This chapter covers eDiscovery and Audit in Microsoft 365, two critical components of the compliance solutions domain. For the SC-900 exam, you need to understand the purpose and capabilities of eDiscovery and Audit, not the detailed configuration. Approximately 10-15% of exam questions touch on compliance features, with eDiscovery and Audit being a significant subset. This chapter will explain what eDiscovery is, how it works, the different eDiscovery solutions, and the role of auditing in supporting investigations.
eDiscovery in Microsoft 365 is like a corporate legal team needing to produce all documents related to a lawsuit. The company has thousands of filing cabinets (Exchange mailboxes, SharePoint sites, OneDrive accounts, Teams chats) across multiple floors (geographic regions). The legal team issues a preservation notice (litigation hold) to prevent any document from being shredded or altered. They then hire a team of paralegals (eDiscovery managers) who use a search tool (Content Search) to find relevant documents by keywords, date ranges, and custodians. They place the found documents into a secure evidence room (eDiscovery case) with strict access controls. The paralegals can review, tag, and redact documents within that room. When ready, they export the documents with a chain-of-custody report (audit log) and hand them over to opposing counsel. The entire process is governed by rules (regulatory compliance) and must be defensible in court. Just as a physical document warehouse requires careful indexing, secure storage, and controlled access, eDiscovery in Microsoft 365 provides a structured, auditable workflow for identifying, preserving, collecting, reviewing, and producing electronic data for legal or investigative purposes.
What is eDiscovery?
eDiscovery (electronic discovery) is the process of identifying, preserving, collecting, reviewing, and producing electronically stored information (ESI) in response to legal or regulatory requests. In Microsoft 365, eDiscovery capabilities are built into the Microsoft Purview compliance portal. The exam focuses on the two main eDiscovery solutions: eDiscovery (Standard) and eDiscovery (Premium).
Why eDiscovery Exists
Organizations face legal and regulatory obligations to produce relevant data when litigation or investigations arise. Without eDiscovery tools, finding data across Exchange, SharePoint, OneDrive, Teams, and other workloads would be manual, time-consuming, and error-prone. Microsoft 365 eDiscovery provides a centralized, auditable, and legally defensible process to manage the entire lifecycle of ESI.
How eDiscovery Works Internally
#### eDiscovery (Standard)
eDiscovery (Standard) is the basic solution for searching and exporting content from Exchange Online, SharePoint Online, OneDrive for Business, Teams, and other workloads. The workflow is:
Create a case: A case is a container that holds searches, holds, and exports. Cases are created in the Microsoft Purview compliance portal.
Assign permissions: Only users added as eDiscovery Managers can access the case.
Create a search: Define search criteria including keywords, date ranges, locations (mailboxes, sites), and conditions (sender, subject, file type).
Preview results: View a sample of results to validate the search.
Place a hold: Apply a litigation hold to preserve content relevant to the case. Holds prevent deletion and preserve versions.
Export results: Download the search results in a structured format (e.g., PST files for mailboxes, native files for SharePoint).
#### eDiscovery (Premium)
eDiscovery (Premium) builds on Standard by adding advanced features for large-scale, complex investigations:
Advanced indexing: Automatically re-indexes all content to ensure thorough searchability.
Intelligent filtering: Use machine learning to identify relevant content (e.g., themes, near-duplicates, email threading).
Review sets: Load search results into a review set for deep analysis, tagging, and annotation.
Predictive coding: Train a model to prioritize review of the most relevant documents.
Redaction: Permanently remove sensitive content from documents.
Export with metadata: Export results with comprehensive metadata for legal review.
Key Components, Values, and Defaults
eDiscovery Roles: eDiscovery Manager role group includes Case Management, Compliance Search, Export, Hold, and Preview roles.
Case Limits:
Maximum of 1,000 cases per tenant (Standard + Premium combined).
Maximum of 1,000 searches per case.
Maximum of 100 holds per case.
Search Limits:
Maximum 1,000 keywords per search query.
Maximum 100 search conditions per search.
Maximum 5,000 mailboxes per search (if not using all mailboxes).
Maximum 100 sites per search (if not using all sites).
Export Limits:
Maximum export size: 5 GB per export (Standard), 50 GB per export (Premium).
Maximum concurrent exports: 10 per tenant.
Hold Duration: No default; holds apply until removed.
Configuration and Verification Commands
While SC-900 does not require PowerShell, administrators use Security & Compliance Center PowerShell for advanced tasks. Example commands:
```powershell
# Connect to Security & Compliance PowerShell first
Connect-IPPSSession

# Create a new eDiscovery case
New-ComplianceCase -Name "Case001" -Description "Legal matter"

# Create a search scoped to the case
New-ComplianceSearch -Name "Search001" -Case "Case001" -ContentMatchQuery "subject:'contract'" -ExchangeLocation All -SharePointLocation All

# Start the search
Start-ComplianceSearch -Identity "Search001"

# Place a hold: a case hold is a policy (the locations to preserve) plus a rule
# (the content query). The custodian mailbox and site URL below are placeholders.
New-CaseHoldPolicy -Name "Hold001" -Case "Case001" -ExchangeLocation "custodian@contoso.example" -SharePointLocation "https://contoso.sharepoint.example/sites/Legal"
New-CaseHoldRule -Name "Hold001Rule" -Policy "Hold001" -ContentMatchQuery "subject:'contract'"
```
Interaction with Related Technologies
eDiscovery integrates with:
Microsoft Purview Audit: All eDiscovery actions (create case, search, export) are logged in the audit log.
Microsoft Purview Data Lifecycle Management: Retention policies and labels can affect eDiscovery holds; holds override retention policies.
Microsoft Purview Records Management: Content declared as a record is already protected from deletion; an eDiscovery hold can additionally preserve it for the duration of the case.
Microsoft Purview Compliance Manager: eDiscovery processes contribute to compliance score.
What is Auditing?
Auditing in Microsoft 365 provides a record of user and admin activities across the organization. The audit log captures events like user sign-ins, file accesses, mailbox operations, and admin changes. For the exam, understand the difference between Mailbox Auditing and Unified Auditing.
#### Mailbox Auditing (Legacy)
Mailbox auditing logs actions performed by mailbox owners, delegates, and admins. It was originally enabled by default only for admins. As of January 2019, Microsoft enabled mailbox auditing by default for all users.
#### Unified Auditing
Unified auditing consolidates audit records from Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Power Platform, and other services into a single audit log. You search the unified audit log in the Microsoft Purview compliance portal.
How Auditing Works
Event Generation: When a user or admin performs an auditable action (e.g., delete a file, change a password), the service generates an audit record.
Audit Record Ingestion: The record is sent to the unified audit log within minutes (typically 15-30 minutes, but can be up to 24 hours for some events).
Search: Auditors search the audit log using criteria like date range, user, activity, and workload.
Export: Results can be exported as CSV for further analysis.
Key Components and Defaults
Audit Log Retention:
E5/G5: 365 days (1 year).
E3/G3: 90 days.
For longer retention, you need a third-party SIEM or use Audit (Premium).
Audit (Premium): Available in E5/G5, provides:
- 1-year retention by default.
- 10-year retention (optional).
- High-value events (e.g., mailbox access by admin).
- Bandwidth for high-volume organizations.
Activities Logged: Hundreds of activities, including:
Mailbox: Send, receive, delete, move, folder create.
SharePoint: File upload, download, delete, view, edit.
Azure AD: User sign-in, password change, role assignment.
Teams: Channel creation, message sent, file shared.
Configuration and Verification Commands
```powershell
# Connect to Exchange Online PowerShell first (provides both cmdlets below)
Connect-ExchangeOnline

# Search the unified audit log for file deletions in the last 30 days
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Operations "FileDeleted"

# Enable mailbox auditing (if needed; on by default for all users since January 2019)
Set-Mailbox -Identity user@domain.com -AuditEnabled $true
```
Interaction with Related Technologies
eDiscovery: Audit logs are used to verify eDiscovery actions and to prove chain of custody.
Microsoft 365 Defender: Audit logs feed into incident investigations.
Data Lifecycle Management: Audit logs track retention policy actions.
Exam Focus
For SC-900, focus on:
The purpose of eDiscovery (Standard and Premium) and Auditing.
The difference between eDiscovery (Standard) and eDiscovery (Premium).
The types of events captured in audit logs.
The default retention periods for audit logs.
How eDiscovery and Audit support compliance and investigations.
1. Create an eDiscovery Case
An administrator or eDiscovery Manager creates a new case in the Microsoft Purview compliance portal. The case serves as a container for all searches, holds, and exports related to a specific legal matter or investigation. Each case has a unique name and description. Permissions are assigned to control who can access the case. The case creation is logged in the unified audit log. This step establishes the legal foundation for the discovery process.
2. Define and Run a Search
Within the case, the eDiscovery Manager creates a search using keywords, date ranges, locations, and conditions. The search query is sent to the relevant workloads (Exchange, SharePoint, Teams, etc.) which index and return matching items. The search results are stored temporarily. The manager can preview a sample of results to validate the search logic. The search action is audited. This step identifies the ESI relevant to the case.
3. Place a Hold on Content
To preserve identified content, the eDiscovery Manager applies a hold. The hold query is sent to the workloads, which then prevent deletion or modification of matching items. For mailboxes, the hold places the mailbox on In-Place Hold or Litigation Hold. For SharePoint sites, it preserves document versions. Holds override any retention or deletion policies. The hold action is recorded in the audit log. This step ensures data is not lost during the investigation.
4. Load Results into Review Set (Premium)
In eDiscovery (Premium), the search results are loaded into a review set. This process involves copying the data from the original locations into a secure, isolated storage in the compliance portal. During loading, advanced indexing re-indexes all content for optimal searchability. The data is deduplicated and grouped by email threads and near-duplicates. This step prepares the data for detailed analysis.
5. Review, Tag, and Analyze
Reviewers examine the content in the review set. They can tag documents with labels (e.g., 'relevant', 'privileged'), annotate, and redact sensitive information. eDiscovery (Premium) provides machine learning tools like predictive coding to prioritize review. Reviewers can also query the review set to find specific items. All actions are logged for audit. This step ensures only relevant data is produced.
6. Export and Produce
The final step is to export the reviewed data for legal production. The export package includes the native files, metadata, and an audit report showing the chain of custody. Exports can be downloaded via browser or Azure Storage. The export is logged. This step delivers the ESI to opposing counsel or regulatory bodies in a defensible format.
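The six steps above run end to end from Security & Compliance PowerShell, as an added example that is not part of this chapter: it follows the eDiscovery (Standard) path (case, search, hold, export) and then pulls the case's own records from the unified audit log to show the chain of custody the text describes. The case, search and hold names, the custodian mailbox, the site URL and the KQL query are placeholders constructed for the scenario; review sets (steps 4 and 5) are Premium features worked in the portal and are not scripted.

```powershell
# Added example, not code from the original chapter. Names, mailbox, site and
# query are placeholders. Requires the eDiscovery Manager role group and the
# ExchangeOnlineManagement module.
Connect-IPPSSession

$caseName   = "Case001"
$searchName = "Search001"
$holdName   = "Hold001"
$custodian  = "hr-manager@contoso.example"                    # placeholder custodian mailbox
$site       = "https://contoso.sharepoint.example/sites/HR"   # placeholder SharePoint site
$query      = 'subject:"performance review" OR "termination"' # KQL, constructed for the scenario

# Step 1: the case is the container for searches, holds and exports
New-ComplianceCase -Name $caseName -Description "Wrongful termination matter"

# Step 2: define the search against the custodian locations, run it, wait for it
New-ComplianceSearch -Name $searchName -Case $caseName -ContentMatchQuery $query `
    -ExchangeLocation $custodian -SharePointLocation $site
Start-ComplianceSearch -Identity $searchName
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne "Completed")
"Search '{0}' matched {1} items ({2})" -f $searchName, $search.Items, $search.Size

# Step 3: preserve. A case hold is a policy (which locations) plus a rule (which
# content); a rule without -ContentMatchQuery preserves everything in those locations.
New-CaseHoldPolicy -Name $holdName -Case $caseName -ExchangeLocation $custodian -SharePointLocation $site
New-CaseHoldRule -Name "$holdName-Rule" -Policy $holdName

# Steps 4-5 (review sets, tagging, predictive coding) are eDiscovery (Premium)
# features driven from the Purview portal and are not scripted here.

# Step 6: queue the export (Standard path). The package is downloaded with the
# eDiscovery Export Tool from the portal once the action completes.
New-ComplianceSearchAction -SearchName $searchName -Export
Get-ComplianceSearchAction -Identity "${searchName}_Export" | Select-Object Name, Status

# Chain of custody: every step above is an audited action. Search-UnifiedAuditLog
# is an Exchange Online PowerShell cmdlet; eDiscovery activity is logged under the
# Discovery record type. Allow 15-30 minutes (up to 24 hours) for ingestion.
Connect-ExchangeOnline
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-24) -EndDate (Get-Date) `
    -RecordType Discovery -ResultSize 5000
$records |
    Where-Object { $_.AuditData -match [regex]::Escape($caseName) } |
    Select-Object CreationDate, UserIds, Operations |
    Sort-Object CreationDate |
    Format-Table -AutoSize
```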
In a large enterprise, eDiscovery is often used during litigation. For example, a global company faces a lawsuit from a former employee alleging wrongful termination. The legal team creates an eDiscovery (Premium) case. They search for emails, Teams messages, and documents related to the employee's performance reviews, termination reasons, and communications with HR. They place holds on the mailboxes of key HR personnel and managers. The search yields 50,000 items. Using predictive coding, the team reduces the review set to 5,000 relevant items. They tag privileged documents for redaction. Finally, they export the data with a detailed audit log showing every action taken. The export is handed to opposing counsel, and the audit log proves the process was defensible.
Another scenario is regulatory compliance. A financial institution must respond to a regulatory inquiry about trading activities. They use eDiscovery (Standard) to search for all communications containing specific stock symbols within a date range. They place holds on traders' mailboxes. They export the results as PST files for the regulator. The audit log shows that the hold was placed before any deletion could occur.
Common issues in production:
Exceeding export limits (5 GB for Standard) requires splitting the export.
Large cases with thousands of searches can hit the 1,000 search limit.
If a hold is not applied correctly, users may delete critical data, causing spoliation.
Inefficient search queries return too many irrelevant results, overwhelming reviewers.
Auditing is used daily by security teams. For instance, after a data breach, the security team searches the unified audit log for unusual file downloads by a compromised account. They filter by user, date, and activity 'FileDownloaded'. They find that the user downloaded 500 files from a sensitive SharePoint site in one hour. The audit log retention (90 days for E3) may limit how far back they can search. With Audit (Premium), they could retain logs for 1 year or even 10 years.
Another use case: An admin accidentally deleted a user mailbox. The help desk searches the audit log for 'Deleted mailbox' activity to identify who did it and when. They find the admin's action and restore the mailbox from recycle bin. The audit log provides accountability.
Performance considerations: The unified audit log can handle millions of events per day. However, searching very large date ranges (e.g., 1 year) may be slow. Exporting audit logs via PowerShell or API is recommended for large volumes. Audit (Premium) provides higher ingestion bandwidth for organizations generating over 10,000 events per minute.
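The post-breach investigation described above, together with the PowerShell export recommended for large volumes, as an added example that is not part of this chapter: it pages through every FileDownloaded event for one account over the 90-day E3 window, parses the AuditData JSON, flags any hour in which the account downloaded more files than a threshold, and keeps the raw records as evidence. The account, threshold and output path are constructed placeholders.

```powershell
# Added example, not code from the original chapter. Account, threshold and
# output path are placeholders. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$suspectUser = "compromised.user@contoso.example"   # placeholder account under investigation
$threshold   = 100                                   # downloads in one hour that warrant a look
$end   = Get-Date
$start = $end.AddDays(-90)                           # E3/G3 retention window; E5/G5 allows -365

# Search-UnifiedAuditLog returns at most 5,000 rows per call. Reusing one SessionId
# with ReturnLargeSet pages through the rest instead of silently truncating.
$sessionId = "FileDownloaded-" + [guid]::NewGuid().ToString()
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $suspectUser -Operations FileDownloaded `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $events += $page }
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON blob; pull out the fields an investigator needs.
$downloads = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = [datetime]$d.CreationTime
        Hour     = ([datetime]$d.CreationTime).ToString("yyyy-MM-dd HH:00")
        Site     = $d.SiteUrl
        File     = $d.SourceFileName
        ClientIP = $d.ClientIP
    }
}

# Group by hour and surface bursts (the scenario above: 500 files in one hour).
$bursts = $downloads | Group-Object Hour |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending
foreach ($b in $bursts) {
    $sites = ($b.Group.Site | Sort-Object -Unique) -join ", "
    $ips   = ($b.Group.ClientIP | Sort-Object -Unique) -join ", "
    "{0}: {1} downloads from {2} (client IPs: {3})" -f $b.Name, $b.Count, $sites, $ips
}

# Keep the raw records beside the summary; the audit log ages out, the CSV does not.
$downloads | Export-Csv -Path ".\FileDownloaded-evidence.csv" -NoTypeInformation
```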
SC-900 tests your understanding of what eDiscovery and Audit are and their high-level capabilities, not how to configure them. The objective code is 4.4: 'Describe the capabilities of eDiscovery and Audit in Microsoft 365.'
Common wrong answers and why candidates choose them:
1. 'eDiscovery (Standard) includes predictive coding' – Candidates confuse Standard with Premium. Predictive coding is only in Premium. Standard only has basic search and export.
2. 'Audit logs are retained for 90 days for all licenses' – This is true for E3/G3, but E5/G5 have 365 days (or more with Premium). Candidates forget the license-dependent retention.
3. 'eDiscovery can search on-premises Exchange mailboxes' – eDiscovery only works with cloud workloads (Exchange Online, SharePoint Online, etc.). On-premises data requires hybrid configuration or third-party tools.
4. 'Placing a hold deletes the content' – Holds preserve content; they prevent deletion. Candidates misunderstand the purpose of holds.
Specific numbers and terms that appear on the exam:
90-day audit log retention for E3; 365-day for E5.
1,000 cases per tenant limit.
5 GB export limit for Standard; 50 GB for Premium.
eDiscovery (Standard) vs. eDiscovery (Premium) – know which features belong to which.
Unified audit log includes activities from Exchange, SharePoint, Azure AD, Teams, etc.
Edge cases:
If a user is deleted, their mailbox is no longer searchable unless it's inactive. eDiscovery can search inactive mailboxes if they are on hold.
Audit log events may take up to 24 hours to appear (typical is 15-30 minutes).
Some activities (like viewing an item) are not audited by default; you need Audit (Premium) for high-value events.
How to eliminate wrong answers:
If the question mentions predictive coding, advanced indexing, or review sets, it must be eDiscovery (Premium).
If it mentions basic search and export, it's eDiscovery (Standard).
For audit retention, look for license clues (E3 vs E5).
If it says 'all activities are logged immediately', it's false – there is a delay.
Focus on understanding the purpose and capabilities. The exam will not ask you to create a case or search the audit log.
eDiscovery (Standard) is for basic search, hold, and export; eDiscovery (Premium) adds advanced analysis like predictive coding and review sets.
Audit log retention: 90 days for E3/G3, 365 days for E5/G5; Audit (Premium) offers up to 10 years.
eDiscovery cases can hold up to 1,000 searches and 100 holds per case; maximum 1,000 cases per tenant.
Unified audit log captures activities from Exchange, SharePoint, Azure AD, Teams, and more.
Holds preserve content from deletion or modification; they do not delete content.
eDiscovery only works with cloud workloads; on-premises data requires hybrid setup.
Audit events typically appear within 15-30 minutes but can take up to 24 hours.
Export limit: 5 GB for Standard, 50 GB for Premium; max 10 concurrent exports per tenant.
These come up on the exam all the time. Here's how to tell them apart.
eDiscovery (Standard)
Basic search and export capabilities.
No advanced indexing or machine learning.
Export limit: 5 GB per export.
No review sets; results are exported directly.
Suitable for small to moderate investigations.
eDiscovery (Premium)
Advanced features: predictive coding, review sets, redaction.
Advanced indexing for thorough searchability.
Export limit: 50 GB per export.
Review sets allow tagging, annotation, and analysis.
Designed for large-scale, complex investigations.
Mistake
eDiscovery (Standard) can perform predictive coding.
Correct
Predictive coding is a feature of eDiscovery (Premium) only. eDiscovery (Standard) provides basic search, hold, and export capabilities.
Mistake
Audit logs are retained for 90 days for all Microsoft 365 subscriptions.
Correct
Audit log retention is 90 days for E3/G3, but 365 days for E5/G5. Audit (Premium) offers up to 10-year retention.
Mistake
Placing an eDiscovery hold deletes the content from the original location.
Correct
A hold preserves content by preventing deletion or modification. The content remains in its original location but is protected from purging.
Mistake
eDiscovery can search on-premises Exchange mailboxes directly.
Correct
eDiscovery in Microsoft 365 only searches cloud workloads. To search on-premises, you need Exchange hybrid configuration or third-party eDiscovery tools.
Mistake
All audit activities appear in the audit log within minutes.
Correct
Most events appear within 15-30 minutes, but some can take up to 24 hours. The delay is normal and not indicative of a problem.
eDiscovery (Standard) provides basic search, hold, and export capabilities, suitable for small investigations. eDiscovery (Premium) adds advanced features like predictive coding, review sets, advanced indexing, and redaction, designed for large-scale, complex legal cases. The exam tests that you know which features belong to which solution. For example, predictive coding is only in Premium.
Audit log retention depends on the license: 90 days for E3/G3, 365 days for E5/G5. With Audit (Premium) add-on, you can retain logs for up to 10 years. The exam often asks about these retention periods, so memorize them.
Yes, eDiscovery can search content from Microsoft Teams (chats, channel messages, files), SharePoint Online, OneDrive for Business, Exchange Online, and other workloads. The unified audit log also captures activities from these services.
Placing a hold preserves the mailbox content from deletion or modification. The mailbox is placed on In-Place Hold or Litigation Hold, preventing purging of items. Users can still work normally, but deleted items are retained in the Recoverable Items folder.
eDiscovery (Standard) is available in E3/G3 and above. eDiscovery (Premium) requires E5/G5 or an add-on license. The exam may test that Premium is an E5 feature.
You search the unified audit log in the Microsoft Purview compliance portal. You can filter by date range, user, activity, workload, and other criteria. Results can be exported as CSV. For advanced queries, use PowerShell with the Search-UnifiedAuditLog cmdlet.
eDiscovery (Standard) exports are limited to 5 GB per export. For larger exports, you need to split the search or use eDiscovery (Premium) which supports 50 GB per export.