Lukas Beran


September 2018


How to setup eDiscovery boundaries

Lukas Beran

Office 365 offers eDiscovery, a capability for searching for information across the whole tenant. It lets selected users search virtually all the data in Office 365, including user mailboxes. This is useful when, for example, information has to be found for a court case.

For some larger organizations, however, it may be a problem if these selected users can really search the entire tenant, across all data and all user mailboxes. It may therefore be necessary to limit such searches, for example so that a compliance manager from the Czech Republic can search only across Czech users and not across the whole tenant, which would include users from other countries. The limit may also follow business departments.

Microsoft therefore offers so-called eDiscovery boundaries, which make it possible to specify which users (or user groups) can search which data, or which mailboxes.

Setting eDiscovery boundaries

The settings can be done partially in the GUI (role groups in Exchange Online and in the Security & Compliance Center), but because not everything is available via the GUI, I will use PowerShell in this tutorial.

User groups definition

First, you need to define the user groups that one group of administrators is allowed to search. This may be all users from one country or from one department. For this we can use the Azure Active Directory (AAD) attributes Company, CountryCode, CustomAttribute1 to CustomAttribute15, Department or Office.

In this example, I use the attribute CustomAttribute8, which in my case takes the values czech, usa and denmark.

Creating role groups in Security & Compliance Center

The next step is to create a role group for each group of administrators that is allowed to search one group of users, as defined by one value of the AAD attribute.

You can assign these role groups to specific users or to security groups. Importantly, each group of administrators (in this case the administrators for each country) must have its own role group.

These role groups then need the rights for the search itself, which is best done by copying the roles of the predefined eDiscovery Managers role group.

In my case, I’m creating three new role groups (Local Compliance Managers - Czech, Local Compliance Managers - USA and Local Compliance Managers - Denmark) with the rights copied from eDiscovery Managers.

First, you need to connect to the Security & Compliance Center PowerShell.

We can then create the new role groups.
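The two steps above (connecting and creating the per-country role groups) as an added PowerShell example; this is not the code from the original post. It assumes the ExchangeOnlineManagement module (the post predates it and used a remote PowerShell session instead), that the built-in role group is named eDiscoveryManager (display name "eDiscovery Manager", which you can confirm with Get-RoleGroup), and the member accounts are constructed placeholders.

```powershell
# Added example, not the original post's code. Creates one Security & Compliance
# Center role group per country with the roles copied from the built-in
# eDiscovery Manager role group. Member addresses are constructed placeholders.

Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Template whose roles are copied; Name of the built-in group is assumed to be
# eDiscoveryManager (display name "eDiscovery Manager") - check with Get-RoleGroup.
$template = Get-RoleGroup -Identity "eDiscoveryManager"

# Role group name -> members (users or mail-enabled security groups) for that country.
$localManagers = @{
    "Local Compliance Managers - Czech"   = @("jana.novakova@contoso.onmicrosoft.com")
    "Local Compliance Managers - USA"     = @("john.smith@contoso.onmicrosoft.com")
    "Local Compliance Managers - Denmark" = @("mette.jensen@contoso.onmicrosoft.com")
}

foreach ($name in $localManagers.Keys) {
    if (Get-RoleGroup -Identity $name -ErrorAction SilentlyContinue) {
        Write-Host "Role group '$name' already exists, skipping"
        continue
    }
    New-RoleGroup -Name $name `
                  -Roles $template.Roles `
                  -Members $localManagers[$name] `
                  -Description "eDiscovery scoped by CustomAttribute8 via a compliance security filter"
}

# Check: each new group should carry exactly the roles of the template.
foreach ($name in $localManagers.Keys) {
    $rg = Get-RoleGroup -Identity $name
    "{0}: {1} role(s)" -f $rg.Name, $rg.Roles.Count
}
```

The role groups created here only grant the eDiscovery rights; on their own they still allow a search across the whole tenant. The scoping to one country's mailboxes comes from the compliance security filter created in the last step, which refers to these role groups by name.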

Create role groups in Exchange Online

In Exchange Online, we do not need a separate role group for each group of users; one role group is sufficient for all users or user groups.

First, connect to Exchange Online PowerShell.

We can then create a new role group, Local Compliance Managers, with the necessary rights Legal Hold and Mailbox Search.
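The Exchange Online part as an added PowerShell example, not the code from the original post. It assumes the ExchangeOnlineManagement module for the connection; the group name and roles are those the post names, and the member addresses are constructed placeholders.

```powershell
# Added example, not the original post's code. Creates a single Exchange Online
# role group for all local compliance managers holding the Legal Hold and
# Mailbox Search management roles. Member addresses are constructed placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$groupName = "Local Compliance Managers"
$members   = @(
    "jana.novakova@contoso.onmicrosoft.com",
    "john.smith@contoso.onmicrosoft.com",
    "mette.jensen@contoso.onmicrosoft.com"
)

if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName `
                  -Roles "Legal Hold", "Mailbox Search" `
                  -Members $members `
                  -Description "Mailbox search and hold rights; mailbox scope is enforced by the compliance security filter"
}
else {
    # Group already exists: make sure every intended member is in it.
    foreach ($m in $members) {
        Add-RoleGroupMember -Identity $groupName -Member $m -ErrorAction SilentlyContinue
    }
}

# Check: the roles actually assigned and who holds them.
Get-RoleGroup -Identity $groupName | Select-Object Name, Roles
Get-RoleGroupMember -Identity $groupName | Select-Object Name, RecipientType
```

Reviewing the membership of this group periodically is worthwhile: everyone in it holds Mailbox Search and Legal Hold rights, and the per-country limit applies only to members who are also named, directly or through a Security & Compliance Center role group, in a compliance security filter.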

Create a compliance filter

The final step is to create the filter itself, which “maps” the compliance managers’ rights to users. This filter allows a compliance manager to search only those mailboxes that belong to the user group defined by the value of CustomAttribute8.

We do this again through the Security & Compliance Center PowerShell.
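The filter step as an added PowerShell example, not the code from the original post. It assumes the ExchangeOnlineManagement module for the connection and the three role groups created earlier; the filter names are my own choice, and the attribute values are the ones the post uses.

```powershell
# Added example, not the original post's code. Creates one compliance security
# filter per country, mapping each Security & Compliance Center role group to
# the mailboxes whose CustomAttribute8 carries that country's value.

Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Role group name -> CustomAttribute8 value its members may search.
$scopes = @{
    "Local Compliance Managers - Czech"   = "czech"
    "Local Compliance Managers - USA"     = "usa"
    "Local Compliance Managers - Denmark" = "denmark"
}

foreach ($roleGroup in $scopes.Keys) {
    $value      = $scopes[$roleGroup]
    $filterName = "Boundary - CustomAttribute8 = $value"   # name chosen for this example

    if (Get-ComplianceSecurityFilter -FilterName $filterName -ErrorAction SilentlyContinue) {
        Write-Host "Filter '$filterName' already exists, skipping"
        continue
    }

    # The Mailbox_ prefix filters on a mailbox property; -Action All applies the
    # filter to search, preview, export and purge alike.
    New-ComplianceSecurityFilter -FilterName $filterName `
                                 -Users $roleGroup `
                                 -Filters "Mailbox_CustomAttribute8 -eq '$value'" `
                                 -Action All
}

# Check: list every filter in the tenant and who it applies to. A compliance
# manager who appears in no filter, directly or via a role group, searches the
# whole tenant, which is exactly what the boundaries are meant to prevent.
Get-ComplianceSecurityFilter | Select-Object FilterName, Users, Filters, Action
```

After creating the filters, a quick test from one of the scoped accounts (a content search that should return only mailboxes with the matching CustomAttribute8 value) confirms that the mapping works as intended, and the Get-ComplianceSecurityFilter output above is the list to keep under review whenever role group membership changes.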

This is it. At this point, the settings are already applied and active.

My primary focus is the security of identities, devices and data in the cloud using Microsoft services, technologies and tools.
