By Claude and Gemini with Sid Newby | May 2026
On May 14, 2026, a consulting firm called Five Star Legal stood up at the CLOC Global Institute in Chicago and announced a product whose entire job is to tell legal teams what their own software is already doing.[1] The product is eDig365. It costs $2,500 a month, flat. It places no holds, runs no searches, and exports nothing. It reads the activity logs of Microsoft Purview eDiscovery — the eDiscovery engine that ships inside Microsoft 365 — and turns them into dashboards a lawyer can actually read.[1]
Sit with that for a second. There is now a paying market for a translator that explains the eDiscovery tool you already bought. That tells you two things at once. First, Purview eDiscovery is everywhere. It lives in the same tenant as the email and SharePoint sites of a large share of corporate America. Second, almost nobody on the legal side understands how it works. The people who can see its inner workings are the IT administrators who hold the permissions. They speak a different language than the litigation team waiting on a collection report.
So let's open the box. Not the marketing version where "AI-powered discovery accelerates your workflow," but the actual plumbing — where data sits, when it gets copied, what the license tier gates, and where the audit trail goes dark. If you are going to rely on this thing for a litigation hold, you should know what it does when nobody is watching.
The eDiscovery Tool You Already Bought
Microsoft 365 holds roughly 30% of the global office-productivity market, and its commercial seat count grew 12% year over year through 2025.[2] Every one of those enterprise seats sits on top of an eDiscovery substrate most buyers never selected on purpose. It came in the box. When a litigation hold lands, the reflex at a lot of organizations is to call an outside vendor and start a per-gigabyte meter running. The tool to preserve and collect Exchange, SharePoint, OneDrive, and Teams content was already paid for, sitting one admin login away.
That tool changed shape dramatically in 2025, and if your mental model of it predates last summer, throw it out. For years the M365 compliance suite offered three separate eDiscovery experiences. Content Search handled ad-hoc keyword sweeps. eDiscovery (Standard) covered basic case management and holds. eDiscovery (Premium) delivered the full review-set-and-analytics treatment. Microsoft collapsed all three into one unified Purview eDiscovery interface. The new experience began rolling out on May 26, 2025, and the classic versions retired on August 31, 2025.[3][4] Content searches created before the cutover were swept into a case literally named "Content Search."[4] Tony Redmond's office365itpros walkthrough is the clearest practitioner account of what actually moved and when.[5]
The unification is real, but it papers over a hard line that did not disappear: licensing. The functionality you can touch is determined by the license the custodian holds, not by which menu you click.[6] Microsoft 365 E3 lists at $36 per user per month and includes the equivalent of the old Standard tier — search, holds, basic export. E5 lists at $57 and unlocks the Premium machinery: review sets, advanced indexing, near-duplicate detection, email threading, and predictive coding.[7] That $21 spread is the difference between "I can preserve and pull data" and "I can actually cull, analyze, and produce it inside Microsoft's cloud." Most enterprises run hybrid environments — some custodians on E5, plenty on E3 — which means the capability you have on any given matter depends on which employees happen to be involved.[1]
Figure 1: Three separate eDiscovery experiences became one interface in 2025. The tiering didn't vanish — it moved from the menu to the license.
How Data Actually Moves Through Purview
The dashboards hide this part. Purview eDiscovery is a pipeline with distinct stages. The one thing to understand above all others is when your data gets copied and where it goes. The official Microsoft Learn workflow documentation lays out the stages. The practical implications are what matter for defensibility.[8]
A matter begins as a case — a container that holds every search, hold, and review set tied to one investigation, plus the access list of who can see inside it.[8] Cases can spin up from a trigger event: a regulatory request, a litigation notice, or even an alert escalated from Microsoft's Insider Risk Management module.[8]
From the case, you run a search across content locations — Exchange mailboxes, SharePoint sites, OneDrive accounts, and the mailboxes and sites behind Teams and Microsoft 365 Groups.[8] You build the query two ways: a guided condition builder for people who think in keywords and dates, or raw Keyword Query Language (KQL) for people who want Boolean precision and proximity operators with autocompletion.[9] A search at this stage is an in-place operation. Nothing has been copied. You are looking at statistics and previews against data still living in its original location. You can refine the query, rerun it, and watch the hit count move before you commit to anything.[8]
To stop that data from changing or disappearing, you place a hold. A hold preserves content in Exchange, SharePoint, OneDrive, Teams, and Groups, either wholesale across a location or scoped to a query.[8] Critically, a hold and a search are independent acts. You can search without holding. You can hold without ever previewing what you preserved. That independence is where a lot of preservation failures hide. A team runs a slick search and exports the results, but never actually placed the hold. The departing employee's mailbox then gets purged on the standard retention schedule, and the evidence is gone.
When you decide the data is worth working with, you add it to a review set. This is the moment of the copy. A review set is a secure, Microsoft-provided Azure Storage location, and adding data to it physically duplicates the items out of their live source into that static container.[10] Once copied, the set is frozen — a known, fixed population you can search, filter, tag, and analyze without worrying that someone is still emailing into the source mailbox. You can add all search hits or configure statistical sampling to pull a representative subset.[8]
Inside the review set, the E5 machinery comes alive. Advanced indexing re-processes every item — running optical character recognition on images, extracting text from attachments, and normalizing metadata so the analytics have something consistent to chew on.[11] Then analytics runs the culling tools litigation support has used for fifteen years under other brand names. Near-duplicate detection groups documents that are 90% identical. Email threading collapses a forty-message chain down to the few inclusive messages that hold the whole conversation. Theme clustering sorts the rest by topic.[11] You tag documents — responsive, privileged, needs-attorney-review — and those tags become the organizing structure of the production.[8] The newest addition is an Advanced review set explorer that runs KQL directly against the review set data for aggregation and pattern matching, currently in preview.[8]
Finally, export. And this is where another fork trips people up. You can export search results directly — mailbox items come out as PST files or individual messages, SharePoint and OneDrive documents come out as native files — but those search exports expire 14 days after creation and then auto-delete.[8] Or you can export from a review set, which produces a richer package: the documents plus an export report, a summary report, and an error report. Review-set export processes are retained for the life of the case, and you have 30 days to download any given package before it's purged.[8][12] Miss the window and you re-run the export.
Figure 2: The Purview eDiscovery pipeline. The single most consequential fact is the copy step — data lives in place until it lands in a review set, and the E5-gated processing and analytics only run after that copy.
The Two-Searches Problem
Once you see the in-place search versus the review-set copy as two different animals, a recurring confusion resolves itself. People treat "I searched and found 12,000 hits" as if it were a collection. It is not. It is a statistic about live data that is still mutating. A custodian can delete, a retention policy can expire content, and a mailbox can be purged between the moment you ran that search and the moment you got around to acting on it — unless a hold is sitting underneath.
The review set is the collection. That is the static, defensible population. And because the copy into Azure is the trigger for indexing and analytics, the cull happens after you've committed storage and processing, not before. That ordering has cost consequences on large matters and defensibility consequences on every matter. Your validation story — recall, precision, the proportionality argument you'll make at the meet-and-confer — attaches to the review set, not to the in-place hit count you quoted in an early status call.
There's a licensing trap buried here too. Review sets, advanced indexing, and the analytics that make a large collection reviewable are all E5 features.[7] An organization running E3 custodians can search and hold and export raw search results, but it cannot pull those results into a review set to dedupe and thread them inside Purview. On a matter with mixed-license custodians, you may be able to do the full Premium workflow on the E5 people and only the blunt search-and-export on the E3 people in the same case. Nobody tells you that until you hit the wall mid-collection.
| Stage | E3 (Standard equivalent) | E5 (Premium) |
|---|---|---|
| Create cases & search (KQL) | Yes | Yes |
| Place holds (full or query-based) | Yes | Yes |
| Export search results (PST / native) | Yes | Yes |
| Review sets (copy to Azure) | No | Yes |
| Advanced indexing & OCR | No | Yes |
| Near-duplicate detection & email threading | No | Yes |
| Predictive coding / theme analytics | No | Yes |
| Detailed process reports | Limited | Full |
Table 1: What each license tier can actually do inside the unified Purview eDiscovery interface. Source: Microsoft licensing guidance and EPC Group E3/E5 comparison.[6][7]
Where the Visibility Goes Dark
Now we can explain why a $2,500-a-month dashboard has a market. It exists because of three structural blind spots in how Purview exposes — or fails to expose — its own activity.[1]
The permissions wall. The roles that let you create cases, place holds, and run exports in Purview are eDiscovery administrator permissions, and at most organizations those live with IT or security, not with the legal department.[1] So the lawyer responsible for the litigation hold often cannot directly see whether the hold succeeded. The traditional fix, per Five Star Legal's own pitch, is "IT teams taking screenshots, copying data into spreadsheets, and manually generating reports."[1] An eDiscovery program defended in screenshots is one bad audit away from an embarrassing 30(b)(6) deposition.
The 12-month audit horizon. Microsoft's audit logs for Microsoft 365 activity expire after 12 months on standard licensing.[1] Discovery disputes do not respect that horizon. A spoliation motion in 2026 can turn on whether a hold was properly placed in 2024 — and the systematic record of who held what, when, may simply have aged out of the system that created it. eDig365's reason for being is to capture and retain that activity history before Microsoft drops it.[1]
The E5 reporting gate. Detailed processing reports inside Purview are an E5-licensed feature.[1] An organization on a hybrid E3/E5 footprint — which is most of them — can run holds and searches against E3 custodians but cannot pull the granular process reporting that proves what happened. Microsoft's own Process reports and Process managers exist to track concurrency and daily limits and to scope activity to cases, searches, holds, and review sets, but the depth you get depends on what you pay.[8]
Put those three together and you get the gap eDig365 monetizes: hold-state reporting that distinguishes successful holds from pending, failed, and — the genuinely scary one — holds that have silently flipped to an "off" state; custodian-level detail down to folder structures and Teams memberships; and year-over-year trend reporting that survives the 12-month log purge.[1] None of that is data Purview fails to generate. It's data Purview generates and then makes hard for the legal side to see and keep.
Figure 3: The visibility gap. The legal team carries the preservation obligation but sits on the wrong side of the permissions wall, the audit-retention clock, and the license gate. Third-party tools sell the bridge.
What This Actually Means for Litigation Teams
Strip away the product news and a clearer picture emerges of where Purview fits. For a meaningful slice of matters — single-tenant data, custodians inside one M365 organization, volumes that don't demand a specialist platform — Purview can run the whole arc from hold to export without a per-gigabyte invoice from an outside processor. That is a real cost story, and it cuts in the direction I care about. A small firm or a corporate legal department that already pays for M365 has a defensible preservation-and-collection engine sitting in its tenant. The barrier to a first-pass collection is an admin login, not a processing PO.
The catch is that "free with your subscription" was never the whole price. The capability that makes a large collection actually reviewable inside Purview — review sets, indexing, dedup, threading — lives behind the E5 upgrade. And the audit trail that proves you did it right lives behind a permissions wall, a 12-month clock, and another license gate. The tool is bundled; the defensibility is sold separately, either as an E5 upgrade or as a third-party dashboard or as the staff hours someone spends taking screenshots.
So the practical posture: use Purview as the first-pass instrument it's good at being. Preserve fast, search in place, scope the matter. But know its edges. Know that the hold and the search are separate acts and that one without the other is a trap. Know that nothing is collected until it's copied into a review set. Know that on a mixed-license matter your toolset changes custodian by custodian. And know that when a matter outgrows single-tenant simplicity — cross-border data, third-party sources, productions that need a litigation-grade review platform and audit trail you control — the right move is to export out of Purview and into a system built for that, rather than bending the bundled tool past what it was designed to do.
The deeper point is about who can see the machine. The complaint about eDiscovery has always been the price of the meter. Microsoft answered that by putting a capable engine in a box almost everyone already owns. But it answered the cost problem by creating a transparency problem: the people legally responsible for preservation are structurally blind to whether it worked, and the record that would prove it ages out in a year. A market sprang up to sell that visibility back at $30,000 a year.[1] That's progress of a kind. It's also a reminder that in legal technology, the thing you can't see is usually the thing that costs you — and somebody is always ready to charge you for the flashlight.
Related Reading
- Copilot Is Everywhere: AI Sprawl Creating the Biggest eDiscovery Blind Spot Since BYOD
- Hybrid Search in eDiscovery: How AI Retrieval Actually Works
- Sixty Metadata Fields: Craig Ball's 2026 ESI Refresh