Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.3.3. eDiscovery and Content Search

💡 First Principle: eDiscovery is the legal process of finding, preserving, and producing electronically stored information (ESI) in response to litigation or regulatory investigation. Microsoft Purview eDiscovery gives you the tools to place holds on content, search across M365 workloads, and export findings, all with a documented chain of custody.

When a company faces a lawsuit, it is legally required to preserve all relevant evidence and produce it on request. Without eDiscovery tools, this means manually searching every user's email, every SharePoint site, and every Teams conversation across potentially thousands of users. Purview eDiscovery automates this search and preservation process.

Content Search: The simplest tool — search across Exchange mailboxes, SharePoint sites, OneDrive accounts, and Teams messages for keywords, date ranges, file types, or senders. Export results for review. No holds, no case management — just search and export.

Microsoft Purview eDiscovery (Standard): Adds case management and legal holds.

  • Create a case to organize an investigation
  • Place holds on specific users' mailboxes and SharePoint sites — preserves content even if users delete it
  • Run keyword searches scoped to the case
  • Export content for legal review

Legal holds: When a hold is applied, content in the held location is protected from permanent deletion: users can still delete items normally, but M365 preserves them in hidden preservation folders. Where a hold and a retention policy conflict, the hold wins in the direction of retention (if a hold says keep, the content is kept even if a retention policy says delete).
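
The eDiscovery (Standard) workflow above (case, hold, scoped search) can also be driven from Security & Compliance PowerShell. The script below is an added example, not part of the original course material; the case name, UPN and mailbox addresses are constructed placeholders, and it assumes the ExchangeOnlineManagement module and an account in the eDiscovery Manager role group. Export is left out.

```powershell
# Added example: all names and addresses below are constructed placeholders.
# Requires the ExchangeOnlineManagement module and eDiscovery Manager membership.
Connect-IPPSSession -UserPrincipalName 'ediscovery.manager@contoso.com'

$caseName   = 'Investigation-2026-001'   # hypothetical case name
$custodians = 'user1@contoso.com', 'user2@contoso.com', 'user3@contoso.com'
$since      = (Get-Date).AddYears(-1).ToString('yyyy-MM-dd')
$query      = "kind:email AND sent>=$since"   # KQL: email from the past year

# 1. Create the case that scopes the holds and searches.
New-ComplianceCase -Name $caseName -Description 'Preserve custodian email during investigation'

# 2. Place a hold on the three mailboxes. The policy names the locations;
#    the rule's query limits what is preserved.
New-CaseHoldPolicy -Name "$caseName-Hold" -Case $caseName `
    -ExchangeLocation $custodians -Enabled $true
New-CaseHoldRule -Name "$caseName-HoldRule" -Policy "$caseName-Hold" `
    -ContentMatchQuery $query

# 3. Confirm the hold has been distributed before relying on it.
Get-CaseHoldPolicy -Identity "$caseName-Hold" -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation

# 4. Run a search scoped to the case over the same locations and query.
New-ComplianceSearch -Name "$caseName-Search" -Case $caseName `
    -ExchangeLocation $custodians -ContentMatchQuery $query
Start-ComplianceSearch -Identity "$caseName-Search"

# 5. Poll until the search completes, then report hit count and size.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity "$caseName-Search"
} while ($search.Status -ne 'Completed')
$search | Format-List Name, Status, Items, Size
```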

āš ļø Exam Trap: eDiscovery requires specific roles — not all admins can run searches or place holds. The eDiscovery Manager role allows running searches and managing cases. The eDiscovery Administrator role can access all cases in the organization. Global Administrators do not automatically have eDiscovery access.

Reflection Question: Your legal team needs to preserve all emails sent by three specific employees over the past year while an investigation is ongoing. Users should not know the hold is in place. Which Purview feature do you use, and what happens if a user deletes an email after the hold is applied?

Written by Alvin Varughese
Founder • 15 professional certifications