Teams Chat Messages Can Hold Lots of Important Content

Recently, I have written about the choice between shared mailboxes and inactive mailboxes to preserve email content and some of the PII issues that can arise when users gain access to the OneDrive for Business accounts belonging to other people. Both scenarios are related to dealing with the information accumulated in Microsoft 365 by people who leave the organization for one reason or another.

Mailboxes and OneDrive for Business accounts hold information created by their owners for many workloads, like Loop components, Teams meeting recordings, and whiteboards. But one thing they don’t hold is the user’s Teams chat messages. Given the widespread use of Teams by 320 million Microsoft 365 users, a fair chance exists that some important business information exists in chats participated in by ex-employees. Neither the Microsoft 365 admin center nor the Teams admin center includes an option to preserve chats during the account removal process. The question therefore is how to access chats to recover any information required by the business.

Cosmos DB, Compliance Records, and Exchange Mailboxes

Teams chat messages are “owned” by all the participants in a chat. In other words, the departure of one participant from a chat does not remove the chat messages from the Teams messaging database stored in Azure Cosmos DB. Deletion of messages only occurs after the last participant leaves the chat.

When an administrator removes an ex-employee’s account, Teams notes the fact and removes any chat messages the user had sole access to such as messages in the Chat with Self or chats where all other participants have left (shown as ‘Just me’ in the chats list). Removal isn’t immediate and doesn’t happen until Entra ID permanently removes the user account after the 30-day grace period allowed for recovery.

If a Teams retention policy is in force, it doesn’t affect the items stored in Cosmos DB. Instead, retention processing works against the compliance records captured by the Microsoft 365 substrate for Teams chats and stored in the hidden TeamsMessagesData folder in the user’s mailbox. Compliance records are captured in the user’s mailbox for every interaction in a chat, including those from other participants in the conversation. Compliance messages are also captured for channel conversations and are stored in the TeamsMessageData folder of the group mailbox used by the team.

People commonly mistake the storage of compliance messages to mean that Teams stores its messages in Exchange Online mailboxes. This is incorrect. The compliance items held in Exchange Online are incomplete copies of the “real” messages captured to allow Purview compliance solutions to process Teams content. For example, Communication Compliance policies examine compliance records to find violations of organizational policies.

Using Compliance Records

If the account comes within the scope of a Teams retention policy, Purview retains the compliance records stored in the Exchange Online mailbox until the hold lapses. While the hold exists, it’s possible to run a content search against the mailbox to find compliance records. This then creates the possibility of running content searches against the user’s mailbox to:

• Look for references to keywords that might identify important corporate information. For instance, references to project code names.
• Find all Teams chat messages in the mailbox and export the data to a PST for examination by the compliance team or an external expert. The PST could remain under the control of the compliance team after the hold lapses on a “just in case” basis.

To export the compliance records for Teams chat messages, create a new content search. Limit the search to just the target user’s mailbox and use the kind:MicrosoftTeams keyword. Figure 1 shows the sample review for a search of compliance records stored in my mailbox.

I’ve used Teams since its preview in November 2016. As shown in Figure 1, compliance records dating back to at least September 2018 are in the mailbox. According to the search statistics, the search found 24,103 items. Fewer items would be present if a retention policy to govern Teams chat messages (and Copilot for Microsoft 365 interactions) was active.

Although a content search will find and export all the compliance records for Teams chat messages, the difficulty is that a separate compliance record exists for each message in a thread. Chats can be very busy with many interjections occurring over a short period. The result is that finding relevant records of any importance can take a lot of effort. Purview advanced eDiscovery can assemble Teams threads if searching for specific keywords and that can be helpful to understand the context and flow of a conversation.

The Focus on OneDrive Overlooks Teams

It takes time before organizations realize the need to preserve different information. In one way, Microsoft has made it easy to retain the information associated with ex-employees by using OneDrive for Business as the de facto standard for personal information storage within Microsoft 365. Between OneDrive for Business and Exchange Online, it seemed like all the information that could possibly be wanted was accessible. Even though Teams compliance records are in Exchange Online, I suspect that the compliance data for chats are overlooked when accounts are deleted. I could be wrong, but I might be right.

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Compliance through Sensitivity Labels, Audit Events, and Compliance Records

Now that the fuss around the general availability of Microsoft 365 Copilot (November 1) is fading, organizations face the harsh reality of deciding whether to invest a minimum of $108,000 (300 Copilot licenses for a year) to test the effectiveness of an AI-based digital assistant is worthwhile. Before deploying any software, companies usually have a checklist to validate that the software is suitable for their users. The checklist might contain entries such as:

• Training available and suitable for users and administrators.
• Requisite software (like Outlook Monarch) and licenses in place.
• Users to receive licenses are identified.
• Success factors quantified and documented.
• Support for compliance technology available.

In MC686593 (updated 6 November, 2023), Microsoft addresses the last point by laying out how Purview compliance solutions support the deployment of Microsoft 365 Copilot. Rollout of the capabilities are due between now and mid-December 2023.

Sensitivity Labels Stop Microsoft 365 Copilot Using Content

Microsoft 365 Copilot depends on an abundance of user information stored in Microsoft 365 repositories like SharePoint Online and Exchange Online. With information to set context and provide the source for answering user prompts, Copilot cannot work. The possibility that Copilot might include sensitive information in its output is real, and it’s good to know that Copilot respects the protection afforded by sensitivity labels. The rule is that if a sensitivity label applied to an item allows a user at least read access, its content is available to Copilot to use when responding to prompts from that user. If the label blocks access, Copilot can’t use the item’s content.

Audit Events Record Microsoft 365 Copilot Interactions

Recent changes in the Microsoft 365 unified audit log and the surrounding ecosystem have not been good. The Search-UnifiedAuditLog cmdlet doesn’t work as it once did, a factor that might impact the way organizations extract audit data for storage in their preferred SIEM. Some will not like the removal of the classic audit search from the Purview compliance portal in favor of the asynchronous background search feature. Both changes seem to be an attempt by Microsoft to reduce the resources consumed by audit searches. This tactic is perfectly acceptable if communicated to customers. The problem is the deafening silence from Microsoft.

On a positive note, the audit log will capture events for Copilot prompts from users and the responses generated by Copilot in a new Interacted with Copilot category. These events can be searched for and analyzed using the normal audit retrieval facilities.

Compliance Records for Microsoft 365 Copilot

The Microsoft 365 substrate captures Copilot prompts and responses and stores this information as compliance records in user mailboxes, just like the substrate captures compliance records for Teams chats. Microsoft 365 retention policies for Teams chats have been expanded to process the Copilot records. If you already have a policy set up for Teams chat, it processes Copilot records too (Figure 2).

Although it’s easier for Microsoft to combine processing for Teams chats and Copilot interactions, I can see some problems. For example, some organizations like to have very short retention periods for Teams chat messages (one day is the minimum). Will the same retention period work for Copilot interactions? It would obviously be better if separate policies processed the different data types. Perhaps this will happen in the future.

Because the substrate captures Copilot interactions, the interactions are available for analysis by Communication Compliance policies. It should therefore be possible to discover if someone is using Copilot in an objectionable manner.

Block and Tackle Support for Microsoft 365 Copilot

None of this is earthshattering. SharePoint Online stores protected documents in clear to support indexing, but it would be silly if Microsoft 365 Copilot could use protected documents in its response. Gathering audit events treats Copilot like all the other workloads, and compliance records make sure that eDiscovery investigations can include Copilot interactions in their work. However, it’s nice that Microsoft has done the work to make sure that organizations can mark the compliance item on deployment checklists as complete.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

New Mission, New Teams Meeting Q and A app, New Functionality

On August 23, Microsoft announced that the Viva Engage app is rolling out to Teams users to replace the older Yammer Communities app. In July, I noted that Microsoft planned to make Yammer the cornerstone of Viva Engage and wondered if this would prove to be Yammer’s real niche within Microsoft 365. We still don’t know if this will be the case, but it’s good to see progress.

Microsoft’s announcement says “For nearly ten years, Yammer has been a leader in employee engagement. Now we are delivering these superpowers into the Microsoft Viva platform, to empower people and teams to be their best, have a voice, and feel included in the workplace.” Apart from the gratuitous use of “superpowers” (which software never possesses), the interesting thing here is the rebranding of Yammer to employee engagement. I guess it’s another way of describing enterprise social networking, the original Yammer mission, but to me it confirms that Microsoft is seeking to give Yammer a new role.

Seamless Switch to Viva Engage

In any case, as Microsoft promised, switching in Viva Engage to replace Yammer communities was seamless. My tenant has custom branding for the Yammer communities app and the existence of a different name and logo didn’t interfere with the replacement. Right now, there’s not much difference between the two apps (Figure 1), but I’m sure we’ll see the Viva Engage app evolve over time. According to Microsoft, the switchover process should be complete worldwide by the end of September.

Yammer and Teams Meeting Q&A

On July 19, Microsoft announced that the Q&A feature for Teams Meetings is generally available. What people might not realize is that Yammer powers the Q&A capability within a meeting. Q&A is an app added to a meeting when the meeting organizer updates the meeting settings to enable the feature (Figure 2).

Within the meeting, launching the Q&A app allows meeting participants to ask and respond to questions, including the ability to react to questions and comments and to mark the best response (Figure 3). Anyone accustomed to working with Yammer will recognize the “inclusive” icons used for reactions, which is one hint about the app’s source.

Some will like the way that the Q&A app gives a structure to questions and responses. Others will consider this overkill and point to the way that meeting chat can serve the same purpose, albeit without the ability to mark the best response. The point here is that no one forces meeting organizers to add Q&A. It’s an app and like any other app that supports meetings, Q&A is optional.

Q&A and Compliance

Being interested in compliance, I wondered if Yammer captured the text in the questions and comments for compliance purposes. Some poking around in mailboxes using the MFCMAPI record reveals that the Microsoft 365 substrate creates compliance records (mail items) for questions and responses in the Yammer folder, just like regular messages posted to Yammer communities. Figure 4 shows the content captured for a response posted to the Q&A app (the same message as shown in Figure 3).

It’s important to underline that the compliance records captured by the Microsoft 365 substrate are mail items that contain enough information for eDiscovery and other compliance purposes (like monitoring by communications compliance policies). They are not perfect copies of the original messages. For instance, if you run a content search to find these items and download one (the items do not support previewing), you’ll get an Outlook message. Figure 5 shows an example of an item marked as the best response in a thread. You can see the text of the comment and then an odd representation of “best response.”

Compliance records do not capture user reactions.

Yammer = Employee Engagement

Going forward, I think the debate about Yammer’s position in Microsoft 365 and its competition with Teams will terminate. The focus now seems firmly set on employee engagement, and we’re likely to see some verbal gymnastics to bring the Yammer browser client under that heading soon. Making use of Yammer capabilities in apps that can be plugged into the Teams framework makes sense too, even if Teams is in danger of becoming flooded by apps. I guess choice is goodness.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Communications Compliance Gains Yammer Support

The advent of support for Yammer conversations in Microsoft 365 Communications Compliance policies created some questions about how monitoring works and if Yammer compliance records served any role. The answer is simple:

• A Yammer network can’t support communications compliance unless it is configured in native Microsoft 365 mode. This step connects Yammer communities with Microsoft 365 groups.
• When in Microsoft 365 mode, the Microsoft 365 substrate captures compliance records for Yammer conversations. The compliance records are mail items stored in the Exchange Online mailbox for the Microsoft 365 group belonging to the community. Compliance records for private Yammer conversations are in the Exchange Online mailboxes for conversation participants.
• Communications compliance policies monitor compliance records to look for problematic content such as threatening behavior. If policies detect issues, investigators work with copies of compliance records stored in special supervision mailboxes to resolve whatever is found.

All of this sounds very familiar because it’s exactly the same approach used by Teams. The only difference is that Teams stores its compliance records in a folder called TeamsMessagesData while Yammer uses one called MessageIngestion\Yammer. Both folders are in the non-IPM section of mailboxes and are invisible to users.

Indeed, in early 2021, Microsoft announced that Planner would adopt the same substrate-driven approach to achieve compliance. However, they have since taken that idea off the table.

eDiscovery

The compliance records for Yammer are mail items. Like the compliance records captured for Teams, the Yammer compliance records are not perfect copies of the messages posted to Yammer communities or privately between users. However, the items are good enough for compliance purposes, and because they’re stored in Exchange Online, the items are indexed and discoverable.

Yammer messages come in several types, including:

• Praise.
• Questions.
• Announcements.
• Polls.
• Discussion.

In addition, the messages can include GIFs, graphics, and reactions.

To discover what content is captured and discoverable, I posted a range of message types to a Yammer community and in private messages. I then ran a content search to find the messages (Figure 1). You’ll notice that the mail items the substrate creates for Yammer compliance records do not support preview. Also, Praise messages don’t have subjects or titles, which accounts for the message with No subject in the sample set.

By definition, the preview sample retrieved by a content search (or in Core eDiscovery) is not every message that a search can find. The full set is only recovered by exporting search results. To examine the items, you can export the results to a PST (or a PST per mailbox) and open the PST in Outlook. Figure 2 shows a Yammer message with a GIF as displayed by Outlook.

You can see that the search found items in the Yammer folder as expected. Some also came from the SubstrateHolds subfolder in Recoverable Items. For some reason, these items stored Yammer poll messages.

Reactions are the only major missing element for Yammer compliance records. This isn’t surprising because the same issue exists for Teams.

Because the compliance records are in Exchange Online mailboxes, you can examine their properties and content with the MFCMAPI utility. Figure 3 shows the compliance record for a Yammer private message as viewed in MFCMAPI. The message is a single line of text surrounded by a bunch of HTML that doesn’t seem to do a lot.

Tracking Yammer Community Activity

Early versions of the Teams and Groups Activity Report used the Get-ExoMailboxFolderStatistics cmdlet to check the presence of compliance records in group mailboxes to understand the activity level of teams and groups. Although the latest version of the script sped up processing by using Graph API calls instead, the cmdlet is still a good way to check the Microsoft 365 Groups used by Yammer communities for activity.

The code needed is straightforward. First, find the set of groups used by Yammer. Next, use Get-ExoMailboxStatistics to fetch the folder data. Finally, report the data after calculating how long it’s been since someone posted to the community. Here’s the basic code:

[array]$YammerGroups = Get-UnifiedGroup -ResultSize Unlimited |?{$_.GroupSku -eq "Yammer"}

If (!($YammerGroups)) {Write-Host "No Microsoft 365 Groups found for Yammer -exiting"; break}

$YammerData = [System.Collections.Generic.List[Object]]::new()
ForEach ($Group in $YammerGroups) {
  Write-Host "Processing" $Group.DisplayName
  $Folder = (Get-ExoMailboxFolderStatistics -Identity $Group.ExternalDirectoryObjectId -Folderscope NonIPMRoot -IncludeOldestAndNewestItems | ?{$_.FolderType -eq "Yammer"})
  If ($Folder.NewestItemReceivedDate) {
    $TimeSincePost = New-TimeSpan ($Folder.NewestItemReceivedDate)
    $FormattedTime = "{0:dd}d:{0:hh}h:{0:mm}m" -f $TimeSincePost }
  Else { 
      $FormattedTime = "N/A" }
  $ReportLine = [PSCustomObject][Ordered]@{  
     DisplayName = $Group.DisplayName
     Items       = $Folder.ItemsInFolder
     NewestItem  = $Folder.NewestItemReceivedDate
     TimeSincePost = $FormattedTime }
  $YammerData.Add($ReportLine)
} # End For
     
$YammerData | Sort Items -Descending | Out-GridView

The script is available for download in the Office 365 for IT Pros GitHub repository.

Figure 4 shows the community statistics generated from the compliance records in my tenant. Obviously, Yammer doesn’t get much usage, but the data is sufficient to prove the point.

Only Modern Yammer

Remember that Yammer (or rather, the Microsoft 365 substrate) generates compliance records only when networks run in native Microsoft 365 mode. This is now the default for new tenants who’ve never used Yammer before. For older tenants still using traditional Yammer, some work needs to be done before they can enjoy the useful compliance records.

Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.