5 key questions an Office 365 eDiscovery Team must answer


The eDiscovery function in an organization should ideally be performed by business teams outside of IT such as Compliance, Legal, Risk, Security and Internal Audit. This eliminates communication breakdowns, expedites the eDiscovery request turnaround time, and places the job function in the area of the business that understands the problem best. For business teams to do this however, they need to answer 5 questions about each request before starting.


This is a joint post with a friend and co-worker of mine, Ali Fadavinia. Ali and I work together on a large team rolling out Office 365 capabilities, including eDiscovery, to an organization.

Ali’s technical background is Network and Computer Software Engineering. He enjoys working with cutting-edge technologies and implementing them across infrastructures and organizations. He works with the Office 365 suite of products such as eDiscovery in his daily work environment.

You can reach out to Ali via LinkedIn.

This post covers Office 365 content only. To be clear, in most organizations, there is content outside of Office 365 that must also be presented when fulfilling an eDiscovery request to provide a complete and accurate response. (Example: Facebook, LinkedIn, Twitter, DropBox) This content can be imported into Office 365 and included in an eDiscovery search as well. Reference: Archive third-party data

For each eDiscovery request an organization must respond to, the business team needs to answer the following 5 fundamental questions:

  • #1 – Who has what we need?
  • #2 – Where do we look for it?
  • #3 – Is a hold required?
  • #4 – How do we get it?
  • #5 – What does it look like when we get it?

These questions are a great way to start thinking about any eDiscovery request. This post will expand on these questions through a real-world example of an internal investigation eDiscovery request.

Internal Investigation Request

“Produce all communication between employees Bob and Lisa in regards to Financial reports between April and June 2019” 

To monitor ongoing communication between Bob & Lisa, this organization could also leverage Supervision Policies in Office 365. A new solution announced at Ignite 2019 called Communication Compliance could also be used. Link: Communication Compliance in Microsoft 365 (Preview)

Let’s return to the initial 5 questions and how we would answer them for this investigative request:

#1 – Who has what we need?  

In this example, Bob and Lisa are the owners of their communication. We’ll limit our search to all digital communication between these 2 employees. Fairly straight-forward.

#2 – Where do we look for it? 

It’s important for the eDiscovery team to align on what communication means within the scope of this request (across Office 365). For this example, they align on: 

  • Outlook Emails between Bob and Lisa
  • Microsoft Teams chats between Bob and Lisa
  • Teams posts (conversations) in any Microsoft Teams where both Bob and Lisa are members

#3 – Is a hold required?

A hold is required to protect the integrity of the records produced in the response. In this request, we want to prevent the inadvertent or intentional deletion of any of the communication channels we identified above so we’ll place both Bob and Lisa’s Exchange mailboxes on hold as well as the Group mailboxes they’re a member of. This makes both Bob and Lisa “custodians”.

To find their Group mailboxes, you would need to find all Groups Bob and Lisa are each a member of (using PowerShell, viewing group membership in Outlook contact card, or the Microsoft 365 Admin Center… Users) and then cross-reference the lists with each other identifying the team(s) that overlap. In this case, it is one Team – the IT Genius Team.
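The cross-referencing step above, done with Exchange Online PowerShell. This is an added example, not the authors' script; it assumes the ExchangeOnlineManagement module is installed, the account can connect to Exchange Online, and the custodian addresses (constructed placeholders) are their primary SMTP addresses.

```powershell
# Added example: find the Microsoft 365 Groups that every custodian belongs to,
# so their group mailboxes can be added to the hold locations.
# Assumes the ExchangeOnlineManagement module; addresses are constructed placeholders.
Connect-ExchangeOnline

$custodians = @('bob.smith@contoso.com', 'lisa.spencer@contoso.com') |
    ForEach-Object { $_.ToLower() }

# Build a map of group SMTP address -> member SMTP addresses.
# Get-UnifiedGroupLinks runs once per group, so this is slow in a large tenant
# but needs no per-user directory queries.
$membership = @{}
foreach ($group in Get-UnifiedGroup -ResultSize Unlimited) {
    $members = Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Members |
        ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() }
    $membership[$group.PrimarySmtpAddress.ToString().ToLower()] = @($members)
}

# Per-custodian membership list (the two lists the post says to compare).
foreach ($user in $custodians) {
    $groups = $membership.Keys | Where-Object { $membership[$_] -contains $user }
    "{0} is a member of {1} group(s): {2}" -f $user, @($groups).Count, ($groups -join ', ')
}

# Cross-reference: keep only the groups where every custodian is a member.
$overlap = $membership.Keys | Where-Object {
    $g = $_
    $missing = $custodians | Where-Object { $membership[$g] -notcontains $_ }
    -not $missing
}

"Group mailboxes shared by all custodians (add these to the hold):"
$overlap
```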

Hold locations

At Microsoft Ignite 2019, a new capability in Advanced eDiscovery was announced to automatically detect all Teams a custodian is currently a member of, making this discovery a much easier (and integrated) task.

#4 – How do we get it?

We search for it by building a query. We’ll start in the GUI of the eDiscovery tool, which generates a query in Keyword Query Language (KQL) syntax from the selections we make.

For this request, we’ll execute 2 searches for the search term “financial report” against the hold locations, one where Lisa is the sender and one where Bob is the sender. Splitting the searches simplifies the queries and the review, since it isolates conversations from Bob versus conversations from Lisa:

  • Search #1: search against all hold locations but filter the search to only include items sent by Lisa to either Bob directly or to the ‘IT Genius Team’ group mailbox. This will include email messages and Teams chats between Bob and Lisa and Teams posts for the ‘IT Genius Team’ sent by Lisa.
  • Search #2: search against all hold locations but filter the search to only include items sent by Bob to either Lisa directly or to the ‘IT Genius Team’ group mailbox. This will include email messages and Teams chats between Bob and Lisa and Teams posts for the ‘IT Genius Team’ sent by Bob.

The generated search queries for the above 2 searches look like this (note that Search #1 filters on Lisa as the sender and Search #2 on Bob, matching the descriptions above):

Search query #1 against hold locations (sent by Lisa):

financial report(c:c)(participants="IT Genius Team")(participants="Bob Smith")(date=2019-04-01..2019-06-30)(from="Lisa Spencer")

Search query #2 against hold locations (sent by Bob):

financial report(c:c)(participants="Lisa Spencer")(participants="IT Genius Team")(date=2019-04-01..2019-06-30)(from="Bob Smith")
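Questions #3 and #4 scripted end to end in Security & Compliance PowerShell: create the case, put the three hold locations on hold, then run the two sender-split searches. This is an added example, not the authors' code. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession), uses constructed placeholder addresses for Bob, Lisa and the ‘IT Genius Team’ group mailbox, and writes the GUI-generated conditions above in plain KQL property:value form (sent date range instead of the GUI's date condition).

```powershell
# Added example: case, hold and searches for the investigation request.
# Assumes a Security & Compliance PowerShell session; addresses are constructed.
Connect-IPPSSession

$case       = 'Internal Investigation - Financial Reports'
$custodians = @('bob.smith@contoso.com', 'lisa.spencer@contoso.com')
$teamBox    = 'itgeniusteam@contoso.com'        # 'IT Genius Team' group mailbox
$locations  = $custodians + $teamBox

# Question #3: hold every identified location before searching. A hold rule
# with no ContentMatchQuery preserves all content in those mailboxes.
New-ComplianceCase -Name $case | Out-Null
New-CaseHoldPolicy -Name "$case - Hold" -Case $case -ExchangeLocation $locations | Out-Null
New-CaseHoldRule   -Name "$case - Hold Rule" -Policy "$case - Hold" | Out-Null

# Question #4: one search per sender, same phrase and date window.
$window   = 'sent>=2019-04-01 AND sent<=2019-06-30'
$searches = @{
    "$case - Sent by Lisa" = '"financial report" AND from:"Lisa Spencer" AND ' +
        '(participants:"Bob Smith" OR participants:"IT Genius Team") AND ' + $window
    "$case - Sent by Bob"  = '"financial report" AND from:"Bob Smith" AND ' +
        '(participants:"Lisa Spencer" OR participants:"IT Genius Team") AND ' + $window
}

foreach ($name in $searches.Keys) {
    New-ComplianceSearch -Name $name -Case $case -ExchangeLocation $locations `
        -ContentMatchQuery $searches[$name] | Out-Null
    Start-ComplianceSearch -Identity $name
}

# Wait for both estimates to finish, then report item counts for the reviewers.
do {
    Start-Sleep -Seconds 30
    $status = $searches.Keys | ForEach-Object { Get-ComplianceSearch -Identity $_ }
} while ($status.Status -contains 'Starting' -or $status.Status -contains 'InProgress')

$status | Select-Object Name, Status, Items, Size
```

Export (New-ComplianceSearchAction -Export) or in-tool review in Advanced eDiscovery follows once the item counts look right.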

#5 – What does it look like when we get it? 

When these search results are exported for review, they’ll all be in the form of email messages, even though they are different forms of communication. Whether the communication happened directly in Outlook, in a Teams chat, or in a Teams post (standard or private channel), it is stored in Exchange as an email message behind the scenes. The results can be exported as 1 .pst file, separate .pst files, or individual email messages, depending on how the business team prefers to review them.

If the request were to include files as well, the results would include the native files (Office documents, images, PDFs, etc.).

Note: if using Advanced eDiscovery, you can review the results within the tool rather than exporting for review.

Closing thoughts

Whether the eDiscovery request is small or large, investigative or statutory, the 5 questions discussed in this post should be top-of-mind for business teams responding to the request and a great place to start. This should help standardize and streamline the process. Always a good thing.

Thanks for reading.

-JCK and Ali

Credit: Photo by Jon Tyson on Unsplash


  1. Was wondering how you separate email from chat conversations when structuring a search in the O365 eDiscovery module (the requestor wants chat conversations only; no email)
