Cloud Attachments and eDiscovery – a Purview Approach

Reading Time: 6 minutes

Warning: This post was written by me, not AI. 🙂

There is a Microsoft Purview capability whereby a retention label can be applied to cloud attachments.  (Microsoft reference: Auto-apply retention labels to cloud attachments)

At first, I didn’t understand the use-case for this capability. Since then, I’ve spent some time digging into it and have worked with a large customer planning to use it so I now have a much better understanding of why you would want to configure this and some important enablement considerations.

This post explains the reason why this is such an important feature and some of my recommendations around it.

For some background, check out this recent post by Ryan Hemmel where he explains the “hype” about cloud attachments (aka “hyperlinked documents”) and the evolving case law around it: What’s the Hype about Hyperlinked Documents? – ProSearch

---

Background

What’s a cloud attachment? A cloud attachment is a hyperlinked file that is stored in SharePoint, OneDrive, or Microsoft 365 Groups and attached as a link to Outlook, Teams, and Viva Engage messages or that is referenced in Copilot interactions.

For example, instead of attaching a copy of a file to an email, a link to the file is sent instead. Although this setting can be enforced thru Group policy, in many organizations I work with, it is simply the encouraged and recommended behavior for email because it has several benefits:

• the linked document can be changed after it is sent, ensuring recipients always access the most current version
• reduces document sprawl
• SharePoint/OneDrive permission controls are enforced for the document

What Microsoft 365 workloads are involved in a cloud attachment? There are 2 key components to consider when managing cloud attachments:

1. Where the cloud attachment is sent from. As of the time of this writing, the electronic communication (eComm) channels in Microsoft 365 that can send a cloud attachment include: Outlook, Teams, Viva Engage, and Copilot interactions.
2. Where the cloud attachment is pointing to. In Microsoft 365, the file that the cloud attachment is pointing to will be stored in either SharePoint (any type of site) or OneDrive. These are the locations that must be in scope for the retention label to be auto-applied.

Please be aware of some limitations Microsoft has documented to things that are shared as “links” that cannot be retained as cloud attachments: Can’t retain cloud attachments.

---

What’s the legal use-case for retaining cloud attachments?

In the era of cloud attachments, their discoverability is of paramount importance. Legal teams need to know the exact version of a file that was shared as a cloud attachment when the email, Teams, or Viva Engage communication was sent. Over time, the file may have changed many times since the cloud attachment was originally shared that could affect the content, context, and/or meaning of a file.

Although it is certainly possible in an eDiscovery Standard or Premium case to review/export all versions of a document and painstakingly match the date and time stamp of each version to the exact time an e-comm was sent, this can take a lot of time. Below are the settings in the Purview eDiscovery tools to show all versions.

In eDiscovery Standard, you have an option to export all document versions:

In eDiscovery Premium, you also have an option to collect all document versions:

Typically, resources tasked with doing this type of correlation are “expensive” resources in an organization making the less time spent doing this, the better. Using eDiscovery Premium (this feature is not available with eDiscovery Standard), having the ability to review the cloud attachment version (along with the current version) can significantly reduce this time. This is a setting you can default for all cases with the eDiscovery (Premium) settings (currently in Public Preview):

---

The End-to-End Process

There are 3 key steps to capturing and viewing a cloud attachment. I’ve captured the process below…

STEP 1: 1-time Purview Records Management setup

The mechanism that Purview uses to retain cloud attachments is the application of a retention label on a copy of the exact file version that was shared. It is applied via an auto-apply retention label policy applied to M365 locations where the file was shared from. The retention label will be applied only to the version of the file that’s being shared or referenced and does not apply to the message it was shared from.

STEP 2: End-users send Cloud Attachments from eComm channels

The mechanism that Purview uses to retain a cloud attachment is it will take a copy of the exact version of the file that was shared and preserve it in the (hidden) Preservation Hold Library on the site it was shared from. This is done without impeding the end-user sharing experience.

STEP 3: eDiscovery Premium collection (Public Preview)

When you have selected the “Cloud Attachments” link for the eDiscovery case, both the cloud attachment version and the current (live) version will appear in-line with the eComm channel (in the image below, an Exchange email message) in the Review set:

---

My Enablement Recommendations:

• Create a separate retention label for your organization’s cloud attachments
• Align the cloud attachment retention label’s retention period to the longest length of time you’re retaining eComm channels in your organization for. This ensures the cloud attachment file will be discoverable for the same length of time that any eComm channel is discoverable.
  • Example: if you are retaining Exchange email for 2 years and automatically deleting, set the retention label for cloud attachments to also retain for 2 years. This ensures that if an email with a cloud attachment comes in scope of an eDiscovery search, you are guaranteed that the exact version of the file that was shared as the cloud attachment will still exist and will be returned to the Review Set in eDiscovery Premium.
• Create an auto-apply retention label policy for the cloud attachment label scoped to the locations you want to retain for. Remember, depending on where a user is sharing the cloud attachment from, it could be in their OneDrive or any SharePoint site they have access to in your tenant. For this reason, you will likely want to scope the locations to all OneDrives and SharePoint sites (all types).
• [Optional but recommended] To ensure the current version of your file or the eComm cannot be maliciously or inadvertently deleted while an active eDiscovery case is in progress, I also recommend placing an eDiscovery hold on the custodial location(s) where a cloud attachment may be linking to (custodian’s OneDrive, SP site, M365 Group site) and the eComm was sent from (custodian’s mailbox, Teams chats, etc). Configuring the same retention period on the cloud attachment retention label as the longest retention period for the tool where cloud attachments can be shared from in addition to placing an eDiscovery hold on the data source location as soon as you are aware of the need for one will balance the cloud attachments’ storage footprint with the discoverability of the cloud attachment.

Note: The preservation of cloud attachments is a behind-the-scenes process that preserves the file version at the time of sharing in the (hidden) Preservation Hold Library on the site it was shared from. An end-user is not impacted during the sharing process.

---

Wrapping it up…

I believe this capability will be more important as organizations use cloud attachments as their de facto standard. Are your legal teams asking for this? Are you ready?

Thanks for reading.

-JCK