Exchange Online · Compliance & Security
Discovery Management
Members can perform searches of mailboxes for data that meets specific criteria and can configure legal holds on mailboxes. By default, this role group has no members.
Scope: All mailbox content for eDiscovery and legal hold purposes
Permissions
- Legal Hold - Place mailboxes on Litigation Hold or In-Place Hold
- Mailbox Search - Search mailbox content using In-Place eDiscovery
Common use cases
- Legal discovery requests and litigation
- Internal investigations
- Compliance audits
- Placing mailboxes on legal hold
Best practices
- Limit membership to legal and compliance teams only
- Audit all discovery activities
- Use Microsoft Purview eDiscovery for comprehensive searches
- Document the legal basis for each hold and search
Security considerations
- Can search and view any mailbox content in the organization
- Can place indefinite holds on mailboxes preventing deletion
- Discovery actions are logged but should be monitored
- By default, no users have these permissions - not even admins
Common questions
When should I assign the Discovery Management role?
Assign Discovery Management when you need to: Legal discovery requests and litigation; Internal investigations; Compliance audits; and Placing mailboxes on legal hold. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Discovery Management role do?
The Discovery Management role grants permissions including: Legal Hold - Place mailboxes on Litigation Hold or In-Place Hold; and Mailbox Search - Search mailbox content using In-Place eDiscovery. See the Permissions section above for the full list.
What are the security risks of the Discovery Management role?
Key considerations when assigning Discovery Management: Can search and view any mailbox content in the organization; Can place indefinite holds on mailboxes preventing deletion; Discovery actions are logged but should be monitored; and By default, no users have these permissions - not even admins. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.