Advanced eDiscovery O365: Everything You Need To Know

14 min readJan 28, 2021

The Advanced eDiscovery O365 provides an end-to-end workflow to preserve, collect, review, analyze, and export content that’s responsive to your organization’s internal and external investigations. It also let’s legal teams manage the entire legal hold notification workflow to communicate with custodians involved in a case.

This article discusses the steps necessary to set up Advanced eDiscovery. This includes ensuring the proper licensing required to access Advanced eDiscovery and add custodians to cases, as well as assigning permissions to your legal and investigation team so they can access and manage cases. This article also provides a high-level overview of using cases to manage the Advanced eDiscovery workflow for a legal investigation.

Office 365 advanced ediscovery license

Licensing for Advanced eDiscovery requires the appropriate organization subscription and per-user licensing.

Organization subscription: To access Advanced eDiscovery in the Microsoft 365 compliance center or the Security & Compliance Center, your organization must have one of the followings:Microsoft 365 E5 or Office 365 E5 subscriptionMicrosoft 365 E3 subscription with E5 Compliance add-onMicrosoft 365 E3 subscription with E5 eDiscovery and Audit add-onIf you don’t have an existing Microsoft 365 E5 plan and want to try Advanced eDiscovery, you can add Microsoft 365 to your existing subscription or sign up for a trial of Microsoft 365 E5.
Per-user licensing: To add a user as a custodian in an Advance eDiscovery case, that user must be assigned one of the followings licenses, depending on your organization subscription:Microsoft 365: Users must be assigned a Microsoft 365 E5 license, an E5 Compliance add-on license, or an E5 eDiscovery and Audit add-on license.Office 365: Users must be assigned an Office 365 E5 license. For information about how to assign licenses, see Assign licenses to users.

Assign eDiscovery permissions

To access Advanced eDiscovery or added as a member of an Advanced eDiscovery case, a user must be assigned the appropriate permissions. Specifically, a user must be added as a member of the eDiscovery Manager role group in the Security & Compliance Center. Members of this role group can create and manage Advanced eDiscovery cases. They can add and remove members, place custodians and content locations on hold, manage legal hold notifications, create and edit searches associated in a case, add search results to a review set, analyze data in a review set, and export and download from an Advanced eDiscovery case.

Complete the following steps to add users to the eDiscovery Manager role group:

Navigate to permissions.
sign in using the credentials for an admin account in your Microsoft 365 organization.
On the Permissions page, click eDiscovery Manager
Click Edit role group

Click choose eDiscovery Administrator and click Edit

Now, click Add to add a administrator and select a user. You may click Remove to remove a user from the eDiscovery manager

Once done, click save
This changes will take a few hours to reflect.

Set up the Advanced eDiscovery Case

Navigate to compliance portal
In the left navigation, click eDiscovery, and then click Advanced eDiscovery

Select Cases from the top Menu
In Cases, click the Create a case to create a new case.

On the New eDiscovery Case page, mention a case name and number
Do you want to configure additional settings after creating this case?: No, just go to the home page. I’ll use the default case settings for now

Click Save.

Add custodians to the Advanced eDiscovery case

On the Test12 page, click the Data sources tab
Click + Add custodians

Choose Custodians section to add the users to the case

On the Choose custodial locations page, verify Exchange and OneDrive are selected as data sources, and then click Next

If you’re interested in placing a hold on teams channel of the custodian, click Add

Choose teams

You will see all teams where the custodian has access. Select a team that you wish to place the hold

On the Select additional locations page, click Next

On the Place a hold on the selected custodians page, verify Hold is selected for the custodians

Click complete

Note: On the Investigation page, click the Jobs tab and ensure the Indexing Job Status for the custodian is Successful, before you continue.

Set up Searches

On the Test12 page, click the Searches tab, and then click New search

Enter the name and description page and click Next

On the Custodians page, enter the names of the suggested custodians and then click Next

On the Non-custodian page, click +Add non-custodial sources. If not, move to the next step

Note: There may be content located in mailboxes and sites that aren’t associated with a custodian but that’s relevant to the case. Content locations where case custodians don’t have administrative control but may be owners of relevant data, are known as non-custodial data sources.

On the Additional locations page, click Next

On the Search criteria page, click +Add conditions

Select Date

Configure the date and click Next
On the Review your search page, review your selections, click Submit

Create a review set

On the Test12 page, click the Review sets tab and click + Add Review Set

On the Add Review Set page, enter the Name and click Add

Develop review strategy

If you have a very large volume of data, the Advanced eDiscovery dashboard enables you to view reporting and eDiscovery data visually.

Even before you start your review process, the dashboard can help you quickly analyze your content in the review set to identify trends or key statistics and develop your review strategy. The dynamic dashboard is customizable so you can add, remove and configure widgets appropriate to your case and drill down into your content through the visuals.

Here for example, I only want to review all the cases from a specific sender domain. To do this, I will create a widget that allows me to see that data with a bar chart. Once I create the widget, I can then use this to help me craft my search. By applying a condition to the widget I can further filter down my search, which in this example I only want to see by the senders domain. Once I specify the domain I can use this to create my search and save it as a query.

Click Review sets on the top and open the Custodial Data review set

On Individual results click Search profile view

Click +New widget then click create custom widget

Add Title and Choose pivot (sender domain) and Choose chart type (bar) then click Next

Click on widget then on the top right corner of the widget click Apply condition

On the flyout page, click an element on the widget key or widget chart to create a filter

When you’re done, click Save as query to save your conditions as a new search query for the review set

Close the Search profile view to return to the search results view.

Configure tag panel

As a part of the review set, you can configure a customizable tagging panel to organize your content. For example, you can create tags that identify content as responsive or non-responsive, privileged, etc. Later you can use these tags for workflows downstream such as redacting sensitive content on only the data tagged as “responsive”, or export all content tagged “ready for export”.

This helps reviewers with early classification and culling of data to limit exports to the most responsive and relevant set of data. You can also leverage pre-trained Machine Learning models to help you identify potentially sensitive content. To use the models, you simply need to add smart tags sections to your tag panel.

On the Review sets tab, click the Custodial Data review set
On the Custodial Data page, click Manage Review Set

Scroll to the bottom and under Tags, click Manage tags

On the Custodial Data, Tags page, click +Add section

Enter section title and description (optional)

Click Save
On the Tag set section, click the vertical ellipsis, and click + Add option button

Below the Tag set section, on the new Selection item, click the Enter selection label field and type Tag select

Click Save.

Configure audit activity logging

On the Test12 page, click the Data sources tab, then select the custodians

On the custodian details page, click View custodian activity

If necessary, click Start recording user and admin activities, then click Turn on

Specify a date range and select Search to view recent custodian activity data

Note: If no data is available, log in as the custodian and open a few files.

Click Close to close the Custodian activities page.

Settings — Analytics settings and / or basic information

Once you have created the case, you can configure case settings depending on the type of case it is, and the complexity expected. The Settings tab is used to configure search analytics within the case level.

On the Test12 page, click the Settings tab

In the Search & analytics section, click Select

Review the settings for Analytics
Select the checkboxes and change the following settings:

Document and email similarity threshold: 70%
Max number of themes: 10

Scroll to the bottom and Click Save

Click Exit.

Create and send hold notification

Organizations are often required to inform custodians that they are on legal hold and need to be able to track when the custodians have been notified and when they acknowledged the legal hold. Organizations now can manage their legal workflow around custodian communications from within Advanced eDiscovery in the Compliance Center.

Admins can send, collect, and track legal hold notifications. You can customize the hold notification workflows and content to meet your organization’s needs.

You can pre-fill notifications such as reminders and escalations. While creating these notifications, you can add links to ensure that custodians acknowledge receiving this information. A rich text editor is provided to create the Hold Notice and variables are available that can be used to create the notice.

The admin can define if this is a new issuance, re-issue or release of hold for the communication and define the content within the hold as well as utilize common variables such as display name, acknowledgement link and more.

Click the Communications tab and select + New Communication

Enter the name and select an issuing officer

Click Next

Note: All custodial notifications will be sent on behalf of the Issuing Officer.

Create the Hold Notice by using the rich-text editor and merge fields. You can copy the letter as follows and update the fields for the hold notice. In the text editor, highlight Replace with ACKNOWLEDGEMENT LINK, then click the Acknowledgement Link button located at the top of the editor to insert the merge field.

Hold Order

Confidential

To: {{DisplayName}}
From: Office of General Counsel
Date: {{IssuingDate}}

The company has received a subpoena from SEC which will require the collection and production of certain company documents in connection with an investigation of insider trading. We intend to comply fully with the subpoena and to cooperate with the SEC investigation.

In order to fully comply with the SEC subpoena, it is vital that all documents described in the attachment (including hard copy documents as well as electronic data and documents) be preserved, and all routine destruction or discarding of any such documents or data, whether pursuant to formal company policies or otherwise, be suspended until further notice. This includes turning off any “autodelete” functions and insuring that back-up tapes are preserved and not overwritten or deleted. If you have a question about whether or not something needs to be preserved, on the side of preserving it until advised otherwise by legal counsel.

This policy applies to all such documents whether kept at the office, at off-site storage facilities, or at your home. It includes not only on formal company documents, but also materials such as handwritten notes, drafts, calendars and the like. In addition, if anyone under your supervision has custody or control of such documents or data and it is not listed as a recipient of this memorandum, please forward it to them immediately. If you know of others who should receive this memorandum, or if you know of documents beyond our control that should be preserved, please notify {{IssuingOfficerEmail}} immediately.

Detailed instructions regarding the procedures for the collection of documents will follow shortly and will be designed to minimize disruption of your daily business activities. Until such instructions are provided, all documents and files should be maintained as they are kept in the ordinary course of business.

The subpoena should not be discussed outside of any discussions necessary for document preservation and compliance, or in communications with company counsel. There should be no discussions with third parties.

We require that you acknowledge this notice by clicking the link below

Replace with ACKNOWLEDGEMENT LINK

If you have any questions concerning this notice, please contact {{IssuingOfficerEmail}}

Once the portal content is created, click Next
On the Set Notifications — Required page, click Edit and create new Issuance, Reissue, and Release notifications

Issuance:
Recipient: All custodians
Subject: Issuance of Hold Notification
Body: This is the issuance of the hold notification.
{{IssuingOfficerEmail}}

Reissue:
Recipient: All custodians
Subject: Reissue of Hold Notification
Body: This is the reissue of the hold notification.
{{IssuingOfficerEmail}}

Release:
Recipient: All custodians
Subject: Release of Hold Notification
Body: This is the release of the hold notification.
{{IssuingOfficerEmail}}

Note: You may add a CC\BCC if necessary.

After the required set notifications are created, click Next
On the Set Notifications — Optional page, click Next. The optional notifications include a Reminder and Escalation workflow to send recurring messages to the specified custodians and/or their manager
On the Choose the custodians you want to notify page, verify all custodians are selected and click Next

On the Review your settings page, verify the settings and click Send.

Overview of jobs

Any process in Advanced eDiscovery that takes more than a few seconds is created as a job. The Jobs tab tracks the status of jobs that are running or have been completed.

On the Test 12 page, click the Jobs tab. Click the Filter button

Next to Type, select items to show and hide to expose its details

Optional: Scroll to the bottom of filters and repeat showing and hiding the applied filters for the Status and Scope sections.

Click Apply.

Export

In some cases, a lawyer or another third party may just need to download five documents from a case for a specific deposition, and in that case, we provide the download option.

On the Test12 page, click the Review sets tab, and then click on the Custodial Data review set
Click the Action drop-down menu, then click Export