Control 1.19: eDiscovery for Agent Interactions

Overview

Control ID: 1.19
Control Name: eDiscovery for Agent Interactions
Regulatory Reference: SEC 17a-4, FINRA 4511, SOX 802, GLBA 501(b)
Setup Time: 4-8 hours (requires E5 or eDiscovery add-on licensing)


Purpose

Enable legal discovery and regulatory response capabilities for Microsoft 365 Copilot and Copilot Studio agent interactions. This control ensures that AI-generated content, agent conversations, and related data can be preserved, searched, and exported for litigation, regulatory examinations, and internal investigations.


Description

eDiscovery capabilities in Microsoft Purview enable legal hold, search, and export of Microsoft 365 Copilot conversations and agent interactions for litigation, regulatory inquiries, and internal investigations. Agent interactions stored in Microsoft 365 locations (Teams, SharePoint, OneDrive) are searchable through eDiscovery cases.

See eDiscovery solutions for detailed capabilities.


Key Capabilities

| Capability | Description | FSI Relevance |
|---|---|---|
| Case management | Organize searches and exports | Investigation structure |
| Content search | KeyQL queries across M365 | Find agent interactions |
| Legal hold | Preserve and secure content | Litigation readiness |
| Export | Export results for review | Regulatory response |
| Search statistics | Top data sources, sensitive info types | Scope assessment |

Prerequisites

Primary Owner Admin Role: Purview eDiscovery Roles
Supporting Roles: None

Licenses Required

| License | Purpose | Required For |
|---|---|---|
| Microsoft 365 E3 | Basic eDiscovery | Level 1-2 |
| Microsoft 365 E5 | Advanced eDiscovery | Level 3-4 |
| Microsoft 365 E5 Compliance | Standalone compliance | Alternative to E5 |
| eDiscovery Add-on | Advanced features for E3 | Optional |

Permissions Required

| Role | Purpose | Assignment Method |
|---|---|---|
| eDiscovery Manager | Create and manage cases | Purview RBAC |
| eDiscovery Administrator | Full eDiscovery admin | Purview RBAC |
| Compliance Administrator | Access compliance features | Entra ID |
| Case Member | Access specific cases | Per-case assignment |

Dependencies

| Dependency | Description | Verification |
|---|---|---|
| Unified Audit Logging | Required for activity search | Check Purview → Audit |
| Content Locations | Teams, SharePoint, Exchange | Verify agent data locations |
| Retention Policies | Ensure data isn't deleted | Check retention settings |
| Legal Team Access | Legal/compliance portal access | Verify permissions |

Pre-Setup Checklist

  • [ ] E5 or E5 Compliance licenses assigned
  • [ ] eDiscovery roles assigned to legal/compliance team
  • [ ] Agent data locations documented
  • [ ] Retention policies prevent premature deletion
  • [ ] Legal hold procedures documented
  • [ ] Case naming conventions established

Governance Levels

Level 1 - Baseline

| Requirement | Configuration |
|---|---|
| eDiscovery access | Designated eDiscovery administrators |
| Basic awareness | Understand agent content locations |
| Documentation | Document eDiscovery procedures |

Minimum requirements:

  • Assign eDiscovery administrator role
  • Document where agent content is stored
  • Establish basic search procedures

| Requirement | Configuration |
|---|---|
| Case templates | Predefined case structures for common scenarios |
| Search procedures | Documented search queries for agent content |
| Hold policies | Defined hold procedures for agent data |
| Training | eDiscovery team trained on agent content |

FSI recommendations:

  • Create case templates for regulatory inquiries
  • Document KeyQL queries for agent searches
  • Train legal/compliance on agent content locations
  • Integrate with litigation hold procedures

Level 4 - Regulated/High-Risk

| Requirement | Configuration |
|---|---|
| Proactive holds | Standing holds for Tier 3 (enterprise-managed) agent content |
| Comprehensive procedures | Full eDiscovery runbook for agents |
| Regular testing | Quarterly eDiscovery drills |
| Audit integration | Combine with audit log searches |

FSI requirements:

  • Proactive legal holds for customer-facing agent interactions
  • Documented procedures for regulatory examination response
  • Quarterly testing of agent content searchability
  • Integration with information governance program

Setup & Configuration

eDiscovery Navigation

Accessing eDiscovery

  1. Open Microsoft Purview
  2. Navigate to eDiscovery in left navigation
  3. Select the appropriate sub-page

eDiscovery Sub-Pages

| Page | Purpose | Key Features |
|---|---|---|
| Overview | Dashboard and quick start | Get started guides, learning resources |
| Cases | Case management | Create, manage, track cases |
| Content Search | Direct content search | Search without case context |
| Dashboards | Analytics and reporting | Search statistics, trends |

Located in the left navigation under "Related solutions":

| Solution | Purpose |
|---|---|
| Audit | Activity logging and search |
| Data Security Investigations (preview) | Security-focused investigations |

Note

The eDiscovery interface displays a banner: "Welcome to the new eDiscovery experience. Learn about the latest updates and improvements" with a link to documentation.


Case Management

Cases Page Toolbar

| Action | Description |
|---|---|
| Create case | Start a new eDiscovery case |
| Export list | Export case list to file |
| Refresh | Update case list |
| Filter by keyword | Search cases by name |
| Filter | Advanced filtering options |
| Group | Group cases by attribute |
| Customize columns | Configure visible columns |

Creating a Case

Cases organize searches, holds, and exports for specific matters:

  1. Navigate to eDiscovery → Cases
  2. Click Create case
  3. Enter case name and description
  4. Assign case members and permissions
  5. Save and open case

Case Components

| Tab | Purpose | Actions |
|---|---|---|
| Searches | Content search queries | Create a search, export results |
| Hold policies | Legal hold configuration | Preserve content |
| Review sets | Content review workspace | Review and tag content |
| Exports | Export management | Download search results |
| Data sources | Custodian and location management | Add people, sites, groups |

Case List Columns

| Column | Description |
|---|---|
| Case name | Unique identifier for the case |
| Status | Active, Closed |
| Created | Case creation date |
| Last modified | Most recent update |
| Modified by | User who made last change |
| Number | System-assigned case number |
| Description | Case summary |

Searching for Agent Content

Search Locations

eDiscovery searches across M365 locations where agent interactions are stored:

| Location | Agent Content |
|---|---|
| Microsoft Teams | Copilot in Teams conversations |
| SharePoint | Agent knowledge sources, Copilot in SharePoint |
| OneDrive | User files referenced in agent interactions |
| Exchange | Email-based agent notifications |
| Groups | Group-based agent interactions |

  1. Open a case or use Content Search
  2. Click Create a search
  3. Define search query using KeyQL
  4. Select data sources (people, groups, locations)
  5. Run search and review results
  6. Export as needed

Search Query Examples for Agents

| Scenario | Query Approach |
|---|---|
| All Copilot interactions | Search Teams conversations with Copilot |
| Specific agent interactions | Search by agent name in metadata |
| Sensitive data in AI | Combine with sensitive info type filters |
| Date range | Use date filters for specific periods |

Creating a Hold

Preserve agent-related content for litigation or investigation:

  1. Open case → Hold policies tab
  2. Click Create a hold
  3. Select custodians and locations
  4. Define hold conditions (optional)
  5. Apply hold

Hold Considerations for Agents

| Content Type | Hold Approach |
|---|---|
| Copilot conversations | Hold user mailboxes and Teams |
| Agent knowledge sources | Hold SharePoint sites |
| Agent configurations | Document separately (not in M365) |
| Audit logs | Preserved via audit retention |

AI-Assisted Features

Summarize This Case

eDiscovery includes AI-assisted case summarization:

  • Click Summarize this case button
  • AI generates summary of case contents
  • Helps understand scope and key findings

PowerShell Configuration

Connect to Security & Compliance Center

# Connect to Security & Compliance PowerShell
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Verify connection
Get-ComplianceCase | Select-Object Name, Status | Format-Table

Create eDiscovery Case for Agent Investigation

# Create a new eDiscovery case
$caseParams = @{
    Name = "FSI-Agent-Investigation-$(Get-Date -Format 'yyyy-MM')"
    Description = "Investigation of Copilot Studio agent interactions"
}

$case = New-ComplianceCase @caseParams
Write-Host "Created case: $($case.Name)"

# Add case members
Add-ComplianceCaseMember -Case $case.Name -Member "legal@contoso.com"
Add-ComplianceCaseMember -Case $case.Name -Member "compliance@contoso.com"

# List case members
Get-ComplianceCaseMember -Case $case.Name

Create Search for Agent Content

# Create a compliance search for Copilot interactions
$searchParams = @{
    Name = "Agent-Content-Search-$(Get-Date -Format 'yyyyMMdd')"
    Case = "FSI-Agent-Investigation-$(Get-Date -Format 'yyyy-MM')"
    ExchangeLocation = "All"
    SharePointLocation = "All"
    ContentMatchQuery = '(subject:"Copilot" OR body:"Agent" OR body:"AI assistant") AND (sent:>=2024-01-01)'
    Description = "Search for AI agent-related content"
}

New-ComplianceSearch @searchParams

# Start the search
Start-ComplianceSearch -Identity "Agent-Content-Search-$(Get-Date -Format 'yyyyMMdd')"

# Check search status
Get-ComplianceSearch -Identity "Agent-Content-Search-$(Get-Date -Format 'yyyyMMdd')" |
    Select-Object Name, Status, Items, Size

Search for Specific Agent Interactions

# KeyQL queries for agent content
$agentSearchQueries = @{
    "Copilot-Chats" = 'kind:microsoftteams AND (from:"Microsoft Copilot" OR participants:"Copilot")'
    "Agent-Knowledge" = 'path:"https://contoso.sharepoint.com/sites/AgentKnowledge/*"'
    "Agent-Transcripts" = '(filename:transcript OR filename:conversation) AND (body:"agent" OR body:"copilot")'
    "Sensitive-Agent-Data" = 'sensitivitylabel:"Highly Confidential" AND (body:"agent" OR body:"copilot")'
}

# Create searches for each query
foreach ($searchName in $agentSearchQueries.Keys) {
    $query = $agentSearchQueries[$searchName]

    New-ComplianceSearch -Name "FSI-$searchName" `
        -ExchangeLocation "All" -SharePointLocation "All" `
        -ContentMatchQuery $query

    Start-ComplianceSearch -Identity "FSI-$searchName"
    Write-Host "Started search: FSI-$searchName"
}

# Create a hold policy for agent-related content
# (the policy defines the locations; the content query belongs on the hold rule)
$holdParams = @{
    Name = "FSI-Agent-Legal-Hold"
    Case = "FSI-Agent-Investigation-$(Get-Date -Format 'yyyy-MM')"
    SharePointLocation = @(
        "https://contoso.sharepoint.com/sites/AgentKnowledge",
        "https://contoso.sharepoint.com/sites/CustomerData"
    )
    ExchangeLocation = "All"
}

New-CaseHoldPolicy @holdParams

# Create hold rule carrying the content query
New-CaseHoldRule -Policy "FSI-Agent-Legal-Hold" -Name "Agent-Content-Hold-Rule" `
    -ContentMatchQuery 'kind:microsoftteams AND (from:"Copilot" OR subject:"Agent")'

# Verify hold is applied
Get-CaseHoldPolicy -Case "FSI-Agent-Investigation-$(Get-Date -Format 'yyyy-MM')" |
    Select-Object Name, Enabled, SharePointLocation

Export Search Results

# Export compliance search results
$exportParams = @{
    SearchName            = "Agent-Content-Search-$(Get-Date -Format 'yyyyMMdd')"
    Export                = $true
    ExchangeArchiveFormat = "IndividualMessage"  # or "PerUserPst" for PST output of Exchange content
    Scenario              = "General"
}

# Note: Export is typically done through the portal for large datasets
# PowerShell is useful for automation and smaller exports

New-ComplianceSearchAction @exportParams

# Check export status
Get-ComplianceSearchAction | Where-Object { $_.SearchName -eq $exportParams.SearchName -and $_.Action -eq "Export" }

Audit eDiscovery Activities

# Search audit log for eDiscovery activities
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date

# "Discovery" is the audit record type for eDiscovery search and case activities
$ediscoveryAudit = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
    -RecordType Discovery -ResultSize 500

$ediscoveryAudit | Select-Object CreationDate, UserIds, Operations | Format-Table

# Export eDiscovery audit trail
$ediscoveryAudit | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Date = $_.CreationDate
        User = $_.UserIds
        Operation = $_.Operations
        CaseName = $data.Case
        SearchName = $data.SearchName
    }
} | Export-Csv -Path "eDiscovery-Audit-Trail.csv" -NoTypeInformation

Financial Sector Considerations

Regulatory Mapping

| Regulation | eDiscovery Requirement | Control Implementation |
|---|---|---|
| SEC 17a-4 | Preserve and produce AI communications | Legal holds for agent content |
| FINRA 4511 | Searchable records of AI interactions | Saved search templates |
| SOX 802 | Document preservation for investigations | Proactive holds for Tier 3 (enterprise-managed) |
| GLBA 501(b) | Protect and produce customer data | Data source identification |
| SEC Reg S-P | Privacy in discovery | Redaction procedures |

Tier-Specific eDiscovery Configuration

| Tier | Hold Requirement | Search Scope | Export Controls |
|---|---|---|---|
| Tier 1 | As needed | Personal environments | Standard export |
| Tier 2 | Case-by-case | Department environments | Tracked export |
| Tier 3 | Proactive/standing | All production environments | Controlled export with approval |

Agent Content Locations for FSI

| Content Type | Location | Search Approach |
|---|---|---|
| Copilot chats | Teams, Exchange | kind:microsoftteams |
| Agent transcripts | SharePoint, Dataverse | File path search |
| Agent knowledge | SharePoint sites | Site-scoped search |
| Audit logs | Unified Audit Log | Audit log search |
| Configuration history | Power Platform | API export |

FSI Example: Regulatory Examination Response

Scenario: SEC Examination Request for AI Trading Assistant
Request: "Provide all communications involving AI trading assistant for Q4 2024"

eDiscovery Response Process:
  1. Case Creation:
     Name: SEC-Exam-2025-AI-Trading
     Members: Legal, Compliance, IT Security

  2. Content Identification:
     - Copilot Studio agent: "Trading-Desk-Assistant"
     - Knowledge sources: Trading policies SharePoint site
     - User interactions: Teams channel "Trading-AI"
     - Audit logs: Agent publish and config changes

  3. Search Queries:
     Query1: 'kind:microsoftteams AND (from:"Trading-Desk-Assistant" OR subject:"Trading AI")'
     Query2: 'path:"https://contoso.sharepoint.com/sites/TradingPolicies/*"'
     Query3: 'sent:>=2024-10-01 AND sent:<=2024-12-31'

  4. Legal Hold:
     Scope: All identified locations
     Duration: Until SEC closes examination

  5. Export:
     Format: PST for Exchange, Native for SharePoint
     Chain of custody: Documented

  6. Evidence Package:
     - Search methodology document
     - Export verification report
     - Chain of custody log
     - Certification statement
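
One way to back the export verification report and chain of custody log in step 6 is a hash manifest of the exported files, written once at export time and re-checked before production. This is an added example, not part of the original control; the function names, paths and manifest columns are assumptions, and it uses only built-in PowerShell cmdlets:

```powershell
# Added example: SHA-256 manifest for an eDiscovery export folder.
# Keep the manifest outside the export folder so it is not reported as an extra file.
function Get-RelativePath([string]$Root, [string]$FullName) {
    $FullName.Substring($Root.Length).TrimStart('\', '/')
}

function New-ExportManifest {
    param(
        [Parameter(Mandatory)][string]$ExportPath,
        [Parameter(Mandatory)][string]$ManifestPath,
        [Parameter(Mandatory)][string]$CaseName
    )
    $root = (Resolve-Path -LiteralPath $ExportPath).Path
    Get-ChildItem -LiteralPath $root -File -Recurse | Sort-Object FullName | ForEach-Object {
        [PSCustomObject]@{
            Case         = $CaseName
            RelativePath = (Get-RelativePath $root $_.FullName)
            SizeBytes    = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            HashedAtUtc  = (Get-Date).ToUniversalTime().ToString('o')
            HashedBy     = [Environment]::UserName
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-ExportManifest {
    param(
        [Parameter(Mandatory)][string]$ExportPath,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root  = (Resolve-Path -LiteralPath $ExportPath).Path
    $known = @{}
    # Re-hash every file the manifest lists
    $checked = foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $known[$row.RelativePath] = $true
        $file   = Join-Path $root $row.RelativePath
        $status = 'OK'
        if (-not (Test-Path -LiteralPath $file)) { $status = 'Missing' }
        elseif ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $row.SHA256) { $status = 'Modified' }
        [PSCustomObject]@{ RelativePath = $row.RelativePath; Status = $status }
    }
    # Flag files that appeared after the manifest was written
    $extra = Get-ChildItem -LiteralPath $root -File -Recurse |
        Where-Object { -not $known.ContainsKey((Get-RelativePath $root $_.FullName)) } |
        ForEach-Object {
            [PSCustomObject]@{ RelativePath = (Get-RelativePath $root $_.FullName); Status = 'Unexpected' }
        }
    @($checked) + @($extra)
}

# Constructed paths for illustration
New-ExportManifest -ExportPath 'D:\Exports\SEC-Exam-2025-AI-Trading' `
    -ManifestPath 'D:\Custody\SEC-Exam-2025-AI-Trading-manifest.csv' -CaseName 'SEC-Exam-2025-AI-Trading'
Test-ExportManifest -ExportPath 'D:\Exports\SEC-Exam-2025-AI-Trading' `
    -ManifestPath 'D:\Custody\SEC-Exam-2025-AI-Trading-manifest.csv' | Where-Object Status -ne 'OK'
```

An empty result from the last command means every exported file still matches the hash recorded at export time and nothing has been added to the folder.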

Licensing Requirements

| Feature | License Required |
|---|---|
| Basic eDiscovery | Microsoft 365 E3 |
| Advanced eDiscovery | Microsoft 365 E5 or eDiscovery add-on |
| Review sets | E5 or add-on |
| AI summarization | E5 or add-on |

Regulatory Context

Primary Regulations: SEC 17a-4, FINRA 4511, SOX 802, GLBA 501(b)

| Regulation | eDiscovery Requirement |
|---|---|
| SEC 17a-4 | Preserve and produce AI-related communications |
| FINRA 4511 | Maintain searchable records of AI interactions |
| SOX 802 | Preserve documents related to audits/investigations |
| GLBA 501(b) | Protect and produce customer information |

Examination Considerations

Regulators may request:

  • Agent interaction records for specific time periods
  • Evidence of legal hold procedures
  • Search methodology documentation
  • Export of specific agent conversations
  • Demonstration of eDiscovery capabilities

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply the baseline minimum of eDiscovery controls that affect tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Ensure agent interactions and content are discoverable and hold-capable for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain case settings + sample holds/searches.
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest configuration for eDiscovery and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain case settings + sample holds/searches.
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

| Step | Action | Expected Result |
|---|---|---|
| 1 | Navigate to purview.microsoft.com → eDiscovery | eDiscovery dashboard displayed |
| 2 | Create test case | Case created successfully |
| 3 | Create search for agent content | Search returns results |
| 4 | Apply test hold | Hold applied to locations |
| 5 | Export search results | Export completes |
| 6 | Verify audit logging | eDiscovery actions logged |

Troubleshooting & Validation

Issue: Search Returns No Results for Known Content

Symptoms: Content exists but eDiscovery search returns empty

Solutions:

  1. Verify content is in indexed locations (Exchange, SharePoint, Teams)
  2. Check search query syntax - use Keyword Query Language (KQL) correctly
  3. Confirm date ranges include the content dates
  4. Verify user has eDiscovery Manager role
  5. Check if content is on legal hold preventing indexing issues

Issue: Cannot Find Copilot/Agent Specific Content

Symptoms: General search works but agent content not appearing

Solutions:

  1. Agent interactions may be in Teams chat - use kind:microsoftteams
  2. Check agent knowledge sources are in SharePoint (not Dataverse only)
  3. Verify audit logs are being searched (separate from content search)
  4. Agent transcripts may require specific file path searches
  5. Review with Power Platform Admin for data storage locations

Symptoms: Content deleted despite active hold policy

Solutions:

  1. Verify hold policy is enabled and not in error state
  2. Check that locations are correctly specified in hold
  3. Confirm hold rule is created and active
  4. Review if user has litigation hold directly vs. policy-based
  5. Check for conflicts with retention policies
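
The first three checks in this list can be scripted per case. The following is an added example, not part of the original control: `Test-CaseHoldHealth` is a hypothetical helper name, it assumes an active Connect-IPPSSession, and the `DistributionStatus` and `Disabled` property names on the returned objects are assumptions to confirm in your tenant:

```powershell
# Added example: report hold policies in a case that would not preserve content.
# Assumes Connect-IPPSSession has already been run by an eDiscovery Manager.
function Test-CaseHoldHealth {
    param(
        [Parameter(Mandatory)]
        [string]$CaseName
    )

    # -DistributionDetail populates the location and distribution properties
    $policies = @(Get-CaseHoldPolicy -Case $CaseName -DistributionDetail)
    if ($policies.Count -eq 0) {
        Write-Warning "Case '$CaseName' has no hold policies."
        return
    }

    foreach ($policy in $policies) {
        $rules       = @(Get-CaseHoldRule -Policy $policy.Name)
        $activeRules = @($rules | Where-Object { -not $_.Disabled })
        $findings    = @()

        if (-not $policy.Enabled) { $findings += 'Policy is disabled' }
        if ($policy.DistributionStatus -ne 'Success') {
            $findings += "Distribution status is '$($policy.DistributionStatus)'"
        }
        if (-not $policy.ExchangeLocation -and -not $policy.SharePointLocation) {
            $findings += 'No Exchange or SharePoint locations'
        }
        if ($activeRules.Count -eq 0) { $findings += 'No active hold rule' }

        [PSCustomObject]@{
            Policy   = $policy.Name
            Enabled  = $policy.Enabled
            Rules    = $activeRules.Count
            Healthy  = ($findings.Count -eq 0)
            Findings = $findings -join '; '
        }
    }
}

# Case name follows the naming pattern used earlier on this page
Test-CaseHoldHealth -CaseName "FSI-Agent-Investigation-$(Get-Date -Format 'yyyy-MM')" |
    Format-Table -AutoSize -Wrap
```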

Issue: Export Fails or Incomplete

Symptoms: Export times out, fails, or missing expected content

Solutions:

  1. Break large exports into smaller date ranges
  2. Check export format compatibility with content types
  3. Verify sufficient storage for export container
  4. Use portal instead of PowerShell for large exports
  5. Check for network timeout issues

Issue: Cannot Access eDiscovery or Create Cases

Symptoms: eDiscovery section not visible or permission denied

Solutions:

  1. Verify eDiscovery Manager role is assigned in Purview
  2. Check license includes eDiscovery (E3 for basic, E5 for advanced)
  3. Confirm role was assigned recently (may take up to 1 hour)
  4. Try accessing via compliance.microsoft.com instead of purview.microsoft.com
  5. Contact Global Admin to verify role group membership

Additional Resources


| Control | Relationship |
|---|---|
| Control 1.7: Audit Logging | Activity records |
| Control 1.9: Data Retention | Retention policies |
| Control 1.6: DSPM for AI | AI interaction visibility |
| Control 2.13: Documentation | Record keeping |

Support & Questions

For implementation support or questions about this control, contact:

  • Legal/Compliance Officer: Legal hold procedures and examination response
  • eDiscovery Administrator: Case management and search configuration
  • Microsoft Purview Administrator: Portal access and permissions
  • AI Governance Lead: Agent content scope and data locations

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification