ARMA Greater Columbus Office 365 eDiscovery and Information Governance Workshop
May 17, 2018 2 Both Sides Now by Joni Mitchell
3 Agenda
– O365: monumental impact on IG and eDiscovery
– Background on O365
– Dynamics introduced by moving to O365
– What is O365?
– Key elements of O365
– How does O365 work?
– Security & Compliance Center
– Information Governance features in O365
– eDiscovery features in O365
– O365 Resources
4 IG considerations in context of O365
Executive Sponsor • IG is primary stakeholder for O365 planning, strategy, and management Information policy development and communications • Policies created to account for and/or adapt to O365 Information organization and classification • Labels and auto-classification and what to use when Information security • Identifying and protecting sensitive content with data loss prevention and information rights management Information accessibility • Right people at the right time via Teams, Groups, SharePoint Information control • Identify, classify, access, preserve, review, records management, eDiscovery Information governance monitoring and auditing • Data loss prevention, Supervision, Data Governance dashboards
5 Keep in mind
– Pros and cons of O365 adoption from your perspective – What features and functions to adopt? – Technology replacement opportunities?
– SourceOne – DMS – DLP – Others
6 O365: monumental impact on information governance and eDiscovery
The widespread adoption of O365 is one of the most disruptive and significant trends to hit the Information Governance and eDiscovery professions in the past 20 years
7 Why? Reason #1: Office 365 is an evidence factory and warehouse
• Factory for creating ESI: – Email – Files: Word, Excel, PowerPoint, OneNote – Web pages – Chats: Instant Messages
• Warehouse for storing ESI: – Mailboxes – SharePoint document libraries – OneDrive for Business – Teams – Yammer – Groups
9 Reason #2: Office 365 is becoming the leading enterprise and business email system worldwide
• Email is involved in MOST cases and frequently is KEY evidence • Whatever system houses email naturally is a focal point for discovery • The email system impacts—in part or in whole:
– Where email is stored – How email is stored – How long email is retained – Whether email is purged on a regular basis – How easy or difficult it is to identify, preserve, and collect
10 10 Reason #3: Office 365 is a powerful reflection and amplification of general IT trends
• Cloud computing: Office 365 is THE quintessential cloud computing platform
– Massively scalable “utility” computing – IT infrastructure owned and managed by provider (DR, backup, etc. under exclusive control of Microsoft)
• “Apps” with rapid development and deployment
• Social media infused user experience
– Facebook, Snapchat, Instagram – Communicating using acronyms, emoticons, graphics, pictures, video, giphy
11 11 Reason #4: built-in eDiscovery and Information Governance tools
• eDiscovery tools: – Identification – Preservation – Collection – Processing – Analysis
• Information Governance tools: – Retention and disposition – Compliance – Information Security
12 Background
13 Some history
14 Adoption of O365 is fast and furious
• 35% growth in commercial seats
• 50k small businesses adopt Office 365 every month
• 80% of Fortune 1000 have Office 365
• Office 365 is Microsoft’s fastest growing commercial product ever
• Office 365 eclipsed Salesforce.com as the most widely used cloud-based business application
• 100 million active commercial Office 365 users
15 Why do organizations move to Office 365?
• Cost and financial implications
– Fixed predictable pricing /$ per user per month – Operational vs. capital expense • Reduced burden on IT: easier to deploy and manage than on-prem
– Less infrastructure to integrate and manage – Basic patching, updates, server replacements handled by Microsoft – New features and functions rolled out automatically • Tools! Apps! Something for everyone to be more collaborative and productive
– Groups, Teams, Planner, StaffHub • Built to be deployed on multiple devices and available 24/7
– Mobile and cloud first! Microsoft’s mantra 16 Dynamics introduced by the move to O365
17 Dynamics introduced by moving to Office 365
• New content types
– Conversations and Chat-based communications with emoji, emoticons, Memes, Giphy, etc. – Planner – Sway • New storage locations
– OneDrive for Business – Office 365 Groups – Teams – Yammer • Change
– Persistent, continuous, and at high velocity • Lower bar to deployment
– Heavy IT integration and configuration is handled by Microsoft – Easier to deploy and consume features such as Instant Messaging, collaboration, Information Rights Management, etc. 18 Dynamics introduced by moving to Office 365: what ESI to move?
“Information Governance” “Information Forklift move? cleanup prior to move? Everything Governance” cleanup – Identify Redundant Obsolete and Trivial (“ROT”) data after move? • Not subject to legal hold – Move ESI into O365 then turn on • Not subject to legal, regulatory, or business retention policies • Develop criteria (age, author, duplicate, etc.) – Identify data subject to legal hold – Identify data subject to legal, regulatory, or business retention requirements (records, work in progress, etc.) – Document actions taken • Approval for disposition • What was disposed, when, by whom
19 19 Dynamics introduced by moving to Office 365: adoption
• Email is typically 100% adoption Server
– PSTs PST – Archive Archive
• OneDrive for Business adoption:
PC – Will we adopt? Documents – Will it become our corporate standard for user file Home OneDrive sharing? Share File Sharing – Will we migrate home share, My Documents? Service
Department • File shares to SharePoint Online document libraries Shares Public adoption Shares
– Will we adopt? Project Shares – Will SPO replace file server based file sharing? 20 – Will me migrate file shares to SPO? 20 Dynamics introduced by moving to Office 365: adoption
• Groups • Teams • Planner • Yammer • StaffHub • PowerBI
–*Adoption of these tools have IG implications
21 21 What is Office 365? What is Office 365?
• Suite of Services/Products – E-mail, Instant Messaging, Collaboration, File Sharing – Office (Word, Excel, PowerPoint, Access, etc.), Exchange, SharePoint, Skype for Business
• Cloud
– Quintessential example of cloud computing Cloud – Hardware, storage, backup and disaster recovery are handled by Microsoft
• Software as a Service (SaaS) – Individuals, companies, organizations subscribe to the service for a fixed monthly or annual fee
23 Elements of Office 365: The Periodic Table
icsh.pt/O365Table
24 Key elements of Office 365
Exchange Online SharePoint Online Yammer Built-In Information -Email -Collaboration: Team Sites -Enterprise social media: “Facebook for the Governance Tools corporation” -Calendar -Intranet/portals -Retention and disposition -Groups and communities -Contacts -Blogs/wikis -Compliance -Application development -Posts: free-text entries, comments, -Tasks conversations -Information Security -Enterprise Content Management -Notes Unique -Upload files (Word, Excel, etc.) -Document libraries -Journal ESI Unique -Polls, praise -Enterprise file sharing: OneDrive for ESI NOT -Exchange Public Folders NOT -Like, share, unlike foundBusiness in & document libraries found in user’s user’s mailbox mailbox
Skype for Business “Mashups” Office ProPlus Built-In eDiscovery Applications and tools that are cross-platform -Word Tools -Instant Messaging (IM chats) and/or built from the ground upSubject in Office to365 eDiscovery -Excel -Identification -Voice (call logs) --Groups tools? -PowerPoint -Preservation -Online meetings -Planner -Outlook -Collection -Presence -Teams -OneNote -Analytics Install -Access -Processing Unique on up to -Publisher ESI NOT 15 found in devices! user’s mailbox
25 Key elements of Office 365: OneDrive for Business
• What is it?
– Individual file storage tool that competes with DropBox, Box, GoogleDrive – Potentially replace “My Documents” and home-share on file server – Technically it’s a SharePoint site – Access via the web or local copy on user’s device Work with files on local • eDiscovery and IG implications device…
– ESI stored in OneDrive for Business is subject to eDiscovery tools – ESI stored in OneDrive for Business is subject to Information Governance tools – Centralized repository reduces need to collect from desktop, laptop, tablet • FYI
– There is OneDrive for Business AND “OneDrive” consumer – OneDrive consumer – Consumer oriented service
– Provided with certain Office and Office 365 subscriptions …but your files are ALSO stored in the cloud Cloud 26 Key elements of Office 365: “Groups”
• What is it?
– Collaboration tool – Each has a: – Mailbox – Stores messages and conversations – SharePoint document library – Calendar – OneNote • eDiscovery and IG implications
– ESI stored in a Group is subject to eDiscovery tools – ESI stored in a Group is subject to Information Governance tools – Centralized repository reduces need to collect from file shares (group, dept., project, etc.) • Why are they of interest?
– Individuals can enable and invite others – Upload and create Office files – Participate in conversations – Emails – Calendar (SEPARATE FROM EXCHANGE!)
27 Key elements of Office 365: Planner
• What is it? • Collaboration tool • Each has a: • Mailbox • Stores messages and conversations • SharePoint document library • Calendar • OneNote • Also includes “Planner” or “Plan,” a Microsoft Project “lite” (very) • eDiscovery and IG implications • ESI stored in a Group is subject to eDiscovery tools • ESI stored in a Group is subject to Information Governance tools • Centralized repository reduces need to collect from file shares (group, dept., project, etc.) • Why are they of interest? • Individuals can enable and invite others • Upload and create Office files • Participate in conversations • Emails • Calendar (SEPARATE FROM EXCHANGE!)
28 Key elements of Office 365: Teams
• “Chat” oriented collaboration tool with heavy social media influence • Each “Team” has
– Chat – Files (SharePoint document library) – Calendar – Wiki • TeamChannels
– General team – Sub-channels to address specific topics • Desktop, web, mobile apps • Business, Enterprise, Education, NOT Government • Are they subject to eDiscovery tools?
– Yes BUT…
29 Key elements of Office 365: Yammer
• Private social network or “Facebook for the company”
– Internal – External access is optional • Employs concept of “Groups”
– Public or private (only group members see posts) – Department, project, community of interest • Features include:
– Inbox for messages – Post public or private messages – File post (upload) – “Like” posts – Announcements, Praise – Notes (free text) – Notifications – “Follow” people – User profile – Mobile app 30 Built for teamwork
Email and calendar with Exchange
Connect to people, content, and apps with SharePoint
Voice, video, and chat with Skype and Microsoft Teams
Network across the organization with Yammer
Co-author with Office 365 ProPlus
Office 365 Groups Cross-application group membership Microsoft 365 Teamwork: Where to Start a Conversation
Inner Loop Outer Loop Files Sites Content
SharePoint
Office 365 Groups 32 How does Office 365 work? How does Office 365 Work?
Backend infrastructure resides in Microsoft’s data centers Backup and disaster recovery controlled by Microsoft
Highly specialized hardware configured specifically for Office 365
34 How does Office 365 Work?
Unlike many SaaS applications, Office 365 has a robust locally installed “client” software component: Office
35 How does Office 365 Work?
Backend infrastructure hosted and operated Users connect to and consume resources via Subscribing company has control over certain by Microsoft in their data centers locally installed software and the web features, functions, and capabilities
36 SINGLE OFFICE 365 TENANT SPANNING MULTIPLE GEOS Contoso.onmicrosoft.com Available geos & services in Multi-Geo 25K Office 365 Users Home: NAM GLOBAL GEOS Satellite: EUR & AUS
Asia-Pacific Australia Canada European Union (EMEA) India1 Japan United Kingdom United States (North America) EUR 5K South Korea1 NAM 15K TO BE LAUNCHED France
AVAILABLE SERVICES • Exchange Online IN PREVIEW • OneDrive for Business IN PREVIEW AUS 5K • SharePoint Online IN DEVELOPMENT
1 India and South Korea Geos are currently only available for customers with licenses and billing addresses in those geos Security & Compliance Center Security & Compliance Center Overview
• “Portal” in Office 365 • Only certain users have access
– Global Administrators – Role Based Access Control (RBAC) – Out of the box and custom roles
– Audit trail of who was assigned what access, when, and by whom – Security trimmed (only see what you have access to) • 10 tabs organized around thematic areas
– Data Governance (retention & disposition) – Search and investigation (eDiscovery) – etc. • Dashboard
– Customize the “widgets” you want to appear
39 Information Governance Features in Office 365 Information Governance features in Office 365
– Retention and Disposition
– Retention Policies – Labels – Disposition Review – Event based retention – Data Loss Prevention (DLP) – Supervision – Preservation Lock – Azure Evidence Protection
41 Information Governance features: retention and disposition
• Retain data • Delete data • Data Governance (E3) • Across multiple O365 • Retention Policies locations • Labels • Single or multiple • Advanced Data policies Governance (E5) • Auto-classification via: • Manual or automatic • Labels classification • Retention policies
42 Data Governance: Retention Policies
• (E3): retain OR delete based on:
• Created • Last modified • (E5): auto-apply based on:
• Keywords • Sensitive information types • Apply to:
• Exchange • OneDrive for Business • SharePoint sites • O365 groups • Exchange public folders • Teams channel messages* • Teams chats* • Skype for Business* • Multiple policies allow for tailoring to department’s requirements • Maximum of 10 org-wide polices • Maximum of 1,000 include/exclude policies (1,000 mailboxes and 100 sites max)
* Auto-apply currently not available 43 Data Governance: Labels
• (E3): apply labels manually and to folders and libraries
• Apply manually • retain OR delete OR label • Retain-delete based on
• Created • Last modified • Date of labeling • (E5): auto-apply labels
• Keywords • Exchange, SharePoint, OneDrive for Business, Groups
• Sensitive information types • SharePoint, OneDrive for Business
• (E5): disposition reviews (next slide) • Labels appear in:
• OWA, Outlook 2010 or later, OneDrive, SharePoint, O365 Groups • NOTE: labels can be applied to folders, document sets, and document libraries
44 Data Governance: Disposition Review
• Requires E5 license • Disposition review options:
• Apply different label • Extend retention period • Permanently delete item • Based on labels • Includes ESI in
• SharePoint • OneDrive for Business • O365 Group sites • Does NOT include Exchange, Skype, Exchange Public Folders, Group Mailboxes
45 Example framework
– Set framework for retention and Keep 5 years Exchange disposition as follows: – 1) Set a retention policy calling for
– Deletion of items 3 years after last modified OneDrive date Keep 5 years Keep 5 years – Users can delete items sooner if they want SharePoint – 2) Provide labels for user’s to Team Messages retain items for 5 years
– Can apply labels to folder, document library, Skype for Business individual items Team Chats – NOTE: labels not currently available in Teams, Skype for Business
46 NEW! Event driven retention and disposition
– Create categories of events
– Contracts – NDA – Create label and choose “an event” to base retention/deletion – Label items
– SharePoint, OneDrive include field for “Asset ID” – Create event to target items
47 NEW! Label Activity Explorer
– Requires E5 – How frequently a label is applied – Who applied label – Label changes – Export information
48 Retention and disposition alternatives
– Out-of-the-Box SharePoint Records Management
– In-Place vs. Records Center site – Managed Metadata Service, Content Types, Content Organizer, Policies, Document Sets – Lacks key features such as event based retention, physical records mgt., – Out-of-the Box PLUS 3rd Party Tool
– File plan management, auto-classification, event based retention, bulk disposition – Enterprise Content Management (ECM) or Enterprise Records Management (ERM)
– Centralized, integration with multiple repositories, physical records management
49 Data Loss Prevention (DLP)
– Detects sensitive data and information
– At-rest and in-motion
Conditions • If contains – Based on policy PII
– Educates users about sensitive data • Restrict Actions access – Reports for compliance, legal, and User • Contains information governance Notifications PII
User • Ok to send – Currently addresses: Overrides
– Exchange (more robust capabilities for email) Reports – SharePoint – OneDrive for Business
50 Supervision
– Monitor and review messages sent or received by identified users – Report on reviewed messages – Create lexicon and choose sampling % – Built-in review
51 Compliance: Preservation “Lock”
– Preserve ESI for a minimum period of time – No alteration or changes permitted to policy once its “locked” – Supports compliance with financial industry regulations
– SEC 17A-4 – FINRA 2210 (12-29) – FINRA 3012 – Activation via PowerShell
52 52 Azure Information Protection
– Cloud based information protection – Classification
– Manual or automatic – Label and marking – Information Rights Management (IRM) – Two major components:
– Administrator configuration – Client 53 Data Import
54 eDiscovery in Office 365 What types of ESI may be found in Office 365? ESI available for discovery in O365
Exchange Online SharePoint Online Teams Sway -Content creation tool -Email -Files of virtually any type (maximum -Chats (group and private) of 10 GB) -Calendar -Calendar -Content itself -Web pages, such as blogs/wikis -Contacts -Files (SharePoint Document Library) -Lists -Tasks -OneNote -App data -Notes -SharePoint Team Site -Journal *Exchange Public Folders
OneDrive for Skype for Business Groups and Planner Yammer -Messages Business -Instant Messaging (IM chats) -Conversations (emails) -Announcements -Files created using web apps (Word, -Voice call logs -Calendar -Notes PowerPoint, Excel) -Files (SharePoint Document Library) -Files -Files uploaded (maximum of 10 GB) -OneNote -Notifications -Files uploaded can be virtually any -SharePoint Team Site type ****Yammer can now have a Group -Planner
Subject to built- Not Subject to in tools built-in tools
57 History of O365’s eDiscovery tools
Office 365 available 3/2011
Exchange 2010 Exchange 2013 SharePoint 2013 Equivio Security & Exchange Control Exchange Admin SharePoint Acquisition Compliance Panel (ECP) Center (EAC) eDiscovery Center Center*
• January 2015 • Discovery Search • Introduce In-Place Hold • SharePoint and acquisition date • Built from ground up in Exchange content O365 • Discovery Mailbox • Improved indexing • Structured analytics • Case model • More scalable, faster • Litigation Hold • New search syntax • Technology Assisted exports (KQL) • Filtering Review
2011 February 2013 February 2013 December 2015 Q1 2016
• eDiscovery tools differ significantly between legacy and Security & Compliance Center Litigation • Underlying PowerShell cmdlets are different Hold In-Place Hold • Some organizations are still using “litigation hold” legacy cmdlets due to processes set up pre-Security & Compliance Center: -LitigationHoldEnabled $True 58 58 Legacy tools
Exchange Admin Center (EAC) SharePoint eDiscovery Center
59 In a nutshell: eDiscovery Features in Office 365
“Standard” eDiscovery (E3)
1. Search across one or more mailboxes, OneDrive for Business, SharePoint sites, O365 Groups, Teams – Keywords, proximity, date range, metadata
2. Preserve In-Place (hold) – No disruption to custodians—they don’t know they are on hold – No collect or copy to preserve – No journaling
3. “Preview” preserved content – Not a review tool!
4. Collect and export – Mailbox ESI PST or MSG – ODB and SharePoint ESI Native
60 Standard eDiscovery workflow
Options
Boolean, Proximity, Wildcard, date Exchange = range, metadata PST, MSG
Skype for Mailboxes Business SharePoint = Natives, .csv
SharePoint Exchange Sites Public Folders
OneDrive for Groups Business
Teams
61 In a nutshell: eDiscovery Features in Office 365
• “Advanced” eDiscovery (Equivio Zoom) (E5) – Advanced Analytics * • Near-duplicate detection Advanced eDiscovery E5 • Thread analysis • Predictive coding (“relevance”) • Themes
Advanced – Processing: export review-ready eDiscovery E5 load file • Includes native files • Metadata • HTML • Advanced analytic values
62 Advanced eDiscovery Workflow
Options Options
3. In-place 6. Advanced 7. Advanced 2. Assign hold on entire 4. Create 5. Preview eDiscovery 8. Export load- 9. Eyeballs on 1. Create case eDiscovery permissions source or content search search results Express ready data data Relevance scoped Analysis
Boolean, Proximity, Wildcard, date Themes Themes range, metadata
Skype for Mailboxes Near Near Business duplicate duplicate detention detention Exchange SharePoint Public Sites Folders Email Email threading threading
OneDrive for Groups Business Predictive Coding
Teams
E3 E5 Provider
Identification, Preservation, Collection Processing, Analysis Review, Production
63 What DOESN’T Office 365 eDiscovery do “out-of-the-box?”
• Legal hold notification and workflow
– Telling custodians they are on hold and tracking acknowledgements – Sending out questionnaires – Providing audit trail of when and who is on legal hold
• Does not identify, preserve, or collect ESI located outside of Office 365-for example:
– Desktop, laptop, tablet computers – File (network) shares – Smartphones
• “Full” eDiscovery processing
• Review
• Production
64 Enabling defensible legal hold: Recoverable Items Folder
• Users do not have access to the recoverable items folder
• eDiscovery search and hold does have access
• Has its own quota of 100 gig (if legal hold enabled)
• Can view via MFCMAPI client
• Deletions
• Contains all items deleted from the Deleted Items folder. • This folder is “seen” by end users via “Recover Deleted Items” • Versions
• If hold in effect, contains original and modified copies of the deleted items • Purges
• If hold OR SIR in effect contains all items that are “purged” (“dumpster” deleted/triple deleted) • Audits
• If mailbox logging is enabled, contains mailbox audit entries • DiscoveryHolds
• If “scoped” hold in effect this is where purged items go • Calendar Logging
• Contains calendar changes that occur within a mailbox
65 Enabling Defensible Legal Hold: Preservation Hold Library
• A “preservation hold library” is created the first time a SharePoint site is put under hold. • Users can continue to work on content without disruption • Content on hold-including web pages, documents, lists, and other items are preserved as needed (if user edits an item it prompts preservation) • Users don’t see the preservation hold library • To preserve all versions of content in a site versioning must be enabled
66 eDiscovery permissions
– eDiscovery Administrator
– Can see all cases – Can create new cases Assign to – Can assign cases to self or eDiscovery outside managers counsel and – eDiscovery Manager service provider – Can see own cases or those assigned to *Does not him/her require a – Can create new cases license – Can assign other eDiscovery Manager to their cases – Permissions filtering
– Restrict the mailboxes and sites an eDiscovery Manager can access – May use recipient fields to limit (country, department, title, custom, etc.) https://support.office.com/en-us/article/Assign-eDiscovery-permissions-in-the-Office-365-Security-Compliance- Center-5b9a067b-9d2e-4aa5-bb33-99d8c0d0b5d7?ui=en-US&rs=en-US&ad=US 67 Permissions Filtering (Scoping eDiscovery Manager Access)
• eDiscovery Administrators and Managers by default can search all mailboxes, SharePoint sites, Groups, Teams, etc. • Restrict eDiscovery Manager to searching:
– Subset of mailboxes AND sites – Content that meets specific search criteria (i.e., must contain word “Microsoft”) • Recipient filter
– City, Company, Country Code, Custom Attribute, etc. (https://technet.microsoft.com/library/bb738157(EXCHG.150).aspx) • Searchable message property filter • Managed via PowerShell (requires Organization Management membership) • Requires connecting to BOTH Exchange Online and SCC • Applies to inactive mailboxes • Does NOT apply to Exchange Public Folders
68 eDiscovery Permissions
Compliance eDiscovery Manager Organization Role Reviewer Administrator & Administrator Management Case Management Lets users create, edit, delete, and control access to eDiscovery cases in the Security & Compliance Center. For more information, see Manage eDiscovery cases in the Office 365 Security & Compliance Center. As previously explained, a user must be assigned the Case Management role before you can use the Add-eDiscoveryCaseAdmin cmdlet to make them an X X X eDiscovery Administrator. Compliance Search Lets users run the Content Search tool in the Security & Compliance Center to search mailboxes and public folders, SharePoint Online sites, OneDrive for Business sites, Skype for Business conversations, Office 365 Groups, and Microsoft Teams. This role allows a user to get an estimate of the search results, but additional roles are needed to perform actions such as previewing, exporting, or deleting search results. X X X For more information about Content Search, see Run a Content Search in the Office 365 Security & Compliance Center. Export Lets users export the results of a Content Search to a local computer. It also lets them prepare search results for analysis in Advanced eDiscovery. For more information about exporting search results, see Export search results from the Office 365 Security & Compliance Center. X Hold Lets users place content in mailboxes, public folders, sites, Skype for Business conversations, and Office 365 groups on hold. When content is on hold, content owners will still be able to modify or delete the original content, but the content will be preserved until the hold is removed or until the hold duration expires. For more information about holds, see: X X X Manage eDiscovery cases in the Office 365 Security & Compliance Center Overview of retention policies Preview Lets users view a list of items that were returned from a Content Search. They’ll also be able to open and view each item from the list to view its contents. X Review Let's users see and open the list of the cases on the eDiscovery page in the Security & Compliance Center that they are members of. They can't perform any other case management tasks. X X RMS Decrypt Let's users decrypt RMS-encrypted email messages when exporting search results or preparing search results for analysis in Advanced eDiscovery. For more information about decrypting search results during export, see Export search results from the Office 365 Security & Compliance Center. X Search And Purge Lets users perform bulk removal of data matching the criteria of a content search. For more information, see Search for and delete email messages in your Office 365 organization. X 69 Versions: copy-on-write
70 File Formats Indexed by Exchange Search in Office 365
Email message .eml Graphics Interchange Format .gif JPEG .jpeg Microsoft Excel .xls, .xlt, .xlsx, .xlsm, .xlb, .xlc, .xlsb Excel File odbcexcel Microsoft InfoPath .infopathml Microsoft Office Binder .obt, obd Items Not Indexed Include… Microsoft PowerPoint .pptx, .pptm, .ppt, .ppsx, .ppsm, .pps, .ppam, .potm, .pot, .potx Microsoft Publisher .pub AVI .avi Microsoft Word .doc, .docm, .dotx, .dotm, .dot, .docx Microsoft XML Paper Specification .xps Bitmap .bmp OneNote .one MP3 .mp3 OpenDocument Presentation .odp MPEG .mpeg OpenDocument Spreadsheet .ods PNG .png OpenDocument Text .odt Outlook Item .msg Microsoft Portable Document Format .pdf Windows Rich Text .rtf .wav Text .txt Wave vCalendar .vcs Audio vCard .vcf Visio .vdw, .vsd, .vss, .vst, .vsx, .vtx, .vssx, .vssm, .vsdm, .vstx, .vstm, .vdx Web archive .mhtml Web page .html XML document .xml ZIP archive .zip 71 File Formats Indexed by SharePoint in Office 365
72 Security & Compliance Center Search Metrics
https://support.office.com/en-us/article/Run-a-Content-Search-in-the-Office-365-Security-Compliance-Center-61852fd9-fe8a-4880-a339- cb19ed3bff4a?ui=en-US&rs=en-US&ad=US#moreinfo 73 Limits: eDiscovery cases & holds
74 Estimated vs. actual eDiscovery search results
• Estimate search results are different than the search results generated when an export is created • Live index (O365) vs. processed or journaled ESI • What causes the differences?
– Estimated search results are based on the retrieval of email message IDs – Export search results are based on retrieval of the actual email messages – Changes that occur between time when estimate search is run versus export search – Unindexed items – Exporting results of a Content Search that includes all content locations – Raw file formats versus exported file formats – Document versions (for SharePoint, not included in estimate) – De-duplication https://support.office.com/en-us/article/Differences-between-estimated-and-actual-eDiscovery-search- results-in-Office-365-8f20ca4f-a908-46ec-99e6-9890d269ecf2
75 Security & Compliance Center Exports
• You can export a maximum of 2TB from a single Content Search
• Maximum size of PST export is 10 GB (can be modified via registry setting on target computer)
• Max of 10 simultaneous exports
– Max of 3 per user • Max of 2TB per day per tenant
• RMS encrypted items (email only)
– To decrypt must export as individual (.MSG) messages – Will NOT decrypted RMS protected attachments—only the email • Office 365 encrypted items located inside of Inbox are NOTE decrypted
• Reports
– Export Summary; content sources searched, estimated and actuals for search results and downloads – Manifest: XML load file – ResultLog: spreadsheet with information about each item downloaded – Message location in mailbox
– Sent or received date of message
– Subject line from message
– Sender and recipients
– URL for document
– URL for site collection from which document came Export: https://support.office.com/en-US/article/Export-Content-Search-results-
– Date document was last modified from-the-Office-365-Security-Compliance-Center-ed48d448-3714-4c42-85f5-
– Name of the document 10f75f6a4278 Change PST size: https://support.office.com/en-US/article/Use-Content-Search-to- search-the-mailbox-and-OneDrive-for-Business-site-for-a-list-of-users-5f4f8206- 76 2d6a-4cb2-bbc6-7a0698703cc0 Security & Compliance Center Exports: best practices
• Increase download speed
– https://support.office.com/en-US/article/Increase-the- download-speed-when-exporting-eDiscovery-search-results- from-Office-365-c4c8f689-9d52-4e80-ae4b-1411ee9efc43 • Launch and manage exports on separate machine
– Located in optimized network segment for bandwidth, minimal latency to internet – Run 24 x 7 uninterrupted • Multiple “export” accounts: single user able to launch 10 simultaneous exports • Microsoft asserts exports run faster in bulk
– Create an export job of 22 mailboxes NOT 22 separate export jobs (one per mailbox)
77 Limitations and Caveats (Security & Compliance Center)
Description of Limit Limit https://support.office.com/en-US/article/Limits-for-Content-Search-in-the-Office-365-Security-Compliance-Center-78fe3147-1979-4c41-83bb-aeccf244368d Maximum # of mailboxes searched in a single search: Unlimited Maximum # simultaneous searches Unlimited Maximum # of items per user mailbox presented in Preview 100 Maximum # of items from all user mailboxes presented in Preview 1,000 (Newest items) Maximum # of user mailboxes presented in Preview 1,000 (Mailboxes with most search results ) Maximum # of items from any given SharePoint site and ODB presented in 200 (Newest items) Preview Maximum # of sites that can be presented in Preview 200 (Sites with most search results) Maximum # of items per Exchange Public Folder presented in Preview 100 Maximum # of items found in all Exchange Public Folders presented in 200 Preview Maximum # of Exchange Public Folders presented in Preview 500 (Mailboxes with most search results)
78 Limitations and Caveats (Security & Compliance Center)
Description of Limit Limit Maximum # of keywords in search 500 Maximum number of variants returned when using a prefix wildcard to search for an exact phrase in a 10,000 keyword search query of when using a prefix wildcard and the NEAR OR ONEAR Boolean operator Maximum # of characters for the search query (including operators and conditions) for a Content Search Mailboxes=10,000; Sites=4,000 when searching all sites OR 2,000 when searching up to 20 sites Minimum # of variants returned when using a prefix wildcard to search for an exact phrase in a search 10,000 query or when using a prefix wildcard and the NEAR or ONEAR Boolean operator Minimum # of alpha characters for prefix wildcards 3
79 Preview
• File types that can be previewed
– txt, html, mhtml – eml – doc, docx, docm – pptm, pptx – pdf • Contain file types: can view list of files in the container
– zip – gzip
80 De-duplication
– E-mail de-duplication based on hash value calculated using:
• InternetMessageId This property specifies the Internet message identifier of an email message, which is a globally unique identifier that refers to a specific version of a specific message. This ID is generated by the sender's email client program or host email system that sends the message. If a person sends a message to more than one recipient, the Internet message ID will be the same for each instance of the same message. Subsequent revisions to the original message will receive a different message identifier.
• ConversationTopic This property specifies the subject of the conversation thread of a message. The value of the ConversationTopic property is the string that describes the overall topic of the conversation. A conservation consists of an initial message and all messages sent in reply to the initial message. Messages within the same conversation have the same value for the ConversationTopic property. The value of this property is typically the Subject line from the initial message that spawned the conversation.
• BodyTagInfo This is an internal Exchange store property. The value of this property is calculated by checking various attributes in the body of the message. This property is used to identify differences in the body of messages. • If values for two or more of above are the same the message is deemed duplicate • ****Messages a user edits but doesn’t send are identified erroneously as duplicates
– https://support.office.com/en-us/article/De-duplication-in-eDiscovery-search-results-5af334b6-a15d-4f73-97f8-1423457d9f6b?ui=en-US&rs=en- US&ad=US
81 De-duplication
82 Unindexed Items
• Certain email attachments • Certain files uploaded to SharePoint, OneDrive for Business, and other repositories within Indexing limit Maximum value Maximum attachment size (excluding 150 MB O365 Excel files) • Examples of unindexed items Maximum size of Excel files 4 MB – Image files (TIFF, non-search PDF, etc.) Maximum number of attachments 250 – CAD, CAM Maximum attachment depth 30 – Large Excel files (4 MB+) Maximum number of attached images 0 – Encrypted Maximum time spent parsing an item 30 seconds 2 million – Password protected Maximum parser output characters – File formats that can’t be indexed such as Bitmap, MP3 Maximum annotation tokens 2 million • “If the search that your exporting results from was a search of specific content 67 million Maximum body size in index locations or all content locations in your organization, only the unindexed items from characters content locations that contain items that match the search criteria will be exported…to export unindexed items from all content locations for a search, configure the search to Maximum unique tokens in body 1 million return all items (by removing any keywords from the search query) and then export only unindexed items when you export the search results…” • If you create a query based hold, ALL unindexed items are placed on hold
83 Unindexed items
Exchange SharePoint, OneDrive
84 Office 365 Resources support.office.com
https://support.office.com/en-us/article/Security-and-Compliance-in-Office-365-for-business-Admin-Help-7fe448f7-49bd-4d3e-919d-0a6d1cf675bb?ui=en-US&rs=en- 86 US&ad=US docs.Microsoft.com
https://docs.microsoft.com/en-us/MicrosoftTeams/teams-overview
87 TechNet
https://technet.microsoft.com/en-us/library/dn532171.aspx
88 Trust Center
https://products.office.com/en-us/business/office-365-trust-center-cloud-computing-security
89 Excellent Reference
http://store.exchangeserverpro.com
90 Video blog
https://www.youtube.com/playlist?list=PLXPr7gfUMmKwn422HmCx7b7D5qh9T6frb 91 Roadmap
https://products.office.com/en-us/business/office-365-roadmap
92 Microsoft Ignite
• Annual conference • 20k+ attendees • Major product announcements • Roadmaps • eDiscovery sessions with Microsoft experts, including E.J. Bastien and Rachi Messing – Reduce legal fees and gain insight into your data leveraging Office 365 Advanced eDiscovery – How Microsoft Legal drives down eDiscovery costs with machine learning in Office 365 – Quickly find what’s relevant and reduce risk with intelligent eDiscovery in Office 365 To access free recorded sessions go to: https://www.microsoft.com/en-us/ignite/default.aspx
93 White papers
https://www.microsoft.com/itshowcase/Article/Content/ https://www.dtiglobal.com/resources/article/office-365-primer-ediscovery- 843/Office-365-meets-evolving-eDiscovery-challenges-in- professionals/ 94 a-cloudfirst-world