Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Note
Active hold policies that you create in cases in the legacy eDiscovery experience are automatically migrated and available in the new Microsoft Purview eDiscovery experience. Review the hold report to check policy status and retry any policies that need attention.
Use eDiscovery to create hold policies that preserve content relevant to your cases. When you place content locations on hold, the content is held until you release the hold in the case, remove a specific data location, or delete the hold policy. You can place holds on data sources such as:
- User mailboxes and OneDrive sites.
- Microsoft Teams mailboxes and SharePoint and OneDrive sites.
- Microsoft 365 group mailboxes and SharePoint and OneDrive sites.
Tip
Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.
Hold policy dashboard
The Hold policies dashboard lists all the holds associated with a case. This dashboard lets you create hold policies, displays information about hold policies in the case, and lets you filter and group the hold policies. The Hold policies dashboard contains the following information and controls:
- Name: The name of the hold policy.
- Created by: The user that created the hold policy.
- Last modified: The date and time the hold policy was last modified. Select Time zone to switch between using local time and Coordinated Universal Time (UTC).
- Hold policy Status: The current status of the hold policy.
Select a hold policy to view the details, data sources, and condition and KeyQL filters.
To customize the columns display on the Hold policies dashboard, select Customize columns to choose the columns to display or drag and drop the columns in the list to reorder. To search for a specific hold policy, enter a keyword in the Search field. To download the list of hold policies and the column information, select Download list to create a .csv file containing this information.
Hold policy states
The hold policy page shows the state of a hold next to the hold name. Hold policies have the following states:
- Draft: Displayed when you create a new policy but don't apply it. If you navigate away from the policy draft, you cancel the draft and lose all policy changes.
- On: The policy is applied and all locations in the policy are on hold. Select the Details tab to view location information.
- Off: The policy is off for a previously applied hold. All included locations aren't on hold.
- In progress: The hold policy is in the process of being applied or updated.
- Pending deletion: The hold policy is in the process of being deleted.
Create a hold policy
To create a new hold policy, see Create holds in eDiscovery.
Edit a hold policy
You can edit the hold policy name, description, or the policy details (data sources, condition filters, and KeyQL filters) as applicable.
To edit the hold policy name or description, complete the following steps:
- Go to the Microsoft Purview portal and sign in with the credentials for a user account assigned eDiscovery permissions.
- Select the eDiscovery solution card, then select Cases (preview) in the left nav.
- Select a case, then select the Hold policies tab.
- On the Hold policies dashboard, select the hold policy you want to edit.
- Select the edit (pencil) icon next to the policy name.
- Update the policy name or description, then select Continue.
To edit a hold policy details, complete the following steps:
- Go to the Microsoft Purview portal and sign in with the credentials for a user account assigned eDiscovery permissions.
- Select the eDiscovery solution card, then select Cases (preview) in the left nav.
- Select a case, then select the Hold policies tab.
- On the Hold policies dashboard, select the hold policy you want to edit.
- On the Hold policy page for the selected policy, select the Hold policy tab.
- Update data sources, condition filters, and KeyQL filters as applicable.
- Select Apply hold.
Retry a hold policy
A retry hold policy triggers the hold process to restamp all mailboxes and sites in the policy to enforce the hold. You might also encounter errors while placing a hold on data sources. For a list of possible errors, see the Manage hold status errors section in this article.
To retry a hold policy, complete the following steps:
- Go to the Microsoft Purview portal and sign in with the credentials for a user account assigned eDiscovery permissions.
- Select the eDiscovery solution card, then select Cases (preview) in the left nav.
- Select a case, then select the Hold policies tab.
- On the Hold policies dashboard, select the hold policy you want to retry.
- On the Hold policy page for the selected policy, select Policy actions > Retry policy.
Turn off a hold policy
Turning off a hold policy might result in the permanent deletion of any content currently being preserved. It doesn't affect content preserved by other hold policies.
To turn off a hold policy, complete the following steps:
- Go to the Microsoft Purview portal and sign in with the credentials for a user account assigned eDiscovery permissions.
- Select the eDiscovery solution card, then select Cases (preview) in the left nav.
- Select a case, then select the Hold policies tab.
- On the Hold policies dashboard, select the hold policy you want to turn off.
- On the Hold policy page for the selected policy, select Policy actions > Turn off.
Turn on a hold policy
When you edit a policy, it doesn't affect content preserved by other hold policies.
To turn on a hold policy, complete the following steps:
- Go to the Microsoft Purview portal and sign in with the credentials for a user account assigned eDiscovery permissions.
- Select the eDiscovery solution card, then select Cases (preview) in the left nav.
- Select a case, then select the Hold policies tab.
- On the Hold policies dashboard, select the hold policy you want to turn on.
- On the Hold policy page for the selected policy, select Policy actions > Turn on.
Delete a hold policy
When you delete a hold policy, you remove all associated holds and release all sites and mailboxes. This action might result in permanent deletion of any content currently being preserved.
To delete a hold policy, complete the following steps:
- Go to the Microsoft Purview portal and sign in with the credentials for a user account assigned eDiscovery permissions.
- Select the eDiscovery solution card, then select Cases (preview) in the left nav.
- Select a case, then select the Hold policies tab.
- On the Hold policies dashboard, select the hold policy you want to delete.
- On the Hold policy page for the selected policy, select Policy actions > Delete policy.
- On the Delete policy? dialog, select Yes, delete.
Manage hold status errors
You might encounter errors while placing a hold on data sources. The following table lists the errors that you might encounter and the recommended resolution.
| Hold error types | Description | Resolution |
|---|---|---|
| Distribution group has too many members | The distribution group associated with the requested hold has more than 1,000 email addresses. Currently, a distribution group with more than 1,000 email addresses can't be expanded and placed on hold. | Add the individual email addresses as data sources or split the distribution group into groups with fewer than 1,000 email addresses. Then select Policy actions > Retry policy in the hold policy to retry the hold application. |
| Invalid email address or URL | The location associated with the requested hold has an invalid email address or site URL. | Specify a valid email address or URL that exists within your organization. |
| Mailbox not found | The mailbox associated with the requested hold isn't a valid mailbox. | Verify the email address and check that it's a valid Exchange Online mailbox. Once confirmed, edit the data source for the mailbox and then select Policy actions > Retry policy in the hold policy to retry the hold application. |
| Policy deployment interrupted | A system error indicating a problem was encountered while applying the hold. | Select Policy actions > Retry policy in the hold policy to retry the hold application. |
| Site inaccessible | The SharePoint location associated with the requested hold request isn't accessible and might be read only. | Contact your SharePoint site administrator to configure the site as writable. Then select Policy actions > Retry policy in the hold policy to retry the hold application. |
| Site failed to apply hold | If the site URL changed for any reason (due to user UPN or tenant domain change), you must update the policy to include the site with the new name and URL. | Update the policy by removing the original site, then add the new site URL to the hold policy and re-apply the hold. |
| Site not found | The SharePoint location associated with the requested hold might have been moved, deleted, or the site URL might not exist. | Check the site URL and confirm if the SharePoint site exists. Once confirmed, edit the data source for the site and then select Policy actions > Retry policy in the hold policy to retry the hold application. |
Place a hold on Microsoft Teams and Microsoft 365 groups
Microsoft Teams is built on Microsoft 365 groups. Therefore, placing them on hold in eDiscovery is similar. Keep the following things in mind when placing Microsoft 365 groups and Microsoft Teams on hold:
To place content located in Microsoft 365 groups and Microsoft Teams on hold, you need to specify the mailbox and SharePoint site that are associated with a group or team.
Run the Get-UnifiedGroup cmdlet in Exchange Online to view properties for a Microsoft 365 group or Microsoft Team. This cmdlet is a good way to get the URL for the site that's associated with a Microsoft 365 group or a Microsoft Team. For example, the following command displays selected properties for a Microsoft 365 group named Senior Leadership Team:
Get-UnifiedGroup "Senior Leadership Team" | FL DisplayName,Alias,PrimarySmtpAddress,SharePointSiteUrl DisplayName : Senior Leadership Team Alias : seniorleadershipteam PrimarySmtpAddress : seniorleadershipteam@contoso.onmicrosoft.com SharePointSiteUrl : https://contoso.sharepoint.com/sites/seniorleadershipteamNote
To run the Get-UnifiedGroup cmdlet, you need to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.
When you search a user's mailbox, the search doesn't include any Microsoft 365 group or Microsoft Team that the user is a member of. Similarly, when you place a Microsoft 365 group or Microsoft Team hold, only the group mailbox and group site are placed on hold; the mailboxes and OneDrive sites of group members aren't placed on hold unless you explicitly add them to a case or place their data sources hold. Therefore, if you need to place a Microsoft 365 group or Microsoft Team on hold for a specific user, consider mapping the group site and group mailbox to the user. If the Microsoft 365 group or Microsoft Team isn't attributable to a single user, consider adding the source to a hold.
To get a list of the members of a Microsoft 365 group or Microsoft Team, you can view the properties on the Home > Groups page in the Microsoft 365 admin center. Alternatively, you can run the following command in Exchange Online PowerShell:
Get-UnifiedGroupLinks <group or team name> -LinkType Members | FL DisplayName,PrimarySmtpAddressNote
To run the Get-UnifiedGroupLinks cmdlet, you need to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.
Channel conversations that are part of a Microsoft Teams channel are stored in the mailbox that's associated with the Team. Similarly, files that team members share in a channel are stored on the team's SharePoint site. Therefore, you need to place the Microsoft Team mailbox and SharePoint site on hold to retain conversations and files in a channel.
Alternatively, conversations that are part of the Chat list in Microsoft Teams are stored in the mailbox of the users who participate in the chat. Files that a user shares in Chat conversations are stored in the OneDrive site of the user who shares the file. Therefore, you need to place the individual user mailboxes and OneDrive sites on hold to retain conversations and files in the Chat list.
Every Microsoft Team or team channel contains a Wiki for note-taking and collaboration. The Wiki content is automatically saved to a file with a .mht format. This file is stored in the Teams Wiki Data document library on the team's SharePoint site. You can place the content in the Wiki on hold by placing the team's SharePoint site on hold.
Note
The capability to retain Wiki content for a Microsoft Team or team channel (when you place the team's SharePoint site on hold) was released on June 22, 2017. If a team site is on hold, the Wiki content is retained starting on that date. However, if a team site is on hold and the Wiki content was deleted before June 22, 2017, the Wiki content wasn't retained.