Microsoft 365 eDiscovery Guide (Purview): Step-by-Step Tutorial for Beginners [2026]

You can skip Hold in eDiscovery if there is no need to preserve data for a legal case, investigation, or compliance requirements. However, if you are required to retain data for legal or regulatory reasons, applying a Hold is recommended. Skipping it may lead to data loss if users delete or modify content before the investigation is complete.

Step 6: Running a Content Search

• Click New Search in eDiscovery.

Give a Name and Description of the New Search

• Select the Location Add Sources and Search the user account.

• Use filters such as:
  • Keywords (e.g., “confidential project”)
  • Date Ranges
  • Specific Users or Groups
  • Subject Title
• One you add the filters click on the Run query at top right.

• Review search results and refine as needed. After Review Click on the Export at top.

Step 6: Exporting and Downloading Data

• Give it a Name and Description.

• Choose the Default Settings or Adjust the Export Result as needed. Click on the Export.

• It will take some time to download the Result, Depending on the Case size. You can Track the Progress Under the Process Manager.

• Once Export is completed, You can go to Exports in in the Cases. 

• Open the eDiscovery Case and Click on the Download.

If you encounter an error, please check the roles assigned to your account. Additionally, errors may occur if your browser does not support the required features or if you are logged in using an InPrivate browsing session. For the best result, use Microsoft Edge.

• Once the export is complete, Downloaded. you can Review the emails and Search Data.

Step 8: Reviewing Data in eDiscovery

• Import the PST file into the Outlook app to review the results.
• If you have a large amount of data, you can also use third-party software for better management and analysis: – Use the Free version of SysTools Outlook PST Viewer.

Best Practices for eDiscovery in Office 365

✔ Maintain detailed documentation for all cases.
✔ Regularly audit permissions to prevent unauthorized access.
✔ Train employees on data retention policies for compliance.
✔ Automate case notifications to streamline workflows.

Common Challenges and Solutions

🚀 Large Datasets – Use date filters to narrow search results.
🔒 Permission Issues – Ensure users have the eDiscovery Manager role.
⏳ Slow Searches – Follow indexing best practices for faster queries.

Conclusion

Microsoft 365 eDiscovery is a powerful tool for businesses to efficiently manage legal and compliance needs. By following this step-by-step guide, organizations can search, preserve, and export critical data with ease. Whether using Core eDiscovery for basic searches or Advanced eDiscovery for in-depth analysis, mastering these tools is essential for compliance teams.

FAQs

1. How long does an eDiscovery search take in Office 365?
It depends on dataset size and complexity, but most searches complete within a few minutes to an hour.

2. Can I recover deleted emails using eDiscovery?
Yes, as long as retention policies are in place and the data has not been permanently deleted.

3. Is eDiscovery included in all Microsoft 365 plans?
No, Core eDiscovery is available in E3, while Advanced eDiscovery requires an E5 license.

4. How do I ensure compliance with data retention policies?
Regularly review legal hold settings and configure compliance policies in the Compliance Center.

5. What happens if I remove a legal hold?
Data may be deleted permanently if no other retention policy is in place.

6. What is eDiscovery office 365?
eDiscovery in Office 365 (Microsoft 365) is a tool that helps organizations search, preserve, and export data from Exchange Online, SharePoint, OneDrive, Teams, and other Microsoft 365 services for legal, compliance, or investigative purposes.

Related URLs:-

• Secure Sensitive Documents in SharePoint Online Using IRM
• Microsoft 365 Data Protection: The Ultimate Guide to Secure Your Cloud Data.
• How to Send Encrypted Email in Outlook: A Step-by-Step Guide
• Microsoft Insider Risk Management: A Complete Guide to Prevent Insider Threats

Enjoyed the article?
We’d love to hear your thoughts—share your comments below!
For more insights, guides, and updates from the Microsoft ecosystem, be sure to subscribe to our newsletter and follow us on LinkedIn. Stay connected and never miss out on the latest tips and news!

Microsoft 365 eDiscovery is a powerful built-in tool that helps legal, compliance, and IT teams quickly search, preserve, and export data across Microsoft 365 services like Outlook, Teams, SharePoint, and OneDrive. Whether you need to recover missing emails or collect documents for an investigation, Microsoft 365 eDiscovery simplifies the process by allowing you to locate relevant data without manually checking individual user accounts.

To make eDiscovery effective, organizations must also implement proper Data Retention Policies. Users can accidentally or intentionally delete important emails and files, and once permanently removed, that data may not be recoverable—even with eDiscovery. Microsoft 365 retention policies help prevent this by automatically preserving critical data for a defined period, ensuring compliance and protecting business information. Built into Microsoft 365 at no additional cost, these policies play a crucial role in any eDiscovery strategy.

In this guide, you’ll learn how to use Microsoft 365 eDiscovery step by step—from creating an eDiscovery case to exporting data for investigations or compliance needs. We’ll start by explaining the different eDiscovery solutions available in Microsoft 365, including Content Search and eDiscovery, and how they compare. You’ll also understand key roles like eDiscovery Manager vs. eDiscovery Administrator, followed by a complete walkthrough of the eDiscovery process. Additionally, this guide covers best practices, common challenges, and practical solutions to help you efficiently manage eDiscovery tasks in real-world scenarios.

Microsoft 365 eDiscovery: Types of eDiscovery Solutions Explained:

Core eDiscovery vs. Advanced eDiscovery

🔹 Key takeaway: If your organization deals with litigation or regulatory compliance, Advanced eDiscovery provides deeper insights and efficiency.

Content Search vs. Microsoft 365 eDiscovery: What’s the Difference?

While eDiscovery in Microsoft 365 is designed for legal and compliance needs, Content Search is a simpler tool mainly used by IT admins to search for data across Microsoft 365 services like Exchange, SharePoint, OneDrive, and Teams. Both tools help you find and export information, but they serve different purposes.

Use Content Search when you need to quickly search and export data for internal reviews, user requests, or troubleshooting. It’s fast, straightforward, and doesn’t require setting up a case.

Use Microsoft 365 eDiscovery when you need to preserve, review, or hand over data for legal matters. M365 eDiscovery supports legal holds, role-based access control, and audit trails—features that are essential during investigations or lawsuits.

Pre-requisites for Using eDiscovery

Before you begin, ensure you have the necessary permissions and licenses.

Licensing Requirements:

• Core eDiscovery – Included in Microsoft 365 E3 plans.
• Advanced eDiscovery – Requires a Microsoft 365 E5 license.

Compliance Center Access:

Admins wondering how to access eDiscovery can do so via the Microsoft Purview Compliance Portal: https://compliance.microsoft.com

Required Permissions:

To access eDiscovery, users must have:

✔ eDiscovery Manager role
✔ Compliance Administrator or eDiscovery Admin role (for advanced tasks and Manage All Cases)

In the Compliance admin Portal. Navigate to Settings, Roles, and Scopes Section.

• Click on Role Groups Under the Roles and Scopes

• Search the eDiscovery Manager role to manage permissions and ensure users can access necessary eDiscovery features.

• Click on the edit under the eDiscovery Manager

Search the user and assign the eDiscovery Manager and Administrator role.

Difference Between eDiscovery Manager and eDiscovery Administrator

In Microsoft Purview eDiscovery, both eDiscovery Managers and eDiscovery Administrators have different levels of permissions and responsibilities.

1. eDiscovery Manager

• Can create, manage, and execute eDiscovery cases but within the scope assigned to them.
• Has access only to the specific cases they are assigned to.
• Can search, place holds, and export data for investigation purposes.
• Typically assigned to compliance officers, legal teams, or IT staff handling specific eDiscovery cases.

2. eDiscovery Administrator

• Has full control over all eDiscovery cases in the organization.
• Can assign eDiscovery Managers and define their permissions.
• Can access, edit, and manage all cases, even those they did not create.
• Can set up eDiscovery policies and manage organization-wide legal compliance.

Once the role is assigned, you can create the Case.

Microsoft 365 eDiscovery: Complete Step-by-Step Guide

Step 1: Accessing the Microsoft Purview Compliance Portal

• Sign in to Microsoft 365 Compliance Center.

• Navigate to eDiscovery under Solutions.
• Choose the Cases and Create New Case.

Step 2: Creating an eDiscovery Case

• Click Create a Case in the eDiscovery dashboard.
• Enter a Case Name and Description.
• Click Save to create the case.

If you want to create an Advanced eDiscovery case, expand the Advanced Settings (optional) section and enable the eDiscovery Premium option. If the option is greyed out, it means your tenant does not have a valid license to use this feature. In that case, you can start a trial or purchase the required license to access eDiscovery Premium.

Step 3: Assigning Permissions to Users (Optional)

By default, an eDiscovery Administrator has access to all cases, while an eDiscovery Manager only has access to the cases assigned to them. If you want to grant access to another user with specific permissions, you can delegate access by following the steps below.

• Open the eDiscovery case.
• Go to Case Settings at top right corner > Permissions.
• Add users and assign roles (e.g., Reviewer, Investigator).

Step 5: Placing Content on Legal Hold

Placing content on hold (also known as a litigation hold) means preserving a user’s data to prevent it from being permanently deleted. When a hold is applied to a mailbox or OneDrive account, any data the user deletes—whether intentionally or accidentally—is not removed. Instead, it is securely stored in a hidden location (often referred to as the eDiscovery container), allowing administrators to search and recover that data at any time. This ensures important information is retained for legal, compliance, or investigation purposes.

• Navigate to the Hold Policies section.
• Click Create Hold and select the data source:

• Give a Name and Description of the Hold

• Choose the Locations and select the Add sources:
  • Exchange (Emails)
  • OneDrive (Documents)

• Save the Policy and click on the Apply Hold. 
• Once the Policy is applied you should see the Hold Status in the Details Tab.

You can skip Hold in eDiscovery if there is no need to preserve data for a legal case, investigation, or compliance requirements. However, if you are required to retain data for legal or regulatory reasons, applying a Hold is recommended. Skipping it may lead to data loss if users delete or modify content before the investigation is complete.

Step 6: Running a Content Search

• Click New Search in eDiscovery.

Give a Name and Description of the New Search

• Select the Location Add Sources and Search the user account.

• Use filters such as:
  • Keywords (e.g., “confidential project”)
  • Date Ranges
  • Specific Users or Groups
  • Subject Title
• One you add the filters click on the Run query at top right.

• Review search results and refine as needed. After Review Click on the Export at top.

Step 6: Exporting and Downloading Data

• Give it a Name and Description.

• Choose the Default Settings or Adjust the Export Result as needed. Click on the Export.

• It will take some time to download the Result, Depending on the Case size. You can Track the Progress Under the Process Manager.

• Once Export is completed, You can go to Exports in in the Cases. 

• Open the eDiscovery Case and Click on the Download.

If you encounter an error, please check the roles assigned to your account. Additionally, errors may occur if your browser does not support the required features or if you are logged in using an InPrivate browsing session. For the best result, use Microsoft Edge.

• Once the export is complete, Downloaded. you can Review the emails and Search Data.

Step 8: Reviewing Data in eDiscovery

• Import the PST file into the Outlook app to review the results.
• If you have a large amount of data, you can also use third-party software for better management and analysis: – Use the Free version of SysTools Outlook PST Viewer.

Best Practices for eDiscovery in Office 365

✔ Maintain detailed documentation for all cases.
✔ Regularly audit permissions to prevent unauthorized access.
✔ Train employees on data retention policies for compliance.
✔ Automate case notifications to streamline workflows.

Common Challenges and Solutions

🚀 Large Datasets – Use date filters to narrow search results.
🔒 Permission Issues – Ensure users have the eDiscovery Manager role.
⏳ Slow Searches – Follow indexing best practices for faster queries.

Conclusion

Microsoft 365 eDiscovery is a powerful tool for businesses to efficiently manage legal and compliance needs. By following this step-by-step guide, organizations can search, preserve, and export critical data with ease. Whether using Core eDiscovery for basic searches or Advanced eDiscovery for in-depth analysis, mastering these tools is essential for compliance teams.

FAQs

1. How long does an eDiscovery search take in Office 365?
It depends on dataset size and complexity, but most searches complete within a few minutes to an hour.

2. Can I recover deleted emails using eDiscovery?
Yes, as long as retention policies are in place and the data has not been permanently deleted.

3. Is eDiscovery included in all Microsoft 365 plans?
No, Core eDiscovery is available in E3, while Advanced eDiscovery requires an E5 license.

4. How do I ensure compliance with data retention policies?
Regularly review legal hold settings and configure compliance policies in the Compliance Center.

5. What happens if I remove a legal hold?
Data may be deleted permanently if no other retention policy is in place.

6. What is eDiscovery office 365?
eDiscovery in Office 365 (Microsoft 365) is a tool that helps organizations search, preserve, and export data from Exchange Online, SharePoint, OneDrive, Teams, and other Microsoft 365 services for legal, compliance, or investigative purposes.

Related URLs:-

• Secure Sensitive Documents in SharePoint Online Using IRM
• Microsoft 365 Data Protection: The Ultimate Guide to Secure Your Cloud Data.
• How to Send Encrypted Email in Outlook: A Step-by-Step Guide
• Microsoft Insider Risk Management: A Complete Guide to Prevent Insider Threats

Enjoyed the article?
We’d love to hear your thoughts—share your comments below!
For more insights, guides, and updates from the Microsoft ecosystem, be sure to subscribe to our newsletter and follow us on LinkedIn. Stay connected and never miss out on the latest tips and news!