

You can preserve data in Microsoft 365, and Microsoft 365 Government, after completing the integration between RelativityOne and Microsoft 365.
See these related topics:
For more information on setting up and connecting the Preservation app to Microsoft 365, see Relativity Learning's Preservation Foundations: Registering Microsoft 365 data sources.
You must create and configure a Microsoft 365 preservation data source before creating a preservation hold for a custodian. A legal hold admin will need to run through a one-time setup to connect Microsoft 365 to Relativity. Creating the data source temporarily grants admin permissions to the specified account user to find the custodian SharePoint site access privileges during target discovery. For more information, see Setting up a Microsoft data source.
Preservation in-place functionality uses modern authentication. Modern authentication is certificate-based authentication (CBA) that allows for multi-factor authentication (MFA).
You can preserve data from Microsoft 365 or both Microsoft 365 and Microsoft 365 Government. This depends on your RelativityOne license, commercial or government, and your Microsoft tenant, Microsoft 365 or Microsoft 365 Government
Preservation in-place is set up to point at commercial APIs. Commercial users can only preserve in Microsoft 365 tenants.
To use Microsoft's APIs, all custodians must have a E3 license, or higher.
Preservation in-place is also set up to point at Government APIs instead of commercial APIs. Government users can use Legal Hold in Microsoft 365 and Government 365 tenants. These data sources have different icons within Preservation in-place.
To use Microsoft's Government APIs:
Consider the following information before creating a Microsoft 365 data source.
Microsoft Outlook
Microsoft OneDrive
Preserve custodian Teams chat attachments by placing a custodians OneDrive on hold.
Microsoft Teams
Microsoft Government
Follow the steps to create and configure preservation hold credentials. This is a one-time setup to create data sources for a preservation hold.
There is a required, one-time setup to create data sources for a preservation hold. This setup takes place in Microsoft 365. The person completing the application registration process needs to be an Azure Administrator with sufficient privileges.
The Azure Admin must complete all steps to create and configure preservation hold credentials before creating a preservation data source in Relativity:
Note: You must complete all steps to use Preservation in-place.
After completing all these required steps, you can set up the Microsoft 365 data source in Relativity. For more information, see Creating the Microsoft 365 data source.
Follow the steps below to set up app-only authentication in Entra ID. For more information, see Microsoft's documentation for setting up app-only authentication in Entra ID. The person performing the steps below should be a Microsoft Azure admin and familiar with setting up certificates.
Start with registering your app by following the steps below:
Note: The person completing the application registration process needs to be an Azure Administrator with sufficient privileges.
After registering the application, you must modify the manifest to add the Exchange.ManageAsApp permission to the application. For more information, see Modify the manifest.
From the app's page, modify the app manifest and add permissions to the web API. During this procedure, you will add the Exchange.ManageAsApp permission to the application. To update the manifest, follow the steps below:
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
}
]
}
],
You have updated the manifest and added the Exchange.ManageAsApp permission to the application. This permission is needed so that the application can run cmdlets in Exchange Online in each tenant organization.
To verify that you added the Exchange.ManageAsApp permission:
Note: If you have trouble with the adding to the manifest, we recommend deleting the manifest and creating a new one.
Next, you must assign the Sites.Read.All API permission. For more information, see Assign API permissions.
You must add the Sites.Read.All API permissions to your application. The Sites.Read.All permission is needed to do OneDrive & SharePoint Discovery in Relativity.
To add the Sites.ReadAll permission,
The Sites.ReadAll permission should now be added to your application.
Next, you must generate a self-signed certificate. For more information, see Generate certificate.
You must create a self-signed certificate. Use the script below. The script below will create two files:
The script creates a certificate that is valid for one year. After a year, you must replace this certificate with a new valid certificate.
To generate a self-signed certificate,
# Create certificate
$mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
# Export certificate to .pfx file
$password = ConvertTo-SecureString "test" -AsPlainText -Force
$mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $password
# Export certificate to .cer file
$mycert | Export-Certificate -FilePath mycert.cer
To assign the required application roles,
You now have the Compliance Administrator Entra role assigned to the application. For information on roles, see Microsoft’s documentation.
You will use the information created for the next steps.
After setting up an app in Entra ID in the Register the application section, you need to create a Service Principal to associate with the app.
You may need to install the AzureAD and ExchangeOnlineManagement modules.
To install the modules:
1
2
3
4
Install-Module AzureAD
Import-Module AzureAd
Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
To create the Service Principal and assign it to the application, you must have a Global Admin run the following PowerShell script.
Note: Use the copy button to copy the script.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
## Authenticate with Microsoft (including providing answer for MFA)
$AppId = "Application-ID-FROM-AZURE-AD"
$appName = "AppNAME-FROM-Azure-AD"
$spDisplayName = "your_sp_displayname"
# access token is passed to Connect-AzureAD
# the user logging, will require admin permissions.
Connect-AzureAD
$AADApp = Get-AzureADServicePrincipal -SearchString $appName
# create service principal in scc
connect-ippssession
New-ServicePrincipal -AppId $AADApp.AppId -ServiceId $AADApp.ObjectId -DisplayName $spDisplayName
$SP = Get-ServicePrincipal -Identity $spDisplayName
Add-eDiscoveryCaseAdmin -Confirm:$false -User $appId
disconnect-exchangeonline -Confirm:$false
Replace these values in the script with your information:
Next, you can open Relativity and use the information to create the Microsoft 365 data source. For more information, see Creating the Microsoft 365 data source.
Then create the Microsoft 365 data source in RelativityOne:
In RelativityOne, you must add Microsoft 365-specific data into the fields in the Default Category during the creation of a Microsoft 365 data source.
After saving the credentials, you have the option to validate the connection to Compliance Center. This step also validates that Relativity can place a hold in Exchange Mailbox and OneDrive.
On the Preservation Data Source page:
You will get a pop-up window to authenticate into Microsoft with the admin login credentials.
Click the Re-validate Authentication button to update the status bar near the top of the page.
Each data source details page includes a console to complete actions. Each data source has different actions.
For Microsoft 365:
On the data source details page, there is the Services section. In the Services section, you can click on a data source to see the service information.
For Microsoft OneDrive, you can override the entity field with the Entity OneDrive URL field.
The Sites.Read.All GraphAPI permission is required for automated look up of a custodian's OneDrive Site URL. If the preservation account cannot be granted the Sites.Read.All GraphAPI permission, then enter the Entity OneDrive URL field for each custodian so that automated look up is not required.
When the preservation account used for Microsoft 365 preservations does not have the Sites.Read.All GraphAPI permission the Entity OneDrive URL field is the alternative way to put a custodian's OneDrive source on a preservation hold. When the Entity SharePoint URL is provided, Relativity Legal Hold uses it to put a custodian's OneDrive content on a hold.
If the User Principal Name in your Entra ID account does not match the email address, you can use the Entity OneDrive URL field to put a custodian's OneDrive account on hold. Sharepoint Sites cannot be placed on Hold if the User Principal Name is different from Email in your Entra ID account.
If the Entity OneDrive URL field setting is empty, Legal Hold reverts to the original logic and queries SharePoint directly for this information.
An administrator needs to perform additional setup for this functionality to work. Use an existing field or create a new field on the entity object to host OneDrive URL information for each custodian. Use Integration Points or the Import/Export to populate this field with fully qualified OneDrive URL for each custodian.
Point Relativity to use such field as a reference to OneDrive URL information:
Why was this not helpful?
Check one that applies.
Thank you for your feedback.
Want to tell us more?
Great!