The Ultimate Guide to Microsoft Teams eDiscovery
Amid this ongoing pandemic, many organizations across the world have required their employees to work from home using apps like Microsoft Teams, which generates more content than ever in Office 365. Microsoft Teams stores data in various places, making it more difficult for administrators to perform complete eDiscovery.
In this article, we will explore what different Teams eDiscovery tools are available for IT Admins, how to collect data from Teams using eDiscovery, and what are the current limitations for eDiscovery workflows.
Table of Contents
- Where is Microsoft Teams data stored?
- What is eDiscovery?
- Use eDiscovery to collect Teams data
- Core eDiscovery limitations
Where is Microsoft Teams data stored?
Before we begin using eDiscovery, it’s essential to understand the different storage locations of Microsoft Teams since the app uses multiple Office 365 services to handle its data.
Chat and channel Messages
Microsoft Teams chat and channel messages are stored with Exchange Online. When a user posts messages to a chat or channel conversation, the Microsoft 365 substrate stores a compliance record for those messages in Exchange Online. The compliance records for chats are in the user mailboxes of all chat participants. When users send channel messages, compliance records are sent to the team mailbox that owns that channel.
Every team has a SharePoint team site, and within that site is the Team document library with folders representing each channel. Microsoft Teams files live in OneDrive for Business or SharePoint Online.
When a user sends a file via a Teams chat, a folder in their OneDrive will appear named “Teams Chat Files, ” containing their files. Files shared through Teams chats are stored in OneDrive for Business.
Teams meeting recordings are stored in either OneDrive or SharePoint, depending on the type of meeting. A folder named “Recordings” in OneDrive for Business stores ad hoc Teams meeting recordings, and SharePoint online stores any Channel meetings.
What is eDiscovery?
Electronic discovery, or eDiscovery, is the process of identifying, collecting, and producing electronic information in response to a request for production in a legal case or investigation. It can be emails, files, chat messages, videos, voicemails, etc.
There are two types of eDiscovery in Microsoft 365:
- Core eDiscovery, which comes in the Microsoft 365 E3 or Office 365 E3 licensing SKU
- Advanced eDiscovery, which comes in Microsoft 365 E5 or Office 365 E5 licensing SKU. Advanced eDiscovery also comes as part of the Microsoft 365 E5 Compliance add-on.
This article will focus on the Core eDiscovery features, but it is helpful to understand what the E5 version provides. Advanced eDiscovery provides custodian management, which enables you to identify users who are the data custodians in your investigations and add them and their content locations. You can specify the team content locations to quickly place them on legal hold.
To run searches for users, they must have an Office 365 license containing a mailbox, SharePoint Online, OneDrive, and Teams. In the search results, there is conversation grouping, which groups channel and chat conversations to help identify the context that may be relevant to your investigation. Advanced eDiscovery also provides deep indexing and the ability to redact content.
What do you get in the eDiscovery tool?
With each eDiscovery tool, you will get a set of features to search and hold organizational data in Office 365.
Content Search in Microsoft 365 allows you to run searches for keywords, specific users, or specific locations in Office 365. To run content searches for Teams data, you must narrow your search to the Team SharePoint site, OneDrive account, and Exchange mailbox because Office 365 stores Teams data in different locations, as we explained earlier.
Admins can use Core eDiscovery to place an eDiscovery hold on content locations in Office 365. Core eDiscovery cases can create holds to preserve content relevant to the case.
If you are investigating someone, you can hold their Exchange mailboxes and OneDrive for Business accounts. Additionally, you can place a hold on the mailboxes and sites associated with Microsoft Teams, Office 365 Groups, and Yammer Groups. The hold preserves the content until an admin or eDiscovery Manager removes the location or deletes the hold.
Before you get started with eDiscovery, you must ensure that you have the correct permissions assigned. There are two significant roles available in the eDiscovery Manager role group:
- The eDiscovery Manager role enables users to use content search, export the results and create cases and holds. Users are only able to access cases they create.
- The eDiscovery Admin is an access-all-areas type of permission. Admins can access all cases and data in eDiscovery.
You can assign these permissions in the Permissions section of the Microsoft 365 Compliance Admin Center.
Use eDiscovery to collect Teams data
Step 1: Create a case
To use eDiscovery to collect Teams data, first, you need to create a case. Navigate to the eDiscovery section of the Compliance Admin center and create a new case.
Step 2: Create a hold
Within each case, you can create multiple holds to preserve the Teams data in eDiscovery. The hold preserves the content until you delete it, and it will also retain the data even if it reaches its retention period in Microsoft 365.
To create a hold, open the case and choose the Holds tab. From there, we can create a new hold.
eDiscovery prompts you to enter a name and description for your hold. Next, choose the locations for the hold.
If you want to hold Teams data, you need to define the Group mailbox and the SharePoint site. You can do this by searching for the Team name.
If you want to create a query-based eDiscovery hold, you must give the query condition. You can choose a keyword and additional conditions such as sender, date, and subject.
You can create a hold without a condition, so click next and then submit to create your new hold. The hold may take up to 24 hours to take effect.
Step 3: Create a search
After creating the hold, select the Searches tab to create a new Search. Follow prompts to name your search, choose the locations in Exchange and SharePoint. Again, search for the Group mailbox and SharePoint team site for the Team you want to search. You can add conditions such as keywords and then click Save.
The search will appear under the Searches tab, and you can select it to view the search results and a sample preview of the data.
Step 4. Export results
You can export the eDiscovery search results to a .pst file by using the export tool. Go back to your search and select Actions, then Export results.
You can define the output options in your export results, such as excluding encrypted items, and then choose how to export the data.
Scroll down to choose SharePoint versioning and duplication options, as well as a numerical view of the results.
After you click Export, you will see the results under the Exports tab within the case. Once the export completes, you will download the results.
The collection of data in the PST files is generally unorganized and unstructured, and channel and chat messages are not displayed one after the other in order. Instead, you’ll be getting a collection of individual messages which are difficult to translate.
If you don’t want to deal with unorganized Teams data, you may want to consider purchasing Advanced eDiscovery, which provides conversation grouping. This makes it much easier to interpret the data and see the relevant context to the conversation.
Core eDiscovery limitations
The unstructured data export leads me to discuss the various limitations of the Core eDiscovery tool. First, the content search is not very practical for Microsoft Teams eDiscovery: As an eDiscovery manager, you need to do a content search for all the Office 365 locations for that specific team. There is no option to search for a team and get all the data within it, and that’s because Office 365 stores Teams data in different locations.
Furthermore, not all Teams content is discoverable: Audio recordings, names of channels, and code snippets are all non-discoverable items in eDiscovery. You should also be aware that the case holds have some limitations, which will likely impact larger organizations.
|Description of Limit||Limit|
|Maximum number of case holds for an organization.||10,000|
|Maximum number of mailboxes in a single case hold.||1,000|
|Maximum number of sites in a single case hold.||100|
|Maximum number of cases displayed on the core eDiscovery home page and the maximum number of items displayed on the Holds, Searches, and Export tabs within a case.||1,000|
Microsoft’s eDiscovery tools only work natively with Microsoft 365, meaning they will not work with data stored in third-party tools. This can be a source of concern for organizations that did not fully embrace Microsoft 365 and still have data stored elsewhere.
For organizations dealing with multiple active litigations and looking to level up their information governance efforts, Advanced eDiscovery is probably the route to take. The Core eDiscovery tools in your standard Office 365 or Microsoft 365 E3 license provide you with the ability to search, hold, and export results. With Advanced eDiscovery, you can filter, tag and view threaded conversations in the results, making it easier to interpret the exported data. If you want to have a Microsoft Teams eDiscovery plan and policy, Advanced eDiscovery is definitely worth the investment.
More in Microsoft 365
M365 Changelog: (Updated) Introducing OneNote viewer in Teams mobile apps
Jan 26, 2023 | Rabia Noureen
Microsoft Plans to Block All Downloaded Excel XLL Add-Ins
Jan 26, 2023 | Rabia Noureen
How to Run a Successful Microsoft Teams Meeting, Live Event, or Webinar
Jan 25, 2023 | Jason Wynn
Microsoft Confirms Global Network Outage Hits Teams, Outlook, and Azure
Jan 25, 2023 | Rabia Noureen
M365 Changelog: (Updated) Microsoft 365 admin center - New Teams Group Graph API and Teams Team Activity Counts
Jan 24, 2023 | Rabia Noureen
Collaborating with Microsoft 365: File Sharing, Real-Time Co-Authoring, and Microsoft Loop Components
Jan 20, 2023 | Michael Reinders
Most popular on petri