1. Home
  2. Training Library
  3. Microsoft Azure
  4. Courses
  5. Auditing and eDiscovery in Microsoft 365

DEMO: Create and Manage an Advanced eDiscovery Case

Start course

This course explores how to implement and manage auditing and eDiscovery in Microsoft 365. We'll start by covering Content Search and other search and investigation tools that are used to perform content searches, and how to export content search results.

You'll also learn about auditing management, before moving on to Core eDiscovery and how to search content using the Security & Compliance Admin Center. You’ll also learn how to configure Core eDiscovery and how to create cases. Finally, we'll cover Advanced eDiscovery, and you’ll learn what Advanced eDiscovery is, how to set it up, and how to create and manage Advanced eDiscovery cases.

Learning Objectives

  • Learn about Content Search and other search and investigation tools that are used to perform content searches
  • Export Content Search results
  • Learn how to configure audit log retention and audit policy
  • Learn what Core eDiscovery is and how to search content using the Security & Compliance Admin Center
  • Configure Core eDiscovery and how to create cases
  • Get an overview of Advanced eDiscovery and learn how to create and manage Advanced eDiscovery cases

Intended Audience

This course is intended for those who wish to learn how to use and manage auditing and eDiscovery in Microsoft 365.


To get the most out of this course, you should already have some basic experience of working with Microsoft 365.


Hello, and welcome back. What we're going to do here real quickly is run through the process of creating an advanced eDiscovery case. It's not terribly difficult, it's actually pretty straightforward, but in the interest of completeness, I wanted to at least show you the actual steps that are required to create a case.

Now on the screen here, I'm logged into my Microsoft 365 portal, and I'm in Microsoft 365 Compliance. And the URL for that is compliance.microsoft.com. Now, to create this case using Advanced eDiscovery what I need to do here, in the left pane, is scroll down and under eDiscovery, under the Solutions heading if we select the dropdown, we have both our core and advanced options what I'm going to do here is select Advanced.

Now, before I do that, I do want to mention, I mean Azure is more notorious for it, but keep in mind that sometimes these user interfaces will change a little bit. I don't want you to get too wrapped up in click here, click here, click here. Instead, I want you to just understand that you're going to run that eDiscovery from the Advanced option here. So, if tomorrow, the interface changes and the menu is over here in the top right corner, then so be it. So, don't get too tied up in where I'm clicking rather than on what I'm clicking.

So, let's go ahead with that PSA out of the way and click Advanced here for Advanced eDiscovery. And when we do that, we're going to be taken to our overview page, where I've created a few cases already just for testing and some other demos.

To create a new case, what I'm gonna do is select Cases here and, again, this lists out the cases and then, we'll create a case. When you do that, you can give your case a name which is required, and then you can give it a case number and a description. For this exercise here, I'm just gonna give my eDiscovery case and name. We'll just call it Email Discovery Case, then you have an option, here, to configure additional settings. So, I'll go ahead and leave this at the default.

Yes, so you can see what happens here. So, we'll go ahead and save our case. And then, from here, what we need to do, under Settings, is we can add and remove members using the access and permissions option. If we select this, we can see what members are included. I'm already included here, so that's all I need. But if I needed to add other members, I could do that here. Same thing with role groups, if I wanted to add a role group here, I could do that.

What we're going to do here is exit. And then what I'm going to do is define a search, here, for this case. We can see we don't have any searches defined yet, so we'll go ahead and new search it. And what we're going to do here is we'll just call our search Virus Search. Essentially I'm going to do is search my email mailbox for a keyword called virus, just in this example here.

So, we'll call this Virus Search. Now, under Custodians, here, we can select specific custodians and what that means is this will search data sources that are associated with that particular user. To simplify things here, I'm just going to select all. And the same thing for non-custodians, essentially, this refers to sites, groups, or other sources not attributed to the original custodian. So, we'll select all here and we'll next it. And then, what we're gonna do is search exchange mailboxes, so they're included. So, we'll go ahead and next it again.

So, now, what we're gonna do here is we're gonna search the mailbox for a phrase of Bad Virus because I've sent myself a few emails with that in the body of the email. So, that's what we're gonna search for. So, we'll go ahead and type in Bad Virus. Well next it, and we'll submit it. Now, the search is gonna be processed, so it takes a little while for this to happen. So, we'll go ahead and click Done and let's refresh here. And we can see the search is in the submitted status.

Now, if you remember earlier in the course, I mentioned review sets and if we select Review Sets for this case, we can see we don't have any. So, we'll add a review set here. And I'll just call this Virus Review and we'll add it. And if we select it, this is where we can define queries. But we'll go back to our case for now. And we can see our Virus Search search was successful.

So, what we'll do here is we'll select Virus Search, and when we do that this blade opens. And, from here, we can add the results to a review set. So, we'll go ahead and add it. And, we can see, we already have our existing review set defined. So, we'll select this here by default. Now, we could create a new one if we wanted to. And then, you have your collection options here. But we're good with the default options. So, we'll go ahead and add this to the review set.

Then, we can close this and if we refresh this, we can see that it's been submitted to the review set. Now, we can see that the add to review set has now changed to In Progress. Now, since I'm the impatient type, let's go ahead and try a search in the review set while this is still being added. We'll see if we can get lucky here. If we go into Review Sets here and select it what we'll do here is we'll create our new query. And we'll just call this Virus Query.

Now, what we're gonna do is query our information or the data that we're collecting for, in this case, we're gonna set a condition for keywords. So, we'll call it Virus Query, and then we'll add a condition here. And in this Add a condition blade you can specify what you're looking for. For this example here, we're gonna search for keywords. And then, you can use the dropdown to specify how you want to search. We'll just contains all, and we'll search for Bad Virus, and then we'll save it.

Now, we can see here in our Virus Review search, here, we're already told that processing jobs are still in progress and it might affect the search and analytics results. Now, since we don't have anything showing up yet that's mostly because we're not done with the processing jobs, so we'll go back out to our email discovery case.

Come back in and we're doing the query right now, and you notice we don't have anything yet, zero items selected. And you can see we're still being added to the review set. Let me refresh this one more time here. And if we select the search, we can actually look down here at the bottom at the estimate, we can see that there's an estimate of two items non or unindexed, and we're searching one mailbox because it's just my mailbox. So we'll go ahead and close this.

What I'll do is I'll let this run for a little bit. I'm going to pause my video and, once this finishes, we'll come back and I'll show you what the results look like in the review set query. Now, before I do that let's just bounce back over to Overview here. So, I can show you that from this Overview page you can see the job status and, right now, the export is at 77%. The analysis is complete, but the export of the data is not. That's why it was able to tell us that there were a couple items already identified but it's still not showing in the query because that data hasn't been exported yet. So, we'll let this run, and then we'll come back when it's completed, and then I'll show you what the search looks like in the review set.

Welcome back, so we can now see that the export is successful and 100% complete. So, with that, let's go into Review Sets here and we can see our Virus Review set. Now, we can see by default, since the search was only looking for Bad Virus it's already found the two emails. If I select the Virus Query, we can see those queries as well, and then, what I can do from here is select that email. We can look at the source view, the text view, and then what we can do is close this and go back out to Advanced eDiscovery.

So, that's how you create a case, perform a search and then find the data within your search.

About the Author
Thomas Mitchell
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.