How to do In-place eDiscovery in new O365?

 Please find the Ignite training on this topic that I delivered along with Mark on this Topic here https://community.office365.com/en-us/blogs/office_365_community_blog/archive/2013/08/01/ignite-webcast-how-to-use-ediscovery-in-office-365.aspx

For detailed and easy understanding of how the mail gets moved through different Deletions folder and what is the retention period of items in the respective folder, please follow the previous post using below link. It has easy steps that you can use to recover emails. If the emails are not present in Recover deleted items then you can use the MFCMAPI option or eDiscovery option depending on number of user mailbox items you want to restore. The deleted items remain in the Deleted Items folder is extended to indefinitely or according to the duration set by your administrator.

https://blogs.office.com/2015/02/20/extended-email-retention-deleted-items-office-365/ (Thanks Nino Bilic for pointing this out)

 

Single Item Recovery in O365

https://blogs.technet.com/b/praveenkumar/archive/2012/10/16/single-item-recovery-in-exchange-online.aspx

 

 

In the below post I have described how we can do eDiscovery in new Office 365

 

       

  • In Exchange admin center select Permissions > admin roles

                       Double click Discovery Management

                       Under Roles Click on Add and Select Mailbox Import Export

                       Under Member, Add yourself as a Member and Click Save.

 

        

 

    

  • Now click on compliance management and select in-place eDiscovery & hold

        

  • Hit + sign to create a new search query
  • Give a Name and Description and hit Next

           

  • Select the mailboxes that you want to query and click Next.

        

  • In the next screen if options are greyed out as below it means you do not have proper permissions. Revisit the step for adding permissions. If proper permissions have been added sign out and sign in back

      

  • In the filed provide the text you want to search. You can use Boolean expression like OR and AND to make robust query

        

  • Once you have specified the search attributes hit on Next
  • You can do a in place hold of the search items. (Note, this option will be greyed out if you have selected all mailboxes during the mailbox selection process) and hit on finish

         

               

How to see the search results?

As we have added yourself to the Mailbox import export and other permissions we have the below options available

 

In new O365 we have more robust options to see the results compared to W14

 

 

Estimate search results

This gives us a list a small report of the search. It also tells us what was number of hits for each of the items we entered in search Query as keywords

 

Part of the estimate result is copied below

----------------------------------------------------------------------------------

Test

This search is for searching all mails in the organization that has word test in the subject line

Hold None

Search Status: Estimate Succeeded

Run by: Prakum

Run on: 18-07-2013 13:56

Size: 410.23 KB

Items: 5

Errors: None

Statistics:

KEYWORD

HITS

Test

25

<-Previous- Keywords: 1 to 1 of 1 -Next->

  -------------------------------------------------------------------------------------

 

Preview search results

This opens up eDiscovery preview of results in the browser and we could see the results directly in the browser itself

 

 

Copy search results

This option opens up a dialog box where you can select fine tune search results and copy the items to Discovery search mailbox

Once you hit Copy, in the search results field towards the left you will have an option to open Discovery Search mailbox..

 

 

 If you click on open it opens the Discovery Search Mailbox in a new browser

 

 

 

The mailbox will have a folder by the name of the search (TEST in our case) and put the mail items there as below

 

 

 

 

Export to PST

This is a new option that we have in new O365 where we can export the search results to PST to the local computer. It downloads the results based on mailboxes, ie if the search finds there are 10 mbx that has the keyword we are searching for if creates 10 PST one each for each mailbox.

 

 

We have not discussed in detail regarding the in-place Hold, would discuss that in subsequent posts :)

 

 

 

In-Place eDiscovery

https://technet.microsoft.com/en-us/library/dd298021(v=exchg.150).aspx

 

Single Item Recovery in O365

https://blogs.technet.com/b/praveenkumar/archive/2012/10/16/single-item-recovery-in-exchange-online.aspx