Lab: Explore eDiscovery

This lab maps to the following Learn content:

  • Learning Path: Describe the capabilities of Microsoft Priva and Microsoft Purview
  • Module: Describe the data compliance solutions of Microsoft Purview
  • Unit: Describe eDiscovery

Lab scenario

In this lab you’ll go through the steps required for setting up eDiscovery, including setting up role permissions, creating an eDiscovery case, creating an eDiscovery hold and creating a search query. Note: Licensing for eDiscovery (Standard) requires the appropriate organization subscription and per-user licensing. If you aren’t sure which licenses support eDiscovery (Standard), visit Get started with eDiscovery (Standard) in Microsoft Purview.

Estimated Time: 45 minutes

Task 1

To access eDiscovery (Standard) or be added as a member of an eDiscovery case, a user must be assigned the appropriate permissions. In this task, you as the global admin, will add specific users as members of the eDiscovery Manager role group.

  1. Open the browser tab for home page of Microsoft Purview. If you previously closed it, open a browser tab and enter https://admin.microsoft.com. Sign in with the admin credentials for the Microsoft 365 tenant provided by the authorized lab hoster (ALH).

  2. From the left navigation pane of the Microsoft 365 admin center, select Show all then select Compliance. A new browser page opens to the welcome page of the Microsoft Purview portal.

  3. From the left navigation pane, select Settings, expand Roles and scopes, then select Role groups.

  4. In the search field, on the top, right of the page, enter eDiscovery then hit Enter on your keyboard. Select eDiscovery Manager.

  5. Select Edit. For the purpose of this lab, you’ll set yourself as MOD administrator as the eDiscovery Manager and administrator. In practice, you would designate specific users for specific roles.
    1. The “Manage eDiscovery Manager” page allows you to add users to the role of eDiscovery manager.
    2. Select Choose users. Search for and select MOD Administrator then press Select at the bottom of the page, then select Next.
    3. On the “Manage eDiscovery Administrator” page, select Choose users . Search for and select MOD Administrator then press Select at the bottom of the page, then select Next and then Save.
    4. On the “You successfully updated the role group” page, select Done.
  6. Keep this browser tab open, as you’ll use it in the next task.

Task 2

In this task you, as an eDiscovery Administrator (MOD admin is an eDiscovery administrator), will create a case to start using eDiscovery (Standard).

  1. You should still be on the compliance portal roles page. If you closed the browser tab from the previous task, open a new browser tab and enter compliance.microsoft.com to get to the Microsoft Purview portal.

  2. From the left navigation panel, under Solutions, expand eDiscovery then select Standard Cases.

  3. From the top of the eDiscovery (Standard) page, select + Create a case.

  4. In the New case window, enter a Case name, SC900 Test Case then select the Save at the bottom of the page.

  5. The case should now appear on the list.

  6. As the creator of the case and because you have eDiscovery Administrator privileges, you can begin to work with it.

  7. Keep this browser tab open, as you’ll use it in the subsequent task.

Task 3

Now that you’ve created an eDiscovery (Standard) case, you can begin to work with the case. In this task, you’ll create an eDiscovery hold for the case for you created. Specifically, you’ll create a hold for the exchange mailbox belonging to Adele Vance.

  1. Open the eDiscovery (Standard) tab on your browser.

  2. From the eDiscovery (Standard) page, select the case you created in the previous tab, SC900 Test Case.

  3. From the Home page of the case, select the Hold tab then select +Create.

  4. In the name field, enter Test hold then select Next.

  5. In the Choose locations page, select toggle switch next to Exchange mailboxes to set the status to On.

  6. Now select Choose users, groups, or teams. In the search box, enter Adele then press enter on your keyboard. From the search results select Adele Vance, then select Done.

  7. From the Choose locations page, select Next. For expediency with the lab, no other locations will be included in this hold.

  8. The Query conditions page enables you to create a hold for items based on a query that you can create. You can choose to use the Query builder to create a query or for more advanced users, you can use the KQL editor. For this exercise, you want the hold to preserve all content in the specified location for the specified user, so you will not create a query.

  9. Review your settings and select Submit, it may take a minute, then select Done. The Test hold should appear on the list. If you don’t immediately see it, select Refresh

  10. Keep this browser tab open, as you’ll use it in the subsequent task.

Task 4

With a hold in place, you’ll create a search query. Once your search is complete, the eDiscovery supports actions, such as exporting and downloading the results for future investigation. Note: Searches associated with an eDiscovery (Standard) case are not listed on the Content search page in the Microsoft Purview portal. These searches are listed only on the Searches page of the associated eDiscovery (Standard) case.

  1. Open the SC900 Test Case tab on your browser.

  2. From the SC900 Test Case page, select Searches.

  3. From the Search page, select + New Search.

  4. In the Name field, enter Test Hold – Sales Search, then select Next from the bottom of the page.

  5. In the Choose locations page, select locations on hold and unselect Add App Content for On-Premises users, as your lab environment has no on-premises users, then select Next.

  6. The Query conditions page enables you to create a search, based on specific Keywords or Conditions that are satisfied, In the keyword field enter Sales select Next.

  7. Review your settings and select Submit, it may take a minute, then select Done. The search should appear on the list. If you don’t immediately see it, select Refresh

  8. From the Searches window, select the search you created, Test Hold - Sales Search. A window that opens with the Summary tab selected. Once the search is complete the status will indicate that the search is completed. You’ll see a Search statistics tab (if you don’t see the Search statistics tab, the search may still be running and may take a few minutes to complete). Select the Search statistics tab and select the drop-down next to Search content. You can also view more information for the Condition report and Top locations.

  9. From the bottom of the page, select Actions. Note the available options that include export options (the export options cannot be selected from within the lab platform provided by the authorized lab hoster, but are available in a production environment and are considered part of the standard workflow). Select Close.

  10. Sign out and close all open browser windows.

Review

In this lab, you went through the steps required to get started with eDiscovery (Standard), including setting up the role permissions for eDiscovery and creating an eDiscovery case. With the case, created you went through elements of the eDiscovery (Standard) workflow by creating an eDiscovery hold and creating a search query.