Exporting Data from OneDrive or SharePoint Online for eDiscovery Cases

Most, if not all, organizations will encounter a time when electronic data discovery is required for one reason or another.  Typically these reasons include review by Legal or HR personnel.  In these times of need, the eDiscovery functionality in Office 365 can help facilitate the requests.  Data from Exchange and SharePoint Online can be extracted, or placed on “hold” so that even deleted information is retained.  Obtaining the data from Exchange Online is fairly straightforward, but there are some caveats to getting data from OneDrive.  NOTE: The same process outlined below can be used for any SharePoint Online site.  Instead of using a OneDrive URL, the site URL would be used instead.

Overview

  1.  Grant permissions to the Office 365 Compliance Center
  2. Add a Site Collection Administrator
  3. Create the eDiscovery Case
  4. Add Sources
  5. Create Queries
  6. Export the data

Permissions

Before an eDiscovery case can be created, there are a couple of permissions needed.  First, access to the Compliance Center is required.  There are multiple roles that grant this functionality – Global Admin, Compliance Administrator, eDiscoveryManager, etc.  Just granting access to the Compliance Center is not enough for OneDrive access, though.  To get that data, the person performing the search must also be a Site Collection Administrator for each OneDrive in question.

After connecting to SharePoint Online remote PowerShell, the example command below can be issued to add a Site Collection Administrator.  The path to OneDrive will be different for each user, but can be easily determined based on the Windows account name, or email address that is used to sign in.

set-SPOUser -Site https://<path to OneDrive to be exported> -LoginName <user doing the export>-IsSiteCollectionAdmin $true

Example: set-SPOUser -Site https://dollarunderscore-my.sharepoint.com/personal/John_Smith_dollarunderscore_com -LoginName Sally.Jenkins@dollarunderscore.com -IsSiteCollectionAdmin $true

IMPORTANT: It took an hour or so after adding a user as a Site Collection Admin before I was able to get complete results when doing the export below.  I suspect this time would vary based on the size of the OneDrive in question.

Creating the Case

Now that we’ve granted access to the Compliance Center, and set the investigator as a Site Collection Admin, we can create the eDiscovery case and extract data.  When creating the case a title, URL, and permissions to the case are all assigned.  In most cases, the option to “Use same permissions as parent site” will suffice.  If  special permissions are required for a case, they can be configured at initial setup.

Next, Sources will need to be added.  These sources can be either mailboxes, or SharePoint Online locations.  Since we are using OneDrive in this blog, the source will be the path to the OneDrive in question.

eDiscovery-Sources.PNG

After Sources have been added, we’ll need to create queries to get the data.  The query can be very granular, only searching for particular file types, mailbox items, or specific date ranges.  To just get all data, all that is needed is a query name and source(s).  Clicking the “Search” button will show the number of items and size.  Be sure to SAVE the query rather than just closing it or you will have to do this step again…not that I did that or anything.eDiscovery-Query.PNG

The final step is to just choose the “Export” option at the bottom of the query, pick a location to save the data, and wait.

Cleanup

After the discovery case is closed, or after the needed data is obtained it is a good practice to circle back around and remove the Site Collection Admin permissions that were added.  Simply changing the -IsSiteCollectionAdmin from $true to $false will do the trick.

Example: set-SPOUser -Site https://dollarunderscore-my.sharepoint.com/personal/John_Smith_dollarunderscore_com -LoginName Sally.Jenkins@dollarunderscore.com -IsSiteCollectionAdmin $false

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s