eDiscovery, within Microsoft 365 or any other platform, is a massive topic. In discussions with multiple organizations it is evident that the need for it exists but that only a few people understand it. That is understandable: it is a specialised feature that most end users never touch.
Those who will use these features need training, and IT needs to support them in creating and managing cases. Luckily, if you like scripting processes as I do, PowerShell provides the commands you need. There are two ways to achieve this: the Security and Compliance PowerShell cmdlets or the Microsoft Graph PowerShell cmdlets.
The Two Different Types of Connecting
Either approach requires importing a PowerShell module:
```powershell
# Import Exchange Online Management and connect to Security & Compliance PowerShell
Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName user@domain.onmicrosoft.com
```

```powershell
# Import Microsoft Graph and connect
Install-Module Microsoft.Graph
Import-Module Microsoft.Graph
# The Compliance eDiscovery cmdlets are in the beta profile (Microsoft.Graph SDK v1)
Select-MgProfile -Name "beta"
Connect-MgGraph -Scopes "Policy.Read.All", "eDiscovery.ReadWrite.All", "Application.Read.All"
```
Each option creates a connection to Microsoft 365 ready for using the specific eDiscovery commands.
How to Create an eDiscovery Case Using Security and Compliance PowerShell Commands
There are eight core PowerShell commands for creating and managing eDiscovery cases. They are:
- New-ComplianceCase
- New-CaseHoldRule
- New-CaseHoldPolicy
- Add-ComplianceCaseMember
- Add-eDiscoveryCaseAdmin
- Set-CaseHoldPolicy
- Set-CaseHoldRule
- Set-ComplianceCase
To create a Core eDiscovery Case, we can use the “New-ComplianceCase” command.
```powershell
$casename = "Project Adele Litigation"
$case = New-ComplianceCase `
    -Name $casename
```
If you want to create the eDiscovery case directly within the Advanced eDiscovery tool, you must add another parameter.
```powershell
$casename = "Project Adele Litigation"
$case = New-ComplianceCase `
    -Name $casename `
    -CaseType AdvancedEdiscovery
```
After saving the case, we can create a legal hold for specific content.
```powershell
$holdname = "Project Adele Litigation Hold"
$holdpolicy = New-CaseHoldPolicy `
    -Name $holdname `
    -Case $casename `
    -ExchangeLocation "Adele Vance" `
    -SharePointLocation "https://m365x.sharepoint.com/sites/finance"
```
We then add a hold rule to the existing hold policy to filter as needed.
```powershell
$rulename = "Project Adele Litigation Spreadsheet Hold Rule"
$holdrule = New-CaseHoldRule `
    -Name $rulename `
    -Policy $holdpolicy `
    -ContentMatchQuery "filename:2021 filetype:xlsx"
```
Next, we create a content search for the case, based either on the held content or on a more comprehensive query. The search object is kept in a variable so that it can be started and exported later.
```powershell
$searchname = "Project Adele Litigation Spreadsheet Hold Content Search"
$search = New-ComplianceSearch `
    -Name $searchname `
    -Case $casename `
    -HoldNames "All"
```
Now we can start the content search.
```powershell
Start-ComplianceSearch `
    -Identity $search.Identity
```
Lastly, after the search has completed and the content has been reviewed, we can export it as a zip file as required.
```powershell
New-ComplianceSearchAction `
    -SearchName $search.Name `
    -Export
```
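The steps above run as one function in the following added example, which is not code from the original post. Start-ComplianceSearch is asynchronous, so the example polls Get-ComplianceSearch for a Status of Completed before requesting the export; the case, hold and search names and the locations are constructed sample values.

```powershell
# Added example: Core eDiscovery case, hold, search and export in one function.
# Assumes an existing Connect-IPPSSession session. All names are constructed samples.
function Invoke-CoreEdiscoveryCase {
    param(
        [Parameter(Mandatory)][string]$CaseName,
        [Parameter(Mandatory)][string[]]$ExchangeLocation,
        [Parameter(Mandatory)][string[]]$SharePointLocation,
        [string]$ContentMatchQuery = 'filename:2021 filetype:xlsx',
        [int]$TimeoutMinutes = 30
    )

    # 1. Case, hold policy and hold rule, as in the post
    $case = New-ComplianceCase -Name $CaseName
    $policy = New-CaseHoldPolicy -Name "$CaseName Hold" -Case $case.Name `
        -ExchangeLocation $ExchangeLocation -SharePointLocation $SharePointLocation
    New-CaseHoldRule -Name "$CaseName Hold Rule" -Policy $policy.Name `
        -ContentMatchQuery $ContentMatchQuery | Out-Null

    # 2. Search everything the hold covers, then start the search (asynchronous)
    $search = New-ComplianceSearch -Name "$CaseName Search" -Case $case.Name -HoldNames 'All'
    Start-ComplianceSearch -Identity $search.Identity

    # 3. Poll until the search reports Completed; exporting earlier returns nothing useful
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $status = (Get-ComplianceSearch -Identity $search.Identity).Status
    } while ($status -ne 'Completed' -and (Get-Date) -lt $deadline)
    if ($status -ne 'Completed') {
        throw "Search '$($search.Name)' did not complete within $TimeoutMinutes minutes (status: $status)"
    }

    # 4. Request the export and return the action so the caller can
    #    track it afterwards with Get-ComplianceSearchAction
    New-ComplianceSearchAction -SearchName $search.Name -Export
}

# Usage (constructed sample values)
Invoke-CoreEdiscoveryCase -CaseName 'Project Adele Litigation' `
    -ExchangeLocation 'Adele Vance' `
    -SharePointLocation 'https://m365x.sharepoint.com/sites/finance'
```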
How to Create an Advanced eDiscovery Case Using the Microsoft Graph PowerShell Commands
NOTE: These commands create Advanced eDiscovery cases. I will also not cover every command required, as eDiscovery cases, actions, sources, and processes differ for each organization.
There are many core PowerShell commands for creating and managing eDiscovery cases when using the Microsoft Graph PowerShell commands. They are:
- New-MgComplianceEdiscoveryCase
- New-MgComplianceEdiscoveryCaseLegalHold
- New-MgComplianceEdiscoveryCaseCustodian
- New-MgComplianceEdiscoveryCaseCustodianSiteSource
- New-MgComplianceEdiscoveryCaseCustodianUserSource
- New-MgComplianceEdiscoveryCaseLegalHoldSiteSource
- New-MgComplianceEdiscoveryCaseLegalHoldUserSource
- New-MgComplianceEdiscoveryCaseSourceCollection
- New-MgComplianceEdiscoveryCaseSourceCollectionCustodianSourceByRef
- New-MgComplianceEdiscoveryCaseReviewSet
- New-MgComplianceEdiscoveryCaseReviewSetQuery
To create an Advanced eDiscovery Case, we can use the “New-MgComplianceEdiscoveryCase” command.
```powershell
$casename = "Project Adele Litigation"
$case = New-MgComplianceEdiscoveryCase `
    -DisplayName $casename
```
After saving the case, we can provide the custodians, data sources, and legal holds for specific content.
```powershell
# Custodian and the custodian's site and mailbox sources
$custodian = New-MgComplianceEdiscoveryCaseCustodian `
    -CaseId $case.Id `
    -Email "adelev@m365x.onmicrosoft.com"
$custodiansite = New-MgComplianceEdiscoveryCaseCustodianSiteSource `
    -CaseId $case.Id `
    -CustodianId $custodian.Id `
    -Site @{ WebUrl = "https://m365x.sharepoint.com/sites/contosobrand" }
$custodianuser = New-MgComplianceEdiscoveryCaseCustodianUserSource `
    -CaseId $case.Id `
    -CustodianId $custodian.Id `
    -Email "adelev@m365x.onmicrosoft.com" `
    -IncludedSources "mailbox,site"

# Legal hold with a site source and a user (mailbox) source
$holdname = "Project Adele Litigation Graph Hold"
$hold = New-MgComplianceEdiscoveryCaseLegalHold `
    -DisplayName $holdname `
    -CaseId $case.Id
$sitehold = New-MgComplianceEdiscoveryCaseLegalHoldSiteSource `
    -CaseId $case.Id `
    -LegalHoldId $hold.Id `
    -Site @{ WebUrl = "https://m365x.sharepoint.com/sites/contosobrand" }
$userhold = New-MgComplianceEdiscoveryCaseLegalHoldUserSource `
    -CaseId $case.Id `
    -LegalHoldId $hold.Id `
    -Email "adelev@m365x.onmicrosoft.com" `
    -IncludedSources "mailbox"
```
Next, if required, we can create Collections and Review Sets of the content placed on Legal Hold. The final task is to export the content, similar to the Core eDiscovery process.
```powershell
# Example collection and review set creation
$collectionname = "Project Adele Litigation Graph Collection"
$collection = New-MgComplianceEdiscoveryCaseSourceCollection `
    -CaseId $case.Id `
    -DisplayName $collectionname `
    -DataSourceScopes "allCaseCustodians"
$reviewsetname = "Project Adele Litigation Graph Review Set"
$reviewset = New-MgComplianceEdiscoveryCaseReviewSet `
    -CaseId $case.Id `
    -DisplayName $reviewsetname
$reviewsetqueryname = "Project Adele Litigation Graph Review Set Query"
$reviewsetquery = New-MgComplianceEdiscoveryCaseReviewSetQuery `
    -CaseId $case.Id `
    -ReviewSetId $reviewset.Id `
    -DisplayName $reviewsetqueryname `
    -Query "filename:2021 filetype:xlsx"
```
As you can see, PowerShell is powerful for creating all aspects of an eDiscovery case. My only criticism is that to understand the format of the parameters, you need to read lots and lots of documentation and then test it directly with the Graph Explorer, which helps you visualize the property values and know what some of the values need to be.