eDiscovery in Microsoft 365: What Houston Businesses Need to Know Before a Legal Request Arrives

Introduction
At some point, every Houston business gets the call. A lawsuit is filed. A regulator sends a preservation notice. HR needs email records for an internal investigation. Outside counsel asks for "all communications between these parties during this date range" — and they need it by Friday.
If you're running Microsoft 365 (and you almost certainly are), you already have the tools to respond. Microsoft Purview eDiscovery is built into your M365 tenant. The problem is that most businesses have never used it, don't know it exists, and discover its complexity at the worst possible moment — when they're under legal deadline pressure.
This guide explains what eDiscovery in Microsoft 365 actually involves, when you need it, and how to prepare before a request arrives.
When You Need eDiscovery
eDiscovery isn't just for big law firms or Fortune 500 companies. Any Houston business can find itself needing to search, preserve, and produce electronic data for:
- Litigation: You're sued (or suing someone). Discovery requests demand email, documents, and communications between specific parties during specific time periods. Failure to preserve and produce can result in sanctions.
- Regulatory examination: A HIPAA audit wants access logs and PHI handling records. An SEC examination requests trade-related communications. FINRA reviews advisor correspondence. An ITAR audit requires documentation of controlled data handling.
- Internal investigations: HR investigates harassment allegations, policy violations, or suspected IP theft. You need to search an employee's email and Teams conversations without alerting them.
- Compliance audits: A SOC 2, PCI-DSS, or CMMC audit requires evidence of data handling, access controls, and retention policy enforcement.
- Data subject requests: Under CCPA or GDPR, individuals can request all personal data your organization holds about them. Content search is how you find it.
What Microsoft 365 eDiscovery Can Search
Purview eDiscovery searches across your entire M365 ecosystem — not just email:
- Exchange Online: Email messages, calendar items, contacts, tasks — including deleted items if retention policies preserved them
- SharePoint Online: Documents in all site collections, including version history
- OneDrive for Business: All files in user OneDrive accounts
- Microsoft Teams: 1:1 chats, group chats, channel messages, meeting recordings, and transcripts
- Microsoft 365 Groups: Group mailbox and associated SharePoint content
- Yammer / Viva Engage: Community posts and messages
- Inactive mailboxes: Mailboxes of former employees preserved by retention policies
What It Cannot Search (Without Additional Tools)
- On-premises Exchange or file servers (cloud only)
- Third-party applications (Slack, Salesforce, etc.) — require separate eDiscovery connectors
- Personal devices or personal email accounts
- Data that was permanently deleted before litigation hold was applied
The Three Levels of M365 eDiscovery
Content Search (Basic — Included in All M365 Plans)
Simple keyword and date-range searches across mailboxes and sites. Good for quick lookups and small-scope requests. No case management, no holds, limited export options. Available in the Microsoft Purview compliance portal.
eDiscovery Standard (Included in M365 E3/Business Premium)
Full case management with custodian identification, litigation holds, content searches scoped to specific cases, and export in standard formats (PST, EML). Suitable for most small to mid-sized litigation matters and regulatory responses.
eDiscovery Premium (Requires M365 E5 or E5 Compliance Add-on)
Advanced capabilities: custodian communication workflows, review sets with AI-assisted relevance scoring, near-duplicate detection, email threading, and privilege detection. Required for large-scale litigation with significant document volumes.
How to Implement a Litigation Hold
When litigation is reasonably anticipated — not just when you're formally served — you have a legal obligation to preserve relevant data. This is called a litigation hold (or legal hold), and failing to implement one can result in severe penalties.
Steps to Place a Hold in M365
- Navigate to Microsoft Purview → eDiscovery → Standard
- Create a new case and name it (e.g., "Smith v. Acme Corp 2026")
- Add custodians — the people whose data needs to be preserved
- Place holds on their mailboxes and OneDrive accounts
- Optionally scope the hold: specific date ranges, keywords, or sender/recipient pairs
- Document when the hold was placed, who authorized it, and what scope was defined
What a hold does: Prevents users from permanently deleting email and documents in the held locations. Items the user "deletes" are preserved in a hidden Recoverable Items folder. The user doesn't see the hold — they can continue working normally.
What a hold does NOT do: It doesn't freeze the mailbox or prevent new activity. Users can still send, receive, and create documents. The hold only ensures that nothing is permanently destroyed.
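The same hold steps can be scripted in Security & Compliance PowerShell, which also leaves a written record of the hold. This is an added example, not part of the original article; the custodian addresses, OneDrive URLs, authorizer, and output file name are constructed placeholders.

```powershell
# Added example. Placeholder values are constructed; replace them before use.
# Requires the ExchangeOnlineManagement module and eDiscovery Manager rights.
Connect-IPPSSession

$caseName   = 'Smith v. Acme Corp 2026'     # case name used in the steps above
$holdName   = "$caseName - Custodian Hold"
$authorizer = 'PLACEHOLDER: authorizing counsel'
$mailboxes  = @('custodian1@example.com', 'custodian2@example.com')
$oneDrives  = @(
    'https://example-my.sharepoint.com/personal/custodian1_example_com',
    'https://example-my.sharepoint.com/personal/custodian2_example_com'
)
# Empty string holds everything in the locations; a KQL query narrows the hold.
$scopeQuery = ''

# Create the case only if it does not exist yet, so the script can be re-run.
if (-not (Get-ComplianceCase | Where-Object Name -eq $caseName)) {
    New-ComplianceCase -Name $caseName | Out-Null
}

# The policy names the held locations; the rule carries the optional scope.
New-CaseHoldPolicy -Name $holdName -Case $caseName `
    -ExchangeLocation $mailboxes -SharePointLocation $oneDrives `
    -Enabled $true | Out-Null

$rule = @{ Name = "$holdName Rule"; Policy = $holdName }
if ($scopeQuery) { $rule.ContentMatchQuery = $scopeQuery }
New-CaseHoldRule @rule | Out-Null

# Record when the hold was placed, who authorized it, and its scope.
# Distribution to the locations is not instant, so re-check the status later.
$policy = Get-CaseHoldPolicy -Identity $holdName -Case $caseName -DistributionDetail
[pscustomobject]@{
    Case               = $caseName
    Hold               = $holdName
    PlacedAtUtc        = (Get-Date).ToUniversalTime().ToString('o')
    AuthorizedBy       = $authorizer
    Mailboxes          = $mailboxes
    OneDriveSites      = $oneDrives
    Scope              = if ($scopeQuery) { $scopeQuery } else { 'All content' }
    DistributionStatus = $policy.DistributionStatus
} | ConvertTo-Json | Set-Content -Path '.\hold-record.json'
```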
Building Effective Search Queries (KQL)
Microsoft Purview uses Keyword Query Language (KQL) for content searches. Simple searches are straightforward; complex ones require expertise:
Simple Search
subject:"invoice" AND from:[email protected] AND date:2025-01-01..2025-12-31
Complex Multi-Condition Search
(from:[email protected] OR to:[email protected]) AND (subject:"merger" OR subject:"acquisition" OR body:"confidential") AND date:2025-06-01..2026-03-31 NOT kind:meetings
Common Pitfalls
- Overly broad searches return millions of results and take hours to export. Start narrow and expand.
- Missing Teams data — Teams messages are stored in Exchange mailboxes but require specific search parameters to capture correctly.
- Deleted items — if no retention policy or hold was in place, permanently deleted items may be gone. This is why proactive retention policies matter.
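One way to apply "start narrow and expand" is to run each query as an estimate and compare hit counts before exporting anything. This is an added example, not from the original article; the mailbox addresses and search names are constructed, and kind:microsoftteams is the item kind for Teams content, which the article does not name.

```powershell
# Added example. Mailbox addresses and search names are constructed.
# Assumes Connect-IPPSSession has run and the case already exists.
$caseName  = 'Smith v. Acme Corp 2026'
$mailboxes = @('custodian1@example.com', 'custodian2@example.com')
$range     = 'date:2025-06-01..2026-03-31'   # date syntax as used in the article

# Ordered narrow -> broad. Stop widening once the hit count is larger than
# the team can review or export.
$queries = [ordered]@{
    'Narrow-Subject' = "subject:`"merger`" AND $range NOT kind:meetings"
    'Wider-Keywords' = "(subject:`"merger`" OR subject:`"acquisition`") AND $range NOT kind:meetings"
    'Teams-Only'     = "kind:microsoftteams AND $range"   # separate pass for Teams items
}

$report = foreach ($name in $queries.Keys) {
    $searchName = "$caseName - $name"
    New-ComplianceSearch -Name $searchName -Case $caseName `
        -ExchangeLocation $mailboxes -ContentMatchQuery $queries[$name] | Out-Null
    Start-ComplianceSearch -Identity $searchName

    # Poll until the estimate finishes, giving up after about 10 minutes.
    $tries = 0
    do {
        Start-Sleep -Seconds 15
        $s = Get-ComplianceSearch -Identity $searchName
        $tries++
    } while ($s.Status -ne 'Completed' -and $tries -lt 40)

    [pscustomobject]@{
        Search = $name
        Status = $s.Status
        Items  = $s.Items
        SizeMB = [math]::Round($s.Size / 1MB, 1)
        Query  = $queries[$name]
    }
}

# Keep the estimates with the case file; they document the search methodology.
$report | Format-Table Search, Status, Items, SizeMB -AutoSize
$report | Export-Csv -Path '.\search-estimates.csv' -NoTypeInformation
```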
Prepare Before You Need It
The worst time to learn eDiscovery is during an emergency. Houston businesses should have these foundations in place before a legal request arrives:
1. Retention Policies
Configure M365 retention policies to preserve email, documents, and Teams messages for a defined period (typically 3-7 years depending on industry). Without retention, deleted data is gone and your eDiscovery scope is limited to what currently exists.
2. Licensing Verification
Confirm your M365 licensing supports the eDiscovery level you need. E3 includes Standard eDiscovery. E5 includes Premium. Business Basic/Standard plans only include Content Search.
3. Role Assignments
eDiscovery requires specific admin roles. Don't wait until a legal emergency to discover that nobody in your organization has the eDiscovery Manager role assigned. Pre-assign roles to your IT lead and legal counsel.
4. Outside Expertise
Identify a managed IT provider with eDiscovery experience before you need one. Scope, pricing, and availability are much better when you're not calling at 4 PM on the day counsel needs results by morning.
When to Call for Help
DIY eDiscovery works for simple, single-custodian searches. Call for professional help when:
- Multiple custodians are involved (5+)
- The date range spans years of data
- Complex keyword queries require iterative refinement
- Export volume exceeds what your team can handle
- The matter is adversarial (opposing counsel will scrutinize your methodology)
- Regulatory formatting requirements apply (SEC, FINRA, HIPAA)
- You need it done in 24-48 hours
LayerLogix provides managed eDiscovery and content search services for Houston businesses — project-based for specific matters or ongoing for organizations with recurring compliance needs. Call 713-571-2390.


