If you’re handling CUI in Microsoft 365, you don’t get to treat retention and holds like a “set it once” task. Under CMMC Level 2, I’ve found auditors and incident reviewers want something tougher: a defensible process that proves you can preserve data, limit access, and show evidence on demand.
This post is my practical guide to a Purview eDiscovery legal hold setup that I’m comfortable defending in 2026. I’ll cover least-privilege roles, click-paths, eDiscovery Standard vs Premium, GCC and GCC High notes, and the evidence artifacts I like to keep ready.
The goal is simple: when legal, HR, or security says “preserve it,” you can do it fast, prove it happened, and prove no one tampered with it.
What CMMC Level 2 expects from eDiscovery and legal holds (in plain terms)
CMMC Level 2 maps to NIST SP 800-171, so the pressure is less about one "legal hold control" and more about repeatable, auditable operations; the requirements that bite here sit in the access control and audit and accountability families, which is why role scoping and audit evidence carry so much weight. When I set this up for small contractors, I plan for three questions that always come up:
First, can you preserve content across the places users actually work? In Microsoft 365, that usually means Exchange mailboxes, OneDrive, SharePoint, and Teams. A hold that only covers email is like locking the front door while leaving the garage open.
Second, can you prove who did what, and when? That’s where Purview audit logging and case artifacts matter. I save screenshots of the hold policy scope, export summaries, and case settings. I also keep an admin runbook that states who’s allowed to create cases, who approves holds, and how releases work.
Third, is your workflow defensible when staff changes happen? Custodians leave, mailboxes convert, sites get archived, and permissions drift. If you don’t document the lifecycle, your “hold” becomes a hope.
Gotcha I plan around: the Purview interface changes often, what it shows about past activity is limited, and audit log retention is finite (180 days with Audit Standard, longer only with Audit Premium). I treat exports and audit logs pulled while they are still available as my durable record, not the screen view.
If you want Microsoft’s step-by-step reference on how holds are created in a case, I keep this bookmarked: Create eDiscovery holds in an eDiscovery case.
Least-privilege role assignments that still let the work get done
For CMMC, least privilege is not a slogan, it’s your survival skill. I separate “case work” from “platform power,” because eDiscovery access can expose sensitive content fast.
Here’s the role model I use most often in the Microsoft Purview portal:
- eDiscovery Manager (small, named group): This is my core team for creating cases, searches, exports, and hold policies. I keep this group tight and approved in writing. The role group has two tiers: eDiscovery Managers see only the cases they are members of, while eDiscovery Administrators can see and join every case in the tenant, so I keep the administrator tier to one or two named accounts.
- Reviewer (Premium workflows): If we use eDiscovery Premium review sets, reviewers should not be able to change holds. They should only review what’s assigned.
- Global Admin (break-glass only): I avoid using Global Admin for daily eDiscovery. For evidence, I want my audit logs to show normal admins acting in their intended roles.
Click-path to assign roles (common 2026 path): Purview portal → Settings → Roles and scopes (or Role groups) → find the eDiscovery role group → Edit → add members.
Two practical CMMC habits help more than people expect. First, I use a ticket or approval record for every hold action, even for “test holds.” Second, I keep a simple access review cadence so old accounts don’t stay in eDiscovery roles.
This is also where broader stack decisions show up. Custodians' endpoints are part of the preservation picture, so eDiscovery planning sits alongside endpoint security and device hardening rather than apart from them. If a client is migrating into Microsoft 365, I fold the hold requirements into the migration plan; if they still run on-prem workloads, I inventory those content locations too, so nothing outside the tenant surprises anyone later. Even line-of-business systems such as POS and kitchen platforms create records that intersect with contracts and incidents. In short, good holds are part of the documented operating model, not a side quest.
Step-by-step: Purview eDiscovery legal hold setup, evidence artifacts, and validation
I set up holds inside a case, then I capture artifacts as I go. That way, I can answer the “show me” request without scrambling.
Create the case and name it like you mean it
In the Purview portal: eDiscovery → Cases (preview) → Create case.
I use naming that survives time, for example: 2026-03 Incident ACME-Phish-014 or 2026-04 Legal HR-Claim-002. Then I record:
- Case name, ID, and created-by
- Business purpose
- Approval reference (ticket number or email)
Build the hold policy with tight scope
From the case: Hold policies → Create policy.
Then I lock down three things:
- Custodians and locations: mailboxes, OneDrive accounts, SharePoint sites, and Teams locations that match your CUI boundary. Teams chats are preserved through the custodian's mailbox and standard channel messages through the team's Microsoft 365 Group mailbox, so include both when Teams is in scope. Each case hold policy tops out at 1,000 mailboxes and 100 sites, so large matters need more than one policy.
- Query scope (when needed): some matters call for “everything,” others need criteria. For CMMC defensibility, I document why I chose broad or targeted.
- Hold duration and release rules: I write down who can approve a release and how it's recorded. Closing a case turns its holds off and deleting a case removes them, so case closure is itself a release decision that goes through the same approval.
Next, I take screenshots of the hold policy summary and the included locations. I also export any available case summaries.
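The same case-and-hold procedure scripted in Security & Compliance PowerShell, as an added example that is not code from the original post. It creates the case, a hold policy scoped to the approved locations, the hold rule that actually activates the policy, waits for distribution, and writes the resulting objects plus SHA-256 hashes into an evidence folder. The case name, ticket, mailboxes, site URLs and paths are placeholders.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not code from the original post. Commercial/GCC endpoint shown;
# GCC High needs:
#   Connect-IPPSSession -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/
Connect-IPPSSession

$CaseName   = '2026-03 Incident ACME-Phish-014'                       # placeholder
$Ticket     = 'SEC-1042'                                              # placeholder approval reference
$Custodians = @('alice@contoso.com', 'bob@contoso.com')               # placeholder mailboxes (also covers their Teams chats)
$Sites      = @('https://contoso.sharepoint.com/sites/ACME-Program',  # placeholder SharePoint site
                'https://contoso-my.sharepoint.com/personal/alice_contoso_com')  # placeholder OneDrive
$Evidence   = 'C:\ComplianceEvidence\ACME-Phish-014'                  # placeholder restricted evidence folder
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. The case. The approval reference goes in the description so it is visible in the portal.
$case = New-ComplianceCase -Name $CaseName -Description "Approved under $Ticket; owner: security"

# 2. The hold policy, scoped to exactly the approved locations.
#    Per-policy limits are 1,000 mailboxes and 100 sites; split policies for larger matters.
$policyName = "$CaseName - Hold"
$policy = New-CaseHoldPolicy -Name $policyName -Case $case.Identity `
    -ExchangeLocation $Custodians -SharePointLocation $Sites `
    -Comment "Scope approved in $Ticket" -Enabled $true

# 3. The hold rule. A case hold policy does nothing until it has a rule; the portal
#    creates both in one step, PowerShell does not. Omitting -ContentMatchQuery holds everything.
$rule = New-CaseHoldRule -Name "$policyName - Rule" -Policy $policy.Identity `
    -Comment "Broad scope; rationale recorded in $Ticket"

# 4. Wait for distribution (Pending/Success/Error). A 'Pending' location is not
#    protected yet; 'Error' must be fixed before the hold is reported as in place.
$tries = 0
do {
    Start-Sleep -Seconds 60
    $status = Get-CaseHoldPolicy -Identity $policyName -DistributionDetail
    $tries++
} while ($status.DistributionStatus -eq 'Pending' -and $tries -lt 30)
if ($status.DistributionStatus -ne 'Success') {
    Write-Warning "Hold '$policyName' distribution status is $($status.DistributionStatus); check each location before relying on it"
}

# 5. Evidence: the objects as they were at creation time, then a hash of every file.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$case   | Select-Object Name, Identity, CreatedBy, CreatedDateTime, Status, Description |
          Export-Csv "$Evidence\case-$stamp.csv" -NoTypeInformation
$status | Select-Object Name, Guid, Enabled, DistributionStatus, LastStatusUpdateTime,
                        ExchangeLocation, SharePointLocation |
          ConvertTo-Json -Depth 5 | Set-Content "$Evidence\hold-policy-$stamp.json"
$rule   | Select-Object Name, Guid, Policy, ContentMatchQuery, Disabled, Comment |
          Export-Csv "$Evidence\hold-rule-$stamp.csv" -NoTypeInformation
Get-ChildItem $Evidence |
    Where-Object { $_.Name -like "*-$stamp.*" -and $_.Name -notlike 'SHA256SUMS*' } |
    Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash |
    Export-Csv "$Evidence\SHA256SUMS-$stamp.txt" -NoTypeInformation
```

Run it from an account in the eDiscovery Manager role group, not a Global Admin, so the audit trail shows the intended role doing the work. Keep the hash list somewhere the evidence folder's writers cannot reach; it is only useful if it cannot be rewritten alongside the files it covers.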
eDiscovery Standard vs Premium, and when I use each
This table is the quick way I explain it to admins and leadership before licensing talks start.
| Capability that matters in CMMC work | eDiscovery Standard | eDiscovery Premium |
|---|---|---|
| Create cases and place holds | Yes | Yes |
| Basic search and export | Yes | Yes (with a richer collection and export workflow) |
| Review sets and review workflow | No | Yes |
| Custodian management (custodian records, hold notifications) | No (holds are placed directly on locations) | Yes |
| Advanced tracking and reporting needs | Limited | Better for audits and complex matters |
If I’m supporting a small team that mainly needs preservation and basic export, Standard can be enough. When the matter requires review workflow, analytics, or heavier chain-of-custody expectations, I push toward Premium.
GCC and GCC High notes that affect planning
Feature availability can vary by tenant type and licensing, and your contract requirements may force the choice. For many DoD contractors handling CUI, GCC High comes up because of compliance expectations tied to government workloads, including export-controlled data. Plan for the environment-specific endpoints too: the Security & Compliance PowerShell connection URI is different in GCC High, and some Purview features reach GCC High later than the commercial cloud. I've used this as a starting point for cost and fit conversations: Microsoft 365 GCC High Business Premium.
Evidence you should collect (so you’re not chasing it later)
I keep these artifacts in a restricted “compliance evidence” library:
- Screenshots of the hold policy scope and included locations
- Case membership and role assignments at time of hold
- Export job summary files and export settings
- Audit events showing hold creation and changes
- A recurring “holds report” export for open matters
For holds reporting, Microsoft documents a practical approach here: Use a script to create an eDiscovery holds report.
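One way to produce several of the artifacts above in a single dated bundle, as an added example that is neither the post's own code nor Microsoft's holds-report script linked above. It covers the holds report with per-location distribution status, the role-group membership check against an approved list (the access review cadence from the roles section), and the eDiscovery audit events for the period, and hashes the result. It assumes Security & Compliance PowerShell; the evidence path, reporting window and approved list are placeholders.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not code from the original post or from Microsoft's holds-report script.
Connect-IPPSSession

$Evidence = 'C:\ComplianceEvidence\holds-reports'   # placeholder restricted library
$Days     = 30                                       # reporting window for audit events
$Approved = @{                                       # placeholder: who may sit in each role group
    'eDiscoveryManager' = @('alice@contoso.com', 'bob@contoso.com')
    'Reviewer'          = @('carol@contoso.com')
}
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Holds report. -DistributionDetail exposes a location stuck in Pending/Error,
#    which 'Enabled = True' on its own hides.
$holds = foreach ($case in Get-ComplianceCase) {
    foreach ($p in Get-CaseHoldPolicy -Case $case.Identity -DistributionDetail) {
        $rule = Get-CaseHoldRule -Policy $p.Identity
        [pscustomobject]@{
            Case               = $case.Name
            CaseStatus         = $case.Status
            HoldPolicy         = $p.Name
            Enabled            = $p.Enabled
            DistributionStatus = $p.DistributionStatus
            Query              = $rule.ContentMatchQuery
            Mailboxes          = @($p.ExchangeLocation.Name) -join ';'
            Sites              = @($p.SharePointLocation.Name) -join ';'
            LastStatusUpdate   = $p.LastStatusUpdateTime
        }
    }
}
$holds | Export-Csv "$Evidence\holds-$stamp.csv" -NoTypeInformation

# 2. Access review: role group members versus the approved list, plus the separate
#    eDiscovery Administrator list (administrators can see every case, not just their own).
$access = foreach ($group in $Approved.Keys) {
    foreach ($m in Get-RoleGroupMember -Identity $group) {
        # Assumption: member objects expose PrimarySmtpAddress; fall back to Name if not.
        $id = if ($m.PrimarySmtpAddress) { [string]$m.PrimarySmtpAddress } else { $m.Name }
        [pscustomobject]@{ RoleGroup = $group; Member = $id; Approved = ($Approved[$group] -contains $id) }
    }
}
$access | Export-Csv "$Evidence\roles-$stamp.csv" -NoTypeInformation
Get-eDiscoveryCaseAdmin | Select-Object Name, DisplayName |
    Export-Csv "$Evidence\ediscovery-admins-$stamp.csv" -NoTypeInformation
$access | Where-Object { -not $_.Approved } |
    ForEach-Object { Write-Warning "Unapproved member of $($_.RoleGroup): $($_.Member)" }

# 3. eDiscovery audit events (RecordType Discovery), paged 5,000 at a time.
#    Export them while they exist; audit retention is finite.
$end = Get-Date; $start = $end.AddDays(-$Days)
$sessionId = "ediscovery-evidence-$stamp"
$raw = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType Discovery `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
    $raw += $page
} while ($page.Count -eq 5000)
$raw | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.Operation -match 'Hold|ComplianceCase|ComplianceSearch' } |
    Select-Object CreationTime, UserId, Operation, ObjectId, ClientIP |
    Export-Csv "$Evidence\audit-$stamp.csv" -NoTypeInformation

# 4. Hash the bundle so later tampering is detectable; keep the hash list apart from the files.
Get-ChildItem $Evidence -Filter "*-$stamp.csv" | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash | Export-Csv "$Evidence\SHA256SUMS-$stamp.txt" -NoTypeInformation
```

Schedule it to match your access review cadence and file each run with its ticket. The warning lines are the access-review findings; an empty warning list for the run is itself worth keeping, because it shows the review happened and found nothing.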
Validation tests to confirm holds are actually working
I don’t trust a hold until I test it. These are the tests I run in a non-production pilot case, then repeat for each production pattern.
- Mailbox test: Put a test user on hold, send an email, then hard-delete it and purge it from Recoverable Items (a soft delete proves nothing, since Deleted Items keeps it anyway), then verify it's still discoverable via case search/export.
- SharePoint test: Upload a file to a held site, delete it, then confirm discovery still returns it.
- Teams test: Post a message in a held Team location, delete it if possible, then verify it’s preserved for discovery.
- Role test: Confirm a non-eDiscovery user cannot access the case or run exports.
- Change test: Modify the hold scope (with approval), then confirm the audit trail shows who changed it and when.
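The mailbox test from the list above run end to end, as an added example that is not code from the original post. It first confirms the case hold is really stamped on the mailbox, pauses for the tester to send and purge a marked message, then proves the message is still discoverable from inside the case and keeps the search object as the test artifact. The case, mailbox, marker and path are placeholders, and the case and hold are assumed to exist already.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not code from the original post. GCC High: add
#   -ExchangeEnvironmentName O365USGovGCCHigh to Connect-ExchangeOnline and the
#   .office365.us -ConnectionUri to Connect-IPPSSession.
Connect-ExchangeOnline
Connect-IPPSSession

$CaseName = '2026-03 Incident ACME-Phish-014'   # placeholder
$TestUser = 'holdtest@contoso.com'              # placeholder mailbox already in the hold policy
$Marker   = "HOLD-TEST-$(Get-Date -Format 'yyyyMMddHHmmss')"
$Evidence = 'C:\ComplianceEvidence\ACME-Phish-014'   # placeholder evidence folder

# 1. Is the hold stamped? eDiscovery case holds appear in InPlaceHolds with a 'UniH'
#    prefix (retention policies use other prefixes; Litigation Hold is a separate flag).
#    No 'UniH' entry means the policy never reached this mailbox, whatever the portal shows.
$mbx = Get-Mailbox -Identity $TestUser
$caseHolds = @($mbx.InPlaceHolds | Where-Object { $_ -like 'UniH*' })
if ($caseHolds.Count -eq 0) { throw "$TestUser has no eDiscovery case hold applied" }
"Case hold(s) on $TestUser : $($caseHolds -join ', ')"

# 2. Manual step. The item must be gone from Deleted Items and purged from Recoverable
#    Items by the user (Shift+Delete, then Recover Deleted Items -> Purge), so that
#    only the hold is keeping it.
Read-Host "Send a message with subject '$Marker' to $TestUser, hard-delete and purge it, then press Enter"

# 3. Search from inside the case. Held items survive in Recoverable Items, which
#    compliance search indexes. Allow a few minutes for indexing on a first miss.
$searchName = "$CaseName - Validation $Marker"
New-ComplianceSearch -Name $searchName -Case $CaseName -ExchangeLocation $TestUser `
    -ContentMatchQuery "subject:`"$Marker`"" | Out-Null
Start-ComplianceSearch -Identity $searchName
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -notin @('Completed', 'Failed'))

if ($search.Status -ne 'Completed' -or [int]$search.Items -lt 1) {
    throw "Hold validation FAILED for $TestUser : status=$($search.Status), items=$($search.Items)"
}
"PASS: $($search.Items) item(s) with subject $Marker still discoverable after purge"

# 4. The search object is the artifact for this test: it records who ran it and when.
$search | Select-Object Name, Status, Items, Size, CreatedBy, JobStartTime, JobEndTime, ContentMatchQuery |
    Export-Csv "$Evidence\validation-$Marker.csv" -NoTypeInformation
```

Run the same pattern for each production hold shape you use (mailbox only, mailbox plus OneDrive, SharePoint site), not just once in the pilot, and keep the validation CSV next to the hold evidence for that case.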
One more operational warning: Microsoft has introduced secured administrative workflows that can bypass holds and retention in specific cleanup scenarios, so I always document who can use those elevated actions and how they're approved. This Message Center archive is a good example of the kind of update I track: New secure workflow to bypass legal holds and retention policies.
Conclusion: make your hold process boring, repeatable, and provable
CMMC Level 2 doesn't reward clever setups; it rewards evidence. When I build a Purview eDiscovery legal hold workflow, I focus on least privilege, clean case structure, and artifacts that stand on their own. If you want this to hold up in November 2026 and beyond, document the process, test it, and keep reports you can hand to an assessor without a long meeting. A Purview eDiscovery legal hold is only as strong as the proof you can produce.
