How to Collect Microsoft Teams and Microsoft 365 Data During eDiscovery

The chat and channel messages of Microsoft Teams are stored with Exchange Online. This means that whenever a message is posted, the eDiscovery Office 365 substrate stores the message’s compliance record in the Exchange Online. All the chat participants receive the compliance records of chats in their mailboxes. In the case of channel messages, the owner of the channel receives the compliance records.

Microsoft Teams is integrated with SharePoint, which contains the Teams document library with different folders for each channel. The files for Microsoft Teams will either be in SharePoint Online or OneDrive for Business. As soon as the user sends a file on chat, a folder is created in their OneDrive named “Team Chat Files.”

The recordings of all the Teams meetings are either stored in SharePoint or OneDrive. In OneDrive for Business, there is a folder named “Recordings” containing recordings of ad hoc Teams meetings. The recordings for channel meetings are stored on SharePoint Online.

Before you can start collecting Teams data, you have to create a case. To do this, head to the Compliance Admin center of the application and navigate to the eDiscovery section. You will find the option to create a new case there.

For each case, you can create multiple holds in order to preserve the data for Microsoft eDiscovery. The content will be preserved until you delete it. Even after the retention period has been reached, the data will be retained in Microsoft 365.

Open the case and select the Holds tab for creating a hold. You will have to enter a name and description. Next, you will have to select the hold’s location. For Teams data, you must define the SharePoint site and the Group mailbox. To do this, you will have to search for the name of the Team.

In the case of a query-based eDiscovery hold, you must provide a query condition. It is also possible to select keywords and conditions such as date, subject, and sender. You can also create a hold without any conditions. Simply click Next and Submit, and your new hold will be created. It can take 24 hours for the hold to take effect.

Once you have created the hold, you can create a new search by selecting the Searches tab. Name your search by following the prompts. You can choose the location in Exchange and SharePoint. Make sure that you search for the SharePoint team site and Group mailbox for the Team. There is also an option to add conditions such as keywords. Once you are done, click Save.

You will be able to find the search in the Searches tab. Select it to see the search results, along with a sample data preview.

It is possible to export the search results of the eDiscovery to a .pst file. For this, go to your search, select Actions, and Export results. There is an option to define the output options in the export results, allowing you to exclude encrypted items. Then, you can select how you want to export the data.

You can scroll down to get a numerical view of the results and find the SharePoint duplication and versioning options. After you hit Export, you will be able to view the results under the Exports tab. Once the eDiscovery export tool has finished, the results will be available to download.

It is important to note that the data you will get in the .pst file will be unstructured and unorganized. You won’t see the chat and channel messages displayed in order. What you will get is a collection of messages that are difficult to translate. To avoid this, you need the help of an eDiscovery solution such as Casepoint that can help you interpret this data and understand the relevance of the conversation.

The advanced compliance tools of Microsoft only work with their own tech stack. They cannot mirror third-party apps’ retention policies via connectors for Microsoft Teams. Moreover, the sync across third-party apps only happens once a day.

Microsoft doesn’t offer instantaneous searches. The searches are processed in batches, which means that depending on the scope, volume, and size of the search, it can take a lot of time.

The images sent as email attachments are not indexed. Sending large files can be a problem for the software as well. If you send content such as emoji reactions in Teams, it won’t be indexed, meaning it cannot be searched. Also, the chat of a participant without an Exchange Online mailbox won’t be preserved.

Microsoft stores the original as well as the archived copy in the same environment. This puts your data at an increased risk of theft, corruption, and loss.

The process of setting up and using the Microsoft Compliance Center is complex. To perform certain actions, Compliance Center uses Powershell, which makes it prone to errors.