Microsoft Defender Office365 E-Discovery Cases
  • 25 Mar 2025
  • 4 Minutes to read


Article summary

Microsoft Defender for Office 365 E-Discovery Cases is a comprehensive tool designed to assist organizations in managing, identifying, and securing data during legal investigations or compliance reviews. It streamlines the process of searching, collecting, and preserving relevant email and file content from Office 365 environments. For detailed information, refer to Microsoft's official documentation.

Integration Method: API

Tables: Incident Finding (2005)

The integration supports the following events.

Event    Description
Cases    Allows organizations to automate eDiscovery workflows, integrate with existing tools, and build repeatable processes for legal needs, investigations, and regulatory requests, focusing on Microsoft 365 data.

This integration supports the following versions.

Microsoft Graph API Version    v1

Note:

The Microsoft Defender Office365 E-Discovery Cases API does not follow a traditional versioning system; it is a continuously updated cloud service. As of this document's preparation, the latest release was in March 2025.

Prerequisites

  • The user should have access to the Azure portal with an account that has the Global Administrator privileges.

  • The user should have access to the DataBee console.

Configuration Overview

  1. Create an application with required permissions to fetch the data.

    1. Create an application

    2. Add endpoint access

    3. Create the client secret

  2. Create Microsoft Defender for Office365 E-Discovery data feed in the DataBee console with the required Client credentials.

    DataBee Feed Parameter    Azure Parameter
    Client Key                Application (client) ID
    Client Secret             Client Secret Value
    Token URL(<tenant_id>)    Directory (Tenant) ID
    Username                  Username
    Password                  Password

    Note:

    The Username and Password above are the user credentials used to log in.

Microsoft Defender Office365 Configuration

Create an application

  1. Log on to the Azure portal with an account that has Global Administrator privileges.

  2. In the search bar, search for App registrations and select it.

  3. On the “App registrations” page, select New registration; the “Register an application” window will appear.

  4. On the “Register an application” window:

    1. Under ‘Name’, enter your application name, then click Register to create the application.

  5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.

Add Endpoint Access

Once the application is created, a single Microsoft Graph API permission is needed. This section details how to configure and add the permission for the required endpoint.

Add Permissions

From the Azure Active Directory portal:

  1. Select the application registered in the previous step.

  2. Under Manage, click API permissions and then click Add a permission; the “Request API permissions” window will appear.

  3. On the “Request API permissions” window, click Microsoft APIs and then Microsoft Graph.

  4. The following permissions need to be granted for the endpoint to function properly:

     Event    Type           Permission
     Cases    Application    eDiscovery.Read.All

  5. From the ‘eDiscovery’ dropdown, select eDiscovery.Read.All.

  6. Click the Add permissions button after selecting all required permissions.

  7. On the “API permissions” page, click Grant Admin Consent for <tenant>.

  8. Click the Yes button on the consent confirmation.

  9. The necessary permissions have now been added for the endpoint. After this step, the application's permissions should include at least the permission listed in the table above, with admin consent granted.

    Note:

    If you encounter any difficulties while configuring, refer to Microsoft's official documentation.

Creating the Client Secret

The final step to accessing the APIs is creating a client secret. To create it from the Azure Portal:

  1. Select the application created above.

  2. Under Manage, click Certificates & secrets, and then Client secrets.

  3. Click New client secret.

  4. On the “Add a client secret” window:

    1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-down list.

    2. Click Add to create the client secret.

    Note:

    The client secret must be re-created when it expires, and the DataBee feed reconfigured with the new value.

  5. Copy the client secret's Value field for later use; it is shown only once, at creation time.

    Note:

    The API restricts data retrieval to the last 7 days. Older data cannot be fetched.

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.

  2. Search for Microsoft Defender for Office365 E-Discovery Cases and click it.

  3. Select the API Ingest option as the collection method.

  4. Enter the feed contact information and click Next.

  5. In the configuration page, enter the Client Key, Client Secret, Token URL, Username and Password, as mapped in the table under Configuration Overview.

  6. Click Submit.

    Note:

    The URL for the API endpoint depends on the type of Microsoft 365 or Office 365 subscription plan for your organization. This document uses the URL for the Microsoft Graph global service; change it to match your organization's subscription plan. The URLs for each subscription plan are listed below.

    Microsoft Graph global service:                https://graph.microsoft.com

    Microsoft Graph for US Government L4:          https://graph.microsoft.us

    Microsoft Graph for US Government L5 (DOD):    https://dod-graph.microsoft.us

    Microsoft Graph China operated by 21Vianet:    https://microsoftgraph.chinacloudapi.cn

Troubleshooting Tips

  • If you encounter an Invalid client or Unauthorized client error, it may be due to incorrect credentials. Please double-check that the client key, client secret, and Tenant ID are entered correctly. Since the client secret is only visible upon creation, you may need to regenerate it. To avoid any issues, consider pasting it into a text editor to ensure there are no extra spaces or unexpected characters before reconfiguring the DataBee feed.

  • If you receive an Unauthorized error, it may be because the client ID and client secret belong to different applications. Verify that you are using credentials from the same application to resolve the issue.

  • If you receive response code 401, it is likely due to missing permissions. Ensure that all required permissions are correctly granted and admin consent has been given, as per the steps outlined above.

    • For example:
      {"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}
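As an added example (not DataBee's or Microsoft's code), the following script builds the client-credentials token request from the feed parameters above (Client Key, Client Secret, Tenant ID), checks that the issued token actually carries the eDiscovery.Read.All application role, and classifies the error bodies from the troubleshooting tips into their cause. The plan names used as dictionary keys and the sign-in authority per cloud are assumptions; the Username and Password feed fields are not used by this flow.

```python
import base64
import json
import urllib.parse
import urllib.request

# Graph base URLs from the note above and each cloud's sign-in authority (plan names assumed).
GRAPH_BASE = {"global": "https://graph.microsoft.com",
              "usgov_l4": "https://graph.microsoft.us",
              "usgov_l5": "https://dod-graph.microsoft.us",
              "china": "https://microsoftgraph.chinacloudapi.cn"}
AUTHORITY = {"global": "https://login.microsoftonline.com",
             "usgov_l4": "https://login.microsoftonline.us",
             "usgov_l5": "https://login.microsoftonline.us",
             "china": "https://login.chinacloudapi.cn"}

def token_url(tenant_id, cloud="global"):
    """Token URL(<tenant_id>): the identity platform v2.0 token endpoint."""
    return f"{AUTHORITY[cloud]}/{tenant_id}/oauth2/v2.0/token"

def token_request(tenant_id, client_id, client_secret, cloud="global"):
    """Client-credentials POST. Graph's .default scope requests the app roles
    granted under 'API permissions'; the feed's Username/Password are not used."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": GRAPH_BASE[cloud] + "/.default"})
    return urllib.request.Request(token_url(tenant_id, cloud), data=body.encode(), method="POST")

def token_roles(access_token):
    """App roles in the JWT payload; eDiscovery.Read.All must be among them.
    Local diagnostic only: decodes the payload, does not verify the signature."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

def diagnose(error_body):
    """Classify an error response according to the troubleshooting tips above."""
    err = json.loads(error_body).get("error")
    if err in ("invalid_client", "unauthorized_client"):  # token endpoint OAuth codes
        return "bad_credentials"     # wrong or mismatched key, secret or tenant ID
    if isinstance(err, dict) and err.get("code") == "AF10001":
        return "missing_permission"  # eDiscovery.Read.All not granted or consented
    return "other"

def fetch_cases(access_token, cloud="global"):
    """GET the cases from Graph v1.0 (network call; not exercised offline)."""
    req = urllib.request.Request(GRAPH_BASE[cloud] + "/v1.0/security/cases/ediscoveryCases",
                                 headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("value", [])
```

Run token_roles on the access token returned by the token endpoint before creating the feed: an empty roles list means admin consent for eDiscovery.Read.All has not taken effect and the feed will hit the AF10001 error above.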

