Manage holds in eDiscovery (Premium)

Tip

eDiscovery (preview) is now available in the new Microsoft Purview portal. To learn more about using the new eDiscovery experience, see Learn about eDiscovery (preview).

You can use a Microsoft Purview eDiscovery (Premium) case to create holds to preserve content that might be relevant to your case. Using the eDiscovery (Premium) hold capabilities, you can place holds on custodians and their data sources. Additionally, you can place a noncustodial hold on mailboxes and OneDrive for Business sites. You can also place a hold on the group mailbox, SharePoint site, and OneDrive for Business site for a Microsoft 365 group. Similarly, you can place a hold on the mailbox and site that are associated with Microsoft Teams. When you place content locations on hold, content is held until you release the custodian, remove a specific data location, or delete the hold policy entirely. After you create an eDiscovery hold, it may take up to 24 hours for the hold to be applied.

Important

For long term data retention not related to eDiscovery investigations, it is strongly advised to use retention policies and retention labels. For more information, see Learn about retention policies and retention labels.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

View custodian-based holds

In some cases, you may have a set of custodians that you've identified and decided to preserve their data during the case. In eDiscovery (Premium), when these custodians are placed on hold, the user and their selected data sources are automatically added to a custodian hold policy.

Points to remember about hold policies:

  • The best policy status is fetched when a location is viewed in a data source
  • If the existing applied policy is deleted or released, the system replaces the hold policy status and name with next best applied or active policy.
  • Only 1 policy per location is reported. However, there can be more than 1 policy impacting the location within the case. View the hold report to determine all applicable policies.
  • The status for a location is fetched only from the policies applicable to the case. A policy from another case won't be referred to highlight the Hold status of the location.
  • The hold status of a location is displayed in the Hold status column in the hold report.

To view the custodian hold policy:

Note

For a limited time, this classic eDiscovery experience is also available in the new Microsoft Purview portal. Enable Compliance portal classic eDiscovery experience in eDiscovery (preview) experience settings to display the classic experience in the new Microsoft Purview portal.

  1. In the Microsoft Purview compliance portal, select eDiscovery > Premium to display the list of cases in your organization.
  2. Go to the Sources tab to add custodians within your case. To learn how you can add and place custodians on hold within an eDiscovery (Premium) case, see Add Custodians to a case. If you have already added custodians and placed them on hold, go to step 3.
  3. Go to the Holds tab and select CustodianHold(HoldId) and ensure the hold is placed successfully.

The hold status shown for a custodian in the data source tab is the most restrictive status for all holds in the underlying locations within the custodian or noncustodial data source. For example, if a custodian is added and includes their mailbox, OneDrive, and several Teams channels, all these data sources are placed on hold. However, if the hold for OneDrive returns an error but hold on all other data sources is successful, the hold status for the custodian is Not on Hold because the most restrictive status also applies to all of the underlying holds.

For an individual location within a data source, the hold status of that location is determined using all the hold policies applied on that location and the distribution status. The hold status of any successfully applied hold is applied. For example, a location is part of three hold policies and two policies have a Failed/error hold status. If the third policy has a hold successfully applied, then the hold status of the location would be On Hold based on the success of the hold on the third policy.

View noncustodial holds

In some cases, you may have a set of data that isn't tied to a specific custodian, but you need to identify the data as relevant to the case and preserve it. When these noncustodial sources are placed on hold in eDiscovery (Premium), the selected data sources are automatically added to a noncustodial hold policy.

To view a noncustodial hold for an eDiscovery (Premium) case:

Note

For a limited time, this classic eDiscovery experience is also available in the new Microsoft Purview portal. Enable Compliance portal classic eDiscovery experience in eDiscovery (preview) experience settings to display the classic experience in the new Microsoft Purview portal.

  1. In the compliance portal, select eDiscovery > Premium to display the list of cases in your organization.
  2. Select the Sources tab to add noncustodial locations within your case. To learn how you can add and place noncustodial data on hold within an eDiscovery (Premium) case, see Add noncustodial data sources to an eDiscovery (Premium) case. If you've already added noncustodial location and placed them on hold, go to step 3.
  3. Select the Holds tab and select NCDSHold(HoldId) and ensure hold is placed successfully.

The source policy for the noncustodial location is shown below the hold status. The hold status of that location is determined using all the hold policies applied to the location and the distribution status. The least restrictive hold status of all the statuses is applied.

Placing custodial and noncustodial locations on hold

Placing custodial and noncustodial locations on hold preserves all the content in the locations. For steps to place query-based hold in eDiscovery (Premium), see Create eDiscovery holds in an eDiscovery case.

Note

When you create a query-based hold, all content from selected locations is initially placed on hold. After the timer job in either Exchange or SharePoint runs, any content that doesn't match the specified query is cleared from the hold. After the character count across all queries on a single location exceeds 10,000 characters, the entire location is placed on hold.

Note

If the SMTP address of the user changes after you place the user's mailbox on hold, the mailbox remains on hold. To use the new SMTP address to place hold, create a new hold.

Place a hold on Microsoft Teams and Microsoft 365 groups

Microsoft Teams is built on Microsoft 365 groups. Therefore, placing them on hold in eDiscovery (Premium) is similar. Keep the following things in mind when placing Microsoft 365 groups and Microsoft Teams on hold:

  • To place content located in Microsoft 365 groups and Microsoft Teams on hold, you have to specify the mailbox and SharePoint site that associated with a group or team.

  • Run the Get-UnifiedGroup cmdlet in Exchange Online to view properties for a Microsoft 365 group or Microsoft Team. This method is a good way to get the URL for the site that's associated with a Microsoft 365 group or a Microsoft Team. For example, the following command displays selected properties for a Microsoft 365 group named Senior Leadership Team:

    Get-UnifiedGroup "Senior Leadership Team" | FL DisplayName,Alias,PrimarySmtpAddress,SharePointSiteUrl
    DisplayName            : Senior Leadership Team
    Alias                  : seniorleadershipteam
    PrimarySmtpAddress     : [email protected]
    SharePointSiteUrl      : https://contoso.sharepoint.com/sites/seniorleadershipteam
    

    Note

    To run the Get-UnifiedGroup cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.

  • When a user's mailbox is searched, any Microsoft 365 group or Microsoft Team that the user is a member of isn't searched. Similarly, when you place a Microsoft 365 group or Microsoft Team hold, only the group mailbox and group site are placed on hold; the mailboxes and OneDrive sites of group members aren't placed on hold unless you explicitly add them as custodians or place their data sources hold. Therefore, if you need to place a Microsoft 365 group or Microsoft Team on hold for a specific custodian, consider mapping the group site and group mailbox to the custodian (See Managing Custodians in eDiscovery (Premium)). If the Microsoft 365 group or Microsoft Team isn't attributable to a single custodian, consider adding the source to a noncustodial hold.

  • To get a list of the members of a Microsoft 365 group or Microsoft Team, you can view the properties on the Home > Groups page in the Microsoft 365 admin center. Alternatively, you can run the following command in Exchange Online PowerShell:

    Get-UnifiedGroupLinks <group or team name> -LinkType Members | FL DisplayName,PrimarySmtpAddress
    

    Note

    To run the Get-UnifiedGroupLinks cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.

  • Channel conversations that are part of a Microsoft Teams channel are stored in the mailbox that's associated with the Team. Similarly, files that team members share in a channel are stored on the team's SharePoint site. Therefore, you have to place the Microsoft Team mailbox and SharePoint site on hold to retain conversations and files in a channel.

  • Alternatively, conversations that are part of the Chat list in Microsoft Teams are stored in the mailbox of the user's who participate in the chat. Files that a user shares in Chat conversations are stored in the OneDrive site of the user who shares the file. Therefore, you have to place the individual user mailboxes and OneDrive sites on hold to retain conversations and files in the Chat list.

  • Every Microsoft Team or team channel contains a Wiki for note-taking and collaboration. The Wiki content is automatically saved as a .mht file. This file is stored in the Teams Wiki Data document library on the team's SharePoint site. You can place the content in the Wiki on hold by placing the team's SharePoint site on hold.

    Note

    The capability to retain Wiki content for a Microsoft Team or team channel (when you place the team's SharePoint site on hold) was released on June 22, 2017. If a team site is on hold, the Wiki content will be retained starting on that date. However, if a team site is on hold and the Wiki content was deleted before June 22, 2017, the Wiki content was not retained.

Hold status

The following table lists the status of holds for items:

Hold Status Definition
Applied A hold is applied on the location. Content is preserved based on the hold policy conditions.
Apply Failed The hold policy trying to apply Hold on the location has failed. Check the distribution errors in the hold policy.
Applying A hold is being applied on the location. The hold job is in progress.
Not on Hold A hold isn't applied on the location. Content preservation isn't force.
Released A hold is released on the location. Content preservation is disabled.
Release failed The hold policy releasing a hold on the location failed. Check the distribution errors in the hold policy.
Releasing A hold release for the location is in progress.
Unknown The hold status is unknown for the location. Check hold policies, distribution status, and the hold report. This status may appear in cases where the system isn't able to map a hold policy to the location, indicating there isn't a hold present or applied on the location.

Manage hold status errors

You may encounter errors while placing a hold on custodial or noncustodial data sources. The following table lists the errors that you may encounter and the recommended resolution.

Hold error types Description Resolution
Policy deployment interrupted A system error indicating a problem was encountered while applying the hold. Select Retry hold action on the custodial/non-custodial data source flyout page command bar to retry the hold application.
Site inaccessible Indicates the SharePoint location associated with the requested hold request isn't accessible and may be read only. Contact your SharePoint site administrator to configure the site as writable and retry the hold with Retry hold action on the custodial/non-custodial data source flyout page command bar.
Site not found. Indicates the SharePoint location associated with the requested hold may have been moved, deleted, or the site URL may not exist. Check the site URL and confirm if the SharePoint site exists. Once confirmed, edit the custodial/non-custodial data source for the site and retry the hold action.
Mailbox not found Indicates the mailbox associated with the requested hold isn't a valid mailbox. Verify the email address and check that it's a valid Exchange Online mailbox. Once confirmed, edit the custodial/non-custodial data source for the mailbox and then retry the hold action.
Distribution group has too many members Indicates the distribution group associated with the requested hold has more than 1,000 email addresses. Currently, a distribution group having more than 1,000 email addresses can't be expanded to be placed on hold. Add the individual email addresses as custodial or noncustodial data sources or split the distribution group into groups with less than 1,000 email addresses and retry the hold action.
Invalid email address or URL Indicates the location associated with the requested hold has an invalid email address or site URL. Specify a valid email address or URL that exists within your organization.

Additional resources