Getting Started with Purview

Many IT and legal executives ask their discovery teams, “Why not just use Microsoft?” After all, Microsoft 365 contains the vast majority of enterprise content and communications for large enterprise litigants. The acquisition-integration of Equivio gave Purview eDiscovery checked most of the functionality boxes, even if it was not designed for large scale, complex review.

While many eDiscovery peers may disagree, I feel that Purview eDiscovery is a vital component of mature, defensible eDiscovery solutions for M365 customers. The key is understanding the M365 ecosystem and how Purview and the Graph API perform eDiscovery/Compliance related functions. An educated ‘trust but verify’ approach is critical to reducing the risk of using the system as designed and within its limitations.

So how to get started?

• Assess your current eDiscovery lifecycle – Build a data based model of your discovery profile to document your current metrics such as matter frequency, average custodians, volume per custodian, time/cost per matter stage, average volume reduction per stage, non-M365 data sources, external tech/service costs and special requirements such as forensics.
• Use the assessment to identify key pain points and opportunities to reduce time/cost/risk.
• Pick ONE stage of your lifecycle where Purview eDiscovery use may produce real ROI benefits. Generally this will be upstream in scoping, holds or collections. I have seen ‘eDiscovery make-overs’ fail spectacularly when they are too ambitious and change too many moving parts simultaneously.
• Pick ONE M365 ‘entity’ (user or M365 Group) and data source to focus your first Purview use case on. I recommend mailboxes because the architecture is stable. It was the first source that Purview tackled. M365 users have a mailbox and OneDrive container, while M365 Groups also have a SharePoint site container. Keep it as simple as possible on your first project goal. (Example: Put entire custodian mailboxes on hold and release them.)
• Even if you will be using a Microsoft partner platform to search, hold or collect you should test first with Purview to confirm expected behavior/results in the native system BEFORE you repeat that testing with your partner platform.
• Invest in understanding where and how M365 stores your target ESI. Are you searching in the hidden mailbox folders for compliance copies of chat messages? The basic M365 search only indexes mailbox and SharePoint stores. It has size and file type limits. Know your targets and system limits so that you can craft criteria appropriately.
• Hold targets placed by Purview eDiscovery Premium receive advanced indexing in the background that overcome many of those limitations, but you need to understand the target composition to judge search accuracy. For example, I have encountered engineering and development teams with specialty file types and encryption that made content searches questionable. You can export an item report of ‘partially indexed items without hits’ from a completed collection search to better understand what could not be indexed and why. I have seen issues with very large (50k+ items) reports timing out or being truncated, so limit the target locations or date ranges to get complete reports.
• Running comparison searches in Purview Standard and Purview Premium may help you understand the default search behavior vs. advanced indexing results.
• Document your test parameters, results and build your model of context fields (Author, date, name, location, etc.) and content (Boolean, file types, size, etc.) that give consistent, high confidence results on known sets of data. If you have recently done mass custodial collections that are hosted in an eDiscovery platform, these make excellent test sets.
• Create a plain language request guide or form for counsel to set expectations for target criteria and known limitations. Expand this for each new target source that you test and include in your default request scope. Counsel must understand known limitations to effectively approve target scope and criteria in a defensible process.
• Track the M365 Roadmap for changes that may impact your data sources or functionality. Schedule regular tests to confirm functionality and new content formats being created. Many partner platforms are migrating to the new Graph eDiscovery API as the beta cycle is ending. Remember to ‘trust but verify’ on M365 and partner updates!