Business Case

Office 365 customer has several departments, each with its own eDiscovery team. Normally, an organization would have a centralized eDiscovery team. In this case we have a set of very unique requirements to keep all eDiscovery teams separate while a centralized IT Administration group would be in charge of assigning permissions to the various eDiscovery teams. For this article, I will use Contoso, Inc as the organization. Contoso has 3 departments. The diagram below outlines Contoso's management structure.

Requirements were documented as follows:

 

  1. Contoso, Inc wishes to have dedicated resources in each department that will own any requests for that department pertaining to eDiscovery/Litigation/internal investigation/FOIA (Freedom of Information Act). These resources will be referred to as eDiscovery Officers
  2. eDiscovery Officers from one department should not have access to mailboxes in another department.
  3. Configuration must allow for each department to regulate the number of people who have access to any given case assigned to that department.
  4. Each eDiscovery Officer will only have access to search and view the results of their respective department.
  5. eDiscovery Officers will be able to export the relevant data with minimal assistance from the IT support teams, keeping the chain of custody simple and removing any bottlenecks in the process.

To address this requirements we decided that the best course of action would be to leverage the SharePoint Online eDiscovery Center site template and create appropriate management scopes for each department. In addition to the department scopes; we also suggested creating individual scopes for cases where the number of eDiscovery Officers involved had to be limited to a smaller number of officers.

 

The resulting model is represented in the diagram below:

 


 

 

 The IT Administrator will create:

  • Management Scope
  • Role Group
  • Distribution Group
  • SPO eDiscovery Site Collection

The department's primary eDiscovery Officer will create cases inside the eDiscovery Site Collection and manage access to each case. The IT Administrator will not have access to the cases.

The high level steps for implementing this model at Contoso, Inc. are:

  1. Create a new Distibution Group in Exchange Online via Remote PowerShell
  2. Add the mailboxes to be searched to the respective Distribution Group
  3. Add eDiscovery Officers to the Distribution Group
  4. Create a Management Scope in Exchange Online via remote PowerShell
  5. Create a Role Group in Exchange Online via remote PowerShell
  6. Add eDiscovery Officers as members to the Role Group
  7. Create the SPO eDiscovery Site Collection
  8. Grant permissions to the eDiscovery Site Collection

 

For the purposes of this article and its associated configuration steps, we are going to use a Distribution Group called FIN.2014.001234.Members This follows a standard naming context of <Department>.<Year>.<Case ID>.Members.

 

Configuration Procedure

Exchange online Configuration

Requirement: Organization Administration permissions

 

Using FIN (Department of Finance) as an example, the following tasks will be performed:

  1. Create a new Distribution Group in Exchange Online via Remote PowerShell by executing the following commands:

New-DistributionGroup -Name "FIN.2014.001234.Members" -Alias FIN2014001234Members  -MemberJoinRestriction 'Closed'  -MemberDepartRestriction 'Closed' -ModerationEnabled $true  -PrimarySmtpAddress ‘FIN2014001234Members@Contoso.onmicrosoft.com’

 

Set-DistributionGroup -Identity "FIN.2014.001234.Members" -HiddenFromAddressListsEnabled $true

 

Add-DistributionGroupMember –Identity "FIN.2014.001234.Members" –Member “John.Smith@FIN.Contoso.com”

 

NOTE: It is important that all Distribution Groups used for eDiscovery use the ‘@Contoso.onmicrosoft.com’ UPN suffix. This will prevent admins in other departments from modifying the group’s membership. The John.Smith@FIN.Contoso.com address in the example above is the Discovery Officer for the case. All Discovery Officers assigned to the case are to be added to the Distribution Group. Add all target mailboxes to the Distribution Group as well.

 

 2. Run the following command to obtain and save the DistinguishedName of the new Distribution Group to a variable.

$DG = Get-DistributionGroup -Identity 'FIN.2014.001234.Members’

 

NOTE: We will use the value of the DistinguishedName property to create the scope.

 

 3. Create a Management Scope in Exchange Online via remote PowerShell by executing the following command:

New-ManagementScope -Name "FIN.2014.001234.SCOPE" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"

 

NOTE: The scope is created by filtering on membership using the DistinguishedName obtained in the previous step.

 

4. A Role Group must be created to tie these components together. The Role Group allows members to manage the mailboxes that are bound by the filtering of the Management Scope in step 1. Permissions are assigned to the Role Group that allow the user to execute discovery activities against mailboxes. Using the FIN departments as an example, the following command is executed to create the Role Group:

 

New-RoleGroup "FIN.2014.001234.ROLEGROUP" -Roles "Mailbox Search","Legal Hold" –CustomRecipientWriteScope “FIN.2014.001234.SCOPE”

 

Add-RoleGroupMember "FIN.2014.001234.ROLEGROUP" -Member “John.Smith@FIN.Contoso.com” -BypassSecurityGroupManagerCheck

           

NOTE: The Add-RoleGroupMember command adds John.Smith@FIN.Contoso.com as a member of the Role Group and grants him access to execute eDiscovery searches on the mailboxes within this scope.  Members can be added using either the Exchange Admin Center or PowerShell.


SharePoint eDiscovery Site Collection

Each department eDiscovery resource will utilize a SharePoint Online eDiscovery site to conduct searches and exports. Each department will have a Site Collection containing subsites used for each case, created as needed.

 

Creating the Site Collection

  1. From the SharePoint Admin Center, create a new Site Collection by clicking New a Private Site Collection
  2. For the Site Collection information, follow this guidance for the requested information:
    1. Title: <Department>-eDiscovery
    2. Web Site Address: https://Contoso.sharepoint.com/sites/<Department>-eDiscovery
    3. Select Experience version: 2013
    4. Select a language: English
    5. Select a template: EnterpriseàeDiscovery Center
    6. Time Zone: UTC – 05:00
    7. Admistrator: <Your ADM account>
    8. Storage Quota: 3000
    9. Server Resource Quota: 300

 

NOTE: After clicking OK, you will be taken back to the SharePoint Admin Center, where you will see a message indicating that the site creation is in progress. You will also see a spinning circle next the newly requested site indicating that the action is in progress.

 

3. Upon completion, you will see “NEW” next to the site. Select the checkbox next to the site on the list, and then choose Owners à Manage Administrators from the top menu

 

Add the Site Collection Administrators who will be in charge of the Site Collection.

NOTE: Site Collection Administrators will have the ability to access and modify any and all sites in the collection. It is recommended that the number of Site Collection Administrators is restricted to a few select people.

 


Operations

Opening the Site Collection

  1. From the list of Site Collections, click the newly created site to bring up the properties
  2. Click on the link next to the Web Site Address to open the newly created site collection

Configuring the Search Source

The Site Collection must be configured to search in Exchange. Follow the steps below to accomplisht this task: 

  1. Click on the gear icon in the upper-right corner and choose Site settings from the list.
  2. Click on Search Result Sources under Site Collection Administration 
  3. Click on  New Result Source
  4. Enter a Name, select Exchange
  5. Check Use AutoDiscover, and click the Save button

 

 Granting Access for Members

  1. Click on the gear icon in the upper-right corner and choose Site settings from the list.
  2. Click on People and Groups
  3. In order to provide the proper level of access to create new cases in the site, add the designated Department resources to the site Owners group:
  4. Select the group, and choose New à Add Users
  5. Add the Department resources who will conduct the search. The window will provide guidance for names that do not resolve or if there are more than one.
  6. After selecting the appropriate users for the Department, expand the Show Options area and clear the checkbox for “Send an email invitation”. Once this is complete, select Share. The selected users will now have access to the site.

 

Tags: spo, Ediscovery, Management Scopes, Exchange Online, EXO