Legal Holds: Data Preservations


Table of Contents

Introduction to data preservations

Users can create, track, and release Microsoft Purview holds on custodian data within Everlaw, and view these preservation-in-place objects alongside hold notices pertaining to the same matter.


To set up a Microsoft hold in Everlaw’s legal hold system, users will need to create a data preservation.  Each data preservation is defined by:

  • a set of services (such as Microsoft or Google), 
  • a set of custodians, 
  • a query (including optional dates and keywords), 
  • and a set of data sources within those services (such as Exchange mailbox).

The only service currently supported by Everlaw Legal Holds is Microsoft 365. Available data sources include Exchange Mailbox, including emails and private channel messages stored in that mailbox, and OneDrive site.

Permissions required for Microsoft data preservations

To leverage Microsoft data preservation, organizations must have access to Premium eDiscovery; see Microsoft’s documentation for a list of the licenses that include Premium eDiscovery.

The process of logging into Microsoft for the first time takes place at the beginning of the data preservation wizard, described in the section below. You will be prompted to log in to your organization as a particular user. The Microsoft holds created via Everlaw will be attributed to this Microsoft user account in Microsoft Purview.

You must select a Microsoft user account with eDiscovery Admin permissions. If you log in as a Microsoft user with eDiscovery Manager permissions only, you will still be able to create Microsoft cases and holds in Everlaw, but those cases may not be accessible by other eDiscovery Managers by default. (Permissions on these cases can be altered in Microsoft Purview but not in Everlaw.) If a different eDiscovery Manager account is used to log in at a later time, Everlaw will not be able to retrieve any updates about the holds created by the first user, and displayed information may be inaccurate.

Creating a new data preservation

There are two ways to create a new data preservation. First, you can click on the “+ New” button at the top right of the Legal Holds page and select “New data preservation” from the dropdown. From here, a dialog box will prompt you to enter a name for your data preservation and select the service(s) in which you want to create preservations. For now, Microsoft 365 is the only available service.


Second, you can also select the relevant custodians from the Directory tab, then click “Add to data preservation”. From there, you can select whether you want to add those custodians to an existing preservation or create a new data preservation. Selecting “New data preservation” will bring you to the same dialog box shown above.

After clicking Continue, a Microsoft popup will appear, prompting you to log in with your Microsoft credentials. As mentioned above, you must choose a Microsoft user account with eDiscovery Admin permissions.


After logging into Microsoft, select an existing Microsoft Purview case in which the holds will be created or create a new Microsoft Purview case. Each case can only contain one custodian preservation, so some cases will be disabled by default. You will be able to see this case, and the holds created later in this flow, in your Microsoft Purview account.


After selecting or creating a new Microsoft case, select custodians to include in the data preservation. You can select custodians from your directory, which will be shown here, or paste or upload a list of new custodians. If you came to the data preservation wizard via the directory page, the custodians you selected there will be preselected in the directory at this step.


Everlaw will automatically detect which of these custodians exist in your Microsoft organization. If any custodians are not detected in your Microsoft organization, you will see a warning page where you will be able to view a list of those custodians before proceeding with the preservation.

If any custodians exist in your Microsoft organization but have not yet been added to the Everlaw directory, you can automatically add them to the directory at this step. The directory entry will be populated with the custodian’s name, email, manager name, and manager email address. These properties will be pulled from your organization’s Microsoft Azure Active (Entra ID) Directory.


If any of the custodians in your organization have a Microsoft User Principal Name (UPN) that differs from their email address, we will still be able to identify that custodian and add them to the directory with the correct email address. However, we cannot guarantee that we will be able to identify all data sources associated with a particular user if their email address and UPNs do not match. We highly recommend ensuring that users’ email addresses and UPNs match before creating data preservations on those users.

Next, users can add an optional query, including a start and end date and keyword query. Keywords should follow Microsoft search syntax.

Users should also select the data sources on which the preservation should be placed. Currently, users can choose Exchange mailbox, including the custodian’s mailbox and private channel messages stored in that mailbox, and OneDrive site. To learn more about what these data sources entail, please see Microsoft’s documentation here


Finally, users will be taken to the following summary page, from which they can create the data preservation.


Once the data preservation has been created, a new Data Preservation card will appear on the Legal Holds tab, described in the following section.

Viewing a data preservation


The data preservation card displays all the high-level information about the data preservation object, including the total number of errored, pending, active, and released custodians; the data sources preserved; the date and keyword query, if any; and date of creation of the hold. 

Above the card, next to the “Data preservations” header, you will see a “Manage login” link. Clicking on the arrow next to the link will show you whether you’re logged into Microsoft, and if you are, which Microsoft user account you’re currently logged in to. You can also log out and log in to a different account from this dropdown.


Selecting the “View” button on the card will take you to that data preservation’s summary page. The status of many custodians is likely to be “Pending” at first as Microsoft Purview works its way through creating holds on each custodian.


You will need to press the “Sync with Microsoft 365” button in order to see the most recent status of the hold. Everlaw intentionally does not take automatic actions on behalf of that user, as the ability to do so consistently would require us to store user passwords in a decryptable format. As a result, Everlaw displays the status of the data preservation at the time of the most recent user-initiated sync.

After creation, Microsoft may take some time to set up the holds on each custodian, so it is possible (and likely) that many of your custodians will be pending for several minutes or more. If you press Sync right away and still see some custodians marked as Pending, it is likely that this is an accurate representation of the current state of the holds on those custodians. You will need to press Sync again later to see that the holds on those custodians were successfully created.

You can also check the status of your hold in Microsoft itself, as described in the section below.

To see the status of each data source belonging to each custodian in a table format, click on the Custodians tab. From here, you can also perform actions on subsets of custodians, including releasing active custodians, reactivating released custodians, or exporting reports.


Selecting a particular custodian in this table will bring up the same custodian side panel that is accessible anywhere else this custodian appears in Legal Holds, including in the directory and within a particular hold notice. The custodian side panel contains information about all hold objects to which the custodian belongs, including both hold notices and data preservations. You can page through the tabs at the top of the custodian side panel to see this custodian’s directory properties, the hold notices and data preservations this custodian is on, and any collected documents associated with this custodian.


To see all recorded activity on the data preservation, including custodian statuses (successful, pending, or errored) at each sync event, click on the Activity tab. From here, you can also see who performed each action, filter by date, and export a report of all activity.


Clicking on the eye icon in the “View details” column will provide a more detailed breakdown by custodian and data source for each event. This information is also included in the export.

Accessing your hold in Microsoft Purview

To see the status of the holds in Microsoft, you can click on the linked name below “Case”. In the example here, the Microsoft case is titled “Example Case”.


Clicking on “Example Case” will bring you to the Data Sources tab of the selected case in Microsoft Purview. All custodians placed on hold will be shown here. 


Within the Microsoft Purview environment, you can also select the Hold tab to see details of the newly created custodian hold. To verify that the query entered in Everlaw was added to the Microsoft hold, click on that hold, then select “Edit” to see the existing settings. However, it is important that you do not save any edits to an Everlaw-created hold in Microsoft. To preserve accurate hold status reporting in Everlaw, edits to an Everlaw-created hold should only be made in Everlaw.



Modifying the data preservation

You can modify a data preservation in Everlaw by adding custodians to the data preservation or by editing the query.

To edit the query, click the Edit button next to the Query header. 


To add custodians to the preservation, click the three-dot menu next to Release Custodians, then select Add More Custodians.


You can also add custodians from the directory tab. Select the custodians you want to add to the data preservation, then click “Add to data preservation”. From there, you can choose whether you want to create a new data preservation for these custodians or select an existing one.


There is no way to edit the data sources (Exchange mailbox, OneDrive site) associated with a hold while the hold is active. You can only edit the data sources if you fully release the hold and then recreate it with new data sources.

Releasing the data preservation

To release all custodians from a data preservation, click the “Release all custodians” button at the top right of the page.


After releasing, your hold and case will still exist in Microsoft, but the Hold column will now display False instead of True.


You can also release individual custodians from the Custodians tab by selecting the ones you want to release and clicking the “Release” button from there.


Finally, if you want to release all hold notices and data preservations in your database at once, you can do so from the database's main Legal Holds page. Simply click on the “Release all” button next to the “New” button at the top of the page.


After selecting “Release all”, you will see a dialog listing all holds from which custodians will be released. If desired, you will be able to draft a release notice for the included hold notices.


Reactivating the data preservation

Once your data preservation has been released, you can reactivate it by clicking on the “Reactivate all custodians” button at the top right of your data preservation. You will be taken to a short wizard that will allow you to modify the query and data sources associated with this data preservation. Just like for creation, releasing the hold in Microsoft will not be instantaneous, so the status of the released data preservation is likely to be Pending at first. You may need to press the Sync button later to see the data preservation status change to Released.


You can also reactivate individual custodians that have been released. To do so, select the released custodians you want to reactivate from the Custodians tab, then click the Reactivate button. If you reactivate custodians on a data preservation while other custodians are still active, you will not be able to modify the query during the reactivation process. This is because the query and data sources must match for all custodians in a particular data preservation.


Deleting the data preservation

We generally do not recommend deleting data preservations, as you will permanently lose the entire history and record of that preservation in Everlaw. Deletion should only be used for preservations created as a test or in error.

To delete a data preservation, the preservation must first be fully released in Microsoft. Once the preservation has been released, the Delete button in the three-dot menu will become active.


Deleting the data preservation in Everlaw will not delete the corresponding hold in Microsoft. To delete the released hold in Microsoft, you will need to delete the hold in Microsoft Purview itself.





Have more questions? Submit a request


Article is closed for comments.