Microsoft Exchange In-Place eDiscovery

Microsoft Exchange In-Place eDiscovery is an administrative feature to perform legal discovery searches for relevant content in mailboxes. Discovery can be conducted in accordance with established enterprise policies, as a means to ensure regulatory or governmental compliance, or in response to litigation.

Corporate communications can often be used as evidence in formal reviews or legal proceedings. The communication may be between employees within an enterprise, or between employees and individuals outside of the organization. The challenge is to establish a fast and efficient means of identifying, organizing and protecting the content in question -- a process called "discovery" -- so that it can be further analyzed and acted upon as circumstances dictate.

Discovery may take place as a routine corporate policy. For example, corporate officers may review the communications involved in a corporate merger or acquisition to ensure terms and conditions were clearly explained. Discovery may also have benefits for regulatory compliance by assuring regulators of proper communications. But discovery is often used as an evidence-gathering mechanism in response to litigation. For example, a prosecution team may file a request for discovery which compels a subject to identify, provide and protect specific communications stipulated in the request.

How In-Place eDiscovery works

Exchange Server provides a powerful platform for electronic discovery through the detailed content indexes generated by Exchange Search. Administrators can select one or more specific mailboxes to analyze, set a date range to search within, enter search criteria such as keywords, stipulate sender or recipient addresses, and choose message types (including contacts, documents, email, journal, meetings, and notes).

Once the search is completed, administrators can decide how to handle the results. For example, administrators can get a prediction of the search size and number of items involved based on the search criteria. Administrators can then refine the search before content review. In-Place eDiscovery previews the search results by locating and reviewing searched messages from each mailbox involved. If the administrator is satisfied with the search results, the content can be copied to a discovery mailbox or exported to a PST file so that an administrator or other users can open or print the content through Outlook.

One key issue in In-Place eDiscovery is the assignment of and support for administrators. Generally, eDiscovery administrators are non-technical personnel -- such as lawyers or corporate compliance officers -- who require broad access to content but should be prevented from accessing Exchange Server configurations or parameters. Such administrators are typically assigned to the Discovery Management role and group through role-based access control (RBAC) methods. There are two principal roles available for In-Place eDiscovery. The mailbox search role allows an authorized administrator to perform searches, and the legal hold role allows the authorized user to put a mailbox into In-Place Hold or Litigation Hold. Holds ensure that content is preserved until the matter is resolved.

These assignments can be made by Exchange administrators that are members of the Organization Management role group. Authorized administrators can then use the Exchange Administration Center (EAC) as the eDiscovery search interface, though more sophisticated users can also use the Exchange Management Shell for searches.

Searches can cross hybrid environments that include on-premises and cloud services, such as Office 365. This is accomplished using In-Place eDiscovery searches through the EAC on-premises. However, search results must be copied to an on-premises discovery mailbox.

In-Place eDiscovery searches produce logs. Basic logging is available by default and captures information about the search and which administrator performed it. Basic logging details are sent to the discovery mailbox where the search results are stored. By comparison, full logging provides detailed information about the messages involved in the search as a comma-separated value file sent with an email to the discovery mailbox. Full logging must be selected when the search results are copied to the discovery mailbox.
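Because the two eDiscovery roles grant broad read access to mailbox content, it is worth reviewing periodically who holds them and how existing searches are logged. The following Exchange Management Shell sketch is an added example, not part of the original article; it uses the standard Exchange cmdlets and assumes the property names returned by an on-premises Exchange 2016 server.

```powershell
# Run in the Exchange Management Shell as a member of Organization Management.

# 1. Direct members of the Discovery Management role group.
Get-RoleGroupMember -Identity 'Discovery Management' |
    Select-Object Name, RecipientType

# 2. Everyone who effectively holds either eDiscovery role, including
#    accounts that received it through a different role group or a
#    direct assignment rather than through Discovery Management.
$holders = foreach ($role in 'Mailbox Search', 'Legal Hold') {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Select-Object Role, EffectiveUserName, RoleAssigneeName, AssignmentMethod
}
$holders | Sort-Object Role, EffectiveUserName | Format-Table -AutoSize

# 3. Existing searches: who created and last ran them, where results are
#    copied, and at which log level. The per-search lookup returns the
#    full set of properties for each search.
$searches = Get-MailboxSearch |
    ForEach-Object { Get-MailboxSearch -Identity $_.Name }

$searches |
    Select-Object Name, CreatedBy, LastRunBy, TargetMailbox, LogLevel,
                  EstimateOnly, InPlaceHoldEnabled, Status |
    Format-Table -AutoSize

# 4. Searches that copy results (not estimate-only) without full logging.
#    For these, only the basic record of the search and the administrator
#    who ran it is kept, with no per-message CSV.
$searches |
    Where-Object { -not $_.EstimateOnly -and $_.LogLevel -ne 'Full' } |
    Select-Object Name, LastRunBy, TargetMailbox, LogLevel
```

Any effective holder in step 2 that is not expected from the role group membership in step 1 is the entry to investigate first.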

Mailbox management

A discovery mailbox is a specialized target mailbox that provides additional security features for the organization. For example, discovery mailboxes are the only acceptable target repositories for copied In-Place eDiscovery search results. This prevents discovery administrators from selecting other users' mailboxes by accident or compromising the integrity of the searches. Only authorized administrators can access a discovery mailbox, and users cannot send email to a discovery mailbox. Exchange 2016 creates a default discovery mailbox called Discovery Search Mailbox, though it is possible to create additional discovery mailboxes for the enterprise. For example, it may be prudent to create a separate discovery mailbox to accommodate separate litigations or investigations.

This was last updated in November 2017