Merge pull request #50464 from MicrosoftDocs/NEW-purview-ediscovery-manage-data-sources-holds

New purview ediscovery manage data sources holds

Author: AnnaMHuff

learn-pr/wwl-sci/purview-ediscovery-manage-data-sources-holds/add-data-source.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-ediscovery-manage-data-sources-holds.add-data-source
+title: Select and manage data sources
+metadata:
+  title: Select and manage data sources
+  description: "Select and manage data sources"
+  ms.date: 05/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 6
+content: |
+  [!include[](includes/add-data-source.md)]

learn-pr/wwl-sci/purview-ediscovery-manage-data-sources-holds/create-holds.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-ediscovery-manage-data-sources-holds.create-holds
+title: Create holds in eDiscovery
+metadata:
+  title: Create holds in eDiscovery
+  description: "Create holds in eDiscovery"
+  ms.date: 05/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 8
+content: |
+  [!include[](includes/create-holds.md)]

learn-pr/wwl-sci/purview-ediscovery-manage-data-sources-holds/identify-report-mailbox-holds.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-ediscovery-manage-data-sources-holds.identify-report-mailbox-holds
+title: Identify and report on mailbox holds
+metadata:
+  title: Identify and report on mailbox holds
+  description: "Identify and report on mailbox holds"
+  ms.date: 05/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 7
+content: |
+  [!include[](includes/identify-report-mailbox-holds.md)]

learn-pr/wwl-sci/purview-ediscovery-manage-data-sources-holds/includes/add-data-source.md

@@ -0,0 +1,61 @@
+Once a case has been created, eDiscovery allows you to define which content sources should be included in a search. Adding data sources ensures that you're querying the right locations tied to the individuals or groups involved in your investigation.
+
+In the new eDiscovery experience, data sources are added directly from within a search. This streamlines the workflow and provides a clear view of what locations are included. Sources can be added manually or using broader organization-wide options, depending on the scope of your investigation.
+
+## Add sources to a search
+
+To add data sources in the new experience:
+
+1. Go to the Microsoft Purview portal and navigate to **Solutions** > **eDiscovery** > **Cases**.
+
+1. Select a case, then select the **Searches** tab to open an existing search or create a new one.
+
+1. Select **Add sources** or **Add tenant-wide sources**.
+
+1. Use the **Search for sources** panel to look up people, groups, or locations.
+
+   :::image type="content" source="../media/add-data-sources.png" alt-text="Screenshot showing where to add data sources in an eDiscovery search." lightbox="../media/add-data-sources.png":::
+
+1. Apply filters to narrow your selection. You can:
+
+   - Limit the results to people or groups only
+   - Show or hide inactive users
+   - Focus only on sources already connected to the case
+
+1. Select the users or groups to include.
+
+   After selecting users or groups as sources, use the **Manage** button to review and adjust which data locations are included for each source. For users, you can choose their mailbox and OneDrive site. For groups, you can choose the group mailbox and any associated SharePoint site.
+
+    :::image type="content" source="../media/manage-data-sources.png" alt-text="Screenshot of the Manage sources panel showing users and groups with mailboxes and sites selected." lightbox="../media/manage-data-sources.png":::
+
+1. Save your selections.
+
+Once saved, your chosen sources appear in the **Data sources** list for the search. Each source displays icons to indicate which content types are included, such as mailboxes or SharePoint sites.
+
+If your case requires broader coverage, you can use the **Add tenant-wide sources** option. This includes:
+
+- **All people and groups**, which covers all mailboxes, OneDrive sites, and group content across the organization
+- **All public folders**, which includes all content in Exchange public folder mailboxes
+
+> [!NOTE]
+> The list of available users and groups in the **Search for sources** panel depends on the case's data source settings. These settings are configured when creating or editing a case and include options like departed users, guest users, and shared Teams channels. You can review or update these settings in the **Settings** tab of the case. For more information, see [Learn about data sources settings in eDiscovery cases](/purview/edisc-settings-data-sources).
+
+## Review or modify data sources
+
+After saving your selections, you can return to the search at any time to update the data sources. From the **Searches** tab within the case, open the relevant search, and select the **Manage sources** icon in the data sources section. This allows you to:
+
+- Add or remove users and groups
+- Change which content types are included (mailbox, OneDrive, SharePoint)
+- Review location mappings for each source
+
+   :::image type="content" source="../media/manage-sources.png" alt-text="Screenshot showing the options to Manage sources after data sources are added." lightbox="../media/manage-sources.png":::
+
+Any changes you make affect the scope of the search results and can be saved immediately.
+
+You can also select the **Sync** (⟳) button to check whether any of the data sources have changed, such as new Teams channels being added. This ensures your search includes the most current content locations. Sync doesn't reflect changes to group membership. If new users are added to a group after it's selected, their mailboxes and OneDrive sites won't be included automatically.
+
+## Considerations
+
+You can include distribution lists in your search. eDiscovery automatically resolves these lists into individual mailboxes, helping you quickly target a defined group of users without manually adding each one.
+
+Defining data sources early helps ensure that search results are accurate and makes it easier to apply holds without needing to reselect sources later.

learn-pr/wwl-sci/purview-ediscovery-manage-data-sources-holds/includes/create-holds.md

@@ -0,0 +1,102 @@
+When an investigation is underway, you might need to preserve content that could be relevant to the case. In Microsoft Purview eDiscovery, this is done by placing content locations such as mailboxes, SharePoint sites, and OneDrive accounts on hold. This action prevents data from being permanently deleted until the hold is removed or the case is closed.
+
+You create a hold by defining a policy in an eDiscovery case. The policy determines which content to preserve and how long it should be retained. Depending on the investigation, a hold can preserve everything in a source or only content that matches a specific query.
+
+> [!TIP]
+> Hold policies are designed for investigation and litigation. For long-term retention scenarios unrelated to legal investigations, retention policies or retention labels are a better fit.
+
+## Step 1: Create the hold policy
+
+Every hold begins with a policy. The policy is stored in the case and defines which data sources and filters to apply.
+
+To create a hold policy:
+
+1. In the [Microsoft Purview portal](https://purview.microsoft.com/), go to **eDiscovery** > **Cases** and open the case you want to work in.
+1. Select the **Hold policies** tab.
+1. Select **Create policy**.
+1. Give the policy a name (required) and an optional description.
+1. Select **Create**.
+
+   :::image type="content" source="../media/create-hold-policy.png" alt-text="Screenshot showing the creation of a new hold policy." lightbox="../media/create-hold-policy.png":::
+
+The hold policy is now part of the case but doesn't preserve any data yet. You'll add sources and define the scope in the next steps.
+
+## Step 2: Add sources to the hold
+
+To preserve content, you need to specify where it lives. This means selecting the mailboxes, OneDrive accounts, or SharePoint sites that contain the data you want to keep.
+
+1. From the **Hold policy** tab, select the policy you created.
+1. Choose **Add data sources**.
+1. Use the **Manage data sources** panel to select the users, groups, or sites you want to preserve.
+
+You can hold mailboxes, OneDrive accounts, and SharePoint sites. For Microsoft Teams or Microsoft 365 groups, you need to select the group mailbox and associated SharePoint site.
+
+> [!NOTE]
+> If you add a distribution list, it expands to show current members. However, the list doesn't stay updated. If membership changes later, you need to readd the list to reflect those updates.
+
+At least one data source is required before you can apply the hold.
+
+## Step 3: Define the hold scope
+
+By default, a hold preserves all content in the selected locations. But if you're trying to limit the scope of what gets preserved, you can build a search query to target specific content types or events.
+
+There are two ways to define a query-based hold:
+
+- **Condition builder** lets you add filters like keywords, participants, and dates through a visual interface.
+- **Keyword Query Language (KQL)** provides a freeform text field for more complex queries.
+
+1. In the **Hold policy** tab, use the **Condition builder** to define filters that match the content you want to preserve.
+
+1. To switch to KeyQL, select it from the **Add conditions** menu. This replaces the condition builder with a single query field for advanced query input.
+
+1. Select **Apply hold** to finalize the scope.
+
+   :::image type="content" source="../media/configure-hold-policy.png" alt-text="Screenshot showing a hold policy being configured with data sources and conditions in the Condition builder." lightbox="../media/configure-hold-policy.png":::
+
+> [!NOTE]
+> All content is initially preserved when you create a hold. Content that doesn't match the query is cleared from the hold within 7 to 14 days, unless it's covered by another hold or can't be indexed.
+
+Use the **Apply a hold** interactive guide to walk through creating and managing a hold policy.
+
+[:::image type="content" source="../media/guide-apply-hold.png" alt-text="Illustration showing the opening page to the Apply a hold interactive guide." lightbox="../media/guide-apply-hold.png":::](https://mslearn.cloudguides.com/guides/Apply%20a%20hold%20with%20Microsoft%20Purview%20eDiscovery?azure-portal=true)
+
+## Step 4: Confirm the hold
+
+After applying the hold, go to the **Details** tab to confirm that the policy is active and functioning as expected.
+
+You can view:
+
+- The names and locations of data sources
+- The hold status for each location (on hold, not on hold, or error)
+- Whether the source is a person or a group
+- Whether the location is a mailbox or a site
+
+   :::image type="content" source="../media/hold-details.png" alt-text="Screenshot showing the Details tab within an eDiscovery hold." lightbox="../media/hold-details.png":::
+
+## Create a hold from an existing search
+
+If you've already created a search that scoped the right content, you can use that search as the starting point for a hold.
+
+To create a hold from a search:
+
+1. Go to the **Searches** tab.
+1. Open an existing search.
+1. Select **Create a hold** from the command bar.
+
+The new hold copies the sources from the search. Keep in mind:
+
+- Tenant-wide sources are excluded.
+- Distribution lists are expanded at creation and don't stay updated automatically.
+
+## Considerations
+
+- When a data source is removed from a hold, a **30-day delay hold** is applied before content can be permanently deleted.
+- If a user's **OneDrive URL changes** (such as from a UPN update), the existing hold still preserves the content, but you need to update the URL to reflect the new path for ongoing visibility and management.
+- Teams and group content is stored in group mailboxes and SharePoint sites, while user chats and shared files are stored in individual mailboxes and OneDrive. Hold all relevant locations to ensure complete coverage.
+- When you place a hold on a group, member content isn't preserved unless their mailboxes and OneDrive accounts are added separately.
+
+## Apply a hold interactive guide
+
+Use the **Apply a hold** interactive guide to walk through creating and applying a hold policy.
+
+[:::image type="content" source="../media/guide-apply-hold.png" alt-text="Illustration showing the opening page to the Apply a hold interactive guide." lightbox="../media/guide-apply-hold.png":::](https://mslearn.cloudguides.com/guides/Apply%20a%20hold%20with%20Microsoft%20Purview%20eDiscovery?azure-portal=true)

learn-pr/wwl-sci/purview-ediscovery-manage-data-sources-holds/includes/identify-report-mailbox-holds.md

@@ -0,0 +1,136 @@
+When responding to investigations or audits, it's important to confirm whether mailbox content is being preserved and why. Microsoft Purview supports several types of holds that prevent mailbox content from being permanently deleted. This includes holds applied through eDiscovery cases, retention policies, retention labels, and litigation holds.
+
+## Identify mailbox hold types
+
+You can use Exchange Online PowerShell to identify the types of holds placed on a mailbox.
+
+Before you check hold status, it helps to understand what types of holds you might see:
+
+- **Litigation Hold** keeps mailbox content for legal reasons, even if the user deletes it.
+- **eDiscovery holds** are tied to eDiscovery cases and preserve content relevant to investigations.
+- **Retention policies** apply to entire mailboxes or groups of mailboxes based on organizational rules.
+- **Retention labels** apply to specific items or folders and can trigger preservation even without a policy.
+- **Delay holds** apply after a hold is removed, giving time before content is purged.
+
+You might see one or more of these on the same mailbox, depending on how your environment is configured.
+
+To check for Litigation Hold and unified holds (eDiscovery holds and retention policies):
+
+```powershell
+Get-Mailbox <username> | FL LitigationHoldEnabled,InPlaceHolds
+```
+
+- **LitigationHoldEnabled** indicates whether a mailbox is on Litigation Hold.
+- **InPlaceHolds** contains GUIDs for other hold types.
+
+Hold GUIDs use different prefixes to indicate the type:
+
+- `UniH` = eDiscovery hold
+- `mbx`, `skp`, or `grp` = retention policy
+- `-mbx` = explicitly excluded from a retention policy
+
+If a GUID starts with `-mbx`, it means the mailbox has been explicitly excluded from an organization-wide policy. This can be used to prevent retention from applying to specific mailboxes, even when the policy is scoped broadly.
+
+If **InPlaceHolds** is empty, check for organization-wide retention policies:
+
+```powershell
+Get-OrganizationConfig | FL InPlaceHolds
+```
+
+To check if content is preserved due to retention labels:
+
+```powershell
+Get-Mailbox <username> | FL ComplianceTagHoldApplied
+```
+
+- If **ComplianceTagHoldApplied** is `True`, the mailbox is treated as on hold because a retention label that retains content has been applied to at least one item.
+
+To view delay hold status after a hold is removed:
+
+```powershell
+Get-Mailbox <username> | FL DelayHoldApplied,DelayReleaseHoldApplied
+```
+
+These properties show whether a delay hold is in place, temporarily extending retention after the original hold is removed.
+
+## Match hold GUIDs to specific cases and policies
+
+After identifying hold GUIDs on a mailbox, you might need to trace those values back to a specific case, policy, or content location.
+
+### For eDiscovery holds
+
+eDiscovery hold GUIDs start with `UniH`. To match a GUID to a specific case and hold:
+
+1. Remove the `UniH` prefix.
+1. In Security & Compliance PowerShell, run:
+
+   ```powershell
+   $CaseHold = Get-CaseHoldPolicy <GUID without UniH>
+   Get-ComplianceCase $CaseHold.CaseId | FL Name
+   $CaseHold | FL Name,ExchangeLocation
+   ```
+
+These commands reveal the name of the eDiscovery case, the hold name, and the mailboxes under hold.
+
+### For retention policies
+
+Retention policy GUIDs often start with `mbx`, `skp`, or `grp`. To match a GUID to a Microsoft Purview retention policy:
+
+1. Remove the prefix and suffix (such as `:1`, `:2`, or `:3`).
+1. Run:
+
+   ```powershell
+   Get-RetentionCompliancePolicy <GUID without prefix or suffix> -DistributionDetail | FL Name,*Location
+   ```
+
+This shows the name of the retention policy and the content locations it's scoped to.
+
+Matching GUIDs to holds can help verify why a mailbox is preserved, confirm scope, and support defensible investigations.
+
+## Use a script to report on eDiscovery holds
+
+While PowerShell can help you check individual mailbox holds, Microsoft also provides a sample script to generate a report of all eDiscovery case holds across your organization.
+
+Use this script during audits or investigations to:
+
+- Show which cases have active holds
+- See who created or modified the holds
+- List the content locations in scope
+- Identify cases that don’t include any holds
+
+It also creates a separate report listing eDiscovery cases that have **no holds**.
+
+### What the script collects
+
+When you run the script, it generates two CSV files:
+
+- `CaseHoldsReport_<timestamp>.csv` with details about each hold, including:
+
+  - Case name, type, and status
+  - Hold name and whether it's enabled
+  - Hold creator and last modifier
+  - Query-based syntax, if applicable
+  - Mailboxes and SharePoint sites in scope
+  - Hold creation and modification timestamps
+- `CasesWithNoHolds_<timestamp>.csv`, which lists any eDiscovery cases that don't have associated holds
+
+### How to run the script
+
+1. Connect to [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
+
+1. Create a new `.ps1` script file in a text editor and paste in the script provided in the [official documentation](/purview/edisc-hold-report-script#step-2-run-the-script-to-report-on-holds-associated-with-ediscovery-cases). Save the file as `CaseHoldsReport.ps1`.
+
+1. In your PowerShell session, run the script:
+
+   ```powershell
+   .\CaseHoldsReport.ps1
+   ```
+
+1. When prompted, enter a folder path where the reports will be saved.
+
+> [!TIP]
+> To save the report in the same folder as the script, type a period (`.`) when prompted. To use a subfolder, type the subfolder name.
+
+Once the script completes, you'll see confirmation in the PowerShell window and can open the CSV files from the path you specified.
+
+Using this report can help you quickly validate whether content is under legal hold and identify any gaps, especially during time-sensitive investigations.

learn-pr/wwl-sci/purview-ediscovery-manage-data-sources-holds/includes/introduction.md

@@ -0,0 +1,11 @@
+In Microsoft Purview eDiscovery, identifying the right content sources and preserving data are essential steps in responding to legal, regulatory, or internal investigations. Without a clear definition of where to search and what to preserve, organizations risk missing critical evidence or failing to meet compliance obligations.
+
+Defining and managing data sources, applying and maintaining holds, and validating that preservation is working as expected are key parts of managing investigations in Microsoft Purview. This includes support for preserving metadata, applying delay holds after removal, and using tools to troubleshoot or report on hold status.
+
+By the end of this module, you'll be able to:
+
+- Identify the types of data sources used in eDiscovery searches and holds
+- Add and manage data sources in the new eDiscovery experience
+- Create and configure hold policies to preserve relevant content
+- View, edit, and troubleshoot existing holds
+- Confirm hold status using PowerShell and interpret preservation behavior