eDiscovery

How To Create an eDiscovery Legal Hold in Microsoft 365

Electronic discovery (eDiscovery) identifies and locates electronically stored information for use in legal ...


Electronic discovery (eDiscovery) identifies and locates electronically stored information for use in legal proceedings. To preserve this information, organizations may put a legal hold in place. An eDiscovery legal hold is a notice that instructs employees and systems to maintain specific electronic data because there is reasonable anticipation it could be needed for litigation or an investigation.

With many software applications, applying a legal hold doesn’t inform the end-user that it has happened (in case it triggers unusual, possibly incriminating behavior).

Lawyer explaining legal situation to her clientsSeveral eDiscovery platforms exist, some of which integrate into platforms like Microsoft Office 365. For many organizations using Microsoft’s tool has emerged as one of the most commonly used options. In addition, some large corporations prefer this electronic discovery solution because they already use Microsoft 365 for other business functions.

If you have the Microsoft suite at your organization, here's how to use its built-in tools for eDiscovery in Office 365 to create a hold.

How an eDiscovery Legal Hold Works

Microsoft makes it possible to put a hold on a wide range of data sets and data sources via its Purview tool. For example, you can place holds on mailboxes associated with Exchange accounts, Office 365 Groups, and Teams. You can also place holds on data in OneDrive for Business accounts. Microsoft is extending the capabilities of Microsoft Purview and the legal hold process.

One downside to Microsoft's system is that the hold does not go into immediate effect. Instead, it has a latency period of up to 24 hours.

Microsoft also allows IT managers or even legal teams to set parameters on how long to preserve the data. It falls into the following categories:

  • Holding data created, sent, received, or stored during a specific period
  • Holding data from a particular account or source, regardless of its associated dates
  • Holding data that match a particular search query
  • Holding data indefinitely

Because there are so many different types of holds, there are also several ways to complete the process.

Take a look at the most common options. 

Microsoft Purview CTA

How To Create an eDiscovery Legal Hold in Microsoft 365

Now that you understand the options and how they work, here's how to create an eDiscovery Legal Hold in Microsoft 365. It’s worth pointing out that there is a difference between an Office 365 content search vs. eDiscovery hold. It’s also important to note that in almost all situations this isn’t something that a regular end-user would be doing; it would be an IT Administrator or, depending on how permissions have been set up inside the organization, a member of a legal team.

Note that these instructions are for standard eDiscovery cases but work for premium cases with just a few changes:

  1. Sign in to the Microsoft Purview compliance portal.
  2. Clock Show All from the left panel and then eDiscovery > (Click Advanced for Premium).
  3. Select the name of the case the hold you place will fall under.
  4. Go to the Home page or the case and select the Hold
  5. Choose Create and fill in a unique name for the hold and other information.
  6. Click
  7. Choose the locations or sources for your hold, and then click

How To Create a Query-Based eDiscovery Legal Hold

If you want to create a query-based legal hold, follow the steps above. Then move on to these additional steps:

  1. Add Keywords to your query based on what you need to find.
  2. Add Conditions to help you better narrow down the information.
  3. Click Next and then

How To Create a Legal Hold for a Mailbox

Sometimes, you might need to put an entire email account on litigation hold. This involves a much different process from the standard and query holds. Follow these steps:

  1. Sign in to the Microsoft 365 admin center.
  2. Go to Users > Active Users and select the user whose account you would like to put on hold.
  3. Go to the properties flyout section.
  4. Click the tab for Mail > More Sections > Manage Litigation Hold.
  5. Enter the relevant information, such as hold duration, a web page with more information for the user, and a private note for the user.
  6. Go back to the properties flyout section and select Save changes.

4 Main Sources for an eDiscovery Legal Hold

Whether you use a Microsoft premium or standard option, you generally have four content locations for your legal hold. These do not represent the exhaustive potential sources, so review your Microsoft 365 account and data records thoroughly before determining the parameters for your hold:

  1. Exchange Email
  2. Exchange Public Folders
  3. SharePoint Sites
  4. OneDrive for Business

How to search locations on eDiscovery Hold in Microsoft 365

When you need to search specific content, you can configure the search to ensure it only searches the locations that are on hold. This means you won’t be searching through unnecessary data or getting information back that is irrelevant. You need to be aware of some other factors to consider when carrying out a search.

You may come across a situation where the content location for your search is part of multiple holds within the same case. In this event, when using the ‘all case’ content option, the hold queries would be combined by OR operators to ensure all locations are searched.

Another thing to note is that when the content location is part of two different holds, one where it is query-based and the other where all content is placed on hold, all the content will be searched. 

If you have it set up that a search is configured to search locations on hold and then make a change, such as by adding or removing a search location, the search configuration will automatically be updated with those changes. But it is important to know that you would have to rerun the search after the change has been made to update the search results.

If you have multiple holds in one location, the maximum number of keywords that can be searched per query is 500. The search will combine all query-based holds using the OR operator. It’s worth noting that if there are more than 500 keywords, all content will be searched.

Lastly, if a legal hold displays a status of ‘On (Pending)’, you can still run any required searches.

How to delete content locations on eDiscovery Hold in Microsoft 365

When a mailbox, SharePoint site, or OneDrive account is removed from a hold, a ‘delay hold’ is put in place. There is a delay of 30 days to ensure that data isn’t permanently deleted from the content location. During these 30 days, it gives IT admins and legal teams the chance to search for and/or recover content that is due to be deleted. The delay hold works slightly differently for each Office 365 workload, so we’ll explain more below.

Mailboxes: The delay hold is put on the mailbox the next time the Managed Folder Assistant processes the mailbox and finds that a hold was removed. When the delay hold is in place, the mailbox is still on hold for an unlimited hold duration, as if the mailbox was on Litigation Hold.

But once the 30 days have passed, the delay hold will expire, and Microsoft 365 will attempt to remove the delay hold. The items marked for deletion will be deleted the next time the mailbox is processed by the Managed Folder Assistant.

SharePoint and OneDrive: Any content stored in the Preservation Hold library isn't deleted during the 30-day delay. Also, during this delay, you cannot manually delete any of the content.

Key challenges of eDiscovery Holds

A key thing to note with eDiscovery Holds is that the Microsoft Office 365 environment was primarily built and designed with IT professionals in mind. However, it is lawyers and other legal professionals who are mainly involved in finding and preserving the evidence in the eDiscovery Hold tools.

This may lead to some of the following challenges:

Preservation and Searches

In Microsoft Teams, you aren’t easily able to preserve some data, such as audio conversations or content from guest users. This must be done using PowerShell scripts or advanced searching, neither of which is likely to be done by a legal professional.

Depending on the tools you are using, you might also be limited by storage – you’ll need to keep an eye on this to ensure you don’t lose required data.

eDiscovery Features

You need to be aware of what Office 365 license your users hold, as this will affect which features are available. Users will need to either have an E5 license or an add-on that provides access to the required eDiscovery features. These features include admins being able to issue legal holds directly through the Office 365 eDiscovery tool or the ability to search documents metadata which can provide valuable additional data.

Overlapping Holds

In large organizations, it is common for users to be placed in multiple holds. This can make it very hard to track which users need to be in which hold and for how long. It also makes it difficult when you want to remove a user from one, or several holds, but not all of them.

This can be made easier by having a tool to track who is in what holds, and you can even set up alerts to be noticed when a user is removed from an active hold, for example.

Global eDiscovery Holds

eDiscovery holds are very common in some countries, such as the United States, but less common in others. This can be a challenge when a Hold has users from several countries, as each country will have its own data protection and privacy laws that must be adhered to.

Employee Changes

A legal hold only works when it is associated with the correct contact and no details change for that contact. For example, a hold may be required for an entire department, and this may get difficult to control if people are constantly moving into or out of the department. This also relies on departments communicating. In this example, HR would need to tell Legal when people move departments.

Why eDiscovery Holds are essential for all businesses

eDiscovery Holds are now a necessity for all businesses, large or small. They are essential as they allow businesses to protect themselves and their data.

With a Hold in place, a business can store and retain the required electronic data and content. Most importantly, the business would be able to retain this data even if it is deleted by the user or anyone else.

By having an eDiscovery Hold in place, it means you will be prepared for any legal challenge you are presented with in the future. If you do not have these processes in place, you are at risk both legally and financially. If you cannot provide evidence of your data retention and discovery processes, you may be fined.

An important thing to note is that a Hold should not be used as a form of backup. You should also have a separate backup process in place. The purpose of a Hold is to preserve the data and prevent data loss – it will not restore any lost data.

Office 365 Backup CTA

Key points to consider when using eDiscovery Holds

When a new Hold is created, you can set a ‘Hold Duration’. This essentially means any data that is either deleted or modified will be kept for the hold duration period and then permanently deleted. Other options are to retain the data indefinitely or until the Hold is removed.

It sounds obvious, but a Hold cannot preserve data that was deleted before the Hold was put in place.

When creating and setting up new Holds, it should be a joint project between the IT and Legal teams. The IT teams will be able to set up and turn on the Holds, but the Legal team needs to be involved so they know what has been done and which data is being preserved.

You should have both eDiscovery Holds and Backup processes in place, not just one or the other!

Exchange Migration CTA 

How Cloudficient Can Help You Simplify eDiscovery Legal Holds

Obviously, as an enterprise-sized organization living in Microsoft Office 365, end users won’t be able to see, modify, or remove any kind of legal hold that has been placed on their data. It’s an IT-only or perhaps legal team-only operation, depending on your organizational structure, that is performed from time to time.

If you want to take advantage of all that the Microsoft Office 365 platform can give to your business, including the legal hold processes described here, you’ll need to migrate mailbox data, SharePoint sites, file server data, and legacy archive data to the cloud if you haven’t done so already.

As migration experts, we have over a century of proven experience in the field of helping customers leverage the cloud. We have a simple migration process that quite simply works, automating and streamlining all the additional steps as well as migrating data. If you need more information, contact us today!

With unmatched next generation migration technology, Cloudficient is revolutionizing the way businesses retire legacy systems and transform their organization into the cloud. Our business constantly remains focused on client needs and creating product offerings that match them. We provide affordable services that are scalable, fast, and seamless.

If you would like to learn more about how to bring Cloudficiency to your migration project, visit our website, or contact us.

Similar posts