Recently, I spoke with a customer who’d adopted Microsoft Teams and was now in need of a solution for running frequent compliance searches against a set of keywords contained in Teams 1:1 conversations. From there, they wanted the ability to place the matching content on hold and then review and export the results.  Since they were licensed for Core eDiscovery as part of their Microsoft 365 E3 subscription, I knew with certainty that this task could be accomplished.

*Note: It is assumed that if you are reading this article, you understand what eDiscovery is and the differences between Core and Advanced eDiscovery. 

Teams compliance records

Before we get to Core eDiscovery however, we should examine how Teams compliance records are captured. Many compliance admins will probably not know (nor care) how the process works, they just want it to work so they can successfully search for content they need to review or export.  But for those who like to look under the hood, here’s a snapshot of what happens:

  • A message is posted to Teams (either 1:1 or channel conversation).
  • The Microsoft 365 substrate captures the message and creates a copy as an Exchange mail item.
  • Compliance records for 1:1 chats are copied to user mailboxes.
  • Compliance records for channel messages are copied to group mailboxes.

This means that compliance searches will never operate against the “actual” Teams message data which resides in Azure Cosmos DB.  Such searches will be run against the indexes populated by Exchange Online, and search results also include content from hybrid, guest, and federated users.  

However, it is incorrect to refer to this process as journaling. Due to some differences between Teams messages and Exchange mail items, a slightly imperfect copy of the data is placed into an Exchange mailbox as a result of the actions taken by the substrate.  For example, reactions are not yet covered, however, this is included on the Microsoft 365 roadmap.

Back to Core eDiscovery

That wasn’t why the customer called though, so let’s talk more about Core eDiscovery and how it can facilitate my customer’s request.  To achieve the required outcome with Core eDiscovery, we must conduct content searches that target copies of Teams conversations captured as an Exchange mail item by the Microsoft 365 substrate.  Once the anticipated search results are returned, we then place the searched locations on hold and export the results to review in an Excel sheet.

So, sounds like we’ve provided a solution therefore the job is done, right? Unfortunately, it isn’t. My customer also wants to review the results of the content search, as well as the full original conversation threads, instead of individual item results.  Welcome to Advanced eDiscovery.

READ MORE: Microsoft Makes Teams Multi-Geo and a New Core Workload.

Advanced eDiscovery

With Advanced eDiscovery we can take things up a notch, deriving the required outputs of a content search with Conversation threading, a feature included in Advanced eDiscovery collections. 

If you haven’t used Advanced eDiscovery for a while, you may be wondering what ‘collections’ are. As of March 2021, Microsoft rolled out an update to Microsoft 365 tenants where the ‘Search’ tab in an Advanced eDiscovery case is now renamed ‘Collections,’ and this is where you configure a ‘New Collection’ made up of custodians, locations, and conditions:

How Advanced eDiscovery Finds and Displays Microsoft Teams Conversations
Figure 1: The updated ‘New collection’ experience.

The ‘New Collection’ wizard guides you through configuring parameters for your Advanced eDiscovery case. The penultimate section of the wizard is named ‘Save draft or collect.’  In this section, you add collected items to a new or existing review set.  Under ‘Additional collection settings,’ you’ll want to select ‘Collect contextual Teams and Yammer messages around your search results’:

How Advanced eDiscovery Finds and Displays Microsoft Teams Conversations
Figure 2: Review set results showing Teams conversation.

Now that we’ve identified the entire original conversation threads in question, would you say Advanced eDiscovery ticks all the required boxes for my customer?  Let’s review our proposed course of action for the customer:

  • Create an Advanced eDiscovery case.
  • Create and apply holds to preserve the content.
  • Create a search within a new collection, and execute against compliance content indexed in Exchange Online and extracted from the Microsoft 365 substrate.
  • Search results from the collection are then returned, placed in a review set within the context of full conversations rather than the individual items.
  • Export the review set to an Excel sheet for further examination.

Yes, this is exactly what my customer needs, Advanced eDiscovery for the win!  Now while this is certainly good news, it does beg the question – Is Advanced eDiscovery worth the ticket price, and is it the only way in which one can achieve conversation reconstruction?

Is Advanced eDiscovery worth it?

Well, most people find this answer frustrating, but in the world of Microsoft 365 it’s something we live every day, and “it just depends.” It depends because the answer is subjective and will vary amongst admins and across organizations. I tell all my customers who are just starting on their Microsoft 365 journey that essentially, they have purchased a box of Legos, and what they build with it and which bricks they use depends on what they’re trying to achieve. Yes, I’ve used the “d” word again, but it is the correct answer. 

Regarding the customer I reference in this article, they checked every box and were perfect candidates for the Advanced eDiscovery brick.  The cost is justified by the regularity with which they need to perform the searches and the fact that they need to view fully reconstructed conversations. 

Could they achieve the same results using Core eDiscovery?  If they tailored their searches effectively and sifted through the non-contextual results, they could probably accomplish the same task with enough time and determination.  Nonetheless, this approach would be very similar to taping together a document from a box of shredding – It may be worth the time if you only need to do it once. If the need to perform this type of task becomes more frequent, then I highly recommend purchasing an Advanced eDiscovery license in the most cost-effective way for your organization.

Summary

When it comes to eDiscovery and which solution is right for your organization, “you get what you pay for.” Microsoft 365 services are no different – you’re either willing to pay for them or you aren’t.  Some organizations will not need or want to pay for Advanced eDiscovery, while others will find it an essential purchase.  Regardless of which camp your organization resides in, Microsoft empowers customers with the flexibility to choose the right eDiscovery tool that best suits your needs.

About the Author

Peter Rising

Peter Rising is a Microsoft MVP in Office apps and services, and a Microsoft Certified Trainer (MCT). He has worked for several IT solutions providers and private organizations in a variety of technical roles focusing on Microsoft technologies. Since 2014, Peter has specialized in the Microsoft 365 platform. He holds a number of Microsoft certifications, including MCSE: Productivity; MCSA: Office 365; Microsoft 365 Certified: Enterprise Administrator Expert; Microsoft 365: Security Administrator Associate; and Microsoft 365 Certified: Teams Administrator Associate. He is also the author of two books, which are exam guides for Microsoft certifications. You can contact him directly on Twitter: @M365Rising

Leave a Reply