Assigning Roles for Core eDiscovery Case
Question
You are the global administrator of an organization with a Microsoft 365 subscription.
You have a Core eDiscovery case, and due to legal reasons, you need to assign user 1 permission to put the case content on hold.
The solution must use the principle of least privilege.
Which role should you assign?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer: C
eDiscovery Manager is the least privileged role with permissions to put eDiscovery content on hold.
![LPedatiOn OF FOrWarGinig/reairect rule
ft Home > Alert policy
@ Compliance Manager ae . ae ae ‘ fan . a . Pa wae .
Use alert policies to track user and admin activities, malware threats, or data loss incidents in your organization. After choosing the activity you want to be alerted on, refine the policy by adding conditions, deciding when to trigger tl 2 kdit pe
D Data classification policies
More advanced alerting capabilities are available through E5, Threat intelligence or Advanced compliance subscriptions. Learn more
Pa Detjeonnectars A Some sections of this alert cannot be edited because it's a default policy.
A Ast + New alert policy Search PT ater Status @q =
a Description This alert is triggered when someone in your
}* Reports
B organization sets up auto-forwarding, email
= Pol (Name Severity Type Category forwarding, redirect rule or a mail flow rule -V1.0.0.5
= Polici
2} Permissions (1 Successful exact data match upload @ low system Threat management Severity Informational
Category Threat management
C1 Elevation of Exchange admin privilege @ low stem Permissions
Solutions .
Policy
Hl cone (1 User restricted from sharing forms and collecting responses @ High Threat management contains tags
# Catalog
‘avait mail reported by user as malware or phish © ow system Threat management
Conditions Activity is MailRedirect
C1 Admin triggered manual investigation of email Informatio: stem Threat management
P Content search ‘99% 9 3 Aggregation _ Single event
2) Communication compliance C1 eDiscovery search started or exported Informational Threat management Scope Allusers
[2 Data loss prevention (Phish delivered because a user's Junk Mail Folder is disabled Informational System Threat management
- TenantAdmins
E\ Gaaiipssiremecs (1 Admin Submission Result Completed Informatio tem Threat management recipients
ff eDiscovery v Edit
C1 Email sending limit exceeded @ Medium Threat management No limit
=] Information governance
C1 Remediation action taken by admin on emails or URL or sender Informational System Threat management
[4 Information protection
ZZ Creation of forwarding/redirect rule Informational System Threat management
% Insider risk management](https://eaeastus2.blob.core.windows.net/optimizedimages/static/images/Microsoft-365-Security-Administration-(MS-500)/answer/imgckeditor_19.png)
Since the answer is given in the documentation, the other options are incorrect.
To know more about eDiscovery roles and permissions, please refer to the link below:
To assign the least privilege role to a user for putting a Core eDiscovery case on hold, you should assign the Reviewer role to the user.
The Reviewer role can view, search, and export content from the Core eDiscovery case, but cannot modify or delete content. This role is appropriate for individuals who need to review content for responsiveness, confidentiality, and privilege.
On the other hand, the eDiscovery Administrator role can perform all the functions of the Reviewer role, as well as modify and delete content from the Core eDiscovery case. This role is appropriate for individuals who manage the eDiscovery process, including creating cases and managing holds.
The eDiscovery Manager role is a higher-level role than the eDiscovery Administrator role, and it includes all the permissions of the eDiscovery Administrator role. This role is appropriate for individuals who manage eDiscovery processes across multiple cases.
The Logic App Contributor role is unrelated to eDiscovery and is used to manage logic apps that automate business processes.
Therefore, in this scenario, the Reviewer role is the most appropriate role to assign to the user who needs to put the Core eDiscovery case on hold, as it provides the necessary permissions without granting unnecessary privileges.