Assign eDiscovery permissions in Exchange Online

If you want users to be able to use Microsoft Exchange Server In-Place eDiscovery, you must first authorize them by adding them to the Discovery Management role group. Members of the Discovery Management role group have Full Access mailbox permissions for the Discovery mailbox that's created by Exchange Setup.

Caution

Members of the Discovery Management role group can access sensitive message content. Specifically, these members can use In-Place eDiscovery to search all mailboxes in your Exchange organization, preview messages (and other mailbox items), copy them to a Discovery mailbox and export the copied messages to a .pst file. In most organizations, this permission is granted to legal, compliance, or Human Resources personnel.

To learn more about the Discovery Management role group and role-based access control (RBAC), see Permissions in Exchange Online.

Interested in scenarios where this procedure is used? See the following topics:

What do you need to know before you begin?

  • Estimated time to complete: 1 minute.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Role assignments" entry in the Feature permissions in Exchange Online topic.

  • By default, the Discovery Management role group doesn't contain any members. Administrators with the Organization Management role are also unable to create or manage discovery searches without being added to the Discovery Management role group.

  • In Exchange Server, members of the Organization Management role group can create an In-Place Hold and Litigation Hold to place all mailbox content on hold. However, to create a query-based In-Place Hold, the user must be a member of the Discovery Management role group or have the Mailbox Search role assigned.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts for the Exchange admin center.

Use the EAC to add a user to the Discovery Management role group

  1. Go to Permissions > Admin roles.

  2. In the list view, select Discovery Management and then click Edit.

  3. In Role Group, under Members, click Add.

  4. In Select Members, select one or more users, click Add, and then click OK.

  5. In Role Group, click Save.

Use Exchange Online PowerShell to add a user to the Discovery Management role group

This example adds the user Bsuneja to the Discovery Management role group.

Add-RoleGroupMember -Identity "Discovery Management" -Member Bsuneja

For detailed syntax and parameter information, see Add-RoleGroupMember.

How do you know this worked?

To verify that you've added the user to the Discovery Management role group, do the following:

  1. In the EAC, go to Permissions > Admin roles.

  2. In the list view, select Discovery Management.

  3. In the details pane, verify that the user is listed under Members.

You can also run this command to list the members of the Discovery Management role group.

Get-RoleGroupMember -Identity "Discovery Management"
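
Because this access exposes every mailbox, it is worth reviewing it against an approved list on a schedule. The script below is an added example, not part of the original procedure: it assumes an Exchange Online PowerShell session is already connected, and $Approved and Compare-DiscoveryAccess are hypothetical names introduced here. It checks both the role group members and anyone who holds the Mailbox Search role through another assignment.

```powershell
# Added example: audit who can run In-Place eDiscovery searches.
# Assumes an Exchange Online PowerShell session is already connected.
# $Approved is a hypothetical allowlist; its entries must match the Name
# values that the cmdlets below return for each approved user.
$Approved = @('Bsuneja')

function Compare-DiscoveryAccess {
    param(
        [string[]]$Current,   # names that currently hold the access
        [string[]]$Approved   # names that were reviewed and approved
    )
    $Current = @($Current | Where-Object { $_ } | Sort-Object -Unique)
    [pscustomobject]@{
        Unexpected = @($Current  | Where-Object { $_ -notin $Approved })
        Missing    = @($Approved | Where-Object { $_ -notin $Current })
    }
}

# Direct members of the role group (the cmdlet the page uses to verify).
$groupMembers = @(Get-RoleGroupMember -Identity "Discovery Management" |
    Select-Object -ExpandProperty Name)

# The Mailbox Search role can also be assigned outside the role group, so
# resolve every effective holder of that role. Rows that stand for a whole
# group rather than a user are skipped.
$roleHolders = @(Get-ManagementRoleAssignment -Role "Mailbox Search" -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
    Select-Object -ExpandProperty EffectiveUserName)

$result = Compare-DiscoveryAccess -Current ($groupMembers + $roleHolders) -Approved $Approved

foreach ($name in $result.Unexpected) {
    Write-Warning "Not on the approved list but can search mailboxes: $name"
}
foreach ($name in $result.Missing) {
    Write-Output "Approved but currently has no eDiscovery access: $name"
}
if (-not $result.Unexpected) {
    Write-Output "No unapproved eDiscovery access found."
}
```

Any name reported as unexpected should be traced to the role group or role assignment that grants it before it is removed.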

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.