Microsoft Purview

Microsoft Purview eDiscovery API

APIs for automating eDiscovery operations through Microsoft Graph, including managing cases, custodians, review sets, searches, and exports for litigation, investigation, and regulatory requests.

GitHub OpenAPI

Documentation

📖
Documentation
https://learn.microsoft.com/en-us/graph/api/resources/security-ediscovery-apioverview?view=graph-rest-1.0
📖
Authentication
https://learn.microsoft.com/en-us/graph/security-ediscovery-appauthsetup
📖
GettingStarted
https://learn.microsoft.com/en-us/purview/edisc-ref-api-guide

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/microsoft-purview/refs/heads/main/openapi/microsoft-purview-ediscovery-openapi.yml

Other Resources

🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/microsoft-purview/refs/heads/main/capabilities/ediscovery-cases.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/microsoft-purview/refs/heads/main/capabilities/ediscovery-custodians.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/microsoft-purview/refs/heads/main/capabilities/ediscovery-legal-holds.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/microsoft-purview/refs/heads/main/capabilities/ediscovery-review-sets.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/microsoft-purview/refs/heads/main/capabilities/ediscovery-searches.yaml

OpenAPI Specification

microsoft-purview-ediscovery-openapi.yml Raw ↑ 
openapi: 3.1.0
info:
  title: Microsoft Purview eDiscovery API
  description: >-
    APIs for automating eDiscovery operations through Microsoft Graph, including
    managing cases, custodians, review sets, searches, and exports for
    litigation, investigation, and regulatory requests.
  version: v1.0
  contact:
    name: Microsoft Purview Support
    url: https://learn.microsoft.com/en-us/graph/api/resources/security-ediscovery-apioverview
  license:
    name: Microsoft API License
    url: https://azure.microsoft.com/en-us/support/legal/
servers:
  - url: https://graph.microsoft.com/v1.0
    description: Microsoft Graph v1.0 endpoint
security:
  - oauth2: []
tags:
  - name: Cases
    description: Operations for managing eDiscovery cases
  - name: Custodians
    description: Operations for managing custodians within cases
  - name: Legal Holds
    description: Operations for managing legal holds
  - name: Review Sets
    description: Operations for managing review sets
  - name: Searches
    description: Operations for managing eDiscovery searches
paths:
  /security/cases/ediscoveryCases:
    get:
      operationId: listEdiscoveryCases
      summary: Microsoft Purview List eDiscovery cases
      description: Get a list of eDiscovery cases in the organization.
      tags:
        - Cases
      parameters:
        - name: $top
          in: query
          schema:
            type: integer
            format: int32
        - name: $skip
          in: query
          schema:
            type: integer
            format: int32
        - name: $filter
          in: query
          schema:
            type: string
        - name: $orderby
          in: query
          schema:
            type: string
        - name: $select
          in: query
          schema:
            type: string
      responses:
        '200':
          description: eDiscovery cases listed successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  value:
                    type: array
                    items:
                      $ref: '#/components/schemas/EdiscoveryCase'
                  '@odata.nextLink':
                    type: string
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
    post:
      operationId: createEdiscoveryCase
      summary: Microsoft Purview Create an eDiscovery case
      description: Create a new eDiscovery case for investigation or litigation.
      tags:
        - Cases
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EdiscoveryCase'
      responses:
        '201':
          description: eDiscovery case created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EdiscoveryCase'
        '400':
          description: Bad request
        '401':
          description: Unauthorized
  /security/cases/ediscoveryCases/{ediscoveryCaseId}:
    get:
      operationId: getEdiscoveryCase
      summary: Microsoft Purview Get an eDiscovery case
      description: Get an eDiscovery case by its identifier.
      tags:
        - Cases
      parameters:
        - name: ediscoveryCaseId
          in: path
          required: true
          schema:
            type: string
      responses:
        '200':
          description: eDiscovery case retrieved successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EdiscoveryCase'
        '401':
          description: Unauthorized
        '404':
          description: Not found
    patch:
      operationId: updateEdiscoveryCase
      summary: Microsoft Purview Update an eDiscovery case
      description: Update the properties of an eDiscovery case.
      tags:
        - Cases
      parameters:
        - name: ediscoveryCaseId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EdiscoveryCase'
      responses:
        '200':
          description: eDiscovery case updated successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EdiscoveryCase'
        '401':
          description: Unauthorized
    delete:
      operationId: deleteEdiscoveryCase
      summary: Microsoft Purview Delete an eDiscovery case
      description: Delete an eDiscovery case and all associated data.
      tags:
        - Cases
      parameters:
        - name: ediscoveryCaseId
          in: path
          required: true
          schema:
            type: string
      responses:
        '204':
          description: eDiscovery case deleted successfully
        '401':
          description: Unauthorized
  /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians:
    get:
      operationId: listCustodians
      summary: Microsoft Purview List custodians in a case
      description: Get the list of custodians associated with an eDiscovery case.
      tags:
        - Custodians
      parameters:
        - name: ediscoveryCaseId
          in: path
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Custodians listed successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  value:
                    type: array
                    items:
                      $ref: '#/components/schemas/EdiscoveryCustodian'
        '401':
          description: Unauthorized
    post:
      operationId: createCustodian
      summary: Microsoft Purview Add a custodian to a case
      description: Create a new custodian and add them to an eDiscovery case.
      tags:
        - Custodians
      parameters:
        - name: ediscoveryCaseId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EdiscoveryCustodian'
      responses:
        '201':
          description: Custodian added successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EdiscoveryCustodian'
        '401':
          description: Unauthorized
  /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets:
    get:
      operationId: listReviewSets
      summary: Microsoft Purview List review sets in a case
      description: Get the list of review sets associated with an eDiscovery case.
      tags:
        - Review Sets
      parameters:
        - name: ediscoveryCaseId
          in: path
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Review sets listed successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  value:
                    type: array
                    items:
                      $ref: '#/components/schemas/EdiscoveryReviewSet'
        '401':
          description: Unauthorized
    post:
      operationId: createReviewSet
      summary: Microsoft Purview Create a review set
      description: Create a new review set in an eDiscovery case.
      tags:
        - Review Sets
      parameters:
        - name: ediscoveryCaseId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EdiscoveryReviewSet'
      responses:
        '201':
          description: Review set created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EdiscoveryReviewSet'
        '401':
          description: Unauthorized
  /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches:
    get:
      operationId: listEdiscoverySearches
      summary: Microsoft Purview List searches in a case
      description: Get the list of searches associated with an eDiscovery case.
      tags:
        - Searches
      parameters:
        - name: ediscoveryCaseId
          in: path
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Searches listed successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  value:
                    type: array
                    items:
                      $ref: '#/components/schemas/EdiscoverySearch'
        '401':
          description: Unauthorized
    post:
      operationId: createEdiscoverySearch
      summary: Microsoft Purview Create a search in a case
      description: Create a new eDiscovery search within a case.
      tags:
        - Searches
      parameters:
        - name: ediscoveryCaseId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EdiscoverySearch'
      responses:
        '201':
          description: Search created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EdiscoverySearch'
        '401':
          description: Unauthorized
  /security/cases/ediscoveryCases/{ediscoveryCaseId}/legalHolds:
    get:
      operationId: listLegalHolds
      summary: Microsoft Purview List legal holds
      description: Get the list of legal holds associated with an eDiscovery case.
      tags:
        - Legal Holds
      parameters:
        - name: ediscoveryCaseId
          in: path
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Legal holds listed successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  value:
                    type: array
                    items:
                      $ref: '#/components/schemas/EdiscoveryHoldPolicy'
        '401':
          description: Unauthorized
    post:
      operationId: createLegalHold
      summary: Microsoft Purview Create a legal hold
      description: Create a legal hold policy within an eDiscovery case.
      tags:
        - Legal Holds
      parameters:
        - name: ediscoveryCaseId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EdiscoveryHoldPolicy'
      responses:
        '201':
          description: Legal hold created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EdiscoveryHoldPolicy'
        '401':
          description: Unauthorized
components:
  securitySchemes:
    oauth2:
      type: oauth2
      description: Microsoft Identity Platform OAuth2
      flows:
        authorizationCode:
          authorizationUrl: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
          tokenUrl: https://login.microsoftonline.com/common/oauth2/v2.0/token
          scopes:
            eDiscovery.Read.All: Read eDiscovery data
            eDiscovery.ReadWrite.All: Read and write eDiscovery data
  schemas:
    EdiscoveryCase:
      type: object
      description: An eDiscovery case for litigation or investigation
      properties:
        id:
          type: string
          readOnly: true
        displayName:
          type: string
        description:
          type: string
        externalId:
          type: string
        status:
          type: string
          enum: [unknown, active, pendingDelete, closing, closed, closedWithError]
          readOnly: true
        createdDateTime:
          type: string
          format: date-time
          readOnly: true
        lastModifiedDateTime:
          type: string
          format: date-time
          readOnly: true
        closedBy:
          $ref: '#/components/schemas/IdentitySet'
        closedDateTime:
          type: string
          format: date-time
        lastModifiedBy:
          $ref: '#/components/schemas/IdentitySet'
    EdiscoveryCustodian:
      type: object
      description: A custodian in an eDiscovery case
      properties:
        id:
          type: string
          readOnly: true
        displayName:
          type: string
          readOnly: true
        email:
          type: string
        status:
          type: string
          enum: [active, released]
        createdDateTime:
          type: string
          format: date-time
          readOnly: true
        lastModifiedDateTime:
          type: string
          format: date-time
          readOnly: true
        holdStatus:
          type: string
          enum: [notApplied, applied, applying, removing, partial]
        acknowledgedDateTime:
          type: string
          format: date-time
    EdiscoveryReviewSet:
      type: object
      description: A review set for reviewing collected data
      properties:
        id:
          type: string
          readOnly: true
        displayName:
          type: string
        createdDateTime:
          type: string
          format: date-time
          readOnly: true
        createdBy:
          $ref: '#/components/schemas/IdentitySet'
    EdiscoverySearch:
      type: object
      description: An eDiscovery search
      properties:
        id:
          type: string
          readOnly: true
        displayName:
          type: string
        description:
          type: string
        contentQuery:
          type: string
          description: The KQL query for the search
        createdDateTime:
          type: string
          format: date-time
          readOnly: true
        lastModifiedDateTime:
          type: string
          format: date-time
          readOnly: true
        createdBy:
          $ref: '#/components/schemas/IdentitySet'
        lastModifiedBy:
          $ref: '#/components/schemas/IdentitySet'
    EdiscoveryHoldPolicy:
      type: object
      description: A legal hold policy
      properties:
        id:
          type: string
          readOnly: true
        displayName:
          type: string
        description:
          type: string
        isEnabled:
          type: boolean
        status:
          type: string
          enum: [pending, error, success, unknownFutureValue]
          readOnly: true
        contentQuery:
          type: string
        createdDateTime:
          type: string
          format: date-time
          readOnly: true
        lastModifiedDateTime:
          type: string
          format: date-time
          readOnly: true
        createdBy:
          $ref: '#/components/schemas/IdentitySet'
    IdentitySet:
      type: object
      properties:
        application:
          $ref: '#/components/schemas/Identity'
        device:
          $ref: '#/components/schemas/Identity'
        user:
          $ref: '#/components/schemas/Identity'
    Identity:
      type: object
      properties:
        displayName:
          type: string
        id:
          type: string