Practical Compliance: Microsoft Revamps Purview eDiscovery

Purview Introduces a Unified eDiscovery Framework

Microsoft announced modernized eDiscovery in message center notification MC808165 (last updated 20 September 2024, Microsoft 365 roadmap item 383744). Normally Practical365.com doesn’t cover individual updates, but this is a major overhaul of a Purview solution that will affect how administrators work.

In a nutshell, Microsoft is combining three separate solutions into a unified eDiscovery framework. The three “classic” solutions are:

• Content search: Basic search of Exchange mailboxes, SharePoint and OneDrive sites, Teams, Viva Engage, Planner compliance records, and so on that’s available in Office 365 E3 and above. The on-premises versions of Exchange and SharePoint offered much the same facility. Microsoft updated the content search UI in 2021. The interface remained slow, but it is dependable.
• eDiscovery standard: Built around the concept of “cases” where each case represents an investigation composed of searches, in-place holds, and other information. The searches run in an eDiscovery case are content searches and the in-place holds are like those imposed by Microsoft 365 retention policies.
• eDiscovery Premium. In January 2015, Microsoft bought Equivio, a company specializing in high-end eDiscovery technology. Subsequently, Microsoft rebranded the Equivio technology as eDiscovery Premium (also referred to as Advanced eDiscovery) and bundled it in Office 365 E5. Advanced eDiscovery is also available through license add-ons.

The modernized eDiscovery is simplified into standard and premium cases. A case is a container to hold elements of an eDiscovery operation. Standard cases are limited to searches and holds, while premium cases offer a lot more functionality.

Purview Portal Transitions

The work around eDiscovery is part of a transition from the Microsoft Purview compliance portal and the Microsoft Purview portal. The names of the two administrative portals don’t sound very different, but Microsoft wants to retire the compliance portal at the end of December 2024. After that point, the Microsoft Purview portal is the focus for the Purview solution and all future development will happen there, including the modernized eDiscovery interface.

Microsoft plans to maintain access to the “classic eDiscovery experience” through the Purview portal until an indeterimate point in 2025. You can work with eDiscovery as before until Microsoft retires the “classic” experience. After that, only the new UI will be available.

Finding Content Searches

From a tenant administrator perspective, content searches are core functionality. Content searches use Keyword Query Language (KeyQL) queries to find items of interest that can then be exported as individual message items, documents, or to a PST. Content searches are also good at recovering information from inactive mailboxes or deleted documents held by retention policies.

By comparison, eDiscovery cases are usually the domain of specialized investigators who understand techniques used to find information needed in more complex situations, such as legal investigations into some wrongdoing. This is especially true for eDiscovery premium cases, which can scale up to deal with millions of items.

It makes perfect sense for Microsoft to create a unified eDiscovery framework where the three solutions share a common workflow. The logic is less appealing for administrators who might not use eDiscovery heavily and now need to transition to the new UI. My reaction was: “Where are my old content searches”?

To fit content searches into the new framework, Microsoft gathered them into a special form of an eDiscovery case. Cases have always supported multiple searches, so there’s nothing unusual about the solution. Content searches were not highlighted in the preview UI and many administrators reported that they couldn’t easily find how to access searches that they had previously run. Microsoft listened and the current UI (Figure 1) has two links to access content searches.

After opening the content search case, it’s a matter of finding the individual content search you need (or creating a new search) and working with it. Aside from fitting content searches into the eDiscovery framework, there’s no trace of modernization here as Purview uses exactly the same UI, and everything works as before. This situation will pertain until Microsoft retires classic eDiscovery at the end of 2025.

Modern eDiscovery

Which brings us to modernized eDiscovery, where cases are the basis for all eDiscovery operations. As noted above, a case is a container to hold elements used in eDiscovery, like searches and in-place holds, and in premium cases, review sets, analytics, statistics, and so on (here’s a comparison between the two levels of eDiscovery).

Creating a case is simple because it’s just a container, or as Microsoft says ”the primary component of the eDiscovery workflow” (in other words, cases are how you organize eDiscovery activity). Purview knows what license the account that creates a case has and can enable or disable premium features based on licensing. If you have Office 365 E3, you are limited to standard eDiscovery functionality, but a standard case can be upgraded if someone with a premium license manages the case and amends the case setting to use premium features (Figure 2).

After creating a case, the next step is to develop the case by adding searches to find information of interest and to impose in-place holds necessary to retain information needed by an investigation. The most basic form of case is one with a single search (the equivalent of a content search). Compliance roles and role groups are available to control who can manage individual cases and access the information discovered by case searches.

Standard cases don’t change very much in the modernized eDiscovery. These cases are basic. They satisfy a need to allow organizations to run simple eDiscovery operations that consist of finding and holding information. Premium eDiscovery is very different and it’s where most Microsoft engineering effort has been focused over the past few years.

Premium eDiscovery cases feature review sets. A review set is data found by searches and copied to a secure location in Azure. Once the data is copied from its original locations (mailboxes, sites, OneDrive, Teams), eDiscovery investigators can work on the set to determine if the information is of real value. Figure 3 shows an item from a review set being annotated.

Creating a review set involves a process called advanced indexing. With standard eDiscovery, the possibility exists that a search might not find an item of interest because of partial indexing. Advanced indexing reprocesses any partially indexed items in search locations to make sure that any data needed for an investigation is found.

One advantage of review sets is that Purview can extract full Teams and Viva Engage chats. A chat is composed of individual messages, each of which is captured as a compliance record in the user’s mailbox. A simple search will find compliance records that match the search criteria. When Purview creates a review set, it includes all the messages from the full conversation to make sure that investigations understand why a search match occurred and the complete context around the match. This is known as conversation threading.

Conversation threading and other features like analytics add computed metadata to items in review sets. For instance, the thread identifier for a Teams conversation is captured. Investigators can filter items based on metadata to help collect related information.

Some Flaws in Preview

The new UI is still in preview and some flaws appear. For instance, when adding sources to a search, the account picker includes guest accounts and accounts synchronized because they’re part of a multi-tenant organization. This might be because the search covers cloud-only mailboxes used to hold compliance items created for guest accounts, but there’s no indication that this is the case.

Lots of Change

There’s a lot in modernized eDiscovery, especially in the Premium variant. Many of the advanced features are a little esoteric and will only interest people who specialize in compliance. Users working on compliance should have Office 365 E5 licenses to allow them to take advantage of the extra functionality exposed in eDiscovery and other Purview compliance solutions.

Tenant administrators need to understand that the Purview compliance portal is being retired, a new Purview portal is coming, and that users who depend on the classic eDiscovery solutions will probably need some training to understand how to get things done with the modernized eDiscovery, including the differences in terminology, like “collections” being replaced by “statistics”, and functionality like the new process manager and the way that eDiscovery premium links mailboxes with OneDrive accounts when adding users to cases. Like many other places in life, detail really counts when working with eDiscovery.