Legal Hold
Preserve content in place, preventing deletion or modification. Legal holds ensure evidence is protected for litigation, regulatory investigations, and compliance requirements. Content Search provides the foundation for identifying and collecting content subject to holds.
Note: Content Search is available with Microsoft 365 E3 and above. eDiscovery (Premium) features require E5 or eDiscovery add-on licensing.
Hold Locations
Exchange Mailboxes
- Primary and archive mailboxes
- Recoverable Items folder
- Calendar, contacts, tasks
SharePoint Sites
- Document libraries
- Site pages
- Versions of documents
OneDrive Accounts
- All user files
- Synced content
- Shared files
Teams Content
- Channel messages (via group site)
- Chat messages (via user mailbox)
- Shared files
Query-Based Holds
Place holds on content matching specific criteria rather than entire mailboxes. Use KQL queries to define scope. Reduces over-preservation and storage costs.
KQL Query Examples
| Query | Purpose |
|---|---|
project AND confidential | Keyword search for project-related confidential content |
"quarterly report" | Exact phrase search |
from:john@contoso.com AND subject:"budget" | Property-based search by sender and subject |
sent:2024-01-01..2024-03-31 | Date range search |
filetype:xlsx AND filename:budget | File type and name search |
project* AND 202* | Wildcard search |
Common Search Properties
| Property | Description | Example |
|---|---|---|
from: | Email sender | from:user@domain.com |
to: | Email recipient | to:legal@domain.com |
subject: | Email subject line | subject:contract |
sent: | Date email was sent | sent>=2024-01-01 |
received: | Date email was received | received<=2024-12-31 |
hasattachment: | Has attachments | hasattachment:true |
filename: | File name | filename:report.pdf |
author: | Document author | author:"John Smith" |
Creating a Legal Hold
- Create or open an eDiscovery case
- Navigate to the Holds tab
- Select locations (mailboxes, sites) to place on hold
- Optionally define KQL query to narrow scope
- Name and describe the hold for tracking
Hold Notifications (Premium)
Send legal hold notices to custodians with automated tracking:
- Initial hold notification — With acknowledgment tracking
- Reminder notices — On configurable schedule for non-acknowledgment
- Release notices — When hold is removed
- Escalation notices — For non-acknowledgment after reminders
Common Use Cases
| Use Case | Description |
|---|---|
| Legal Hold / Litigation | Identify and preserve documents relevant to legal matters. Export for legal review and production. |
| Data Subject Request (GDPR) | Find all content associated with a specific individual for access, rectification, or deletion requests. |
| Internal Investigation | Search for evidence of policy violations, misconduct, or inappropriate communications. |
| Departed Employee | Retrieve and preserve content from users who have left the organization. |
Managing Holds
- Monitor hold status — Verify holds are active and applied correctly
- Modify scope — Add or remove locations as investigation evolves
- Release holds — Remove holds when legal obligation ends to allow normal deletion
Warning: Always coordinate with legal counsel before creating or releasing holds. Premature release could result in spoliation of evidence.
Export Options
| Option | Description |
|---|---|
| All Items | Export all items matching search criteria for full data collection |
| Indexed Items Only | Export only searchable items, excludes unindexed content |
| Unindexed Items Only | Export items that could not be indexed (encrypted, corrupted, unsupported) |
| De-duplicated | Remove duplicate items. One copy per unique message across mailboxes |
Best Practices
- Place holds early — Once litigation is anticipated, place holds immediately to preserve evidence
- Use query-based holds — Narrow holds to relevant content to avoid over-preservation costs
- Track acknowledgments — Ensure custodians acknowledge hold notifications
- Release holds when matter closes — Remove holds after legal obligation ends to allow normal deletion
- Document everything — Maintain records of hold creation, scope changes, and releases for defensibility
- Narrow your search scope — Start with specific locations and date ranges to reduce results
- Preview before exporting — Review sample results to verify query accuracy before full export
API Reference
GET /api/compliance/content-search— List all content searchesPOST /api/compliance/content-search— Create a new content searchPOST /api/compliance/content-search/:id/run— Start search executionGET /api/compliance/content-search/:id/results— Get search results and statisticsPOST /api/compliance/content-search/:id/export— Export search resultsGET /api/compliance/ediscovery/cases/:id/holds— List holds in a casePOST /api/compliance/ediscovery/cases/:id/holds— Create legal hold
Last updated on