The Microsoft 365 Substrate is a core component of the Microsoft 365 platform, providing a unified data layer that enables compliance features across various services. It is important to understand the overall relationship between Entities, Apps, Services, Containers and the Objects that eDiscovery holds and requests target.
Diagram by Tony Snover and good description of Substrate by Tony Redmond.
Entities – Custodians in M365
Traditional discovery organizes ESI in the context of the people, systems or organizations that created, owned or managed that ESI. Purview eDiscovery holds, searches and collections use Custodians and Locations to define scope. Confusion frequently arises because practitioners are used to having to chase down and collect from individual cloud/enterprise applications. Microsoft conquered many of the architectural challenges of enterprise-wide search by creating the Substrate unified data layer (service) that constantly manages storage of app objects in just two containers, mailboxes and SharePoint databases.
Custodians can be users (people) or groups (resource identity). Either entity is provisioned with a mailbox and a SharePoint site. The user SharePoint site is their OneDrive. Entities can generate hidden mailboxes such as App mailboxes, Teams channel mailboxes, scheduling mailboxes, audit log mailboxes, inactive mailboxes and cloud mailboxes (guest/external users).
Substrate Compliance Copies
Instead of federating search to every possible application, Microsoft Substrate creates digital twins (compliance records) of objects extracted from the apps into the entity mailboxes and SPOD containers to enable centralized searches, preservation and management.
Compliance records are imperfect copies that many not have all associated properties/metadata. They may not have contextual information that resides in the source app, such as Teams chat reactions. The Purview eDiscovery (Premium) service may restore some of these properties when items are processed in a Review Set, but metadata from 3rd party Teams apps and other custom apps should be tested.
Most of these compliance records are stored in hidden folders that are inaccessible to users. That is one way that legal holds and App activities can consume mailbox/SPOD storage.
Entity – the key to scope
Finding active users (people) is relatively easy. Finding potential Teams channels, departmental sites, Yammer threads, etc. is much harder. The key is understanding that everything searchable is stored under M365 Group entities that your custodians are members of. There will be another doc exploring methods of mapping users, access and groups.
Microsoft 365 Group
Foundation for collaboration and user associations within the Office 365 environment. When you create a Microsoft 365 Group, it automatically generates several resources:
- A group mailbox and calendar
- A OneNote notebook
- A Planner workspace
- A SharePoint Team site
- Additionally, you can integrate Power Apps and connectors to enhance functionality.
Members within the group have equal permissions, except for the group owner who has additional privileges. You can include both internal and external users in a Microsoft 365 Group. When users create Teams in Microsoft Teams or Yammer groups, they essentially create Microsoft 365 Groups, allowing them to collaborate effectively. On the other hand, a Shared Mailbox is primarily for email management. It resembles a regular user mailbox, with folders and a calendar. It’s useful for scenarios where a team or department needs a central mailbox that multiple employees can access. Delegated access allows employees to view and respond to emails within the Shared Mailbox
