An Office 365 customer has several departments, each with its own eDiscovery team. Normally an organization would have a single centralized eDiscovery team. In this case we have a very specific set of requirements: all eDiscovery teams must be kept separate from one another, while a centralized IT Administration group is in charge of assigning permissions to the various eDiscovery teams. For this article, I will use Contoso, Inc as the organization. Contoso has 3 departments. The diagram below outlines Contoso's management structure.
Requirements were documented as follows:
To address these requirements we decided that the best course of action would be to leverage the SharePoint Online eDiscovery Center site template and create appropriate management scopes for each department. In addition to the department scopes, we also suggested creating individual scopes for cases where the number of eDiscovery Officers involved had to be limited to a smaller number of officers.
The resulting model is represented in the diagram below:
The IT Administrator will create:
The department's primary eDiscovery Officer will create cases inside the eDiscovery Site Collection and manage access to each case. The IT Administrator will not have access to the cases.
The high level steps for implementing this model at Contoso, Inc. are:
For the purposes of this article and its associated configuration steps, we are going to use a Distribution Group called FIN.2014.001234.Members. This follows a standard naming convention of <Department>.<Year>.<Case ID>.Members.
Requirement: Organization Administration permissions
Using FIN (Department of Finance) as an example, the following tasks will be performed:
1. Create a new Distribution Group in Exchange Online via Remote PowerShell by executing the following commands:
New-DistributionGroup -Name "FIN.2014.001234.Members" -Alias FIN2014001234Members -MemberJoinRestriction 'Closed' -MemberDepartRestriction 'Closed' -ModerationEnabled $true -PrimarySmtpAddress 'FIN2014001234Members@Contoso.onmicrosoft.com'
Set-DistributionGroup -Identity "FIN.2014.001234.Members" -HiddenFromAddressListsEnabled $true
Add-DistributionGroupMember -Identity "FIN.2014.001234.Members" -Member "John.Smith@FIN.Contoso.com"
NOTE: It is important that all Distribution Groups used for eDiscovery use the '@Contoso.onmicrosoft.com' UPN suffix. This will prevent admins in other departments from modifying the group's membership. The John.Smith@FIN.Contoso.com address in the example above is the Discovery Officer for the case. All Discovery Officers assigned to the case are to be added to the Distribution Group. Add all target mailboxes to the Distribution Group as well.
2. Run the following command to obtain and save the DistinguishedName of the new Distribution Group to a variable.
$DG = Get-DistributionGroup -Identity 'FIN.2014.001234.Members'
NOTE: We will use the value of the DistinguishedName property to create the scope.
3. Create a Management Scope in Exchange Online via remote PowerShell by executing the following command:
New-ManagementScope -Name "FIN.2014.001234.SCOPE" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"
NOTE: The scope is created by filtering on membership using the DistinguishedName obtained in the previous step.
4. A Role Group must be created to tie these components together. The Role Group allows members to manage the mailboxes that are bound by the filter of the Management Scope created above. Permissions are assigned to the Role Group that allow the user to execute discovery activities against mailboxes. Using the FIN department as an example, the following commands are executed to create the Role Group and add a member:
New-RoleGroup "FIN.2014.001234.ROLEGROUP" -Roles "Mailbox Search","Legal Hold" -CustomRecipientWriteScope "FIN.2014.001234.SCOPE"
Add-RoleGroupMember "FIN.2014.001234.ROLEGROUP" -Member "John.Smith@FIN.Contoso.com" -BypassSecurityGroupManagerCheck
NOTE: The Add-RoleGroupMember command adds John.Smith@FIN.Contoso.com as a member of the Role Group and grants him access to execute eDiscovery searches on the mailboxes within this scope. Members can be added using either the Exchange Admin Center or PowerShell.
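The four steps above, wrapped into a single function so that the naming convention is applied consistently and the resulting role assignments are audited for an unscoped write scope. This is an added example, not code from the original article; it assumes an existing Exchange Online Remote PowerShell session, the Contoso tenant names used above, and the function name and parameters are hypothetical.

```powershell
# Added example: provisions the per-case group, scope and role group following
# the <Department>.<Year>.<Case ID> naming convention, then checks that every
# role assignment granted to the role group is bound to the case scope.
function New-CaseDiscoveryScope {
    param(
        [Parameter(Mandatory)] [string]   $Department,       # e.g. FIN
        [Parameter(Mandatory)] [string]   $Year,             # e.g. 2014
        [Parameter(Mandatory)] [string]   $CaseId,           # e.g. 001234
        [Parameter(Mandatory)] [string[]] $Officers,         # Discovery Officer addresses
        [string[]] $TargetMailboxes = @(),                   # custodian mailboxes (optional)
        [string]   $TenantDomain = 'Contoso.onmicrosoft.com' # tenant-owned suffix, see NOTE above
    )
    $base  = "$Department.$Year.$CaseId"
    $group = "$base.Members"
    $alias = $group -replace '\.', ''

    # Step 1: closed, moderated group hidden from address lists on the tenant domain
    New-DistributionGroup -Name $group -Alias $alias `
        -MemberJoinRestriction 'Closed' -MemberDepartRestriction 'Closed' `
        -ModerationEnabled $true -PrimarySmtpAddress "$alias@$TenantDomain" | Out-Null
    Set-DistributionGroup -Identity $group -HiddenFromAddressListsEnabled $true
    foreach ($m in ($Officers + $TargetMailboxes)) {
        Add-DistributionGroupMember -Identity $group -Member $m
    }

    # Steps 2 and 3: scope filtered on membership via the group's DistinguishedName
    $dg = Get-DistributionGroup -Identity $group
    New-ManagementScope -Name "$base.SCOPE" `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$($dg.DistinguishedName)'" | Out-Null

    # Step 4: role group limited to the two discovery roles and the custom write scope
    New-RoleGroup -Name "$base.ROLEGROUP" -Roles 'Mailbox Search','Legal Hold' `
        -CustomRecipientWriteScope "$base.SCOPE" | Out-Null
    foreach ($o in $Officers) {
        Add-RoleGroupMember -Identity "$base.ROLEGROUP" -Member $o -BypassSecurityGroupManagerCheck
    }

    # Audit: an assignment whose write scope is not the case scope would let the
    # officer run searches or holds against mailboxes outside this case.
    Get-ManagementRoleAssignment -RoleAssignee "$base.ROLEGROUP" |
        Where-Object { "$($_.CustomRecipientWriteScope)" -ne "$base.SCOPE" } |
        ForEach-Object { Write-Warning "Unscoped assignment: $($_.Name) ($($_.Role))" }
}

# Reproduces the FIN case from the article (constructed sample values)
New-CaseDiscoveryScope -Department FIN -Year 2014 -CaseId 001234 `
    -Officers 'John.Smith@FIN.Contoso.com'
```

Re-running only the audit block later (for example from a scheduled script) is a cheap way to detect a role group whose scope was widened after provisioning.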
Each department eDiscovery resource will utilize a SharePoint Online eDiscovery site to conduct searches and exports. Each department will have a Site Collection containing subsites used for each case, created as needed.
NOTE: After clicking OK, you will be taken back to the SharePoint Admin Center, where you will see a message indicating that the site creation is in progress. You will also see a spinning circle next to the newly requested site indicating that the action is in progress.
3. Upon completion, you will see "NEW" next to the site. Select the checkbox next to the site in the list, and then choose Owners > Manage Administrators from the top menu.
NOTE: Site Collection Administrators will have the ability to access and modify any and all sites in the collection. It is recommended that the number of Site Collection Administrators is restricted to a few select people.
The tenant must be configured to search in Exchange. The search source can also be configured at the Site Collection level for each Site Collection, but making this configuration change at the tenant level simplifies management of the search sources going forward.
Follow the steps below to accomplish this task:
NOTE: In some cases the Autodiscover feature may fail. In this case modify the source, uncheck Autodiscover, and enter this value in the Exchange Source URL field: https://outlook.office365.com/EWS/Exchange.asmx
Tags: spo, Ediscovery, Management Scopes, Exchange Online, EXO