Microsoft Purview eDiscovery: A Guide for IT Admins

May 18, 2026

Introduction

Microsoft Purview eDiscovery is a powerful suite of tools built into the Microsoft 365 compliance ecosystem that helps organizations identify, preserve, collect, and export electronically stored information for legal, regulatory, or internal investigation purposes. For IT admins at small and mid-sized businesses, understanding how this platform works can mean the difference between a smooth legal hold process and a costly compliance failure. Whether your organization is facing litigation, an HR investigation, or a regulatory audit, having a reliable eDiscovery workflow is no longer optional. This guide walks through everything you need to know to get started and manage the process effectively.

Understanding the Role of eDiscovery in Microsoft 365

Electronic discovery, commonly called eDiscovery, refers to the process of locating and securing digital information that may be relevant to a legal proceeding or internal investigation. In the Microsoft 365 environment, this process is handled through the Microsoft Purview compliance portal, which consolidates search, hold, and export capabilities across Exchange Online, SharePoint, OneDrive, Teams, and other Microsoft services. Microsoft Purview eDiscovery replaces what was previously known as the Security and Compliance Center's Content Search and eDiscovery tools, offering a more unified and capable interface for compliance teams and IT administrators alike.

There are three tiers of eDiscovery functionality within Microsoft Purview: Content Search, eDiscovery Standard, and eDiscovery Premium (formerly Advanced eDiscovery). Content Search is available to most Microsoft 365 subscribers and allows basic keyword-based searches across the organization. eDiscovery Standard adds case management and legal hold capabilities, while eDiscovery Premium introduces advanced features like custodian management, near-duplicate detection, conversation threading, and predictive coding. Understanding which tier your organization has access to based on its licensing is the first practical step any IT admin should take before building out a compliance workflow.

How the Platform Searches, Holds, and Exports Data

At its core, Microsoft Purview eDiscovery operates through three primary workflows: search, hold, and export. The search phase allows administrators to define queries using keywords, date ranges, senders, recipients, and file types across one or more data sources within the Microsoft 365 tenant. These searches can be scoped to specific users, mailboxes, SharePoint sites, or Teams channels, giving administrators precise control over what data is pulled into scope. The platform uses the same underlying index as Microsoft Search, meaning results are generally fast and comprehensive across supported workloads.

Legal holds are a critical component of the eDiscovery workflow because they prevent data from being deleted or modified while an investigation is active. When a hold is placed on a mailbox or SharePoint site through Microsoft Purview eDiscovery, the content is preserved in a hidden recoverable items folder or a preservation hold library, even if the user deletes it. The export phase then allows collected data to be packaged and downloaded in formats compatible with third-party review tools, such as PST files for email or native file formats for documents. For organizations using eDiscovery Premium, the review set feature adds an in-platform document review experience with annotation, tagging, and analytics capabilities that reduce the volume of data that ultimately needs to be handed off to legal counsel.

Step-by-Step Guide

  1. Access the Microsoft Purview Compliance Portal: Navigate to compliance.microsoft.com and sign in with an account that has been assigned the eDiscovery Manager or eDiscovery Administrator role. Role assignments are managed in the Microsoft Purview compliance portal under Permissions, and you should verify your access level before attempting to create cases or run searches.
  2. Create a New eDiscovery Case: In the left navigation panel, expand the eDiscovery section and select either Standard or Premium depending on your license, then click Create a case. Give the case a descriptive name that reflects the matter at hand, such as the employee name, case number, or investigation type, and add any additional case members who need access.
  3. Identify and Add Custodians: For eDiscovery Standard, you will manually define the data sources you want to search, such as specific mailboxes or SharePoint URLs. In eDiscovery Premium, you can formally add custodians — the individuals whose data is relevant to the case — and the platform will automatically map their associated data sources, including their primary mailbox, OneDrive account, and any Teams they belong to.
  4. Place a Legal Hold on Relevant Data Sources: Within the case, navigate to the Holds tab and create a new hold that targets the custodians or data sources you identified. You can configure query-based holds that only preserve content matching specific criteria, or blanket holds that preserve everything in a mailbox or site, and the hold will take effect within minutes of being saved.
  5. Build and Run Your Search Query: Go to the Searches tab within the case and create a new search using keyword logic, date filters, and source selections to find the content most relevant to the matter. Review the search statistics carefully after the query runs, as the estimated item count and size will help you determine whether your query is too broad or too narrow before you commit to a full collection.
  6. Review Results and Refine the Scope: Preview a sample of the search results to confirm that the content returned is actually relevant to your investigation and not just a keyword match out of context. In eDiscovery Premium, you can add the results to a review set, where you and your legal team can apply tags, redactions, and relevance scores before deciding what to export.
  7. Export the Data for Legal Review: Once the relevant content has been identified and reviewed, use the Export tab to package the data in the format required by your legal team or opposing counsel. Select your export options carefully, including whether to include versions, redacted items, or metadata reports, and download the export package using the eDiscovery Export Tool once it is ready.
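Steps 1 through 5 can also be scripted, which leaves a repeatable record of what was created. The following is an added example, not part of the original guide and not Microsoft's own code; it uses Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module, and every case name, account, site URL and query in it is a placeholder. Review and export (steps 6 and 7) remain portal tasks here.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example. Every name, address, URL and query below is a placeholder.
$CaseName  = 'Matter-0000-Placeholder'
$Admin     = 'ediscovery.admin@contoso.example'
$Reviewer  = 'legal.reviewer@contoso.example'
$Mailboxes = @('custodian.one@contoso.example')
$Sites     = @('https://contoso.example/sites/placeholder')
$HoldQuery = ''   # leave empty for a blanket hold, or set a query-based hold
$Query     = '"placeholder keyword" AND received>=2026-01-01'

# Step 1: sign in with an eDiscovery Manager or Administrator account.
Connect-IPPSSession -UserPrincipalName $Admin

# Step 2: create the case and add the members who need access.
New-ComplianceCase -Name $CaseName -Description 'Placeholder matter' | Out-Null
Add-ComplianceCaseMember -Case $CaseName -Member $Reviewer

# Steps 3-4: name the data sources and place them on hold.
$HoldName = "$CaseName-Hold"
New-CaseHoldPolicy -Name $HoldName -Case $CaseName -Enabled $true `
    -ExchangeLocation $Mailboxes -SharePointLocation $Sites | Out-Null
# With no query, the rule preserves everything in the listed locations.
$Rule = @{ Name = "$HoldName-Rule"; Policy = $HoldName }
if ($HoldQuery) { $Rule.ContentMatchQuery = $HoldQuery }
New-CaseHoldRule @Rule | Out-Null

# Step 5: create the search inside the case and start it.
$SearchName = "$CaseName-Search-01"
New-ComplianceSearch -Name $SearchName -Case $CaseName `
    -ExchangeLocation $Mailboxes -SharePointLocation $Sites `
    -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the estimate finishes, giving up after 30 minutes.
$Deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne 'Completed' -and (Get-Date) -lt $Deadline)

if ($Search.Status -ne 'Completed') {
    throw "Search '$SearchName' is still in state '$($Search.Status)'"
}
# Item count and size show whether the query is too broad or too narrow.
$Search | Select-Object Name, Status, Items, Size, ContentMatchQuery
```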

Comparing eDiscovery Tiers and Key Capabilities

| Feature | Content Search | eDiscovery Standard | eDiscovery Premium |
| --- | --- | --- | --- |
| Case Management | No | Yes | Yes |
| Legal Holds | No | Yes | Yes |
| Custodian Management | No | No | Yes |
| Review Sets with Analytics | No | No | Yes |
| Required License | Most M365 Plans | E3 or equivalent | E5 or A5 or compliance add-on |

Best Practices

  • Assign Roles Before You Need Them: Configure eDiscovery Manager and Administrator roles in advance so that the right people have access when a legal matter arises unexpectedly.
  • Document Every Case Action: Keep a written log of holds placed, searches run, and exports generated so that your organization can demonstrate a defensible process if the eDiscovery workflow is ever challenged in court.
  • Use Query-Based Holds Carefully: While query-based holds reduce storage overhead, overly narrow queries can result in relevant data being purged, so err on the side of broader preservation when in doubt.
  • Coordinate with Legal Counsel Early: Involve your organization's attorneys in defining the scope of searches and holds before IT begins collecting data to ensure the process aligns with legal strategy and privilege protections.
  • Audit Hold Status Regularly: Periodically review active holds in the Microsoft Purview compliance portal to confirm they are still in place and that no data sources have been inadvertently removed from scope during tenant changes or user offboarding.

Frequently Asked Questions

What Licenses Are Required to Use eDiscovery in Microsoft Purview?

Content Search is available to users on most Microsoft 365 business and enterprise plans, but eDiscovery Standard requires at least a Microsoft 365 E3, Office 365 E3, or equivalent education or government license. eDiscovery Premium requires Microsoft 365 E5, Office 365 E5, or the Microsoft 365 E5 Compliance add-on. IT admins should verify their tenant's licensing in the Microsoft 365 admin center before planning a compliance workflow, as attempting to access features beyond your licensed tier will result in access errors or missing menu options.

Can eDiscovery Searches Access Microsoft Teams Messages?

Yes, Microsoft Purview eDiscovery can search Teams chat messages, channel conversations, and meeting recordings, provided the data is stored in Exchange Online mailboxes and SharePoint or OneDrive, which is where Teams content is indexed. Private chat messages are stored in the mailboxes of the individual participants, while channel messages are stored in the group mailbox associated with the team. It is worth noting that some Teams content types, such as certain third-party app data or federated external chat, may not be fully indexed and could be outside the scope of a standard eDiscovery search.

How Long Does It Take for a Legal Hold to Take Effect?

Once a legal hold is created and saved in Microsoft Purview eDiscovery, it typically takes effect within minutes for Exchange Online mailboxes, though Microsoft's documentation notes that full propagation across all data sources can take up to 24 hours in some cases. During this window, users can still delete content, but the platform's preservation mechanisms will retain a copy in the recoverable items folder. IT admins should not assume that a hold is fully active the moment it is saved, and for time-sensitive matters, it is advisable to notify users through HR or legal channels to avoid deletion while the hold propagates.
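The propagation window described above and the "Audit Hold Status Regularly" practice can both be checked with one script. This is an added example, not from the original article or from Microsoft; it uses Security & Compliance PowerShell cmdlets, and the account name and output file name are placeholders.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example. The account and the output file name are placeholders.
Connect-IPPSSession -UserPrincipalName 'ediscovery.admin@contoso.example'

# Lists eDiscovery Standard cases the signed-in account can see; add
# -CaseType AdvancedEdiscovery to Get-ComplianceCase for Premium cases.
$Cases = Get-ComplianceCase | Where-Object { $_.Status -eq 'Active' }

$Report = foreach ($Case in $Cases) {
    $Policies = @(Get-CaseHoldPolicy -Case $Case.Name -DistributionDetail)
    if ($Policies.Count -eq 0) {
        [pscustomobject]@{
            Case = $Case.Name; Hold = $null; Enabled = $null
            Distribution = $null; Mailboxes = 0; Sites = 0
            Finding = 'Active case has no hold'
        }
        continue
    }
    foreach ($Policy in $Policies) {
        # Measure-Object counts 0 for an empty or missing location list.
        $Mailboxes = ($Policy.ExchangeLocation   | Measure-Object).Count
        $Sites     = ($Policy.SharePointLocation | Measure-Object).Count
        $Finding = if (-not $Policy.Enabled) { 'Hold is disabled' }
            elseif ($Policy.DistributionStatus -ne 'Success') {
                'Not fully distributed'   # saved, but not yet active everywhere
            }
            elseif (($Mailboxes + $Sites) -eq 0) { 'No locations in scope' }
            else { 'OK' }
        [pscustomobject]@{
            Case = $Case.Name; Hold = $Policy.Name; Enabled = $Policy.Enabled
            Distribution = $Policy.DistributionStatus
            Mailboxes = $Mailboxes; Sites = $Sites; Finding = $Finding
        }
    }
}

# Keep a dated copy as part of the written case log, then show the problems.
$Report | Export-Csv -Path ".\hold-audit-$(Get-Date -Format yyyyMMdd).csv" `
    -NoTypeInformation
$Report | Where-Object { $_.Finding -ne 'OK' } | Format-Table -AutoSize
```

Running it on a schedule and comparing the mailbox and site counts against the previous CSV shows when a location has dropped out of a hold after offboarding or tenant changes.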

What Is the Difference Between a Hold and a Retention Policy?

A legal hold in Microsoft Purview eDiscovery is a case-specific preservation action tied to a particular investigation or matter, and it overrides a user's ability to permanently delete content for the duration of that case. A retention policy, by contrast, is a governance tool applied broadly across the organization to ensure that content is kept for a defined period and then either deleted or flagged for review. Both can coexist on the same mailbox or site, but they serve different purposes: retention policies manage the lifecycle of data organization-wide, while legal holds protect specific data sets in response to a specific legal or investigative need.

Who Can See the Contents of an eDiscovery Case?

Access to a Microsoft Purview eDiscovery case is controlled at the case level, meaning only users who have been explicitly added as case members — in addition to holding the eDiscovery Manager or Administrator role — can view the case details, searches, holds, and exported content. Global administrators can access all cases by default, but standard eDiscovery Managers can only see cases they have been added to, which helps maintain confidentiality during sensitive investigations. IT admins should be deliberate about case membership, particularly in HR or executive-level investigations, and should avoid adding unnecessary personnel to cases where the subject matter is sensitive or legally privileged.

Managing eDiscovery compliance can be complex, especially for SMBs without a dedicated legal or compliance team on staff. Always Beyond helps organizations configure and manage Microsoft Purview eDiscovery workflows so that when a legal matter arises, your team is ready to respond quickly and defensibly. To learn how we can support your compliance infrastructure, contact Always Beyond today.
