Microsoft 365 eDiscovery Guide for IT, Legal & HR

Learn how to run defensible Microsoft 365 eDiscovery cases, manage holds, search and export data, and align Slack workflows with legal, IT and HR needs.

If your business faces a lawsuit, HR issue, investigation, or audit, you’ll need to find relevant digital data. This is called eDiscovery, and it’s the process of producing and preserving digital evidence related to what people said or did inside your company’s systems – including communication tools like Microsoft 365.

Between email, Teams, SharePoint, and OneDrive, Microsoft 365 often sits at the center of eDiscovery campaigns, with Microsoft Teams eDiscovery now just as important as traditional email searches. The catch is that matters rarely stay inside one system. A harassment complaint might involve Teams and Slack DMs, while a trade secret talk could span email and cloud storage. Without guidance, searches can seem overwhelming. Studies show that the top issue for teams dealing with eDiscovery is “increasing the different types of data.”

This Microsoft Office 365 eDiscovery guide explains how to run defensible searches and how to handle data from other workplace comms tools, like Slack. It’s written as practical eDiscovery for IT, eDiscovery for legal teams, and eDiscovery for HR, so each group can clearly see their role in the process.

Core eDiscovery Concepts in Microsoft 365

First up in our Microsoft Office 365 eDiscovery guide: core concepts you need to know.

  • Custodians: Every eDiscovery matter starts with identifying custodians – the people whose data you need to preserve or search.
  • Locations: Each custodian is tied to multiple data locations. For example, their Outlook mailbox, Teams chats and channel messages, SharePoint sites they belong to, and their OneDrive files.
  • Retentions vs. legal holds: Retention policies control how long content is kept or deleted as part of normal lifecycle management. Legal holds require that information or data be retained while an investigation is pending. When both policies are in place, legal holds typically override retention.
  • Standard vs. Premium eDiscovery: Microsoft has its own internal eDiscovery solutions. With Standard, you get capabilities such as search and export, case management, and legal hold. With Premium, you also get advanced controls like custodian management, advanced indexing, review set filtering, and analytics. 

The Microsoft 365 eDiscovery Toolkit

The Microsoft Purview discovery compliance portal is your home base for eDiscovery in Microsoft 365, whether you’re handling a quick inquiry or full-scale litigation. 

There are three different plan options available. Content search is the most basic tool, and it allows you to search for content across Microsoft 365 data sources and export the results.

The other two options are Standard and Premium.

Standard (previously called Core eDiscovery) gives you essential eDiscovery tools most teams need:

  • Search for content stored in Microsoft mailboxes and sites.
  • Keyword queries and search conditions to narrow searches to match criteria. 
  • Export search results to your computer. 
  • Role-based permissions, to control which users can perform what eDiscovery tasks. 
  • Legal holds for content locations to preserve data related to your investigation.

Premium (previously called Advanced eDiscovery) provides more sophisticated features, such as:

  • Review sets, which are secure, Microsoft-provided Azure Storage locations in the Microsoft cloud. When you add data to a review set, it’s copied to the new location, and becomes a place where you can search, filter, tag, analyze, and predict relevancy.
  • Analytics features to analyze documents. You can detect duplicates, review threaded email messages, and assign documents by theme.
  • Tagging (when volume/complexity demands it), which helps you cull non-relevant content, and spot things that are relevant.

For routine issues with a manageable number of custodians, Standard is typically enough. When matters grow larger, involve overlapping custodians, or require deeper filtering before export, Premium becomes the more defensible and scalable option.

Running an eDiscovery Case in Microsoft 365

Want to run an eDiscovery case in Microsoft 365? Start by confirming roles and permissions between IT, legal, and HR. IT might control access to the Purview portal, while legal and HR need the ability to place holds, run searches, and review results.

Then, create a case in the Purview portal and add the people who will work on it. Each participant’s access should match their responsibility: legal reviewers may only need to search and export, while IT may handle holds and location scoping.

Next, identify scope: which users (custodians) are involved, which Teams they’re part of, and which sites they use. Timeframe scoping is also important to narrow the window to where the issue occurred, reduce noise, and speed up your search. 

Holds, Search, and Review – The Practical eDiscovery Workflow

The first operational step in any Microsoft 365 eDiscovery matter is placing legal holds on relevant mailboxes/Teams/sites. This locks content in place, ensuring key data isn’t deleted or moved.

Once holds are active, build targeted searches to focus your results. Start with the basics: related keywords, a tight date range, and known participants.

Lastly, use Microsoft 365’s quick review tools to skim the data and cull excess. This isn’t a full document review: it’s an earlier step that validates scope and avoids exporting unnecessary items. When the matter is large or requires structured review, teams often move data into a dedicated platform like Relativity, Everlaw, or another eDiscovery system. These tools are built for deep review that is targeted and compliant, and can handle scale and complexity that Microsoft 365 isn’t optimized for.

Exporting Data from Microsoft 365

Once your search is complete, Microsoft 365 gives you a few standard export options, such as PSTs. Purview also includes load-ready metadata – CSV or JSON files that describe items, timestamps, participants, and source locations.

A defensible export also depends on a visible chain of custody. Purview’s audit logs record who placed holds, who ran searches, who generated exports, and the timestamps for each action. As long as you avoid ad-hoc manipulation of the exported data, the combination of audit logs and native metadata provides a clean, traceable record.

If you’re working with outside counsel or eDiscovery service providers, make exports easy to ingest. Clean scoping and untouched metadata reduce processing time and cut confusion. Most review platforms are built to ingest Microsoft 365’s default output with minimal prep.

Where Slack Fits Next to Microsoft 365

Even when eDiscovery starts in Microsoft 365, Slack often becomes part of the picture, and you’ll need a Slack eDiscovery process to keep everything aligned. Why? Many matters involve both platforms, like HR issues, leaks, and sensitive chats. 

While Slack’s data might be important to your eDiscovery process, its export model complicates things. Slack exports arrive as a ZIP of nested JSON files, which can be overwhelming and nearly impossible to review without outside tools.

Here’s an eDiscovery playbook you can use for Slack exports:

  1. Request an export from Slack based on your plan level (exports can be executed by Workspace Owners/Admins, Org Owners/Admins, and those in an Export Admin system role).
  2. Load the export into a Slack viewer/search tool, such as ViewExport, to make the data readable and searchable.
  3. Export a scoped dataset (e.g. CSV) that can be passed into your primary eDiscovery platform alongside your Microsoft 365 data.

This simple process keeps Slack aligned with the rest of your search, and ensures results are organized, defensible, and ready for easy downstream review. 
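The third playbook step, combined with the chain-of-custody point from the export section, as an added example (not code from Slack, ViewExport, or this guide): it fingerprints the export ZIP before reading it, then flattens the per-channel daily JSON files into a CSV limited to named custodians and a date window. The ZIP is a constructed sample, and the function names and CSV columns are assumptions.

```python
import csv, hashlib, io, json, zipfile
from datetime import datetime, timezone

def build_sample_export() -> bytes:
    """Constructed stand-in for a Slack export ZIP (not real data)."""
    files = {
        "users.json": [{"id": "U1", "name": "alice"}, {"id": "U2", "name": "bob"}],
        "general/2024-03-01.json": [
            {"user": "U1", "ts": "1709287200.000100", "text": "pricing draft attached"},
            {"user": "U2", "ts": "1709290800.000200", "text": "lunch?"}],
        "general/2024-04-15.json": [
            {"user": "U1", "ts": "1713175200.000300", "text": "later thread"}],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, payload in files.items():
            z.writestr(path, json.dumps(payload))
    return buf.getvalue()

def scope_export(zip_bytes, custodians, start, end):
    """Return (SHA-256 of the source ZIP, CSV text) for custodians' messages in [start, end)."""
    digest = hashlib.sha256(zip_bytes).hexdigest()  # fingerprint the evidence before parsing it
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["channel", "source_file", "slack_ts", "ts_utc", "user", "text"])
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = {u["id"]: u.get("name", u["id"]) for u in json.loads(z.read("users.json"))}
        for path in sorted(z.namelist()):
            if "/" not in path or not path.endswith(".json"):
                continue  # top-level files are metadata, not messages
            channel = path.split("/", 1)[0]
            for m in json.loads(z.read(path)):
                user = names.get(m.get("user"), m.get("user") or "")
                when = datetime.fromtimestamp(int(m["ts"].split(".")[0]), tz=timezone.utc)
                if user in custodians and start <= when < end:
                    # keep the raw ts and source file so each row traces back to the export
                    w.writerow([channel, path, m["ts"], when.isoformat(), user, m.get("text", "")])
    return digest, out.getvalue()

if __name__ == "__main__":
    march = (datetime(2024, 3, 1, tzinfo=timezone.utc), datetime(2024, 4, 1, tzinfo=timezone.utc))
    sha, rows = scope_export(build_sample_export(), {"alice"}, *march)
    print("source sha256:", sha)
    print(rows, end="")
```

Record the returned digest in the case file next to the scoping parameters, so the CSV handed to the review platform can be tied back to one unmodified export.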

Common Mistakes (and How to Avoid Them)

Microsoft 365 eDiscovery might seem straightforward enough, but there are common pitfalls that can quickly complicate things.

Typical mistakes include:

Over-collecting in Microsoft 365 and drowning reviewers

Casting a wide search net usually does more harm than good. Research shows that workers spend an average of 20 hours a week using digital communication tools, which results in a flood of data. Collection that’s too broad will sweep up tons of irrelevant (and non-compliant) information, while burying what you actually need.

Missing key locations

Many matters hinge on places people forget to check: Teams private channels, shared mailboxes, and small SharePoint sites. Always map custodians to every location they touch, not just the obvious ones.

Treating Slack as an afterthought until a production deadline hits

Teams often focus on Microsoft 365, only to discover that the meat of what they need happened in Slack. Slack’s JSON export format isn’t review-ready, so last-minute work creates delays and defensibility risks. The solution? Pull Slack into the workflow early, and process it the same way you do Microsoft 365.

Poor documentation of holds, searches, and exports

If you can’t show how you preserved and collected data, your eDiscovery search can fall apart. Document who placed holds, who ran which searches, and who exported what. Purview captures much of this automatically, but you still need a clear internal record.

Bringing It All Together

This Microsoft Office 365 eDiscovery guide gives you a structured way to preserve, search, and export key data for investigations and disputes that involve email, Teams messages, SharePoint content, and OneDrive files. In practice, that means planning for Microsoft Teams, SharePoint eDiscovery, and OneDrive eDiscovery alongside your Exchange email collections.

While these workflows are straightforward, modern investigations rarely stay in one system. Slack and other collaboration tools run in parallel to Microsoft 365, not inside it, which means they require their own documented eDiscovery workflows.

Teams that plan for both Microsoft 365 and Slack up front move faster when it comes to subpoenas, HR issues, and internal investigations – and deal with much less risk. A clear, repeatable process across both ecosystems is what turns a scramble into a reliable response.

Next Steps for Your eDiscovery Team

If your next matter is likely to include Slack data alongside Microsoft 365, don’t wait until a subpoena lands on your desk to figure out your Slack workflow. Microsoft 365 already gives you a clear, repeatable process; Slack requires the same level of structure. Create an export and search process with a secure, dedicated Slack export viewer like ViewExport, so when legal or HR comes calling, you can get to the right conversations in minutes – not days.

Set up your Slack export workflow with ViewExport now, so the next time Microsoft 365 and Slack are both in scope for a matter, you already know exactly how you’ll find, filter, and produce the right conversations.