The beginner’s guide to Microsoft Teams eDiscovery

Introduction: The beginner’s guide to Microsoft Teams eDiscovery

Welcome to our Beginner’s Guide to Microsoft Teams eDiscovery — where we’ll cover everything you need to know about eDiscovery for Microsoft Teams, the communication and collaboration tool dominating the enterprise workforce. From calls and chats to seamless collaboration on Microsoft apps, Teams allows organizations of scale to work in a unified way. In 2020, Teams usage surged from 40 million daily active users at the outset of the pandemic to a whopping 145 million daily active users just a year later. It seems there is no limit to the platform’s growth, making in-house legal, IT, and compliance professionals uneasy at the thought of a runaway data train. 

Needless to say, Microsoft Teams eDiscovery has become a hot topic in the legal tech space. From retention and compliance to security and privacy, there’s a lot to learn about this multifaceted tool. In this guide, we’ll break down:

  • Microsoft Teams Basic Features 
  • Where is Microsoft Teams data stored? 
  • Data Retention for Microsoft Teams 
  • Understanding Microsoft’s Security and Compliance Center 
  • Native Features and Limitations in Compliance Center 
  • Microsoft Teams eDiscovery Plan 

By the end, you’ll have a clear picture of what your options are for Microsoft Teams eDiscovery and be able to find a path that works best for you.

Microsoft Teams basic features

Before we get into Microsoft Teams eDiscovery, it’s important to understand what Teams is and how it works. Although most widely known for its chat capabilities, Teams also offers video conferencing, calls, and seamless collaboration with familiar Microsoft apps Excel and Sharepoint. For companies already using Microsoft 365, Teams is usually the go-to choice as it seamlessly integrates with the full suite of products. Not to mention, it offers connections to third-party apps for companies with a more diverse tech stack. 

Now that we know what Teams does, let’s break down its basic features. It’s important to take note of how your team interacts with each of these features to understand what information may be relevant for Microsoft Teams eDiscovery.

Chats

MS Teams’ chat is central to keeping coworkers connected. With the click of a button, you can send a quick note, attach a file, embed a link, @mention someone, start a thread, or even react with an emoji to communicate quickly and efficiently. Whether you need to speak with someone one-on-one or in a group, the chat functionality allows you to do both with direct messages, group chats, and channel conversations. 

The chat functionality also has a search feature to help you track down previous conversations by user, keyword, and types of messages, such as unread messages, likes, @mention messages, and replies. You can also save messages you may need to refer back to later. Although you can’t delete messages you’ve sent that are in threads in channels, you can edit or delete messages you’ve sent individually if given permission by the Teams admin or owner.

chat-messages_microsoft-teams-ediscovery

Note: Microsoft Teams admins can set different messaging policies to control users’ chat abilities. These abilities range from simple features like the ability to preview links and turn on read receipts, to more strict features like the ability to edit or delete messages. These controls can be set org-wide or customized for individual users, groups of users, or channels of users. Your messaging policy can play a critical part in Microsoft Teams eDiscovery, so we’ll get into best practices for configuration later on.

Calling

Teams also enables cloud-based calling features, such as one-on-one calls, audio conferencing, call transfers, and cloud voicemail. To get this feature, you’ll need Microsoft 365’s Business Voice Add-On for fewer than 300 users, or Microsoft’s premium purchasing option, the E5 plan for more than 300 users.

Once enabled, you can make a call from Teams itself, Outlook, or any PC, Mac, or mobile device. You can enhance the experience with full video or screen sharing as well. Teams’ seamless integration with the Microsoft 365 environment also makes it easy to sort through your contact list and call directly from Outlook. The beauty of this calling system is its compatibility with any device and from any location — making it a popular solution for remote teams that are already using Microsoft 365.

Note: You must have the E5 Plan and a phone system to enable audio conferencing. Microsoft Teams and Business Voice only work when your users’ mailboxes are located in Microsoft 365. They do not support mailboxes located on an on-premises Exchange Server.

Meetings

Similar to its calling features, Teams also offers a video conferencing feature called Meetings. From one-on-one meetings to company-wide meetings, Teams enables you to connect face-to-face with any number of people. Teams Meetings are enhanced with features like screen sharing, meeting recordings, transcriptions, meeting chats, digital white boarding, live captioning, and customizable backgrounds. In addition to regular video conferencing, Microsoft offers live and on-demand virtual event solutions for up to 10,000 participants. This is ideal for large company meetings or virtual conferences and webinars. 

video-conferencing_microsoft-teams-ediscovery
Via Microsoft

Note: Similar to its messaging policies for chat, Teams offers custom meeting policies. This is an important setting to be aware of as you may want to allow or disallow meeting recordings and transcriptions for Microsoft Teams eDiscovery purposes.

Collaboration

Last but certainly not least, Teams acts as a collaboration hub for today’s most popular productivity and collaboration apps. Not only is Teams integrated with the Microsoft 365 stack, but admins can also approve the use of apps outside of Microsoft called connectors. Regardless of what apps you use and where your content lives, Teams sits at the intersection of it all. From PowerPoint and OneDrive for Business to Dropbox and Box, you can access shared calendars, projects, folders, files, and more. Whether you’re collaborating with a colleague on a powerpoint or sharing the final draft of a Word document with your team, you can work on items in real time without ever having to leave your Teams dashboard.

Where is Microsoft Teams data stored?

Between all the functionalities we just covered, you might be wondering, “Where is Microsoft Teams data stored?” Although the question might be simple, the answer is quite complex. The storage location of Teams data is dependent on the functionality and data type, but let’s start with the basics.

Azure

You’ve probably heard of Azure — Microsoft’s cloud platform that allows users to build and run applications on-premise, in the cloud, or across hybrid models. Like most Microsoft apps, it’s also the core platform that Teams is built on. According to Microsoft, 95% of Fortune 500 companies use it, earning the trust of some of the most regulated industries, such as government, healthcare, and financial services. With these facts in mind, plus its top-notch security, Azure stands as a solid bedrock for Teams data.

Understanding Azure is important for Microsoft Teams eDiscovery because the Teams application uses Azure storage to create what’s called the “Teams substrate.” Think of the Teams substrate as an underlying storage layer that brings together the data flows of all the different apps and services that make up Teams (i.e., collaboration apps, chat, video, voice). The ability to search for what you need, protect your data, and maintain information governance and eDiscovery are a lot harder when you’re dealing with multiple parts, so the Teams substrate ensures these services’ data flows and storage run cohesively. Below is a visual that demonstrates this flow:

teams-substrate_microsoft-teams-ediscovery

Within this substrate, you’ll notice that Teams data is stored within different Microsoft apps. We’ll get into those next.

Location by data type

Understanding where data is stored in each app is not only crucial for Microsoft Teams eDiscovery, but also privacy, security, and compliance. Below, we’ve outlined exactly where Teams data types that may be relevant for eDiscovery can be found:

data-type-locations_microsoft-teams-ediscovery
Chat 

One-to-one chat – Teams stores a copy of all private messages in a hidden folder within each user’s Exchange mailbox. This folder can only be accessed by admins. Private messages are also stored in the underlying Azure-powered chat service indefinitely.

Group chats – Exactly like one-on-one chats, Teams stores a copy of all group chat conversations in a hidden folder within each user’s Exchange mailbox. This folder can only be accessed by admins. Group chat conversations are also stored in the underlying Azure-powered chat service indefinitely.

Files shared in one-on-one and group chats – Teams stores these files in each user’s OneDrive for Business account in a folder labeled “Microsoft Teams Chat Files.”

Teams Channel

Channel messages – Teams stores a copy of channel messages in hidden folders in group Exchange mailboxes. Channel messages are also stored in the underlying Azure-powered chat service indefinitely.

Files or images in channel messages – Teams stores a copy of files or images in channel messages in Sharepoint. The Sharepoint site will have a folder called Documents, with a folder for each Teams channel.

Wiki Wiki data is stored in a SharePoint document library called “Teams Wiki Data.” Each channel has a folder inside the library, and each wiki page is stored as an .mht file inside the channel folder.

Connector conversation posts – Teams can show files from any connector or third-party integration in channel conversations. Storage of these files occurs in the applications themselves and do not reside anywhere in Teams.

Video

Meeting chats and files shared in meeting chat – Meeting chats are stored in the OneDrive for Business account of the user who shares the file. 

Note: If you’re using Microsoft Exchange on-premises, you may not have access to some of this data as it is stored differently. We recommend speaking to your Microsoft rep about Exchange Online for the full Teams experience.

You can find more information on where Microsoft Teams data is located here

Data retention for Microsoft Teams

Knowing where Microsoft Teams data is stored is useful, but it’s only part of the big picture. It’s also important to know what data can be retained, and how long for, before you can successfully conduct Microsoft Teams eDiscovery. In this section, we’ll dive into the retention settings/admins controls for Teams chats and channel messages.

Teams Chats and Channel Messages

Teams chats and channel messages are perhaps the most critical pieces of data for Microsoft Teams eDiscovery. If preserved strategically, Teams chats and channel messages can provide the context needed to meet future eDiscovery needs. Before you set a retention policy in Teams, here are some key things to consider:

data-retention-microsoft-teams-ediscovery

When setting a retention policy for Teams chats and/or channel messages, you can choose from the following rules:

  • Retain Teams chats and/or channel messages for a specific duration of time then do nothing
  • Retain Teams chats and/or channel messages for a specific duration of time then delete the data
  • Delete Teams chats and/or channel messages for a specific duration of time
message-deletions_microsoft-teams-ediscovery

When choosing which rules to apply, consider how extensively your company uses Teams. For many, especially those operating in remote or hybrid models, Teams tends to be the central hub for all collaboration and communication. This means that content you may normally retain or delete for legal investigations or regulatory compliance in other Microsoft apps can also be tampered with in Teams.

It’s also good to think about the nature of channels versus private chats. Channels tend to be home to standard project-management content; however, the teams using them could still be sharing sensitive information. Private chats also tend to be more of a liability in future litigation and investigations as there’s an unknown element of risk. For these reasons, you may want to assign different retention settings for every team, user, or channel.

To set a retention policy in Teams, you’ll need admin access in Compliance Center. To create, edit, or delete a retention policy for chats and channel messages, follow these steps. For more information on where data goes and what triggers retention policies for Teams chats and channel messages, see here.

Note: Even though chats and channel messages are stored in Exchange mailboxes, Exchange retention policies will not apply to this data. Only retention policies set in Microsoft Teams locations will be effective.

In addition to the above retention settings in Compliance Center, you can also set messaging policies in the Microsoft Teams admin center. Admins can use messaging policies to control which chat and channel messaging features are available to users. To see the full list of settings you can configure, see here. Otherwise, here are the settings we believe are most relevant for Microsoft Teams eDiscovery.

  • Let owners delete messages that users send in the chat
  • Let users delete messages they’ve already sent in the chat
  • Let users edit messages they’ve already sent in the chat.
  • The ability to use Gifs and add a content rating of unrestricted, moderate restrictions, or strict adult content
  • The ability to use memes
  • The ability to use stickers
  • The ability to create audio messages. Note: These cannot be captured with eDiscovery tools

What about retention for the other Microsoft 365 apps?

As we know, the Teams interface is the sum of many parts: Exchange Mailbox for groups and users, OneDrive for Business, and Sharepoint. All of these apps need their own retention configurations separate from Teams. To learn how to set a retention policy for apps other than Teams, check out this article

Understanding Microsoft Security and Compliance Center

We can’t cover how to properly retain and capture Teams data without talking about Microsoft Office and Microsoft 365 Security and Compliance Center. Compliance Center is Microsoft’s workspace for risk management, security, information governance, auditing, and of course, Microsoft Teams eDiscovery. With Compliance Center, your team has the necessary tools to meet legal, regulatory, and organizational requirements within Microsoft products. Whether that means setting a retention policy or managing user access privileges, Compliance Center has a variety of solutions to help. 

Even though all Microsoft 365 licenses come with Compliance Center, the E5 license has the most robust features for Microsoft Teams eDiscovery. Microsoft 365’s E5 license is the highest-tier option, at an annual commitment of $57 per user/month. For organizations on the E3 licenses, this is a significant jump from $32 per user/month for a viable discovery function. Below is a side-by-side comparison of each plan’s Compliance Center eDiscovery features. If you’re curious about the overall comparison, see here

ediscovery-plans_microsoft-teams-ediscovery

Looking at the chart above, it’s not hard to see the stark differences between the E3 and the E5 plan. It might seem as though the only way to get viable security, compliance, and governance features is to upgrade. However, Microsoft does offer the following add-ons as alternatives:

  • E5 eDiscovery and Audit Add-On ($6 user/month)
  • E5 Compliance Add-On ($12 user/month)
  • Move to E5 ($35 user/month)

From a Microsoft Teams eDiscovery perspective, the E5 license has the most Advanced eDiscovery features. Before we get into what you get with different licenses, let’s first dive into what you get with each eDiscovery tool:

Content Search Content Search is the most basic tool for Microsoft Teams eDiscovery. It allows you to run searches and preview search results and stats. With Content Search, you can search by keywords, customizable queries, or specific locations (apps). Although narrowing down your search to a per app dataset seems ideal, it’s not effective for Microsoft Teams eDiscovery as Teams’ data is also stored in other apps. For this reason, if you use Content Search you have to specify the mailbox, Sharepoint site, and OneDrive Business account associated with your teams, which can be a hassle. Beyond this, there are a number of search, indexing, and export limitations when using Content Search that may block eDiscovery efforts. To conduct a content search, follow these steps. For information on more robust eDiscovery options, keep reading.

Core eDiscoveryCore eDiscovery picks up where Content Search leaves off with features that move further along the Electronic Discovery Reference Model (EDRM). With Core eDiscovery, eDiscovery managers and Admins can create cases for allocated users to collaborate on, run detailed searches, create legal holds, and export search results.

Larger organizations should be aware of a few Core eDiscovery limitations:

  • Only 10,000 case holds can be created in an organization
  • Only 1,000 mailboxes can be placed in a single case hold  
  • Only 1,000 SharePoint and OneDrive sites can be placed in a single case hold 
  • Only 1,000 cases will be displayed on the core eDiscovery home page
  • Only 1,000 items displayed on Holds, Searches, and Export tabs within a case
compliance-center_microsoft-teams-ediscovery

Advanced eDiscovery Advanced eDiscovery is Microsoft’s end-to-end eDiscovery workflow that lives in Compliance Center. This eDiscovery tool is the full package out of all of Microsoft’s offerings. It’s ideal for teams that deal with multiple active litigations and strict retention, and/or want to level up their information governance efforts. 

With Advanced eDiscovery, legal teams can collaborate on cases throughout the entire EDRM cycle. Advanced eDiscovery allows you to preserve and collect as much or as little data from custodians as you’d like. For example, for each custodian, you can choose which apps to collect from, which groups or channels they’re a part of (if any) to collect from, and any sites they’ve interacted with. Advanced eDiscovery also enables legal holds. Outside of this, Advanced eDiscovery includes machine learning-driven indexing capabilities that are best for organizing large, unstructured data sets, and flexible exports that can include metadata, native files, text files, and redacted documents. To get started with Advanced eDiscovery, follow these steps.

Note: To learn how to conduct a Microsoft Teams eDiscovery investigation using any of these tools, follow these steps.

Native features and limitations for Microsoft Teams eDiscovery

Now that you understand what each eDiscovery tool entails, let’s take a look at what your eDiscovery options are with each license. As mentioned before, at the very minimum you’ll need a Microsoft E3 plan to gain access to Compliance Center eDiscovery capabilities. If your Microsoft Teams users are on-premises, however, you’ll need to fill out a request to search across chats. Once approved, you’ll be able to leverage Content Search only in Compliance Center. Below is a breakdown of the enterprise licenses that have the most extensive Microsoft Teams eDiscovery capabilities, as well as overall limitations.

ediscovery-features-by-plan_microsoft-teams-ediscovery
limitations-by-license_microsoft-teams-ediscovery

With these eDiscovery capabilities and limitations in mind, regardless of which enterprise plan you have, one thing’s for certain — Microsoft Teams eDiscovery is a complex process. The good news? There are steps you can take to start creating an effective long-term eDiscovery plan today. 

Microsoft Teams eDiscovery Plan 

Now that you have plenty of Microsoft Teams eDiscovery knowledge under your belt, it’s time to come up with a plan of action. Whether you’ve already taken some kind of initiative or are just starting out, we believe each of these steps is crucial to implementing a successful Microsoft Teams eDiscovery plan. We understand that no organization or legal team is the same, so we made sure that this is an adaptive guide to fit your unique needs.

  1. Understand your needs


As obvious as it may seem, the first step in launching a successful Microsoft Teams eDiscovery plan is understanding your needs. Ask yourself questions like:

assess-your-needs_microsoft-teams-ediscovery

By asking yourself these questions, you can get a better idea of how to prioritize your efforts. Take a look at the scope of your goals: do you need the full security, compliance, eDiscovery package? Are you simply trying to maintain retention and search of a specific channel’s messages? Or are you just plain tired of dealing with the limitations of Content Search? Regardless of your reasons, you should be able to preserve relevant data, find what you need, understand context for review, and export those results. 

2. Reevaluate your license

Once you understand your needs, you should weigh them against your current Microsoft Teams eDiscovery capabilities. If you find that your needs exceed what your current license can do, it might be time to either a) upgrade your license b) tack on a necessary add-on or c) find a third-party eDiscovery solution that can help.  For example, if you’re a company of more than 300 remote workers, have seen increased usage in Microsoft Teams and other MS apps, and are working with an E3 license, it might make sense to upgrade your licensing to E5. However, if you’re a smaller company that’s just onboarded Microsoft Teams, but doesn’t typically use other Microsoft apps, you may just opt for the add-ons or a third-party solution. 

Bottom line — whatever your needs, your Teams data should be accessible, useful, and private. If you’re not confident that this is the case, weigh your needs against each license to find the plan that best suits your Microsoft Teams eDiscovery goals.

3. Establish a company Teams policy

After you’ve aligned your needs with your Microsoft license, it’s time to put it all in writing. A good place to start is creating a company “Teams policy” — guidelines that detail the people, processes, and technology that drive the successful use, governance, and discovery of Microsoft Teams data. Although Teams policies may look different depending on company size, needs, and maturity, here are some basics to consider:

  • Outlining who should receive which user roles and configuring permissions accordingly
  • Optimizing your admin roles and user permissions for compliance and security
  • Identifying which data types are relevant to retain/delete and why
  • Putting controls/restrictions in place around user behavior and explaining why
  • Identifying the limitations you currently face and how you plan on filling those gaps in the future

Although there is no one-size-fits-all approach, a well-documented policy can help streamline communication between teams, help you spot and avoid risk, and allow you to constantly iterate and improve on your processes for Microsoft Teams eDiscovery.

4. Make a long-term eDiscovery and preservation plan

Between retention, legal hold, archiving, and search, there are so many critical elements that go into successful eDiscovery, and the way Microsoft is currently architected doesn’t allow easy visibility into it all. From unreliable indexing and search, to fragmented retention policies, to a challenging user experience, Compliance Center may be able to get the job done well enough, but “well enough” doesn’t cut it in the long run.

The truth is that Microsoft Teams is only one fish in a big sea of communication and collaboration apps. Apps that will continue to proliferate, become adopted, and create data that will need controls of their own. Microsoft Teams then, is really a microcosm of a much larger eDiscovery challenge that enterprises face today. In the same way that you worry about the preservation, retention, and discovery of data in Microsoft Teams, will be multiplied by the hundreds of other apps you use. Centralization seems to be the only path to control, and the nuts and bolts of Compliance Center are not centralized.

Thus, we believe the best way to maintain visibility and control over all of your data (alongside optimizing your policies and processes) is by implementing an eDiscovery solution that centralizes data from not only Teams, but any new app that comes your way. Maybe today you’re searching for something quick to put out a fire, but down the line, you may wish you had chosen a sustainable solution to make your information accessible, useful, and private.

About Onna for Microsoft Teams

With Onna, organizations that use Microsoft Teams can centralize their eDiscovery efforts by integrating not only Teams, but also all of their other cloud applications in one place. Not only does this provide exceptional eDiscovery capabilities for Teams users, but also Teams users that double as Google Workspace users, Zoom or Slack users, and more.

Onna’s open API integrates directly with Microsoft Teams to simultaneously collect and process all available data in real-time. Consistently collect, process, search, and investigate data from Microsoft and other third-party apps, find information faster with a centralized store of search-ready data, separate primary and archive data stores to mitigate risk of loss and corruption, and get powerful yet simple to use tools for more efficient workflows.

Ready to see our Microsoft Teams connector in action? Reach out!