I have listened to many providers and even some expert peers proclaim that M365 content search does not comply with FRCP 26(G) requirements. In my perspective they are right AND wrong. M365’s default business index (ambient) prioritizes productivity over completeness. Microsoft clearly documents the wide range of ‘partially indexed items’ resulting from item size, complexity and parsing time limits. Relying on the ambient index for content (search term) vs. context (location & metadata) based collections raises risks. Provider volume pricing creates incentives to just ‘pump and dump’ custodians and SPOD sites for processing and hosting. Microsoft implemented ‘Advanced Indexing’ for Premium (E5 license) customers to reprocess the partially indexed items and provides export options for QC. See my Purview eDiscovery E3 v. E5 page for license comparison.
What is Advanced Indexing and what triggers it?
When you add custodians/data sources, promote to review or export items in a Premium Purview eDiscovery matter (E5 license) the system automatically reindexes any partially indexed or errored items. It also runs OCR on images and creates indexing reports (dashboard and CSV). You can limit the reindexing to locations with existing search hits or all locations searched.
Ambient (E3) vs. Advanced (E5) index Search
Context searches (location and metadata) on in place items are identical. This supports broad custodial or location legal holds that may be refined by dates, participants, extensions or subject/file names with reasonable reliability (validate in your tenant). Content searches for terms, phrases or Boolean combinations can be used against the ambient index for investigations, scoping and QC. E3 custodians or sites with E3 members will NOT be reindexed for more reliable content searches. Items promoted to Purview Review Sets WILL be reindexed, have additional metadata and retrieve cloud attachments for export. That draws a pretty clear line between when you can use content criteria. There are add-on SKUs that will enable this functionality for custodians (all site group members required), but managing license promotions against legal holds is complicated.
Strategic workflow considerations
“Preserve broadly, collect selectively” has been the dominant eDiscovery strategy for the last decade. I have had to build metrics demonstrating the minimal impact of holds on tenant storage costs for clients recently. Immature retention and information governance practices contribute far more to storage costs than most legal holds. That being said, the pressure is on to adopt the Microsoft eDiscovery lifecycle that invests up front is defensible scoping for selective holds. The Purview eDiscovery architecture is not designed to export giant perpetual custodial mailboxes and OneDrives packed with meeting recordings. Items promoted to Review Sets create new copies in Azure, which takes time and Microsoft will eventually start charging for the storage. Depending on the request parameters and potential risk, I usually recommend broad in-place holds and prioritizing selective collections to get counsel the highest value items up front. This works with clear volume caps, short SLA times and iterative search/exports to keep counsel fed as they use their favorite platform and AI to meet the request.
Hidden Gotchas
- External platform integrations that use the Graph APIs may NOT understand the license level of targets or trigger the Advanced Indexing. Integrations such as RelativityOne that create the searches, holds and exports within Purview should trigger the reindexing or stage as a Review Set. Remember that reindexing is a process that takes time and the logs should be checked before relying on a remote system.
- As mentioned above, all Teams and SharePoint members of a site must be E5 licensed to trigger the Advanced Indexing. This may require extra steps in the scoping process.
- Teams conversations are extracted as individual message atoms for E3 targets. If Teams conversations are in scope, upgrade to E5.
- The Purview E3 (basic) audit log has a default 90 day window. That is usually too fast by the time a problem has been spotted that requires the logs to untangle. I can make an argument for log shipping or scheduled reports to build a defensible tracking system, but Premium extends the default to 1 year.
- There are automated workflows to upgrade/downgrade custodians using M365 groups. However, there are potential issues with retention versioning and other premium features that can come back to bite you. Safe to say that ‘promote on hold’ is complicated and requires extensive validation testing to avoid pitfalls.
Greg Buckles wants your feedback, questions or project inquiries at Greg@eDJGroupInc.com. Reach out for a free 15 minute ‘Good Karma’ call if he has availability. He solves problems and creates eDiscovery solutions for enterprise and law firm clients.
Greg’s blog perspectives are personal opinions and should not be interpreted as a professional judgment or advice. Greg is no longer an investigative journalist and all perspectives are based on best public information. Blog content is neither approved nor reviewed by any providers prior to being published. Do you want to share your own perspective? Greg is looking for practical, professional informative perspectives free of marketing fluff, hidden agendas or personal/product bias. Outside blogs will clearly indicate the author, company and any relevant affiliations.
Greg’s latest nature, art and diving photographs on Instagram.
