SKILL.md— paste into Microsoft 365 Copilot or ClaudeDownload▸ View skill file▾ Hide skill file
---
name: eDiscovery and Legal Hold Readiness
description: Audit Microsoft Purview eDiscovery legal holds, collection integrity and search or export readiness for litigation and regulatory response.
---
# eDiscovery and Legal Hold Readiness
> **TL;DR:** This skill inspects your Microsoft Purview eDiscovery cases, legal holds and collection sources, then produces a prioritised readiness report so you can prove evidence is preserved, searchable and exportable before a matter escalates.
## What does Microsoft Purview eDiscovery legal hold readiness involve?
Microsoft Purview eDiscovery lets your organisation preserve, search and export content from Exchange Online, SharePoint, OneDrive and Microsoft Teams in response to litigation, regulatory requests or internal investigations. A legal hold suspends retention and deletion so custodian data stays defensible. This skill reads the configuration of cases, holds, custodians and collection sources across Microsoft Entra identities so you can confirm preservation is genuinely in force. It surfaces gaps such as inactive holds, unscoped locations or missing custodian mappings before they become a discovery failure.
## When should you run this skill?
- "We have just received a litigation notice and need to confirm holds are actually preserving data."
- "Are any of our eDiscovery legal holds disabled, expired or scoped to the wrong locations?"
- "Show me which custodians have no preservation applied across mailboxes and OneDrive."
- "Can we still search and export collected content for this matter today?"
- "Our legal team wants assurance that retention and deletion are suspended for in-scope users."
- "We are preparing for an external audit and need evidence of defensible eDiscovery readiness."
- "Has anyone changed or released a hold without the matter being formally closed?"
## How this skill works, step by step
1. Connect read-only to Microsoft Purview eDiscovery and enumerate all eDiscovery (Premium) and Standard cases and their current status.
2. For each case, retrieve every associated legal hold and record whether the hold is enabled, disabled or in an error state.
3. Inspect each hold's content locations across Exchange Online, SharePoint, OneDrive and Microsoft Teams to confirm in-scope sources are actually covered.
4. Map custodians to their Microsoft Entra identities and flag custodians with no hold applied or with locations that fail to resolve.
5. Review collection and search definitions for each case to confirm queries return results and have not silently errored.
6. Check export and review-set readiness, noting any pending, failed or stale exports that would block evidence production.
7. Detect risk signals such as expired hold durations, recently released holds on open matters and mailboxes excluded from preservation.
8. Derive a risk score per case from hold coverage, custodian completeness, collection health and export readiness, weighting active matters with gaps highest.
9. Compile the findings into a prioritised report with clear remediation guidance for the compliance and legal teams.
## Output format
The skill returns a per-case readiness summary followed by a prioritised findings table.
| Case | Hold status | Custodian coverage | Collection health | Risk |
| --- | --- | --- | --- | --- |
| Contoso v. Litigant 2026 | Disabled hold detected | 8 of 10 custodians held | Last search errored | High |
| Internal HR Review Q2 | All holds enabled | 12 of 12 custodians held | Searches healthy | Low |
Summary highlights:
- Total cases assessed and the count flagged High, Medium or Low risk.
- Holds that are disabled, in error or released against an open matter.
- Custodians with no preservation applied across one or more locations.
- Collections or exports that are failed, stale or returning no results.
## Scope and safety
This skill is read-only by default and makes no changes to your Microsoft Purview, Microsoft Entra or Microsoft 365 configuration. It only reads case, hold, custodian, collection and export metadata to assess readiness.
This skill does NOT:
- Create, modify, enable, disable or release any legal hold or eDiscovery case.
- Run, export or alter collections, searches or review sets that touch custodian content.
- Change retention policies, custodian assignments or content locations.
- Read or extract the body of preserved messages, files or chats.
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| eDiscovery (Standard) cases, holds and content search | Microsoft 365 E3 (or Exchange Online Plan 2 / Business Premium) |
| eDiscovery (Premium): custodians, collections, review sets and advanced export | Microsoft 365 E5 or E5 Compliance / E5 eDiscovery and Audit add-on |
### Least-privilege roles
- Compliance Data Administrator or Global Reader for read-only visibility of cases, holds and configuration.
- eDiscovery Manager (read-only members are scoped to their assigned cases) where case-level access control is required.
### Microsoft Graph permissions (read-only)
- Microsoft Purview eDiscovery is administered through the Microsoft Purview portal and Security and Compliance PowerShell (for example `Get-CaseHoldPolicy`, `Get-ComplianceCase` and `Get-ComplianceSearch`) rather than Microsoft Graph, so no Graph scopes are required for the core hold and case inspection.
- Where eDiscovery (Premium) case, custodian, search and review-set metadata is read via the Graph eDiscovery APIs, the read-only scope `eDiscovery.Read.All` applies.
## Sources and compliance
- [Microsoft Purview eDiscovery](https://learn.microsoft.com/en-us/purview/ediscovery)
- [Create eDiscovery holds](https://learn.microsoft.com/en-us/purview/ediscovery-create-holds)
- Supports the Essential Eight control of regular backups by validating that defensible preservation and data integrity are maintained for in-scope matters.
- Aligns with ISM guidance on event logging, data retention and integrity of records held for legal and regulatory purposes.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
How to use this skill
- Get the file. Download or copy the
SKILL.mdfrom the panel above. - Load it into your host:
- Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
- Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
- Any chat host — paste the file contents as your prompt.
- Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in Licensing and permissions below.
- Provide your tenant scope and run it (a site, a collection, or the whole tenant).
- Review the report and action the risk-ranked recommendations.
This skill is read-only by default — it inspects and reports, and never changes your tenant.
eDiscovery and Legal Hold Readiness
TL;DR: This skill inspects your Microsoft Purview eDiscovery cases, legal holds and collection sources, then produces a prioritised readiness report so you can prove evidence is preserved, searchable and exportable before a matter escalates.
What does Microsoft Purview eDiscovery legal hold readiness involve?
Microsoft Purview eDiscovery lets your organisation preserve, search and export content from Exchange Online, SharePoint, OneDrive and Microsoft Teams in response to litigation, regulatory requests or internal investigations. A legal hold suspends retention and deletion so custodian data stays defensible. This skill reads the configuration of cases, holds, custodians and collection sources across Microsoft Entra identities so you can confirm preservation is genuinely in force. It surfaces gaps such as inactive holds, unscoped locations or missing custodian mappings before they become a discovery failure.
When should you run this skill?
- “We have just received a litigation notice and need to confirm holds are actually preserving data.”
- “Are any of our eDiscovery legal holds disabled, expired or scoped to the wrong locations?”
- “Show me which custodians have no preservation applied across mailboxes and OneDrive.”
- “Can we still search and export collected content for this matter today?”
- “Our legal team wants assurance that retention and deletion are suspended for in-scope users.”
- “We are preparing for an external audit and need evidence of defensible eDiscovery readiness.”
- “Has anyone changed or released a hold without the matter being formally closed?”
How this skill works, step by step
- Connect read-only to Microsoft Purview eDiscovery and enumerate all eDiscovery (Premium) and Standard cases and their current status.
- For each case, retrieve every associated legal hold and record whether the hold is enabled, disabled or in an error state.
- Inspect each hold’s content locations across Exchange Online, SharePoint, OneDrive and Microsoft Teams to confirm in-scope sources are actually covered.
- Map custodians to their Microsoft Entra identities and flag custodians with no hold applied or with locations that fail to resolve.
- Review collection and search definitions for each case to confirm queries return results and have not silently errored.
- Check export and review-set readiness, noting any pending, failed or stale exports that would block evidence production.
- Detect risk signals such as expired hold durations, recently released holds on open matters and mailboxes excluded from preservation.
- Derive a risk score per case from hold coverage, custodian completeness, collection health and export readiness, weighting active matters with gaps highest.
- Compile the findings into a prioritised report with clear remediation guidance for the compliance and legal teams.
Output format
The skill returns a per-case readiness summary followed by a prioritised findings table.
| Case | Hold status | Custodian coverage | Collection health | Risk |
|---|---|---|---|---|
| Contoso v. Litigant 2026 | Disabled hold detected | 8 of 10 custodians held | Last search errored | High |
| Internal HR Review Q2 | All holds enabled | 12 of 12 custodians held | Searches healthy | Low |
Summary highlights:
- Total cases assessed and the count flagged High, Medium or Low risk.
- Holds that are disabled, in error or released against an open matter.
- Custodians with no preservation applied across one or more locations.
- Collections or exports that are failed, stale or returning no results.
Scope and safety
This skill is read-only by default and makes no changes to your Microsoft Purview, Microsoft Entra or Microsoft 365 configuration. It only reads case, hold, custodian, collection and export metadata to assess readiness.
This skill does NOT:
- Create, modify, enable, disable or release any legal hold or eDiscovery case.
- Run, export or alter collections, searches or review sets that touch custodian content.
- Change retention policies, custodian assignments or content locations.
- Read or extract the body of preserved messages, files or chats.
Licensing and permissions
Licences and add-ons
| Capability used | Minimum licence |
|---|---|
| eDiscovery (Standard) cases, holds and content search | Microsoft 365 E3 (or Exchange Online Plan 2 / Business Premium) |
| eDiscovery (Premium): custodians, collections, review sets and advanced export | Microsoft 365 E5 or E5 Compliance / E5 eDiscovery and Audit add-on |
Least-privilege roles
- Compliance Data Administrator or Global Reader for read-only visibility of cases, holds and configuration.
- eDiscovery Manager (read-only members are scoped to their assigned cases) where case-level access control is required.
Microsoft Graph permissions (read-only)
- Microsoft Purview eDiscovery is administered through the Microsoft Purview portal and Security and Compliance PowerShell (for example
Get-CaseHoldPolicy,Get-ComplianceCaseandGet-ComplianceSearch) rather than Microsoft Graph, so no Graph scopes are required for the core hold and case inspection. - Where eDiscovery (Premium) case, custodian, search and review-set metadata is read via the Graph eDiscovery APIs, the read-only scope
eDiscovery.Read.Allapplies.
Sources and compliance
- Microsoft Purview eDiscovery
- Create eDiscovery holds
- Supports the Essential Eight control of regular backups by validating that defensible preservation and data integrity are maintained for in-scope matters.
- Aligns with ISM guidance on event logging, data retention and integrity of records held for legal and regulatory purposes.
- ASD Essential Eight Maturity Model
- Output in Australian English.
Last updated on