eDiscovery against Microsoft Teams

Blog post: 1 minute read

In this post, I’ll talk about eDiscovery in Office 365 specifically as it relates to content stored for a Microsoft Team. There are a few key things to consider when doing your search to ensure you are catching everything you should be.

Refer to this link for How to manage an eDiscovery case in the Office 365 Security & Compliance Center.

Here are the components of a Microsoft Team you must ensure are being included in an eDiscovery search:

  • Team mailbox – includes conversations across channels
  • Team SharePoint site – includes documents and wiki content
  • Team members’ personal mailboxes
  • Team members’ personal OneDrive for Business sites

You might be asking why you would be required to also search a team member’s personal mailbox and OneDrive for Business site. Let me explain.

As you would expect, conversations part of a Microsoft Team’s channel are stored in the Team’s mailbox. Any files shared in conversations that are part of a Microsoft Team’s channel are stored in the associated SharePoint site. Due to this, you must specify both the Team mailbox(primary SMTP address) and Team SharePoint site URL when performing an eDiscovery search.

To get the Team mailbox address and SharePoint site URL:

[code language=”powershell” light=”true”]
Get-UnifiedGroup "<Team name>" | FL DisplayName,Alias,PrimarySmtpAddress,SharePointSiteUrl
[/code]


However, conversations that are part of the Chat list in a Microsoft Team are stored in the personal mailbox of the user who participated in the chat. Additionally, any files shared in the chat are stored in the user’s OneDrive for Business site. Due to this, you should also include the Microsoft Team member’s mailbox and OneDrive for Business site in an eDiscovery search to ensure you are catching all content that may have been initiated from a Microsoft Team.

To get a list of a Microsoft Team’s members:

[code language=”powershell” light=”true”]
Get-UnifiedGroupLinks "<Team name>" -LinkType Members | FL DisplayName,PrimarySmtpAddress
[/code]

Use this list to see the Team members’ mailboxes and then you can derive the OneDrive for Business sites you should also be including.

Thanks for reading.

-JCK


Photo by Markus Petritz on Unsplash

Leave a Reply