O365 eDiscovery
The Microsoft Graph APIs for eDiscovery provide functionality for organizations to automate repetitive tasks and integrate with their existing eDiscovery tools to build repeatable workflows that might be required based on industry regulations. You can use the eDiscovery APIs to help with your legal needs. The Microsoft Graph APIs for eDiscovery are intended for eDiscovery operations for litigation, investigation, and regulatory requests.

## Asset Setup

For an app to get authorization and access to Microsoft Graph using the client credentials flow, you must follow these five steps:

1. Register the app with Microsoft Entra ID.
2. Configure Microsoft Graph application permissions on the app.
3. Request administrator consent.
4. Request an access token.
5. Call Microsoft Graph using the access token.

For detailed steps for token generation, refer to https://learn.microsoft.com/en-us/graph/auth-v2-service?context=graph%2fapi%2fbeta&view=graph-rest-beta&tabs=http

## Capabilities

This connector provides the following capabilities:

- Create ediscoveryHoldPolicy
- Get ediscoveryCase
- List ediscoveryCases
- List ediscoveryCustodian
- List ediscoveryHoldPolicies
- Create review set
- Add to review set
- Export review set

## Limitations

APIs under the /beta version in Microsoft Graph are subject to change.

## Notes

- https://learn.microsoft.com/en-us/graph/api/security-ediscoverycase-get?view=graph-rest-beta&tabs=http
- https://learn.microsoft.com/en-us/graph/auth-v2-service?context=graph%2fapi%2fbeta&view=graph-rest-beta&tabs=http

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| token_url | | string | Required |
| client_id | The client ID | string | Required |
| client_secret | The client secret | string | Required |
| scope | Permission scopes for this action | array | Optional |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Add to review set

Start the process of adding a collection from Microsoft 365 services to a review set. After the operation is created, you can get the status of the operation by retrieving the Location parameter from the response headers.

Endpoint URL: /security/cases/ediscoverycases/{{ediscoverycaseid}}/reviewsets/{{ediscoveryreviewsetid}}/addtoreviewset

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ediscoverycaseid | string | Required | Parameters for the Add to review set action |
| path_parameters.ediscoveryreviewsetid | string | Required | Parameters for the Add to review set action |
| search | object | Optional | Parameter for Add to review set |
| search.id | string | Required | The ID of the eDiscovery search you'd like to add to the review set |
| additionaldataoptions | string | Optional | The options for adding items to reviewset |

#### Input example

```json
{
  "json_body": {
    "search": {"id": "c17e91d6-6bc0-4ecb-b388-269ea3d4ffb7"},
    "additionaldataoptions": "linkedfiles"
  },
  "path_parameters": {
    "ediscoverycaseid": "58399dff-cebe-478f-b1af-d3227f1fd645",
    "ediscoveryreviewsetid": "63ef0fd7-0db2-45eb-a9d7-7d75c8239873"
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output example

```json
{"status_code":202,"response_headers":{"Date":"Mon, 30 Oct 2023 17:08:47 GMT","Content-Type":"application/json","Transfer-Encoding":"chunked","Connection":"keep-alive","Vary":"Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A ","Content-Encoding":"gzip","Expires":"0","Cache-Control":"no-cache, no-store, max-age=0, must-revalidate","X-XSS-Protection":"1; mode=block, 1; mode=block","Pragma":"no-cache","X-Content-Type-Options":"nosniff, nosniff","Strict-Transport-Se
```

### Create ediscoveryHoldPolicy

This action creates a new ediscoveryHoldPolicy object.

Endpoint URL: /security/cases/ediscoverycases/{{ediscoverycaseid}}/legalholds

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ediscoverycaseid | string | Required | Parameters for the Create ediscoveryHoldPolicy action |
| displayname | string | Optional | Name of the resource |
| description | string | Optional | Parameter for Create ediscoveryHoldPolicy |
| usersources@odata.bind | array | Optional | Response data |
| usersources@odata.bind.@odata.type | string | Optional | Response data |
| usersources@odata.bind.email | string | Optional | Response data |
| sitesources@odata.bind | array | Optional | Response data |
| sitesources@odata.bind.@odata.type | string | Optional | Response data |
| sitesources@odata.bind.site | object | Optional | Response data |
| sitesources@odata.bind.site.weburl | string | Optional | Response data |

#### Input example

```json
{
  "json_body": {
    "displayname": "my legalhold with sources",
    "description": "created from graph api",
    "usersources@odata.bind": [
      {"@odata.type": "microsoft.graph.security.usersource", "email": "salesteam@m365x809305.onmicrosoft.com"}
    ],
    "sitesources@odata.bind": [
      {"@odata.type": "microsoft.graph.security.sitesource", "site": {"weburl": "https://m365x809305.sharepoint.com/sites/design-topsecret"}}
    ]
  },
  "path_parameters": {"ediscoverycaseid": "b0073e4e-4184-41c6-9eb7-8c8cc3e2288b"}
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| isenabled | boolean | Output field isenabled |
| errors | array | Error message if any |
| description | string | Output field description |
| createddatetime | string | Time value |
| lastmodifieddatetime | string | Time value |
| status | string | Status value |
| id | string | Unique identifier |
| displayname | string | Name of the resource |
| createdby | object | Output field createdby |
| createdby.application | object | Output field createdby.application |
| createdby.user | object | Output field createdby.user |
| createdby.user.id | string | Unique identifier |
| createdby.user.displayname | object | Name of the resource |
| lastmodifiedby | object | Output field lastmodifiedby |
| lastmodifiedby.application | object | Output field lastmodifiedby.application |
| lastmodifiedby.user | object | Output field lastmodifiedby.user |
| lastmodifiedby.user.id | string | Unique identifier |
| lastmodifiedby.user.displayname | object | Name of the resource |

#### Output example

```json
{"status_code":201,"response_headers":{"Date":"Mon, 30 Oct 2023 17:08:47 GMT","Content-Type":"application/json","Transfer-Encoding":"chunked","Connection":"keep-alive","Vary":"Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A ","Content-Encoding":"gzip","Expires":"0","Cache-Control":"no-cache, no-store, max-age=0, must-revalidate","X-XSS-Protection":"1; mode=block, 1; mode=block","Pragma":"no-cache","X-Content-Type-Options":"nosniff, nosniff","Strict-Transport-Se
```

### Create review sets

This action creates a new ediscoveryReviewSet object.

Endpoint URL: /security/cases/ediscoverycases/{{ediscoverycaseid}}/reviewsets

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ediscoverycaseid | string | Required | Parameters for the Create review sets action |
| @odata.type | string | Optional | Response data |
| id | string | Optional | The review set unique identifier. Read-only. |
| displayname | string | Optional | The name of the review set |
| createdby | object | Optional | Parameter for Create review sets |
| createdby.@odata.type | string | Optional | The user who created the review set. Read-only. |
| createddatetime | string | Optional | The datetime when the review set was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. |

#### Input example

```json
{
  "json_body": {
    "@odata.type": "#microsoft.graph.security.ediscoveryreviewset",
    "id": "string (identifier)",
    "displayname": "string",
    "createdby": {"@odata.type": "microsoft.graph.identityset"},
    "createddatetime": "string (timestamp)"
  },
  "path_parameters": {"ediscoverycaseid": "b0073e4e-4184-41c6-9eb7-8c8cc3e2288b"}
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| displayname | string | Name of the resource |
| id | string | Unique identifier |
| createddatetime | string | Time value |
| createdby | object | Output field createdby |
| createdby.application | object | Output field createdby.application |
| createdby.user | object | Output field createdby.user |
| createdby.user.id | string | Unique identifier |
| createdby.user.displayname | object | Name of the resource |
| createdby.user.userprincipalname | string | Name of the resource |

#### Output example

```json
{"status_code":201,"response_headers":{"Date":"Mon, 30 Oct 2023 17:08:47 GMT","Content-Type":"application/json","Transfer-Encoding":"chunked","Connection":"keep-alive","Vary":"Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A ","Content-Encoding":"gzip","Expires":"0","Cache-Control":"no-cache, no-store, max-age=0, must-revalidate","X-XSS-Protection":"1; mode=block, 1; mode=block","Pragma":"no-cache","X-Content-Type-Options":"nosniff, nosniff","Strict-Transport-Se
```

### Export review set

This action initiates an export from a reviewSet.

Endpoint URL: /security/cases/ediscoverycases/{{ediscoverycaseid}}/reviewsets/{{ediscoveryreviewsetid}}/export

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ediscoverycaseid | string | Required | Parameters for the Export review set action |
| path_parameters.ediscoveryreviewsetid | string | Required | Parameters for the Export review set action |
| outputname | string | Optional | Name of the export |
| description | string | Optional | Description of the export |
| exportoptions | string | Optional | Specifies options that control the format of the export. Possible values are: originalfiles, text, pdfreplacement, fileinfo, tags. The fileinfo member is deprecated and has stopped returning data. The summary and load file are always included. |
| exportstructure | string | Optional | Options that control file structure and packaging of the export |

#### Input example

```json
{
  "json_body": {
    "outputname": "export via api",
    "description": "export for the contoso investigation",
    "exportoptions": "originalfiles,fileinfo,tags",
    "exportstructure": "directory"
  },
  "path_parameters": {
    "ediscoverycaseid": "58399dff-cebe-478f-b1af-d3227f1fd645",
    "ediscoveryreviewsetid": "273f11a1-17aa-419c-981d-ff10d33e420f"
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output example

```json
{"status_code":202,"response_headers":{"Date":"Mon, 30 Oct 2023 17:08:47 GMT","Content-Type":"application/json","Transfer-Encoding":"chunked","Connection":"keep-alive","Vary":"Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A ","Content-Encoding":"gzip","Expires":"0","Cache-Control":"no-cache, no-store, max-age=0, must-revalidate","X-XSS-Protection":"1; mode=block, 1; mode=block","Pragma":"no-cache","X-Content-Type-Options":"nosniff, nosniff","Strict-Transport-Se
```

### Get ediscoveryCase

This action reads the properties and relationships of an ediscoveryCase object.

Endpoint URL: /security/cases/ediscoverycases/{{ediscoverycaseid}}

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ediscoverycaseid | string | Required | Parameters for the Get ediscoveryCase action |
| parameters.count | boolean | Optional | Parameters for the Get ediscoveryCase action |
| parameters.expand | string | Optional | Parameters for the Get ediscoveryCase action |
| parameters.filter | string | Optional | Parameters for the Get ediscoveryCase action |
| parameters.format | string | Optional | Parameters for the Get ediscoveryCase action |
| parameters.orderby | string | Optional | Parameters for the Get ediscoveryCase action |
| parameters.search | string | Optional | Parameters for the Get ediscoveryCase action |
| parameters.select | string | Optional | Parameters for the Get ediscoveryCase action |
| parameters.skip | number | Optional | Parameters for the Get ediscoveryCase action |
| parameters.top | number | Optional | Parameters for the Get ediscoveryCase action |

#### Input example

```json
{
  "parameters": {
    "count": false,
    "expand": "members",
    "filter": "startswith(givenname,'j')",
    "format": "json",
    "orderby": "displayname desc",
    "search": "example",
    "select": "givenname,surname",
    "skip": 11,
    "top": 2
  },
  "path_parameters": {"id": "ediscoverycaseid"}
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| description | string | Output field description |
| lastmodifieddatetime | string | Time value |
| status | string | Status value |
| closeddatetime | object | Time value |
| externalid | string | Unique identifier |
| id | string | Unique identifier |
| displayname | string | Name of the resource |
| createddatetime | string | Time value |
| lastmodifiedby | object | Output field lastmodifiedby |
| closedby | object | Output field closedby |

#### Output example

```json
{"status_code":200,"response_headers":{"Date":"Mon, 30 Oct 2023 17:08:47 GMT","Content-Type":"application/json","Transfer-Encoding":"chunked","Connection":"keep-alive","Vary":"Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A ","Content-Encoding":"gzip","Expires":"0","Cache-Control":"no-cache, no-store, max-age=0, must-revalidate","X-XSS-Protection":"1; mode=block, 1; mode=block","Pragma":"no-cache","X-Content-Type-Options":"nosniff, nosniff","Strict-Transport-Se
```

### List ediscoveryCases

This action retrieves a list of ediscoveryCase objects and their properties.

Endpoint URL: /security/cases/ediscoverycases

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.count | boolean | Optional | Parameters for the List ediscoveryCases action |
| parameters.expand | string | Optional | Parameters for the List ediscoveryCases action |
| parameters.filter | string | Optional | Parameters for the List ediscoveryCases action |
| parameters.format | string | Optional | Parameters for the List ediscoveryCases action |
| parameters.orderby | string | Optional | Parameters for the List ediscoveryCases action |
| parameters.search | string | Optional | Parameters for the List ediscoveryCases action |
| parameters.select | string | Optional | Parameters for the List ediscoveryCases action |
| parameters.skip | number | Optional | Parameters for the List ediscoveryCases action |
| parameters.top | number | Optional | Parameters for the List ediscoveryCases action |

#### Input example

```json
{
  "parameters": {
    "count": false,
    "expand": "members",
    "filter": "startswith(givenname,'j')",
    "format": "json",
    "orderby": "displayname desc",
    "search": "example",
    "select": "givenname,surname",
    "skip": 11,
    "top": 2
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| @odata.count | number | Response data |
| value | array | Value for the parameter |
| value.description | string | Value for the parameter |
| value.lastmodifieddatetime | string | Value for the parameter |
| value.status | string | Status value |
| value.closeddatetime | object | Value for the parameter |
| value.externalid | string | Unique identifier |
| value.id | string | Unique identifier |
| value.displayname | string | Name of the resource |
| value.createddatetime | string | Value for the parameter |
| value.lastmodifiedby | object | Value for the parameter |
| value.lastmodifiedby.application | object | Value for the parameter |
| value.lastmodifiedby.user | object | Value for the parameter |
| value.lastmodifiedby.user.id | object | Unique identifier |
| value.lastmodifiedby.user.displayname | string | Name of the resource |
| value.closedby | object | Value for the parameter |
| value.closedby.application | object | Value for the parameter |
| value.closedby.user | object | Value for the parameter |
| value.closedby.user.id | object | Unique identifier |
| value.closedby.user.displayname | string | Name of the resource |

#### Output example

```json
{"status_code":200,"response_headers":{"Date":"Mon, 30 Oct 2023 17:08:47 GMT","Content-Type":"application/json","Transfer-Encoding":"chunked","Connection":"keep-alive","Vary":"Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A ","Content-Encoding":"gzip","Expires":"0","Cache-Control":"no-cache, no-store, max-age=0, must-revalidate","X-XSS-Protection":"1; mode=block, 1; mode=block","Pragma":"no-cache","X-Content-Type-Options":"nosniff, nosniff","Strict-Transport-Se
```

### List ediscoveryCustodian

Get a list of the custodian objects and their properties.

Endpoint URL: /security/cases/ediscoverycases/{{ediscoverycaseid}}/custodians

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ediscoverycaseid | string | Required | Parameters for the List ediscoveryCustodian action |

#### Input example

```json
{"path_parameters": {"ediscoverycaseid": "2192ca408ea2410eba3bec8ae873be6b"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| @odata.count | number | Response data |
| value | array | Value for the parameter |
| value.status | string | Status value |
| value.holdstatus | string | Status value |
| value.createddatetime | string | Value for the parameter |
| value.lastmodifieddatetime | string | Value for the parameter |
| value.releaseddatetime | object | Value for the parameter |
| value.id | string | Unique identifier |
| value.displayname | string | Name of the resource |
| value.email | string | Value for the parameter |
| value.acknowledgeddatetime | string | Value for the parameter |

#### Output example

```json
{"status_code":200,"response_headers":{"Date":"Mon, 30 Oct 2023 17:08:47 GMT","Content-Type":"application/json","Transfer-Encoding":"chunked","Connection":"keep-alive","Vary":"Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A ","Content-Encoding":"gzip","Expires":"0","Cache-Control":"no-cache, no-store, max-age=0, must-revalidate","X-XSS-Protection":"1; mode=block, 1; mode=block","Pragma":"no-cache","X-Content-Type-Options":"nosniff, nosniff","Strict-Transport-Se
```

### List ediscoveryHoldPolicies

Get a list of the ediscoveryHoldPolicy objects and their properties for a case.

Endpoint URL: /security/cases/ediscoverycases/{{ediscoverycaseid}}/legalholds

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ediscoverycaseid | string | Required | Parameters for the List ediscoveryHoldPolicies action |
| parameters.count | boolean | Optional | Parameters for the List ediscoveryHoldPolicies action |
| parameters.expand | string | Optional | Parameters for the List ediscoveryHoldPolicies action |
| parameters.filter | string | Optional | Parameters for the List ediscoveryHoldPolicies action |
| parameters.format | string | Optional | Parameters for the List ediscoveryHoldPolicies action |
| parameters.orderby | string | Optional | Parameters for the List ediscoveryHoldPolicies action |
| parameters.search | string | Optional | Parameters for the List ediscoveryHoldPolicies action |
| parameters.select | string | Optional | Parameters for the List ediscoveryHoldPolicies action |
| parameters.skip | number | Optional | Parameters for the List ediscoveryHoldPolicies action |
| parameters.top | number | Optional | Parameters for the List ediscoveryHoldPolicies action |

#### Input example

```json
{
  "parameters": {
    "count": false,
    "expand": "members",
    "filter": "startswith(givenname,'j')",
    "format": "json",
    "orderby": "displayname desc",
    "search": "example",
    "select": "givenname,surname",
    "skip": 11,
    "top": 2
  },
  "path_parameters": {"ediscoverycaseid": "700cd868-d868-700c-68d8-0c7068d80c70"}
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| @odata.count | number | Response data |
| value | array | Value for the parameter |
| value.isenabled | boolean | Value for the parameter |
| value.errors | array | Value for the parameter |
| value.contentquery | string | Value for the parameter |
| value.description | object | Value for the parameter |
| value.createddatetime | string | Value for the parameter |
| value.lastmodifieddatetime | string | Value for the parameter |
| value.status | string | Status value |
| value.id | string | Unique identifier |
| value.displayname | string | Name of the resource |
| value.createdby | object | Value for the parameter |
| value.createdby.application | object | Value for the parameter |
| value.createdby.user | object | Value for the parameter |
| value.createdby.user.id | string | Unique identifier |
| value.createdby.user.displayname | object | Name of the resource |
| value.lastmodifiedby | object | Value for the parameter |
| value.lastmodifiedby.application | object | Value for the parameter |
| value.lastmodifiedby.user | object | Value for the parameter |
| value.lastmodifiedby.user.id | string | Unique identifier |
| value.lastmodifiedby.user.displayname | object | Name of the resource |

#### Output example

```json
{"status_code":200,"response_headers":{"Date":"Mon, 30 Oct 2023 17:08:47 GMT","Content-Type":"application/json","Transfer-Encoding":"chunked","Connection":"keep-alive","Vary":"Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, A ","Content-Encoding":"gzip","Expires":"0","Cache-Control":"no-cache, no-store, max-age=0, must-revalidate","X-XSS-Protection":"1; mode=block, 1; mode=block","Pragma":"no-cache","X-Content-Type-Options":"nosniff, nosniff","Strict-Transport-Se
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, max-age=0, must-revalidate |
| CF-Cache-Status | HTTP response header CF-Cache-Status | DYNAMIC |
| CF-RAY | HTTP response header CF-RAY | 81e54323fddf9a90-NAG |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self' |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Mon, 30 Oct 2023 17:08:47 GMT |
| Expires | The date/time after which the response is considered stale | 0 |
| Permissions-Policy | HTTP response header Permissions-Policy | xr-spatial-tracking=(self) |
| Pragma | HTTP response header Pragma | no-cache |
| Referrer-Policy | HTTP response header Referrer-Policy | strict-origin-when-cross-origin |
| Server | Information about the software used by the origin server | cloudflare |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000 ; includeSubDomains, max-age=63072000; includeSubDomains; preload |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, Access-Control-Request-Method, Access-Control-Request-Headers |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff, nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY, DENY |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block, 1; mode=block |
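
An added example (not part of the connector or the original page) of steps 4 and 5 of the asset setup applied to the Add to review set action: it builds the token and action requests without sending them, rejects path parameters that are not GUIDs, and accepts the 202 `Location` only when it stays on the configured host, so the bearer token is never replayed elsewhere. The base URL, the token URL argument, and the sample `Location` value are constructed assumptions; field names follow the page's input example.

```python
import json
import re
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # application-permission scope
_ID = re.compile(r"[0-9a-f]{8}(-?[0-9a-f]{4}){3}-?[0-9a-f]{12}", re.I)


def _checked_id(value: str) -> str:
    """Reject anything that is not a GUID before it is placed in a URL path."""
    if not _ID.fullmatch(value):
        raise ValueError(f"not a GUID: {value!r}")
    return value


def token_request(token_url: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Step 4: form-encoded POST to the token URL from the connector configuration."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return urllib.request.Request(token_url, data=form, method="POST")


def add_to_review_set_request(base_url, access_token, case_id, review_set_id, search_id,
                              additional_data_options="linkedfiles"):
    """Step 5: the Add to review set call, with every identifier validated."""
    url = (f"{base_url.rstrip('/')}/security/cases/ediscoverycases/{_checked_id(case_id)}"
           f"/reviewsets/{_checked_id(review_set_id)}/addtoreviewset")
    body = {"search": {"id": _checked_id(search_id)},
            "additionaldataoptions": additional_data_options}
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})


def operation_status_url(status_code: int, response_headers: dict, base_url: str) -> str:
    """Return the Location to poll after a 202, refusing hosts other than base_url."""
    if status_code != 202:
        raise RuntimeError(f"expected 202 Accepted, got {status_code}")
    lowered = {k.lower(): v for k, v in response_headers.items()}
    location = lowered.get("location")
    if not location:
        raise RuntimeError("202 response carried no Location header")
    want, got = urllib.parse.urlsplit(base_url), urllib.parse.urlsplit(location)
    if (got.scheme, got.netloc.lower()) != ("https", want.netloc.lower()):
        raise RuntimeError(f"Location points outside {want.netloc}: {location}")
    return location


if __name__ == "__main__":
    base = "https://graph.microsoft.com/beta"  # assumed value of the connector's url parameter
    req = add_to_review_set_request(base, "<access-token>",
                                    "58399dff-cebe-478f-b1af-d3227f1fd645",
                                    "63ef0fd7-0db2-45eb-a9d7-7d75c8239873",
                                    "c17e91d6-6bc0-4ecb-b388-269ea3d4ffb7")
    print(req.get_method(), req.full_url)
    # Constructed 202 response; the operation id is a placeholder.
    sample = {"Location": base + "/security/cases/ediscoverycases/x/operations/OPERATION-ID"}
    print(operation_status_url(202, sample, base))
```
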