This chapter covers eDiscovery (Electronic Discovery) in Microsoft 365, specifically the differences between Standard and Premium editions. You will learn the core capabilities, licensing requirements, and when to use each. This topic is part of SC-900 Domain 4 (Compliance Solutions), Objective 4.4, and typically appears in 2-3 exam questions, often asking you to identify which edition supports a given feature like advanced analytics or redaction.
Imagine a company's legal team needs to find all documents related to a lawsuit. In 'Standard' mode, they have a library catalog system. They can search by keywords, author, date, and see basic metadata (title, author, date). They can check out documents, but they can't see who has read them or when pages were torn out. They can place a hold on a book so no one else can check it out. This is eDiscovery Standard: search, hold, export, but limited metadata and no content-level analysis. In 'Premium' mode, they have a full forensic lab. They can not only search but also analyze the text for patterns, near-duplicates, and email threads. They can redact sensitive information, tag documents with custom labels, and run advanced analytics like clustering and predictive coding. They can also review documents in a dedicated review set with a modern interface. The lab can show every annotation, every access, and even reconstruct deleted content from backups. This is eDiscovery Premium: adds advanced processing, analytics, review, and redaction on top of Standard. The key difference: Standard is for basic discovery needs; Premium is for complex litigation and regulatory investigations requiring deep analysis.
What is eDiscovery and Why Does It Exist?
eDiscovery (electronic discovery) is the process of identifying, preserving, collecting, processing, reviewing, and producing electronically stored information (ESI) in response to legal or regulatory requests. In Microsoft 365, eDiscovery tools help organizations meet legal hold obligations, respond to discovery requests, and manage investigations. The two tiers—Standard and Premium—offer different levels of capability.
eDiscovery Standard
eDiscovery Standard (formerly called In-Place eDiscovery & Hold) is a native feature in Exchange Online and SharePoint Online. It provides basic search and hold capabilities across mailboxes, SharePoint sites, OneDrive accounts, and Microsoft Teams. It is included in most Microsoft 365 subscriptions (E1, E3, E5, and some Business plans).
Key capabilities:
- Content Search: Search across Exchange Online mailboxes, SharePoint Online sites, OneDrive for Business, Microsoft Teams, and Yammer groups. Supports keyword queries, property restrictions (e.g., date range, sender), and searchable file types.
- eDiscovery Hold: Place a legal hold on content in mailboxes and sites to preserve it immutably. Holds prevent deletion and modification of content until released. Holds are placed using a case-based approach.
- Export: Export search results to PST files or individual messages/documents. Exports include metadata like item ID, location, and date.
- Case Management: Create cases to organize searches and holds. Cases are scoped to specific permissions (eDiscovery Manager role).
Limitations:
No advanced analytics (e.g., near-duplicate detection, email threading, themes).
No review set for collaborative review; exports must be reviewed externally.
No redaction capabilities.
No predictive coding or machine learning models.
Limited metadata and no ability to view item-level details within the tool.
eDiscovery Premium
eDiscovery Premium (formerly Advanced eDiscovery) builds on Standard by adding an end-to-end workflow for managing complex investigations. It is available only with Microsoft 365 E5 or the E5 Compliance add-on. It includes all Standard features plus:
Advanced Processing and Analytics:
- Text Extraction: Extract text from images using OCR (Optical Character Recognition).
- Near-Duplicate Detection: Group similar documents to reduce review volume.
- Email Threading: Reconstruct email conversations to show the full thread, including attachments.
- Themes: Automatically cluster documents by topic using machine learning.
- Predictive Coding (Relevance): Train a model by tagging a sample set; the model then scores remaining items for relevance, reducing the number of documents needing human review.
Review and Analysis:
- Review Sets: Dedicated storage containers where search results are added for collaborative review. Review sets support advanced filtering, tagging, and annotation.
- Redaction: Permanently hide sensitive content within documents (text or image areas). Redactions are saved as part of the review set.
- Tagging: Create custom tags (e.g., "Privileged", "Responsive") and apply them to items for categorization.
- Advanced Filtering: Filter by metadata, content, or analytics results (e.g., near-duplicate groups, relevance score).
Workflow and Automation:
- Communication Workflow: Send hold notifications to custodians and track acknowledgments.
- Custodian Management: Identify and manage custodians (people who may have relevant data). Automatically map their data sources.
- Legal Hold Notifications: Automate the process of issuing, reminding, and escalating holds.
- Export and Production: Export review set items with redactions intact, produce load files for external review platforms.
How It Works Internally
When you create an eDiscovery case in the Microsoft 365 compliance portal (https://compliance.microsoft.com), you define a case with a name, description, and members. For Standard, you then create a search (e.g., query across mailboxes and sites). The search queries the Exchange Search index and SharePoint Search index. Results are returned as a list of items with metadata. You can then place a hold by selecting the search and applying a hold to the locations. The hold is enforced by the mailbox or site through retention policies (e.g., the Recoverable Items folder).
For Premium, after creating a case, you add custodians and define their data sources. You can then create a search, but instead of exporting directly, you add results to a review set. The review set is an Azure Blob Storage container where items are processed: text extraction, OCR, and indexing. Analytics run asynchronously. Once processed, reviewers can filter, tag, and redact. Redactions are stored as overlays; the original file is not modified. Predictive coding requires a sample of at least 500 items for training, and the model is validated through iterative rounds.
Key Components and Values
- eDiscovery Roles:
  - eDiscovery Manager: Can create cases, add members, and manage searches/holds.
  - eDiscovery Administrator: Full access to all cases, can manage other members.
- Case Limits (Standard): Maximum 1 TB of data per case; maximum 50 cases per tenant (default, can be increased).
- Hold Limits: A single hold can cover up to 10,000 mailboxes and 100 sites. Total holds per tenant: 10,000.
- Search Limits: Maximum 1,000 search queries per tenant per day via UI; 10,000 via API.
- Review Set Limits (Premium): Up to 100 GB per review set; up to 10 review sets per case.
- Retention Period: Holds are indefinite until released. No default expiration.
- Export: Standard exports to PST or individual files. Premium exports to a production format with load files (e.g., CSV).
Configuration and Verification
To enable eDiscovery, you need appropriate licenses. Standard is available with E3; Premium requires E5 or E5 Compliance. In the compliance portal, navigate to eDiscovery > Standard or Premium. Create a case, then search or add custodians. Use PowerShell cmdlets for automation:
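# Connect to Security & Compliance PowerShell (ExchangeOnlineManagement module)
Connect-IPPSSession
# Create a Standard case (eDiscovery is the CaseType value for Standard)
New-ComplianceCase -Name "Case123" -CaseType eDiscovery
# Create a Premium case (AdvancedEdiscovery is the CaseType value for Premium)
New-ComplianceCase -Name "Case456" -CaseType AdvancedEdiscovery
# Create a search
New-ComplianceSearch -Name "Search1" -Case "Case123" -ExchangeLocation All -SharePointLocation All -ContentMatchQuery "subject:confidential"
# Start search
Start-ComplianceSearch -Identity "Search1"
# Add to review set (Premium only): done from the case in the portal or through the
# Microsoft Graph addToReviewSet action; Security & Compliance PowerShell has no cmdlet for this step

Interaction with Related Technologies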
eDiscovery integrates with:
- Microsoft Purview Data Lifecycle Management: Holds override retention policies; content on hold is preserved even if a deletion policy would remove it.
- Microsoft Purview Communication Compliance: eDiscovery can search communications flagged by Communication Compliance policies.
- Microsoft Purview Audit (Standard/Advanced): Audit logs track eDiscovery actions (e.g., search run, hold placed) for compliance.
- Microsoft Purview Information Protection: Sensitivity labels are preserved during export; redactions can remove sensitive content.
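The audit trail of eDiscovery actions described in the list above can be reviewed with Search-UnifiedAuditLog. This is an added example, not part of the original chapter; the list of expected reviewer accounts and the seven-day window are assumptions.

```powershell
# Added example: summarise eDiscovery activity from the unified audit log so that
# searches, holds and exports by unexpected accounts stand out.
# Search-UnifiedAuditLog is an Exchange Online cmdlet, so connect there rather than
# to the Security & Compliance endpoint.
Connect-ExchangeOnline

# Assumption: accounts that are expected to perform eDiscovery work (placeholders).
$expectedUsers = @('ediscovery.manager@contoso.example', 'legal.admin@contoso.example')

$end   = Get-Date
$start = $end.AddDays(-7)    # assumed review window

# RecordType Discovery restricts results to eDiscovery activities.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType Discovery -ResultSize 5000

if ($records.Count -eq 5000) {
    Write-Warning 'Result cap reached; narrow the date range so no activity is missed.'
}

# One row per user and operation, with a flag for accounts outside the expected list.
$summary = $records |
    Group-Object -Property UserIds, Operations |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            User       = $first.UserIds
            Operation  = $first.Operations
            Count      = $_.Count
            LastSeen   = ($_.Group | Measure-Object -Property CreationDate -Maximum).Maximum
            Unexpected = $first.UserIds -notin $expectedUsers
        }
    }

# Unexpected accounts sort to the top.
$summary | Sort-Object Unexpected, Count -Descending | Format-Table -AutoSize
```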
Create an eDiscovery Case
Navigate to the Microsoft 365 compliance portal (compliance.microsoft.com) and select eDiscovery. Choose Standard or Premium. Click 'Create a case'. Enter a name and description, then assign members (eDiscovery Manager or Administrator roles). The case serves as a container for searches, holds, and review sets. For Premium, you can also add custodians at this stage. The case creation is logged in the audit log.
Define Custodians (Premium Only)
In Premium, you can add custodians—people who may possess relevant data. For each custodian, you specify their mailbox, OneDrive, and any additional sites. The system automatically discovers associated data sources like Teams chats and SharePoint sites they belong to. You can also assign hold notifications. This step streamlines data collection and ensures all relevant sources are included.
Create and Run a Search
Within the case, create a search by specifying locations (mailboxes, sites, Teams, Yammer) and a query using KQL (Keyword Query Language). The search queries the Exchange and SharePoint search indexes. Results are returned as a list of items with metadata. You can preview results (up to 1000 items) to validate. The search runs against live data; it does not create a snapshot.
Place a Legal Hold (Optional)
To preserve content, you can place a hold based on the search results. In Standard, you associate the search with a hold. In Premium, you can place holds on custodians or specific locations. Holds are enforced by the Recoverable Items folder in Exchange and by preservation locks in SharePoint. Content in the hold scope cannot be permanently deleted or modified until the hold is released.
Add Results to Review Set (Premium Only)
In Premium, instead of exporting, you add search results to a review set. The review set is an Azure Blob Storage container where data is processed: text extraction, OCR, and indexing. You can add multiple searches to the same review set. Once added, analytics run (near-duplicate detection, email threading, themes). This step enables advanced review capabilities.
Review, Tag, and Redact (Premium Only)
In the review set, you can filter items by metadata, content, or analytics output. Apply tags (e.g., 'Responsive', 'Privileged') to categorize. Use redaction tools to permanently hide sensitive text or image areas. Redactions are stored as overlays and can be exported. You can also use predictive coding to prioritize review. The review interface is web-based and supports collaborative work.
Export or Produce Results
In Standard, export search results to PST files or individual items. In Premium, export from the review set with redactions and tags included. You can produce load files (e.g., CSV) for external review platforms. Exports are downloaded via a secure link. The export includes metadata and a summary report. In Premium, you can also export native files with redactions applied as new files.
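The "Place a Legal Hold" step above, scripted as a query-based hold with a distribution check and a per-case hold inventory for later release. This is an added example, not part of the original chapter; the hold name, mailbox and site URL are placeholders, while Case123 and the query are the ones used in the chapter's earlier commands.

```powershell
# Added example: create a query-based hold in an existing case, confirm it was
# distributed, and list holds per case so they can be released when a case closes.
Connect-IPPSSession                       # Security & Compliance PowerShell

$case   = 'Case123'                       # case name used earlier in this chapter
$policy = 'Case123-Hold'                  # placeholder hold name
$query  = 'subject:confidential'          # KQL query used earlier in this chapter

# The policy sets WHERE the hold applies (placeholder mailbox and site).
New-CaseHoldPolicy -Name $policy -Case $case -Enabled $true `
    -ExchangeLocation 'custodian@contoso.example' `
    -SharePointLocation 'https://contoso.example/sites/project'

# The rule sets WHAT is held. Without -ContentMatchQuery, all content in the
# policy's locations is held.
New-CaseHoldRule -Name "$policy-Rule" -Policy $policy -ContentMatchQuery $query

# Distribution to the locations is asynchronous; poll until it leaves Pending.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $state = Get-CaseHoldPolicy -Identity $policy -Case $case -DistributionDetail
} while ($state.DistributionStatus -eq 'Pending' -and (Get-Date) -lt $deadline)

if ($state.DistributionStatus -ne 'Success') {
    Write-Warning "Hold '$policy' distribution status: $($state.DistributionStatus)"
    $state.DistributionResults | Format-List
}

# Inventory: every hold with the status of its case, to spot holds that should be
# released. Get-ComplianceCase lists Standard cases by default; pass
# -CaseType AdvancedEdiscovery to list Premium cases.
Get-ComplianceCase | ForEach-Object {
    $c = $_
    Get-CaseHoldPolicy -Case $c.Name |
        Select-Object @{ n = 'Case'; e = { $c.Name } },
                      @{ n = 'CaseStatus'; e = { $c.Status } },
                      Name, Enabled
} | Format-Table -AutoSize
```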
Enterprise Scenario 1: Internal Investigation for Intellectual Property Theft
A large pharmaceutical company suspects an employee has exfiltrated trade secrets. The legal team uses eDiscovery Premium to conduct a forensic investigation. They create a case and add the employee as a custodian, automatically mapping their mailbox, OneDrive, and Teams chats. They run a search for keywords related to the project. The search returns thousands of documents. They add results to a review set and run analytics. Near-duplicate detection groups similar files; email threading shows the full conversation chain. Predictive coding helps prioritize relevant documents. Redaction is used to hide personally identifiable information (PII) before producing to external counsel. This scenario requires Premium because of the need for analytics, custodian management, and redaction.
Scenario 2: Regulatory Compliance for Financial Firm
A financial firm must respond to a regulatory request for all communications related to a specific trade. The volume is moderate (5000 emails). They use eDiscovery Standard to search across all mailboxes for the trade number. They place a hold on the relevant mailboxes to preserve data. They export the results to PST files and hand them to the regulator. Standard suffices because no advanced analytics or redaction is needed. The cost is lower (E3 licenses).
Common Pitfalls:
Using Standard when Premium is required (e.g., need for OCR or predictive coding).
Exceeding review set size limits (100 GB per set) causing performance issues.
Forgetting to release holds after the case closes, leading to unnecessary storage costs.
Misconfiguring custodian data sources, missing important locations like Teams chat.
SC-900 Objective 4.4: Describe the capabilities of eDiscovery solutions. The exam focuses on distinguishing between Standard and Premium. Expect 2-3 questions that test your ability to identify which edition supports a given feature.
Common Wrong Answers:
1. 'eDiscovery Standard includes predictive coding.' (False: Predictive coding is Premium-only.)
2. 'eDiscovery Premium is available with Microsoft 365 E3.' (False: Requires E5 or E5 Compliance add-on.)
3. 'Both editions support redaction.' (False: Redaction is Premium-only.)
4. 'eDiscovery Standard can place holds on all content across the tenant.' (Partially true: Holds are per case/location, but the statement is too broad. The exam may test that Standard holds are limited to mailboxes and sites, not all content types.)
Specific Numbers and Terms:
- 'Review set' is a Premium concept.
- 'Custodian' is a Premium concept.
- 'Predictive coding' and 'Relevance' are Premium.
- 'Email threading' and 'Near-duplicate detection' are Premium.
- 'Redaction' is Premium.
- Standard features: Content search, eDiscovery hold, export to PST.
- Licensing: Standard = E3, Premium = E5 or E5 Compliance.
Edge Cases:
Can Standard search Teams? Yes, Standard can search Teams chat and channel messages.
Can Premium search Azure AD? No, eDiscovery searches Exchange, SharePoint, OneDrive, Teams, Yammer, not Azure AD.
Can you have both Standard and Premium cases? Yes, they are separate.
How to Eliminate Wrong Answers: If the question mentions analytics, machine learning, redaction, review sets, or custodians, the answer is Premium. If it mentions basic search, hold, or export, it could be Standard or both. Always check licensing requirements—if the user has E3, they cannot use Premium features.
eDiscovery Standard is for basic search and hold; Premium adds analytics, review sets, and redaction.
Licensing: Standard = E3; Premium = E5 or E5 Compliance.
Predictive coding, near-duplicate detection, email threading, and themes are Premium-only.
Redaction is only available in Premium review sets.
Custodian management and hold notification workflows are Premium-only.
Both editions can place legal holds on Exchange mailboxes and SharePoint sites.
Review sets are Azure Blob Storage containers; maximum 100 GB per set.
eDiscovery Standard supports export to PST; Premium supports export with load files and redactions.
Audit logging tracks all eDiscovery actions for compliance.
Holds override retention policies; content on hold is preserved indefinitely until released.
These come up on the exam all the time. Here's how to tell them apart.
eDiscovery Standard
Included with Microsoft 365 E1/E3 and some Business plans
Basic search across mailboxes, SharePoint, OneDrive, Teams, Yammer
Place legal holds on content locations
Export to PST or individual files
No analytics, no redaction, no review set
eDiscovery Premium
Requires Microsoft 365 E5 or E5 Compliance add-on
All Standard features plus advanced analytics (OCR, near-duplicates, email threading, themes)
Predictive coding (Relevance) to reduce review volume
Review sets with collaborative review, tagging, and redaction
Custodian management and communication workflows
Mistake
eDiscovery Standard can redact documents.
Correct
Redaction is a Premium-only feature. Standard only allows export and basic search; it has no annotation or redaction tools.
Mistake
eDiscovery Premium requires Exchange Online Plan 2.
Correct
Premium requires Microsoft 365 E5 or E5 Compliance add-on. Exchange Online Plan 2 is included in E5, but the license is the E5 suite, not the Exchange plan alone.
Mistake
Both editions provide predictive coding.
Correct
Predictive coding (Relevance) is exclusive to Premium. Standard has no machine learning capabilities.
Mistake
eDiscovery Standard can place holds on all content types including Teams messages.
Correct
Standard can place holds on mailboxes and sites, which covers Teams messages stored in mailboxes and SharePoint sites. However, it cannot place holds on content types like Azure AD or non-Microsoft sources. The statement is technically correct but misleading—the exam tests that Standard holds are limited to Exchange and SharePoint.
Mistake
You can export redacted documents from eDiscovery Standard.
Correct
No redaction is possible in Standard. Exports are raw copies of the original items. Redaction is only available in Premium review sets.
The main difference is that Premium adds advanced analytics (predictive coding, near-duplicate detection, email threading, themes), review sets (collaborative review with tagging and redaction), and custodian management. Standard only provides basic search, hold, and export. Premium requires an E5 license, while Standard is included with E3.
No, eDiscovery Premium requires Microsoft 365 E5 or the E5 Compliance add-on. If you have E3, you can only use Standard. You would need to upgrade or purchase the add-on to access Premium features.
Yes, eDiscovery Standard can search Microsoft Teams data because Teams messages are stored in Exchange Online mailboxes (for chat) and SharePoint sites (for channel messages). When you search all mailboxes and sites, Teams content is included.
A review set is a container in Azure Blob Storage where search results are added for further analysis. Within a review set, you can filter, tag, redact, and run analytics. Review sets allow multiple people to collaborate on reviewing documents. They are a Premium-only feature.
In eDiscovery Standard, create a case, then create a search. After the search runs, you can select 'Place hold' and associate the search with a hold. The hold preserves all content matching the search query in the specified locations. Holds are indefinite until released.
No, redaction is not available in Standard. You would need to export the documents and use a third-party tool for redaction. In Premium, redaction is built into the review set.
Predictive coding (also called Relevance) is a machine learning feature that helps prioritize review. You tag a sample of documents as relevant or not relevant, and the model learns from those tags. It then scores the remaining documents by relevance, so you can review the most likely relevant items first. This reduces the total number of documents needing human review.