1. Home
  2. Training Library
  3. Microsoft 365
  4. Microsoft 365 Courses
  5. Auditing and eDiscovery in Microsoft 365

Core eDiscovery

Start course

This course explores how to implement and manage auditing and eDiscovery in Microsoft 365. We'll start by covering Content Search and other search and investigation tools that are used to perform content searches, and how to export content search results.

You'll also learn about auditing management, before moving on to Core eDiscovery and how to search content using the Security & Compliance Admin Center. You’ll also learn how to configure Core eDiscovery and how to create cases. Finally, we'll cover Advanced eDiscovery, and you’ll learn what Advanced eDiscovery is, how to set it up, and how to create and manage Advanced eDiscovery cases.

Learning Objectives

  • Learn about Content Search and other search and investigation tools that are used to perform content searches
  • Export Content Search results
  • Learn how to configure audit log retention and audit policy
  • Learn what Core eDiscovery is and how to search content using the Security & Compliance Admin Center
  • Configure Core eDiscovery and how to create cases
  • Get an overview of Advanced eDiscovery and learn how to create and manage Advanced eDiscovery cases

Intended Audience

This course is intended for those who wish to learn how to use and manage auditing and eDiscovery in Microsoft 365.


To get the most out of this course, you should already have some basic experience of working with Microsoft 365.


Welcome to Core eDiscovery! As I mentioned earlier, the Core eDiscovery offering in Microsoft 365 is a basic eDiscovery tool that is used to search and export content in both Microsoft 365 and Office 365. It’s used to place eDiscovery holds on content locations, like Exchange mailboxes, SharePoint sites, OneDrive accounts, and Microsoft Teams. 

The Core eDiscovery workflow that you see on your screen highlights the general flow of how things are done. The workflow kicks off when you create a case. Once the case is created, you create the eDiscovery hold. Although the creation of an eDiscovery hold is optional, what it does is preserve any content that you might be interested in as part of an investigation. 

An eDiscovery hold preserves all content in a specific location, or you can use a query-based hold that preserves only specific content that matches your query. For example, if you are investigating a leak of corporate secrets, you might only want to preserve all emails sent from a specific user inside the organization to a specific user outside the organization.

Once you’ve created the hold, you can search for the content you are interested in. You can search by using keywords, properties, and even certain conditions via search queries. These search queries then return data that's most likely relevant to your case.

Once you’ve found what you are searching for, you can then export and download your search results. The export process is actually a two-step process. First, you export the results of your search out of Office 365. To complete this step, you copy the results of your search to a Microsoft-provided Azure Storage location. Once the results are copied to your Azure storage location, you use the eDiscovery Export tool to download the content to your local computer, so you can review it.


About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.