Merge pull request #50046 from MicrosoftDocs/NEW-purview-ediscovery-search

New purview ediscovery search

Author: JamesJBarnett

learn-pr/paths/purview-audit-search/index.yml

@@ -3,7 +3,7 @@ uid: learn.wwl.purview-audit-search
 metadata:
   title: 'Audit and search activity in Microsoft Purview (SC-401)'
   description: 'Logging actions and locating content are essential for investigating events, supporting compliance efforts, and maintaining transparency. Microsoft Purview provides audit and content search capabilities to help organizations understand what actions were taken and find specific items across Microsoft 365 services. This learning path aligns with exam SC-401: Microsoft Information Security Administrator.'
-  ms.date: 03/25/2025
+  ms.date: 04/17/2025
   author: wwlpublish
   ms.author: riswinto
   ms.topic: learning-path
@@ -26,7 +26,7 @@ subjects:
 - security
 modules:
 - learn.wwl.purview-audit-search-investigate
-- learn.wwl.search-for-content-security-compliance-center
+- learn.wwl.purview-ediscovery-search
 
 trophy:
   uid: learn.wwl.purview-audit-search.trophy

learn-pr/wwl-sci/purview-ediscovery-search/conduct-ediscovery-search.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-ediscovery-search.conduct-ediscovery-search
+title: Conduct an eDiscovery search
+metadata:
+  title: Conduct an eDiscovery search
+  description: "Conduct an eDiscovery search."
+  ms.date: 04/17/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 10
+content: |
+  [!include[](includes/conduct-ediscovery-search.md)]

learn-pr/wwl-sci/purview-ediscovery-search/create-ediscovery-search.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-ediscovery-search.create-ediscovery-search
+title: Create an eDiscovery search
+metadata:
+  title: Create an eDiscovery search
+  description: "Create an eDiscovery search."
+  ms.date: 04/17/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 4
+content: |
+  [!include[](includes/create-ediscovery-search.md)]

learn-pr/wwl-sci/purview-ediscovery-search/ediscovery-prerequisites.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-ediscovery-search.ediscovery-prerequisites
+title: Prerequisites for using eDiscovery in Microsoft Purview
+metadata:
+  title: Prerequisites for using eDiscovery in Microsoft Purview
+  description: "Prerequisites for using eDiscovery in Microsoft Purview."
+  ms.date: 04/17/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 3
+content: |
+  [!include[](includes/ediscovery-prerequisites.md)]

learn-pr/wwl-sci/purview-ediscovery-search/export-results.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-ediscovery-search.export-results
+title: Export eDiscovery search results
+metadata:
+  title: Export eDiscovery search results
+  description: "Export eDiscovery search results."
+  ms.date: 04/17/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 7
+content: |
+  [!include[](includes/export-results.md)]

learn-pr/wwl-sci/purview-ediscovery-search/includes/conduct-ediscovery-search.md

@@ -0,0 +1,118 @@
+As an information security administrator, one of your responsibilities might be to investigate activity that could indicate a data leak or misuse of sensitive information. eDiscovery searches in Microsoft Purview help you locate potentially relevant content across Microsoft 365 services, such as email, files, and Teams messages.
+
+For example, you might need to identify messages and documents shared externally by members of the Sales department during a specific time period. To do that, you'll create a search in an eDiscovery case, define the locations to search, and configure your query to find the relevant content.
+
+## Supported Microsoft 365 workloads
+
+When you conduct a search, the results might include content from the following workloads, depending on the locations you choose:
+
+- **Exchange Online**: Email messages and calendar items
+- **SharePoint Online and OneDrive for Business**: Files and document metadata
+- **Microsoft Teams**:
+  - **Chat messages** (1:1 and group chats)
+  - **Channel messages**
+  - **Files shared in chat and channels**
+- **Microsoft 365 Groups and Viva Engage**: Group conversations and shared documents
+
+## Conduct an eDiscovery search
+
+eDiscovery searches in Microsoft Purview are typically conducted in phases. Each phase helps narrow the focus of the investigation and ensures that the results are accurate and relevant.
+
+The phases include:
+
+1. Define the scope of your search
+1. Identify data sources
+1. Build the query
+1. Run and review the results
+
+You might return to earlier phases to adjust sources or refine your query based on the results. Once you're confident in the results, you can move on to the next steps in the investigation, such as exporting data or adding it to a review set.
+
+### Phase 1: Define search criteria
+
+When configuring a search, you'll specify:
+
+- A **search name** and optional description
+- One or more **data sources**, such as users, groups, or sites
+- A **query** using conditions, keywords, or Keyword Query Language (KQL)
+
+You can use the **Conditions** tab to apply filters like date range or sender, and the Keywords tab to build your query using text or KQL.
+
+### Phase 2: Identify data sources
+
+Before you can run a search, you need to specify the sources where content should be collected. In Microsoft Purview eDiscovery, this includes users, groups, SharePoint sites, OneDrive accounts, and Teams.
+
+To add sources:
+
+1. In the **Data sources** section, select **Add sources** or choose **Add tenant-wide sources** if you want to search across the entire organization.
+1. In the **Search for sources** pane, you can filter by:
+   - All people and groups (default)
+   - People only
+   - Groups only
+
+1. Enter the name, email address, or URL of the source. For SharePoint and OneDrive, enter a full site or account URL.
+1. Optionally, select **Exclude inactive users** to limit the results.
+1. Choose your sources, then select **Save and close**.
+
+   :::image type="content" source="../media/select-data-sources.png" alt-text="Screenshot showing where to select data sources in eDiscovery." lightbox=" ../media/select-data-sources.png":::
+
+You can select individual sources or include all active users and groups in the tenant. For most investigations, narrowing the scope of your data sources helps return more relevant results and improves performance.
+
+### Phase 3: Build the query
+
+The **Condition builder** lets you define filters to narrow the results returned by your search. You can use simple matching logic or combine conditions to focus on specific types of content.
+
+To add conditions:
+
+1. In the **Query** tab, under **Condition builder**, select **Add conditions**.
+1. Choose from the available options:
+   - **KeyQL**: Write advanced queries using Keyword Query Language.
+   - **Date**: Filter content based on sent, received, or modified dates.
+   - **Subject/Title**: Match specific terms in email subjects or document titles.
+   - **Participants**: Filter by sender, recipient, or other participants.
+   - **Type**: Filter by message kind, such as Email, Chat, or Teams.
+
+Each condition supports different operators, such as **equals**, **contains**, or **starts with**. Conditions are combined using **AND**, meaning content must meet all specified criteria to be included.
+
+   :::image type="content" source="../media/condition-builder.png" alt-text="Screenshot showing an example query in the condition builder in eDiscovery." lightbox=" ../media/condition-builder.png":::
+
+You can add multiple conditions and adjust or remove them as needed. When using both the condition builder and a keyword query, the system will apply both sets of criteria to your results.
+
+#### Use Copilot to generate queries (preview)
+
+If available, Microsoft Security Copilot can help build a query from a natural language prompt. For example:
+
+_Find Teams messages sent by Alex Wilber between March 1 and March 15 that contain attachments related to budget planning._
+
+:::image type="content" source="../media/generate-keyql-copilot.png" alt-text="Screenshot showing Copilot generating KeyQL code with Copilot." lightbox=" ../media/generate-keyql-copilot.png":::
+
+Copilot generates a suggested KeyQL query that you can review and edit.
+
+#### Search by file (preview)
+
+If you're working with evidence like chat logs, documents, or audit exports, you can use the Search by file option to find related content. This preview feature lets you upload sample data and use it as the basis for your search instead of writing manual queries.
+
+To use Search by file:
+
+1. Select the **Search by file (preview)** tab.
+1. Choose **Attach files**, then select one of the following:
+   - **Find similar content (.txt file)**: Upload a plain text file containing sample content to match against.
+   - **Find reference content (.csv file)**: Upload a CSV file, such as one generated from audit logs, to identify messages or files tied to specific users and actions.
+1. After uploading, your file appears in the table with its details.
+
+Each file must be 10 MB or smaller and in `.txt` or `.csv` format. When using this method, KQL and condition builder options are disabled. Instead, Microsoft Purview analyzes the uploaded content to find matches.
+
+This feature is especially useful when you're investigating suspicious behavior and already have sample evidence to work from.
+
+### Phase 4: Run and review the results
+
+After you've configured your search criteria, you're ready to run the query and review the results.
+
+1. Select **Run query**.
+1. Choose your preferred result type:
+
+   - **Statistics**: View summary data about the search, including the number of items found, size of the results, and breakdown by location.
+   - **Sample**: View a random sample of the search results to validate your query before proceeding.
+
+Results appear in the **Query** and **Statistics** tabs. If the results don't match what you expected, you can update your conditions or data sources and run the query again.
+
+After confirming that the results are accurate, you can export the content or add it to a review set, depending on what your investigation requires.

learn-pr/wwl-sci/purview-ediscovery-search/includes/create-ediscovery-search.md

@@ -0,0 +1,47 @@
+To search for content in Microsoft Purview eDiscovery, you must first create a case. A case provides the workspace where searches, holds, and exports are managed. Creating a search also creates a case, which ensures that access to investigation data is controlled and auditable. This ensures that access to investigation data is controlled and auditable.
+
+## Why cases are required
+
+Every search must be associated with a case. The case model provides:
+
+- Controlled access to investigation data
+- An auditable trail of search and export actions
+- A consistent structure for managing investigation tasks
+
+The person who creates the case is automatically added as a member. Other users must be added manually. Even with the correct eDiscovery roles, users can’t access a case unless they’re listed as a member.
+
+## Create a search
+
+You can either create a case and search in a single step or create a search through a case.
+
+### Create a search directly
+
+1. In the [Microsoft Purview portal](https://purview.microsoft.com/?azure-portal=true), go to **Solutions** > **eDiscovery** > **Cases**.
+1. Select the arrow next to **+ Create case**, then select **Create search**.
+
+   :::image type="content" source="../media/create-search-split-button.png" alt-text="Screenshot showing split button and where to create a search in eDiscovery." lightbox=" ../media/create-search-split-button.png":::
+
+1. Enter a **case name** and a **search name**.
+1. Optionally, provide descriptions for the case and search.
+1. Select **Create** to create the case and search.
+
+   :::image type="content" source="../media/create-search-fields.png" alt-text="Screenshot showing the fields to create an eDiscovery search." lightbox=" ../media/create-search-fields.png":::
+
+This creates a case and a search at the same time, so you can move directly into configuring your search criteria without setting up the case separately.
+
+### Create a search through a case
+
+If you prefer to create the case first and then add a search from within it:
+
+1. Go to **Solutions** > **eDiscovery** > **Cases**.
+1. Select **+ Create case**.
+1. Enter a **name** and optional **description**.
+1. Select **Create** to create a case.
+
+   :::image type="content" source="../media/create-case-fields.png" alt-text="Screenshot showing the fields to create an eDiscovery case." lightbox=" ../media/create-case-fields.png":::
+
+1. On the **Searches** tab of your case, select **Create search**.
+1. Enter a **name** and optional **description**.
+1. Select **Create** to create the search.
+
+Once the search is created, you can begin configuring the search criteria to locate the content relevant to your investigation.

learn-pr/wwl-sci/purview-ediscovery-search/includes/ediscovery-prerequisites.md

@@ -0,0 +1,32 @@
+Before using eDiscovery to search for content, certain roles and access must be assigned to ensure users can view cases, create searches, and export results. These prerequisites help maintain a secure and auditable investigation process.
+
+## Required roles
+
+**Global** and **Compliance Administrators** can't access eDiscovery cases or search user content unless they're explicitly assigned to the **eDiscovery Manager** or **eDiscovery Administrator** role group. This permission model ensures that access to sensitive data is intentional and auditable.
+
+To access eDiscovery, users need to be assigned one of the following roles:
+
+- **eDiscovery Manager**: Allows users to create and manage eDiscovery cases, run content searches, and export results.
+- **eDiscovery Administrator**: Includes all eDiscovery Manager permissions, plus the ability to manage role assignments and settings across all cases.
+
+These roles can be assigned in the Microsoft Purview portal under **Permissions > Roles**.
+
+## Assign users to eDiscovery roles
+
+Administrators can assign users to eDiscovery roles by doing the following:
+
+1. In the [Microsoft Purview portal](https://purview.microsoft.com/?azure-portal=true), select **Settings** > **Roles and Scopes** > **Role groups**.
+1. Search for and select the appropriate eDiscovery role group.
+1. Add users or groups to the role group.
+
+Once assigned, users might need to sign out and sign back in to see the eDiscovery interface.
+
+## Confirm access to eDiscovery
+
+To verify that the role assignment was successful:
+
+1. Open the Microsoft Purview portal.
+1. In the left-hand navigation, select **eDiscovery**.
+1. The **Cases** page should load. If not, confirm the user has been assigned the appropriate role and that the Microsoft 365 license includes eDiscovery access.
+
+With the right roles and access in place, users can begin creating cases and searching for content across Microsoft 365 workloads.

learn-pr/wwl-sci/purview-ediscovery-search/includes/export-results.md

@@ -0,0 +1,89 @@
+After you've confirmed that your search results contain the content you need, you can export those results directly from Microsoft Purview eDiscovery. Exporting creates a downloadable package of items and metadata that can be used for legal review, investigation documentation, or external handoff.
+
+Exporting is often the final step in the eDiscovery search process. If your organization performs deeper analysis before exporting, you might add results to a review set first. But if you're ready to hand off data or archive results, exporting is the most direct approach.
+
+## Choose what to export
+
+When you're ready to export:
+
+1. Go to the **Searches** tab in your case.
+1. Select a completed search.
+1. Select **Export**.
+
+In the export pane, you'll provide a name for your export and decide what types of items to include. You can export:
+
+- **Only indexed items** that matched your search query
+- **Indexed items and partially indexed items** (useful if you're concerned about items that couldn't be fully processed)
+- **Only partially indexed items** (useful in special cases, such as if you're following up on indexing issues)
+
+   :::image type="content" source="../media/ediscovery-export.png" alt-text="Screenshot showing the index options for an eDiscovery export." lightbox=" ../media/ediscovery-export.png":::
+
+These choices control how comprehensive your export will be. For most investigations, the first or second option is appropriate.
+
+## Configure export settings
+
+Depending on the types of content in your search results, you can configure additional export options.
+
+### OneDrive and SharePoint
+
+If your search includes sites or document libraries, you can customize how much document history or folder context to include. You can choose:
+
+- How many document versions to include (latest, recent 10 or 100, or all versions)
+- Whether to include subfolder items that didn't match the query
+- Whether to include attachments from SharePoint lists
+
+   :::image type="content" source="../media/ediscovery-export-onedrive-sharepoint.png" alt-text="Screenshot showing the OneDrive and SharePoint export options for eDiscovery." lightbox=" ../media/ediscovery-export-onedrive-sharepoint.png":::
+
+These options are helpful if you're dealing with collaborative content or list-based business processes.
+
+### Mailboxes and Teams
+
+These options help preserve conversational context, especially for Teams chats or messages with cloud attachments. For Exchange and Teams content, you can:
+
+- **Thread conversations** into HTML transcripts (especially useful for chat review)
+- **Include contextual Teams and Viva Engage messages** (up to 12 hours of related conversation)
+- **Include cloud attachments** from SharePoint or OneDrive, and choose the version range to include
+
+   :::image type="content" source="../media/ediscovery-export-mailbox-teams.png" alt-text="Screenshot showing the message and mailbox export options for eDiscovery." lightbox=" ../media/ediscovery-export-mailbox-teams.png":::
+
+These settings help ensure that the content you export preserves its original context and includes linked documents when applicable.
+
+## Select format and structure
+
+Next, choose how your exported items are packaged:
+
+- Export mailbox content as **PST** files or **MSG files**
+- Organize data by **source location**
+- Include or condense the **original folder path**
+- Generate **friendly names** for items to make them easier to reference
+
+   :::image type="content" source="../media/ediscovery-export-type-format.png" alt-text="Screenshot showing the type and format export options for eDiscovery." lightbox=" ../media/ediscovery-export-type-format.png":::
+
+These options help shape the output to meet your internal or legal team's requirements.
+
+## Start the export and track progress
+
+Once you've configured your export, select Export to begin. A confirmation message appears, and the process starts in the background.
+
+You can monitor the export from the **Process manager**, where you'll see:
+
+- Export status and completion time
+- Number of items and locations
+- Export options used
+
+This helps you keep track of multiple exports and ensures you know when everything is ready for download.
+
+## Download the export package
+
+After the export finishes, go to the **Exports** tab in your case to view the results. Completed exports appear in the table with their name, status, search name, and creation details.
+
+To download the export package:
+
+1. Select the export to open its **Overview**.
+1. In the **Export packages** section, review the list of downloadable files, including message content, reports, and item metadata.
+1. Select the checkboxes next to the files you want to download.
+1. Select Download.
+
+:::image type="content" source="../media/download-export.png" alt-text="Screenshot showing the download packages view in eDiscovery." lightbox=" ../media/download-export.png":::
+
+The download includes all exported content along with reports that summarize what was included.