How to enable, verify and test Litigation Hold in Office 365 – Step by Step

How to enable, verify and test Litigation Hold in Office 365 – Step by Step

In this blog post, I’ll demonstrate step by step how to enable, verify and test litigation hold in Office 365.  I’ll be focusing specifically on the Exchange Online workload.

  1.  Enabled Litigation Hold

You can enable litigation hold for a mailbox by running the following command from the Exchange Online shell (note:  steps to connect PowerShell to Exchange Online can be found here)

Set-Mailbox -identity o365test1@domain.ie -LitigationHoldEnabled $true

lit1

You can enable litigation hold for all users using the following command

Get-Mailbox -RecipientTypeDetails UserMailbox -Filter {PersistedCapabilities -eq “BPOS_S_Enterprise” -and LitigationHoldEnabled -ne $true}

If you want to automate the process, so that when new mailboxes are created they are automatically enabled for litigation hold, please see this blog from Vasil Michev.

2.  Verify Litigation Hold is enabled

To verify Litigation hold is enabled, run the following command

Get-Mailbox -identity o365test1@domain.ie |fl Identity, LitigationHold*

lit2

3.  How to test litigation hold

In the next steps we are going to delete an email so that it cannot be retrieved by the end users in Outlook, and then as an admin perform a search in the Office 365 portal to retrieve the email.

When a user deletes an item, it goes to the deleted items folder, where it can be recovered by the end user.

lit3

lit4

If the item is emptied / deleted from the “Deleted items” folder,

lit5

it goes into the “recoverable items”, where it can still be retrieved by the end user

Note:  14 days retention period for items removed from the Deleted Items folder, after which they cannot be retrieved by the end user. (Details here).

lit6

Once the item is removed from the Deleted Items folder (either automatically by Office 365 after 14 days, or manually by the end user choosing “Purge Selected Items”), it is no longer retrievable by the end user

lit7

If the mailbox is on litigation hold, the item can be retrieved by an Office 365 Administrator.  If the mailbox is not on litigation hold, the item cannot be retrieved.

Next, we will use Office 365 e-Discovery search to retrieve an item that has been deleted from the Delete Items folder, for a mailbox that is on litigation hold

Log into the Office 365 portal (https://portal.office.com) with an account that has a minimum of E-Discovery Manager permissions and navigate to the Security & Compliance admin centre

Note:  E-Discovery Manager permissions are set here

lit8

Navigate to the Security & Compliance admin centre

lit9

Navigate to Search & Investigation and choose “Content Search”

lit10

Choose “New Search”

lit11

Under Locations > Specific locations click Modify

lit12

For “Exchange Email”, select “Choose users”

lit13

Search for required user

lit14

In Keywords, add a “condition” to filter the search for specific details about the email to be retrieved.  Then click Save & Run

lit15

lit16

Enter a description for the Search

lit17

The results show the mail item to be retrieved

lit18

There are a few options here as to how the email item is recovered into the mailbox

  1. Export to EML file
  2. Export to PST file

 

Export to EML File

For single email items, you can choose “Download Original Item”.  This will allow you to save the email as an .EML file

lit19

The file can then be open on a client that has Outlook installed

lit20

lit21

And saved back into the mailbox using the “Move” option

lit22

lit23

Export to PST file

For recovery of many items, exporting to PST file might be a better option

From the results preview, choose More > Export Results

lit24

Choose export options and then select EXPORT

lit25

Click on the EXPORT tab, copy the export key, and then select “Download Results”

lit26

Click to install the Microsoft Office 365 eDiscovery Export Tool

lit27

Paste the export key and choose a download location, click start

lit28

lit29

When complete, a pst file is created

lit30

Finally, this can then be opened using outlook and / or imported into the mailbox

lit31

That’s all for now, hope you found it useful.

Leave a Reply

Your email address will not be published. Required fields are marked *