Getting It Right About Office 365 eDiscovery
When you write about Microsoft on an ongoing basis, there is always the chance of receiving email from someone in a development or marketing group to tell you that something you said is wrong. Which is what happened when I received a note about my post on Restricting Office 365 Content Searches with Permission Filters.
As it turned out, my error was minor. When making the point that Office 365 will block the creation of new workload-specific searches from July 1, 2017, I failed to emphasize that existing searches and eDiscovery cases will continue to work until they are no longer needed. This is the way that you would hope compliance technology would work, as it makes no sense to disable some perfectly good technology mid-way through its lifecycle.
I pleaded guilty as charged and adjusted the text (one of the reasons why writing for an online site is much easier than for print publications). All is well. That is, until July 1 comes around and the unwary are surprised by something that Microsoft has flagged for several months now.
What Happens for Exchange
Exchange eDiscovery administrators are accustomed to going to the Compliance section of the Exchange Administration Center (EAC) to create and manage eDiscovery searches. The searches are in-place, meaning that no information is moved out of mailboxes to be searched, and you can apply a hold to keep information until whatever caused the search no longer needs that information.
Exchange eDiscovery searches cover both user mailboxes and public folders, but perhaps not as well in the cloud as they do on-premises. Searches run on an on-premises Exchange 2016 server span up to 10,000 mailboxes by default, but as the search limits are controlled by throttling policies, you can adjust those limits if needed. By comparison, Exchange Online always limits searches to 10,000 mailboxes.
Office 365 content searches run through the Security and Compliance Center. These searches use a different architecture that takes advantage of the Office 365 server fabric. The searches are more scalable and faster and can scan hundreds of thousands of mailboxes. Such large searches often generate massive volumes of search results, which is why Microsoft offers Advanced eDiscovery (part of the E5 plan and available as an add-on) to help investigators find the proverbial needle in the haystack.
Moving from using Exchange searches to Office 365 content searches is straightforward, but you must understand that a division exists between searching to find something and the placement of a hold to keep the found information, if needed. Content searches find information and can be part of an Office 365 eDiscovery case. That case can also set holds on content.
What Happens for SharePoint
The notion of an eDiscovery case composed of multiple parts is well-known to those who work with the SharePoint eDiscovery Center (Figure 1), so moving to Office 365 eDiscovery should be even easier for them than for their Exchange counterparts.
Office 365 eDiscovery cases can span Exchange mailboxes, public folders, group mailboxes, SharePoint and OneDrive for Business sites, and Skype for Business conversations, so these cases are more functional than the SharePoint equivalent, which limits itself to SharePoint and Exchange mailboxes.
An Office 365 eDiscovery case consists of:
- Searches: The simplest case has just one search. Complex investigations might include an array of searches, each designed to look for different information.
- Holds: If searches find information, it probably needs to be kept until the investigation is complete. These are in-place holds and tools like the Exchange Recoverable Items structure and SharePoint Preservation Holds library make sure that no-one can remove held information from the tenant.
- Exports: Searches generate results. Someone must review those results to decide whether they mean anything. You can export results to allow external experts (like lawyers) to review the data.
In SharePoint terms, you can compare an eDiscovery Set to an Office 365 eDiscovery hold because the eDiscovery hold combines the query to find items and the ability to place a hold on those items. Personally speaking, I consider the SharePoint eDiscovery Center to be clunky in its user interface when compared to the Security and Compliance Center, so the transition is at least easier on the eye.
Microsoft is not offering tools to move Exchange or SharePoint eDiscovery searches to the Security and Compliance Center. The basic idea is that you leave existing searches and cases alone for those concerned with these objects to use until their need disappears. Given the sometimes-slow pace of legal investigations, it will probably be several years before Microsoft can eventually remove the older functionality from Office 365.
In the meantime, if you want to start any new eDiscovery activities, the strong recommendation is to use the Security and Compliance Center to create content searches and eDiscovery cases to support new investigations. And after July 1, you will not have a choice in the matter.
Apart from eDiscovery cases, the Security and Compliance Center offers other ways to place holds on information that you want to keep. Classification labels and retention policies are both part of the new Office 365 Data Governance framework and you can use both to place holds on content. Or indeed, to remove information from various locations within Office 365, including Groups.
A set of PowerShell cmdlets is available to work with content searches and eDiscovery cases. The fact that the cmdlets exist is good. Whether anyone will use the cmdlets to interact with searches and cases is quite another matter.
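As an added example (not code from the original post), here is how the three parts of an eDiscovery case described above (search, hold, export) are created with the Security and Compliance Center cmdlets. The case name, custodian mailboxes, and KQL query are assumptions for illustration; the session is opened with Connect-IPPSSession from the ExchangeOnlineManagement module.

```powershell
# Added example: build an Office 365 eDiscovery case from its three parts.
# Case name, custodians and query are assumed values, not from the post.
Connect-IPPSSession -UserPrincipalName admin@contoso.example

$caseName   = "Case-2017-Example"                              # assumed
$custodians = "alice@contoso.example", "bob@contoso.example"  # assumed
$query      = 'subject:"Project Falcon" AND sent>=2017-01-01'   # assumed KQL

# 1. The case groups the searches and holds that belong to one investigation.
New-ComplianceCase -Name $caseName | Out-Null

# 2. A content search associated with the case; it finds items but holds nothing.
$searchName = "$caseName-Search1"
New-ComplianceSearch -Name $searchName -Case $caseName `
    -ExchangeLocation $custodians -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName

# Poll until the estimate completes (bounded so a stuck search cannot loop forever).
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne "Completed" -and (Get-Date) -lt $deadline)
if ($search.Status -ne "Completed") { throw "Search $searchName did not complete in time" }
"Items found: {0} ({1} bytes)" -f $search.Items, $search.Size

# 3. The hold is a separate object: a case hold policy names the locations,
#    and a case hold rule scopes what is kept with the same query.
New-CaseHoldPolicy -Name "$caseName-Hold" -Case $caseName `
    -ExchangeLocation $custodians -Enabled $true | Out-Null
New-CaseHoldRule -Name "$caseName-HoldRule" -Policy "$caseName-Hold" `
    -ContentMatchQuery $query | Out-Null

# 4. An export action packages the results for external reviewers.
New-ComplianceSearchAction -SearchName $searchName -Export | Out-Null
```

Keeping the search and the hold as distinct objects is the division between finding and preserving that the post describes; deleting the search later does not release the hold.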
Still Work to Do
Data Governance still does not offer complete coverage across Office 365 as several high-profile locations including Yammer, Teams, and Planner are unsupported. However, all signs are that Microsoft is devoting enormous effort into expanding the new framework to achieve full coverage soon.
Consistency All Round
Discarding the sometimes confusing and radically different approaches to eDiscovery inherited from on-premises products in favor of consistency and greater functionality is a good thing. It is yet another sign that Office 365 is gradually discarding its on-premises roots to become a truly integrated suite. The old-style functionality will persist in the on-premises products, just in case you feel the need to go back in time.
Follow Tony on Twitter @12Knocksinna.