Asset Protection: Legal Issues and eDiscovery in Office 365

May 2, 2018

Learn how the Office 365 Security and Compliance Center protects your data in the cloud and serves as a hub for legal needs.

ediscovery office 365

Part two of a series.

This blog does not provide any type of post-incident legal guidance but works instead to provide you with the tools available in Office 365 so you can match them to the needs of your organization and make such incidents more manageable.

This topic may include the discussion of tools related to other topics in this series as well, especially in the area of auditing and compliance that pervade throughout the lifecycle of the Office 365 journey.

For security and legal compliance, transparency, and reporting, the tools to use are in the Office 365 Security and Compliance Center and various external Microsoft sites specific to these topics. This Security and Compliance center is the hub for legal work and protects your data using specific user roles for different operations in the center.

Microsoft maintains a high-level of transparency, trust, and certifications surrounding the services it offers in the cloud and any information required by your legal department can be easily located using the above links.

How To Use Office 365 for Legal Issues

What about Office 365’s practical uses for legal issues? There was no shortage of security incidents in 2017 and all of them had legal implications in some measure. I was fortunate enough to be in a position to provide guidance and technical assistance in an incident involving an Office 365 user in a foreign country who was involved in a legal investigation.

The request from the legal team was to have the email held, which is as simple as a checkbox and a duration option (see note at the end about this product). But they were unaware that there were also options for locating and holding data in-place in other locations like Groups, Teams, SharePoint and OneDrive.

For this particular incident, we used an eDiscovery case to perform all the holds, content searches and exports required. An eDiscovery case allows us to create a case, assign users, search for content, select locations where we want to search, retain that data, report on it and finally export it for transport.

I only encountered a few issues at the time and that was the time frame. I didn’t know anything about the case – and I like to keep it that way – but we had 72 hours to make usable data available to the legal team in the other country.

With about 150Gb in the mailbox, it was slow – improvements have been made by Microsoft to increase the speed of operations and it is much faster now – and had to be split into multiple files.

One thing we know for sure: narrow down those searches using filters and locations to get exactly what you need for your case! You will save time, throughput issues like timeouts, space, and probably some more time.

Security and Compliance Center Capabilities

So what do you need and what are your capabilities in the Security and Compliance center for legal cases? Let’s talk about those.

First, you’ll need an Office 365 Enterprise E3 license and/or a la carte P2 licenses for Exchange and SharePoint in order to retain user data. Also, if you need more enhanced security and management, you’ll need an EM+S license to use AIP, Azure Information Protection, as well as advanced features of AD, MFA, and more.

Next, use the following tools as you need them in your organization:

Classification labels and DLP policies – To retain, detect or delete particular information for a period of time. The GDPR Dashboard brings these tools together quite nicely as well.
Content Search – To find the information you need, based on the criteria you have, in the locations you select, and for the individual who creates and uses it.
Audit Log – To search to locate any administrative activities for an individual or by a particular administrator.
eDiscovery – Serves as a complete management tool for legal cases, including to search, hold, export and report on user data. I’ve also used the eDiscovery tool in the past to retain departed employees’ information for a required period of time

There are plenty of tools available for this and, with the use of archive mailboxes and other strategies, plenty of storage available for these operations.

It is important to remember that once a user’s data location is put on hold, that data, and any data generated by the user from that point forward will be retained. I have yet to see any organization deplete their tenant space entirely, much less with eDiscovery as the reason (and I’ve seen some really large operations using a lot of space!).

Final Thoughts

These tools are easy to use, tightly controlled or secured, and really geared toward finding everything related to a user in response, of course, to the GDPR requirements enforceable at the end of May.

Introducing Microsoft Azure products will further enhance your ability to locate usable user data like sentiment analysis, a hot topic right now in the HR world.

*Note on duration option – This is being removed from the Exchange Admin Center, where it lives today, and best practice is to use the Security and Compliance Center for eDiscovery, Holds, Auditing, DLP and retention as they are now integrated with Groups, Teams, SharePoint and OneDrive.

About the Author

Tad Yoke

Solutions Architect and Senior Consultant | Modern Workplace

Tad has over 20 years of experience assessing, designing and deploying technical solutions for Microsoft 365, Office 365, and Enterprise Mobility + Security (EMS); Azure directory and network management, Microsoft SharePoint and Microsoft SQL Server.

He is particularly passionate about developing Roadmaps, performing Security Assessments, and configuring Microsoft Teams Governance and Policy for our clients. Tad has numerous Microsoft certifications including his most recent accomplishment as a Microsoft Certified Security Customer Immersion Experience(CIE) facilitator. Follow Tad on Twitter.

Contact Centric | More Articles