Electronic Discovery

Microsoft 365 and Google Workspace Collection

Tenant-level discovery requires more than exporting a user's mailbox. Microsoft 365 and Google Workspace contain mail, files, calendars, chats, shared drives, audit records, permissions, and hold settings that need to be understood before collection scope is treated as complete.

Tenant Context Shapes the Evidence

Microsoft 365 and Google Workspace are administrative environments, not just storage locations. A user may have a mailbox, OneDrive, Google Drive, calendars, Teams or Chat activity, shared-drive access, group membership, delegated permissions, archived content, and audit records. A collection that captures only the obvious mailbox can miss the systems that explain how evidence was created, shared, edited, or deleted.

PowellPath helps counsel identify the tenant-level sources that matter and the permissions needed to preserve or export them. The collection plan should account for licensing, administrator roles, retention settings, legal holds, deleted items, shared drives, cloud attachments, and logs where available.

Scope Must Be Technical and Legal

A discovery request may name a person, a date range, and a topic. The platform may require more detail: mailbox, site, drive, group, team, channel, chat, calendar, label, custodian, search query, export format, or audit log. Counsel should understand how the legal scope translates into platform scope before relying on the result.

Search syntax, indexing limits, attachment handling, file versions, shared links, and deleted-item behavior can all affect collection. A defensible export should document what was searched, what was excluded, what errors occurred, and what platform limitations remain.

Holds and Exports Are Related but Not Identical

A hold may preserve data that is not immediately exported. An export may collect data without preserving future changes. A tenant may have retention labels, legal holds, litigation hold settings, Vault matters, or eDiscovery cases that affect what remains available. Counsel should not assume that a successful export means preservation is complete.

PowellPath separates preservation planning from collection execution. That helps attorneys decide whether to place or verify holds, export specific repositories, preserve audit records, or request administrator action before records age out.

Sources Commonly Reviewed

  • Exchange Online mailboxes, calendars, contacts, archives, and deleted items.
  • OneDrive, SharePoint, Google Drive, shared drives, folder permissions, and file versions.
  • Teams, Google Chat, groups, channels, meetings, and linked files where available.
  • Audit logs, login activity, sharing activity, administrator actions, and export records.
  • Retention policies, legal holds, Vault matters, labels, and eDiscovery case settings.
  • Exceptions, inaccessible records, unsupported file types, and search limitations.

What Counsel Receives

Deliverables may include a tenant-source map, collection plan, mailbox or drive export, audit-log preservation list, collection log, exception report, metadata review, and follow-up questions for administrators or opposing parties. The work is designed to give counsel a clear record of what was collected and what still may exist.

Selected Sources

The discussion above is grounded in platform documentation, federal discovery rules, and forensic collection principles reflected in the following materials: