+# [PowerShell](#tab/powershell)

+# [Go](#tab/go)

+# [Go](#tab/go)

+```

+# [C#](#tab/csharp)

+# [Java](#tab/java)

+# [PowerShell](#tab/powershell)

+# [C#](#tab/csharp)

+# [Java](#tab/java)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [HTTP](#tab/http)

+```msgraph-interactive

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [HTTP](#tab/http)

+```msgraph-interactive

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [C#](#tab/csharp)

+# [Java](#tab/java)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+ Title: "Get caseOperation"

+description: "Read the properties and relationships of a caseOperation object."

+ms.localizationpriority: medium

+# Get caseOperation

+Namespace: microsoft.graph.security

+Read the properties and relationships of a [caseOperation](../resources/security-caseoperation.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/operations/{caseOperationId}

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a [caseOperation](../resources/security-caseoperation.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_caseoperation"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/operations/850c2f64b1ee44a4a69729327aac2b04

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.caseOperation"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/operations/$entity",

+ "@odata.type": "#microsoft.graph.security.ediscoveryAddToReviewSetOperation",

+ "createdDateTime": "2022-05-23T16:51:34.8281972Z",

+ "completedDateTime": "0001-01-01T00:00:00Z",

+ "percentProgress": 50,

+ "status": "running",

+ "action": "addToReviewSet",

+ "id": "850c2f64b1ee44a4a69729327aac2b04",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ }

+}

+```

+ Title: "Delete ediscoveryCase"

+description: "Deletes an ediscoveryCase."

+ms.localizationpriority: medium

+# Delete ediscoveryCase

+Namespace: microsoft.graph.security

+Deletes an [ediscoveryCase](../resources/security-ediscoverycase.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+DELETE /security/cases/ediscoveryCases/{ediscoveryCaseId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "delete_ediscoverycase"

+}

+-->

+``` http

+DELETE https://graph.microsoft.com/beta/security/cases/eDiscoverycases/22aa2acd-7554-4330-9ba9-ce20014aaae4

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "List ediscoveryCases"

+description: "Get a list of the eDiscovery cases"

+ms.localizationpriority: medium

+# List ediscoveryCases

+Namespace: microsoft.graph.security

+Get a list of the [ediscoveryCase](../resources/security-ediscoverycase.md) objects and their properties.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [ediscoveryCase](../resources/security-ediscoverycase.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_ediscoverycase"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/ediscoveryCases

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.ediscoveryCase)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases",

+ "@odata.count": 22,

+ "value": [

+ {

+ "description": "",

+ "lastModifiedDateTime": "2022-05-19T23:30:41.23Z",

+ "status": "active",

+ "closedDateTime": null,

+ "externalId": "",

+ "id": "60f86305-ac3e-408b-baa2-ea585dd8b0c0",

+ "displayName": "My case 1",

+ "createdDateTime": "2022-05-19T23:30:41.23Z",

+ "lastModifiedBy": {

+ "application": null,

+ "user": {

+ "id": null,

+ "displayName": "MOD Administrator"

+ }

+ },

+ "closedBy": {

+ "application": null,

+ "user": {

+ "id": null,

+ "displayName": ""

+ }

+ }

+ },

+ {

+ "description": "",

+ "lastModifiedDateTime": "2022-05-18T23:05:07.82Z",

+ "status": "active",

+ "closedDateTime": null,

+ "externalId": "",

+ "id": "7acdda75-3559-4f93-9827-cbd4c89db033",

+ "displayName": "My case 2",

+ "createdDateTime": "2022-05-18T23:05:07.82Z",

+ "lastModifiedBy": {

+ "application": null,

+ "user": {

+ "id": null,

+ "displayName": "MOD Administrator"

+ }

+ },

+ "closedBy": {

+ "application": null,

+ "user": {

+ "id": null,

+ "displayName": ""

+ }

+ }

+ }

+ ]

+}

+```

+ Title: "Create ediscoveryCase"

+description: "Create a new eDiscovery case."

+ms.localizationpriority: medium

+# Create ediscoveryCase

+Namespace: microsoft.graph.security

+Create a new [ediscoveryCase](../resources/security-ediscoverycase.md) object.

+>[!NOTE]

+> This API only creates an eDiscovery (Premium) case using the new case format. To learn more about the new case format in eDiscovery, see [Use the new case format in eDiscovery (Premium)](/microsoft-365/compliance/advanced-ediscovery-new-case-format).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [ediscoveryCase](../resources/security-ediscoverycase.md) object.

+You can specify the following properties when creating an **ediscoveryCase**.

+|Property|Type|Description|

+|:|:|:|

+|displayName|String|The name of the eDiscovery case. Required.|

+|description|String|The case description. Optional.|

+|externalId|String|The external case number for customer reference. Optional.|

+## Response

+If successful, this method returns a `201 Created` response code and an [ediscoveryCase](../resources/security-ediscoverycase.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_ediscoverycase_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/ediscoveryCases

+Content-Type: application/json

+{

+ "displayName": "CONTOSO LITIGATION-005",

+ "description": "Project Bazooka",

+ "externalId": "324516"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryCase"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases/$entity",

+ "description": "Project Bazooka",

+ "lastModifiedDateTime": "2022-05-22T18:36:48.0834353Z",

+ "status": "active",

+ "closedDateTime": "2022-05-22T18:36:48.083436Z",

+ "externalId": "324516",

+ "id": "22aa2acd-7554-4330-9ba9-ce20014aaae4",

+ "displayName": "CONTOSO LITIGATION-005",

+ "createdDateTime": "2022-05-22T18:36:48.0834351Z",

+ "lastModifiedBy": null,

+ "closedBy": null

+}

+```

+ Title: "Close eDiscoveryCase"

+description: "Close an eDiscoveryCase."

+ms.localizationpriority: medium

+# Close eDiscoveryCase

+Namespace: microsoft.graph.security

+Close an eDiscovery case. For details, see [Close a case](/microsoft-365/compliance/close-or-delete-case#close-a-case).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/close

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this action returns a `204 No Content` response code.

+## Examples

+### Request

+<!-- {

+ "blockType": "request",

+ "name": "close_ediscoverycase"

+}

+-->

+``` http

+POST https://graph.microsoft.com/security/cases/eDiscoveryCases/061b9a92-8926-4bd9-b41d-abf35edc7583/close

+```

+### Response

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Delete ediscoveryHoldPolicy"

+description: "Deletes an ediscoveryHoldPolicy object."

+ms.localizationpriority: medium

+# Delete ediscoveryHoldPolicy

+Namespace: microsoft.graph.security

+Deletes an [ediscoveryHoldPolicy](../resources/security-ediscoveryholdpolicy.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+DELETE /security/cases/ediscoveryCases/{ediscoveryCaseId}/legalHolds/{ediscoveryHoldPolicyId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "delete_ediscoveryholdpolicy"

+}

+-->

+``` http

+DELETE https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/legalholds/a4d3421d-b756-47ac-ad43-5d587c5dfe75/

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Delete ediscoverySearch"

+description: "Deletes an ediscoverySearch object."

+ms.localizationpriority: medium

+# Delete ediscoverySearch

+Namespace: microsoft.graph.security

+Deletes an [ediscoverySearch](../resources/security-ediscoverysearch.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+DELETE /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "delete_ediscoverysearch"

+}

+-->

+``` http

+DELETE https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/searches/60150269-9758-4439-9bc4-453c864d082f

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Remove ediscoveryReviewTag"

+description: "Remove an ediscoveryReviewTag object."

+ms.localizationpriority: medium

+# Remove ediscoveryReviewTag

+Namespace: microsoft.graph.security

+Remove an [ediscoveryReviewTag](../resources/security-ediscoveryreviewtag.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+DELETE /security/cases/ediscoveryCases/{ediscoveryCaseId}/tags/{tagId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "delete_parent_from_ediscoveryreviewtag"

+}

+-->

+``` http

+DELETE https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/tags/d05c2ef9369d49c293b5a6a6d18a5fd9

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Get ediscoveryCase"

+description: "Read the properties and relationships of an ediscoveryCase object."

+ms.localizationpriority: medium

+# Get ediscoveryCase

+Namespace: microsoft.graph.security

+Read the properties and relationships of an [ediscoveryCase](../resources/security-ediscoverycase.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [ediscoveryCase](../resources/security-ediscoverycase.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_ediscoverycase"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/22aa2acd-7554-4330-9ba9-ce20014aaae4

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryCase"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases/$entity",

+ "description": "",

+ "lastModifiedDateTime": "2022-05-22T18:36:46.597Z",

+ "status": "active",

+ "closedDateTime": null,

+ "externalId": "324516",

+ "id": "22aa2acd-7554-4330-9ba9-ce20014aaae4",

+ "displayName": "CONTOSO LITIGATION-005",

+ "createdDateTime": "2022-05-22T18:36:46.597Z",

+ "lastModifiedBy": null,

+ "closedBy": null

+}

+```

+ Title: "List ediscoveryCustodian"

+description: "Get a list of the ediscovery custodian object."

+ms.localizationpriority: medium

+# List ediscoveryCustodian

+Namespace: microsoft.graph.security

+Get a list of the [custodian](../resources/security-ediscoverycustodian.md) objects and their properties.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [ediscoveryCustodian](../resources/security-ediscoverycustodian.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_ediscoverycustodian_from_"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryCustodian"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians",

+ "@odata.count": 1,

+ "value": [

+ {

+ "status": "active",

+ "holdStatus": "notApplied",

+ "createdDateTime": "2022-05-23T00:58:19.0702426Z",

+ "lastModifiedDateTime": "2022-05-23T00:58:19.0702436Z",

+ "releasedDateTime": null,

+ "id": "0053a61a3b6c42738f7606791716a22a",

+ "displayName": "Alex Wilber",

+ "email": "AlexW@M365x809305.OnMicrosoft.com",

+ "acknowledgedDateTime": "0001-01-01T00:00:00Z"

+ }

+ ]

+}

+```

+ Title: "List ediscoveryHoldPolicies"

+description: "Get a list of the ediscoveryHoldPolicy objects and their properties."

+ms.localizationpriority: medium

+# List ediscoveryHoldPolicies

+Namespace: microsoft.graph.security

+Get a list of the [ediscoveryHoldPolicy](../resources/security-ediscoveryholdpolicy.md) objects and their properties.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/legalHolds

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [ediscoveryHoldPolicy](../resources/security-ediscoveryholdpolicy.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_ediscoveryholdpolicy"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/legalHolds

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.ediscoveryHoldPolicy)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/legalHolds",

+ "@odata.count": 2,

+ "value": [

+ {

+ "isEnabled": false,

+ "errors": [],

+ "contentQuery": "",

+ "description": null,

+ "createdDateTime": "2022-05-23T01:09:53Z",

+ "lastModifiedDateTime": "2022-05-23T02:36:26Z",

+ "status": "pending",

+ "id": "783c3ea4-d474-4051-9c13-08707ce8c8b6",

+ "displayName": "CustodianHold-b0073e4e-4184-41c6-9eb7-8c8cc3e2288b",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "MOD Administrator",

+ "displayName": null

+ }

+ },

+ "lastModifiedBy": {

+ "application": null,

+ "user": {

+ "id": "MOD Administrator",

+ "displayName": null

+ }

+ }

+ },

+ {

+ "isEnabled": false,

+ "errors": [],

+ "contentQuery": "",

+ "description": null,

+ "createdDateTime": "2022-05-23T02:09:27Z",

+ "lastModifiedDateTime": "2022-05-23T02:41:26Z",

+ "status": "pending",

+ "id": "ff7e8841-b1ac-41f0-87c5-fa00da045ae0",

+ "displayName": "NCDSHold-b0073e4e-4184-41c6-9eb7-8c8cc3e2288b",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "MOD Administrator",

+ "displayName": null

+ }

+ },

+ "lastModifiedBy": {

+ "application": null,

+ "user": {

+ "id": "MOD Administrator",

+ "displayName": null

+ }

+ }

+ }

+ ]

+}

+```

+ Title: "List ediscoveryNoncustodialDataSource"

+description: "Get a list of the ediscoveryNoncustodialDataSource object."

+ms.localizationpriority: medium

+# List ediscoveryNoncustodialDataSource

+Namespace: microsoft.graph.security

+Get a list of the [non-custodial data sources](../resources/security-ediscoverynoncustodialdatasource.md) objects and their properties.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/noncustodialDataSources

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [ediscoveryNoncustodialDataSource](../resources/security-ediscoverynoncustodialdatasource.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_ediscoverynoncustodialdatasource_from_"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/noncustodialdatasources?$expand=dataSource

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryNoncustodialDataSource"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/noncustodialDataSources(dataSource())",

+ "@odata.count": 3,

+ "value": [

+ {

+ "status": "active",

+ "holdStatus": "applied",

+ "createdDateTime": "2022-05-23T02:09:11.1395287Z",

+ "lastModifiedDateTime": "2022-05-23T02:09:11.1395287Z",

+ "releasedDateTime": "0001-01-01T00:00:00Z",

+ "id": "35393639323133394345384344303043",

+ "displayName": "U.S. Sales",

+ "dataSource@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/noncustodialDataSources('35393639323133394345384344303043')/dataSource/$entity",

+ "dataSource": {

+ "@odata.type": "#microsoft.graph.security.siteSource",

+ "@odata.id": "https://graph.microsoft.com/v1.0/sites/169718e3-a8df-449d-bef4-ee09fe1ddc5d",

+ "displayName": "U.S. Sales",

+ "createdDateTime": "2022-05-23T02:09:11.1395535Z",

+ "holdStatus": "0",

+ "id": "169718e3-a8df-449d-bef4-ee09fe1ddc5d",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ },

+ "site": {

+ "webUrl": "https://m365x809305.sharepoint.com/sites/USSales",

+ "id": "169718e3-a8df-449d-bef4-ee09fe1ddc5d",

+ "createdDateTime": "2022-05-23T02:09:11.1395535Z"

+ }

+ }

+ },

+ {

+ "status": "active",

+ "holdStatus": "applied",

+ "createdDateTime": "2022-05-23T02:09:11.1395287Z",

+ "lastModifiedDateTime": "2022-05-23T02:09:11.1395287Z",

+ "releasedDateTime": "0001-01-01T00:00:00Z",

+ "id": "31453237353743363432414242344641",

+ "displayName": "Sales and Marketing",

+ "dataSource@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/noncustodialDataSources('31453237353743363432414242344641')/dataSource/$entity",

+ "dataSource": {

+ "@odata.type": "#microsoft.graph.security.siteSource",

+ "@odata.id": "https://graph.microsoft.com/v1.0/sites/74f6c798-fc32-4dbe-9e5b-8e11459b9f44",

+ "displayName": "Sales and Marketing",

+ "createdDateTime": "2022-05-23T02:09:11.1397925Z",

+ "holdStatus": "0",

+ "id": "74f6c798-fc32-4dbe-9e5b-8e11459b9f44",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ },

+ "site": {

+ "webUrl": "https://m365x809305.sharepoint.com/sites/SalesAndMarketing",

+ "id": "74f6c798-fc32-4dbe-9e5b-8e11459b9f44",

+ "createdDateTime": "2022-05-23T02:09:11.1397925Z"

+ }

+ }

+ },

+ {

+ "status": "active",

+ "holdStatus": "applied",

+ "createdDateTime": "2022-05-23T02:09:11.1395287Z",

+ "lastModifiedDateTime": "2022-05-23T02:09:11.1395287Z",

+ "releasedDateTime": "0001-01-01T00:00:00Z",

+ "id": "46333131344239353834433430454335",

+ "displayName": "Retail",

+ "dataSource@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/noncustodialDataSources('46333131344239353834433430454335')/dataSource/$entity",

+ "dataSource": {

+ "@odata.type": "#microsoft.graph.security.siteSource",

+ "@odata.id": "https://graph.microsoft.com/v1.0/sites/dbe4b18e-2765-4989-8647-48139180c45f",

+ "displayName": "Retail",

+ "createdDateTime": "2022-05-23T02:09:11.1399861Z",

+ "holdStatus": "0",

+ "id": "dbe4b18e-2765-4989-8647-48139180c45f",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ },

+ "site": {

+ "webUrl": "https://m365x809305.sharepoint.com/sites/Retail",

+ "id": "dbe4b18e-2765-4989-8647-48139180c45f",

+ "createdDateTime": "2022-05-23T02:09:11.1399861Z"

+ }

+ }

+ }

+ ]

+}

+```

+ Title: "List caseOperations"

+description: "Get a list of the caseOperation objects and their properties."

+ms.localizationpriority: medium

+# List caseOperations

+Namespace: microsoft.graph.security

+Get a list of the [caseOperation](../resources/security-caseoperation.md) objects and their properties.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/operations

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [caseOperation](../resources/security-caseoperation.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_caseoperation"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/operations

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.caseOperation)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/operations",

+ "value": [

+ {

+ "createdDateTime": "2022-05-23T01:09:36.834501Z",

+ "completedDateTime": "2022-05-23T01:10:08.8710734Z",

+ "percentProgress": 100,

+ "status": "succeeded",

+ "action": "holdUpdate",

+ "id": "1ab699d7e53d46de944144c4a650d66f",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "0d38933a-0bbd-41ca-9ebd-28c4b5ba7cb7",

+ "displayName": null,

+ "userPrincipalName": null

+ }

+ }

+ }

+ ]

+}

+```

+ Title: "List ediscoveryReviewSet"

+description: "Get the ediscoveryReviewSet resources from an eDiscovery case object"

+ms.localizationpriority: medium

+# List ediscoveryReviewSet

+Namespace: microsoft.graph.security

+Get the [ediscoveryReviewSet](../resources/security-ediscoveryreviewset.md) resources from the reviewSet navigation property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [ediscoveryReviewSet](../resources/security-ediscoveryreviewset.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_ediscoveryreviewset"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/reviewSets

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.ediscoveryReviewSet)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/reviewSets",

+ "value": [

+ {

+ "displayName": "My review set",

+ "id": "025852b3-5062-4169-9609-9861a6fe2fe5",

+ "createdDateTime": "2022-05-23T16:26:08.7203883Z",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ }

+ }

+ ]

+}

+```

+ Title: "List ediscoverySearch"

+description: "Get the list of searches from an eDiscovery case"

+ms.localizationpriority: medium

+# List ediscoverySearch

+Namespace: microsoft.graph.security

+Get the list of [ediscoverySearch](../resources/security-ediscoverysearch.md) resources from from a [eDiscoveryCase](../resources/security-ediscoverycase.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [ediscoverySearch](../resources/security-ediscoverysearch.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_ediscoverysearch"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/searches

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.ediscoverySearch)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/searches",

+ "value": [

+ {

+ "dataSourceScopes": "none",

+ "description": "My first search",

+ "lastModifiedDateTime": "2022-05-23T04:38:07.5787454Z",

+ "contentQuery": "(Author=\"edison\")",

+ "id": "46867792-68e6-41db-9cd0-f651c2290d91",

+ "displayName": "My search 2",

+ "createdDateTime": "2022-05-23T04:38:07.5787454Z",

+ "lastModifiedBy": null,

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

+ "displayName": "Graph Explorer"

+ }

+ }

+ },

+ {

+ "dataSourceScopes": "none",

+ "description": "My first search",

+ "lastModifiedDateTime": "2022-05-23T04:35:36.5424818Z",

+ "contentQuery": "(Author=\"edison\")",

+ "id": "80b9d59a-12a6-4273-a3d4-ab78f9a04ea5",

+ "displayName": "My search 1",

+ "createdDateTime": "2022-05-23T04:35:36.5424818Z",

+ "lastModifiedBy": null,

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

+ "displayName": "Graph Explorer"

+ }

+ }

+ }

+ ]

+}

+```

+ Title: "List ediscoveryReviewTag"

+description: "Get the list of ediscoveryReviewTag objects from an eDiscovery case object."

+ms.localizationpriority: medium

+# List ediscoveryReviewTag

+Namespace: microsoft.graph.security

+Create a new ediscoveryReviewTag object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/tags

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_ediscoveryreviewtag_from_"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/tags

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryReviewTag"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('58399dff-cebe-478f-b1af-d3227f1fd645')/tags",

+ "@odata.count": 5,

+ "value": [

+ {

+ "displayName": "My tag",

+ "lastModifiedDateTime": "2022-05-23T19:41:01.7432683Z",

+ "childSelectability": "Many",

+ "id": "062de822f17a4a2e9b833aa3f6c37108",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ }

+ },

+ {

+ "displayName": "Responsive",

+ "description": "",

+ "lastModifiedDateTime": "2022-05-23T19:41:24.4237284Z",

+ "childSelectability": "One",

+ "id": "d3d99dc704a74801b792b3e1e722aa0d",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ }

+ },

+ {

+ "displayName": "Not responsive",

+ "lastModifiedDateTime": "2022-05-23T19:41:31.3381716Z",

+ "childSelectability": "One",

+ "id": "ced26633616a434abd83762d49a25a6c",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ }

+ },

+ {

+ "displayName": "Processing",

+ "description": "Determine whether to outsource processing",

+ "lastModifiedDateTime": "2022-05-23T19:46:03.8746996Z",

+ "childSelectability": "Many",

+ "id": "d8580989505c4fb3a25b845013697cf7",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ }

+ },

+ {

+ "displayName": "External",

+ "lastModifiedDateTime": "2022-05-23T19:46:10.5212362Z",

+ "childSelectability": "One",

+ "id": "d05c2ef9369d49c293b5a6a6d18a5fd9",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ }

+ }

+ ]

+}

+```

+ Title: "Create ediscoveryCustodian"

+description: "Create a new ediscoveryCustodian object."

+ms.localizationpriority: medium

+# Create ediscoveryCustodian

+Namespace: microsoft.graph.security

+Create a new [ediscoveryCustodian](../resources/security-ediscoverycustodian.md) object.

+After the custodian object is created, you will need to create the custodian's [userSource](../resources/security-usersource.md) to reference their mailbox and OneDrive for Business site.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [ediscoveryCustodian](../resources/security-ediscoverycustodian.md) object.

+You can specify the following properties when creating an **ediscoveryCustodian**.

+|Property|Type|Description|

+|:|:|:|

+|email|String|Custodian's primary SMTP address. Required.|

+## Response

+If successful, this method returns a `201 Created` response code and an [ediscoveryCustodian](../resources/security-ediscoverycustodian.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_ediscoverycustodian_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians

+Content-Type: application/json

+{

+ "email":"AdeleV@contoso.com",

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryCustodian"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('4c8f8f70-7785-4bd4-b296-c98376a2c5e1')/custodians/$entity",

+ "status": "active",

+ "holdStatus": "applied",

+ "createdDateTime": "2022-05-23T00:58:19.0702426Z",

+ "lastModifiedDateTime": "2022-05-23T00:58:19.0702436Z",

+ "releasedDateTime": null,

+ "id": "0053a61a3b6c42738f7606791716a22a",

+ "displayName": "Adele Vance",

+ "email": "AdeleV@contoso.com",

+ "acknowledgedDateTime": "0001-01-01T00:00:00Z"

+}

+```

+ Title: "Create ediscoveryHoldPolicy"

+description: "Create a new ediscoveryHoldPolicy object."

+ms.localizationpriority: medium

+# Create ediscoveryHoldPolicy

+Namespace: microsoft.graph.security

+Create a new [ediscoveryHoldPolicy](../resources/security-ediscoveryholdpolicy.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/legalHolds

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [ediscoveryHoldPolicy](../resources/security-ediscoveryholdpolicy.md) object.

+You can specify the following properties when creating an **ediscoveryHoldPolicy**.

+|Property|Type|Description|

+|:|:|:|

+|displayName|String|The display name of the legal hold policy. Required.|

+|description|String|The description of the legal hold policy. Optional.|

+|contentQuery|String|The content query of the legal hold policy. Optional.|

+## Response

+If successful, this method returns a `201 Created` response code and an [ediscoveryHoldPolicy](../resources/security-ediscoveryholdpolicy.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_ediscoveryholdpolicy_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/legalHolds

+Content-Type: application/json

+{

+ "displayname": "My legalHold with sources",

+ "description": "Created from Graph API",

+ "contentQuery": "Bazooka",

+ "userSources@odata.bind": [

+ {

+ "@odata.type": "microsoft.graph.security.userSource",

+ "email": "SalesTeam@M365x809305.OnMicrosoft.com"

+ }

+ ],

+ "siteSources@odata.bind": [

+ {

+ "@odata.type": "microsoft.graph.security.siteSource",

+ "site": {

+ "webUrl": "https://m365x809305.sharepoint.com/sites/Design-topsecret"

+ }

+ }

+ ]

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryHoldPolicy"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/legalHolds/$entity",

+ "isEnabled": true,

+ "errors": [],

+ "contentQuery": "Bazooka",

+ "description": "Created from Graph API",

+ "createdDateTime": "2022-05-23T03:54:11.1Z",

+ "lastModifiedDateTime": "2022-05-23T03:54:11.1Z",

+ "status": "pending",

+ "id": "b9758bbc-ddbd-45e0-8484-3eb49cf1ded3",

+ "displayName": "My legalHold with sources",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "MOD Administrator",

+ "displayName": null

+ }

+ },

+ "lastModifiedBy": {

+ "application": null,

+ "user": {

+ "id": "MOD Administrator",

+ "displayName": null

+ }

+ }

+}

+```

+ Title: "Create ediscoveryNoncustodialDataSource"

+description: "Create a new ediscoveryNoncustodialDataSource object."

+ms.localizationpriority: medium

+# Create ediscoveryNoncustodialDataSource

+Namespace: microsoft.graph.security

+Create a new ediscoveryNoncustodialDataSource object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/noncustodialDataSources

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [ediscoveryNoncustodialDataSource](../resources/security-ediscoverynoncustodialdatasource.md) object.

+You can specify the following properties when creating an **ediscoveryNoncustodialDataSource**.

+|Property|Type|Description|

+|:|:|:|

+|dataSource|[microsoft.graph.security.dataSource](../resources/security-datasource.md)|Required. Either a userSource or siteSource. For userSource, use "dataSource" : { "@odata.type" : "microsoft.graph.security.userSource", "email" : "SMTP address"}. For site source use "dataSource" : { "@odata.type" : "microsoft.graph.security.siteSource", "site@odata.bind" : "siteId" }, where siteId can be derived from the site URL, e.g. `https://contoso.sharepoint.com/sites/HumanResources`, the Microsoft Graph request would be `https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com:/sites/HumanResources`. The ID is the first GUID listed in the ID field. Alternatively use the webUrl directly, "dataSource": {"@odata.type": "microsoft.graph.security.siteSource","site": {"webUrl": `https://m365x809305.sharepoint.com/sites/Design-topsecret`}}

+## Response

+If successful, this method returns a `201 Created` response code and an [ediscoveryNoncustodialDataSource](../resources/security-ediscoverynoncustodialdatasource.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_ediscoverynoncustodialdatasource_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/noncustodialDataSources

+Content-Type: application/json

+{

+ "dataSource": {

+ "@odata.type": "microsoft.graph.security.siteSource",

+ "site": {

+ "webUrl": "https://m365x809305.sharepoint.com/sites/Design-topsecret"

+ }

+ }

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryNoncustodialDataSource"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/noncustodialDataSources/$entity",

+ "status": "active",

+ "holdStatus": "notApplied",

+ "createdDateTime": "2022-05-23T03:15:08.5354451Z",

+ "lastModifiedDateTime": "2022-05-23T03:15:08.5354451Z",

+ "releasedDateTime": "0001-01-01T00:00:00Z",

+ "id": "43373338343345303943344434423032",

+ "displayName": "Design - top secret"

+}

+```

+ Title: "Create ediscoveryReviewSet"

+description: "Create a new ediscoveryReviewSet object."

+ms.localizationpriority: medium

+# Create ediscoveryReviewSet

+Namespace: microsoft.graph.security

+Create a new [ediscoveryReviewSet](../resources/security-ediscoveryreviewset.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [ediscoveryReviewSet](../resources/security-ediscoveryreviewset.md) object.

+You can specify the following properties when creating an **ediscoveryReviewSet**.

+|Property|Type|Description|

+|:|:|:|

+|displayName|String|The name of the review set. Required.|

+## Response

+If successful, this method returns a `201 Created` response code and an [ediscoveryReviewSet](../resources/security-ediscoveryreviewset.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_ediscoveryreviewset_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/reviewSets

+Content-Type: application/json

+{

+ "displayName": "My review set 2"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryReviewSet"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/reviewSets/$entity",

+ "displayName": "My review set 2",

+ "id": "887306f5-1eb4-4409-b18c-ba47f4e3fa9b",

+ "createdDateTime": "2022-05-23T16:33:13.5126494Z",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null,

+ "userPrincipalName": "c25c3914-f9f7-43ee-9cba-a25377e0cec6"

+ }

+ }

+}

+```

+ Title: "Create ediscoverySearch"

+description: "Create a new ediscoverySearch object."

+ms.localizationpriority: medium

+# Create ediscoverySearch

+Namespace: microsoft.graph.security

+Create a new [ediscoverySearch](../resources/security-ediscoverysearch.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [ediscoverySearch](../resources/security-ediscoverysearch.md) object.

+You can specify the following properties when creating an **ediscoverySearch**.

+|Property|Type|Description|

+|:|:|:|

+|displayName|String|The display name of the search. Required|

+|description|String|The description of the search Optional.|

+|contentQuery|String|The query string used for the search. The query string in KQL (Keyword Query Language) format. Optional|

+|dataSourceScopes|String|The option to search across all mailboxes or sites in the tenant. The possible values are: `none`, `allTenantMailboxes`, `allTenantSites`, `allCaseCustodians`, `allCaseNoncustodialDataSources`. Optional.|

+## Response

+If successful, this method returns a `201 Created` response code and an [ediscoverySearch](../resources/security-ediscoverysearch.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_ediscoverysearch_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/searches

+Content-Type: application/json

+{

+ "displayName": "My search 2",

+ "description": "My first search",

+ "contentQuery": "(Author=\"edison\")",

+ "custodianSources@odata.bind": [

+ "https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/0053a61a3b6c42738f7606791716a22a/userSources/43434642-3137-3138-3432-374142313639",

+ "https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/0053a61a3b6c42738f7606791716a22a/siteSources/169718e3-a8df-449d-bef4-ee09fe1ddc5d",

+ "https://graph.microsoft.com/beta/security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('0053a61a3b6c42738f7606791716a22a')/unifiedGroupSources('32e14fa4-3106-4bd2-a245-34bf0c718a7e')"

+ ],

+ "noncustodialSources@odata.bind": [

+ "https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/noncustodialdatasources/35393639323133394345384344303043"

+ ]

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoverySearch"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/searches/$entity",

+ "dataSourceScopes": "none",

+ "description": "My first search",

+ "lastModifiedDateTime": "2022-05-23T04:38:07.5787454Z",

+ "contentQuery": "(Author=\"edison\")",

+ "id": "46867792-68e6-41db-9cd0-f651c2290d91",

+ "displayName": "My search 2",

+ "createdDateTime": "2022-05-23T04:38:07.5787454Z",

+ "lastModifiedBy": null,

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

+ "displayName": "Graph Explorer"

+ }

+ }

+}

+```

+ Title: "Create ediscoveryReviewTag"

+description: "Create a new ediscoveryReviewTag object."

+ms.localizationpriority: medium

+# Create ediscoveryReviewTag

+Namespace: microsoft.graph.security

+Create a new ediscoveryReviewTag object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/tags

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [ediscoveryReviewTag](../resources/security-ediscoveryreviewtag.md) object.

+You can specify the following properties when creating an **ediscoveryReviewTag**.

+|Property|Type|Description|

+|:|:|:|

+|displayName|String|Display name of the tag. Required.|

+|description|String|Description of the tag. Optional.|

+|childSelectability|String|This value controls whether the UX presents the tags as checkboxes or a radio button group. The possible values are: `One`, `Many`. Required.|

+## Response

+If successful, this method returns a `201 Created` response code and an [ediscoveryReviewTag](../resources/security-ediscoveryreviewtag.md) object in the response body.

+## Examples

+### Create a tag

+#### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_ediscoveryreviewtag_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/tags

+{

+ "displayName": "My tag API",

+ "description": "Use Graph API to create tags",

+ "childSelectability": "Many"

+}

+```

+#### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryReviewTag"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('58399dff-cebe-478f-b1af-d3227f1fd645')/tags/$entity",

+ "displayName": "My tag API",

+ "description": "Use Graph API to create tags",

+ "lastModifiedDateTime": "2022-05-23T19:58:26.1573076Z",

+ "childSelectability": "Many",

+ "id": "7c6cc351-fb90-431f-8562-1b607a3144a4",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

+ "displayName": "Graph Explorer"

+ }

+ }

+}

+```

+### Create a tag with a parent

+#### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_ediscoveryreviewtag_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/tags

+{

+ "displayName": "My tag API",

+ "description": "Use Graph API to create tags",

+ "childSelectability": "Many",

+ "parent@odata.bind":""

+}

+```

+#### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryReviewTag"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('58399dff-cebe-478f-b1af-d3227f1fd645')/tags/$entity",

+ "displayName": "My tag API",

+ "description": "Use Graph API to create tags",

+ "lastModifiedDateTime": "2022-05-23T19:58:26.1573076Z",

+ "childSelectability": "Many",

+ "id": "7c6cc351-fb90-431f-8562-1b607a3144a4",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

+ "displayName": "Graph Explorer"

+ }

+ }

+}

+```

+ Title: "Reopen eDiscoveryCase"

+description: "Reopen an eDiscoveryCase that was closed."

+ms.localizationpriority: medium

+# eDiscoveryCase: reopen

+Namespace: microsoft.graph.security

+Reopen an eDiscovery case that was closed. For details, see [Reopen a closed case](/microsoft-365/compliance/close-or-delete-case#reopen-a-closed-case).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/reopen

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this action returns a `204 No Content` response code.

+## Examples

+### Request

+<!-- {

+ "blockType": "request",

+ "name": "reopen_ediscoverycase"

+}

+-->

+``` http

+POST https://graph.microsoft.com/security/cases/eDiscoveryCases/061b9a92-8926-4bd9-b41d-abf35edc7583/reopen

+```

+### Response

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Update ediscoveryCase"

+description: "Update the properties of an ediscoveryCase object."

+ms.localizationpriority: medium

+# Update ediscoveryCase

+Namespace: microsoft.graph.security

+Update the properties of an [ediscoveryCase](../resources/security-ediscoverycase.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /security/cases/ediscoveryCases/{ediscoveryCaseId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply the values for relevant fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance, don't include existing values that haven't changed.

+| Property | Type | Description |

+|:-|:|:|

+|description|String|The case description.|

+|displayName|String|The case name.|

+|externalId|String|The external case number for customer reference.|

+## Response

+If successful, this method returns a `204 NO CONTENT` response code and an updated [ediscoveryCase](../resources/security-ediscoverycase.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "update_ediscoverycase"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/beta/security/cases/eDiscoverycases/22aa2acd-7554-4330-9ba9-ce20014aaae4

+Content-Type: application/json

+{

+ "displayName": "My Case 1 - Renamed",

+ "description": "Updated description"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+```http

+HTTP/1.1 204 No Content

+```

+ Title: "Get ediscoveryCaseSettings"

+description: "Read the properties and relationships of an ediscoveryCaseSettings object."

+ms.localizationpriority: medium

+# Get ediscoveryCaseSettings

+Namespace: microsoft.graph.security

+Read the properties and relationships of an [ediscoveryCaseSettings](../resources/security-ediscoverycasesettings.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/settings

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [ediscoveryCaseSettings](../resources/security-ediscoverycasesettings.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_ediscoverycasesettings"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/settings

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryCaseSettings"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/settings/$entity",

+ "id": "b0073e4e-4184-41c6-9eb7-8c8cc3e2288b",

+ "redundancyDetection": {

+ "isEnabled": true,

+ "similarityThreshold": 65,

+ "minWords": 10,

+ "maxWords": 500000

+ },

+ "topicModeling": {

+ "isEnabled": false,

+ "ignoreNumbers": true,

+ "topicCount": 100,

+ "dynamicallyAdjustTopicCount": true

+ },

+ "ocr": {

+ "isEnabled": false,

+ "maxImageSize": 24576,

+ "timeout": "PT1M"

+ }

+}

+```

+ Title: "Reset ediscoveryCaseSettings to default"

+description: "Reset a ediscoveryCaseSettingsobject to the default values."

+ms.localizationpriority: medium

+# eDiscoveryCaseSettings: resetToDefault

+Namespace: microsoft.graph.security

+Reset a [caseSettings](../resources/security-ediscoverycaseSettings.md) object to the default values.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/settings/resetToDefault

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this action returns a `200 OK` response code.

+## Examples

+### Request

+<!-- {

+ "blockType": "request",

+ "name": "settings_resettodefault"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/settings/resettodefault

+```

+### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+ Title: "Update ediscoveryCaseSettings"

+description: "Update the properties of an ediscoveryCaseSettings object."

+ms.localizationpriority: medium

+# Update ediscoveryCaseSettings

+Namespace: microsoft.graph.security

+Update the properties of an [ediscoveryCaseSettings](../resources/security-ediscoverycasesettings.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /security/cases/ediscoveryCases/{ediscoveryCaseId}/settings

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+|Property|Type|Description|

+|:|:|:|

+|redundancyDetection|[microsoft.graph.security.redundancyDetectionSettings](../resources/security-redundancydetectionsettings.md)|**TODO: Add Description** Optional.|

+|topicModeling|[microsoft.graph.security.topicModelingSettings](../resources/security-topicmodelingsettings.md)|**TODO: Add Description** Optional.|

+|ocr|[microsoft.graph.security.ocrSettings](../resources/security-ocrsettings.md)|**TODO: Add Description** Optional.|

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "update_ediscoverycasesettings"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/beta/security/cases/ediscoveryCases/{ediscoveryCaseId}/settings

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.security.ediscoveryCaseSettings",

+ "redundancyDetection": {

+ "@odata.type": "microsoft.graph.security.redundancyDetectionSettings"

+ },

+ "topicModeling": {

+ "@odata.type": "microsoft.graph.security.topicModelingSettings"

+ },

+ "ocr": {

+ "@odata.type": "microsoft.graph.security.ocrSettings"

+ }

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "ediscoveryCustodian: activate"

+description: "Re-activate a custodian from a case."

+ms.localizationpriority: medium

+# ediscoveryCustodian: activate

+Namespace: microsoft.graph.security

+Activate a custodian that has been released from a case to make them part of the case again. For details, see [Manage custodians in an Advanced eDiscovery case](/microsoft-365/compliance/manage-new-custodians#re-activate-custodian).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{ediscoveryCustodianId}/activate

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this action returns a `202 Accepted` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverycustodianthis.activate"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{ediscoveryCustodianId}/activate

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+ Title: "ediscoveryCustodian: applyHold"

+description: "Start the process of applying hold to eDiscovery custodians."

+ms.localizationpriority: medium

+# ediscoveryCustodian: applyHold

+Namespace: microsoft.graph.security

+Start the process of applying hold to eDiscovery custodians. After the operation is created, you can get the status of the case operation by retrieving the `Location` parameter from the response headers. The location provides a URL that will return a [eDiscoveryHoldOpertaion](../resources/security-ediscoveryholdoperation.md).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/applyHold

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{eDiscoveryCustodianId}/applyHold

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+|Parameter|Type|Description|

+|:|:|:|

+|ids|String collection|The IDs of custodians to apply hold. Optional.|

+## Response

+If successful, this action returns a `202 Accepted` response code.

+## Examples

+### Example 1. Apply hold to multiple custodians.

+#### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverycustodianthis.applyhold"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/applyHold

+Content-Type: application/json

+{

+ "ids": [

+ "7f697316-43ed-48e1-977f-261be050db93", "b26888b3-e1f5-47c5-bdf2-33d1b90cb2e8"

+ ]

+}

+```

+#### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+### Example 2. Apply hold to a single custodian.

+#### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverycustodianthis.applyhold"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/c25c3914f9f743ee9cbaa25377e0cec6/applyHold

+```

+#### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+ Title: "Get ediscoveryCustodian"

+description: "Read the properties and relationships of an ediscoveryCustodian object."

+ms.localizationpriority: medium

+# Get ediscoveryCustodian

+Namespace: microsoft.graph.security

+Read the properties and relationships of an [ediscoveryCustodian](../resources/security-ediscoverycustodian.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{ediscoveryCustodianId}

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/files/{ediscoveryFileId}/custodian

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [ediscoveryCustodian](../resources/security-ediscoverycustodian.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_ediscoverycustodian"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/0053a61a3b6c42738f7606791716a22a

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryCustodian"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians/$entity",

+ "status": "active",

+ "holdStatus": "applied",

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "lastModifiedDateTime": "2022-05-23T02:35:42.9272828Z",

+ "releasedDateTime": "0001-01-01T00:00:00Z",

+ "id": "0053a61a3b6c42738f7606791716a22a",

+ "displayName": "Alex Wilber",

+ "email": "AlexW@M365x809305.OnMicrosoft.com",

+ "acknowledgedDateTime": "0001-01-01T00:00:00Z"

+}

+```

+ Title: "List ediscoveryIndexOperation"

+description: "Get the ediscoveryIndexOperation resources from the lastIndexOperation navigation property."

+ms.localizationpriority: medium

+# List ediscoveryIndexOperation

+Namespace: microsoft.graph.security

+Get the ediscoveryIndexOperation resources from the lastIndexOperation navigation property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{ediscoverycustodianId}/lastIndexOperation

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/noncustodialSources/{ediscoveryNoncustodialDataSourceId}/lastIndexOperation

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [ediscoveryIndexOperation](../resources/security-ediscoveryindexoperation.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_ediscoveryindexoperation"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/0053a61a3b6c42738f7606791716a22a/lastIndexOperation

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryIndexOperation"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#microsoft.graph.security.ediscoveryIndexOperation",

+ "createdDateTime": "2022-05-23T02:35:43.1932326Z",

+ "completedDateTime": "0001-01-01T00:00:00Z",

+ "percentProgress": 0,

+ "status": "running",

+ "action": "index",

+ "id": "b23821836460441891d16a2cb7463392",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": null,

+ "displayName": null,

+ "userPrincipalName": "c25c3914-f9f7-43ee-9cba-a25377e0cec6"

+ }

+ }

+}

+```

+ Title: "List siteSources"

+description: "Get the siteSource resources from the siteSources navigation property."

+ms.localizationpriority: medium

+# List siteSources

+Namespace: microsoft.graph.security

+Get the siteSource resources from the siteSources navigation property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{custodianId}/siteSources

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [siteSource](../resources/security-sitesource.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_sitesource"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/0053a61a3b6c42738f7606791716a22a/siteSources

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.siteSource)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('0053a61a3b6c42738f7606791716a22a')/siteSources",

+ "value": [

+ {

+ "@odata.id": "https://graph.microsoft.com/v1.0/sites/169718e3-a8df-449d-bef4-ee09fe1ddc5d",

+ "displayName": "U.S. Sales",

+ "createdDateTime": "2022-05-23T02:35:42.926309Z",

+ "holdStatus": "applied",

+ "id": "169718e3-a8df-449d-bef4-ee09fe1ddc5d",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ },

+ "site": {

+ "webUrl": "https://m365x809305.sharepoint.com/sites/USSales",

+ "id": "169718e3-a8df-449d-bef4-ee09fe1ddc5d",

+ "createdDateTime": "2022-05-23T02:35:42.926309Z"

+ }

+ }

+ ]

+}

+```

+ Title: "List custodian's unifiedGroupSources"

+description: "Get a list of the custodian's unifiedGroupSource objects and their properties."

+ms.localizationpriority: medium

+# List custodian's unifiedGroupSources

+Namespace: microsoft.graph.security

+Get a list of the [unifiedGroupSource](../resources/security-unifiedgroupsource.md) objects and their properties.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{custodianId}/unifiedGroupSources

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [unifiedGroupSource](../resources/security-unifiedgroupsource.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_unifiedgroupsource"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/0053a61a3b6c42738f7606791716a22a/unifiedGroupSources

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.unifiedGroupSource)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('0053a61a3b6c42738f7606791716a22a')/unifiedGroupSources",

+ "value": [

+ {

+ "@odata.id": "https://graph.microsoft.com/v1.0/groups/32e14fa4-3106-4bd2-a245-34bf0c718a7e",

+ "displayName": "Design (Mailbox)",

+ "createdDateTime": "2022-05-23T02:35:42.926309Z",

+ "holdStatus": "applied",

+ "id": "32e14fa4-3106-4bd2-a245-34bf0c718a7e",

+ "includedSources": "mailbox,site",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ },

+ "group": {

+ "email": "Design@M365x809305.onmicrosoft.com",

+ "webUrl": "https://m365x809305.sharepoint.com/sites/Design",

+ "id": "32e14fa4-3106-4bd2-a245-34bf0c718a7e",

+ "displayName": "Design (Mailbox)",

+ "createdDateTime": "2022-05-23T02:35:42.926309Z"

+ }

+ },

+ {

+ "@odata.id": "https://graph.microsoft.com/v1.0/groups/21be9868-b58b-4f8b-800c-591e9ad8d4ec",

+ "displayName": "CEO Connection (Mailbox)",

+ "createdDateTime": "2022-05-23T02:35:42.926309Z",

+ "holdStatus": "applied",

+ "id": "21be9868-b58b-4f8b-800c-591e9ad8d4ec",

+ "includedSources": "mailbox,site",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ },

+ "group": {

+ "email": "ceoconnection@M365x809305.onmicrosoft.com",

+ "webUrl": "https://m365x809305.sharepoint.com/sites/ceoconnection",

+ "id": "21be9868-b58b-4f8b-800c-591e9ad8d4ec",

+ "displayName": "CEO Connection (Mailbox)",

+ "createdDateTime": "2022-05-23T02:35:42.926309Z"

+ }

+ }

+ ]

+}

+```

+ Title: "List userSources"

+description: "Get the userSource resources from the userSources navigation property."

+ms.localizationpriority: medium

+# List userSources

+Namespace: microsoft.graph.security

+Get the userSource resources from the userSources navigation property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{custodianId}/userSources

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/legalHolds/{ediscoveryHoldPolicyId}/userSources

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [userSource](../resources/security-usersource.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_usersource"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/0053a61a3b6c42738f7606791716a22a/userSources

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.userSource)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('0053a61a3b6c42738f7606791716a22a')/userSources",

+ "value": [

+ {

+ "displayName": "Alex Wilber",

+ "createdDateTime": "2022-05-23T00:58:19.0702524Z",

+ "holdStatus": "applied",

+ "id": "43434642-3137-3138-3432-374142313639",

+ "email": "AlexW@M365x809305.OnMicrosoft.com",

+ "includedSources": "mailbox,site",

+ "siteWebUrl": "https://m365x809305-my.sharepoint.com/personal/alexw_m365x809305_onmicrosoft_com/",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ }

+ }

+ ]

+}

+```

+ Title: "Create custodian siteSource"

+description: "Create a new custodian siteSource object."

+ms.localizationpriority: medium

+# Create custodian siteSource

+Namespace: microsoft.graph.security

+Create a new [siteSource](../resources/security-sitesource.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{custodianId}/siteSources

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [siteSource](../resources/security-sitesource.md) object.

+You can specify the following properties when creating a **siteSource**.

+|Property|Type|Description|

+|:|:|:|

+|site|String|URL of the site; for example, `https://contoso.sharepoint.com/sites/HumanResources`.|

+## Response

+If successful, this method returns a `201 Created` response code and a [siteSource](../resources/security-sitesource.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_sitesource_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/0053a61a3b6c42738f7606791716a22a/siteSources

+Content-Type: application/json

+{

+ "site": {

+ "webUrl": "https://m365x809305.sharepoint.com/sites/Retail"

+ }

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.siteSource"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('0053a61a3b6c42738f7606791716a22a')/siteSources/$entity",

+ "@odata.id": "https://graph.microsoft.com/v1.0/sites/dbe4b18e-2765-4989-8647-48139180c45f",

+ "displayName": "Retail",

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "applied",

+ "id": "dbe4b18e-2765-4989-8647-48139180c45f",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

+ "displayName": "Graph Explorer"

+ }

+ }

+}

+```

+ Title: "Create custodian unifiedGroupSource"

+description: "Create a new custodian unifiedGroupSource object."

+ms.localizationpriority: medium

+# Create custodian unifiedGroupSource

+Namespace: microsoft.graph.security

+Create a new [unifiedGroupSource](../resources/security-unifiedgroupsource.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{custodianId}/unifiedGroupSources

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [unifiedGroupSource](../resources/security-unifiedgroupsource.md) object.

+You can specify the following properties when creating an **unifiedGroupSource**.

+>**Note:** Either **group** or **group@odata.bind** is required in order to create a **unifiedGroupSource**.

+|Property|Type|Description|

+|:|:|:|

+|includedSources|microsoft.graph.ediscovery.sourceType|Specifies which sources are included in this group. Possible values are: `mailbox`, `site`.|

+|group|String|Specifies the email address for the group. To get the email address of a group, use [List groups](../api/group-list.md) or [Get group](../api/group-get.md). You can then query by the name of the group using `$filter`; for example, `https://graph.microsoft.com/v1.0/groups?$filter=displayName eq 'secret group'&$select=mail,id,displayName`.|

+|group@odata.bind|String|ID of the group. You can get this in the same way that you get the group. |

+## Response

+If successful, this method returns a `201 Created` response code and an [unifiedGroupSource](../resources/security-unifiedgroupsource.md) object in the response body.

+## Examples

+### Example 1: Create unifiedGroupSource with group SMTP address

+#### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_unifiedgroupsource_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/files/{ediscoveryFileId}/custodian/unifiedGroupSources

+Content-Type: application/json

+{

+ "group": {

+ "mail": "SOCTeam@M365x809305.onmicrosoft.com"

+ },

+ "includedSources": "mailbox, site"

+}

+```

+#### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.unifiedGroupSource"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('0053a61a3b6c42738f7606791716a22a')/unifiedGroupSources/$entity",

+ "@odata.id": "https://graph.microsoft.com/v1.0/groups/1ce58bf6-e0fd-403d-a655-312a838110cf",

+ "displayName": "SOC Team (Mailbox)",

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "applied",

+ "id": "1ce58bf6-e0fd-403d-a655-312a838110cf",

+ "includedSources": "mailbox,site",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

+ "displayName": "Graph Explorer"

+ }

+ }

+}

+```

+### Example 2: Create unifiedGroupSource with group@odata.bind

+#### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_unifiedgroupsource_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/0053a61a3b6c42738f7606791716a22a/unifiedGroupSources

+Content-Type: application/json

+{

+ "group@odata.bind": "https://graph.microsoft.com/v1.0/groups/93f90172-fe05-43ea-83cf-ff785a40d610",

+ "includedSources": "mailbox"

+}

+```

+#### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.unifiedGroupSource"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('0053a61a3b6c42738f7606791716a22a')/unifiedGroupSources/$entity",

+ "@odata.id": "https://graph.microsoft.com/v1.0/groups/93f90172-fe05-43ea-83cf-ff785a40d610",

+ "displayName": "Finance Team (Mailbox)",

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "applied",

+ "id": "93f90172-fe05-43ea-83cf-ff785a40d610",

+ "includedSources": "mailbox",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

+ "displayName": "Graph Explorer"

+ }

+ }

+}

+```

+ Title: "Create custodian userSource"

+description: "Create a new custodian userSource object."

+ms.localizationpriority: medium

+# Create custodian userSource

+Namespace: microsoft.graph.security

+Create a new [userSource](../resources/security-usersource.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{custodianId}/userSources

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [userSource](../resources/security-usersource.md) object.

+You can specify the following properties when creating a **userSource**.

+|Property|Type|Description|

+|:|:|:|

+|email|String|SMTP address of the user.|

+|includedSources|String|Specifies which sources are included in this group. Possible values are: `mailbox`, `site`.|

+## Response

+If successful, this method returns a `201 Created` response code and a [userSource](../resources/security-usersource.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_usersource_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/0053a61a3b6c42738f7606791716a22a/userSources

+{

+ "email": "admin@M365x809305.onmicrosoft.com",

+ "includedSources": "mailbox, site"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.userSource"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('0053a61a3b6c42738f7606791716a22a')/userSources/$entity",

+ "displayName": "MOD Administrator",

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "applied",

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "email": "admin@M365x809305.onmicrosoft.com",

+ "includedSources": "mailbox,site",

+ "siteWebUrl": "",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

+ "displayName": "Graph Explorer"

+ }

+ }

+}

+```

+ Title: "ediscoveryCustodian: release"

+description: "Release a custodian from a case."

+ms.localizationpriority: medium

+# ediscoveryCustodian: release

+Namespace: microsoft.graph.security

+Release a custodian from a case. For details, see [Release a custodian from a case](/microsoft-365/compliance/manage-new-custodians#release-a-custodian-from-a-case).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{ediscoveryCustodianId}/release

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this action returns a `202 Accepted` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverycustodianthis.release"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/c25c3914f9f743ee9cbaa25377e0cec6/release

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+ Title: "ediscoveryCustodian: removeHold"

+description: "**TODO: Add Description**"

+ms.localizationpriority: medium

+# ediscoveryCustodian: removeHold

+Namespace: microsoft.graph.security

+Start the process of removing hold from eDiscovery custodians. After the operation is created, you can get the status of the case operation by retrieving the `Location` parameter from the response headers. The location provides a URL that will return a [eDiscoveryHoldOpertaion](../resources/security-ediscoveryholdoperation.md).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/removeHold

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{eDiscoveryCustodianId}/removeHold

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+|Parameter|Type|Description|

+|:|:|:|

+|ids|String collection|The IDs of custodians to apply hold. Optional.|

+## Response

+If successful, this action returns a `202 Accepted` response code.

+## Examples

+### Example 1. Apply hold to multiple custodians.

+#### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverycustodianthis.removehold"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/removeHold

+Content-Type: application/json

+{

+ "ids": [

+ "7f697316-43ed-48e1-977f-261be050db93", "b26888b3-e1f5-47c5-bdf2-33d1b90cb2e8"

+ ]

+}

+```

+#### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+### Example 2. Apply hold to a single custodian.

+#### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverycustodianthis.removehold"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/c25c3914f9f743ee9cbaa25377e0cec6/removeHold

+```

+#### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+ Title: "ediscoveryCustodian: updateIndex"

+description: "Triggers a indexOperation to make a custodian and associated sources searchable."

+ms.localizationpriority: medium

+# ediscoveryCustodian: updateIndex

+Namespace: microsoft.graph.security

+Triggers a [indexOperation](../resources/security-ediscoveryIndexOperation.md)

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/custodians/{ediscoveryCustodianId}/updateIndex

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this action returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverycustodianthis.updateindex"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/c25c3914f9f743ee9cbaa25377e0cec6/updateIndex

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "ediscoveryExportOperation: getDownloadUrl"

+description: "return a downloadUrl from where the export content is delivered as a stream"

+ms.localizationpriority: medium

+# ediscoveryExportOperation: getDownloadUrl

+Namespace: microsoft.graph.security

+If a Azure blob url is not provided in export action, the export operation exports the files to an internal store. Contents of this store can be fetched by calling into this function. This will return a downloadUrl where the zipped content is delivered as a stream.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /ediscoveryExportOperation/getDownloadUrl

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this function returns a `200 OK` response code and a String in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoveryexportoperationthis.getdownloadurl"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/operations/f98a9f54efeb479ab75164cd7d0a98fb/getDownloadUrl

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Edm.String"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: text/plain

+{

+ "https://sdfpkgg0021.blob.edproxy.aed01.ediscovery.outlook.com/packaging120g37c10016472cb0abf28fac5800b0/6dec1a1c-0577-424f-819c-9542edc47f5a.zip?{SASToken}"

+}

+```

+ Title: "Get ediscoveryFile"

+description: "Read the properties and relationships of an ediscoveryFile object."

+ms.localizationpriority: medium

+# Get ediscoveryFile

+Namespace: microsoft.graph.security

+Read the properties and relationships of an [ediscoveryFile](../resources/security-ediscoveryfile.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/files/{ediscoveryFileId}

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [ediscoveryFile](../resources/security-ediscoveryfile.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_ediscoveryfile"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/reviewSets/273f11a1-17aa-419c-981d-ff10d33e420f/files/000168cdf05c48d98faac7bff8719726a25da40bb2b9c369fb580b8797abf661

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryFile"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('58399dff-cebe-478f-b1af-d3227f1fd645')/reviewSets('273f11a1-17aa-419c-981d-ff10d33e420f')/files/$entity",

+ "id": "000168cdf05c48d98faac7bff8719726a25da40bb2b9c369fb580b8797abf661",

+ "dateTime": "2017-11-02T15:07:10Z",

+ "size": 921,

+ "name": "Report/CustomVisuals/WordCloud1447959067750/package.json",

+ "sourceType": "site",

+ "subjectTitle": "Operations Analytics.pbix",

+ "extension": "json",

+ "mediaType": "application/json; charset=ISO-8859-1",

+ "processingStatus": "success",

+ "otherProperties": {

+ "Source": null,

+ "Participants": null,

+ "To": null,

+ "Cc": null,

+ "Bcc": null,

+ "Recipients": null,

+ "Author": null,

+ "CreatedTime": null,

+ "Received": null,

+ "Sent": null,

+ "LastModifiedDate": "2017-11-02T15:07:10Z",

+ "MessageType": null,

+ "Title": null,

+ "EmailHasAttachment": false,

+ "EmailImportance": "",

+ "WordCount": 25,

+ "ErrorIgnored": false,

+ "IsFromErrorRemediation": false,

+ "EmailSecurity": 0,

+ "EmailSensitivity": 0,

+ "IsModernAttachment": false,

+ "IsEmbeddedDocument": true,

+ "ComplianceLabels": null,

+ "ConversationId": null,

+ "ConversationIndex": null,

+ "ItemClass": null,

+ "LocationName": null,

+ "MeetingStartDate": null,

+ "MeetingEndDate": null,

+ "ParticipantDomains": null,

+ "RecipientDomains": null,

+ "Sender": null,

+ "SenderDomain": null

+ }

+}

+```

+ Title: "Get ediscoveryHoldPolicy"

+description: "Read the properties and relationships of an ediscoveryHoldPolicy object."

+ms.localizationpriority: medium

+# Get ediscoveryHoldPolicy

+Namespace: microsoft.graph.security

+Read the properties and relationships of an [ediscoveryHoldPolicy](../resources/security-ediscoveryholdpolicy.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/legalHolds/{ediscoveryHoldPolicyId}

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [ediscoveryHoldPolicy](../resources/security-ediscoveryholdpolicy.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_ediscoveryholdpolicy"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/legalholds/783c3ea4-d474-4051-9c13-08707ce8c8b6

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryHoldPolicy"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/legalHolds/$entity",

+ "isEnabled": true,

+ "errors": [],

+ "contentQuery": "does api fetch query?",

+ "description": "does api fetch description?",

+ "createdDateTime": "2022-05-23T01:09:53.497Z",

+ "lastModifiedDateTime": "2022-05-25T23:15:04.317Z",

+ "status": "success",

+ "id": "783c3ea4-d474-4051-9c13-08707ce8c8b6",

+ "displayName": "CustodianHold-b0073e4e-4184-41c6-9eb7-8c8cc3e2288b",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "MOD Administrator",

+ "displayName": null

+ }

+ },

+ "lastModifiedBy": {

+ "application": null,

+ "user": {

+ "id": "MOD Administrator",

+ "displayName": null

+ }

+ }

+}

+```

+ Title: "Create siteSource"

+description: "Create a new siteSource object."

+ms.localizationpriority: medium

+# Create siteSource

+Namespace: microsoft.graph.security

+Create a new siteSource object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/legalHolds/{ediscoveryHoldPolicyId}/siteSources

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [siteSource](../resources/security-sitesource.md) object.

+You can specify the following properties when creating a **siteSource**.

+|Property|Type|Description|

+|:|:|:|

+|site|String|URL of the site; for example, `https://contoso.sharepoint.com/sites/HumanResources`.|

+## Response

+If successful, this method returns a `201 Created` response code and a [siteSource](../resources/security-sitesource.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_sitesource_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/legalHolds/0053a61a3b6c42738f7606791716a22a/siteSources

+Content-Type: application/json

+{

+ "site": {

+ "webUrl": "https://m365x809305.sharepoint.com/sites/Retail"

+ }

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.siteSource"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/legalHolds('0053a61a3b6c42738f7606791716a22a')/siteSources/$entity",

+ "@odata.id": "https://graph.microsoft.com/v1.0/sites/dbe4b18e-2765-4989-8647-48139180c45f",

+ "displayName": "Retail",

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "applied",

+ "id": "dbe4b18e-2765-4989-8647-48139180c45f",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

+ "displayName": "Graph Explorer"

+ }

+ }

+}

+```

+ Title: "Create userSource"

+description: "Create a new userSource object."

+ms.localizationpriority: medium

+# Create userSource

+Namespace: microsoft.graph.security

+Create a new userSource object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/legalHolds/{ediscoveryHoldPolicyId}/userSources

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [userSource](../resources/security-usersource.md) object.

+You can specify the following properties when creating a **userSource**.

+|Property|Type|Description|

+|:|:|:|

+|email|String|SMTP address of the user.|

+|includedSources|String|Specifies which sources are included in this group. Possible values are: `mailbox`, `site`.|

+## Response

+If successful, this method returns a `201 Created` response code and a [userSource](../resources/security-usersource.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_usersource_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/ediscoveryCases/{ediscoveryCaseId}/legalHolds/{ediscoveryHoldPolicyId}/userSources

+Content-Type: application/json

+{

+ "email": "admin@M365x809305.onmicrosoft.com",

+ "includedSources": "mailbox, site"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.userSource"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/legalHolds('0053a61a3b6c42738f7606791716a22a')/userSources/$entity",

+ "displayName": "MOD Administrator",

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "applied",

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "email": "admin@M365x809305.onmicrosoft.com",

+ "includedSources": "mailbox,site",

+ "siteWebUrl": "",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

+ "displayName": "Graph Explorer"

+ }

+ }

+}

+```

+ Title: "Update ediscoveryHoldPolicy"

+description: "Update the properties of an ediscoveryHoldPolicy object."

+ms.localizationpriority: medium

+# Update ediscoveryHoldPolicy

+Namespace: microsoft.graph.security

+Update the properties of an [ediscoveryHoldPolicy](../resources/security-ediscoveryholdpolicy.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /security/cases/ediscoveryCases/{ediscoveryCaseId}/legalHolds/{ediscoveryHoldPolicyId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+|Property|Type|Description|

+|:|:|:|

+|description|String|The description of the legal hold policy. Optional.|

+|contentQuery|String|The content query of the legal hold policy. Optional.|

+## Response

+If successful, this method returns a `204 No Content` response code and an updated [ediscoveryHoldPolicy](../resources/security-ediscoveryholdpolicy.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "update_ediscoveryholdpolicy"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/legalholds/783c3ea4-d474-4051-9c13-08707ce8c8b6

+{

+ "description": "updated description",

+ "contentQuery": "bazooka bazooka"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "ediscoveryNoncustodialDataSource: applyHold"

+description: "Start the process of applying hold to eDiscovery non-custodial data sources."

+ms.localizationpriority: medium

+# ediscoveryNoncustodialDataSource: applyHold

+Namespace: microsoft.graph.security

+Start the process of applying hold to eDiscovery non-custodial data sources. After the operation is created, you can get the status of the case operation by retrieving the `Location` parameter from the response headers. The location provides a URL that will return a [eDiscoveryHoldOpertaion](../resources/security-ediscoveryholdoperation.md).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/noncustodialDataSources/applyHold

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/noncustodialDataSources/{ediscoverynoncustodialDatasourceId}/applyHold

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+|Parameter|Type|Description|

+|:|:|:|

+|ids|String collection|The IDs of non-custodial data sources to apply hold. Optional.|

+## Response

+If successful, this action returns a `202 Accepted` response code.

+## Examples

+### Example 1. Apply hold to multiple non-custodial data sources.

+#### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverynoncustialdatasource.applyhold"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/noncustodialdatasources/applyHold

+Content-Type: application/json

+{

+ "ids": [

+ "39333641443238353535383731453339",

+ "46333131344239353834433430454335"

+ ]

+}

+```

+#### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+### Example 2. Apply hold to a single non-custodial data source.

+#### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverynoncustialdatasource.applyhold"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/noncustodialdatasources/39333641443238353535383731453339/applyHold

+```

+#### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+ Title: "Get ediscoveryNoncustodialDataSource"

+description: "Read the properties and relationships of an ediscoveryNoncustodialDataSource object."

+ms.localizationpriority: medium

+# Get ediscoveryNoncustodialDataSource

+Namespace: microsoft.graph.security

+Read the properties and relationships of an [ediscoveryNoncustodialDataSource](../resources/security-ediscoverynoncustodialdatasource.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/noncustodialDataSources/{ediscoveryNoncustodialDataSourceId}

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [ediscoveryNoncustodialDataSource](../resources/security-ediscoverynoncustodialdatasource.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_ediscoverynoncustodialdatasource"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/noncustodialdatasources/35393639323133394345384344303043?$expand=dataSource

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryNoncustodialDataSource"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/noncustodialDataSources(dataSource())/$entity",

+ "status": "active",

+ "holdStatus": "applied",

+ "createdDateTime": "2022-05-23T02:09:11.1395287Z",

+ "lastModifiedDateTime": "2022-05-23T02:09:11.1395287Z",

+ "releasedDateTime": "0001-01-01T00:00:00Z",

+ "id": "35393639323133394345384344303043",

+ "displayName": "U.S. Sales",

+ "dataSource@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/noncustodialDataSources('35393639323133394345384344303043')/dataSource/$entity",

+ "dataSource": {

+ "@odata.type": "#microsoft.graph.security.siteSource",

+ "@odata.id": "https://graph.microsoft.com/v1.0/sites/169718e3-a8df-449d-bef4-ee09fe1ddc5d",

+ "displayName": "U.S. Sales",

+ "createdDateTime": "2022-05-23T02:09:11.1395535Z",

+ "holdStatus": "0",

+ "id": "169718e3-a8df-449d-bef4-ee09fe1ddc5d",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ },

+ "site": {

+ "webUrl": "https://m365x809305.sharepoint.com/sites/USSales",

+ "id": "169718e3-a8df-449d-bef4-ee09fe1ddc5d",

+ "createdDateTime": "2022-05-23T02:09:11.1395535Z"

+ }

+ }

+}

+```

+ Title: "ediscoveryNoncustodialDataSource: release"

+description: "Releases the non-custodial data source from the case."

+ms.localizationpriority: medium

+# ediscoveryNoncustodialDataSource: release

+Namespace: microsoft.graph.security

+Releases the non-custodial data source from the case.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/noncustodialDataSources/{ediscoveryNoncustodialDataSourceId}/release

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this action returns a `202 Accepted` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverynoncustodialdatasourcethis.release"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/ediscoveryCases/{ediscoveryCaseId}/noncustodialDataSources/{ediscoveryNoncustodialDataSourceId}/release

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+ Title: "ediscoveryNoncustodialDataSource: removeHold"

+description: "Start the process of removing hold from eDiscovery non-custodial data sources."

+ms.localizationpriority: medium

+# ediscoveryNoncustodialDataSource: removeHold

+Namespace: microsoft.graph.security

+Start the process of removing hold from eDiscovery non-custodial data sources. After the operation is created, you can get the status of the case operation by retrieving the `Location` parameter from the response headers. The location provides a URL that will return a [eDiscoveryHoldOpertaion](../resources/security-ediscoveryholdoperation.md).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/noncustodialDataSources/removeHold

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/noncustodialDataSources/{ediscoverynoncustodialDatasourceId}/removeHold

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+|Parameter|Type|Description|

+|:|:|:|

+|ids|String collection|The IDs of non-custodial data sources to remove hold. Optional.|

+## Response

+If successful, this action returns a `202 Accepted` response code.

+## Examples

+### Example 1. Remove hold from multiple non-custodial data sources.

+#### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverycustodianthis.removehold"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/noncustodialdatasources/removeHold

+Content-Type: application/json

+{

+ "ids": [

+ "39333641443238353535383731453339",

+ "46333131344239353834433430454335"

+ ]

+}

+```

+#### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+### Example 2. Remove hold from a single non-custodial data source.

+#### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverycustodianthis.removehold"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/noncustodialdatasources/39333641443238353535383731453339/removeHold

+```

+#### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+ Title: "ediscoveryNoncustodialDataSource: updateIndex"

+description: "Triggers a indexOperation to make a non-custodial data source and its associated data source searchable."

+ms.localizationpriority: medium

+# ediscoveryNoncustodialDataSource: updateIndex

+Namespace: microsoft.graph.security

+Triggers a [indexOperation](../resources/security-ediscoveryIndexOperation.md)

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/noncustodialDataSources/{ediscoveryNoncustodialDataSourceId}/updateIndex

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this action returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverynoncustodialdatasourcethis.updateindex"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/noncustodialdatasources/46333131344239353834433430454335/updateIndex

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "ediscoveryReviewSet: addToReviewSet"

+description: "Start the process of adding a collection from Microsoft 365 services to a review set."

+ms.localizationpriority: medium

+# ediscoveryReviewSet: addToReviewSet

+Namespace: microsoft.graph.security

+Start the process of adding a collection from Microsoft 365 services to a review set. After the operation is created, you can get the status of the operation by retrieving the `Location` parameter from the response headers. The location provides a URL that will return a [Add to review set operation](../resources/security-ediscoveryaddtoreviewsetoperation.md).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /ediscoveryExportOperation/reviewSet/addToReviewSet

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+|Parameter|Type|Description|

+|:|:|:|

+|search|[microsoft.graph.security.ediscoverySearch](../resources/security-ediscoverysearch.md)|The ID of the eDiscovery search you'd like to add to the review set.|

+|additionalDataOptions|additionalDataOptions|The options for adding items to reviewSet.|

+### additionalDataOptions values

+|Name|Description|

+|:|:|

+|allVersions|include all versions of a sharepoint document matching the source collection query. Caution: SharePoint versions can significantly increase the volume of items |

+|linkedFiles|include linked files that were shared in outlook, teams, or yammer messages by attaching a link to the file.|

+## Response

+If successful, this action returns a `202 Accepted` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoveryreviewsetthis.addtoreviewset"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/ediscoveryExportOperation/reviewSet/addToReviewSet

+Content-Type: application/json

+{

+ "search": {

+ "id": "7c165312-d8db-48b5-9129-1af50932df53"

+ },

+ "additionalDataOptions": "linkedFiles"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Delete ediscoveryReviewSetQuery"

+description: "Deletes an ediscoveryReviewSetQuery object."

+ms.localizationpriority: medium

+# Delete ediscoveryReviewSetQuery

+Namespace: microsoft.graph.security

+Deletes an [ediscoveryReviewSetQuery](../resources/security-ediscoveryreviewsetquery.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+DELETE /ediscoveryExportOperation/reviewSetQuery/$ref

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "delete_ediscoveryreviewsetquery"

+}

+-->

+``` http

+DELETE https://graph.microsoft.com/beta/ediscoveryExportOperation/reviewSetQuery

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "ediscoveryReviewSet: export"

+description: "Initiate an export from a reviewSet."

+ms.localizationpriority: medium

+# ediscoveryReviewSet: export

+Namespace: microsoft.graph.security

+Initiate an export from a **reviewSet**. For details, see [Export documents from a review set in Advanced eDiscovery](/microsoft-365/compliance/export-documents-from-review-set).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/export

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+|Parameter|Type|Description|

+|:|:|:|

+|outputName|String| Name of the export. Required. |

+|description|String| Description of the export |

+|azureBlobContainer|String| When exporting to your own Azure storage account, this is the container URL. |

+|azureBlobToken|String| When exporting to your own Azure storage account, SAS token for the container URL. |

+|exportOptions|String|Specifies options that control the format of the export. Possible values are: `originalFiles`, `text`, `pdfReplacement`, `fileInfo`, `tags`.|

+|exportStructure|String| Options that control file structure and packaging of the export. Possible values are: `none`, `directory`, `pst`.|

+## Response

+If the export has started successfully, this action returns a `202 Accepted` response code. The response will also contain a `Location` header, which contains the location of the [Export operation](../resources/security-ediscoveryexportoperation.md) that was created to handle the export.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoveryreviewsetthis.export"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/reviewSets/273f11a1-17aa-419c-981d-ff10d33e420f/export

+Content-Type: application/json

+{

+ "outputName": "Export via API",

+ "description": "Export for the Contoso investigation",

+ "exportOptions": "originalFiles,fileInfo,tags",

+ "exportStructure": "directory"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+ Title: "Get ediscoveryReviewSet"

+description: "Read the properties and relationships of an ediscoveryReviewSet object."

+ms.localizationpriority: medium

+# Get ediscoveryReviewSet

+Namespace: microsoft.graph.security

+Read the properties and relationships of an [ediscoveryReviewSet](../resources/security-ediscoveryreviewset.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /ediscoveryExportOperation/reviewSet

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [ediscoveryReviewSet](../resources/security-ediscoveryreviewset.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_ediscoveryreviewset"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/reviewSets/273f11a1-17aa-419c-981d-ff10d33e420f

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryReviewSet"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('58399dff-cebe-478f-b1af-d3227f1fd645')/reviewSets/$entity",

+ "displayName": "Teams messages",

+ "id": "273f11a1-17aa-419c-981d-ff10d33e420f",

+ "createdDateTime": "2022-05-29T20:49:47.4133043Z",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ }

+}

+```

+ Title: "List ediscoveryFiles"

+description: "Get a list of the ediscoveryFile objects and their properties."

+ms.localizationpriority: medium

+# List ediscoveryFiles

+Namespace: microsoft.graph.security

+Get a list of the [ediscoveryFile](../resources/security-ediscoveryfile.md) objects and their properties.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/files

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [ediscoveryFile](../resources/security-ediscoveryfile.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_ediscoveryfile"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/reviewSets/273f11a1-17aa-419c-981d-ff10d33e420f/files?$top=5

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.ediscoveryFile)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('58399dff-cebe-478f-b1af-d3227f1fd645')/reviewSets('273f11a1-17aa-419c-981d-ff10d33e420f')/files",

+ "@odata.nextLink": "https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/reviewSets/273f11a1-17aa-419c-981d-ff10d33e420f/files?$top=5&$skiptoken=1",

+ "value": [

+ {

+ "id": "000168cdf05c48d98faac7bff8719726a25da40bb2b9c369fb580b8797abf661",

+ "dateTime": "2017-11-02T15:07:10Z",

+ "size": 921,

+ "name": "Report/CustomVisuals/WordCloud1447959067750/package.json",

+ "sourceType": "site",

+ "subjectTitle": "Operations Analytics.pbix",

+ "extension": "json",

+ "mediaType": "application/json; charset=ISO-8859-1",

+ "processingStatus": "success",

+ "otherProperties": {

+ "Source": null,

+ "Participants": null,

+ "To": null,

+ "Cc": null,

+ "Bcc": null,

+ "Recipients": null,

+ "Author": null,

+ "CreatedTime": null,

+ "Received": null,

+ "Sent": null,

+ "LastModifiedDate": "2017-11-02T15:07:10Z",

+ "MessageType": null,

+ "Title": null,

+ "EmailHasAttachment": false,

+ "EmailImportance": "",

+ "WordCount": 25,

+ "ErrorIgnored": false,

+ "IsFromErrorRemediation": false,

+ "EmailSecurity": 0,

+ "EmailSensitivity": 0,

+ "IsModernAttachment": false,

+ "IsEmbeddedDocument": true,

+ "ComplianceLabels": null,

+ "ConversationId": null,

+ "ConversationIndex": null,

+ "ItemClass": null,

+ "LocationName": null,

+ "MeetingStartDate": null,

+ "MeetingEndDate": null,

+ "ParticipantDomains": null,

+ "RecipientDomains": null,

+ "Sender": null,

+ "SenderDomain": null

+ }

+ }

+ ]

+}

+```

+ Title: "List ediscoveryReviewSetQuery"

+description: "Get the ediscoveryReviewSetQuery resources from the reviewSetQuery navigation property."

+ms.localizationpriority: medium

+# List ediscoveryReviewSetQuery

+Namespace: microsoft.graph.security

+Get the ediscoveryReviewSetQuery resources from the reviewSetQuery navigation property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/queries

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [ediscoveryReviewSetQuery](../resources/security-ediscoveryreviewsetquery.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_ediscoveryreviewsetquery"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/reviewSets/273f11a1-17aa-419c-981d-ff10d33e420f/queries

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.ediscoveryReviewSetQuery)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('58399dff-cebe-478f-b1af-d3227f1fd645')/reviewSets('273f11a1-17aa-419c-981d-ff10d33e420f')/queries",

+ "value": [

+ {

+ "lastModifiedDateTime": "2022-05-29T20:49:47.9289317Z",

+ "contentQuery": "((((FileClass=\"Email\") AND (InclusiveType=\"InclusiveMinus\" OR InclusiveType=\"Inclusive\")) OR ((FileClass=\"Attachment\") AND (UniqueInEmailSet=\"true\")) OR ((FileClass=\"Document\") AND (MarkAsRepresentative=\"Unique\")) OR ((FileClass=\"Conversation\"))))",

+ "id": "837335b0-1943-444d-a3d1-5522cc21c5a4",

+ "displayName": "[AutoGen] For Review",

+ "createdDateTime": "2022-05-29T20:49:47.9289317Z",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ },

+ "lastModifiedBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ }

+ },

+ {

+ "lastModifiedDateTime": "2022-05-29T20:49:48.0539099Z",

+ "contentQuery": "((FileType:gz OR FileType:gzip OR FileType:bz2 OR FileType:zip OR FileType:7z OR FileType:rar OR FileType:vhd OR FileType:mbox OR FileType:pst OR FileType:sfx) OR (Size<\"3072B\" AND (FileType:gif OR FileType:bmp OR FileType:png OR FileType:jpg OR FileType:jpeg OR FileType:tif OR FileType:tiff OR FileType:emf OR FileType:pct OR FileType:pic)))",

+ "id": "977ad4d5-3e5c-4594-8cb6-7d09dbcddf21",

+ "displayName": "[AutoGen] Potentially Immaterial Items",

+ "createdDateTime": "2022-05-29T20:49:48.0539099Z",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ },

+ "lastModifiedBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ }

+ }

+ ]

+}

+```

+ Title: "Create ediscoveryReviewSetQuery"

+description: "Create a new ediscoveryReviewSetQuery object."

+ms.localizationpriority: medium

+# Create ediscoveryReviewSetQuery

+Namespace: microsoft.graph.security

+Create a new [ediscoveryReviewSetQuery](../resources/security-ediscoveryreviewsetquery.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/queries

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [ediscoveryReviewSetQuery](../resources/security-ediscoveryreviewsetquery.md) object.

+You can specify the following properties when creating an **ediscoveryReviewSetQuery**.

+|Property|Type|Description|

+|:|:|:|

+|displayName|String|The name of the query. Required.|

+|contentQuery|String|The KQL query for the review set. [Learn more.](https://docs.microsoft.com/microsoft-365/compliance/review-set-search)|

+## Response

+If successful, this method returns a `201 Created` response code and an [ediscoveryReviewSetQuery](../resources/security-ediscoveryreviewsetquery.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_ediscoveryreviewsetquery_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/reviewSets/273f11a1-17aa-419c-981d-ff10d33e420f/queries

+Content-Type: application/json

+{

+ "displayName": "My Query 1",

+ "contentQuery": "(Author=\"edison\")"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryReviewSetQuery"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('58399dff-cebe-478f-b1af-d3227f1fd645')/reviewSets('273f11a1-17aa-419c-981d-ff10d33e420f')/queries/$entity",

+ "description": null,

+ "lastModifiedDateTime": "2022-05-29T23:39:51.3307953Z",

+ "contentQuery": "((Author=\"edison\"))",

+ "id": "fcb86cd1-50e0-427c-840e-ba6f087364e5",

+ "displayName": "My Query 1",

+ "createdDateTime": "2022-05-29T23:39:51.3307953Z",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null,

+ "userPrincipalName": "c25c3914-f9f7-43ee-9cba-a25377e0cec6"

+ }

+ },

+ "lastModifiedBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null,

+ "userPrincipalName": "c25c3914-f9f7-43ee-9cba-a25377e0cec6"

+ }

+ }

+}

+```

+ Title: "ediscoveryReviewSetQuery: applyTags"

+description: "Apply tags to files in eDiscovery review set."

+ms.localizationpriority: medium

+# ediscoveryReviewSetQuery: applyTags

+Namespace: microsoft.graph.security

+Apply tags to files in eDiscovery review set. [Learn more.](https://docs.microsoft.com/microsoft-365/compliance/tagging-documents)

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/queries/{queryId}/applyTags

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+|Parameter|Type|Description|

+|:|:|:|

+|tagsToAdd|[microsoft.graph.security.ediscoveryReviewTag](../resources/security-ediscoveryreviewtag.md) collection|Tags to remove from the files in review set query.|

+|tagsToRemove|[microsoft.graph.security.ediscoveryReviewTag](../resources/security-ediscoveryreviewtag.md) collection|Tags to remove add the files in review set query.|

+## Response

+If successful, this action returns a `202 Accepted` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoveryreviewsetquerythis.applytags"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/ediscoveryExportOperation/reviewSetQuery/applyTags

+Content-Type: application/json

+{

+ "tagsToAdd": [

+ {"id": "d3d99dc704a74801b792b3e1e722aa0d"}

+ ]

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+ Title: "ediscoveryReviewSetQuery: export"

+description: "Initiate an export from a reviewSet query."

+ms.localizationpriority: medium

+# ediscoveryReviewSetQuery: export

+Namespace: microsoft.graph.security

+Initiate an export from a **reviewSet** query. For details, see [Export documents from a review set in Advanced eDiscovery](/microsoft-365/compliance/export-documents-from-review-set).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/queries/{queryId}/export

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+|Parameter|Type|Description|

+|:|:|:|

+|outputName|String| Name of the export. Required. |

+|description|String| Description of the export |

+|azureBlobContainer|String| When exporting to your own Azure storage account, this is the container URL. |

+|azureBlobToken|String| When exporting to your own Azure storage account, SAS token for the container URL. |

+|exportOptions|String|Specifies options that control the format of the export. Possible values are: `originalFiles`, `text`, `pdfReplacement`, `fileInfo`, `tags`.|

+|exportStructure|String| Options that control file structure and packaging of the export. Possible values are: `none`, `directory`, `pst`.|

+## Response

+If successful, this action returns a `202 Accepted` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoveryreviewsetquerythis.export"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/reviewSets/273f11a1-17aa-419c-981d-ff10d33e420f/queries/fcb86cd1-50e0-427c-840e-ba6f087364e5/export

+Content-Type: application/json

+{

+ "outputName": "Export reviewset query via API",

+ "description": "Export for the Contoso investigation 2",

+ "exportOptions": "originalFiles,fileInfo,tags",

+ "exportStructure": "directory"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+ Title: "Get ediscoveryReviewSetQuery"

+description: "Read the properties and relationships of an ediscoveryReviewSetQuery object."

+ms.localizationpriority: medium

+# Get ediscoveryReviewSetQuery

+Namespace: microsoft.graph.security

+Read the properties and relationships of an [ediscoveryReviewSetQuery](../resources/security-ediscoveryreviewsetquery.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/queries/{queryId}

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [ediscoveryReviewSetQuery](../resources/security-ediscoveryreviewsetquery.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_ediscoveryreviewsetquery"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/reviewSets/273f11a1-17aa-419c-981d-ff10d33e420f/queries/fcb86cd1-50e0-427c-840e-ba6f087364e5

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryReviewSetQuery"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('58399dff-cebe-478f-b1af-d3227f1fd645')/reviewSets('273f11a1-17aa-419c-981d-ff10d33e420f')/queries/$entity",

+ "description": null,

+ "lastModifiedDateTime": "2022-05-29T23:39:51.3307953Z",

+ "contentQuery": "((Author=\"edison\"))",

+ "id": "fcb86cd1-50e0-427c-840e-ba6f087364e5",

+ "displayName": "My Query 1",

+ "createdDateTime": "2022-05-29T23:39:51.3307953Z",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null,

+ "userPrincipalName": "c25c3914-f9f7-43ee-9cba-a25377e0cec6"

+ }

+ },

+ "lastModifiedBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null,

+ "userPrincipalName": "c25c3914-f9f7-43ee-9cba-a25377e0cec6"

+ }

+ }

+}

+```

+ Title: "ediscoveryReviewSetQuery: run"

+description: "Run reviewset query to get the list of files."

+ms.localizationpriority: medium

+# ediscoveryReviewSetQuery: run

+Namespace: microsoft.graph.security

+Run reviewset query to get the list of files.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/queries/{queryId}/run

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this function returns a `200 OK` response code and a [microsoft.graph.security.ediscoveryFile](../resources/security-ediscoveryfile.md) collection in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoveryreviewsetquerythis.run"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/reviewSets/273f11a1-17aa-419c-981d-ff10d33e420f/queries/837335b0-1943-444d-a3d1-5522cc21c5a4/run

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.ediscoveryFile)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(ediscoveryFile)",

+ "@odata.nextLink": "https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/reviewSets/273f11a1-17aa-419c-981d-ff10d33e420f/queries/837335b0-1943-444d-a3d1-5522cc21c5a4/run?$top=2&$skiptoken=1",

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.ediscoveryFile",

+ "id": "000168cdf05c48d98faac7bff8719726a25da40bb2b9c369fb580b8797abf661",

+ "dateTime": "2017-11-02T15:07:10Z",

+ "size": 921,

+ "name": "Report/CustomVisuals/WordCloud1447959067750/package.json",

+ "sourceType": "site",

+ "subjectTitle": "Operations Analytics.pbix",

+ "extension": "json",

+ "mediaType": "application/json; charset=ISO-8859-1",

+ "processingStatus": "success",

+ "otherProperties": {

+ "Source": null,

+ "Participants": null,

+ "To": null,

+ "Cc": null,

+ "Bcc": null,

+ "Recipients": null,

+ "Author": null,

+ "CreatedTime": null,

+ "Received": null,

+ "Sent": null,

+ "LastModifiedDate": "2017-11-02T15:07:10Z",

+ "MessageType": null,

+ "Title": null,

+ "EmailHasAttachment": false,

+ "EmailImportance": "",

+ "WordCount": 25,

+ "ErrorIgnored": false,

+ "IsFromErrorRemediation": false,

+ "EmailSecurity": 0,

+ "EmailSensitivity": 0,

+ "IsModernAttachment": false,

+ "IsEmbeddedDocument": true,

+ "ComplianceLabels": null,

+ "ConversationId": null,

+ "ConversationIndex": null,

+ "ItemClass": null,

+ "LocationName": null,

+ "MeetingStartDate": null,

+ "MeetingEndDate": null,

+ "ParticipantDomains": null,

+ "RecipientDomains": null,

+ "Sender": null,

+ "SenderDomain": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.ediscoveryFile",

+ "id": "005248e12e3f4859c8b20f385f7e962f41eeea144cf27baefd339bd5fa8ed39a",

+ "dateTime": "2017-10-04T22:42:49Z",

+ "size": 19811608,

+ "name": "Introducing the Contoso Mark 8 3D.pptx",

+ "sourceType": "site",

+ "subjectTitle": "PowerPoint Presentation",

+ "extension": "pptx",

+ "mediaType": "application/vnd.openxmlformats-officedocument.presentationml.presentation",

+ "processingStatus": "success",

+ "otherProperties": {

+ "Source": null,

+ "Participants": null,

+ "To": null,

+ "Cc": null,

+ "Bcc": null,

+ "Recipients": null,

+ "Author@odata.type": "#Collection(String)",

+ "Author": [

+ "meganb@m365x809305.onmicrosoft.com"

+ ],

+ "CreatedTime": "2021-09-14T12:00:53Z",

+ "Received": null,

+ "Sent": null,

+ "LastModifiedDate": "2017-10-04T22:42:49Z",

+ "MessageType": null,

+ "Title": "PowerPoint Presentation",

+ "EmailHasAttachment": false,

+ "EmailImportance": "",

+ "WordCount": 293,

+ "ErrorIgnored": false,

+ "IsFromErrorRemediation": false,

+ "EmailSecurity": 0,

+ "EmailSensitivity": 0,

+ "IsModernAttachment": false,

+ "IsEmbeddedDocument": false,

+ "ComplianceLabels": null,

+ "ConversationId": null,

+ "ConversationIndex": null,

+ "ItemClass": null,

+ "LocationName": null,

+ "MeetingStartDate": null,

+ "MeetingEndDate": null,

+ "ParticipantDomains": null,

+ "RecipientDomains": null,

+ "Sender": null,

+ "SenderDomain": null

+ }

+ }

+ ]

+}

+```

+ Title: "Update ediscoveryReviewSetQuery"

+description: "Update the properties of an ediscoveryReviewSetQuery object."

+ms.localizationpriority: medium

+# Update ediscoveryReviewSetQuery

+Namespace: microsoft.graph.security

+Update the properties of an [ediscoveryReviewSetQuery](../resources/security-ediscoveryreviewsetquery.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/queries/{queryId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+|Property|Type|Description|

+|:|:|:|

+|displayName|String|The name of the query. Required.|

+|contentQuery|String|The KQL query for the review set. [Learn more.](https://docs.microsoft.com/microsoft-365/compliance/review-set-search)|

+## Response

+If successful, this method returns a `204 No content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "update_ediscoveryreviewsetquery"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/beta/ediscoveryExportOperation/reviewSetQuery

+Content-Type: application/json

+{

+ "displayName": "My Query 1 (update)",

+ "contentQuery": "(Author=\"edisons\")"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No content.

+```

+ Title: "ediscoveryReviewTag: asHierarchy"

+description: "List tag as hierarchy*"

+ms.localizationpriority: medium

+# ediscoveryReviewTag: asHierarchy

+Namespace: microsoft.graph.security

+List tags with the tag hierarchy shown.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/tags/asHierarchy

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this function returns a `200 OK` response code and a [microsoft.graph.security.ediscoveryReviewTag](../resources/security-ediscoveryreviewtag.md) collection in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoveryreviewtagthis.ashierarchy"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/tags/asHierarchy

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.ediscoveryReviewTag)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(ediscoveryReviewTag)",

+ "@odata.count": 5,

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.ediscoveryReviewTag",

+ "displayName": "My tag API 2",

+ "description": "Use Graph API to create tags (updated)",

+ "lastModifiedDateTime": "2022-05-30T00:27:41.6407249Z",

+ "childSelectability": "Many",

+ "id": "062de822f17a4a2e9b833aa3f6c37108",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ },

+ "childTags": []

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.ediscoveryReviewTag",

+ "displayName": "Responsive",

+ "description": "",

+ "lastModifiedDateTime": "2022-05-23T19:41:24.4237284Z",

+ "childSelectability": "One",

+ "id": "d3d99dc704a74801b792b3e1e722aa0d",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ },

+ "childTags": []

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.ediscoveryReviewTag",

+ "displayName": "Not responsive",

+ "lastModifiedDateTime": "2022-05-23T19:41:31.3381716Z",

+ "childSelectability": "One",

+ "id": "ced26633616a434abd83762d49a25a6c",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ },

+ "childTags": []

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.ediscoveryReviewTag",

+ "displayName": "Processing",

+ "description": "Determine whether to outsource processing",

+ "lastModifiedDateTime": "2022-05-23T19:46:03.8746996Z",

+ "childSelectability": "Many",

+ "id": "d8580989505c4fb3a25b845013697cf7",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ },

+ "childTags": []

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.ediscoveryReviewTag",

+ "displayName": "My tag API",

+ "description": "Use Graph API to create tags",

+ "lastModifiedDateTime": "2022-05-23T19:58:26.1573076Z",

+ "childSelectability": "Many",

+ "id": "7c6cc351-fb90-431f-8562-1b607a3144a4",

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

+ "displayName": "Graph Explorer"

+ }

+ },

+ "childTags": []

+ }

+ ]

+}

+```

+ Title: "Get ediscoveryReviewTag"

+description: "Read the properties and relationships of an ediscoveryReviewTag object."

+ms.localizationpriority: medium

+# Get ediscoveryReviewTag

+Namespace: microsoft.graph.security

+Read the properties and relationships of an [ediscoveryReviewTag](../resources/security-ediscoveryreviewtag.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/tags/{ediscoveryReviewTagId}

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/files/{ediscoveryFileId}/tags/{ediscoveryReviewTagId}

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/files/{ediscoveryFileId}/tags/{ediscoveryReviewTagId}/parent

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/reviewSets/{ediscoveryReviewSetId}/files/{ediscoveryFileId}/tags/{ediscoveryReviewTagId}/childTags/{ediscoveryReviewTagId}

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [ediscoveryReviewTag](../resources/security-ediscoveryreviewtag.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_ediscoveryreviewtag"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/tags/062de822f17a4a2e9b833aa3f6c37108

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryReviewTag"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('58399dff-cebe-478f-b1af-d3227f1fd645')/tags/$entity",

+ "displayName": "My tag",

+ "description": null,

+ "lastModifiedDateTime": "2022-05-23T19:41:01.7432683Z",

+ "childSelectability": "Many",

+ "id": "062de822f17a4a2e9b833aa3f6c37108",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ }

+ }

+}

+```

+ Title: "Update ediscoveryReviewTag"

+description: "Update the properties of an ediscoveryReviewTag object."

+ms.localizationpriority: medium

+# Update ediscoveryReviewTag

+Namespace: microsoft.graph.security

+Update the properties of an [ediscoveryReviewTag](../resources/security-ediscoveryreviewtag.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /security/cases/ediscoveryCases/{ediscoveryCaseId}/tags/{ediscoveryReviewTagId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+|Property|Type|Description|

+|:|:|:|

+|displayName|String|Display name of the tag. Required.|

+|description|String|Description of the tag. Optional.|

+|childSelectability|childSelectability|This value controls whether the UX presents the tags as checkboxes or a radio button group. The possible values are: `One`, `Many`. Required.|

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "update_ediscoveryreviewtag"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/tags/062de822f17a4a2e9b833aa3f6c37108

+{

+ "displayName": "My tag API 2",

+ "description": "Use Graph API to create tags (updated)"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Remove custodianSources"

+description: "Remove a dataSource object."

+ms.localizationpriority: medium

+# Remove custodianSources

+Namespace: microsoft.graph.security

+Remove a [dataSource](../resources/security-datasource.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+DELETE /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/custodianSources/{id}/$ref

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "delete_custodiansources_from_ediscoverysearch"

+}

+-->

+``` http

+DELETE https://graph.microsoft.com/beta/security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/custodianSources/{id}/$ref

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Remove noncustodialSources"

+description: "Remove an ediscoveryNoncustodialDataSource object."

+ms.localizationpriority: medium

+# Remove noncustodialSources

+Namespace: microsoft.graph.security

+Remove an [ediscoveryNoncustodialDataSource](../resources/security-ediscoverynoncustodialdatasource.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+DELETE /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/noncustodialSources/{id}/$ref

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "delete_noncustodialsources_from_ediscoverysearch"

+}

+-->

+``` http

+DELETE https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/searches/c61a5860-d634-4d14-aea7-d82b6f4eb7af/noncustodialSources/35393639323133394345384344303043/$ref

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "ediscoverySearch: estimateStatistics"

+description: "Runs an estimate of the eDiscovery search."

+ms.localizationpriority: medium

+# ediscoverySearch: estimateStatistics

+Namespace: microsoft.graph.security

+Run an estimate of the number of emails and documents in the eDiscovery search. To learn more about searches in eDiscovery, see [Collect data for a case in Advanced eDiscovery](/microsoft-365/compliance/collecting-data-for-ediscovery).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/estimateStatistics

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If the estimate is started successfully, this action returns a `202 Accepted` response code.

+The response will also contain a `Location` header, which contains the location of the [estimateStatisticsOperation](../resources/security-ediscoveryestimateoperation.md) that was created to handle the estimate. Check the status of the estimate operation by making a GET request to the location, when successfully completed, the [status](../resources/ediscovery-caseoperation.md#caseoperationstatus-values) will change to `succeeded`.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverysearchthis.estimatestatistics"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/searches/c61a5860-d634-4d14-aea7-d82b6f4eb7af/estimatestatistics

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Get ediscoverySearch"

+description: "Read the properties and relationships of an ediscoverySearch object."

+ms.localizationpriority: medium

+# Get ediscoverySearch

+Namespace: microsoft.graph.security

+Read the properties and relationships of an [ediscoverySearch](../resources/security-ediscoverysearch.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [ediscoverySearch](../resources/security-ediscoverysearch.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_ediscoverysearch"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/58399dff-cebe-478f-b1af-d3227f1fd645/searches/60150269-9758-4439-9bc4-453c864d082f

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoverySearch"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('58399dff-cebe-478f-b1af-d3227f1fd645')/searches/$entity",

+ "dataSourceScopes": "none",

+ "description": "",

+ "lastModifiedDateTime": "2022-03-17T22:24:22.5038229Z",

+ "contentQuery": "messagekind:microsoftteams ",

+ "id": "60150269-9758-4439-9bc4-453c864d082f",

+ "displayName": "loop only",

+ "createdDateTime": "2022-03-17T22:24:22.5038229Z",

+ "lastModifiedBy": null,

+ "createdBy": {

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": "MOD Administrator",

+ "userPrincipalName": "admin@M365x809305.onmicrosoft.com"

+ },

+ "application": {

+ "id": "80ccca67-54bd-44ab-8625-4b79c4dc7775",

+ "displayName": null

+ }

+ }

+}

+```

+ Title: "List additionalSources"

+description: "Get the ediscoveryNoncustodialDataSource resources from the additionalSources navigation property."

+ms.localizationpriority: medium

+# List additionalSources

+Namespace: microsoft.graph.security

+Get the ediscovery data source resources from the additionalSources navigation property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/additionalSources

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_ediscoverynoncustodialdatasource"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/searches/c61a5860-d634-4d14-aea7-d82b6f4eb7af/additionalSources

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.ediscoveryNoncustodialDataSource)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/cases/ediscoveryCases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/searches('c61a5860-d634-4d14-aea7-d82b6f4eb7af')/additionalSources",

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.userSource",

+ "displayName": null,

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "0",

+ "id": "43434642-3137-3138-3432-374142313639",

+ "email": "AlexW@M365x809305.OnMicrosoft.com",

+ "includedSources": "mailbox",

+ "siteWebUrl": null,

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": null,

+ "displayName": null

+ }

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.userSource",

+ "displayName": null,

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "0",

+ "id": "38423145-4639-4244-4437-464630424139",

+ "email": "IrvinS@M365x809305.OnMicrosoft.com",

+ "includedSources": "mailbox",

+ "siteWebUrl": null,

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": null,

+ "displayName": null

+ }

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.userSource",

+ "displayName": null,

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "0",

+ "id": "36304536-3033-3845-4639-394538443235",

+ "email": "AllanD@M365x809305.OnMicrosoft.com",

+ "includedSources": "mailbox",

+ "siteWebUrl": null,

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": null,

+ "displayName": null

+ }

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.siteSource",

+ "@odata.id": "https://graph.microsoft.com/v1.0/sites/",

+ "displayName": null,

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "0",

+ "id": "46454445-3936-3941-4145-463642313642",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": null,

+ "displayName": null

+ }

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.siteSource",

+ "@odata.id": "https://graph.microsoft.com/v1.0/sites/",

+ "displayName": null,

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "0",

+ "id": "37383041-3143-3731-3744-384643453341",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": null,

+ "displayName": null

+ }

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.siteSource",

+ "@odata.id": "https://graph.microsoft.com/v1.0/sites/",

+ "displayName": null,

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "0",

+ "id": "30394337-4541-4632-4532-423832464235",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": null,

+ "displayName": null

+ }

+ }

+ }

+ ]

+}

+```

+ Title: "List custodianSources"

+description: "Get the dataSource resources from the custodianSources navigation property."

+ms.localizationpriority: medium

+# List custodianSources

+Namespace: microsoft.graph.security

+Get the dataSource resources from the custodianSources navigation property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/custodianSources

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [dataSource](../resources/security-datasource.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_datasource"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/searches/c61a5860-d634-4d14-aea7-d82b6f4eb7af/custodianSources

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.dataSource)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.security.dataSource)",

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.userSource",

+ "@odata.id": "https://graph.microsoft.com/beta/security/cases/cases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('0053a61a3b6c42738f7606791716a22a')/userSources('c25c3914-f9f7-43ee-9cba-a25377e0cec6')",

+ "displayName": "MOD Administrator",

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "0",

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "email": "admin@M365x809305.onmicrosoft.com",

+ "includedSources": "mailbox,site",

+ "siteWebUrl": null,

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.userSource",

+ "@odata.id": "https://graph.microsoft.com/beta/security/cases/cases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('0053a61a3b6c42738f7606791716a22a')/userSources('43434642-3137-3138-3432-374142313639')",

+ "displayName": "Alex Wilber",

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "0",

+ "id": "43434642-3137-3138-3432-374142313639",

+ "email": "AlexW@M365x809305.OnMicrosoft.com",

+ "includedSources": "mailbox,site",

+ "siteWebUrl": null,

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.unifiedGroupSource",

+ "@odata.id": "https://graph.microsoft.com/beta/security/cases/cases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('0053a61a3b6c42738f7606791716a22a')/unifiedGroupSources('32e14fa4-3106-4bd2-a245-34bf0c718a7e')",

+ "displayName": "Design (Mailbox)",

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "0",

+ "id": "32e14fa4-3106-4bd2-a245-34bf0c718a7e",

+ "includedSources": "mailbox,site",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.siteSource",

+ "@odata.id": "https://graph.microsoft.com/beta/security/cases/cases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('0053a61a3b6c42738f7606791716a22a')/siteSources('169718e3-a8df-449d-bef4-ee09fe1ddc5d')",

+ "displayName": "U.S. Sales",

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "0",

+ "id": "169718e3-a8df-449d-bef4-ee09fe1ddc5d",

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.userSource",

+ "@odata.id": "https://graph.microsoft.com/beta/security/cases/cases('b0073e4e-4184-41c6-9eb7-8c8cc3e2288b')/custodians('c25c3914f9f743ee9cbaa25377e0cec6')/userSources('45354430-3730-4232-4236-323230383438')",

+ "displayName": "MOD Administrator",

+ "createdDateTime": "0001-01-01T00:00:00Z",

+ "holdStatus": "0",

+ "id": "45354430-3730-4232-4236-323230383438",

+ "email": "admin@M365x809305.onmicrosoft.com",

+ "includedSources": "mailbox,site",

+ "siteWebUrl": null,

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "c25c3914-f9f7-43ee-9cba-a25377e0cec6",

+ "displayName": null

+ }

+ }

+ }

+ ]

+}

+```

+ Title: "List ediscoveryEstimateOperations"

+description: "Get the last ediscoveryEstimateOperation object and its properties."

+ms.localizationpriority: medium

+# List ediscoveryEstimateOperations

+Namespace: microsoft.graph.security

+Get the last [ediscoveryEstimateOperation](../resources/security-ediscoveryestimateoperation.md) objects and their properties.

+>**Note:** This method only lists the last operation; it does not return a history of all operations.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/lastEstimateStatisticsOperation

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [ediscoveryEstimateOperation](../resources/security-ediscoveryestimateoperation.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_ediscoveryestimateoperation"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/searches/c61a5860-d634-4d14-aea7-d82b6f4eb7af/lastEstimateStatisticsOperation

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.ediscoveryEstimateOperation"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#microsoft.graph.security.ediscoveryEstimateOperation",

+ "createdDateTime": "2022-05-29T18:56:48.4649404Z",

+ "completedDateTime": "2022-05-29T18:58:31.968065Z",

+ "percentProgress": 100,

+ "status": "succeeded",

+ "action": "estimateStatistics",

+ "id": "d80d2f2bc71d4544b75d4836bef4ff57",

+ "indexedItemCount": 1756,

+ "indexedItemsSize": 89489297,

+ "unindexedItemCount": 1,

+ "unindexedItemsSize": 57952,

+ "mailboxCount": 4,

+ "siteCount": 6,

+ "createdBy": {

+ "application": null,

+ "user": {

+ "id": "0d38933a-0bbd-41ca-9ebd-28c4b5ba7cb7",

+ "displayName": null,

+ "userPrincipalName": null

+ }

+ }

+}

+```

+ Title: "List noncustodialSources"

+description: "Get the ediscoveryNoncustodialDataSource resources from the noncustodialSources navigation property."

+ms.localizationpriority: medium

+# List noncustodialSources

+Namespace: microsoft.graph.security

+Get the ediscoveryNoncustodialDataSource resources from the noncustodialSources navigation property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/noncustodialSources

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [ediscoveryNoncustodialDataSource](../resources/security-ediscoverynoncustodialdatasource.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_ediscoverynoncustodialdatasource"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/searches/c61a5860-d634-4d14-aea7-d82b6f4eb7af/noncustodialsources

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.security.ediscoveryNoncustodialDataSource)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.security.ediscoveryNoncustodialDataSource)",

+ "value": [

+ {

+ "status": "released",

+ "holdStatus": "removing",

+ "createdDateTime": "2022-05-23T02:09:11.1395287Z",

+ "lastModifiedDateTime": "2022-05-23T02:09:11.1395287Z",

+ "releasedDateTime": "2022-05-26T18:37:12.3318976Z",

+ "id": "35393639323133394345384344303043",

+ "displayName": "U.S. Sales"

+ }

+ ]

+}

+```

+ Title: "Create dataSource"

+description: "Create a new dataSource object."

+ms.localizationpriority: medium

+# Create dataSource

+Namespace: microsoft.graph.security

+Create a new dataSource object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/additionalSources

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [dataSource](../resources/security-datasource.md) object.

+You can specify the following properties when creating a **dataSource**.

+>**Note:** Either **email** or **site** are required, not both.

+|Property|Type|Description|

+|:|:|:|

+|email|string|SMTP address of the mailbox. To get the email address of a group, use [List groups](../api/group-list.md) or [Get group](../api/group-get.md). You can query by the name of the group using `$filter`; for example, `https://graph.microsoft.com/v1.0/groups?$filter=displayName eq 'secret group'&$select=mail,id,displayName`.|

+|site|string|URL of the site; for example, `https://contoso.sharepoint.com/sites/HumanResources`. |

+## Response

+If successful, this method returns a `201 Created`.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_datasource_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/additionalSources

+{

+ "@odata.type": "microsoft.graph.security.siteSource",

+ "site": {

+ "webUrl": "https://contoso.sharepoint.com/sites/SecretSite"

+ }

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.dataSource"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#compliance/ediscovery/cases('15d80234-8320-4f10-96d0-d98d53ffdfc9')/sourceCollections('39b0bafd920e4360995c62e18a5e8a49')/additionalSources/$entity",

+ "@odata.type": "#microsoft.graph.ediscovery.siteSource",

+ "displayName": "Secret Site",

+ "createdDateTime": "2021-08-11T23:35:02.33986Z",

+ "id": "42393244-3838-4636-3437-453030334136",

+ "createdBy": {

+ "user": {

+ "id": "798d8d23-2087-4e03-912e-c0d9db5cb5d2",

+ "displayName": "Edisco Admin",

+ "userPrincipalname": "ediscoadmin@contoso.com"

+ }

+ }

+}

+```

+ Title: "Add dataSource"

+description: "Add custodianSources by posting to the custodianSources collection."

+ms.localizationpriority: medium

+# Add dataSource

+Namespace: microsoft.graph.security

+Add custodianSources by posting to the custodianSources collection.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/custodianSources/$ref

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [dataSource](../resources/security-datasource.md) object.

+You can specify the following properties when creating a **dataSource**.

+|Property|Type|Description|

+|:|:|:|

+|@odata.id|String|String that defines the custodial object. See the example that follows.|

+## Response

+If successful, this method returns a `204 No Content` response code and a [dataSource](../resources/security-datasource.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_datasource_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/searches/c61a5860-d634-4d14-aea7-d82b6f4eb7af/custodianSources/$ref

+Content-Type: application/json

+{

+ "@odata.id": "https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/custodians/0053a61a3b6c42738f7606791716a22a/userSources/c25c3914-f9f7-43ee-9cba-a25377e0cec6"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Add ediscoveryNoncustodialDataSource"

+description: "Add noncustodialSources by posting to the noncustodialSources collection."

+ms.localizationpriority: medium

+# Add ediscoveryNoncustodialDataSource

+Namespace: microsoft.graph.security

+Add noncustodialSources by posting to the noncustodialSources collection.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/noncustodialSources/$ref

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [ediscoveryNoncustodialDataSource](../resources/security-ediscoverynoncustodialdatasource.md) object.

+You can specify the following properties when creating an **ediscoveryNoncustodialDataSource**.

+|Property|Type|Description|

+|:|:|:|

+|@odata.id|String|String that defines the non-custodial object. See the example that follows.|

+## Response

+If successful, this method returns a `204 No Content` response code and an [ediscoveryNoncustodialDataSource](../resources/security-ediscoverynoncustodialdatasource.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "create_ediscoverynoncustodialdatasource_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/searches/c61a5860-d634-4d14-aea7-d82b6f4eb7af/noncustodialSources/$ref

+Content-Type: application/json

+{

+ "@odata.id": "https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/noncustodialDataSources/39333641443238353535383731453339"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "ediscoverySearch: purgeData"

+description: "Use the purge data method to delete Teams messages in a eDiscovery search."

+ms.localizationpriority: medium

+# ediscoverySearch: purgeData

+Namespace: microsoft.graph.security

+Permanently delete Microsoft Teams messages contained in a [eDiscovery search](../resources/security-ediscoverysearch.md).

+>**Note:** This request purges Teams data only. It does not purge other types of data such as mailbox items.

+You can collect and purge the following categories of Teams content:

+- **Teams 1:1 chats** - Chat messages, posts, and attachments shared in a Teams conversation between two people. Teams 1:1 chats are also called *conversations*.

+- **Teams group chats** - Chat messages, posts, and attachments shared in a Teams conversation between three or more people. Also called *1:N* chats or *group conversations*.

+- **Teams channels** - Chat messages, posts, replies, and attachments shared in a standard Teams channel.

+- **Private channels** - Message posts, replies, and attachments shared in a private Teams channel.

+- **Shared channels** - Message posts, replies, and attachments shared in a shared Teams channel.

+For more information about purging Teams messages, see:

+- [eDiscovery solution series: Data spillage scenario - Search and purge](/microsoft-365/compliance/data-spillage-scenariosearch-and-purge)

+- [Advanced eDiscovery workflow for content in Microsoft Teams](/microsoft-365/compliance/teams-workflow-in-advanced-ediscovery)

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}/purgeData

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this action returns a `202 Accepted` response code.

+If the purge data operation is started successfully, this action returns a `202 Accepted` response code. The response will also contain a `Location` header, which contains the location of the [Purge data operation](../resources/security-ediscoverypurgedataoperation.md) that was created to commit the purge.

+To check the status of the purge data operation, make a GET request to the location URL.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "ediscoverysearchthis.purgedata"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/security/cases/eDiscoverycases/b0073e4e-4184-41c6-9eb7-8c8cc3e2288b/searches/c61a5860-d634-4d14-aea7-d82b6f4eb7af/purgeData

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 202 Accepted

+```

+ Title: "Update ediscoverySearch"

+description: "Update the properties of an ediscoverySearch object."

+ms.localizationpriority: medium

+# Update ediscoverySearch

+Namespace: microsoft.graph.security

+Update the properties of an [ediscoverySearch](../resources/security-ediscoverysearch.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|eDiscovery.Read.All, eDiscovery.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Not supported.|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+|Property|Type|Description|

+|:|:|:|

+|contentQuery|String|The query string in KQL (Keyword Query Language) query. For details, see [Keyword queries and search conditions for Content Search and eDiscovery](/microsoft-365/compliance/keyword-queries-and-search-conditions). You can refine searches by using fields paired with values; for example, `subject:"Quarterly Financials" AND Date>=06/01/2016 AND Date<=07/01/2016`.|

+|dataSourceScopes|dataSourceScopes|When specified, the collection will span across a service for an entire workload. Possible values are: `none`,`allTenantMailboxes`,`allTenantSites`,`allCaseCustodians`,`allCaseNoncustodialDataSources`. **Note:** Either one custodian or specifying dataSourceScope is required when creating a source collection.|

+|description|String|The description of the **eDiscovery search**.|

+|displayName|String|The display name of the **eDiscovery search**.|

+## Response

+If successful, this method returns a `204 No Content` response code and an updated [ediscoverySearch](../resources/security-ediscoverysearch.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "update_ediscoverysearch"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/beta/security/cases/ediscoveryCases/{ediscoveryCaseId}/searches/{ediscoverySearchId}

+Content-Type: application/json

+{

+ "displayName": "Teams search"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+> [!CAUTION]

+> The eDiscovery APIs under eDiscovery subnamespace are being deprecated. Please use the new [eDiscovery APIs under security](security-api-overview.md#ediscovery-preview).

+### signInFrequencyAuthenticationType values

+|Member|

+|:|

+|primaryAndSecondaryAuthentication|

+|secondaryAuthentication|

+|unknownFutureValue|

+### signInFrequencyInterval values

+|Member|

+|:|

+|timeBased|

+|everyTime|

+## eDiscovery (preview)

+[Microsoft Purview eDiscovery (Premium)](/microsoft-365/compliance/overview-ediscovery-20) provides an end-to-end workflow to preserve, collect, analyze, review, and export content that's responsive to your organization's internal and external investigations.

+ Title: "caseOperation resource type"

+description: "An abstract entity that represents a long-running process."

+ms.localizationpriority: medium

+# caseOperation resource type

+Namespace: microsoft.graph.security

+Inherits from [entity](../resources/entity.md).

+An abstract entity that represents a long-running eDiscovery process. It contains a common set of properties that are shared among inheriting entities. Entities that derive from **caseOperation** include:

+- [Index operation](../resources/security-ediscoveryindexoperation.md)

+- [Hold operation](../resources/security-ediscoveryholdoperation.md)

+- [Purge data operation](../resources/security-ediscoverypurgedataoperation.md)

+- [Estimate operation](../resources/security-ediscoveryestimateoperation.md)

+- [Add to review set operation](../resources/security-ediscoveryaddtoreviewsetoperation.md)

+- [Tag operation](../resources/security-ediscoverytagoperation.md)

+- [Export operation](../resources/security-ediscoveryexportoperation.md)

+## Methods

+|Method|Return type|Description|

+|:|:|:|

+|[List caseOperations](../api/security-ediscoverycase-list-operations.md)|[microsoft.graph.security.caseOperation](../resources/security-caseoperation.md) collection|Get a list of the [caseOperation](../resources/security-caseoperation.md) objects and their properties.|

+|[Get caseOperation](../api/security-caseoperation-get.md)|[microsoft.graph.security.caseOperation](../resources/security-caseoperation.md)|Read the properties and relationships of a [caseOperation](../resources/security-caseoperation.md) object.|

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|action|[microsoft.graph.security.caseAction](../resources/security-caseoperation.md#caseaction-values)| The type of action the operation represents. Possible values are: `addToReviewSet`,`applyTags`,`contentExport`,`convertToPdf`,`estimateStatistics`, `purgeData`|