Teams Chat Messages Can Hold Lots of Important Content
Recently, I have written about the choice between shared mailboxes and inactive mailboxes to preserve email content and some of the PII issues that can arise when users gain access to the OneDrive for Business accounts belonging to other people. Both scenarios are related to dealing with the information accumulated in Microsoft 365 by people who leave the organization for one reason or another.
Mailboxes and OneDrive for Business accounts hold information created by their owners for many workloads, like Loop components, Teams meeting recordings, and whiteboards. But one thing they don’t hold is the user’s Teams chat messages. Given the widespread use of Teams by 320 million Microsoft 365 users, there is a fair chance that some important business information exists in chats that ex-employees participated in. Neither the Microsoft 365 admin center nor the Teams admin center includes an option to preserve chats during the account removal process. The question therefore is how to access chats to recover any information required by the business.
Cosmos DB, Compliance Records, and Exchange Mailboxes
Teams chat messages are “owned” by all the participants in a chat. In other words, the departure of one participant from a chat does not remove the chat messages from the Teams messaging database stored in Azure Cosmos DB. Deletion of messages only occurs after the last participant leaves the chat.
When an administrator removes an ex-employee’s account, Teams notes the fact and removes any chat messages the user had sole access to, such as messages in the Chat with Self or chats where all other participants have left (shown as ‘Just me’ in the chats list). Removal isn’t immediate and doesn’t happen until Entra ID permanently removes the user account after the 30-day grace period allowed for recovery.
If a Teams retention policy is in force, it doesn’t affect the items stored in Cosmos DB. Instead, retention processing works against the compliance records captured by the Microsoft 365 substrate for Teams chats and stored in the hidden TeamsMessagesData folder in the user’s mailbox. Compliance records are captured in the user’s mailbox for every interaction in a chat, including those from other participants in the conversation. Compliance messages are also captured for channel conversations and are stored in the TeamsMessagesData folder of the group mailbox used by the team.
People commonly mistake the storage of compliance messages to mean that Teams stores its messages in Exchange Online mailboxes. This is incorrect. The compliance items held in Exchange Online are incomplete copies of the “real” messages captured to allow Purview compliance solutions to process Teams content. For example, Communication Compliance policies examine compliance records to find violations of organizational policies.
Using Compliance Records
If the account comes within the scope of a Teams retention policy, Purview retains the compliance records stored in the Exchange Online mailbox until the hold lapses. While the hold exists, it’s possible to run content searches against the user’s mailbox to:
- Look for references to keywords that might identify important corporate information. For instance, references to project code names.
- Find all Teams chat messages in the mailbox and export the data to a PST for examination by the compliance team or an external expert. The PST could remain under the control of the compliance team after the hold lapses on a “just in case” basis.
To export the compliance records for Teams chat messages, create a new content search. Limit the search to just the target user’s mailbox and use the kind:MicrosoftTeams keyword. Figure 1 shows the sample review for a search of compliance records stored in my mailbox.
I’ve used Teams since its preview in November 2016. As shown in Figure 1, compliance records dating back to at least September 2018 are in the mailbox. According to the search statistics, the search found 24,103 items. Fewer items would be present if a retention policy to govern Teams chat messages (and Copilot for Microsoft 365 interactions) was active.
Although a content search will find and export all the compliance records for Teams chat messages, the difficulty is that a separate compliance record exists for each message in a thread. Chats can be very busy with many interjections occurring over a short period. The result is that finding relevant records of any importance can take a lot of effort. Purview advanced eDiscovery can assemble Teams threads if searching for specific keywords and that can be helpful to understand the context and flow of a conversation.
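The content searches described above can also be created from Security & Compliance PowerShell. The following is an added example, not code from the original article; the mailbox address and project code name are placeholders, and it assumes the ExchangeOnlineManagement module, an account holding an eDiscovery role, and a mailbox that is still searchable.

```powershell
# Added example. Placeholders: replace with the departed user's mailbox and a real keyword.
$Mailbox  = 'ex.employee@contoso.example'
$CodeName = 'Project Placeholder'
$Timeout  = (Get-Date).AddMinutes(30)     # stop polling after 30 minutes

Connect-IPPSSession

# One search for every Teams compliance record, one narrowed to a keyword.
$Searches = @(
    @{ Name = "Teams chats - $Mailbox - all"
       Query = 'kind:MicrosoftTeams' }
    @{ Name = "Teams chats - $Mailbox - keyword"
       Query = "kind:MicrosoftTeams AND `"$CodeName`"" }
)

foreach ($S in $Searches) {
    # Scope each search to the single target mailbox only.
    New-ComplianceSearch -Name $S.Name -ExchangeLocation $Mailbox `
        -ContentMatchQuery $S.Query | Out-Null
    Start-ComplianceSearch -Identity $S.Name
}

# Poll until each search completes, then report what it found.
$Report = foreach ($S in $Searches) {
    do {
        Start-Sleep -Seconds 15
        $Result = Get-ComplianceSearch -Identity $S.Name
    } while ($Result.Status -ne 'Completed' -and (Get-Date) -lt $Timeout)

    [PSCustomObject]@{
        Search    = $Result.Name
        Status    = $Result.Status
        Query     = $Result.ContentMatchQuery
        Items     = $Result.Items
        SizeMB    = [math]::Round($Result.Size / 1MB, 2)
        Unindexed = $Result.UnindexedItems
    }
}

$Report | Format-Table -AutoSize
```

Comparing the item counts of the two searches gives a quick sense of how much of the mailbox's Teams compliance data is relevant before anything is exported for review.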
The Focus on OneDrive Overlooks Teams
It takes time before organizations realize the need to preserve different information. In one way, Microsoft has made it easy to retain the information associated with ex-employees by using OneDrive for Business as the de facto standard for personal information storage within Microsoft 365. Between OneDrive for Business and Exchange Online, it seemed like all the information that could possibly be wanted was accessible. Even though Teams compliance records are in Exchange Online, I suspect that the compliance data for chats are overlooked when accounts are deleted. I could be wrong, but I might be right.