Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2017-11-19 19:00:00. Format, images and links may no longer function correctly.

Several months back I wrote a very careful piece detailing some potential errors or unexplained behavior seen with clients using Office 365’s Compliance Center (E3 license level) to apply holds and export search results. I was careful not to ring the ‘O365 is broken’ bell without full explanation and giving Microsoft the chance to debug the behavior. I have been a product manager and had to put out reputation fires sparked by well-meaning customers who fundamentally misunderstood the system or with unstable data/infrastructure. Luckily for me, we had redundant data repositories and although it would have been nice to shift to O365 for some things, it was not required. That meant we wanted to get to the bottom of the behavior, but it was not high client priority. The first line tech support did their best, but really could not understand why we cared about result sets that did not match up exactly. A friend in Redmond caught wind of things and got the tickets escalated. I would love to say that I was 100% sure that we understood the source of all the search behavior, but I do have a much better appreciation for the recent changes to the Office 365 search architecture and data sources. I covered some of the information dump in my recent RelativityFest 2017 blog and I wanted to circle back on the actual search/export issues.

Let’s start with export/productions from the Compliance Center. My interpretation is that all of the real development for large scale retrieval has been focused on the Advanced eDiscovery functionality (E5 level customers) as opposed to the lowly E3 customers on the Compliance Center. Remember that is my opinion, not any statement from Microsoft. The export of SharePoint results from Compliance Center continues to be unusable for my clients due to the minimal metadata, changes in names and other issues. I was assured that the Advanced eDiscovery load files and results meet expected industry standards. They are busy unifying the storage of new O365 data sources like Yammer, Skype, etc. for full preservation and export capabilities.

The big warning here is that unless the Microsoft team has moved faster than expected, large Compliance Center exports to PST can fail without throwing an error. We only experienced this when exporting the entire mailboxes of 5+ custodians, but I confirmed the behavior with several service providers. Whether it is your connectivity or O365’s memory issue, don’t close a session prematurely and check your results. We did not see items dropped from complete PSTs, just the PST creation process crashing before completion. Microsoft has no real interest in enabling you to export full mailboxes anyway. Their eDiscovery strategy is that you will migrate it to the Advanced eDiscovery tool for ECA or just use search criteria for selective retrieval. So that explains our truncated exports, but not the search result differences.

In rerunning the same searches with a fixed date range we saw results that did not match (increasing and decreasing). This is a standard validation test for any system and it did educate us in how many moving parts there are in a global cloud repository. The decreasing numbers were our key concern, obviously. Microsoft has a couple tech notes that try to explain changing search results, but our tests had accounted for the known issues. The first potential source was that whole mailbox searches may retrieve system items and internal mailbox logs that are not put on hold or exported. The second possible cause was attributed to draft items. These are not preserved via the hold mechanism, but they do show up as search results. So you might get hits on draft items that would vanish when the item was deleted or sent (thus changing the date). I know that the Microsoft team is working to get the tech notes and documentation updated and I will bet that first line tech support has a lot more information available.
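The validation test described above, as an added example that is not from the original post: two runs of the same search are compared by item identity rather than by total count, so a drop is not hidden by new hits. The field names, the `kind` labels and the sample rows are assumptions constructed for illustration, not the Compliance Center report schema.

```python
from collections import namedtuple

# One row per search hit. Field names and "kind" labels are assumptions made
# for this example; map them from whatever your result report provides.
Hit = namedtuple("Hit", "item_id kind")  # kind: "mail", "draft" or "system"

# Constructed sample data: the same query and date range, run twice.
RUN_1 = [Hit("A1", "mail"), Hit("A2", "mail"), Hit("A3", "draft"),
         Hit("A4", "system"), Hit("A5", "mail")]
RUN_2 = [Hit("A1", "mail"), Hit("A2", "mail"), Hit("A6", "mail"),
         Hit("A7", "mail"), Hit("A8", "mail")]

# Kinds the post gives as known sources of changing results: draft items and
# system items / internal mailbox logs.
EXPLAINABLE = {"draft", "system"}


def compare_runs(first, second):
    """Diff two runs by item identity, not by total count."""
    before = {h.item_id: h for h in first}
    after = {h.item_id: h for h in second}
    dropped = [before[i] for i in sorted(before.keys() - after.keys())]
    return {
        "net_change": len(after) - len(before),
        "added": sorted(after.keys() - before.keys()),
        "explainable_drops": [h.item_id for h in dropped
                              if h.kind in EXPLAINABLE],
        "unexplained_drops": [h.item_id for h in dropped
                              if h.kind not in EXPLAINABLE],
    }


if __name__ == "__main__":
    for key, value in compare_runs(RUN_1, RUN_2).items():
        print(f"{key}: {value}")
```

In the sample the totals match across runs while three items have disappeared, one of them with no known explanation; that last list is what to take to support.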

The only other important hold search item that came to light was why entire mailboxes would be put on hold. The hold search process has a character limit that includes all of the target paths. When that character limit is exceeded, the system defaults to placing the entire targets (mailboxes/SP sites) under hold instead of trying to execute searches that might eat up index servers and kill performance across the system. It is a conservative solution to deliver results without crashing the system, but I can see scenarios where it may cause over-preservation of key executive custodians. Because the limit includes target information that we do not have access to, it is not possible to give you ‘best practice’ guidance on breaking up large hold searches. I do recommend that you get a report of all mailboxes that are on mailbox level legal hold if that is not part of your preservation strategy. More information as I get it and ALWAYS verify things with Microsoft and every other tech provider in this agile development world.

Greg Buckles wants your feedback, questions or project inquiries at Greg@eDJGroupInc.com. Contact him directly for a free 15 minute ‘Good Karma’ call. He solves problems and creates eDiscovery solutions for enterprise and law firm clients. His active research topics include analytics, mobile device discovery, the discovery impact of the cloud, Microsoft’s Office 365/2013 eDiscovery Center and multi-matter discovery. Recent consulting engagements include managing preservation during enterprise migrations, legacy tape eliminations, retention enablement and many more.

Greg’s blog perspectives are personal opinions and should not be interpreted as a professional judgment. Greg is no longer a journalist and all perspectives are based on best public information. Blog content is neither approved nor reviewed by any providers prior to being posted. Do you want to share your own perspective? eDJ Group is looking for practical, professional informative perspectives free of marketing fluff, hidden agendas or personal/product bias. Outside blogs will clearly indicate the author, company and any relevant affiliations.

Below the fold:

Thank you to everyone for the kind wishes and condolences at the loss of my 17-year-old Vizsla companion last month. He was a truly special dog with more fans than I have. We started our long-term search for another companion to keep me company in my home office and go running every day. The universe laughed at our ‘sometime next year’ plans and we adopted Beau yesterday. Meet the latest family member.
