{"id":11066,"date":"2017-09-20T16:03:58","date_gmt":"2017-09-20T23:03:58","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=11066"},"modified":"2023-06-11T16:18:31","modified_gmt":"2023-06-11T23:18:31","slug":"office-365-meets-evolving-ediscovery-challenges-in-a-cloud-first-world","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/office-365-meets-evolving-ediscovery-challenges-in-a-cloud-first-world\/","title":{"rendered":"Office 365 meets evolving eDiscovery challenges in a cloud-first world"},"content":{"rendered":"
This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft.<\/p>\n<\/div>\n<\/div>\n
Microsoft Office 365 gives you eDiscovery in the cloud. Quickly and easily find and retain content to satisfy legal and regulatory requests and internal investigations. And there\u2019s no need to move content to an archive\u2014it stays in place, immutable, secure, and accessible to content owners. Use eDiscovery search tools and Advanced eDiscovery analytics tools to filter content, and to cut review time and costs. Using these tools, our legal department at Microsoft saves about $4.5 million per year.<\/p>\n
To continue to meet legal, business, and regulatory compliance challenges, businesses must be able to keep and protect important information and quickly find what\u2019s relevant. Spending days, if not weeks, manually sifting through millions of files to find the small number that are relevant isn\u2019t just expensive, it isn\u2019t an option.<\/p>\n
This paper walks you through the eDiscovery capabilities in Microsoft Office 365 and gives examples of how we use them at Microsoft to help satisfy compliance and legal requests in a timely and cost-effective manner.<\/p>\n
When organizations migrate to the cloud, they are better served by solutions that are designed for the cloud from the beginning. That’s why at Microsoft, we’ve adopted a cloud first strategy. Our solutions give our customers increased efficiencies, cost savings, and security in the cloud, right from the start. Our Office 365 eDiscovery solution brings eDiscovery to the cloud in a scalable, efficient, always up to date, and secure environment.<\/p>\n
Office 365 eDiscovery can help you quickly and cost-effectively locate, identify, and retrieve relevant information\u2014and preserve it in place. No need to move content to a separate archive to store, index, and process. And the Office\u00a0365 eDiscovery solution is available globally to use in any locale or situation where you need to respond to legal and compliance needs or to an internal investigation.<\/p>\n
Complementing the eDiscovery capabilities is Office 365 information governance. It helps preserve the content you need and eliminate what you don\u2019t, minimizing over-preservation and reducing the risk and expense of eDiscovery, investigations, and regulatory compliance.<\/p>\n
When you need to respond to a legal or regulatory information request, the search and analytics tools in Office\u00a0365 eDiscovery can cut your costs and streamline your responses. eDiscovery search finds text and metadata in content across your Office 365 assets\u2014SharePoint Online, OneDrive for Business, Skype for Business Online, and Exchange Online. Office\u00a0365 Advanced eDiscovery further organizes and filters your content. It groups content into categories, removes duplicates, and uses machine learning to filter for relevance, reducing the amount that must be sent to review. You\u2019ll find relevant content faster\u2014while keeping your organization\u2019s information more secure.<\/p>\n
<\/p>\n
At Microsoft, we know how demanding and complex compliance it can be. As you might imagine, being a large enterprise operating at a global scale, we\u2019re subject to many discovery requests every year. Our legal department uses the eDiscovery features of Office 365 to improve the accuracy and usefulness of our discovery results and save time and money.<\/p>\n
Before Office 365 eDiscovery was available, we had to manually collect content from various sources. Gathering a large volume of content and loading it into an offline processing tool took time. Then we had to reprocess it. With collection, processing, and remediation, it could take between two and three weeks to give outside counsel the documents they requested. Today, we do most of this work in hours, not days or weeks. We start to export content on the fly and have it ready for counsel to load into their review tool by the end of the day.<\/p>\n
When we need to find specific content to respond to discovery requests, we first use eDiscovery search in the Office\u00a0365 Security & Compliance Center. We run searches right away, across the relevant Office 365 assets, without requiring the preliminary step of collecting content and moving it to a separate location to index and search.<\/p>\n
We also preserve relevant content in place, in Office 365. We associate the relevant content sources with a case that we create in the Security & Compliance Center and then place the content on hold. This hold overrides any other retention policies that might be in force, and preserves the content for the duration of the case. The hold is practically invisible to the people using the sources, so they can continue working on their projects without interruption or loss of productivity.<\/p>\n
After we discover potentially relevant content using Office 365 eDiscovery Search, we use Advanced eDiscovery analytics to thread email conversations, remove duplicates, find near-duplicates, and identify themes. This lets us give each reviewer a structured batch of unique files, eliminating redundant effort and saving review time. In some cases, instead of doing heavy keyword culling, we use the Advanced eDiscovery Relevance feature to identify relevant content. And even if we\u2019re using keyword filtering, we always use Advanced eDiscovery to export our content in a format that\u2019s immediately usable by our eDiscovery review partner and which requires no reprocessing.<\/p>\n
By reducing the amount of manual work required to respond to eDiscovery requests, Office 365 eDiscovery saves our legal department about $4.5 million annually. With eDiscovery search, we typically reduce the amount of content in a case by about 95 percent. However, this still leaves large volumes of data that need to be submitted to the very costly process of legal review. Advanced eDiscovery helps us reduce these costs significantly: we typically see a further reduction of 30 percent by eliminating duplicate files and grouping near-duplicates, and another 25 percent by consolidating email threads.<\/p>\n
It can happen in any organization. You\u2019re going about your business, and you receive a discovery request for \u201cany and all\u201d information (email, documents, presentations, databases, instant messages, images, voice mail, social media posts, and so on) related to a project you completed last year. Or you need to collect content that demonstrates you\u2019re complying with corporate or government rules. If only the tools required to manage those tasks were just built into the platform where the data is. Fortunately, when your data is in Office 365, they are.<\/p>\n
To be prepared for internal investigations, external litigation, or regulatory requests, your organization needs to preserve potentially relevant content. At the same time, you want to find relevant content quickly without disrupting your business. Preserving content you don\u2019t need impedes your ability to do this and increases your overall risk.<\/p>\n
We have seen that as businesses grow, so too do the demands to be compliant. The Office 365 Security & Compliance Center provides the solution. Its compliance features help you protect important content and reduce the expense and risk of keeping content you don\u2019t need. And its eDiscovery features make it easier to identify content that\u2019s relevant to a specific investigation, preserve it, and get it ready for a requesting party or reviewer.<\/p>\n
Whether you are a small business or a large enterprise, the complexities of compliance are simplified with Office\u00a0365. Small businesses can grow quickly and achieve compliance with a single step. Large enterprises will find complex compliance requirements simplified and advanced capabilities just a click away.<\/p>\n
As organizations migrate to the cloud, they need solutions designed for the cloud from the start, not simply older tools that have been shoe-horned into this new environment. That’s why our cloud first strategy requires that we build new solutions that give our customers increased efficiencies, cost savings, and security in the cloud. eDiscovery has traditionally been on premises where information is manually collected from various sources and processed to find the most relevant data. Our Office 365 eDiscovery solution brings eDiscovery to the cloud in a scalable, efficient, up to date, and secure environment.<\/p>\n
Office 365 eDiscovery offers many benefits, including:<\/p>\n
The first section of this paper,\u00a0Compliance and eDiscovery in Office 365,<\/strong>\u00a0introduces information governance in Office\u00a0365 and the Office 365 eDiscovery features and workflow. The second section,\u00a0How we use eDiscovery at Microsoft,<\/strong>\u00a0describes how the Microsoft legal organization uses Office\u00a0365 eDiscovery features and lists some key takeaways that the team has learned.<\/p>\n Today\u2019s organizations face information overload. The amount of electronic information is exploding. And the information is more complex, coming from multiple sources in multiple formats\u2014email, documents, social media, instant messages, and videos\u2014the list goes on.<\/p>\n Managing information effectively to meet internal and external compliance requirements is more difficult than ever. The solution starts with effective information governance. In Office 365, we deliver cloud-powered, intelligent, in-place information governance solutions that address importing, retaining, protecting, and purging files when a scheduled expiration date occurs. These solutions help you keep important information; delete what\u2019s redundant, obsolete, or trivial; and manage how sensitive or confidential information is shared. The high-value, important content in your organization can be protected for as long as you need it.<\/p>\n Office 365 also gives you flexibility in the way that you preserve important content. You have the option to preserve content at the global level, using organization-wide policies, or at the eDiscovery case level, in relation to a specific investigation. You can apply a preservation policy globally to certain content to preserve it regardless of events, or place content associated with a case on hold, preserving it for the duration of an investigation.<\/p>\n The\u00a0Electronic Discovery Reference Model (EDRM)<\/a>, shown in the following figure, summarizes the typical phases in the eDiscovery process for identifying relevant content and reducing the volume of content to present.<\/p>\n The information governance features in Office 365 help you intelligently manage content in a proactive manner to respond to both internal and external compliance requirements. You can respond to eDiscovery requests more quickly, easily, and cost-effectively. The\u00a0Office 365 Security & Compliance Center<\/a>\u00a0is a central location where you manage information governance and eDiscovery across all of your Office 365 data assets. Use it to:<\/p>\n The following figure illustrates the information governance and eDiscovery features of Office 365.<\/p>\n <\/p>\n To use the eDiscovery features of the Security & Compliance Center, you need the following:<\/p>\n When you create a case in the Security & Compliance Center, you assign roles to the people whom you\u2019re going to add as members to a case. This enables them to do specific eDiscovery tasks.<\/p>\n For details about these roles and instructions for assigning them, see\u00a0Assign eDiscovery permissions in the Office 365 Security & Compliance Center<\/a>.<\/p>\n In addition to assigning roles, you can use PowerShell cmdlets to set permissions filters that allow individuals to perform content searches on a subset of content sources based on your organization\u2019s structure. If necessary, use these filters to determine who can search specific peoples\u2019 content, instead of giving all eDiscovery Managers and eDiscovery Administrators the ability to search everyone\u2019s content. For more information, see\u00a0Configure permissions filtering for Content Search<\/a><\/p>\n NOTE: When you create a case, you\u2019re automatically added to the case as a member. You can add other members who will also work on this case, as described in\u00a0Create a new case and add members<\/a>. Only case members can view the search results associated with a case.<\/p>\n To use the Office 365 retention and eDiscovery features with your content, the content must be stored in Office\u00a0365. For content outside of Office 365, we make it easy for you to import it. Upload email, documents, and other content to Office 365 to a network storage location in the Microsoft cloud, or put your content on an encrypted hard drive and ship it to Microsoft. Then use the Office 365 Import Service to import it. For more information and links to step-by-step instructions, see\u00a0Overview of importing PST files and SharePoint data to Office\u00a0365<\/a>.<\/p>\n NOTE: Skype for Business content saved in Exchange Online doesn\u2019t need any action to be searched by Office 365 eDiscovery. If your users turn on OneDrive for Business sync, their synced desktop content will be accessible to Office\u00a0365 eDiscovery features for indexing, search, analysis, and in-place preservation.<\/p>\n All types of content\u2014not just email and documents\u2014are potentially important and might be used in an investigation. Your content may come from social media, messaging, vertical industries (such or CRM or financial services), or collaboration tools like Dropbox. To import this content into Office 365, use a solution from a\u00a0Microsoft partner<\/a>. If you have specialized on-premises deployments of Skype for Business or Lync, our partners can also help import content from those deployments as well as Yammer content. Partners understand the file formats and can extract content in real time as it is created, sending it to Office 365 using the third-party ingestion API. For details, see\u00a0Archiving third-party data in Office\u00a0365<\/a>.<\/p>\n <\/p>\n An important eDiscovery task is collecting and preserving potentially relevant content, so that it can\u2019t be changed or deleted. Historically, collection has been a prerequisite for preservation. You would locate the content and then move it to a separate archive. With Office 365, however, you don\u2019t need to collect potentially relevant content before you can preserve and process it.<\/p>\n You have two ways to preserve content in the Office 365 Security & Compliance Center: either using\u00a0retention policies<\/a>\u00a0or\u00a0case-specific eDiscovery holds<\/a>. Use retention policies to proactively manage the lifecycle of content globally in Office\u00a0365. Use case-specific holds to retain only the content associated with a specific investigation.<\/p>\n To use a case-specific hold, create a case in the Security & Compliance Center, create a Hold within that case, and add the relevant content source locations to that Hold. You can add sources such as Exchange Online mailboxes, OneDrive for Business sites, SharePoint Online sites, and Office\u00a0365 groups to the Hold. If you want, you can also enter a search query to target the Hold to specific content within those sources. After the Hold policy is applied, the data in the source locations will be preserved in place\u2014both content that already exists as well as content yet to be created.<\/p>\n To identify where the content that you want to preserve is located, you may want to consult the custodians whose content is relevant to the matter at hand. They may provide a list of pertinent locations, such as their Exchange mailboxes, OneDrive for Business and SharePoint sites, local computers, file shares, other databases, line-of-business applications, social media, or others. You can also run a search across your organization\u2019s assets, including SharePoint Online sites and Exchange Online, and then use the list of source locations to find the top locations\u2014those yielding the most search hits.<\/p>\n The advantages of in-place hold in Office 365 are:<\/p>\n For step-by-step instructions about putting content on hold, see\u00a0Place mailboxes and sites on hold<\/a>.<\/p>\n The following figure shows the structure of an Exchange Online mailbox. The top section, containing Inbox, user-created folders, and Deleted Items, is visible to the custodian. The Recoverable Items partition, however, isn\u2019t exposed to the custodian, with one exception described later. When you place an Exchange Online mailbox on hold, Office\u00a0365 eDiscovery uses the Recoverable Items partition to preserve all of the mailbox content (email and attachments, tasks, and contacts) intact, regardless of what the custodian does with them.<\/p>\n Here\u2019s what happens to Exchange Online content that\u2019s been put on hold, under different scenarios:<\/p>\n Historically, people have performed eDiscovery by using a collection system that gathers content in response to specific litigation or compliance events, or a journaling process that saves all content to a separate offline archive. When an email is transmitted, a copy of it and any attachments are delivered to the archive.<\/p>\n These approaches have several disadvantages:<\/p>\n An Office 365 in-place hold has distinct benefits:<\/p>\n SharePoint Online and OneDrive for Business similarly have a partition that isn\u2019t visible to the user, the PreservationHoldLibrary. When a custodian\u2019s content is on hold, deleted content is stored in this partition.<\/p>\n Here\u2019s what happens under different scenarios with SharePoint Online and OneDrive for Business content that has been placed on hold:<\/p>\n You can run eDiscovery searches to find and filter content that\u2019s associated with a case. Office 365 indexes most Exchange Online, SharePoint Online, and OneDrive for Business content. This includes Office files, searchable PDF files, lists, communications, social discussions, and many other file types. You can use keywords and metadata filters to minimize how much content must be reviewed in your eDiscovery case, or use search to bring back entire sources without filtration.<\/p>\n Office 365 eDiscovery search supports typical legal queries. You can construct queries using Boolean and proximity operators to filter content with any combination of keywords, date ranges, authors, recipients, domains, file types, etc. You can apply a query to all of the content in a case, or narrow the scope of the query to a subset of source locations.<\/p>\n Among other attributes, Office 365 indexes Exchange message properties including sender, recipients, message body, and attachments. Documents and messages encrypted with RMS and Azure RMS technology are also indexed and searchable. For details, see\u00a0File formats indexed by Exchange Search<\/a>\u00a0and\u00a0Default crawled file name extensions and parsed file types in SharePoint Server 2013.<\/a><\/p>\n Some subsets of content may not be indexed and can\u2019t be searched, such as image files, password-protected items, or items encrypted with non-Microsoft technology. You can, however, use eDiscovery search to identify the items that have index errors, so you can export and remediate them as appropriate. And although such content may not be fully text-searchable in place, you can use metadata filters, such as date or email sender information. For details, see\u00a0Unindexed items in Content Search<\/a>.<\/p>\n Very large eDiscovery searches can search all mailboxes, all Exchange public folders, all SharePoint Online sites, and OneDrive for Business source locations with a single query. If you don\u2019t want to search everything, you can specify up to 1,000 mailboxes and 100 sites per query. There are, however, limits, including the number of results that you can preview, the maximum number of keywords in a single search (500), and the number of variants for wildcard terms (10,000 total). For details, see\u00a0Limits for Content Search in the Office 365 Security & Compliance Center<\/a>.<\/p>\n You can also specifically search items that were imported into mailboxes in Office 365 from a third-party source. For more information, see\u00a0Use Content Search to search third-party data that was imported into Office 365<\/a>.<\/p>\n NOTE: Search results associated with a case can be viewed only by case members who have been assigned the eDiscovery Manager role.<\/p>\n After you run a search, the number of content source locations and an estimated number of search results are displayed in the details pane of the search page. You can preview the most recent 200 results per source location, up to 1,000 items per query, to help determine whether the search is appropriate or whether it requires refinement. To preview a document, click Preview Results and scroll through the presented results. After completing your search, you can export either a report or the full results to a local computer, or prepare the results for analysis in Advanced eDiscovery, as described later.<\/p>\n For more information about running searches, see\u00a0Run a Content Search in the Office 365 Security & Compliance Center<\/a>. For details about constructing queries, see\u00a0Keyword queries and search conditions for Content Search<\/a>.<\/p>\n After running your search, you can export the results. You can opt to export either the full search results themselves, or simply a report that lists each item and its metadata, as described in\u00a0Export a Content Search report<\/a>. Or, if your organization has an Office\u00a0365 E5 subscription, you can apply Advanced eDiscovery analytics that further refine and organize the content before you export it, as described in the next section.<\/p>\n You can export the results of a single search or multiple searches. Results are exported as follows:<\/p>\n After the native files exported from Office 365 eDiscovery are downloaded, they can be viewed using their native applications (such as Outlook or Word), but they may also be processed with a third-party tool in order to be loaded into a dedicated review tool. The content exported from Advanced eDiscovery, as described later, can be imported directly without any additional processing for most files.<\/p>\n For step-by-step instructions to export search results, see\u00a0Export Content Search results from the Office 365 Security & Compliance Center<\/a>.<\/p>\n Advanced eDiscovery goes beyond search, using machine learning and predictive coding to intelligently analyze the content, organize it, and reduce it before it goes to review. It intelligently simplifies sorting through large quantities of content to quickly find what\u2019s relevant. It saves review time and costs\u2014and gets you better results faster.<\/p>\n Advanced eDiscovery allows you to:<\/p>\n The workflow for Advanced eDiscovery is as follows:<\/p>\n You start with the source content from Office 365 eDiscovery search(es) that you\u2019ve previously created for a case, which may or may not be filtered or refined. Then, follow the steps in\u00a0Prepare search results for Office 365 Advanced eDiscovery<\/a>. After you complete these steps, you can begin working with the content in Advanced eDiscovery.<\/p>\n Advanced eDiscovery includes analytics for structuring your content. This helps organize the content and reduce its volume. These analytics are useful and relevant even for smaller content sets, including those that have already been filtered using keywords. As noted briefly above, these analytical tools include the following capabilities:<\/p>\n For details about these capabilities, see\u00a0Analyze case data with Advanced eDiscovery<\/a>.<\/p>\n Predictive coding is a sophisticated way to refine content. Going beyond keyword search, the Advanced eDiscovery Relevance application uses machine learning to decide what\u2019s relevant to the case and what isn\u2019t. Relevance consistently finds more relevant content, while returning less irrelevant content than conventional methods, such as keyword search.<\/p>\n When you use predictive coding, you (or someone familiar with the case or investigation, such as an attorney or subject matter expert) train the Advanced eDiscovery system to find the content you want. The system selects samples of documents which the attorney tags as relevant or not relevant to the case. The first tagging cycle builds a statistical model. The system uses the statistical model to monitor training progress and quantify results. Training the system includes a number of rounds (typically between 25 and 40, with each round comprising 40 documents) until the system has enough data to create a valid model for what you consider to be relevant or not. The system uses an Active Learning capability to select the training documents, maximize efficiency, and optimize outcomes. After training is complete, Relevance calculates the likely relevance of each document in the collection. It ranks the documents to help you decide which documents to submit to review based on relevance estimates.<\/p>\n For details about predictive coding, see\u00a0Use the Advanced eDiscovery Relevance module<\/a>.<\/p>\n Predictive coding has been used in many cases and has achieved broad acceptance in the legal community and by various government agencies as a valuable eDiscovery tool.<\/p>\n To help you demonstrate that you used predictive coding appropriately, Office 365 eDiscovery provides auditing capabilities and a decision log that shows all of the steps that you took to cull content. Part of the recommended workflow is to use the built-in statistical analysis to sample the set of irrelevant data. Sampling ensures that the data has been effectively and defensibly culled. Many of our\u00a0Microsoft eDiscovery partners<\/a>\u00a0can assist with the eDiscovery process and provide workflow advice and validation.<\/p>\n Two new features of Advanced eDiscovery make it faster and easier to find, analyze, and review relevant information:<\/p>\n Remediating content using Advanced eDiscovery<\/p>\n Most content in Office 365 is indexed and searchable, but there will always be some content that doesn\u2019t have associated text. In many eDiscovery cases, most unindexed content is in image files. With its new optical character recognition (OCR) capability, Advanced eDiscovery will extract text from image files or objects within the files. The text can then be analyzed by Advanced eDiscovery analytics. This reduces the amount of manual remediation work required to analyze image files.<\/p>\n After you complete your analysis and reduce the content set, you\u2019re ready to export it from Advanced eDiscovery. When you export, all of the content associated with the case can be downloaded to your local computer or copied to another location. The content is exported in its native format with accompanying HTML representations and extracted text files, so the output is directly compatible with third-party review tools. The export package includes a load file in CSV format. The CSV includes the metadata of the exported content and all of the analytics metadata needed to organize the content, such as near-duplicates, threads, and themes. The export also includes the Export_list.xlsx file that you can use to organize and annotate your review of the downloaded content. As noted, the data, both native files and metadata, is structured for direct streamlined export to the leading review tools.<\/p>\n For more information, see\u00a0Export case data with Advanced eDiscovery<\/a>.<\/p>\n The Security & Compliance Center auditing features help ensure that your approach to eDiscovery is defensible in court. Use auditing to verify that on-hold content or its metadata wasn\u2019t altered. Office 365 auditing captures a number of events for security and compliance monitoring. Content Search and eDiscovery-related activities that are performed in the Security & Compliance Center or run with the corresponding PowerShell cmdlets are logged in the Office 365 audit log. Events are logged when administrators or anyone who\u2019s assigned eDiscovery permissions perform certain Content Search and eDiscovery-related tasks in the Security & Compliance Center. For details, see\u00a0Search for eDiscovery activities in the Office 365 audit log<\/a>.<\/p>\n At Microsoft, our litigation team uses Office 365 eDiscovery and Advanced eDiscovery to help save time and money in our investigations. We use eDiscovery to preserve and discover our potentially relevant content. We use Advanced eDiscovery analytics to thread email conversations, remove duplicates, identify near-duplicates, and derive themes. In some cases, we use the Advanced eDiscovery Relevance feature instead of doing heavy keyword culling. And even if we\u2019re using keyword filtering, we always use Advanced eDiscovery export because it lets us hand off content to our eDiscovery review partner in a format that doesn\u2019t require reprocessing.<\/p>\n The rest of this section describes some of the ways we use Office 365 eDiscovery at Microsoft in legal matters. The process we use would be similar for other types of investigations.<\/p>\n At Microsoft, we place content on hold from within the cases that we\u2019ve created in the Security & Compliance Center. We create separate holds for each case. Because the Security & Compliance Center is fully scriptable, we save time by using PowerShell automation. One script that we created automates the daily task of applying in-place preservation to the content sources of custodians who were recently put on legal hold. Of course, the same tasks can be done manually in the Security & Compliance Center.<\/p>\n Each matter in our dedicated legal-hold database\u2014provided by a third-party\u2014has a corresponding eDiscovery case in the Security & Compliance Center. We apply in-place hold to Exchange mailboxes and OneDrive for Business sites associated with the custodians for each matter. Daily, we run a script that discerns any legal hold activity that\u2019s occurred since the previous day.<\/p>\n The script looks up the Exchange and OneDrive For Business locations for each custodian and confirms whether an eDiscovery case already exists in the Security & Compliance Center for the corresponding matter. If not, it creates the case, and adds our internal eDiscovery team as members. It then creates a hold in the case, and adds the custodians\u2019 Exchange and OneDrive For Business sources to the hold. If an eDiscovery case already exists, it confirms that the custodians\u2019 sources are associated, and if not, it adds them to the hold.<\/p>\n If custodians sync their desktops with OneDrive for Business, the synced desktop content is put on in-place hold, too. Custodians can continue to work with the information and aren\u2019t necessarily aware that the content is on hold unless we tell them.<\/p>\n The following script example creates a case and corresponding hold per matter. It adds the corresponding sources listed on the CSV to the appropriate case hold policy. It\u2019s simpler than the script we use because we have a complex, hybrid environment, but it can give you an idea of just how simple it can be to automate a presumably large process in Office 365.<\/p>\n # Create a remote PowerShell session in EOP<\/p>\n $UserCredential = Get-Credential<\/p>\n $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https:\/\/ps.protection.outlook.com\/powershell-liveid\/ -Credential $UserCredential -Authentication Basic -AllowRedirection<\/p>\n Import-PSSession $Session<\/p>\n <\/p>\n # Import the mapping csv<\/p>\n $Data = import-csv .\\CaseCustodianMapping.csv<\/p>\n <\/p>\n # Specify desired Case Members<\/p>\n $Members = <\/p>\n # Create each case and corresponding hold policy for the appropriate sources<\/p>\n $Matters = $Data.MatterName | sort -Unique<\/p>\n foreach ($Matter in $Matters)<\/p>\n {<\/p>\n }<\/p>\n <\/p>\n # Remove the remote PowerShell session<\/p>\n Remove-PSSession $Session<\/p>\n For reference information that you can use to create your own PowerShell scripts, see\u00a0Office 365 Security & Compliance Center cmdlets<\/a>.<\/p>\n At Microsoft, when we need to find specific content to respond to discovery requests, we use eDiscovery search in the Security & Compliance Center. Typical source locations that we search are Exchange mailboxes, OneDrive for Business sites, SharePoint Online sites, on-premises SharePoint sites, file shares, and local computers. Because outside counsel is usually the most familiar with the case, they often provide a list of relevant custodians and complex queries to run against their content source locations. Our internal eDiscovery team runs the queries on their behalf to find the subsets of potentially relevant content required to respond to the discovery requests.<\/p>\n We\u2019re able to search content in Office 365 right away because it\u2019s already indexed. We go to the appropriate case in the Security & Compliance Center and run eDiscovery searches across the relevant source locations, without the preliminary step of having to collect and reprocess the content in a separate tool.<\/p>\nCompliance and eDiscovery in Office 365<\/h2>\n
Managing eDiscovery<\/h3>\n
\n
\nNOTE: The Security & Compliance Center is fully scriptable using PowerShell, enabling you to manage your Office 365 Security & Compliance Center settings from the command line. For more information, see\u00a0Office 365 Security & Compliance Center PowerShell<\/a>.<\/li>\n<\/ul>\nPrerequisites for eDiscovery<\/h4>\n
\n
eDiscovery security roles<\/h4>\n
\n
\nNOTE: Exchange and SharePoint administrators do not have these permissions unless they\u2019ve explicitly been given this role.<\/li>\nImporting content into Office 365<\/h3>\n
Collecting and preserving content<\/h3>\n
Advantages of eDiscovery in-place hold in Office 365<\/h4>\n
\n
How in-place hold works in Exchange Online<\/h4>\n
\n
Advantages of in-place hold over collection and email journaling<\/h4>\n
\n
\n
How in-place hold works in SharePoint Online and OneDrive for Business<\/h4>\n
\n
Using Office 365 eDiscovery search to filter content<\/h3>\n
Exporting search results<\/h4>\n
\n
Using Advanced eDiscovery<\/h3>\n
\n
\n
Preparing source content for Advanced eDiscovery<\/h4>\n
Using analytics to organize and reduce the volume of content<\/h4>\n
\n
Using predictive coding to determine relevance<\/h4>\n
Validating the results of predictive coding<\/h4>\n
Analyzing results quickly<\/h4>\n
\n
Exporting content from Advanced eDiscovery<\/h4>\n
Auditing eDiscovery events<\/h3>\n
How we use eDiscovery at Microsoft<\/h2>\n
Placing content on hold<\/h3>\n
<\/p>\n
\"<\/code>eDiscMgr1@contoso.com
\"<\/code>,
\"<\/code>eDiscMgr2@contoso.com
\"<\/code>,
\"<\/code>eDiscMgr3@contoso.com
\"<\/code><\/p>\n
\u00a0 <\/code>$Mailboxes = ($Data | where {$_.MatterName -eq $Matter}).Alias<\/p>\n
\u00a0 <\/code>URLs = ($Data | where {$_.MatterName -eq $Matter}).URL<\/p>\n
\u00a0 <\/code>New-ComplianceCase -Name $Matter<\/p>\n
\u00a0 <\/code>Update-ComplianceCaseMember -Case $Matter -Members $Members<\/p>\n
\u00a0 <\/code>New-CaseHoldPolicy -Case $Matter -Name $Matter -ExchangeLocation $Mailboxes -SharePointLocation $URLs -Enabled:1<\/p>\n
\u00a0 <\/code>New-CaseHoldRule -Policy $Matter -Name $Matter<\/p>\n
Using Office 365 eDiscovery search to filter content<\/h3>\n