Manage holds in eDiscovery (preview)

You can use eDiscovery (preview) to create hold policies to preserve content that might be relevant to your cases. When you place content locations on hold, content is held until you release the hold in the case, remove a specific data location, or delete the hold policy entirely. You can place holds on data sources, including:

  • User mailboxes and OneDrive sites.
  • Microsoft Teams mailboxes and SharePoint and OneDrive sites
  • Microsoft 365 group mailboxes and SharePoint and OneDrive sites

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Hold policy dashboard

The Hold policies dashboard lists all the holds associated with a case. This dashboard allows you to create hold policies and displays information about hold policies in the case and allows you to filter and group the hold policies. The Hold policies dashboard contains the following information and controls:

  • Name: The name of the hold policy.
  • Created by: The user that created the hold policy.
  • Last modified: The date and time the hold policy was last modified. Select Time zone to switch between using local time and Coordinated Universal Time (UTC).
  • Hold policy Status: The current status of the hold policy.

Select a hold policy to view the details, data sources, and condition and KeyQL filters.

To customize the columns display on the Hold policies dashboard, select Customize columns to choose the columns to display or drag and drop the columns in the list to reorder. To search for a specific hold policy, enter a keyword in the Search field. To download the list of hold policies and the column information, select Download list to create a .csv file containing this information.

Hold policy states

The state of a hold is shown next to the hold name on the hold policy page. Hold policies have the following states:

  • Draft: Displayed when a new policy is created and hasn't been applied. Navigating away from the policy draft cancels the draft and all policy changes are lost.
  • On: The policy is applied and all locations in the policy are on hold. Select the Details tab to view location information.
  • Off: The policy is off for a previously applied hold. All included locations aren't on hold.
  • In progress: The hold policy is in the process of being applied or updated.
  • Pending deletion: The hold policy is in the process of being deleted.

Create a hold policy

To create a new hold policy, see Create holds in eDiscovery (preview).

Edit a hold policy

You can edit the hold policy name, description, or the policy details (data sources, condition filters, and KeyQL filters) as applicable.

To edit the hold policy name or description, complete the following steps:

  1. Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned eDiscovery permissions.
  2. Select the eDiscovery solution card and then select Cases (preview) in the left nav.
  3. Select a case, then select the Hold policies tab.
  4. On the Hold policies dashboard, select the hold policy you want to edit.
  5. Select the edit (pencil) icon next to the policy name.
  6. Update the policy name or description, then select Continue.

To edit a hold policy details, complete the following steps:

  1. Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned eDiscovery permissions.
  2. Select the eDiscovery solution card and then select Cases (preview) in the left nav.
  3. Select a case, then select the Hold policies tab.
  4. On the Hold policies dashboard, select the hold policy you want to edit.
  5. On the Hold policy page for the selected policy, select the Hold policy tab.
  6. Update data sources, condition filters, and KeyQL filters as applicable.
  7. Select Apply hold.

Retry a hold policy

Retry hold policy triggers the hold process to restamp all mailboxes/sites in the policy to enforce hold. You may also encounter errors while placing a hold on data sources. For a list of possible errors, see the Manage hold status errors section in this article.

To retry a hold policy, complete the following steps:

  1. Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned eDiscovery permissions.
  2. Select the eDiscovery solution card and then select Cases (preview) in the left nav.
  3. Select a case, then select the Hold policies tab.
  4. On the Hold policies dashboard, select the hold policy you want to retry.
  5. On the Hold policy page for the selected policy, select Policy actions > Retry policy.

Turn off a hold policy

Turning off a hold policy might result in the permanent deletion of any content currently being preserved. It doesn't affect content preserved by other hold policies.

To turn off a hold policy, complete the following steps:

  1. Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned eDiscovery permissions.
  2. Select the eDiscovery solution card and then select Cases (preview) in the left nav.
  3. Select a case, then select the Hold policies tab.
  4. On the Hold policies dashboard, select the hold policy you want to turn off.
  5. On the Hold policy page for the selected policy, select Policy actions > Turn off.

Turn on a hold policy

Policy edits are made and it doesn't affect content preserved by other hold policies.

To turn on a hold policy, complete the following steps:

  1. Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned eDiscovery permissions.
  2. Select the eDiscovery solution card and then select Cases (preview) in the left nav.
  3. Select a case, then select the Hold policies tab.
  4. On the Hold policies dashboard, select the hold policy you want to turn on.
  5. On the Hold policy page for the selected policy, select Policy actions > Turn on.

Delete a hold policy

Deleting a hold policy removes all associated holds and release all sites and mailboxes. This might result in permanent deletion of any content currently being preserved.

To delete a hold policy, complete the following steps:

  1. Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned eDiscovery permissions.
  2. Select the eDiscovery solution card and then select Cases (preview) in the left nav.
  3. Select a case, then select the Hold policies tab.
  4. On the Hold policies dashboard, select the hold policy you want to delete.
  5. On the Hold policy page for the selected policy, select Policy actions > Delete policy.
  6. On the Delete policy? dialog, select Yes, delete.

Manage hold status errors

You may encounter errors while placing a hold on data sources. The following table lists the errors that you may encounter and the recommended resolution.

Hold error types Description Resolution
Policy deployment interrupted A system error indicating a problem was encountered while applying the hold. Select Policy actions > Retry policy in the hold policy to retry the hold application.
Site inaccessible Indicates the SharePoint location associated with the requested hold request isn't accessible and may be read only. Contact your SharePoint site administrator to configure the site as writable and then select Policy actions > Retry policy in the hold policy to retry the hold application.
Site not found. Indicates the SharePoint location associated with the requested hold may have been moved, deleted, or the site URL may not exist. Check the site URL and confirm if the SharePoint site exists. Once confirmed, edit the data source for the site and then select Policy actions > Retry policy in the hold policy to retry the hold application.
Mailbox not found Indicates the mailbox associated with the requested hold isn't a valid mailbox. Verify the email address and check that it's a valid Exchange Online mailbox. Once confirmed, edit the data source for the mailbox and then select Policy actions > Retry policy in the hold policy to retry the hold application..
Distribution group has too many members Indicates the distribution group associated with the requested hold has more than 1,000 email addresses. Currently, a distribution group having more than 1,000 email addresses can't be expanded and placed on hold. Add the individual email addresses as data sources or split the distribution group into groups with less than 1,000 email addresses and then select Policy actions > Retry policy in the hold policy to retry the hold application..
Invalid email address or URL Indicates the location associated with the requested hold has an invalid email address or site URL. Specify a valid email address or URL that exists within your organization.

Place a hold on Microsoft Teams and Microsoft 365 groups

Microsoft Teams is built on Microsoft 365 groups. Therefore, placing them on hold in eDiscovery is similar. Keep the following things in mind when placing Microsoft 365 groups and Microsoft Teams on hold:

  • To place content located in Microsoft 365 groups and Microsoft Teams on hold, you have to specify the mailbox and SharePoint site that associated with a group or team.

  • Run the Get-UnifiedGroup cmdlet in Exchange Online to view properties for a Microsoft 365 group or Microsoft Team. This is a good way to get the URL for the site that's associated with a Microsoft 365 group or a Microsoft Team. For example, the following command displays selected properties for a Microsoft 365 group named Senior Leadership Team:

    Get-UnifiedGroup "Senior Leadership Team" | FL DisplayName,Alias,PrimarySmtpAddress,SharePointSiteUrl
    DisplayName            : Senior Leadership Team
    Alias                  : seniorleadershipteam
    PrimarySmtpAddress     : seniorleadershipteam@contoso.onmicrosoft.com
    SharePointSiteUrl      : https://contoso.sharepoint.com/sites/seniorleadershipteam
    

    Note

    To run the Get-UnifiedGroup cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.

  • When a user's mailbox is searched, any Microsoft 365 group or Microsoft Team that the user is a member of won't be searched. Similarly, when you place a Microsoft 365 group or Microsoft Team hold, only the group mailbox and group site are placed on hold; the mailboxes and OneDrive sites of group members aren't placed on hold unless you explicitly add them to a case or place their data sources hold. Therefore, if you need to place a Microsoft 365 group or Microsoft Team on hold for a specific user, consider mapping the group site and group mailbox to the user. If the Microsoft 365 group or Microsoft Team isn't attributable to a single user, consider adding the source to a hold.

  • To get a list of the members of a Microsoft 365 group or Microsoft Team, you can view the properties on the Home > Groups page in the Microsoft 365 admin center. Alternatively, you can run the following command in Exchange Online PowerShell:

    Get-UnifiedGroupLinks <group or team name> -LinkType Members | FL DisplayName,PrimarySmtpAddress
    

    Note

    To run the Get-UnifiedGroupLinks cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.

  • Channel conversations that are part of a Microsoft Teams channel are stored in the mailbox that's associated with the Team. Similarly, files that team members share in a channel are stored on the team's SharePoint site. Therefore, you have to place the Microsoft Team mailbox and SharePoint site on hold to retain conversations and files in a channel.

  • Alternatively, conversations that are part of the Chat list in Microsoft Teams are stored in the mailbox of the user's who participate in the chat. Files that a user shares in Chat conversations are stored in the OneDrive site of the user who shares the file. Therefore, you have to place the individual user mailboxes and OneDrive sites on hold to retain conversations and files in the Chat list.

  • Every Microsoft Team or team channel contains a Wiki for note-taking and collaboration. The Wiki content is automatically saved to a file with a .mht format. This file is stored in the Teams Wiki Data document library on the team's SharePoint site. You can place the content in the Wiki on hold by placing the team's SharePoint site on hold.

    Note

    The capability to retain Wiki content for a Microsoft Team or team channel (when you place the team's SharePoint site on hold) was released on June 22, 2017. If a team site is on hold, the Wiki content will be retained starting on that date. However, if a team site is on hold and the Wiki content was deleted before June 22, 2017, the Wiki content was not retained.

Additional resources