By John Patzakis
Microsoft reports 345 million paid users worldwide of its Microsoft 365 platform (“M365”), spanning over two million companies, with more than one million of them based in the United States. M365’s cloud-based data sources such as OneDrive, Outlook mail, Teams and SharePoint online represent arguably the majority of ESI being produced in litigation going forward. However, M365 presents significant eDiscovery challenges and costs, requiring legal and eDiscovery professionals to be aware of the various methods to address this critical data source.
This article briefly addresses the benefits and challenges of each of the three main approaches to addressing eDiscovery and information governance in M365: 1) Utilizing Microsoft Purview; 2) Outsourced Services; or 3) Relying on a 3rd Party Purpose-build eDiscovery Solution.
Microsoft Purview
Microsoft Purview is the built-in M365 eDiscovery tool. It comes in different licensing tiers, the highest and most useful being Premium, or also known as E5 licenses. A key benefit of utilizing Purview Premium is that it’s integrated with M365, which is obviously convenient for workflow and also budgeting. Purview features a good legal hold process that allows the application of legal holds in place for key M365 data sources.
There is also a good consultant ecosystem to provide training and add-on services, which are often needed to address the larger projects at extra cost. And a premium license provides other functionalities unrelated to eDiscovery such as data analytics for business as well as a lot of security functions.
As far as the challenges of MS Purview Premium that we hear from users, a common complaint is that it can be very expensive, with licenses costing about $600 per employee annually. For large cases, licenses for several thousand custodians run in the millions of dollars and well into the tens of millions when you are dealing with a company with about 40,000 employees.
But the biggest complaint that we hear is that it’s not suited for large cases, M365 is built for user productivity, and the shared architecture is designed to support hundreds of millions of global users with normal individual workloads. eDiscovery and information governance projects are very large and aberrant workloads, so the system is designed to throttle large data throughputs. For instance, when you start a case in Purview, a separate and new index is created to allow eDiscovery and compliance searches in Purview, but there is a 2 GB hourly limit when creating this index — according to Microsoft’s own documentation — which limits your ability to address larger cases in a timely manner. There are many documented concerns about the accuracy and transparency of search results and data exports, especially as cases get bigger and there’s more custodians with higher volumes. Also, large attachments over 150 mb are not being a supported, as well as many filetypes such as engineering files like CAD drawings. MS only supports 50 file types, while the right eDiscovery software will support over 500.
These search accuracy and throughput limitations were called out by a Special Master Phillip Favro in the case of Deal Genius, LLC v. O2COOL, LLC, No. 21-C-2046, 2022 WL 17418933, at *1–2 (N.D. Ill. Oct. 24, 2022), and further expounded upon by Favro is his recent technical whitepaper:
“Purview eDiscovery does not provide the advanced features offered by a full service e-discovery platform needed to support discovery efforts in complex cases such as multidistrict litigation and class actions or regulatory investigations like Hart-Scott-Rodino Second Requests. Even small lawsuits that involve high volumes of ESI can present difficulties for organizations that wish to manage much of their discovery process with Purview eDiscovery. Responding parties that rely on Purview eDiscovery may not be able to perform a comprehensive search to reasonably identify relevant information. Responding parties who wish to incorporate Purview eDiscovery functionality into their discovery workflows must understand its search limitations and take steps to address them so they can establish the defensibility of their discovery process.” “Microsoft Purview eDiscovery: Key Features and Limitations,” Practical Law (July 2024).
Finally, Purview only addresses data within 365. It’s not going to address data sources such as Slack, or on-premises sources including laptops, fileshares, even on prem exchange or on-Prem SharePoint.
Outsourced Services
The second approach to addressing M365 for eDiscovery is to retain an outsourced service provider. There are well over 100 consulting firms that perform such services, and the main benefit is that the right consultants can get the job done. The consultants know how to export M365 data into a standard eDiscovery workflow, are very good at project management, and are well-versed with working with attorneys and their litigation deadlines. For companies that are smaller without the internal resources or expertise or have backlogs, this can be a good approach.
The main drawback is that it can be very expensive, because often times what we generally see is the service providers parachute in and run very basic scripts to conduct a mass data export from M365. After that, it defaults to a traditional eDiscovery workflow with processing tools, a lot of manual services, and then an upload to a standard review platform. This reactive approach results in a high amount of expensive data overcollection. Additionally, outsourced service providers typically require very high level, super-admin privileges in order to run their bulk data download scripts, which can be a significant concern from a security standpoint. These privileges can be delegated sometimes without the company’s knowledge, so it is important to be aware of and audit the privileges that are being granted.
Also, we have seen that for large eDiscovery collection projects in Europe, EU based companies are required to perform a data protection impact analysis (DPIA), and mass bulk collections involving copying of all the employees’ emails and other sensitive files and taking that data offsite are frowned upon by privacy auditors. That approach runs afoul of the GDPR’s proportionality and data minimalization requirements.
Third Party eDiscovery Software Solution
And finally, a third approach is utilizing a non-Microsoft eDiscovery solution that’s purpose- built to conduct eDiscovery, including by connecting to M365. A benefit of this approach is that the right solution can scale for larger data sets. This is particularly important for information governance projects such as data compliance audits. The good solutions will not require expensive Premium Purview licensing for every custodian and will enable you to employ it as an established and repeatable process. It can also address the indexing throughput and completeness challenges in Purview. And finally, a platform like this should be able to support data outside of M365 such as on-premises sources or data such as slack.
One of the challenges of an in-house system is that internal IT resources or tech savvy paralegals are needed to run the process. Some technology platforms still require you to have the most expensive Purview Premium licensing to support essential functionality, such as collection of hyper-linked documents, and other key features. Further, many of these vendors are simply providing repurposed email archiving platforms, which function by a mass copy and transfer of all the organization’s data in M365. This poses significant logistical challenges in terms of scalability, not to mention unnecessary cost. M365 does not easily allow for the mass data download, which can lead to errors and data corruption, as in the recent case of FTC v. Match Group, No. 3:19-CV-2281-K, 2025 WL 46024, at *4 (N.D. Tex. Jan. 7, 2025) where MS Purview exports to an email archival system failed, resulting in court imposed discovery sanctions. So, if the solution does not allow for index in place functionality, but a bulk download, copy and data transfer, then there can be significant challenges with that approach.
The X1 Enterprise platform for 365 and on-premises sources takes a unique approach with a micro indexing architecture so that each data source and each custodian is associated with their own index. This enables a true index in place keep capability for targeted search and analytics at the point of collection, which enables the bypassing of most of the M365 throttling issues so that hundreds of custodians can be addressed in hours, not weeks. Our customers have successfully addressed matters involving thousands of custodians and upwards of 80 terabytes of M365 data that was indexed in a very short period of time. X1 Enterprise does not require Purview Premium licensing to address all the required functionality, such as the search and collection of hyperlinked files, archived email, inactive mailboxes, as well as many other detailed requirements.
Simply put, we believe X1 Enterprise is the best solution available to address M365 data for eDiscovery and information governance requirements.
Ready to Learn More?
For companies navigating complex information governance and eDiscovery requirements, including those involving M365, organizations that rely on the X1 Enterprise Platform not only reduce costs and save valuable time but also gain a strategic advantage in managing their eDiscovery and information governance needs. For a demonstration of the X1 Enterprise Platform, contact us at sales@x1.com. For more details on this innovative solution, please visit www.x1.com/solutions/x1-enterprise-platform.