Share via

Learn about eDiscovery

Electronic discovery, or eDiscovery, is the process of identifying and delivering electronically stored information (ESI) that you can use as evidence in investigations and legal cases. You can use Microsoft Purview eDiscovery to identify, review, and manage content in Microsoft 365 services to support your investigations. Supported Microsoft 365 services include:

  • Exchange Online
  • Microsoft Teams
  • Microsoft 365 Groups
  • OneDrive
  • SharePoint
  • Viva Engage

You can search mailboxes and sites in the same eDiscovery search, and then export the search results. You can use eDiscovery cases to identify, hold, and export content found in mailboxes and sites. If your organization has an Office 365 E5 or Microsoft 365 E5 subscription (or related E5 add-on subscriptions), you can further manage cases and analyze content by using premium eDiscovery features.

eDiscovery in the Microsoft Purview portal

Depending on the licensing and subscriptions for your organization, you have access to specific eDiscovery or premium eDiscovery features in the Microsoft Purview portal. All Content Search features are now included within the search experience in eDiscovery, or you can use the Content Search case in eDiscovery to manage all new and existing content searches.

To get the latest information on planned eDiscovery features and capabilities and estimated release dates, see the Microsoft 365 Roadmap.

Important

The classic eDiscovery experiences were retired on August 31, 2025. This retirement includes classic Content Search, classic eDiscovery (Standard), and classic eDiscovery (Premium). These options aren't available as an experience option in the Microsoft Purview portal.

Unless you're working directly with Microsoft when using these legacy features for specific short-term transition scenarios, use the guidance for the new eDiscovery experience in the Microsoft Purview portal.

Notable changes in eDiscovery

For customers who are already familiar with previous versions of eDiscovery, several notable differences exist when using eDiscovery in the Microsoft Purview portal:

  • Advanced indexing: When you add a custodian or noncustodial data source to a case in previous versions of eDiscovery, you need to reindex any content that's partially indexed or has indexing errors. Reindexing determines if the contents are relevant to defined search conditions. This reindexing process is called advanced indexing. As more partially and unindexed items are added to data sources (user's mailbox, OneDrive account, and so on), you need to separately update the index for specific custodian or noncustodial data sources.

    In eDiscovery, advanced indexing runs automatically during each search that's scoped for statistics results and when you add results to a review set or export search results, depending on the indexing options you choose for the process. You no longer need to separately reindex data sources before the search process. This just in time indexing process helps avoid issues with stale indices that might result in indexing and search running sequentially and separately in the classic experience. Running (or rerunning) a search automatically updates all indexes.

  • Collections: In previous versions of eDiscovery, collections provided managers with estimates of the content that might be relevant to cases. These estimates allowed managers to make quick, informed decisions about the size and scope of content relevant to cases. Once added to a review set, the collection is immutable.

    In eDiscovery, Statistics in searches replace collections. Statistics results in searches now allow managers to review important insights about the items included in the results and the relevance to the case. Searches aren't immutable in eDiscovery, even after the results are added to a review set. You can update searches at any time. Adding only a sample of the collection into review set and deleting a search is removed in eDiscovery.

  • Content Search: Content search in the retired compliance portal was a separate solution from eDiscovery used for basic searches for content. Results from content search were estimated numbers of locations and search results that you could preview or export to a local computer.

    In the Microsoft Purview portal, all Content Search functionality is now included in a system generated eDiscovery case by default for all members of the eDiscovery manager and Administrator role groups. If you need to limit access to content searches, use Case settings to remove or add members to the case to manage access to these searches. You can also select Content Search in eDiscovery to create a Content Search case in your orgainziation that contains all new and existing content searches.

    The Content Search case has the same capability as other user-created cases. You can create holds, review sets, and more in the content search case, depending on your subscription.

    To learn more about the changes to Cntent Search in eDiscovery, check out the following video:

  • Custodians: In previous versions of eDiscovery, custodians (users) were the primary component of the eDiscovery workflow. Custodians were potential persons of interest in an investigation that you added to cases.

    In eDiscovery, cases are the primary component of the eDiscovery workflow. You still add people, groups, and data sources to cases, but the case is the central organizing unit.

  • Export updates: The new export flow in eDiscovery supports a unified export structure across premium and nonpremium feature exports, faster export performance, detailed reporting, and flexible export options.

  • Jobs: In previous versions of eDiscovery, tasks, activities, and reports associated with workflow components were called jobs. These events and reports are now referred to as processes in eDiscovery.

Features and capabilities

The following table compares key eDiscovery capabilities and features:

Capability eDiscovery feature support Premium eDiscovery feature support
Search for content Supported. Supported.
Keyword queries and search conditions Supported. Supported.
Search statistics Supported. Supported.
Export search results Supported. Supported.
Role-based permissions Supported. Supported.
Case management Supported. Supported.
Place content locations on hold Supported. Supported.
Advanced indexing Supported.
Review sets Supported.
Support for cloud attachments and SharePoint versions Supported.
Optical character recognition Supported.
Conversation threading Supported.
Search statistics and reports Supported.
Review set filtering Supported.
Tagging Supported.
Analytics Supported.
Computed document metadata Supported.
Transparency of long-running processes Supported.
Full reporting for all processes Supported.
Enhanced data source mapping Supported.

Here's a description of each eDiscovery capability.

  • Search for content: Search for content that's stored in Exchange mailboxes, OneDrive accounts, SharePoint sites, Microsoft Teams, Microsoft 365 Groups, and Viva Engage Teams. Searches include content generated by other Microsoft 365 apps that store data in mailboxes and sites.
  • Keyword queries and search conditions: Create Keyword Query Language (KeyQL) search queries to search for content keywords that match query criteria. You can also include conditions to narrow the scope of your search.
  • Search statistics and samples: After you run a search, you can view statistics of the estimated search results, such as the number and total size of items matching your search criteria. You can also view a representative sample of the items included in the search results.
  • Export search results: Export search results to a local computer in your organization. When you export search results, items are copied from their original content ___location and packaged. Then you can download those items in the export package to a local computer.
  • Case management. An eDiscovery case contains all searches, holds, and review sets related to a specific investigation. You can also assign members to a case to control who can access the case and view the contents of the case.
  • Role-based permissions: Use role-based access control (RBAC) permissions to control what eDiscovery-related tasks that different users can perform. You can use a built-in eDiscovery-related role group or create custom role groups that assign specific eDiscovery permissions.
  • Place content locations on hold: Preserve content relevant to your investigation by placing a hold on the content locations in a case. Holds let you secure electronically stored information from inadvertent (or intentional) deletion during your investigation.
  • Advanced indexing: When a search, review set, or export process is run, the associated content locations where items are partially indexed are reindexed in a process called Advanced indexing. Advanced indexing ensures any content deemed as partially indexed is reprocessed to make it fully searchable when you collect data for an investigation.
  • Review sets: Add relevant data to a review set. A review set is a secure, Microsoft-provided Azure Storage ___location in the Microsoft cloud. When you add data to a review set, the collected items are copied from their original content ___location to the review set. Review sets provide a static, known set of content that you can search, filter, tag, analyze, and predict relevancy using predictive coding models. You can also track and report on what content gets added to the review set.
  • Support for cloud attachments and SharePoint versions: When you add content to a review set, you can include cloud attachments or linked files. The target file of a cloud attachment or linked file is added to the review set. You also can add all versions of a SharePoint document to a review set.
  • Optical character recognition (OCR): When content is added to a review set, OCR functionality extracts text from images, and includes the image text with the content that's added to a review set. This lets you search for image text when you query the content in the review set.
  • Conversation threading: When chat messages from Teams and Viva Engage conversations are added to a review set, you can collect the entire conversation thread. The entire chat conversation that contains items that match the search criteria is added to the review set. This lets you review chat items in the context of the back-and-forth conversation.
  • Search statistics and reports: After you create a search or add the search results to a review set, you can view a rich set of statistics on the retrieved items, such as the content locations that contain the most items that matched the search criteria and the number of items returned by the search query. You can also preview a subset of the results.
  • Review set filtering: After content is added to a review set, you can apply filters to display only the set of items that match your filtering criteria. Then you can save the filter sets as a query, which lets you quickly reapply the saved filters. Review set filtering and saved queries help you quickly select content items that are most relevant to your investigation.
  • Tagging: Tags also help you omit nonrelevant content and identify the most relevant content. When experts, attorneys, or other users review content in a review set, their opinions related to the content can be captured by using tags. For example, if the intent is to exclude unnecessary content, a user can tag documents with a tag such as "nonresponsive". After content is reviewed and tagged, a review set query can be created to exclude any content tagged as "nonresponsive". This process eliminates the nonresponsive content from subsequent steps in the eDiscovery workflow.
  • Analytics: eDiscovery allows you to analyze review set documents to help you organize the documents in a coherent manner and reduce the volume of documents to be reviewed. Near duplicate detection groups textually similar documents together to help you make your review process more efficient. Email threading identifies specific email messages that give a complete context of the conversation in an email thread. Themes functionality attempts to analyze themes in review set documents and assign a theme to documents so that you can review documents with related theme. These analytics capabilities help make your review process more efficient so that reviewers can review a fraction of collected documents.
  • Computed document metadata: Many of the eDiscovery premium features, such as conversation threading and analytics, add metadata properties to review set documents. This metadata contains information related to the function performed by a specific feature. When reviewing documents, you can filter on metadata properties to display documents that match your filter criteria. This metadata can be imported into third-party review applications after review set documents are exported.
  • Transparency of long-running processes: Processes in eDiscovery are typically long-running activities that are triggered by user actions, such as the adding custodians to a case, adding content to a review set, running analytics, and creating search queries. You can track the status of these processes and get support information if you need to escalate issues to Microsoft Support.
  • Full reporting for all processes: Use the Process report to view and manage processes in cases, searches, review sets, and holds.
  • Enhanced data source mapping: Searching of locations based on users, search one site for groups and map other locations with groups. Explore frequent collaborators as part of data sources. Includes new locations for users.

Integration with other solutions

Insider risk management

You can quickly escalate cases in Microsoft Purview Insider Risk Management to new cases in eDiscovery when you need additional legal review for potentially risky user activity. The tight integration between these solutions helps your risk and legal teams work more efficiently and provides a complete end-to-end view of user activities under review.

To learn more, see get started with Insider Risk Management and escalate an Insider Risk Management case to an eDiscovery (Premium) case.

Microsoft Security Copilot

In eDiscovery, you can use Microsoft Security Copilot features to draft KeyQL search queries by using natural language. Copilot translates natural language to KeyQL without requiring you to learn how to construct a KeyQL query, know operators, or know supported search metadata fields. Copilot can also provide a contextual summary of most items in a review set. The summary is in the context of text included in a selected item. This summary saves time for reviewers by quickly identifying information helpful when tagging or exporting items. Security Copilot summarizes the entire item, including any documents, meetings transcripts, or attachments. Most of the common document file types are supported.

For more information about using Security Copilot with review sets, see Summarize an item by using Security Copilot.

Ready to get started?