Office 365 is moving mainstream eDiscovery off-premises, making Microsoft compelling and convenient for many organizations. If you’re an IT, legal, compliance or HR professional and answered “yes” to the question posed above, it’s important to understand the strengths of Office 365 and why it may not work for every organization or every case.

Office 365 was introduced by Microsoft in 2011, and it added the eDiscovery Center in 2012. According to a May 2016 Gartner survey, 78% of organizations reported they are either using or planning to use Office 365.

As one of the fastest growing enterprise platforms, its eDiscovery functionality adoption has been driven by migrations of Office 365 and its “in-place” capabilities (versus traditional method of extracting data and ingesting into separate repositories). For organizations that mainly deal with Microsoft content for eDiscovery, these native “in place” capabilities make Microsoft an appealing option.

There are numerous versions of Office 365, however, and different licenses have different eDiscovery functionality. For example, E1 offers no functionality; E3 offers the legal hold, search and data export functionality; and E5 offers the Advanced Discovery module (which integrates Microsoft Equivio functionality based on the company’s acquisition by Microsoft in 2015). This is a full-featured ECA tool with export functionality to review platforms.

Furthermore, there is the cloud service (E1, E3 and E5) and the hybrid version, which is partially cloud-based, such as SharePoint, and partially behind-the-firewall, such as Exchange Servers). Each deployment model and version may have very different sets of support features and limitations.

In this posting, we discuss the key strengths and challenges of the Office 365 cloud service for eDiscovery, and key considerations organizations should be aware of when seeking to employ its capabilities for legal and compliance matters.

Ideal eDiscovery Use Cases for Office 365

Ideal use cases for eDiscovery include support for Microsoft technologies and format types, with data preservation, legal hold and ECA analytics that now include text analytics, machine learning and predictive coding, and other advanced analytics found in most sophisticated eDiscovery review platforms (i.e., near-duplicate analysis and email threading). However, access to Office 365’s suite of advanced tools requires an Office 365 Enterprise E5 subscription.

Microsoft continues to evolve its eDiscovery capabilities, with new bolt-on functionality and an expanding ecosystem of third-party vendors that provide other capabilities within the EDRM process. Below is a snapshot of limitations that exist today:

eDiscovery Use Case Limitations

Office 365’s built-in eDiscovery capabilities may not meet every organization’s needs. For example, some need more sophisticated and granular functionality, including stronger legal hold management, case management when doing online reviews, and review functionality (versus ECA culling and review). For organizations seeking end-to-end EDRM capabilities, it is important that they be aware of some limitations:

Overall: The Office 365 Security & Compliance Center provides tools which allow an organization to create and manage cases and assign roles to perform eDiscovery tasks to search, preserve and export data from supported data sources including Microsoft Exchange, SharePoint and OneDrive for Business. Notably, workflow, functionality and features created by Microsoft specific eDiscovery use-case presumes limited overlap between matters with focused-support for its core services and limited support for imported and archived data sources through third-party data sources.

Significantly, due to the velocity and variety of new data sources, new functionality must be added by Microsoft on a continual basis. Thus, its feature set, volume parameters and other tools may be constantly changing.

Legal Hold: Legal hold workflow, the sending out and tracking legal hold notices, is not part of any of the Office 365 toolset—it must be conducted outside of the application as a disparate process. Here are some other considerations:

• A hold keeps all the data in the mailbox or another source until the administrator releases it.
• The in-place hold feature additionally does not capture distribution list membership of Bccs, and thus does not offer a complete record of every message recipient and sender, making this information (which could be relevant) potentially undiscoverable.
• Finally, if an employee leaves the organization, his or her mailbox will be permanently deleted if not placed on hold within 30 days of its deactivation, thus putting heavy reliance on HR and IT to thoroughly understand company retention and preservation policies, processes and implementation protocols.

Search and Export: While Office 365 allows administrators to create and manage eDiscovery cases and perform keyword and content search functions Office 365 does not support real-time, large scale search that is iterative across concurrent matters, instead relying on a batch-based search process in which IT must break up search requests into numerous smaller searches. Additionally:

• There are limits on how many content sources can be searched: in SharePoint sites, it’s unlimited when a search is conducted across all sites in the organization; otherwise, the limit is 100 if individual sites are selected. Exchange mailboxes can be searched up to 10,000 at a time when a search is conducted among distribution groups or all mailboxes in the organization; otherwise, it is limited to 1,500 individual mailboxes.
• Keywords/search terms are limited to 500. This makes Office 365’s search functionality less than ideal for investigations where a set of keywords are known, but the custodian scope and size is not yet defined.
• Limited indexing support for specific file types and artefacts.
• Linguistic search features are supported, but appear to be limited to SharePoint Server 2013.
• As stated above, there is also limited search of metadata fields which could obfuscate potentially relevant information.

Data Processing: For organizations that need to process their data (say, for example, for use with the Advanced Discovery module for analysis or to export into a third-party review platform), only the E5 license tier supports processing and other advanced analytics functions within the service. For organizations on E1 or E3 versions, processing is not part of the Office 365 eDiscovery service, which makes it challenging since the average litigation deals with tens, if not hundreds or more of different types of attachments within e-mail alone, and search must be able to capture the text and metadata of these file types.

Review Tools: Organizations seeking a robust review tool may find this functionality limited in Office 365. In E1 and E3 search results are copied to a discovery mailbox, then accessed through either Outlook or OWA, which can make review more time-consuming. (E5 license users, through the Office 365 Advanced eDiscovery module, can now export results into their own review platform, including Relativity.)

Additional Considerations

Even organizations that have the most robust Office 365 eDiscovery capabilities may have limited in-house resources and expertise to do the work, especially for high-volume concurrent matters. In designing a defensible ESI process, the legal department must develop and employ a best practices approach and process for managing the content search and export process (at a minimum). This includes collaborating with IT and outside counsel, determining the overall scope of the matter, obtaining search criteria, creating holds for specific mailboxes and/or SharePoint sites, performing basic and advanced search functions, and exporting data for processing and review.

For organizations using the Microsoft Office 365 service, partnering with an eDiscovery Services provider can reduce the burden by managing the content search and export process leveraging the Microsoft Office 365 Security & Compliance Center as well as other sources of potentially relevant data.

Jon Hagan is a Senior Forensic Consultant at Xerox Legal Business Services (US).