Preserving Teams Messages for an Ex-Employee


Traces Left Behind in Office 365

When someone leaves a company, they leave many traces of their presence in the organization’s digital memories. The challenge for companies is to decide how long to keep information associated with an ex-employee, a procedure now complicated by regulations like GDPR. Essentially, you need good and well-documented business reasons to keep personal information about someone for any length of time.

Email is Easy

Keeping the mailbox of an ex-employee is easy. Either make the mailbox a shared mailbox or put the mailbox on hold and then delete the user’s account to make the mailbox inactive. Either route is good, with shared mailboxes more popular because they are easier to access and don’t need a license unless the mailbox is larger than 50 GB or has an archive.

The Deleting User wizard in the Office 365 Admin Center will make a mailbox shared before it removes an account, and the wizard also takes care of the user’s OneDrive for Business account. However, the wizard can’t deal with hybrid users.

SharePoint is Easy Too

SharePoint is also straightforward. The nature of sites is that they are shared by groups of users, so the remaining users will continue to have access to documents after the removal of the ex-employee’s account. If an ex-employee was the owner of a site, you should make sure that the site continues to have at least one owner and promote someone into that role if needed. And as noted above, the wizard takes care of their OneDrive for Business account.

Outside the Basic Office 365 Workloads

The basic Office 365 workloads of email and document management are well covered, but what about Teams? Here’s a management request that I heard of:

“They need to know how to look at a Teams instance of a departed colleague. There are conversations, files, tabs, possibly chats.”

Leaving aside the debate whether departed means dead or someone who resigned, the need is clear. Management want to be able to review the Teams activity of someone, probably before the account is removed from Office 365.

Content Searches to the Rescue

The easiest and quickest way to recover all messages sent by someone in personal chats and channel conversations is to run a content search to retrieve the compliance records captured by Office 365 for Teams conversations.

Go to the Security and Compliance Center, select Search and Investigation, then Content search, and then create a new search. In the search query, click add condition and select “instant messages” as the type of item you’re interested in. You then add a second condition with the email address of the person whose messages you want to retrieve as the sender/author.

After setting the search conditions, we need to select the locations to search. Click Specific locations and choose the user’s personal mailbox plus the group mailboxes for the teams they belong to or all Exchange mailboxes. The latter is best as it is all too easy to miss out a team when you add them to a search.

Figure 1 shows what the content search should look like together with a preview of some search results. As you can see, we have channel messages (those with the team name in the subject) and personal chats (those prefixed with IM). Remember, these items are compliance records and not the actual messages, so you must reassemble them in order to recreate conversations.

Figure 1: A content search finds some Teams messages (image credit: Tony Redmond)
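
The same search can be created from PowerShell instead of the Security and Compliance Center. This is an added example, not code from the original article: the function name, the search naming scheme, and the placeholder address are hypothetical, and the KQL string is an assumed equivalent of the two conditions described above.

```powershell
# Added example, not from the original article.
# Assumes an existing Security & Compliance Center PowerShell session.
function New-TeamsMessageSearch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Sender,       # address of the ex-employee
        [string] $Name = "Teams messages - $Sender",   # hypothetical naming scheme
        [int] $TimeoutMinutes = 30
    )

    # Accept only a plain address so the value cannot change the meaning of the query.
    if ($Sender -notmatch '^[^\s"()@]+@[^\s"()@]+$') {
        throw "'$Sender' is not a plain email address."
    }

    # kind:im = the "instant messages" item type; from: = the sender (assumed KQL equivalent).
    $Query = 'kind:im AND from:"{0}"' -f $Sender

    # -ExchangeLocation All covers user and group mailboxes, so no team is missed.
    New-ComplianceSearch -Name $Name -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
    Start-ComplianceSearch -Identity $Name

    # Poll until the search finishes or the timeout expires.
    $Deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        $Search = Get-ComplianceSearch -Identity $Name
    } while ($Search.Status -ne 'Completed' -and (Get-Date) -lt $Deadline)

    if ($Search.Status -ne 'Completed') {
        throw "Search '$Name' did not complete in $TimeoutMinutes minutes (status: $($Search.Status))."
    }

    # Summary to record alongside the request that justified the search.
    [PSCustomObject]@{
        Search = $Name
        Query  = $Query
        Items  = $Search.Items
        SizeMB = [math]::Round($Search.Size / 1MB, 2)
    }
}

New-TeamsMessageSearch -Sender 'user@example.com'   # placeholder address
```

The returned summary gives the item count and size to check against the preview before exporting the results.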

We can expand the search to look for documents authored by the ex-employee stored in document libraries belonging to Teams. To do this, add “Documents” to the set of information types covered by the query and add the SharePoint libraries belonging to Teams to the search locations.

Export and Review

After refining the search to make sure that you have found everything of interest, click the More menu and select Export results. You can choose to export the messages in a PST file, a ZIP file, or as individual files. Once the export is done, hand the files over to management for their review and the job’s done.

GDPR DSR and Teams

A GDPR Data Subject Request (DSR) search executed through the Security and Compliance Center includes Teams messages in its scope, so the search will find Teams messages along with regular email, Skype for Business IM transcripts, OneDrive documents, and SharePoint documents. Running a DSR search is an effective way of recovering everything within Office 365 associated with an ex-employee that can be found by a content search. This excludes Planner and Yammer data because Office 365 does not index this information, which is therefore unavailable to a content search.

Auditing Team Actions

If we want to find out what actions someone has taken within Teams (like adding channels or tabs), the Office 365 audit log is the place to go because that’s where these actions are captured. Some PowerShell will reveal the actions. For instance, this snippet finds all occurrences of channel adds and tabs adds, updates, or removals for a specific user.

# Address of the user to report on (placeholder; the address in the original post was obscured)
$User = "user@example.com"
# Find channel additions and tab additions, updates, and removals for the user
$Records = @(Search-UnifiedAuditLog -StartDate 6-Jul-2018 -EndDate 6-Sep-2018 -Operations "ChannelAdded","TabUpdated","TabAdded","TabRemoved" -ResultSize 1000 -UserIds $User)
$Report = @()
If ($Records.Count -eq 0) {
   Write-Host "No Teams activity found." }
Else {
   Write-Host "Processing" $Records.Count "audit records..."
   ForEach ($Rec in $Records) {
      # AuditData is a JSON string holding the details of the audited event
      $AuditData = ConvertFrom-Json $Rec.AuditData
      $ReportLine = [PSCustomObject][Ordered]@{
           TimeStamp   = $AuditData.CreationTime
           User        = $AuditData.UserId
           Action      = $AuditData.Operation
           Status      = $AuditData.Status
           Workload    = $AuditData.Workload
           TeamId      = $AuditData.TeamGuid
           TeamName    = $AuditData.TeamName
           Channel     = $AuditData.ChannelName
           }
      $Report += $ReportLine
   }
}
$Report | Select TimeStamp, Action, User, TeamName

To find information about more actions, add them to the list of operations specified in the command.

Keeping Data for Ex-Employees

There are many good reasons why organizations need to keep data for ex-employees. Contract records might be in email or OneDrive for Business, information about projects that they’ve been working on is in personal Teams chats, and so on. Office 365 has the tools to make this data available to allow company representatives to continue the work of the ex-employee. Just be sure that the actions taken to find and extract data belonging to ex-employees are measured, legal, and defensible. It is important to preserve personal privacy, even when you’re trying to find something important for the company.

Follow Tony on Twitter @12Knocksinna.
