Doing eDiscovery, Litigation Hold, and Addressing Journaling in Office 365

Page 2 of 3

Set-Mailbox -Identity <username>@<domain> -LitigationHoldEnabled $true

{where <username> is the name of the user, and <domain> is the company’s domain name}

Similarly, a mailbox can be placed on hold for a period of time using:

Set-Mailbox -Identity <username>@<domain> -LitigationHoldEnabled $true -LitigationHoldDuration 2555

{where 2555 is the number of days, which is approximately 7 years}

Or to place all mailboxes on Litigation hold for a year, the PowerShell command is:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration 365

More specific details on this command sequence are up on:

Enabling Query-based Hold

While Litigation Hold places a user’s entire mailbox on hold, an organization may choose to put only selected content on hold. This may be enabled for a user who will be working on a specific project, or who will hold a specific (regulated) role for a period of time, so that the user’s mailbox content is held during that period.

With a Query-based Hold, an administrator can choose which users’ content to retain (all or selected users), and can also choose the period of retention (i.e. 1 year, 3 years, forever). This is why email archiving and retention periods are no longer a separate thought process and configuration task; it all rolls up into the Query-based Holds process across all Office 365 workloads.

To put a mailbox on a Query-based Hold in Office 365, an individual you added to the Discovery Management role needs to do the following:

1. Logon to the Office 365 Admin Portal ( with a user logon that has rights to the Office 365 admin center.

2. On the lefthand side, scroll down to Admin and click on Exchange

3. In the Exchange admin center, click on “compliance management” and in the “in-place eDiscovery & hold” section click the + button to create a Hold policy

4. After pressing + in the “in-place eDiscovery & hold” section, you’ll go through a series of pages to place all (or selected) mailboxes on hold. The first page is where you enter a Name and description of this particular hold (make it descriptive, like “Hold Mary Smith and John Doe’s Mailboxes for all of 2015 and 2016” or “Hold All Exec Mgmt Mailboxes for 9 months”). After you enter a name (and an optional description), click Next.

5. You’ll now be prompted to choose “Search all mailboxes” or “Specify mailboxes to search”. Click “Search all mailboxes” if you want to select all mailboxes for Hold, or choose “Specify mailboxes to search” and click the + to enter the names and select the users you want to put on hold. Click Next when done.

6. You can now narrow down your Hold criteria. If you already put the entire mailbox on Litigation Hold, then you wouldn’t necessarily need to put the entire content of the mailbox on a Query-based Hold as well. To selectively search for content, enter start/end dates and keyword criteria, or even choose to select only messages from or to specific individuals that you want searched and held.

7. Select “Place content matching the search query in selected sources on hold”, most likely with “Hold indefinitely” also selected (this will keep the content on hold until you specifically remove the hold), then click Finish.

With Litigation Hold and Query-based holds enabled, all messages, regardless of other retention policy limits, will be retained.
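As an added example (not code from the original article or from Microsoft), the same two kinds of hold set from Exchange Online PowerShell, followed by an audit of which user mailboxes actually carry a hold. It assumes the ExchangeOnlineManagement module, an account holding the Discovery Management role, and contoso.com addresses as constructed placeholders; Microsoft has since retired the query-based In-Place Holds that New-MailboxSearch creates in favour of eDiscovery case holds, so that step may be rejected on a current tenant.

```powershell
# Added example: place mailboxes on Litigation Hold and on a query-based (In-Place) hold,
# then report hold state for every user mailbox so gaps are visible before a search is run.
# Assumptions: ExchangeOnlineManagement module installed; contoso.com is a placeholder domain.

Connect-ExchangeOnline

# 1. Litigation Hold on named custodians for 2555 days (about 7 years), recording owner
#    and reason so the hold can be explained later.
$custodians = @('mary.smith@contoso.com', 'john.doe@contoso.com')   # constructed sample
foreach ($mbx in $custodians) {
    Set-Mailbox -Identity $mbx `
        -LitigationHoldEnabled $true `
        -LitigationHoldDuration 2555 `
        -LitigationHoldOwner 'legal@contoso.com' `
        -RetentionComment 'Case 1234567: hold per legal counsel'   # constructed case number
}

# 2. Query-based hold: only messages in the custodians' mailboxes from 2015-2016 that
#    match the phrase, held indefinitely until the hold is explicitly removed.
#    (In-Place Holds have since been retired by Microsoft; see lead-in.)
New-MailboxSearch -Name 'Hold Mary Smith and John Doe 2015-2016' `
    -SourceMailboxes $custodians `
    -SearchQuery '"don''t tell anyone"' `
    -StartDate '1/1/2015' -EndDate '12/31/2016' `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod Unlimited

# 3. Audit: hold state for every user mailbox. InPlaceHolds is a list of hold GUIDs,
#    joined into one string so it prints and compares cleanly.
$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object DisplayName, PrimarySmtpAddress,
        LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner, LitigationHoldDuration,
        @{n = 'InPlaceHolds'; e = { $_.InPlaceHolds -join ';' }}

$report | Format-Table -AutoSize

# Mailboxes with no hold of either kind: review this list against the custodian list
# and keep the output with the case file as evidence of what was (and was not) preserved.
$report | Where-Object { -not $_.LitigationHoldEnabled -and $_.InPlaceHolds -eq '' } |
    Format-Table DisplayName, PrimarySmtpAddress -AutoSize
```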

Searching for Content (aka eDiscovery) in Office 365

Searching for information, whether it is information actively in a user’s mailbox, edited or modified by the user, deleted from their mailbox (but not yet purged out of Office 365), or held under Litigation Hold, is done the exact same way. The only difference is the amount of information that may be found (i.e. a search of mailboxes on Litigation Hold will find more information than one of mailboxes not on Hold, since mailboxes not on hold will almost inevitably have had information deleted, or content modified/edited, without it being tracked and saved).

Key to searching is to choose words, date ranges, and other key parameters that help you zero in on the information you are looking for, without narrowing down so tightly that your search fails to find all of it. As an example, if you simply search for information between Bob and Mary over a 30-day period, you might end up with 1000 messages, which might be too much information to sift through to find what you are looking for. On the other hand, if you search for messages between Bob and Mary over the 30-day period with the key phrase “don’t tell anyone”, which might narrow the search down to, say, 8 messages, then if at any point during the email thread either Bob or Mary deleted or changed the “don’t tell anyone” phrase in the email, those subsequent emails would not show up in your search results. This happens frequently: as messages get really long, users may delete or truncate part of the message. Or if you only look for words in a Subject line and one of the users changes the Subject line title, then your tight search may not return what you were expecting either.

It is recommended that you create a very small mailbox with only a few dozen messages inside it and try out the searching process to perfect your ability to look for (and ultimately find) the information you need, before you try to look at a mailbox or several mailboxes with hundreds of thousands of email messages. Remember, this is a very specific search: it will find exactly what you are looking for. Unlike searching the Web with Google or Bing, which finds information that “kind of” has the same words, or similar words and phrases, the eDiscovery search in Office 365 will only find 100% exact matches to what you query.

Additionally, when you do an eDiscovery search in Office 365, depending on your configuration, the results will give you a list of messages but won’t specifically tell you where each message was found (in the user’s Inbox, Sent Mail, Deleted Items folder, etc). You are simply given the content the search found, which could come from any of the following locations:

  • Any folder in the user’s mailbox
  • The Deleted Items folder which holds messages that have been deleted but not yet flushed from the Deleted Items folder
  • The Recoverable Items / Deletions folder which contains messages deleted from the Deleted Items folder
  • The Recoverable Items / Purges folder which is used for messages deleted while the mailbox is in Litigation Hold or Single Item Recovery
  • The hidden Recoverable Items / Versions folder which contains messages that were edited or modified.

You may find multiple copies of what looks like the same message; however, when you look deeper, you’ll find the message was likely modified, edited, deleted, and/or an attempt was made to purge it. This is a good thing in eDiscovery: it finds messages that have been edited or modified by the user so that you see ALL copies and versions. But you have to be aware when you search and find the content that the search results don’t clearly tell you “this is a message that John deleted”, nor will you get a notice saying “this is the email in which Mary modified these 5 words”. You merely get lots of messages, and it is up to you to figure out what was modified, changed, deleted, etc.

To search for information using the native Office 365 eDiscovery search capabilities, do the following:

Assign Someone the Rights to Perform a Search Query

This is a one-time step that needs to be performed to give someone the rights to create a search query. By default, no one in the organization, including the Office 365 Administrator, has the rights to create search queries, but the Office 365 Administrator can give themselves permission to perform searches. So it’s just 1 extra step for the Office 365 Administrator to give themselves and others (like someone in legal counsel, human resources, compliance, security, etc) search capabilities.

To assign the rights to create a search query, do the following:

1. Logon to the Office 365 Security & Compliance portal ( with a user logon that has Office 365 administration rights.

2. On the lefthand side, scroll down and click on Permissions

3. On the Permissions page, double-click on “eDiscovery Manager” and under eDiscovery Administrator, click the + button and add the users you want to give rights to search mailboxes, SharePoint folders, and/or OneDrive locations, then click Save.

This individual (or these individuals) now has the ability to proceed with actually searching mailboxes, sites, and OneDrive locations. To search for content, do the following:

1. Logon to the Office 365 Security & Compliance portal ( with a user logon that has been given the eDiscovery Administrator permissions in the previous set of steps.

2. On the lefthand side, scroll down to Search & investigation, then click on Content search.

3. Click on + to create a new search, give your search a unique descriptive name (like “Search All Mailboxes for the Words Gunfight”)

4. Choose “Search Everywhere” if you want to search all of Office 365 (Exchange emails, SharePoint files, and Public Folders), or choose specific users as well as specific content (so you can select one or a few users, specify particular words, and choose to check only emails and not SharePoint). Click on “Learn more” for help with the query syntax. There are lots of variations to the search.

5. Click Next to begin the search.

6. Click on “Preview search results” to see a list of emails (and documents, etc) that meet the criteria you specified in your search.

7. Click “Start Export” to export the found content to a PST that can be used for preliminary review, or can be burned to a DVD and provided as the official search results.

The content found from the search results is raw information. If the mailboxes were placed on Litigation Hold or Query-based Hold, then the results will include original messages as well as any messages deleted, modified, edited, sent, or received; everything will be in the search results. Far fewer instances will be found from mailboxes that did not have a prior Hold associated with the content.

This hold and search capability is built into Office 365 and available to organizations with the Office E3 or higher licenses that provide eDiscovery search. With Litigation Hold enabled, this completely replaces the need for Journals, as content in its various forms is preserved, can be documented, and can be validated.
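The Bob-and-Mary search described earlier, and the Content search steps just listed, as an added example run from the Security & Compliance PowerShell instead of the portal (not code from the original article or from Microsoft). It assumes the ExchangeOnlineManagement module, an account in the eDiscovery Manager role, constructed contoso.com addresses and a constructed March 2015 date window; running the broad and the phrase-narrowed query side by side makes the hit-count difference and the exact-match caveat visible.

```powershell
# Added example: two Content searches over the same two custodians and 30-day window,
# one broad and one narrowed to a phrase, then an export of the narrowed results to PST.
# Assumptions: ExchangeOnlineManagement module installed; contoso.com addresses and the
# March 2015 window are constructed placeholders.

Connect-IPPSSession

$bob  = 'bob@contoso.com'     # constructed sample custodians
$mary = 'mary@contoso.com'

# Broad query: every message exchanged between the two in the window.
# The phrase query is the same plus an exact phrase; because matching is exact, any copy
# in which the phrase was later edited out (or the Subject changed) will not be returned.
$broad  = "(from:$bob AND to:$mary) OR (from:$mary AND to:$bob)"
$broad += ' AND sent>=2015-03-01 AND sent<=2015-03-31'
$narrow = $broad + ' AND "don''t tell anyone"'

$searches = @(
    @{ Name = 'Bob-Mary March 2015 broad';  Query = $broad  },
    @{ Name = 'Bob-Mary March 2015 phrase'; Query = $narrow }
)
foreach ($s in $searches) {
    New-ComplianceSearch -Name $s.Name `
        -ExchangeLocation $bob, $mary `
        -ContentMatchQuery $s.Query | Out-Null
    Start-ComplianceSearch -Identity $s.Name
}

# Poll until neither search is still running, then compare hit counts side by side
# (the article's "1000 messages" versus "8 messages" case).
do {
    Start-Sleep -Seconds 30
    $state = $searches | ForEach-Object { Get-ComplianceSearch -Identity $_.Name }
} while ($state | Where-Object { $_.Status -in 'NotStarted', 'Starting', 'InProgress' })
$state | Format-Table Name, Status, Items, Size -AutoSize

# Export the narrowed search as a PST (FxStream) for review; the export job is named
# "<search name>_Export" and its progress is tracked with Get-ComplianceSearchAction.
New-ComplianceSearchAction -SearchName 'Bob-Mary March 2015 phrase' -Export -Format FxStream
Get-ComplianceSearchAction -Identity 'Bob-Mary March 2015 phrase_Export' |
    Format-List Name, Status
```

Keep the broad search's results alongside the narrowed one: the difference between the two counts is exactly the material a too-tight query would have missed.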

Introduction of Advanced eDiscovery in Office 365

While the Hold and Search capabilities in Office 365 provide rudimentary functionality, many organizations want a more sophisticated Case Management system to organize searches and queries, and to conduct tagging within the query results.

In 2015, Microsoft acquired a company called Equivio and integrated its eDiscovery and machine-learning-powered compliance solution into Microsoft’s offering. Organizations that own the Office 365 E5 license have rights to use the “Advanced eDiscovery” features.

To move content from the built-in Content search to Advanced eDiscovery, do the following:

1. From within the Office 365 Security & Compliance portal ( after completing a Content search as covered in the previous set of steps, you’ll find that the Search results pane on the right side has a notation “Analyze results with Advanced eDiscovery” with a “Prepare results for analysis” link. Click on “Prepare results for analysis”.

2. A pop-up will ask a few more questions. Choose the items to prepare, and then under “Send email to this address when we’re done preparing the results”, key in an email address that will be notified when the preparation is complete, then click Prepare. This process could take minutes or a couple of hours, depending on how much content it needs to prepare. A notification will be sent to the email address you entered in the previous step when the preparation is done; alternatively, on the Content search page, you’ll notice the “Check preparation status” (notifying you it is still chugging along) will be replaced by “Check preparation status” and “Prepare results again”, indicating that the preparation has completed.

3. When the preparation is complete, in the Office 365 Security & Compliance portal, in the lefthand column, scroll down to “Search & investigation”, then to the eDiscovery option, and click on “Go to Advanced eDiscovery”.

4. You will land at a “Cases” page that lists the various cases you have been working on. If this is the first time you are going to this page, your Cases list will be blank. Click the + button in the upper right to create a new case.

5. Enter a descriptive name for the Case (like “Case between Bob and Mary on Legal Case #1234567”), then click OK.

There are 4 major things you can do within each case: “Prepare” a case (which imports the Search Content into the case management system); “Relevance”, which allows you to review, search, and tag content; “Export”, which allows you to report your results; and “Reports”, which generates a series of analysis reports.
