Overview of Microsoft 365 Advanced eDiscovery
Start course

This course explores how to implement and manage auditing and eDiscovery in Microsoft 365. We'll start by covering Content Search and other search and investigation tools that are used to perform content searches, and how to export content search results.

You'll also learn about auditing management, before moving on to Core eDiscovery and how to search content using the Security & Compliance Admin Center. You’ll also learn how to configure Core eDiscovery and how to create cases. Finally, we'll cover Advanced eDiscovery, and you’ll learn what Advanced eDiscovery is, how to set it up, and how to create and manage Advanced eDiscovery cases.

Learning Objectives

  • Learn about Content Search and other search and investigation tools that are used to perform content searches
  • Export Content Search results
  • Learn how to configure audit log retention and audit policy
  • Learn what Core eDiscovery is and how to search content using the Security & Compliance Admin Center
  • Configure Core eDiscovery and how to create cases
  • Get an overview of Advanced eDiscovery and learn how to create and manage Advanced eDiscovery cases

Intended Audience

This course is intended for those who wish to learn how to use and manage auditing and eDiscovery in Microsoft 365.


To get the most out of this course, you should already have some basic experience of working with Microsoft 365.


Hello, and welcome to Advanced eDiscovery. Advanced eDiscovery is an additional search and discovery solution offered in Microsoft 365. As the name might imply, Advanced eDiscovery offers more features and capabilities over that of the Core eDiscovery feature.

Advanced eDiscovery offers organizations a complete end-to-end workflow. You can use Advanced eDiscovery to preserve, collect, analyze, review, analyze again, and export content as part of your investigations. 

Once you’ve identified a person of interest and the data sources you are interested in, you can use Advanced eDiscovery to apply a hold to preserve the user’s data. You can then manage the legal hold communication process. Because Advanced eDiscovery allows you to collect data from the source, it allows you to quickly search the live Microsoft 365 platform for the information you are interested in. 

The machine learning capabilities, like deep indexing, email threading, and near-duplicate detection, help reduce the amount of data that you need to sift through.

A key benefit of Advanced eDiscovery is the ability to discover and collect data in-place. This means that you can use Advanced eDiscovery to discover data at the source, while remaining within your Microsoft 365 security and compliance boundary. The ability to collect data in-place like this reduces the amount of work needed, because you don’t have to go back and forth to and from the source to find missing content, which will often happen due to journal lags in other eDiscovery solutions.

Advanced eDiscovery offers native search and collection capabilities for data stored in Teams, Yammer, SharePoint Online, OneDrive for Business, and Exchange Online. These capabilities vastly improve the data discovery process.

For example, if you need to retrieve data from a Teams conversation, what Advanced eDiscovery will do is completely reconstruct Teams conversations. This is vastly superior to just returning individual messages from those Teams conversations.

Advanced eDiscovery also supports hundreds of non-Microsoft 365 file types right out of the box. It can also collect data that’s been imported from third-party sources and archived in Microsoft 365 by data connectors. Some third-party data you can collect with Advanced eDiscovery includes things like Facebook data, Slack data, and Zoom Meetings.

The workflow in Advanced eDiscovery is shown on-screen.

Notice that the first step in the workflow, after creating a case, is to add custodians. Custodians are people that have administrative control of documents that may be relevant to a case.

Once the custodians have been added to the case, you then search for data that you think might be relevant to the case at hand. Like you can do with Core eDiscovery, you can use keywords, properties, and conditions to build search queries. These search queries will then return search results with data that's most likely relevant to the case.

Once the search is complete, you need to add the search results to a review set. Adding this data to a review set causes the returned items to be copied from their original locations to a secure Azure Storage location.

With the returned data added to a review set, you can view and analyze the case data. What you want to do at this stage is reduce the data set to only what is most relevant to your investigation.

Lastly, once you’ve collected, reviewed, and analyzed your case data, you can export the data out of Advanced eDiscovery so it can be reviewed externally or by people who are not part of the immediate investigation team.

Join me in the next lesson, where I’ll explain how to set up Microsoft 365 Advanced eDiscovery.


About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.