preserves content even if users delete it.
- eDiscovery can search Exchange, SharePoint, OneDrive, Teams, Yammer, and Office 365 Groups.
- Content Search can export up to 5 TB per job.
Edge cases:
- If a user leaves the organization, their mailbox is disabled but still searchable if it is part of an eDiscovery hold. The exam may test that holds remain active even after the license is removed.
- eDiscovery holds can be applied to inactive mailboxes. Inactive mailboxes are mailboxes of former employees that are preserved for legal reasons.
How to eliminate wrong answers:
- If the question mentions 'place a hold' or 'preserve data,' eliminate Content Search.
- If the question mentions 'analytics,' 'predictive coding,' or 'review set,' choose eDiscovery (Premium).
- If the question only mentions 'search and export,' any tool could work, but Content Search is the simplest and does not require a case. However, if the scenario implies a legal case, choose eDiscovery (Standard) or (Premium).
- Remember that eDiscovery (Premium) is an add-on, so if the question says 'without additional licensing,' it cannot be Premium.
eDiscovery in Microsoft 365 has three tiers: Content Search, eDiscovery (Standard), and eDiscovery (Premium).
Content Search is for simple search and export; it cannot place holds.
eDiscovery (Standard) adds case management and the ability to place holds.
eDiscovery (Premium) adds advanced analytics, review sets, and predictive coding.
eDiscovery (Premium) requires an E5 license or an add-on license.
Legal holds preserve content even if users delete or modify it; original versions are retained.
eDiscovery can search Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Yammer, and Office 365 Groups.
All eDiscovery actions are logged in the audit log for chain of custody.
Holds take precedence over retention policies; held items are preserved even after retention period expires.
Only users with the eDiscovery Manager role can search across all tenant data.
These come up on the exam all the time. Here's how to tell them apart.
Content Search
No case management; standalone searches
Cannot place holds on content
Export results as CSV, PST, or individual items
Maximum export size: 5 TB per job
Available with E3 license
eDiscovery (Standard)
Case-based workflow for organizing searches, holds, and exports
Can place holds associated with a case
Export options similar to Content Search
Maximum 300 cases per tenant
Available with E3 license
eDiscovery (Standard)
Basic case management with holds
No review sets; results exported directly
No analytics or predictive coding
Suitable for small to medium investigations
No additional license required (E3)
eDiscovery (Premium)
Advanced case management with review sets
Review sets allow deep analysis and tagging
Includes email threading, near-duplicate detection, themes, and predictive coding
Suitable for large-scale litigation with thousands of documents
Requires E5 license or add-on
Mistake
Content Search can place a legal hold on content.
Correct
Content Search is a simple search and export tool. It cannot place holds. Only eDiscovery (Standard) and eDiscovery (Premium) can create holds associated with a case.
Mistake
eDiscovery can search all data in the tenant without any permissions.
Correct
eDiscovery respects role-based access control (RBAC). Only users with the eDiscovery Manager role or equivalent can search across all mailboxes and sites. Regular users can only search their own data.
Mistake
eDiscovery holds prevent users from editing or deleting content.
Correct
Holds preserve the original version of content but do not prevent users from editing or deleting. When a user modifies or deletes held content, the original version is retained in a preservation hold library (for SharePoint/OneDrive) or the mailbox's recoverable items folder (for Exchange).
Mistake
eDiscovery (Standard) includes advanced analytics like predictive coding.
Correct
eDiscovery (Standard) does not include advanced analytics. Features like review sets, email threading, near-duplicate detection, and predictive coding are only available in eDiscovery (Premium).
Mistake
You need an E5 license to use any eDiscovery capabilities.
Correct
Content Search and eDiscovery (Standard) are available with E3 licenses. eDiscovery (Premium) requires an E5 license or an add-on license.
Content Search is a basic tool for searching and exporting content across Microsoft 365 without case management or hold capabilities. eDiscovery (Standard) provides a case-based workflow where you can create searches, place holds, and manage exports under a specific case. If you need to preserve content for legal reasons, you must use eDiscovery (Standard) or (Premium). On the exam, if the scenario requires a hold, eliminate Content Search.
Yes, eDiscovery can search Microsoft Teams data, including 1:1 chats, group chats, channel messages, and private channel messages. It can also search files shared in Teams (stored in SharePoint or OneDrive). When creating a search, ensure you include Teams as a location. Note that Teams data is indexed and searchable within minutes of being created.
eDiscovery (Premium) requires a Microsoft 365 E5 license or an E5 Compliance add-on license. Organizations with E3 licenses can use Content Search and eDiscovery (Standard) but not Premium. The exam often tests this: if the question says 'without additional licensing,' Premium is not an option.
For Exchange Online, placing a Litigation Hold is instantaneous. For SharePoint and OneDrive, the Preservation Hold library is created immediately, but it may take up to 24 hours for the hold to be fully enforced on existing content. The hold is applied at the item level; any new content created after the hold is automatically preserved.
Yes, eDiscovery (Standard) allows you to export search results as PST files, individual messages, or a CSV report. The export is packaged into a zip file. This is useful for providing data to external legal counsel. Note that export jobs can be large and may take hours to complete.
If a user leaves the organization and their license is removed, the mailbox becomes an inactive mailbox. eDiscovery holds remain active on inactive mailboxes, and you can still search and export data from them. This is crucial for legal compliance. The exam may test that holds persist even after license removal.
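Inactive mailboxes are the edge case that trips people up in practice as well as on the exam: the mailbox only still exists because a hold was on it when the license came off. The script below, an added example that is not from the page or from Microsoft's documentation, inventories inactive mailboxes with the holds keeping them and adds one to an existing case hold. It assumes Connect-ExchangeOnline for Get-Mailbox and Connect-IPPSSession for the case hold cmdlets; the address and policy name are placeholders.

```powershell
# Added example (not from the page): inactive mailboxes and the holds preserving them.

# 1. List inactive mailboxes. InPlaceHolds shows which case or retention holds are
#    doing the preserving; if that list were empty the mailbox would have been purged.
Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, WhenSoftDeleted, LitigationHoldEnabled,
        @{ n = "InPlaceHolds"; e = { $_.InPlaceHolds -join ", " } } |
    Sort-Object WhenSoftDeleted |
    Format-Table -AutoSize

# 2. Add an inactive mailbox to an existing case hold. Purview cmdlets address an
#    inactive mailbox by prefixing its address with a period.
$formerEmployee = ".former.employee@contoso.com"          # placeholder address
$holdPolicy     = "Contract 4711 Litigation - Hold"        # placeholder policy name
Set-CaseHoldPolicy -Identity $holdPolicy -AddExchangeLocation $formerEmployee

# 3. Confirm the policy now lists the inactive mailbox among its Exchange locations.
(Get-CaseHoldPolicy -Identity $holdPolicy -DistributionDetail).ExchangeLocation
```

The same period-prefixed address form is what you pass to New-ComplianceSearch -ExchangeLocation when the search needs to cover the former employee's data.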
For Content Search, the maximum export size is 5 TB per job. For eDiscovery (Standard) and (Premium), the limit is also 5 TB per export. If your results exceed this, you need to break the search into smaller date ranges. The exam may ask about this limit.