    How To Create an eDiscovery Legal Hold in Microsoft 365


    At a time when most business operations are digital, managing and preserving data is more important than ever, especially during legal proceedings. With so much communication happening online, organizations must be extremely careful with how they handle data once legal challenges arise. If your organization uses Microsoft 365, knowing how to implement an eDiscovery legal hold can help. But it's also important to understand where the limitations lie.

    This blog walks you through the process of creating a legal hold in Microsoft 365. But along the way, we’ll highlight why relying only on Microsoft Purview could leave your organization exposed to data loss, failed holds, or even non-compliance. 

    What Is a Legal Hold? 

    A legal hold (also called a litigation hold) preserves all relevant information when litigation is expected. It’s a safeguard to ensure important data isn’t deleted or changed while a case is active. Without this step, crucial evidence could be lost. 

    Legal holds protect organizations from accusations of spoliation and demonstrate due diligence in legal matters, a must-have in today's compliance-heavy environment. That’s why understanding how legal holds work in Microsoft 365 is essential.

    Legal holds in Microsoft 365 can sometimes fail without any warning, particularly when multiple holds are active on the same data. In addition, if users are deactivated or deleted before their mailboxes are properly converted to inactive status, their data may be permanently lost. 

    Microsoft 365 Tools for Legal Hold 

    Microsoft 365 offers several tools to set up legal holds: 

    • Security & Compliance Center: Central hub for hold and compliance management. 
    • eDiscovery Manager: Allows assignment of roles to handle cases. 
    • Content Search: This lets you locate and lock data across emails, OneDrive, and SharePoint. 

    On paper, it’s a strong offering. But the reality can be more complicated. Frequent changes to the user interface in Microsoft 365 can create confusion and disrupt established workflows. Administrators often need to rely on PowerShell to complete basic tasks, such as applying legal holds to more than 100 users. It’s also difficult to target specific folders, like those in OneDrive, without having to include the user’s entire account. This leads to unnecessary data collection. These friction points slow down teams and can make compliance feel more like a guessing game.

    Step-by-Step: How To Create a Legal Hold in Microsoft 365 

    Here’s how the process should work. 

    1. Go to the Microsoft 365 Security & Compliance Center - This is where you’ll manage everything related to getting started. 
    2. In the menu, click eDiscovery under the Solutions section - This opens the tools you need to get started.
    3. Inside the eDiscovery area, click on Cases - Here you’ll see all your existing cases. Cases are created and managed here.
    4. Click + Create a Case to start a new one - This lets you define what the case is about and what data needs to be held. 
    5. Enter a clear Name and Description for the case, then click Save - Choose names that are easy to recognize later. 
    6. Once the case is created, open it and double-check that all your information looks right. 
    7. In the case menu, go to Settings > Members - This is where you manage who has access to the case and its relevant information. 
    8. Click + Add to give specific users or groups access - This ensures everyone involved can see or manage the case as needed. 
    9. Next, click on Holds inside the case - This is where you define what data needs to be preserved. 
    10. Click + Create to begin setting up your legal hold - You’ll be able to customize what data is included. 
    11. Give the hold a Name and Description so it's easy to track, especially if you have multiple holds running at once. 
    12. Under Choose what to hold, select the locations you want to preserve, like Mailboxes, OneDrive accounts, or SharePoint sites. 
    13. You can also filter your hold with options like date ranges or keyword filters - This helps focus only on what’s relevant, which saves storage and makes reviews easier.
    14. Once everything is set up, click Save - This activates the hold and starts preserving the selected data.  
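
    The same procedure scripted in Security & Compliance PowerShell, for the case mentioned earlier where the portal is impractical for large custodian lists. This is an added example, not part of the original post; the case name, addresses, URL, query and batch size are constructed placeholders.

```powershell
# Scripted equivalent of the portal steps (Security & Compliance PowerShell).
# All names, addresses and URLs below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$caseName  = 'Example Matter 2025-001'
$holdName  = "$caseName - Custodian Hold"
$members   = @('paralegal@contoso.example')
$mailboxes = @('alice@contoso.example', 'bob@contoso.example')  # or: Get-Content .\custodians.txt
$oneDrives = @('https://contoso-my.sharepoint.com/personal/alice_contoso_example')
$batchSize = 50   # batching is a choice made for this example, not a documented limit

# Steps 4-6: create the case and confirm it exists.
New-ComplianceCase -Name $caseName -Description 'Preservation for Example Matter' | Out-Null
Get-ComplianceCase -Identity $caseName | Format-List Name, Status

# Steps 7-8: give specific users access to the case.
foreach ($m in $members) { Add-ComplianceCaseMember -Case $caseName -Member $m }

# Steps 9-12: create the hold with the first batch of locations.
# OneDrive accounts are passed as SharePoint locations, by URL.
$first = @($mailboxes | Select-Object -First $batchSize)
New-CaseHoldPolicy -Name $holdName -Case $caseName -Comment 'Custodian preservation' `
    -ExchangeLocation $first -SharePointLocation $oneDrives -Enabled $true | Out-Null

# Add any remaining custodians in batches.
for ($i = $batchSize; $i -lt $mailboxes.Count; $i += $batchSize) {
    $end = [Math]::Min($i + $batchSize, $mailboxes.Count) - 1
    Set-CaseHoldPolicy -Identity $holdName -AddExchangeLocation $mailboxes[$i..$end]
}

# Step 13: the date/keyword filter is a KQL query on the hold rule.
# A policy with no rule holds nothing, so the rule is created even when unfiltered.
New-CaseHoldRule -Name "$holdName - Rule" -Policy $holdName `
    -ContentMatchQuery '(contract OR invoice) AND (received>=2024-01-01 OR lastmodifiedtime>=2024-01-01)' | Out-Null

# Step 14: do not assume the hold is active; read back its distribution state.
Get-CaseHoldPolicy -Identity $holdName -Case $caseName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation
```

    Distribution to the selected locations is not instant, so the final check may need to be repeated until it stops reporting a pending state.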

    The steps are straightforward, but execution often isn’t. Legal and IT teams often experience slow search performance, failed exports, and the need to repeat basic actions during the legal hold process. As a result, many choose to export data as a precaution, fearing that relying solely on in-place holds may not fully preserve all necessary information. 

    What to Watch Out For 

    Using Microsoft 365’s built-in tools feels like you’re covered, but many organizations have experienced setbacks. 

    Organizations have reported inconsistent or problematic behavior when applying legal holds or running search operations in Microsoft 365. Some content may not be captured by holds at all, especially non-indexable data such as massive Excel files, encrypted documents, or image-only PDF files. Additionally, the recoverable items mailbox has a storage cap of around 110GB. If this limit is reached, it can result in data not being preserved as expected. 
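
    A way to watch the Recoverable Items limit described above for mailboxes on hold, using Exchange Online PowerShell. This is an added example, not from the original post; the custodian addresses and the 80% warning threshold are assumptions, and usage is compared against each mailbox's own reported quota rather than a hard-coded figure.

```powershell
# Report Recoverable Items usage against quota for custodian mailboxes.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

function ConvertTo-Bytes([object]$Size) {
    # Sizes are returned as text such as "1.5 GB (1,610,612,736 bytes)".
    if ("$Size" -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',') }
    return $null
}

$custodians = @('alice@contoso.example', 'bob@contoso.example')  # constructed placeholders
$warnAt     = 0.8                                                 # assumed alert threshold

$usage = foreach ($id in $custodians) {
    $mbx  = Get-Mailbox -Identity $id
    # The root folder's FolderAndSubfolderSize covers Deletions, Purges,
    # Versions and DiscoveryHolds together.
    $root = Get-MailboxFolderStatistics -Identity $id -FolderScope RecoverableItems |
            Where-Object FolderType -eq 'RecoverableItemsRoot'
    $used  = ConvertTo-Bytes $root.FolderAndSubfolderSize
    $quota = ConvertTo-Bytes $mbx.RecoverableItemsQuota
    $ratio = if ($used -ne $null -and $quota) { [math]::Round($used / $quota, 3) } else { $null }

    [pscustomobject]@{
        Mailbox        = $mbx.PrimarySmtpAddress
        LitigationHold = $mbx.LitigationHoldEnabled
        HoldCount      = @($mbx.InPlaceHolds).Count
        UsedGB         = if ($used -ne $null) { [math]::Round($used / 1GB, 2) } else { 'unknown' }
        QuotaGB        = if ($quota) { [math]::Round($quota / 1GB, 2) } else { 'unknown' }
        UsedRatio      = $ratio
        NearLimit      = ($ratio -ne $null -and $ratio -ge $warnAt)
    }
}

$usage | Sort-Object UsedRatio -Descending | Format-Table -AutoSize
$usage | Where-Object NearLimit | ForEach-Object {
    Write-Warning "$($_.Mailbox) is at $([math]::Round($_.UsedRatio * 100))% of its Recoverable Items quota"
}
```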

    These aren’t small glitches. Some risks could determine whether your organization survives legal scrutiny. 

    Users on the dedicated eDiscovery subreddit, r/ediscovery, have raised concerns about the lack of practical guidance in Microsoft's documentation. While the official resources span over 8,000 pages, much of it is too broad or theoretical, making it difficult to apply to real-world legal hold scenarios. 

    Proactive Steps for Success 

    To offset these risks: 

    • Audit holds frequently to ensure they’re still relevant and working. 
    • Train your team; don’t assume they understand how to use Purview’s UI or PowerShell workarounds. 
    • Keep detailed records, even for temporary holds, in case questions come up months later. 
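
    One way to carry out the audit and record-keeping steps above in Security & Compliance PowerShell: list every case hold, flag the ones that are disabled, undistributed, missing a rule or empty, and save a dated report. This is an added example, not from the original post; the report file name and the set of checks are assumptions.

```powershell
# Audit all eDiscovery case holds and keep a dated record of the result.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$report = foreach ($case in Get-ComplianceCase) {
    foreach ($p in Get-CaseHoldPolicy -Case $case.Name) {
        # -DistributionDetail populates the distribution status fields.
        $policy = Get-CaseHoldPolicy -Identity $p.Name -Case $case.Name -DistributionDetail
        $rules  = @(Get-CaseHoldRule -Policy $policy.Name)
        $locs   = @($policy.ExchangeLocation).Count + @($policy.SharePointLocation).Count

        $issues = @()
        if (-not $policy.Enabled)                       { $issues += 'policy disabled' }
        if ("$($policy.DistributionStatus)" -ne 'Success') { $issues += "distribution: $($policy.DistributionStatus)" }
        if ($rules.Count -eq 0)                         { $issues += 'no hold rule' }
        if ($locs -eq 0)                                { $issues += 'no locations' }

        [pscustomobject]@{
            CheckedUtc   = (Get-Date).ToUniversalTime().ToString('s')
            Case         = $case.Name
            CaseStatus   = $case.Status
            Hold         = $policy.Name
            Enabled      = $policy.Enabled
            Distribution = $policy.DistributionStatus
            Mailboxes    = @($policy.ExchangeLocation).Count
            Sites        = @($policy.SharePointLocation).Count
            Query        = ($rules.ContentMatchQuery -join ' | ')
            Issues       = ($issues -join '; ')
        }
    }
}

# Dated CSV gives a record that can be produced months later.
$file = "hold-audit-{0:yyyyMMdd}.csv" -f (Get-Date)
$report | Export-Csv -Path $file -NoTypeInformation

$report | Where-Object Issues | ForEach-Object {
    Write-Warning "$($_.Case) / $($_.Hold): $($_.Issues)"
}
```

    Holds in closed cases will normally show as disabled, so read the Issues column together with CaseStatus.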

    Still, many teams are forced to overcompensate. 

    Out of concern for potential non-compliance or legal repercussions, many teams choose to over-collect or export large volumes of data “just in case”. This cautious approach is often driven by uncertainty about whether the legal holds are truly capturing everything required.

    If you’re managing legal holds using Microsoft 365, especially with E3 licensing, you’re likely doing more manual work than you should. 

    Microsoft 365 E3 licensing lacks several important legal hold features, such as custodian acknowledgment workflows, audit trails, and automated hold notices. Advanced capabilities like reminder emails and centralized dashboards are only available through E5 licenses or additional add-ons. This limitation leaves many legal and IT teams worried about needing to upgrade licenses at the last minute during ongoing litigation. 

    CaseFusion: A Smarter Way to Manage Legal Holds 

    If managing legal holds in Microsoft 365 feels too complicated or risky, it might be time to explore other options. CaseFusion is built to simplify and automate the entire process, from identifying custodians to preserving their data. With built-in workflows, audit trails, and policy-based automation, your legal team can gain more control and confidence in every step. It integrates smoothly with existing systems and reduces the need for manual oversight or last-minute interventions.

    CaseFusion might be the upgrade for teams that want to minimize risk and improve defensibility. 

    Final Thoughts 

    Setting up an eDiscovery legal hold in Microsoft 365 is possible. However, relying solely on the built-in Microsoft Purview tools is risky, especially if your compliance needs are high and your licensing is limited. 

    Microsoft is seen as prioritizing license upselling over legal usability. Some users call Purview “malpractice-level bad” when describing reliability and compliance risk. 

    In critical legal scenarios, confidence matters, and right now, many organizations lack confidence in Microsoft Purview's ability to reliably preserve data without costly workarounds or E5 licenses. 

    Don’t just follow the steps. Understand the risks, question the defaults, and explore whether other tools such as CaseFusion might help you manage legal holds with fewer blind spots. 
