Using eDiscovery to find Teams Data

eDiscovery is used to conduct content investigations in Microsoft 365. There are 3 eDiscovery solutions with slightly different features. All 3 can be used to discover Teams data, though not ALL Teams data is discoverable.

Discoverable Teams information, and where it is stored for compliance purposes such as eDiscovery, are shown in the table below.

| Content | Stored in | Notes |
|---|---|---|
| Chat Messages | User Mailbox | This includes emojis, gifs, stickers and inline images as well as content displayed in ‘cards’ |
| Files Shared in Chat Messages | OneDrive | It is also possible to set retention so the version of the file shared is discoverable (see Ignite 2021 updates in Further reading) |
| Teams Channel Messages | Group Mailbox | This includes emojis, gifs, stickers and inline images as well as content displayed in ‘cards’ |
| Files shared in channel chat messages | SharePoint | It is also possible to set retention so the version of the file shared is discoverable (see Ignite 2021 updates in Further reading) |
| Edited Chat & Channel Messages | User/Group Mailbox | For users/groups on hold, the previous versions of the messages are also available to eDiscovery |
| Meeting Chat (Private Meetings) | User Mailbox | |
| Files shared in Meeting Chat (Private Meetings) | OneDrive | It is also possible to set retention so the version of the file shared is discoverable (see Ignite 2021 updates in Further reading) |
| Meeting Chat (Channel Meetings) | Group Mailbox | |
| Files shared in Channel Meeting Chat | SharePoint | It is also possible to set retention so the version of the file shared is discoverable (see Ignite 2021 updates in Further reading) |
| Meeting & Call Metadata | User Mailbox | This includes start/end time of meeting & join/leave time for each participant |
| Meeting Recordings / Transcripts (Private Meetings) | OneDrive | Stored in OneDrive of user who starts the recording/transcript. Recordings can only be |

 

The following content is NOT discoverable using eDiscovery:

  • Audio recordings
  • Code snippets
  • Channel name
  • Reactions
  • Feed notifications

The storage location shown above is important for two reasons:

  1. To help choose locations to include in the eDiscovery search
  2. To understand where the data shows up when exporting the results. Anything stored in a mailbox will be exported into a PST file, while OneDrive & SharePoint content is exported in file folders.

In the walk through we are going to use the Content Search functionality, as we are focusing on search and export. Core eDiscovery and Advanced eDiscovery can both be used to find the Teams information, and each offers additional functionality beyond the basic search.

The features of the different eDiscovery solutions are summarised in the following table, which is sourced from the Microsoft Docs article on eDiscovery (see Further Reading at the end of this article).

| Content Search | Core eDiscovery (additional to Content Search) | Advanced eDiscovery (additional to Core) |
|---|---|---|
| Search for data/content | Case management | Custodian Management |
| Keyword queries and search conditions | Legal hold | Legal hold notifications |
| Export search results | | Advanced indexing |
| Role based permissions to use | | Review sets incl filtering |
| | | OCR |
| | | Conversation Threading |
| | | Collection Statistics & Reporting |
| | | Tagging |
| | | Analytics |
| | | Predictive coding models |
| | | Error Remediation |
| | | Computed document metadata |
| | | Transparency of long running jobs |
| | | Export to Azure storage location |

Content Search Walk Through for Teams Data

In this walk through we are conducting a search to check for content related to a new project. This content has been spread across multiple Teams, including private channels and in direct 1:1 chat with files having been created and saved in various locations.

Navigate to the compliance center https://compliance.microsoft.com and choose Content Search. Although Content Search is an eDiscovery function it is not included in the eDiscovery sub menu.

eDiscovery in Microsoft 365

Click New search, then complete the Name and Description for the search you want to perform.

Click Next then choose the locations to be searched. To cover all Teams locations you will need to include mailboxes for all Teams users including guests and all SharePoint sites for the Teams.

There are potential issues with the example here, in that we have included all mailboxes and all SharePoint sites. The results will include all discoverable Teams content but also emails and files in other SharePoint sites. This may not be detrimental but you should be aware that the result will include more than Teams data.

Click Next and then create your search using a combination of keywords and conditions such as creation date, sender, etc.

Click Next and review the summary of the settings you have specified before clicking Submit to start the search.

Next you will see confirmation that the search has been created and is in progress. Click Done. How long it takes until the results are available will depend on the volume of content being searched.

When you click Done you will return to the Content Search page and will be able to see the status of your new search.

Note that an alert has been sent to all Global Admins that an eDiscovery Search has been started. This is the default behaviour.

Once the search is showing as completed, click the search name to load the results.

You can see the search statistics, showing how many items have been found.

Click Review sample to check the information which has been found to verify your search worked as expected.

You can then export the results or a report on the results from the Actions menu.

If you choose to export the results then you will be presented with options of how you want to export the discovered data.

Don’t forget to scroll before clicking the Export button as there are further options, which never seem to fit on the one screen.

Your export will be prepared and once ready will be found under Export on the main Content Search screen. Click on the name of the search you want to export data from.

You will need the Export Key, so be sure to copy it! Click Download results to start the download of the exported results.

You should see a pop up asking to open the file. This is the specific tool used for eDiscovery, called the eDiscovery Export Tool.

Install the application.

The next prompt will ask for the Export Key and the location you want to save the exported PST and file folders to.

Once extracted, you will be able to open the file folder and add the PST files to Outlook to review. Remember, Teams messages will be in the PST files, in the Teams Chat folder.
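
The search-creation steps of the walk through can also be scripted in Security & Compliance PowerShell. The following is an added example, not part of the original walk through: the search names, description and the keyword "Project Falcon" are hypothetical. It creates the same all-mailboxes, all-sites search, plus a second mailbox-only search that uses the kind:microsoftteams property to leave out ordinary email, then waits for both and prints the item statistics.

```powershell
# Added example; the search names, description and keyword are hypothetical.
# Requires the ExchangeOnlineManagement module and eDiscovery search permissions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                      # interactive sign-in to Security & Compliance PowerShell

$keyword = '"Project Falcon"'            # hypothetical project name, quoted as a phrase

$searches = @(
    # Same scope as the walk through: every mailbox and every SharePoint site.
    # Matches email and non-Teams files as well as Teams content.
    @{
        Name               = 'ProjectFalcon-AllLocations'
        Description        = 'Content related to the new project'
        ExchangeLocation   = 'All'
        SharePointLocation = 'All'
        ContentMatchQuery  = $keyword
    },
    # Mailbox-only search restricted to Teams items (chats, meetings and calls),
    # so ordinary email that mentions the keyword is not returned.
    @{
        Name              = 'ProjectFalcon-TeamsMessages'
        Description       = 'Teams chat and channel messages only'
        ExchangeLocation  = 'All'
        ContentMatchQuery = "$keyword AND kind:microsoftteams"
    }
)

foreach ($s in $searches) {
    New-ComplianceSearch @s | Out-Null
    Start-ComplianceSearch -Identity $s.Name
}

# Poll each search (for up to 30 minutes) and report the statistics shown in the portal.
foreach ($s in $searches) {
    $deadline = (Get-Date).AddMinutes(30)
    do {
        Start-Sleep -Seconds 30
        $r = Get-ComplianceSearch -Identity $s.Name
    } while ($r.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

    [pscustomobject]@{
        Name           = $r.Name
        Status         = $r.Status
        Items          = $r.Items
        SizeBytes      = $r.Size
        UnindexedItems = $r.UnindexedItems
    }
}
```

Comparing the item counts of the two searches shows how much of the all-locations result is non-Teams content.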

Further Reading

Updates from Microsoft Ignite (Nov 2021) on governing data in Microsoft Teams:

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-information-governance-new-ways-to-govern-your-data-in/ba-p/2815238?WT.mc_id=M365-MVP-5004583

https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery?WT.mc_id=M365-MVP-5004583

https://docs.microsoft.com/en-us/microsoftteams/ediscovery-investigation – overview?WT.mc_id=M365-MVP-5004583

https://docs.microsoft.com/en-us/microsoftteams/location-of-data-in-teams?WT.mc_id=M365-MVP-5004583

https://docs.microsoft.com/microsoft-365/compliance/export-search-results?view=o365-worldwide&WT.mc_id=M365-MVP-5004583

https://docs.microsoft.com/en-us/microsoft-365/compliance/configure-edge-to-export-search-results?view=o365-worldwide&WT.mc_id=M365-MVP-5004583