Finding content in Microsoft Teams in eDiscovery (preview)
This article provides a comprehensive set of procedures, guidelines, and best practices for using eDiscovery (preview) to preserve, collect, review, and export content from Microsoft Teams. The goal of this article is to help you optimize your eDiscovery search for Teams content.
A prerequisite to managing Teams content in eDiscovery is to understand the type of Teams content that you can collect, process, and review in eDiscovery and where that content is stored in Microsoft 365. Teams data is stored in Azure Cosmos DB. Teams compliance records captured by the substrate are in Exchange Online and are available for eDiscovery. The data stored in Exchange Online is hidden from clients. eDiscovery never operates against the real Teams message data, which remains in Azure Cosmos DB.
The following table lists Teams content type and where each is stored for compliance purposes.
Teams category | Description | Chat messages/posts location | Files/attachments location | Meeting recordings location |
---|---|---|---|---|
Teams 1:1 chats | Chat messages, posts, and attachments shared in a Teams conversation between two people. Teams 1:1 chats are also called conversations. | Messages in 1:1 chats are stored in the Exchange Online mailbox of all chat participants. | Files shared in a 1:1 chat are stored in the OneDrive account of the person who shared the file. | N/A |
Teams group chats | Chat messages, posts, and attachments shared in a Teams conversation between three or more people. Also called 1:N chats or group conversations. | Messages in group chats are stored in the Exchange Online mailbox of all chat participants. | Files shared in group chats are stored in the OneDrive account of the person who shared the file. | N/A |
Teams reactions | Reactions applied to chat messages, posts, and attachments in a Teams conversation. | Messages in group chats are stored in the Exchange Online mailbox of all chat participants. | Files shared in group chats are stored in the OneDrive account of the person who shared the file. | N/A |
Teams channels | Chat messages, posts, replies, and attachments shared in a standard Teams channel. | All channel messages and posts are stored in the Exchange Online mailbox associated with the team. | Files shared in a channel are stored in the SharePoint site associated with the team. | N/A |
Teams meetings | Audio and transcripts from recorded Teams meetings. | Chats in recorded meetings are stored in the OneDrive account for the user recording the Teams meeting. | Files and attachments shared in recorded meetings are stored in the OneDrive account for the user recording the Teams meeting. | Meeting recordings are stored in the OneDrive account for the user recording the Teams meeting. |
Private channels | Message posts, replies, and attachments shared in a private Teams channel. | Messages sent in a private channel are stored in the Exchange Online mailboxes of all members of the private channel. | Files shared in a private channel are stored in a dedicated SharePoint site associated with the private channel. | N/A |
Shared channels | Message posts, replies, and attachments shared in a shared Teams channel. | Messages sent in a shared channel are stored in a system mailbox associated with the shared channel.<sup>1</sup> | Files shared in a shared channel are stored in a dedicated SharePoint site associated with the shared channel. | N/A |
Note
<sup>1</sup> To search for (and preserve) messages sent in a shared channel, you have to search or specify the Exchange Online mailbox for the parent Team.
All Microsoft Teams 1:1 or group chats are journaled through to the respective users' mailboxes. All standard channel messages are journaled through to the group mailbox representing the team. Files uploaded in standard channels are covered under the eDiscovery functionality for SharePoint Online and OneDrive.
eDiscovery of messages and files in private channels works differently than in standard channels. To learn more, see eDiscovery of private channels.
Recorded Teams meetings are stored in the OneDrive account of the user recording the meeting. Additionally, attendee identification information when using the Hide Attendee Names functionality for Teams meetings is stored in the user mailbox of the meeting organizer.
Not all Teams content is eDiscoverable. The following table shows the Teams content types that you can search for using Microsoft eDiscovery tools:
Content type | Notes |
---|---|
Audio recordings | Audio calls between Teams users and external contacts |
Card content | See Search for card content for more information. |
Chat links | |
Chat messages | This includes content in standard Teams channels, 1:1 chats, 1:N group chats, chats with yourself, and chats with guests. |
Code snippets | |
Edited messages | If the user is on hold, previous versions of edited messages are also preserved. |
Emojis, GIFs, and stickers | |
Inline images | |
Loop components | Content in a loop component is saved in a .fluid file that's stored in the OneDrive account of the user who sends the loop component. That means you have to include OneDrive as a data source when searching for content in loop components. |
Meeting IM conversations | |
Meeting metadata<sup>1</sup> | |
Meeting recordings and transcripts | Transcripts of the meeting audio are extracted and provided as a separate file. Maximum supported recorded meeting .mp4 file size is 350 MB. If the recorded meeting file size is greater than 350 MB, a processing error occurs and the file is available for download. |
Name of channel | |
Quotes | Quoted content is searchable. However, search results don't indicate that the content was quoted. |
Reactions (such as likes, hearts, and other reactions) | Reactions are supported for all commercial customers after June 1, 2022. Reactions before this date aren't available for eDiscovery. Expanded reactions are now supported. To understand reaction history, the content must be on legal hold. |
Subject | |
Tables | |
Teams Video Clip (TVC) | Search TVC with "Video-Clip" keyword and "save as" a .mp4 file for each TVC attachment by right-clicking the preview. TVCs are collected as Teams conversation attachments (if smaller than 200 MB) and separate .mp4 files. TVC file data is discoverable in eDiscovery review sets and can be exported. Preview of video clips isn't currently supported. |
<sup>1</sup> Meeting (and call) metadata includes the following:
- Meeting start and end time, and duration
- Meeting join and leave events for each participant
- VOIP joins/calls
- Federated user joins
- Guest joins
Important
Anonymous users joining meetings and calls aren't currently supported in eDiscovery search queries.
Microsoft Teams data appears as IM or Conversations in the Excel eDiscovery export output. You can open the `.pst` file in Outlook to view those messages after you export them.
When viewing the .pst file for the team, all conversations are located in the Team Chat folder under Conversation History. The title of the message contains the team name and channel name.
Private chats in a user's mailbox are stored in the Team Chat folder under Conversation History.
Compliance copies of messages in private and shared channels are sent to different mailboxes depending on the channel type. That means you have to search different mailbox locations based on the type of channel a user is a member of.
- Private channels: Compliance copies are sent to the mailboxes of all members of the private channel. That means you have to search the user mailboxes when searching for content in private channel messages.
- Shared channels: Compliance copies are sent to a system mailbox that's associated with the parent team. Because Teams doesn't support an eDiscovery search of a single system mailbox for a shared channel, you have to search the mailbox for the parent team (by selecting the name of the Team mailbox) when searching for message content in shared channels.
Each private and shared channel has its own SharePoint site that's separate from the parent team site. That means files in private and shared channels are stored in their own site and managed independently of the parent team, so you must identify and search the specific site associated with a channel when searching for content in files and channel message attachments.
Use the following sections to help identify the private or shared channel to include in your eDiscovery search.
Use the procedure in this section to identify members of a private channel so that you can use eDiscovery tools to search the member's mailbox for content in private channel messages.
Before you perform these steps, make sure you have the latest version of the Teams PowerShell module installed.
1. Run the following command to get the group ID of the team that contains the private channels you want to search.
   ```powershell
   Get-Team -DisplayName <display name of the parent team>
   ```
   Tip
   Run the Get-Team cmdlet without any parameters to display a list of all Teams in your organization. The list contains the group Id and DisplayName for every team.
2. Run the following command to get a list of private channels in the parent team. Use the group ID for the team that you obtained in step 1.
   ```powershell
   Get-TeamChannel -GroupId <parent team GroupId> -MembershipType Private
   ```
3. Run the following command to get a list of private channel owners and members for a specific private channel.
   ```powershell
   Get-TeamChannelUser -GroupId <parent team GroupId> -DisplayName "<private channel display name>"
   ```
4. Include the mailboxes of owners and members of a private channel as part of your eDiscovery search query.
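The private channel steps above as one script that covers every private channel in a team. This is an added example, not part of the original article; it assumes `Connect-MicrosoftTeams` and `Connect-IPPSSession` have already been run, and the team name and search name are hypothetical placeholders.

```powershell
# Added example: collect the mailboxes of all private channel owners and members
# in one team, then scope a content search to those mailboxes.
$teamName   = 'Contoso Legal'                      # hypothetical team display name
$searchName = 'Contoso Legal - private channels'   # hypothetical search name

# Step 1: display names are not unique, so insist on exactly one match.
$team = @(Get-Team -DisplayName $teamName)
if ($team.Count -ne 1) {
    throw "Expected exactly one team named '$teamName', found $($team.Count)."
}
$groupId = $team[0].GroupId

# Step 2: list the private channels in the parent team.
$channels = @(Get-TeamChannel -GroupId $groupId -MembershipType Private)
if ($channels.Count -eq 0) {
    throw "Team '$teamName' has no private channels."
}

# Step 3: owners and members of each private channel, tagged with the channel name.
$members = foreach ($channel in $channels) {
    Get-TeamChannelUser -GroupId $groupId -DisplayName $channel.DisplayName |
        Select-Object @{ n = 'Channel'; e = { $channel.DisplayName } }, User, Name, Role
}
$members | Sort-Object Channel, Role | Format-Table -AutoSize

# Step 4: one person is often in several channels, so de-duplicate before
# passing the addresses to the search as Exchange locations.
$mailboxes = @($members.User | Where-Object { $_ } | Sort-Object -Unique)
if ($mailboxes.Count -eq 0) {
    throw 'No channel members were returned; nothing to search.'
}

# kind:microsoftteams is the search condition the article gives for Teams items.
# Guests can be private channel members, so tolerate locations without a mailbox.
New-ComplianceSearch -Name $searchName -ExchangeLocation $mailboxes `
    -ContentMatchQuery 'kind:microsoftteams' `
    -AllowNotFoundExchangeLocationsEnabled $true
```

Files and attachments from the same channels are not covered by this search, because each private channel keeps them in its own SharePoint site.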
You can use eDiscovery tools to search for Teams content related to guests in your organization. Teams chat content that's associated with a guest is preserved in a cloud-based storage location and can be searched for using eDiscovery. This includes searching for content in 1:1 and 1:N chat conversations in which a guest is a participant with other users in your organization. You can also search for private channel messages in which a guest is a participant and search for content in guest:guest chat conversations where the only participants are guests.
To search for content for guests:
1. Connect to Microsoft Graph PowerShell. For more information, see the Microsoft Graph PowerShell overview. Be sure to complete Step 1 and Step 2 in the previous article.
2. After you successfully connect to Microsoft Graph PowerShell, run the following command to display the user principal name (UPN) for all guests in your organization. You have to use the UPN of the guest when you create the search in step 4.
   ```powershell
   # -All is a switch parameter in Microsoft Graph PowerShell and takes no value.
   Get-MgUser -Filter "userType eq 'Guest'" -All | Format-List UserPrincipalName
   ```
   Tip
   Instead of displaying a list of user principal names on the computer screen, you can redirect the output of the command to a text file. You can do this by appending `> filename.txt` to the previous command. The text file with the user principal names is saved to the current folder.
3. In a different Windows PowerShell window, connect to Security & Compliance PowerShell. For instructions, see Connect to Security & Compliance PowerShell. You can connect with or without using multifactor authentication.
4. Create a search query that searches for all content (such as chat messages and email messages) in which the specified guest was a participant by running the following command.
   ```powershell
   New-ComplianceSearch <search name> -ExchangeLocation <guest UPN> -AllowNotFoundExchangeLocationsEnabled $true -IncludeUserAppContent $true
   ```
   For example, to search for content associated with the guest Sara Davis, you would run the following command.
   ```powershell
   New-ComplianceSearch "Sara Davis Guest" -ExchangeLocation "sara.davis_hotmail.com#EXT#@contoso.onmicrosoft.com" -AllowNotFoundExchangeLocationsEnabled $true -IncludeUserAppContent $true
   ```
   For more information about using PowerShell to create searches, see New-ComplianceSearch.
5. Run the following command to start the search that you created in step 4:
   ```powershell
   Start-ComplianceSearch <search name>
   ```
6. Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned eDiscovery permissions.
7. Select the eDiscovery solution card and then select Cases (preview) in the left nav.
8. Select a case.
9. In the list of searches on the Searches tab, select the search that you created in step 4 to display the flyout page.
10. On the flyout page, you can do the following things:
    - Select Sample to view the search results and preview the content.
    - Next to the Query field, select Edit to edit and then rerun the search. For example, you can add a search query to narrow the results.
    - Select Export to export and download the search results.
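The PowerShell part of the guest procedure above as one script that also waits for the search to finish and reports what it found. This is an added example, not part of the original article; it assumes `Connect-MgGraph` and `Connect-IPPSSession` have already been run in the same session, and the 30-minute limit and search naming scheme are arbitrary choices.

```powershell
# Added example: resolve one guest, create and start a search for that guest's
# content, then poll until the search completes.
# The UPN prefix is taken from the Sara Davis sample in the article.
$guestPrefix = 'sara.davis_hotmail.com#EXT#'

# Resolve the guest from the directory rather than typing the full UPN by hand.
$guest = @(Get-MgUser -Filter "userType eq 'Guest'" -All |
    Where-Object { $_.UserPrincipalName -like "$guestPrefix*" })
if ($guest.Count -ne 1) {
    throw "Expected exactly one guest matching '$guestPrefix', found $($guest.Count)."
}
$upn  = $guest[0].UserPrincipalName
$name = "Guest - $($guest[0].DisplayName)"

# Create the search only if a search with this name does not already exist.
if (-not (Get-ComplianceSearch | Where-Object Name -eq $name)) {
    New-ComplianceSearch -Name $name -ExchangeLocation $upn `
        -AllowNotFoundExchangeLocationsEnabled $true `
        -IncludeUserAppContent $true | Out-Null
}
Start-ComplianceSearch -Identity $name

# Poll the search status; stop waiting after 30 minutes.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $name
    Write-Host "$(Get-Date -Format T)  $($search.Status)"
} while ($search.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

if ($search.Status -ne 'Completed') {
    throw "Search '$name' did not complete in time (status: $($search.Status))."
}

# Item count and size show whether anything was found before you open the
# search in the Purview portal to sample or export results.
$search | Format-List Name, Status, Items, Size, ExchangeLocation
```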
Card content generated by apps in Teams channels, 1:1 chats, and 1xN chats is stored in mailboxes and can be searched. A card is a UI container for short pieces of content. Cards can have multiple properties and attachments, and can include items that trigger card actions. For more information, see Cards.
Like other Teams content, where card content is stored is based on where the card was used. Content for cards used in a Teams channel is stored in the Teams group mailbox. Card content for 1:1 and 1xN chats is stored in the mailboxes of the chat participants.
To search for card content, you can use the `kind:microsoftteams` or `itemclass:IPM.SkypeTeams.Message` search conditions. When reviewing search results, card content generated by bots in a Teams channel has the Sender/Author email property as `<appname>@teams.microsoft.com`, where `appname` is the name of the app that generated the card content. If card content was generated by a user, the value of Sender/Author identifies the user.
When viewing card content in search results, the content appears as an attachment to the message. The attachment is named `appname.html`, where `appname` is the name of the app that generated the card content.
Note
To display images from card content in search results at this time (such as the checkmarks in the previous screenshot), you have to be signed into Teams (at https://teams.microsoft.com) in a different tab in the same browser session that you use to view the search results. Otherwise, image placeholders are displayed.
Admins can search for Teams meeting content based on the meeting start or end dates. To filter review set items by specific Teams meeting dates, you can use the Meeting start date and Meeting end date properties in eDiscovery (preview) search tools.
The Hide Attendee Names feature in Microsoft Teams hides the names of attendees from other attendees so only organizers can see attendee names. This feature may be used for meetings or events with external businesses, vendors, confidential meetings, or other meetings where personal privacy between attendees is important. When this feature is enabled, the names of attendees are hidden in the meeting roster, meeting chat, and meeting recordings.
To search for the names of attendees in Teams meetings where the Hide Attendee Names feature was enabled, you must include the organizer's mailbox in the scope for the search. Hidden attendee names are only available in the organizer's mailbox.
Admins can use eDiscovery to search for content in chat messages in a Teams meeting in external access and guest access environments based on the following restrictions:
- External access: In a Teams meeting with users from your organization and users from an external organization where external attendees are using external access, admins in both organizations can search for content in chat messages from the meeting.
- Guest: In a Teams meeting with users from your organization and guests, only admins in the organization who hosts the Teams meeting can search for content in chat messages from the meeting.