Create eDiscovery Holds for an eDiscovery Case (Standard) - Microsoft Purview (Compliance) (2023)

You can use a Microsoft Purview eDiscovery (Standard) case to create holds to preserve content that might be relevant to the case. You can place a hold on the Exchange mailboxes and OneDrive for Business accounts of the people you're investigating in the case. You can also place a hold on the mailboxes and sites associated with Microsoft Teams, Office 365 Groups, and Yammer Groups. When you place content locations on hold, the content is preserved until you remove the content location from the hold or until you remove the hold.

After you create an eDiscovery hold, it can take up to 24 hours for the hold to take effect.

When creating a hold, you have the following options to determine the scope of the content preserved within the specified content locations:

  • Create an infinite hold, where all content in the specified locations is placed on hold. Alternatively, you can create a query-based hold, where only the content in the specified locations that matches a search query is placed on hold.
  • Specify a date range to preserve only the content that was sent, received, or created within that date range. Alternatively, you can hold all content in the specified locations, regardless of when it was sent, received, or created.

Tip

If you're not an E5 customer, you can try all the premium features of Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

How to create an eDiscovery hold

To create an eDiscovery hold that's associated with an eDiscovery (Standard) case:

  1. Go to the Microsoft Purview compliance portal and sign in with the credentials of a user account that has been assigned the appropriate eDiscovery permissions.

  2. In the left navigation pane, select Show all, and then select eDiscovery > Core.

  3. On the eDiscovery (Standard) page, select the name of the case that you want to create the hold in.

  4. On the Home page for the case, select the Hold tab.

  5. On the Hold page, select Create.

  6. On the Name your hold wizard page, give the hold a name and add an optional description, and then select Next. The hold name must be unique within your organization.

  7. On the Choose locations wizard page, choose the content locations that you want to place on hold. You can place mailboxes, sites, and public folders on hold.

    1. Exchange mailboxes: Set the toggle to On and then select Choose users, groups, or teams to specify the mailboxes to place on hold. Use the search box to find user mailboxes and distribution groups (to place a hold on the mailboxes of group members). You can also place a hold on the associated mailbox for a Microsoft Team, an Office 365 Group, and a Yammer Group. For more information about the application data that is preserved when a mailbox is placed on hold, see Content stored in mailboxes for eDiscovery.

    2. SharePoint sites: Set the toggle to On and then select Choose sites to specify SharePoint sites and OneDrive accounts to place on hold. Type the URL for each site that you want to place on hold. You can also add the URL of the SharePoint site for a Microsoft Team, Office 365 Group, or Yammer Group.

    3. Exchange public folders: Set the toggle to On to put all public folders in your Exchange Online organization on hold. You can't choose specific public folders to put on hold. Leave the toggle off if you don't want to put a hold on public folders.

    Important

    When adding Exchange mailboxes or SharePoint sites to a hold, you must explicitly add at least one content location to the hold. In other words, if you set the toggle to On for mailboxes or sites, you must select specific mailboxes or sites to add to the hold. Otherwise, the eDiscovery hold will be created, but no mailboxes or sites will be added to the hold.

  8. When you're done adding locations to the hold, select Next.

  9. To create a query-based hold using keywords or conditions, complete the following steps. To preserve all content in the specified content locations, select Next.

    1. In the box under Keywords, type a query to preserve only the content that matches the query criteria. You can specify keywords, email message properties, or site properties such as file names. You can also use more complex queries that use a Boolean operator, such as AND, OR, or NOT.

    2. Select Add conditions to add one or more conditions to narrow the query for the hold. Each condition adds a clause to the KQL search query that is created and run when you create the hold. For example, you can specify a date range so that email or site documents that were created within the date range are preserved. A condition is logically connected to the keyword query (specified in the Keywords box) and to other conditions by the AND operator. This means that items must satisfy both the keyword query and the condition to be preserved.

    For more information about creating a search query and using conditions, see Keyword queries and search conditions for eDiscovery.

  10. After configuring a query-based hold, select Next.

  11. Review your settings (and edit them if necessary), and then select Submit.

Note

When you create a query-based hold, all content in the selected locations is initially placed on hold. Subsequently, any content that doesn't match the specified query is cleared from the hold every seven to 14 days. However, a query-based hold won't clear content if more than five holds of any type are applied to a content location, or if any item has indexing issues.

Query-based holds placed on sites

Consider the following when placing a query-based eDiscovery hold on documents located on SharePoint sites:

  • A query-based hold initially preserves all documents in a site for a short period of time after they are deleted. This means that when a document is deleted, it is moved to the Preservation Hold library even if it doesn't match the criteria of the query-based hold. However, deleted documents that don't match a query-based hold are removed by a timer job that processes the Preservation Hold library. The timer job runs periodically and compares all documents in the Preservation Hold library with your query-based eDiscovery holds (and other types of holds and retention policies). The timer job deletes the documents that don't match a query-based hold and preserves the documents that do.

  • Query-based holds should not be used to perform a targeted hold, such as preserving documents in a specific folder or site, or by using other location-based hold criteria. Doing so may have unwanted results. We recommend using non-location-based hold criteria such as keywords, date ranges, or other document properties to preserve site documents.

Find locations on eDiscovery hold

When you search for content in an eDiscovery (Standard) case, you can quickly configure the search to search only the content locations that have been placed on a hold associated with the case.

Select the Locations on hold option to search all the content locations that have been placed on hold. If the case contains multiple eDiscovery holds, the content locations from all holds are searched when you select this option. Also, if a content location was placed on a query-based hold, only the items that match the hold query are searched when you run the search. In other words, only the content that matches both the hold criteria and the search criteria is returned with the search results. For example, if a user was placed on a query-based case hold that preserves items that were sent or created before a specific date, only those items would be searched. This is done by connecting the case hold query and the search query with an AND operator.

Here are some other things to keep in mind when searching locations on eDiscovery hold:

  • If a content location is part of multiple holds within the same case, the hold queries are combined by OR operators when you search that content location using the case content on hold option. Similarly, if a content location is part of two different holds, where one is query-based and the other is an infinite hold (where all content is placed on hold), then all content is searched because of the infinite hold.

  • If a search is configured to search for on-hold locations and an eDiscovery hold on the case changes (by adding or removing a location or changing a hold query), the search settings will update with those changes. However, you must rerun the search after changing the hold to update the search results.

  • If multiple eDiscovery holds are placed on a single location in an eDiscovery case and you choose to search locations on hold, the maximum number of keywords for that search query is 500. This is because the search combines all the query-based holds by using the OR operator. If there are more than 500 keywords in the combined hold queries and search query, all content in the mailbox is searched, not just the content that matches the query-based case holds.

  • If an eDiscovery hold has a status of On (Pending), you can still search the locations on hold while the hold is being turned on.

Preserve content in Microsoft Teams

Conversations that are part of a Microsoft Teams channel are stored in the mailbox associated with Microsoft Teams. Similarly, files that team members share in a channel are stored on the team's SharePoint site. Therefore, you should put the team mailbox and the SharePoint site on eDiscovery hold to keep the conversations and files in a channel.

Alternatively, conversations that are part of the chat list in Teams (called 1:1 chats or 1:N group chats) are stored in the mailboxes of the users who participate in the chat. Files that users share in chat conversations are stored in the OneDrive account of the user who shares the file. Therefore, you must add the individual user mailboxes and OneDrive accounts to an eDiscovery hold to preserve the conversations and files in the chat list. It's a good idea to place a hold on the mailboxes of the members of a Microsoft Team, in addition to placing the team mailbox and site on hold.

Note

If your organization has an Exchange hybrid deployment (or your organization synchronizes an on-premises Exchange organization with Office 365) and has enabled Microsoft Teams, on-premises users can use the Teams chat application and participate in 1:1 chats and 1:N group chats. These conversations are stored in cloud-based storage that's associated with an on-premises user. If an on-premises user is placed on an eDiscovery hold, the Teams chat content in the cloud-based storage is preserved. For more information, see Search for Teams chat data for on-premises users.

For more information about preserving Teams content, see Place a Microsoft Teams user or team on legal hold.

Preserve card content

Similarly, card content generated by apps in Teams channels, 1:1 chats, and 1:N group chats is stored in mailboxes and is preserved when a mailbox is placed on an eDiscovery hold. A card is a UI container for short pieces of content. Cards can have multiple properties and attachments, and can include buttons that trigger card actions. For more information, see Cards. Like other Teams content, where card content is stored depends on where the card was used. Content for cards used in a Teams channel is stored in the Teams group mailbox. Card content for 1:1 and 1:N chats is stored in the mailboxes of the chat participants.

Retain meeting and call information

Summary information for meetings and calls in a Teams channel is also stored in the mailboxes of the users who dialed into the meeting or call. This content is also retained when an eDiscovery hold is placed on users' mailboxes.

Preserve content on private channels

Starting in February 2020, we are also enabling the ability to preserve content in private channels. Because private channel chats are stored in the mailboxes of the chat participants, placing a user's mailbox on eDiscovery hold preserves private channel chats. Additionally, if a user's mailbox was placed on an eDiscovery hold before February 2020, the hold is now automatically applied to private channel messages stored in that mailbox. Preserving files shared in private channels is also supported.

Preserve wiki content

Each team or team channel also contains a wiki for note taking and collaboration. Wiki content is automatically saved in a .mht format file. This file is stored in the Teams Wiki Data document library on the team's SharePoint site. You can retain wiki content by adding the team's SharePoint site to an eDiscovery hold.

Note

The ability to preserve Wiki content for a team or team channel (when you place the team's SharePoint site on hold) was released on June 22, 2017. If a team site is on hold, Wiki content is retained starting on that date. However, if a team site is on hold and the Wiki content was deleted before June 22, 2017, the Wiki content was not preserved.

Office 365 Groups

Teams is based on Office 365 Groups, so putting Office 365 Groups on hold for eDiscovery is similar to putting Teams content on hold.

Consider the following when placing Teams and Office 365 Groups on an eDiscovery hold:

  • As explained above, to place content located in Teams and Office 365 Groups on hold, you must specify the mailbox and the SharePoint site associated with a group or team.

  • Run the Get-UnifiedGroup cmdlet in Exchange Online PowerShell to view properties for Teams and Office 365 Groups. This is a good way to get the URL of the site that's associated with a Team or Office 365 Group. For example, the following command displays selected properties for an Office 365 Group named Senior Leadership Team:

    Get-UnifiedGroup "Senior Leadership Team" | FL DisplayName,Alias,PrimarySmtpAddress,SharePointSiteUrl

    DisplayName: Senior Leadership Team
    Alias: seniorleadershipteam
    PrimarySmtpAddress: seniorleadershipteam@contoso.onmicrosoft.com
    SharePointSiteUrl: https://contoso.sharepoint.com/sites/seniorleadershipteam

    Note

    To run the Get-UnifiedGroup cmdlet, you must be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.

  • When a user's mailbox is searched, any Team or Office 365 Group that the user is a member of won't be searched. Similarly, when you place a Team or Office 365 Group on eDiscovery hold, only the group mailbox and group site are placed on hold. The mailboxes and OneDrive for Business sites of group members aren't placed on hold unless you explicitly add them to the eDiscovery hold. So, if you have to place a Team or Office 365 Group on hold for a legal reason, consider adding the mailboxes and OneDrive accounts of team or group members to the same hold.

  • To get a list of the members of a Team or Office 365 Group, you can view the properties on the Groups page in the Microsoft 365 admin center. Alternatively, you can run the following command in Exchange Online PowerShell:

    Get-UnifiedGroupLinks <group or team name> -LinkType Members | FL DisplayName,PrimarySmtpAddress

    Note

    To run the Get-UnifiedGroupLinks cmdlet, you must be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.
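One way to script the guidance above for a Team or Office 365 Group, as an added example that is not part of the original article: it resolves the group mailbox, the group site, and the member mailboxes, checks them against the per-hold limits given in the limits table on this page, and creates the hold. The case name, hold name, and the OneDriveUrls input are assumptions; New-CaseHoldPolicy and New-CaseHoldRule are Security & Compliance PowerShell cmdlets that the article itself does not mention.

```powershell
# Added example, not from the original article. Assumes sessions are already open
# via Connect-ExchangeOnline (group cmdlets) and Connect-IPPSSession (hold cmdlets).
param(
    [string]  $CaseName     = 'Contoso Case 001',        # hypothetical existing case
    [string]  $HoldName     = 'Senior Leadership Hold',  # hypothetical hold name
    [string]  $GroupName    = 'Senior Leadership Team',
    [string[]]$OneDriveUrls = @(),   # member OneDrive URLs, taken from your OneDrive list
    [string]  $HoldQuery    = ''     # empty = hold all content; otherwise a KQL query
)

# Per-hold limits stated in the limits table on this page.
$maxMailboxes = 1000
$maxSites     = 100

# The hold name must be unique within the organization.
if (Get-CaseHoldPolicy -Identity $HoldName -ErrorAction SilentlyContinue) {
    throw "A hold named '$HoldName' already exists."
}

$group   = Get-UnifiedGroup -Identity $GroupName -ErrorAction Stop
$members = Get-UnifiedGroupLinks -Identity $GroupName -LinkType Members -ResultSize Unlimited

# Group mailbox plus every member mailbox (members are not held implicitly).
$mailboxes = @($group.PrimarySmtpAddress) + @($members | ForEach-Object { $_.PrimarySmtpAddress })
$mailboxes = @($mailboxes | Where-Object { $_ } | Sort-Object -Unique)

# Group site plus any member OneDrive sites supplied by the caller.
$sites = @(@($group.SharePointSiteUrl) + $OneDriveUrls | Where-Object { $_ } | Sort-Object -Unique)

if ($mailboxes.Count -eq 0 -and $sites.Count -eq 0) {
    throw 'No content locations resolved; the hold would be created with nothing on hold.'
}
if ($mailboxes.Count -gt $maxMailboxes) {
    throw "Too many mailboxes for one hold: $($mailboxes.Count) > $maxMailboxes"
}
if ($sites.Count -gt $maxSites) {
    throw "Too many sites for one hold: $($sites.Count) > $maxSites"
}

# Only pass a location parameter when it has at least one entry.
$policy = @{ Name = $HoldName; Case = $CaseName; Enabled = $true }
if ($mailboxes.Count) { $policy.ExchangeLocation   = $mailboxes }
if ($sites.Count)     { $policy.SharePointLocation = $sites }
New-CaseHoldPolicy @policy | Out-Null

# A hold policy needs a rule; without ContentMatchQuery the rule holds all content.
$rule = @{ Name = $HoldName; Policy = $HoldName }
if ($HoldQuery) { $rule.ContentMatchQuery = $HoldQuery }
New-CaseHoldRule @rule | Out-Null

# The hold can take up to 24 hours to take effect; check its distribution status.
Get-CaseHoldPolicy -Identity $HoldName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation
```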

Preserve content in OneDrive accounts

To collect a list of the URLs for the OneDrive for Business sites in your organization so that you can add them to a hold or search associated with an eDiscovery case, see Create a list of all OneDrive locations in your organization. The script in this article creates a text file that contains a list of all OneDrive sites in your organization. To run this script, you must install and use the SharePoint Online Management Shell. Be sure to append the URL for your organization's MySite domain to each OneDrive site that you want to search. This is the domain that contains all of your OneDrive sites; for example, https://contoso-my.sharepoint.com. Here's an example URL for a user's OneDrive site: https://contoso-my.sharepoint.com/personal/sarad_contoso_onmicrosoft.com.

Important

The URL for a user's OneDrive account includes the user's user principal name (UPN) (for example, https://alpinehouse-my.sharepoint.com/personal/sarad_alpinehouse_onmicrosoft_com). In the rare case that a person's UPN changes, the OneDrive URL also changes to incorporate the new UPN. If a user's OneDrive account is part of an eDiscovery hold and their UPN changes, you need to update the hold by adding the user's new OneDrive URL and removing the old one. If the URL for the OneDrive site changes, any holds previously placed on the site remain in effect and the content is preserved. For more information, see How UPN changes affect the OneDrive URL.

Removing content locations from an eDiscovery hold

After you remove a mailbox, SharePoint site, or OneDrive account from an eDiscovery hold, a delay hold is applied. This means that the actual removal of the hold is delayed for 30 days to prevent data from being permanently deleted (purged) from a content location. This gives admins an opportunity to search for or recover content that will be purged after an eDiscovery hold is removed. The details of how the delay hold works for mailboxes and sites are different.

  • Mailboxes: A delay hold is placed on a mailbox the next time the Managed Folder Assistant processes the mailbox and detects that an eDiscovery hold was removed. Specifically, a delay hold is applied to a mailbox when the Managed Folder Assistant sets one of the following mailbox properties to True:

    • DelayHoldApplied: This property applies to email-related content (generated by people using Outlook and Outlook on the web) that's stored in a user's mailbox.

    • DelayReleaseHoldApplied: This property applies to cloud-based content (generated by non-Outlook applications such as Microsoft Teams, Microsoft Forms, and Microsoft Yammer) that's stored in a user's mailbox. Cloud data generated by a Microsoft application is usually stored in a hidden folder in a user's mailbox.

    When a delay hold is placed on the mailbox (when either of the previous properties is set to True), the mailbox is still considered to be on hold for an unlimited hold duration, as if the mailbox were on Litigation Hold. After 30 days, the delay hold expires, and Microsoft 365 automatically attempts to remove the delay hold (by setting the DelayHoldApplied or DelayReleaseHoldApplied property to False) so that the hold is removed. After either of these properties is set to False, the corresponding items that are marked for removal are purged the next time the mailbox is processed by the Managed Folder Assistant.

    For more information, see Managing mailboxes on delay hold.

  • SharePoint and OneDrive sites: Any SharePoint or OneDrive content that is retained in the Preservation Hold library isn't deleted during the 30-day delay hold period after a site is removed from an eDiscovery hold. This is similar to what happens when a site is released from a retention policy. Additionally, you can't manually delete this content in the Preservation Hold library during the 30-day delay hold period.

    For more information, see How to release a hold policy.

A delay hold is also applied to content locations on hold when you close an eDiscovery (Standard) case, because holds are turned off when a case is closed. For more information about closing a case, see Close, reopen, and delete an eDiscovery (Standard) case.
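A read-only check of the two delay hold properties described above, added here as an example and not part of the original article. It assumes an Exchange Online PowerShell session; the function name Get-DelayHoldStatus and the mailbox address in the usage line are placeholders, and LitigationHoldEnabled and InPlaceHolds are additional Get-Mailbox properties the article does not discuss.

```powershell
# Added example, not from the original article. Read-only; assumes Connect-ExchangeOnline.
function Get-DelayHoldStatus {
    param(
        [Parameter(Mandatory)]
        [string[]]$Mailbox   # mailboxes recently removed from an eDiscovery hold
    )

    foreach ($id in $Mailbox) {
        $mbx = Get-Mailbox -Identity $id -ErrorAction Stop

        # Either property set to True means the 30-day delay hold is still in force.
        $delay = $mbx.DelayHoldApplied -or $mbx.DelayReleaseHoldApplied

        # Other holds recorded on the mailbox itself keep content preserved
        # even after the delay hold expires.
        $other = $mbx.LitigationHoldEnabled -or (@($mbx.InPlaceHolds).Count -gt 0)

        $state = if ($delay) {
            'Delay hold active: content still preserved'
        } elseif ($other) {
            'Delay hold cleared: other mailbox holds still apply'
        } else {
            'No delay hold or mailbox-level hold found'
        }

        [pscustomobject]@{
            Mailbox                 = $mbx.PrimarySmtpAddress
            DelayHoldApplied        = $mbx.DelayHoldApplied
            DelayReleaseHoldApplied = $mbx.DelayReleaseHoldApplied
            LitigationHoldEnabled   = $mbx.LitigationHoldEnabled
            InPlaceHoldCount        = @($mbx.InPlaceHolds).Count
            State                   = $state
        }
    }
}

# Usage with a placeholder address:
Get-DelayHoldStatus -Mailbox 'sarad@contoso.onmicrosoft.com' | Format-List
```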

eDiscovery hold limits

The following table lists the limits for eDiscovery cases and case holds.

| Description of limit | Limit |
|---|---|
| Maximum number of cases for an organization. | No limit |
| Maximum number of eDiscovery hold policies for an organization. This limit includes the combined total of eDiscovery (Standard) and eDiscovery (Premium) hold policies. | 10,000 ¹ |
| Maximum number of mailboxes in a single eDiscovery hold. This limit includes the combined total of user mailboxes and the mailboxes associated with Microsoft 365 Groups, Microsoft Teams, and Yammer Groups. | 1,000 |
| Maximum number of sites in a single eDiscovery hold. This limit includes the combined total of OneDrive for Business sites, SharePoint sites, and the sites associated with Microsoft 365 Groups, Microsoft Teams, and Yammer Groups. | 100 |
| Maximum number of cases displayed on the eDiscovery home page, and the maximum number of items displayed on the Holds, Searches, and Export tabs within a case. | 1,000 ¹ |

Note

¹ To view a list of more than 1,000 cases, holds, searches, or exports, you can use the corresponding Security & Compliance PowerShell cmdlet:

  • Get-ComplianceCase
  • Get-CaseHoldPolicy
  • Get-ComplianceSearch
  • Get-ComplianceSearchAction

Author: Twana Towne Ret

Last Updated: 04/24/2023
