
Office 365 eDiscovery bolsters an admin's compliance arsenal

Microsoft's enhanced Office 365 eDiscovery features will look familiar to administrators who have used case management features in on-premises Exchange Server.

Many organizations contemplating a move to Office 365 have major concerns about security and compliance. Some may even abandon plans to move to the cloud because of compliance worries. Many of the legal and regulatory tasks administrators perform with on-premises Exchange Server can now be replicated with the updated Office 365 eDiscovery tool and other compliance utilities.

The most fundamental components of message compliance are protection, and search and export. In this context, protection means ensuring messages are available for discovery for a specified amount of time. Some companies have a legal requirement to maintain messages for two years, so administrators must protect against end-user deletion or unsuitable automatic email retention policies.

Microsoft recently shifted the location of Exchange management tools, and it put most of the retention and compliance utilities in the Office 365 Security & Compliance Center. Go to the Office 365 Security & Compliance Center to see the new tool set (Figure 1).

Figure 1. The tools in the Security & Compliance Center work not only with Exchange Online, but with the entire Office Online suite.

The area provides tools to manage the security and compliance of the entire Office Online suite -- not just Exchange. This article covers just a few of the available tools, but I encourage administrators to explore what else is offered. Office 365 eDiscovery is an important message protection tool under the Data management and Search & investigation areas. We'll explore Retention's Delete and Preserve in a separate article.

Digging deeper into compliance issues

It's possible your company does not have a mandate to protect items for compliance. European companies should read this document retention guide; administrators at American companies should read this white paper. These documents can help explain retention guidelines that may apply to your company. Ultimately, it's up to the legal department to interpret laws that govern compliance requirements in the organization. If there is an Office 365 migration in the works, and there is no clear compliance policy, discuss it with the legal team.

Using Office 365 eDiscovery Search and Export

This set of tools requires some practice and experimentation. The Office 365 eDiscovery feature in the Security & Compliance Center has more power and versatility than similar tools in on-premises Exchange Server 2013 and 2016, and in the Office 365 Exchange administrator console.

From the Security & Compliance Center, select eDiscovery from the left side of the screen beneath the Search & investigation section.

Figure 2. The Office 365 eDiscovery section provides granular controls to create and manage cases.

In the Office 365 eDiscovery section, we go from searching data to creating cases to share with the company's legal department or with contractors. Here's how to create a new case (Figure 3). Click the plus sign above the Case name list. Enter details at the next screen and assign it to people who need to see the case. Click Finish to create the case.

Figure 3. Create a new case in the Office 365 eDiscovery section by giving it a name and a detailed description, and by granting access to the users who need it.

Select the case, then click the pencil icon to modify the search criteria (Figure 4).

Figure 4. After creating the case, use the pencil icon to adjust the search criteria.

Figure 5 shows the details of the case. To add a search, select Searches in the left panel; then, click the plus sign to create a new search; and then select a name and the parameters of the search. You can search individual mailboxes, all mailboxes, SharePoint sites and public folders. Click Next to continue.

Figure 5. Administrators can use the search controls in the Office 365 eDiscovery section to limit the locations a case covers.

The search conditions page (Figure 6) features a field to enter keywords and specific message properties, such as sender, recipient and dates. For this example, enter a search string and click Search to find the relevant messages.

Figure 6. Administrators can further refine the limits of a case by entering keywords and other properties, such as the recipient of an email message.

Check the details of the search from the Searches window (Figure 7) and export the results from this page. One improvement to this process is the ability to export to a PST file.

Figure 7. From the Office 365 eDiscovery Searches window, an administrator can export the results for a case into a PST file.

The preview option is much better than in previous iterations of Office 365 eDiscovery (Figure 8). Select the Preview Search Results option from the Searches page to see a list of the messages that match the search criteria.

Figure 8. Select the Preview Search Results option from the Searches page to see a list of the messages that match the search criteria.

Office 365 eDiscovery holds

The Office 365 eDiscovery case management tool is essentially a litigation hold and a carryover from on-premises Exchange, but the terminology is different. A hold keeps all the data in the mailbox or other source until the administrator releases it.

A problem with legal holds is remembering why a mailbox is on hold in the first place. By using the same case structure within the Security & Compliance Center, administrators create new Office 365 eDiscovery cases or modify existing ones to identify and categorize specific mailbox holds.

From the eDiscovery case we created, select Holds from the left panel and click the plus sign to create a new hold (Figure 9). When the New case hold window opens, click the plus sign to select the Office 365 mailboxes to place on hold. Administrators can also select Office 365 SharePoint sites for indexing here. Click Finish to continue.

Figure 9. Placing a hold on a mailbox preserves all its content.

The hold may take several minutes to begin. Once a mailbox is on hold, its recoverable items quota increases to 100 GB automatically. Administrators can monitor a busy mailbox that has been held for an extended amount of time to avoid a space issue.
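The case, search and hold steps above can also be scripted with the Security & Compliance PowerShell cmdlets, which leaves a repeatable record of why each mailbox is on hold. This is an added example, not part of the original article; the case name, addresses, search query and 90 GB warning threshold are constructed placeholders.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and eDiscovery permissions.
# All names, addresses and the query are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$caseName  = 'Case-0001 Contract dispute'
$custodian = 'user1@contoso.example'

# Create the case and give a reviewer access to it.
New-ComplianceCase -Name $caseName -Description 'Reason for the case and who requested it'
Add-ComplianceCaseMember -Case $caseName -Member 'legal1@contoso.example'

# Add a search limited to one mailbox, with keyword and date conditions.
$searchName = "$caseName - search 1"
New-ComplianceSearch -Name $searchName -Case $caseName -ExchangeLocation $custodian `
    -ContentMatchQuery '"project falcon" AND received>=2016-01-01'
Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes, then report how much it matched.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
'{0}: {1} items, {2} bytes' -f $search.Name, $search.Items, $search.Size

# Place the mailbox on hold inside the same case.
# A hold rule with no query preserves all content in the mailbox.
$holdName = "$caseName - hold"
New-CaseHoldPolicy -Name $holdName -Case $caseName -ExchangeLocation $custodian
New-CaseHoldRule -Name "$holdName - rule" -Policy $holdName

# The hold takes a few minutes to apply; check its distribution status.
Get-CaseHoldPolicy -Identity $holdName -Case $caseName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus

# Monitor Recoverable Items growth on the held mailbox (Exchange Online session).
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'
$root = Get-MailboxFolderStatistics -Identity $custodian -FolderScope RecoverableItems |
    Where-Object { $_.FolderType -eq 'RecoverableItemsRoot' }
# The size is returned as text such as "1.2 GB (1,288,490,188 bytes)"; extract the byte count.
if ($root.FolderAndSubfolderSize -match '\(([\d,]+) bytes\)') {
    $bytes = [int64]($Matches[1] -replace ',', '')
    if ($bytes -gt 90GB) { Write-Warning "$custodian Recoverable Items is above 90 GB" }
}
```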
