Case authorization, preservation, search, export, custody, evidence, and defensible closure

Microsoft Purview eDiscovery Standard Operations Guide

Operate Microsoft Purview eDiscovery as a controlled evidence process. Establish legal and business authority, use least-privileged case access, map every custodian and content location, preserve the right sources, design reproducible searches, reconcile estimates and errors, export with traceable settings, protect downloaded evidence, and close cases without unintentionally releasing required preservation.

Current Purview eDiscovery experience and core-feature boundaryCases, roles, sources, holds, searches, exports, audit, and custodyExchange, OneDrive, SharePoint, Teams, groups, partially indexed items, and evidence
Secure evidence intake and chain-of-custody vault for Microsoft Purview eDiscovery Standard operations
A defensible workflow controls who may collect, what is preserved, how scope is tested, which errors remain unresolved, and how every export is transferred into protected evidence custody.

Operating objective

Make every preservation, search, and export decision explainable and reproducible

Microsoft Purview eDiscovery can organize cases, search Microsoft 365 content, apply case holds, generate process reports, and export responsive material. The technology does not decide the legal scope, whether preservation is required, which custodians are relevant, what proportionality means, or whether a collection is complete. Those decisions belong to authorized legal, privacy, compliance, HR, security, and business owners working within applicable law and policy.

Microsoft’s current documentation presents one modern eDiscovery experience with eDiscovery feature support and Premium eDiscovery feature support. This page retains “Standard” in its title and preserved URL because organizations still use that familiar name for the core case, hold, search, and export workflow. Before a matter starts, confirm the tenant’s current subscriptions, the operator’s licenses, the case license setting, the workloads in scope, and whether premium capabilities such as advanced indexing or review-set workflows are required.

A defensible operation separates four records: the legal or business instruction, the source and custodian map, the technical execution evidence, and the evidence-custody record after export. Search hit counts alone are not proof of completeness. Location errors, partially indexed items, changed source content, security filters, locked sites, export exceptions, retention behavior, and the time between search and export can change what is collected.

Control statement: No case, hold, search, preview, export, download, transfer, release, closure, or deletion should occur without an accountable owner, documented authority, approved scope, least-privileged access, source validation, recorded settings, reviewed process reports, protected evidence location, custody log, exception decision, retention instruction, and independent closure approval.

Authority and separation of duties

Define who may authorize the matter, operate the platform, review evidence, and release preservation

Authorizing owner

Approves the legitimate purpose, matter scope, jurisdictions, custodians, preservation instruction, review use, outside-party access, retention, and closure. For legal matters, this is normally counsel or an authorized delegate—not the platform administrator.

eDiscovery administrator

Maintains role-group governance, can access all cases, handles case membership exceptions, oversees guest approvals where used, reviews tenant settings and compliance boundaries, and provides independent control over operator access.

Case manager and operator

Creates and documents the case, adds approved sources, runs holds/searches/exports, reviews process reports, maintains the activity log, and escalates errors. Managers should access only assigned cases and use separate everyday and privileged accounts.

Evidence custodian and reviewer

Receives exported packages through an approved transfer, validates inventory and hashes, controls storage and access, logs every handoff, and retains the original export. Review copies should be separated from the preserved master evidence.

Membership in an eDiscovery role group is not sufficient by itself for ordinary case access: the user must also be granted access to the case. Microsoft documents that only an eDiscovery Administrator can remove case members, including a case creator. Review role-group and case membership on a schedule, immediately after staffing changes, and before closure. If external reviewers are needed, use the supported guest workflow, time-bound approval, multifactor authentication, minimum reviewer rights, explicit matter terms, and post-case Entra guest cleanup.

Capability and license boundary

Use core eDiscovery for controlled collection; escalate when the matter needs premium processing or review

Operational needCore eDiscovery approachWhen to evaluate premium supportEvidence to retain
Create and control a matterUse a case with approved members, sources, holds, searches, exports, and case audit activity.When the matter needs review sets, richer review workflows, advanced indexing, analytics, tagging, redaction, or broader legal-team collaboration.Case settings, license-level setting, membership, role group, matter ID, approvals, and audit log.
Preserve Microsoft 365 contentCreate case holds for validated mailboxes and sites; monitor status and resolve errors before relying on preservation.When scale, custodian management, communications, premium limits, or collection workflow requires enhanced features.Hold policy, sources, query, status, Locations report, creation time, retries, verification, and release authority.
Find potentially responsive contentRun scoped searches, generate statistics, review samples where permitted, inspect locations/errors, and version each refinement.When advanced indexing, OCR, review-set filtering, analytics, themes, near-duplicate detection, or more complete processing of partially indexed content is required.Query, conditions, source list, statistics, sample record, Settings/Locations reports, exceptions, and approval.
Collect and transfer evidenceExport native documents and mailbox content with item/location/settings reports; download within the package availability period.When the matter needs review-set export, advanced processing, redaction, tagging, load files, or external review at scale.Export configuration, reports, package inventory, timestamps, hashes, secure destination, custody log, and access history.
Investigate unindexed or difficult contentQuantify partially indexed material, include the approved population in export, document what cannot be previewed, and review exported material separately.When advanced indexing and OCR are needed to reduce uncertainty, apply the query to reprocessed content, or filter before export.Partially indexed counts/size, inclusion choice, rationale, reports, premium decision, exceptions, and reviewer outcome.

License check: Microsoft currently documents E3 or E5 licensing for users who export, plus a SharePoint E3 requirement when exporting SharePoint content. Subscription eligibility and features can change. Validate the operator, case, workload, add-on, and regional requirements in Microsoft’s current documentation before collection begins.

Matter intake and case setup

Translate the request into a bounded technical collection plan before touching content

Authority and issue statement

Record who requested the matter, why it is authorized, the questions to answer, jurisdictions, confidentiality, preservation deadline, review destination, and who may change scope. Reject vague instructions such as “export everything about the employee.”

Custodian interviews and systems map

Identify primary and alternate identities, aliases, shared mailboxes, archives, OneDrive URLs, Teams and channels, group sites, renamed or deleted accounts, mobile/offline data, third-party systems, and business vocabulary. The directory record is only the start of source discovery.

Data minimization and proportionality

Use approved people, locations, dates, participants, item types, and concepts. Separate preservation scope from collection scope: a broader location-based hold may be appropriate while a narrower search/export limits unnecessary review and privacy exposure.

Case naming and settings

Use a non-sensitive case label plus an internal matter ID. Confirm the case’s feature/license setting, approved members and role groups, optional guest handling, search/analytics settings, organization-wide source settings, and data region before work starts.

Existing preservation and retention

Inventory retention policies, retention labels, Litigation Hold, delay hold, inactive mailboxes, prior case holds, restricted sites, and preservation lock implications. Do not assume a retention policy is equivalent to matter-specific legal preservation.

Change and communications plan

Define who receives legal-hold notices outside the platform, how custodian changes are handled, how scope refinements are approved, what triggers escalation, how operators communicate without exposing the matter, and who authorizes release or closure.

Content-source architecture

Map the person or group to every mailbox and site that may hold its Microsoft 365 evidence

Business sourceLikely eDiscovery locationsValidation questionsCommon blind spot
Individual employee or contractorPrimary and archive Exchange mailbox, OneDrive, 1:1/group Teams chat stored in mailboxes, and any owned or directly identified sites.Is the identity active, deleted, restored, renamed, synchronized, Multi-Geo, inactive, or using aliases/alternate accounts? Is OneDrive provisioned?Selecting the displayed person without reviewing the exact mailbox/site locations, archives, old UPN, or deleted-user OneDrive URL.
Microsoft Team or Microsoft 365 groupGroup mailbox, connected SharePoint site, channel-related sites, and relevant participant mailboxes for some message types.Which standard, private, or shared channels existed during the period? Were sites renamed, archived, restored, or owned across tenants?Searching only the group mailbox or only the main site while missing separate private/shared-channel sites and participant copies.
Shared mailbox or resource mailboxThe mailbox location plus delegate mailboxes or sent-item behavior where relevant.Who had Full Access, Send As, Send on Behalf, forwarding, inbox rules, and retention? Where were sent copies stored?Assuming the shared mailbox proves authorship or contains every message sent through delegated access.
SharePoint business workspaceExact site URL, subsites where applicable, libraries, lists, versions, recycle/retention behavior, and connected group or Team.Was the site renamed, locked, moved, archived, deleted, restored, or subject to access restrictions? Are linked files stored elsewhere?Using a friendly site name instead of validating the precise URL and status at preservation, search, and export time.
Departed or deleted userInactive or restored mailbox, retained OneDrive site, successor-owned content, and group/team repositories.Was the license removed, mailbox made inactive, OneDrive reassigned, identity hard-deleted, or content migrated? What preservation existed before deletion?Expecting the data-source picker to reconstruct content that was already purged before a valid retention or hold took effect.
External collaborationHome-tenant mailboxes/sites for content stored by the organization; guest identity and cross-tenant locations may provide identifiers, not access to another tenant’s evidence.Which tenant owns the message/file? Was the user a guest, federated participant, shared-channel participant, or external sender? Is separate legal process required?Treating cross-tenant visibility as if the local case can search and preserve evidence stored in the external organization.
Copilot or application-generated contentUnderlying Exchange, SharePoint, OneDrive, Teams, or other supported Microsoft 365 storage depending on the application and artifact.Which workload generated the item, where is it stored, what retention applies, and is the specific data type supported by the current search/export path?Searching for the product name without validating the storage location, data type, indexing behavior, or license support.

In the current experience, adding a person or group as a data source can identify associated mailboxes and sites. Always open the managed-source detail and approve the actual locations. An “Unverified” source may still be added, but validation occurs when the process runs and the final status appears in the location report. For a deleted user’s OneDrive, Microsoft directs operators to add the OneDrive site URL directly as a SharePoint location.

Preservation design

Apply holds early, verify every location, and control release as a separate high-risk change

Location-based versus query-based

A location-based hold reduces the risk that an incomplete keyword query misses relevant content. A query-based hold may reduce preserved volume, but it depends on correct properties, supported syntax, indexing, dates, participants, item types, encryption, and source behavior. Counsel should approve the tradeoff.

Partially indexed and encrypted items

Microsoft warns that keyword-heavy query holds might not apply as intended to encrypted or partially indexed content. Where completeness matters, use a location hold or constrain queries to supported dates, participants, and item types; document the decision and test representative locations.

Hold status is evidence

Creating a policy is not the same as confirming preservation. Record submission and completion times, review each location and error, retry failed locations, preserve process reports, and do not communicate “hold active” until the approved validation gate passes.

Scale and limits

Current core-feature limits include 1,000 mailboxes and 100 sites in a single case hold, up to 100 mailboxes expanded from one distribution list, and 10,000 hold policies per organization. Microsoft recommends keeping each case below 1,000 searches, holds, or exports for performance. Recheck current limits before design.

Lifecycle dependencies

Account deletion, mailbox conversion, OneDrive reassignment, site moves, domain changes, mergers, and tenant migration can alter source identifiers. Change processes must check the matter register before moving or deleting an identity, mailbox, site, Team, or group.

Release and closure

Closing or deleting a case turns off its holds. Content can then become eligible for deletion under normal retention and user activity. Require written release authority, second-person review, confirmation of other holds/retention, final evidence export, and a documented post-release observation period.

Preservation is time-sensitive: Microsoft notes that a newly created hold can take time to take effect. Document when the duty arose, when instructions were issued, when the platform policy was submitted, when every location succeeded, and what interim preservation steps covered the gap.

Twelve-step operations runbook

Authorize, preserve, search, validate, export, transfer, and close with a complete evidence trail

Open the matter record

Assign a matter ID, accountable owner, authorized purpose, jurisdiction, confidentiality, preservation deadline, review destination, closure authority, and change-control path. Obtain written scope before platform activity.

Confirm subscriptions, roles, and case access

Validate current feature eligibility, operator/export licenses, role-group membership, case membership, separate privileged accounts, audit logging, compliance boundaries, guest prohibition or approval, and least privilege.

Map custodians and noncustodial sources

Interview requestors and technical owners; reconcile names, aliases, dates, mailboxes, archives, OneDrive, Teams/channels, group sites, shared mailboxes, deleted/inactive identities, external repositories, and migration history.

Record existing retention and holds

Capture Litigation Hold, inactive mailbox, retention policy/label, prior case hold, preservation lock, site lock, lifecycle status, deletion/recovery state, and dependencies. Do not replace or remove existing controls.

Create and verify preservation

Choose location or approved query scope, name the hold with the matter ID, add exact sources, run it, inspect status and reports, retry errors, record success time, and obtain signoff. Use documented interim steps where propagation is incomplete.

Design a search protocol

Define concepts, people, locations, dates, participants, message/document properties, synonyms, spelling, exclusions, inclusiveness tests, partially indexed treatment, and validation samples. Version the protocol before running it.

Run statistics and reconcile locations

Generate statistics, preserve Summary, Settings, Statistics, and Locations reports, compare expected versus processed sources, investigate zero-hit and failed locations, quantify partially indexed material, and rerun transient errors.

Validate and refine

Review authorized samples, known-item tests, key-custodian/date coverage, false positives, unexpected gaps, privacy exposure, and search boundary effects. Record every query revision and approval; never overwrite the evidence of an earlier iteration.

Approve export settings

Choose indexed/partially indexed content, versions, cloud attachments, conversation format, PST or individual messages, folder/path structure, package sizes, decryption, reports, organization by source, and the secure destination. Freeze the search version.

Generate and inspect the export

Monitor Process Manager, preserve export reports, resolve or formally accept retrieval exceptions, compare search and export counts, verify location optimization and settings, and document content changed or deleted between search and retrieval.

Download and transfer into custody

Use the authorized operator, download before package expiry, inventory packages and reports, calculate approved hashes, record UTC/local timestamps, store originals in protected evidence storage, log each transfer, and issue controlled review copies.

Reconcile, report, and close

Document scope, sources, queries, counts, errors, partially indexed decisions, exceptions, custody, review handoff, remaining holds, and remediation. Close only with written release, dual review, retention/disposition instructions, access removal, and post-closure validation.

Search engineering and result validation

Treat search statistics as estimates and process reports as essential scope evidence

Version the query

Give each search an immutable version name. Retain the exact KeyQL/conditions, time zone interpretation, source list, creator, execution time, partially indexed option, changes, rationale, validation method, and approver. Duplicate a search for major revisions instead of erasing history.

Use known-item tests

Identify representative messages or files that should be returned and known exclusions that should not. Test aliases, participants, dates, file names, phrase variants, channel messages, document versions, and workload-specific properties before relying on broad counts.

Inspect every location

The Locations report identifies the mailbox/site, hit count, size, status, and errors. Compare it with the approved source map. A zero may be correct, a query miss, a boundary effect, or a source-resolution problem; an absent or failed location requires a decision.

Understand estimate drift

Counts can change because live source data changes, items move or are deleted, holds change, transient failures occur, document versions and folders behave differently, permissions filters apply, or exported formats differ from indexed estimates. Record the timing of each stage.

Quantify partially indexed content

Unsupported, unreadable, oversized, encrypted, password-protected, or indexing-error content can be partially indexed. It cannot be previewed in the same way and date filters do not necessarily exclude all such material. Record count/size, inclusion scope, export outcome, and review decision.

Apply compliance boundaries carefully

Search-permission filters can restrict which mailboxes/sites an operator can search. Microsoft notes that holds are not constrained the same way and that some all-site partially indexed export paths can cross an assigned boundary. Test the design with an eDiscovery Administrator and document the applied security filter.

Reconciliation rule: Do not report only “the search returned 8,000 items.” Report the approved sources, processed and failed locations, indexed hits, partially indexed population, duplicates/versions where relevant, retrieval exceptions, exported items, and unresolved uncertainty.

Export, transfer, and chain of custody

Preserve the export configuration, reports, packages, and original metadata as one evidence set

Freeze and approve settings

Export settings change the result and its organization. Preserve the Settings report showing indexed/partially indexed selection, versions, conversation handling, cloud attachments, decryption, format, path, package size, and source organization. The setting record is part of the evidence.

Download before expiration

Current Microsoft guidance says search export packages are available for 14 days from creation and then are automatically deleted. Track the deadline, download promptly, verify every package, and never treat the temporary portal package as the long-term evidence repository.

Protect individual download links

Microsoft describes export package links as individual-use links that should not be shared. Use assigned case access or an approved guest/reviewer model, not a forwarded package URL. Record who downloaded, when, from which case/export, and where it was placed.

Reconcile exceptions

Use Items and Summary reports to identify moved/deleted items, timeouts, permissions, locked sites, DLP-restricted files, access-controlled SharePoint files, and other retrieval failures. Retry transient failures; obtain an explicit legal/owner decision for unresolved exceptions.

Preserve original timestamps

Local ZIP extraction can change filesystem timestamps even though Purview preserves source metadata in the item report and file format. Keep the original packages, reports, package hashes, and tool/version used for extraction. Treat review copies as derivatives.

Secure the evidence store

Use encryption, restricted groups, immutable or controlled retention where appropriate, malware-safe handling, separate master/review areas, access logging, geographic and contractual controls, approved transfer, backup, recovery test, and documented final disposition.

Custody checkpointRequired recordBlocking exceptionRelease condition
Export createdCase/search/export IDs, creator, UTC time, approved settings, expected sources, reports, and package-expiry date.Unapproved query/version, stale statistics, failed locations, unknown partially indexed choice, or missing authorization.Settings and scope independently reviewed; exception owner assigned.
Portal process completedStatus, location/item totals, Summary, Settings, Locations, Items and error details.Unexplained count difference, retrieval exception, locked source, access error, or unprocessed location.Retry succeeds or authorized owner accepts documented limitation.
Packages downloadedOperator, time, package/report names, byte sizes, hashes, endpoint, secure path, and transfer method.Expired/missing package, hash mismatch, incomplete download, unmanaged endpoint, or shared link.All expected files verified and placed in approved evidence storage.
Review copy issuedRecipient, purpose, subset, derived-copy hash, encryption, transfer, access expiry, and return/destruction requirement.Unapproved reviewer, excessive scope, insecure transfer, no contract/terms, or uncontrolled local copy.Authorization, minimum necessary set, protected transfer, and custody receipt.
Matter closedFinal inventory, remaining holds, release approval, case status, access removal, evidence retention/disposition, and validation.Unresolved preservation duty, other matter dependency, missing review return, or no deletion authority.Dual approval and confirmed downstream custody/disposition plan.

Top eDiscovery risks and misconfigurations

Failures that can lose evidence, overcollect private data, or make results impossible to defend

Administrator invents the scope

A technical operator interprets a vague request without documented legal/business authority, dates, sources, exclusions, or approval.

Case role is treated as authorization

Broad role-group membership or eDiscovery Administrator access is used to enter matters unrelated to the user’s assignment.

Person selected, locations not verified

The picker resolves only part of the mailbox/site estate; aliases, archives, channel sites, deleted OneDrive, or shared sources are missed.

Query hold misses unindexed content

Keywords are trusted to preserve encrypted, unsupported, password-protected, or partially indexed items without a documented completeness decision.

Hold submitted but errors ignored

A policy exists, yet failed or unverified locations are never reconciled and no success time is recorded.

Hit count reported as complete

Statistics are presented without failed locations, boundary filters, partially indexed material, versions, retrieval exceptions, or estimate drift.

Search overwritten during refinement

Earlier queries, results, rationale, approvals, and known-item validation disappear, preventing reconstruction of the decision path.

Export package reports discarded

Content is retained but Settings, Locations, Items, Summary reports, package inventory, hashes, and download details are not.

Individual export link shared

A temporary download link or package is forwarded instead of using approved case access and protected evidence transfer.

Case closed before hold release review

Closure turns off preservation while another matter, retention duty, review, or evidence transfer still depends on the content.

Evidence, metrics, and recurring control

Measure completeness, timeliness, exception handling, and access—not only item volume

Preservation latencyDuty/request time → instruction → hold submission → all-location success. Explain every gap and interim control.
Source reconciliationExpected mailboxes/sites versus resolved, processed, successful, failed, unverified, excluded, and externally stored sources.
Search qualityKnown-item recall, false-positive sample, query versions, failed locations, zero-hit review, partially indexed volume, and approved refinements.
Export completenessSearch estimate versus exported success, retrieval exceptions, package/report inventory, downloads before expiry, and hash verification.
Access governanceRole-group members, case members, administrators, guests, last activity, excessive access, removals, and post-case Entra cleanup.
Custody integrityMaster evidence, derived copies, storage location, encryption, transfers, receipts, access events, retention, recovery tests, and disposition.
Process reliabilityRetry rate, recurring source errors, elapsed search/export time, stale statistics, package download failures, and runbook exceptions.
Closure hygieneOpen cases, aging, inactive cases, remaining holds, overdue release decisions, access removal, final reports, and validation after closure.

Per activity

Peer-check the source, query or export settings; preserve process reports; reconcile errors; record operator and timestamp; and update the matter register before the next stage.

Weekly while active

Review hold/search/export status, source changes, errors, expiring packages, new custodians, access, evidence transfers, remediation owners, and counsel instructions.

Quarterly program review

Recertify roles, cases, guests and storage; sample custody records; test recovery; review licensing and Microsoft changes; validate scripts/runbooks; and remediate recurring exceptions.

Related architecture and authoritative references

Connect preservation and collection to the Microsoft 365 controls that create, retain, protect, and audit the evidence

Frequently asked questions

Microsoft Purview eDiscovery Standard operations FAQ

Is Microsoft Purview eDiscovery Standard still the current product name?

Organizations still commonly use “eDiscovery Standard” for the core case, hold, search, and export capability. Microsoft’s current documentation describes a modern unified eDiscovery experience and distinguishes eDiscovery feature support from Premium eDiscovery feature support. Keep the familiar internal label if useful, but validate the current case setting, subscriptions, operator licenses, portal workflow, and required features before each matter.

Does an eDiscovery role automatically let a user open every case?

No. An eDiscovery Manager needs the appropriate Purview role-group membership and access to the specific case. eDiscovery Administrators have broader access and should be tightly limited, monitored, and separated from daily accounts. Case membership, role-group membership, guest access, and audit activity should be recertified independently.

Should a legal hold use keywords or preserve the whole location?

That is a legal and proportionality decision, not merely a technical preference. A query-based hold can reduce volume but can miss content when the query, indexing, encryption, supported properties, or source mapping is incomplete. Microsoft cautions about keyword-heavy query holds for partially indexed or encrypted items. Use counsel-approved scope, known-item tests, documented limitations, and location-based preservation when completeness requires it.

Why can search and export counts differ?

Search statistics are estimates. Source data can change between stages; items may move or be deleted; locations can fail; security filters and access restrictions can apply; document versions, cloud attachments, decryption, partially indexed choices, and output formats affect results; and retrieval can time out. Preserve process reports and reconcile each difference before reporting completeness.

Can partially indexed items be safely ignored if they are a small percentage?

No automatic percentage is legally or operationally safe. Partially indexed material can contain unsupported, unreadable, encrypted, oversized, or password-protected content and cannot be evaluated exactly like indexed results. Quantify the count and size, identify affected locations, document the risk, obtain an authorized decision, export the approved population, or evaluate premium advanced indexing and OCR when required.

Does this guide replace legal advice or a professional eDiscovery assessment?

No. It is an operational starting point. Preservation duties, privacy, employment rules, discovery procedure, cross-border transfer, privilege, proportionality, admissibility, and disposition require qualified legal and compliance guidance. Technical configuration should be validated for the tenant, licenses, workloads, geography, and matter. A self-guided checklist does not replace a professional audit, legal review, forensic collection, or litigation-support engagement.

Independent, evidence-first implementation support

Need a defensible Microsoft 365 eDiscovery operating model?

IT Perfection can help Orange County and Southern California organizations inventory sources, document roles and case workflows, validate preservation and search operations, design export custody controls, improve Microsoft 365 governance, and coordinate remediation with internal IT and authorized legal or compliance stakeholders.

Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience.

This guide is for initial operational guidance only. It does not replace legal advice, a professional cybersecurity or eDiscovery audit, a compliance assessment, forensic collection, penetration test, litigation-support engagement, or legal/compliance review.