Creating a Hold Report for Purview eDiscovery Cases

Posted on by Tony Redmond

Replicating the Hold Report Microsoft plans to Introduce in January 2024

On 8 December, Microsoft published message center notification MC696859 to announce the preview of a tenant wide hold report for eDiscovery (Premium). This change is covered by Microsoft 365 roadmap item 93268. Preview will begin in mid-December and is expected to finish by mid-January 2024.

The report includes information about all the hold policies for eDiscovery cases (standard and premium) and will be available under the Reports tab in the eDiscovery Premium section of the Purview compliance portal. Microsoft’s report will cover holds set by eDiscovery standard and premium cases. The report lists all locations that are part of any hold policies within the tenant (whether the hold policy is turned on or off).

There’s no reports available for eDiscovery standard, and that’s likely the reason why Microsoft choose to reveal the report in the eDiscovery premium section.

Creating the Hold Report with PowerShell

I’ve been down the path of reporting compliance policies before and thought that it would be a good idea to replicate the report that Microsoft plans to deliver using PowerShell compliance cmdlets. Once Microsoft releases their version of the hold report, I’ll review what it contains and consider if any changes to the script code are necessary. Some of the information available to Microsoft through internal interfaces might be inaccessible via PowerShell, so some of the features they build into their version might be unique.

The structure of the script is straightforward:

  • Connect to the compliance endpoint with Connect-IPPSession.
  • Run the Get-ComplianceCase cmdlet to create arrays of standard and premium cases. Deliberately, the script ignores data subject requests (DSRs), which show up as standard eDiscovery cases. If necessary, it would be easy to add these cases to the mix by running Get-ComplianceCase -CaseType DSR.
  • A case is a container for the objects (like holds) that combine together to allow investigators to manage eDiscovery cases. The next step is to find the holds, which we do by running the Get-CaseHoldPolicy cmdlet.
  • Extract the information about the case holds and report the data.

Premium and standard cases have the same basic structure. The difference between the two is the level of sophistication built on the structure. As an example of what the script does, here’s the processing for standard cases:

$Report = [System.Collections.Generic.List[Object]]::new()
[int]$i = 0
Write-Host "Processing standard cases"
ForEach ($Case in $Cases) {
    $i++
    Write-Host ("Processing case {0} ({1}/{2})" -f $Case.Name, $i, $Cases.Count)
    [array]$CaseHolds = Get-CaseHoldPolicy -Case $Case.Identity -DistributionDetail
    If ($CaseHolds) {
        ForEach ($CaseHold in $CaseHolds) {
            $CaseData = [PSCustomObject][Ordered]@{
                Name            = $CaseHold.Name
                Workload        = $CaseHold.Workload
                Enabled         = $CaseHold.Enabled
                Mode            = $CaseHold.Mode
                Exchange        = $CaseHold.ExchangeLocation
                SharePoint      = $CaseHold.SharePointLocation
                PublicFolders   = $CaseHold.PublicFolderLocation
                LastUpdate      = $Rule.LastStatusUpdateTime
                CaseType        = 'Standard'
            }
            $Report.Add($CaseData)
      }
   }
}

Figure 1 shows the output. As noted above, I might refresh the code when I see what Microsoft delivers.

Results of an eDiscovery hold report created with PowerShell.
Figure 1: Results of an eDiscovery hold report created with PowerShell

You can download the script from GitHub. As always, this code is to illustrate a principal rather than being a full solution. It needs better error handling and should generate a report in a more accessible fashion than a CSV file and the Out-GridView cmdlet. The PSWriteHTML module or a simple HTML file might be useful options here.

Navigating Compliance Holds

EDiscovery is one of the better areas of Microsoft Purview when it comes to PowerShell support. I suspect that this is because Exchange Server has supported holds since Exchange 2010. For whatever reason, the cmdlets are available and that’s why we have a hold report, which is nice.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.