The Ultimate Guide to Microsoft Teams eDiscovery


Amid this ongoing pandemic, many organizations across the world have required their employees to work from home using apps like Microsoft Teams, which generates more content than ever in Office 365. Microsoft Teams stores data in various places, making it more difficult for administrators to perform complete eDiscovery.

In this article, we will explore which Teams eDiscovery tools are available to IT admins, how to collect data from Teams using eDiscovery, and what the current limitations of eDiscovery workflows are.

Where is Microsoft Teams data stored?

Before we begin using eDiscovery, it’s essential to understand the different storage locations of Microsoft Teams since the app uses multiple Office 365 services to handle its data.

Chat and channel Messages

Microsoft Teams chat and channel messages are stored with Exchange Online. When a user posts messages to a chat or channel conversation, the Microsoft 365 substrate stores a compliance record for those messages in Exchange Online. The compliance records for chats are in the user mailboxes of all chat participants. When users send channel messages, compliance records are sent to the team mailbox that owns that channel.

Files

Every team has a SharePoint team site, and within that site is the Team document library with folders representing each channel. Microsoft Teams files live in OneDrive for Business or SharePoint Online.

When a user sends a file in a Teams chat, the file is stored in their OneDrive for Business, in a folder named “Teams Chat Files”.

Meeting Recordings

Teams meeting recordings are stored in either OneDrive or SharePoint, depending on the type of meeting. A folder named “Recordings” in OneDrive for Business stores ad hoc Teams meeting recordings, and SharePoint Online stores channel meeting recordings.

What is eDiscovery?

Electronic discovery, or eDiscovery, is the process of identifying, collecting, and producing electronic information in response to a request for production in a legal case or investigation. It can be emails, files, chat messages, videos, voicemails, etc.

Licensing requirements

There are two types of eDiscovery in Microsoft 365:

  • Core eDiscovery, which comes in the Microsoft 365 E3 or Office 365 E3 licensing SKU
  • Advanced eDiscovery, which comes in Microsoft 365 E5 or Office 365 E5 licensing SKU. Advanced eDiscovery also comes as part of the Microsoft 365 E5 Compliance add-on.

This article will focus on the Core eDiscovery features, but it is helpful to understand what the E5 version provides. Advanced eDiscovery provides custodian management, which enables you to identify users who are the data custodians in your investigations and add them and their content locations. You can specify the team content locations to quickly place them on legal hold.

To run searches for users, they must have an Office 365 license containing a mailbox, SharePoint Online, OneDrive, and Teams. In the search results, there is conversation grouping, which groups channel and chat conversations to help identify the context that may be relevant to your investigation. Advanced eDiscovery also provides deep indexing and the ability to redact content.

What do you get in the eDiscovery tool?

With each eDiscovery tool, you will get a set of features to search and hold organizational data in Office 365.

Content Search

Content Search in Microsoft 365 allows you to run searches for keywords, specific users, or specific locations in Office 365. To run content searches for Teams data, you must narrow your search to the Team SharePoint site, OneDrive account, and Exchange mailbox because Office 365 stores Teams data in different locations, as we explained earlier.

Core eDiscovery

Admins can use Core eDiscovery to place an eDiscovery hold on content locations in Office 365. Core eDiscovery cases can create holds to preserve content relevant to the case.

If you are investigating someone, you can hold their Exchange mailboxes and OneDrive for Business accounts. Additionally, you can place a hold on the mailboxes and sites associated with Microsoft Teams, Office 365 Groups, and Yammer Groups. The hold preserves the content until an admin or eDiscovery Manager removes the location or deletes the hold.

Permissions

Before you get started with eDiscovery, you must ensure that you have the correct permissions assigned. There are two significant roles available in the eDiscovery Manager role group:

  • The eDiscovery Manager role enables users to use content search, export the results and create cases and holds. Users are only able to access cases they create.
  • The eDiscovery Admin is an access-all-areas type of permission. Admins can access all cases and data in eDiscovery.

You can assign these permissions in the Permissions section of the Microsoft 365 Compliance Admin Center.

Use eDiscovery to collect Teams data

Step 1: Create a case

To use eDiscovery to collect Teams data, first, you need to create a case. Navigate to the eDiscovery section of the Compliance Admin center and create a new case.

Figure 1: Creating a new case in Core eDiscovery

Step 2: Create a hold

Within each case, you can create multiple holds to preserve the Teams data in eDiscovery. The hold preserves the content until you delete it, and it will also retain the data even if it reaches its retention period in Microsoft 365.

To create a hold, open the case and choose the Holds tab. From there, we can create a new hold.

Figure 2: Create a new hold under eDiscovery case

eDiscovery prompts you to enter a name and description for your hold. Next, choose the locations for the hold.

If you want to hold Teams data, you need to define the Group mailbox and the SharePoint site. You can do this by searching for the Team name.

Figure 3: Choose hold locations in Office 365

If you want to create a query-based eDiscovery hold, you must give the query condition. You can choose a keyword and additional conditions such as sender, date, and subject.

Figure 4: Query and condition options within the hold

You can create a hold without a condition, so click next and then submit to create your new hold. The hold may take up to 24 hours to take effect.

Step 3: Create a search

After creating the hold, select the Searches tab to create a new search. Follow the prompts to name your search and choose the locations in Exchange and SharePoint. Again, search for the Group mailbox and SharePoint team site for the Team you want to search. You can add conditions such as keywords and then click Save.

Figure 5: New search in eDiscovery case

The search will appear under the Searches tab, and you can select it to view the search results and a sample preview of the data.

Figure 6: Search preview in eDiscovery case

Step 4: Export results

You can export the eDiscovery search results to a .pst file by using the export tool. Go back to your search and select Actions, then Export results.

Figure 7: Under Actions, export results

You can define the output options in your export results, such as excluding encrypted items, and then choose how to export the data.

Figure 8: Customise export results

Scroll down to choose SharePoint versioning and duplication options, as well as a numerical view of the results.

Figure 9: View total items to export

After you click Export, you will see the results under the Exports tab within the case. Once the export completes, you can download the results.

Figure 10: Exporting results under Export tab in eDiscovery case

The data collected in the PST files is generally unorganized and unstructured, and channel and chat messages are not displayed one after the other in order. Instead, you get a collection of individual messages that are difficult to interpret.

If you don’t want to deal with unorganized Teams data, you may want to consider purchasing Advanced eDiscovery, which provides conversation grouping. This makes it much easier to interpret the data and see the relevant context to the conversation.
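The case, hold and search from Steps 1 to 3 can also be scripted with Security & Compliance PowerShell. The script below is an added example, not part of the original article; the Team name, case name, participant list, OneDrive URLs and query are placeholders, and the export (Step 4) is left to the portal. It also checks the per-hold limits listed under Core eDiscovery limitations before creating the hold.

```powershell
# Added example: Steps 1-3 for one Team. All names below are placeholders.
#Requires -Modules ExchangeOnlineManagement
param(
    [string]$TeamName           = 'Contoso Legal Team',    # hypothetical Team name
    [string[]]$ChatParticipants = @(),                     # UPNs whose chat records are needed
    [string[]]$OneDriveUrls     = @(),                     # their OneDrive URLs (chat files)
    [string]$CaseName           = 'Case-0001-Placeholder', # hypothetical case name
    [string]$Query              = ''                       # empty = everything in the locations
)

Connect-ExchangeOnline -ShowBanner:$false   # needed for Get-UnifiedGroup
Connect-IPPSSession                         # Security & Compliance PowerShell

# Channel messages: group mailbox. Team files: team site. Chats: participant mailboxes.
$group     = Get-UnifiedGroup -Identity $TeamName -ErrorAction Stop
$mailboxes = @($group.PrimarySmtpAddress) + $ChatParticipants
$sites     = @($group.SharePointSiteUrl) + $OneDriveUrls

# Per-hold limits from the article's table: 1,000 mailboxes and 100 sites.
if ($mailboxes.Count -gt 1000 -or $sites.Count -gt 100) {
    throw 'Hold exceeds 1,000 mailboxes or 100 sites; split it into several holds.'
}

# Step 1: create the case.
New-ComplianceCase -Name $CaseName -Description "Teams collection for $TeamName" | Out-Null

# Step 2: create the hold. A rule without a query preserves all content in the locations.
$holdName = "$CaseName-Hold"
New-CaseHoldPolicy -Name $holdName -Case $CaseName `
    -ExchangeLocation $mailboxes -SharePointLocation $sites | Out-Null
$ruleArgs = @{ Name = "$holdName-Rule"; Policy = $holdName }
if ($Query) { $ruleArgs.ContentMatchQuery = $Query }
New-CaseHoldRule @ruleArgs | Out-Null

# Step 3: create and run the search over the same locations.
$searchName = "$CaseName-Search"
$searchArgs = @{ Name = $searchName; Case = $CaseName
                 ExchangeLocation = $mailboxes; SharePointLocation = $sites }
if ($Query) { $searchArgs.ContentMatchQuery = $Query }
New-ComplianceSearch @searchArgs | Out-Null
Start-ComplianceSearch -Identity $searchName
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
'{0}: {1} items, {2} bytes' -f $search.Name, $search.Items, $search.Size
```

The account running it needs the eDiscovery Manager or eDiscovery Admin permissions described earlier.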

Core eDiscovery limitations

The unstructured data export leads me to discuss the various limitations of the Core eDiscovery tool. First, the content search is not very practical for Microsoft Teams eDiscovery: As an eDiscovery manager, you need to do a content search for all the Office 365 locations for that specific team. There is no option to search for a team and get all the data within it, and that’s because Office 365 stores Teams data in different locations.

Furthermore, not all Teams content is discoverable: Audio recordings, names of channels, and code snippets are all non-discoverable items in eDiscovery. You should also be aware that the case holds have some limitations, which will likely impact larger organizations.

| Description of limit | Limit |
| --- | --- |
| Maximum number of case holds for an organization. | 10,000 |
| Maximum number of mailboxes in a single case hold. | 1,000 |
| Maximum number of sites in a single case hold. | 100 |
| Maximum number of cases displayed on the Core eDiscovery home page and the maximum number of items displayed on the Holds, Searches, and Export tabs within a case. | 1,000 |

Microsoft’s eDiscovery tools only work natively with Microsoft 365, meaning they will not work with data stored in third-party tools. This can be a source of concern for organizations that did not fully embrace Microsoft 365 and still have data stored elsewhere.

Summary

For organizations dealing with multiple active litigations and looking to level up their information governance efforts, Advanced eDiscovery is probably the route to take. The Core eDiscovery tools in your standard Office 365 or Microsoft 365 E3 license provide you with the ability to search, hold, and export results. With Advanced eDiscovery, you can filter, tag and view threaded conversations in the results, making it easier to interpret the exported data. If you want to have a Microsoft Teams eDiscovery plan and policy, Advanced eDiscovery is definitely worth the investment.
