In the modern world of work, data volumes are exploding. What used to be “just” a well-sorted email inbox is now a complex web of Teams chats, OneDrive documents, SharePoint lists and Exchange messages. For IT administrators and compliance officers, this is a growing challenge.

Imagine the following scenario: The legal department is at your desk. There is a legal incident or an urgent GDPR request for information. You must immediately present any communication between two specific employees on a specific project from the last two years.
Is the simple search function sufficient for this? No. When push comes to shove, data must not only be found, but also exported in a legally compliant manner and protected from accidental deletion.
That’s where Microsoft Purview comes in. But many administrators are faced with the question: When do I use the basic content search, and when do I have to open a full eDiscovery process?

👉 To the article: Data protection with Microsoft Purview
⚠️ Important note: The eDiscovery tools provide deep insights into employee communications. Before using them, clarify internally (data protection officer, works council) whether a works agreement exists. Technical “ability” does not automatically mean legal “may”. Use the four-eyes principle.
What is Content Search?
Content search is the basic tool in Microsoft 365 to search for data across all services. It is ideal for ad-hoc requests that are purely about finding and exporting information without a legal “case” behind it.
Areas of application:
- Check whether a certain file or mail exists in the tenant.
- Recover accidentally deleted items for users.
- Quick analysis of mail traffic in case of technical problems.
Important: Content search does not offer a “Legal Hold”. This means that while you’re searching, users could theoretically still delete the data, and it would be irretrievably gone (unless a retention policy applies).
The path in the portal: You can usually find the search directly in the eDiscovery area or as a standalone item, depending on the current portal version.

What is eDiscovery (Standard & Premium)?
eDiscovery (Electronic Discovery) is technically based on content search, but adds the crucial process layer. Here you don’t work with loose search queries, but with cases.
This is necessary as soon as there is legal relevance. Microsoft distinguishes (based on licenses) between standard and premium.
The core features
- Case Management: All searches, holds, and exports are mapped to a “case.” This allows different teams (HR, Legal, IT) to keep track of everything.
- Legal Hold: The most important feature. You can put mailboxes or OneDrive sites on hold.
  - The effect: The user can continue to work and delete whatever they want. In the background, however, Microsoft Purview keeps a copy of the original data. The user does not notice anything.
- Review Sets (Premium): Here, found documents can be viewed, redacted and marked directly in the browser before they are exported.

Content Search vs. eDiscovery (Standard & Premium)
The user interfaces in Microsoft Purview often seem similar, but the purpose is fundamentally different. If you use a sledgehammer to crack a nut (eDiscovery Premium for a simple mail search), you are wasting time and licenses. If you use a tool that is too weak (content search for a legal dispute), you risk compliance violations.
The direct comparison
| Feature / Aspect | Content Search | eDiscovery (Standard) | eDiscovery (Premium) |
|---|---|---|---|
| Main Purpose | Fast Research & Data Export | Manage Legal Cases & Preserve Evidence | Complex Legal Cases & Deep Analysis |
| Case Management | No (Ad-hoc Search) | Yes (Administration in “Cases”) | Yes (Advanced Case Management) |
| Legal Hold | No (data can be deleted during this time) | Yes (data is “frozen”) | Yes (incl. notification to user) |
| Custodian Mgmt. | Manual Selection of Locations | Manual Selection | Yes (Custodian Management) |
| Analysis & AI | No | Basic statistics | Yes (duplicate detection, threading, themes) |
| Typical scenario | “Does user X still have the mail?” | “We have received a lawsuit.” | “We have to check 100,000 documents.” |
When do you use what?
1. Use Content Search if:
- You just want to check if certain information exists (e.g. “Was file XY sent?”).
- You perform a one-time search to recover accidentally deleted items.
- There is no legal context that requires a “legal hold” of the data.
2. Use eDiscovery (Standard) if:
- A specific case (internal investigation or litigation) exists.
- You need to make sure that the affected data cannot be deleted (legal hold), without the user noticing anything.
- You need to control access permissions (e.g., the outside attorney is only allowed to see the data of that specific case).
3. Use eDiscovery (Premium) if:
- The amount of data is huge and you need AI support to sort out redundancies (near-duplicates).
- You have to logically reconstruct the entire communication process in Teams (threading) instead of reading individual chat snippets.
- You have to manage custodians and automatically inform them about the retention obligation.
The licensing jungle: What do you need for what?
Technically, the features in the portal are often visible, but grayed out or throw errors if the license is missing. Microsoft makes a strict distinction here according to the range of functions.
Here’s an overview of which Microsoft 365 plans unlock which features:
Level 1: The Basic (Search & Export Only)
Here you can use the content search, but you can’t manage real cases and – this is critical – often can’t set a legal hold.
- Microsoft 365 Business Standard
- Office 365 E1
- Limitation: Business Standard often lacks the Exchange Online Plan 2 functionality for legally compliant archives/holds, unless an “Exchange Online Archiving” add-on is booked.
Level 2: eDiscovery Standard (Cases & Holds)
This is the “sweet spot” for most medium-sized companies. You can create cases, set legal holds and manage searches in a structured way.
- Microsoft 365 Business Premium
- Office 365 E3 / Microsoft 365 E3
- Exchange Online Plan 2 (for mail-only holds)
Level 3: eDiscovery Premium (AI, Custodians & Review)
For the full range of functions (deep learning, OCR, custodian notifications, review sets), you need the large compliance licenses.
- Office 365 E5 / Microsoft 365 E5
- Microsoft 365 E5 Compliance (Add-On for E3)
- Microsoft 365 E5 eDiscovery and Audit (Minor add-on for E3)
Summary table
| Feature | Business Std. | Business Prem. | E3 (O365/M365) | E5 (or E3 + Add-On) |
|---|---|---|---|---|
| Content Search | ✅ | ✅ | ✅ | ✅ |
| Case Management | ❌ | ✅ | ✅ | ✅ |
| Legal Hold | ❌ | ✅ | ✅ | ✅ |
| OCR / AI Analysis | ❌ | ❌ | ❌ | ✅ |
| Review Sets | ❌ | ❌ | ❌ | ✅ |
⚠️ License Warning: Who Needs the License? A common misconception: “As an admin, I have E5, so I can use everything.” False: In the Microsoft compliance model, the user who is searched or placed on hold (the custodian) usually needs the appropriate license. So if you want to apply premium features (such as AI analysis) to John Doe’s mailbox, John Doe must have an E5 license (or add-on) assigned. Be sure to check this with your license partner before an audit!
Before you start: The permissions (RBAC)
A common stumbling block: You’re a Global Admin, but you don’t see the eDiscovery menus. This is a security feature (“Security by Design”). Microsoft separates operational admin rights from data viewing rights.
To perform searches, you must assign special rights to yourself under Roles & Scopes in the Microsoft Purview portal:
- eDiscovery Manager: Can create and edit cases, but only sees their own cases.
- eDiscovery Administrator: A very powerful right. This person can view and manage all eDiscovery cases across the organization.
Tip: Assign these roles sparingly and use PIM (Privileged Identity Management) if you have the appropriate licenses (Entra ID P2) to activate the rights only temporarily.

Best Practices for Practice: Search Like a Pro
Order is half the battle, and this is especially true in the area of compliance. An eDiscovery case is like a digital file folder. Before you collect data, you need to create and configure this folder properly.
A. Structure is everything: Setting up the case correctly
If you click on New case, the creation mask will open. Here you make decisions that are difficult to correct later. Go through the fields strategically:
1. Case Name (Naming Conventions): Never simply call cases “Test” or “Search”. Use a fixed scheme so that you can still assign the case in three years.
- Scheme: `YYYY-MM_Abteilung_Thema_TicketID`
- Example: `2025-12_HR_Mitarbeiter-Austritt_Ticket-4921`
2. Case Description (Context is King): Use this field to document the reason for the investigation. Who gave the order? Which Jira or service desk ticket is linked?
- Example: “Suspicion of data leak after termination. Assignment by HR management on 26.12.2025.”
3. Advanced settings (The premium decision): Here you will often find the inconspicuous eDiscovery (Premium) option with the note:
“Enable eDiscovery (Premium) to use premium features such as searchable query conditions, search for files, and sensitivity types.”
- Decision support: If you want to use AI analytics, notify custodians, or use review sets, you’ll need to check this box here. Without activation, you start in standard mode, which is functionally more limited.

B. Fine-tuning: Case settings
After the case has been created, it is worth taking a look at the settings. This is where you decide between efficiency and data chaos. The default values are okay, but for a professional workflow, you should adjust them.

Permissions & Role Groups: Here you have granular control over who is allowed to see this specific case. This is the big advantage over the global admin role.
- The principle: Add users here who are only supposed to handle this one case, but otherwise have no rights in the tenant (e.g., external lawyers, HR managers, or department heads).
- Role groups: You can add entire role groups (e.g., eDiscovery Manager) or individual users.
- Best Practice: Work strictly according to the “need-to-know” principle. An external auditor doesn’t need to know what other compliance cases are currently going on against other departments.

Search & Analytics: The heart of eDiscovery Premium. This is where you define how much “intelligence” Microsoft Purview applies to the data before you see it.
- Threshold for document similarity (near-duplicates):
  - Recommendation: Leave the value at 95% or higher.
  - What it brings: Purview recognizes documents that are almost identical (e.g., the same contract, once as Word, once as PDF, or with only one changed date). The system groups them.
  - The advantage: You mark a document in the Review Set as “Relevant”, and the system automatically applies this mark to all duplicates. This saves hundreds of clicks with large amounts of data.
- Optical Character Recognition (OCR):
  - Recommendation: Activate when images, scans or faxes are expected.
  - Attention: OCR requires computing time. As a result, the processing of the data takes longer (“processing time”). If you are in a hurry and only Office files are expected, you can disable it.
- Ignore Text:
  - Here you can store standard texts that would falsify the analysis.
  - Classics: Long disclaimers (“This email is intended for…”), privacy footers or company logos in the signature. If these are ignored, the theme recognition works much more precisely.

Review Sets & Grouping: Data is worthless without context. Under this point, you configure how the results are displayed in the review tool.
- Grouping: Leave the checkmarks set for Family ID and Conversation ID.
  - Family ID: Tightly links emails to their attachments. An attached Excel file is often not interpretable without the explanatory e-mail.
  - Conversation Threading ID: Especially important for Teams! A single chat snippet (“Yes, do it.”) is useless. The threading feature reconstructs the entire chat history so you can see what the “yes” referred to.
- The goal: You don’t check thousands of individual parts, but logical units.

4. Conclusion (Case Status & Lifecycle): A case is not a static object, it has a life cycle.
- Active status: The case is running, holds are active, review sets are taking up storage.
- Close Case:
  - When? Only when the procedure has been legally concluded and all data has been exported.
  - Warning: Closing a case removes all legal holds. Data that was only protected by this case will afterwards be removed according to the regular retention policy (or by user deletion). This step is often final!
C. Search Like a Pro: 3 KQL Templates (Copy & Paste)
If you only type simple terms in the search line of Microsoft Purview, you will often receive thousands of irrelevant hits. To work efficiently, professionals use the Keyword Query Language (KQL).
You can copy these queries directly into the Content Search Editor (under “Query Editor”):
Scenario 1: Find and clean up phishing emails. The situation: You are looking for a dangerous email with a specific subject that came from outside. However, you want to exclude internal calendar entries or meeting invitations that have the same subject.

`subject:"Dringende Überweisung" AND senderauthor:externe-domain.com AND NOT kind:meetings`

Why this helps: senderauthor checks the actual sender (helps with spoofing). NOT kind:meetings ensures that your results list stays clean and doesn’t get clogged with calendar spam.
Scenario 2: Find confidential documents (DLP check). The situation: You need to check whether Word files or PDFs that have “Secret” or “Internal” in the file name are on SharePoint or OneDrive (e.g. in folders that are shared with guests).

`filename:"*Geheim*" AND (filetype:docx OR filetype:pdf)`

Why this helps: The asterisks * serve as wildcards. For example, you can find “Geheim_ProjektA.docx” as well as “2025_Bericht_Geheim.pdf”. The parentheses around (filetype:docx OR filetype:pdf) are important so that the OR is evaluated before the AND and the logic is correct.
Scenario 3: An employee’s complete history. The situation: The legal department needs all communication from “Max Mustermann” from 2024 – whether it’s sent mail, received mail or Teams chat.

`(from:max.mustermann@firma.de OR participants:max.mustermann@firma.de) AND received:2024-01-01..2024-12-31`

Why this helps:
- from: Finds everything Max has sent.
- participants: This is the “secret sauce” for Teams! It finds chats in which Max was only a participant, as well as emails in which he was in CC.
- ..: The two dots define the date range (from-to).
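The case-creation, hold and search steps from sections A and C, driven from Security & Compliance PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the eDiscovery Manager role, and that the case name, description and custodian address are placeholders taken from the text above.

```powershell
# Added example (not from the original article): case -> hold -> search workflow.
# Assumptions: ExchangeOnlineManagement module installed, account has the
# eDiscovery Manager role, names and the custodian address are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# 1. Enforce the naming scheme from section A: YYYY-MM_Abteilung_Thema_TicketID.
$caseName = '2025-12_HR_Mitarbeiter-Austritt_Ticket-4921'
if ($caseName -notmatch '^\d{4}-\d{2}_[^_]+_[^_]+_Ticket-\d+$') {
    throw "Case name '$caseName' does not follow the naming scheme"
}
$custodian = 'max.mustermann@firma.de'   # placeholder custodian mailbox

# 2. Create the (Standard) case and document who ordered it and why.
$case = New-ComplianceCase -Name $caseName `
    -Description 'Suspicion of data leak after termination. Assignment by HR management on 26.12.2025.'

# 3. Put the custodian's mailbox on hold BEFORE searching, so nothing can be
#    deleted in the meantime. A rule without a ContentMatchQuery holds everything.
$policy = New-CaseHoldPolicy -Name "$caseName-Hold" -Case $case.Identity `
    -ExchangeLocation $custodian -Enabled $true
New-CaseHoldRule -Name "$caseName-HoldRule" -Policy $policy.Identity | Out-Null

# 4. Scenario 3 from section C: everything Max sent or took part in during 2024.
#    Teams chats live in the user's mailbox, so the Exchange location covers them.
$kql = "(from:$custodian OR participants:$custodian) AND received:2024-01-01..2024-12-31"
$search = New-ComplianceSearch -Name "$caseName-Search-2024" -Case $case.Identity `
    -ExchangeLocation $custodian -ContentMatchQuery $kql
Start-ComplianceSearch -Identity $search.Identity

# 5. Poll until the search is finished (section D: run big jobs one after another).
do {
    Start-Sleep -Seconds 30
    $status = Get-ComplianceSearch -Identity $search.Identity
} while ($status.Status -ne 'Completed')
"Search '$($status.Name)': $($status.Items) items, $($status.Size) bytes"
```

Hold and search objects are bound to the case, so the permissions configured in the case settings (section B) apply to them as well.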


D. Technical Stumbling Blocks (Limits & Export)
You structured the case, tuned the settings and fired the KQL search. Now it’s time for export. To ensure that it runs smoothly, observe the following limits based on Microsoft guidelines (see also official limits):
1. The 2 GB split in PST exports: Don’t be surprised if you get many small files instead of one huge file.
- The limit: While PST files can technically be much larger (up to 50 GB), to avoid corruption errors, the Microsoft Export tool often automatically splits the files into 2 GB chunks.
- The consequence: Plan enough local space for the download and make sure your Outlook clients can mount multiple PSTs.
2. Throttling in bulk searches: The cloud has many resources, but they are not infinite.
- The problem: If you start 10 complex searches or exports at the same time in a tenant, Microsoft 365’s self-protection kicks in.
- The effect: The system throttles the speed. Your exports then take hours, not minutes.
- Tip: Start big jobs sequentially (one after the other) or run them overnight.
3. The Blind Spot (“Unindexed Items”): Not every file can be searched by Microsoft Purview.
- The cause: Password-protected ZIP files, encrypted attachments, extremely large files, or unknown file formats.
- The risk: Purview lists these as “unindexed items”. In a strict eDiscovery case (e.g. suspected fraud), this is dangerous, as the password-protected ZIP file could be the very proof.
- Solution: In eDiscovery Premium, there are tools to fix these errors (remediation), but in the standard case, you often have to download and check these items manually.
Conclusion: Strategy instead of just “searching”
The tools in Microsoft Purview are powerful. The current move to the Unified eDiscovery Experience clearly shows that Microsoft is serious about governance and compliance.
For you as an admin, this means:
- Separate the processes: Use the content search for everyday IT operations (e.g. mail recovery).
- Protect yourself legally: As soon as lawyers or works councils are involved, an eDiscovery case with a legal hold is mandatory to prevent manipulation of the data.
- Practice the emergency: Don’t wait for the panic request on Friday afternoon. Create a test case and try the KQL search.
My tip: Don’t wait for the first emergency. Create a “test case” in your tenant and run through a search with the above KQL examples. If there’s a fire, you need to know where the fire extinguisher is hanging.
Other sources
Basics & Getting Started
- Microsoft Purview eDiscovery Overview
- Get started with eDiscovery
- Features & Components Explained
- Subscriptions & Licensing
Cases & Workflow
- The eDiscovery Workflow
- Create and manage cases
- Configure case settings
- Manage eDiscovery administrators
Search & KQL
- Create search queries (Search Query)
- The Condition Builder
- Search Statistics & Results
- Supported File Types
Holds, Export & Review (Premium)

