eDiscovery & Audit
When legal comes knocking, eDiscovery finds and preserves the evidence. Audit tracks who did what and when. Together they are the compliance team's investigation toolkit.
What is eDiscovery?
Imagine a police investigation, but for emails and documents instead of physical evidence.
When a company faces a lawsuit or a regulatory investigation, the legal team needs to find every relevant email, document, and chat message, and make sure nothing gets deleted before the case is resolved.
eDiscovery (electronic discovery) is the process of searching, preserving, and exporting electronic data so it can be used as evidence. Think of it as a search warrant for your Microsoft 365 environment.
The eDiscovery workflow
Every eDiscovery investigation follows the same logical steps, whether the case is simple or complex:
| Step | What happens | Example at MedGuard |
|---|---|---|
| 1. Identify | Determine what data is relevant and who the key people (custodians) are | Nadia identifies 5 clinicians involved in a patient complaint investigation |
| 2. Preserve | Place a legal hold on relevant content so it cannot be deleted or modified | Legal hold placed on the 5 clinicians' mailboxes and OneDrive accounts |
| 3. Collect | Gather the preserved content into a manageable set | Search across Exchange, SharePoint, and Teams for messages mentioning the patient |
| 4. Process | Remove duplicates, extract metadata, prepare for review | System de-duplicates 12,000 items down to 3,400 unique documents |
| 5. Review | Legal team reviews content for relevance and privilege | Lawyers review the 3,400 documents, tag relevant and privileged items |
| 6. Export | Package reviewed content for submission to regulators or opposing counsel | Export 800 relevant documents in a standard legal format |
Three tiers of eDiscovery
Microsoft Purview offers three levels, each building on the one below:
Content search
The simplest tool. Search across Exchange, SharePoint, OneDrive, and Teams for specific content using keywords, date ranges, and senders. You can preview results and export them. No case management, no legal hold: just search and export.
eDiscovery Standard
Adds case management on top of content search:
- Create cases: organise searches and holds into named investigations
- Legal hold: preserve content so users cannot delete it (even if they try)
- Export results: package content for legal review
eDiscovery Premium
The full-featured tier for complex litigation and regulatory matters:
| Capability | What it does |
|---|---|
| Custodian management | Track and manage the people (custodians) whose data is relevant to the case |
| Review sets | Load collected content into a dedicated workspace for legal review and tagging |
| Near-duplicate detection | Identifies documents that are almost identical, reducing review time |
| Email threading | Groups email chains together so reviewers see conversations, not fragments |
| Themes | Uses analytics to identify key topics across thousands of documents |
| Predictive coding (ML) | Machine learning that predicts which documents are relevant based on reviewer decisions |
Scenario: MedGuard faces a patient data complaint
A former patient files a complaint alleging that MedGuard staff improperly accessed their medical records. The health authority demands all relevant communications within 30 days.
Nadia's response using eDiscovery Premium:
- Identify: Works with legal to identify 5 clinicians and 2 administrative staff as custodians
- Preserve: Places legal holds on all 7 custodians' mailboxes, OneDrive, and Teams data
- Collect: Searches for the patient's name, medical record number, and related terms across all locations
- Process: The system collects 15,000 items, de-duplicates to 4,200, and applies email threading
- Review: Legal team uses the review set to tag documents as relevant, privileged, or not responsive
- Export: 1,100 relevant documents are exported and submitted to the health authority
Without legal hold, those 7 users could have deleted emails and files during the investigation. Legal hold ensures nothing disappears.
Legal hold: the preservation lock
Legal hold is one of the most important eDiscovery concepts for the exam. When content is placed on legal hold:
- Users can still work normally: they can read, edit, and even "delete" items
- Deleted items are preserved in a hidden location; the user thinks they deleted it, but eDiscovery can still find it
- The hold stays until explicitly removed; it survives retention policy expiration, user deletion, and even account deactivation
Exam tip: legal hold vs retention
The exam may try to confuse legal hold with retention policies. They are different tools for different purposes:
- Retention policy: Keeps data for a defined period based on compliance rules. Applies broadly.
- Legal hold: Preserves specific content indefinitely because of a legal investigation. Applied to custodians.
Legal hold overrides retention. If a retention policy says "delete after 3 years" but a legal hold is active, the content is preserved until the hold is lifted.
eDiscovery tiers compared
| Feature | Content Search | eDiscovery Standard | eDiscovery Premium |
|---|---|---|---|
| Search across M365 | Yes | Yes | Yes |
| Case management | No | Yes | Yes |
| Legal hold | No | Yes | Yes |
| Export | Yes | Yes | Yes |
| Custodian management | No | No | Yes |
| Review sets | No | No | Yes |
| Analytics (threading, themes) | No | No | Yes |
| Predictive coding (machine learning) | No | No | Yes |
| Licence required | E3/E5 | E3/E5 | E5 or E5 Compliance add-on |
What is Audit?
Think of Audit as the security camera footage for your Microsoft 365 environment.
Every time someone opens a file, changes a setting, accesses a mailbox, or signs in, it gets recorded. Audit is the log of "who did what, when, and where."
eDiscovery finds the content. Audit finds the activity. They answer different questions: eDiscovery asks "what does the document say?" Audit asks "who accessed the document and when?"
What gets audited?
The unified audit log captures activities from across Microsoft 365:
| Service | What is logged |
|---|---|
| Exchange Online | Mailbox access, email sent/received, delegate actions, admin changes |
| SharePoint Online | File views, edits, downloads, sharing, permission changes |
| OneDrive | File sync, uploads, downloads, sharing events |
| Teams | Channel creation, membership changes, meeting events |
| Microsoft Entra ID | Sign-ins, password changes, role assignments, Conditional Access outcomes |
| Admin activities | Configuration changes, policy updates, user management across all services |
Audit Standard vs Audit Premium
| Feature | Audit Standard | Audit Premium |
|---|---|---|
| Log retention | 180 days (default) | Up to 10 years (configurable) |
| High-value events | Basic activity logs | Includes critical events like MailItemsAccessed (tracks every time a mailbox item is read) |
| API bandwidth | Standard throttling limits | Higher bandwidth for large-scale log retrieval |
| Licence | E3 / E5 | E5 or E5 Compliance add-on |
| Use case | General compliance and troubleshooting | Forensic investigations, breach analysis, long-term regulatory requirements |
MailItemsAccessed: the high-value event
MailItemsAccessed is the most important Audit Premium event for the exam. It logs every time a mailbox item is accessed β whether the user reads it through Outlook, a mobile app, or a script.
Why it matters: if a mailbox is compromised, MailItemsAccessed tells investigators exactly which emails the attacker read. Without it, you know the attacker signed in, but not what they saw.
Scenario: investigating a breach at SecureBank
Alex at SecureBank discovers that an employee's mailbox was compromised through a phishing attack. The attacker had access for 3 days before the password was reset.
Using Audit Premium, Alex can:
- Search MailItemsAccessed for the compromised mailbox during the 3-day window
- See exactly which emails the attacker read β including customer account details and internal communications
- Determine the scope of the breach β was it 5 emails or 5,000?
- Meet regulatory notification requirements β accurately report which customer data was accessed
Without Audit Premium, Alex would only know the attacker signed in. With it, Alex knows exactly what was compromised.
Searching the audit log
Compliance teams search the audit log using filters:
- Date range β when did the activity happen?
- User β who performed the activity?
- Activity type β what did they do? (file accessed, mailbox read, setting changed)
- Service β which Microsoft 365 service was involved?
The search returns detailed records showing the user, the action, the target item, the IP address, and the timestamp.
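The audit search filters above and the SecureBank MailItemsAccessed scenario, as an added Python example that is not part of the original page: it applies the same four filters (date range, user, activity type, service) to constructed audit records and then scopes what a compromised mailbox exposed. The record field names are a simplified assumption, not the exact Purview schema.

```python
from datetime import datetime

# Constructed sample records, not real tenant data. Field names loosely follow
# the unified audit log; treat the exact shape as an assumption of this example.
SAMPLE_LOG = [
    {"CreationTime": "2024-03-10T08:15:00Z", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "dana@securebank.example",
     "ClientIP": "203.0.113.7"},
    {"CreationTime": "2024-03-10T08:17:00Z", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "UserId": "dana@securebank.example",
     "ClientIP": "203.0.113.7", "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<cust-001@securebank.example>"},
         {"InternetMessageId": "<cust-002@securebank.example>"}]}]},
    {"CreationTime": "2024-03-11T23:40:00Z", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "UserId": "dana@securebank.example",
     "ClientIP": "198.51.100.23", "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<cust-002@securebank.example>"},
         {"InternetMessageId": "<internal-007@securebank.example>"}]}]},
    {"CreationTime": "2024-03-11T10:05:00Z", "Operation": "FileAccessed",
     "Workload": "SharePoint", "UserId": "nadia@medguard.example",
     "ClientIP": "203.0.113.9"},
    {"CreationTime": "2024-03-14T09:00:00Z", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "UserId": "dana@securebank.example",
     "ClientIP": "203.0.113.7", "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<cust-003@securebank.example>"}]}]},
]

# Audit timestamps are UTC ISO-8601 with a trailing Z.
def parse_time(value): return datetime.fromisoformat(value.replace("Z", "+00:00"))

def search_audit_log(records, start, end, user=None, operations=None, workload=None):
    """Apply the page's four filters: date range, user, activity type, service."""
    lo, hi = parse_time(start), parse_time(end)
    return [rec for rec in records
            if lo <= parse_time(rec["CreationTime"]) <= hi
            and (user is None or rec["UserId"].lower() == user.lower())
            and (operations is None or rec["Operation"] in operations)
            and (workload is None or rec["Workload"] == workload)]

def summarize_mail_access(records):
    """Scope a mailbox compromise: distinct messages read and the IPs that read them."""
    messages, ips = set(), set()
    for rec in records:
        if rec["Operation"] != "MailItemsAccessed":
            continue
        ips.add(rec["ClientIP"])
        for folder in rec.get("Folders", []):
            messages.update(i["InternetMessageId"] for i in folder.get("FolderItems", []))
    return {"messages_read": len(messages), "client_ips": sorted(ips)}
```

Running the 3-day window for dana's mailbox returns two MailItemsAccessed records; the second comes from an unfamiliar IP and reveals three distinct messages read, which is the scope figure the notification requirement needs.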
eDiscovery vs Audit: different questions, different tools
| Feature | eDiscovery | Audit |
|---|---|---|
| Primary question | What does the content say? | Who did what, and when? |
| What it finds | Emails, documents, chat messages, files | Activity logs β sign-ins, file access, admin changes |
| Used for | Legal investigations, regulatory requests, litigation | Security investigations, compliance monitoring, troubleshooting |
| Output | Preserved and exported documents for legal review | Activity records showing actions, users, timestamps, and IP addresses |
| Key feature | Legal hold β preserves content from deletion | MailItemsAccessed β tracks exactly what was read in a mailbox |
eDiscovery & Audit - SC-900 Module 7
Knowledge check
MedGuard Health receives a legal demand to preserve all communications involving 5 clinicians while a patient complaint is investigated. Nadia needs to ensure these users cannot delete relevant emails or files. What should Nadia use?
Alex at SecureBank needs to determine exactly which emails an attacker read after compromising an employee's mailbox. The attacker had access for 48 hours. Which feature provides this information?
A MedGuard compliance officer needs to find all Teams messages and emails that mention a specific patient's name for a regulatory audit. They do not need legal hold or case management. Which tool is the simplest fit?