Modern collaboration has profoundly changed the way we connect with and perceive our world, from the way we communicate to the way we interpret what we receive. The first and foremost issue with this digital transformation is that it has generated a tsunami of data. According to IDC, the world is expected to produce and replicate 163 ZB of data in 2025, ten times more than in 2016.
Traditionally, organizations used documents and email to communicate. Today, they’re also handling instant messages, text messages, video files, images, and DIO (Digital Input/Output) files. On top of this data explosion, IoT (Internet of Things) devices will add still more.
It is imperative to protect information not only to maintain trust but also to ensure compliance with internal and external regulations. As people work in new ways and create and share data across boundaries, protecting data has become more challenging.
While cloud services and mobility have improved productivity and collaboration, it has also become essential to secure and monitor that data. As well as protecting sensitive information on-premises, customers now need to protect it across devices, SaaS applications, and cloud services.
Because it consumes so many cloud services drawn from across Microsoft 365, Teams is a great example of a collaboration application that reflects the new way of working. As such, tenant administrators need to understand how to manage the data their users generate.
Retention Policies in Microsoft Teams
Microsoft 365 includes powerful retention capabilities that allow organizations to define what data they want to keep or delete. For Teams, you can create a retention policy to retain data from chats and channel messages, and then delete these messages after a defined period. Retention processing uses the creation date of messages to determine when to delete data.
When users post messages to a chat or channel conversation, the Microsoft 365 substrate captures a compliance record for the message and stores it in Exchange Online. For chats, the compliance records are in the user mailboxes of all chat participants. For channel messages, the compliance records go into the group mailbox belonging to the team which owns the channel. Like all items stored in Exchange Online, the compliance records are indexed and available for eDiscovery.
Teams compliance records stored in Exchange Online are basic copies of the actual message data. For instance, not everything (like voice memos and reactions) posted to Teams is included in compliance records. Storage for the actual Teams messages is in Azure Cosmos DB.
When a retention policy processes Teams messages, the compliance items are permanently deleted from the Exchange mailboxes, and the removal operation is synchronized to Teams so that it is applied to the Cosmos DB storage as well.
Organizations can create separate retention policies for personal chats and channel messages. A separate policy is needed to process messages from Teams’ private channels. Additionally, you can set up policies based on specific users or teams. You can, for example, apply a one-year deletion policy to specific teams in your organization and a three-year deletion policy to all other teams.
Retention periods can be as short as 24 hours for both chat and channel messages. However, upon testing the 24-hour retention, we found that it can take from 72 hours to 1 week before chat and channel messages are deleted.
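To show the chat/channel split and the one-year versus three-year example above as actual configuration, here is an added example in Security & Compliance PowerShell (not code from the original article). Team addresses and policy names are constructed placeholders, and it assumes the ExchangeOnlineManagement module is installed and an admin account is available to sign in.

```powershell
# Added example: two channel-message deletion policies (1 year for named teams,
# 3 years for all other teams) plus a separate chat policy, as described above.
# Team addresses and policy names are constructed placeholders.

# Requires the ExchangeOnlineManagement module; prompts for an admin sign-in.
Connect-IPPSSession

# Constructed placeholders: group mailbox addresses of the teams that need
# the shorter period.
$shortRetentionTeams = @('finance-team@contoso.example', 'hr-team@contoso.example')

# Policy 1: one-year deletion, scoped to the specified teams only.
New-RetentionCompliancePolicy -Name 'Teams Channel - 1 Year Delete (Selected Teams)' `
    -TeamsChannelLocation $shortRetentionTeams

New-RetentionComplianceRule -Name 'Teams Channel - 1 Year Delete Rule' `
    -Policy 'Teams Channel - 1 Year Delete (Selected Teams)' `
    -RetentionDuration 365 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Delete

# Policy 2: three-year deletion for every other team. Excluding the named
# teams avoids overlap; where policies do overlap, an explicit inclusion
# takes precedence over an "All" location anyway.
New-RetentionCompliancePolicy -Name 'Teams Channel - 3 Year Delete (All Teams)' `
    -TeamsChannelLocation All `
    -TeamsChannelLocationException $shortRetentionTeams

New-RetentionComplianceRule -Name 'Teams Channel - 3 Year Delete Rule' `
    -Policy 'Teams Channel - 3 Year Delete (All Teams)' `
    -RetentionDuration 1095 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Delete

# Chats are a separate location (private channels are another, not shown).
New-RetentionCompliancePolicy -Name 'Teams Chat - 3 Year Delete' `
    -TeamsChatLocation All

New-RetentionComplianceRule -Name 'Teams Chat - 3 Year Delete Rule' `
    -Policy 'Teams Chat - 3 Year Delete' `
    -RetentionDuration 1095 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Delete

# Verify: DistributionStatus shows whether each policy has reached its
# locations yet; actual deletion lags further, as noted above.
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Name -like 'Teams *' } |
    Select-Object Name, Enabled, Mode, DistributionStatus
```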
As far as users are concerned, they simply see that messages have been deleted by the retention policy. The replies under a channel post remain if they are still within their retention period.
Why apply retention to Teams Chat and Channel Messages?
During customer workshops, I found that ensuring the timely deletion of personally identifiable information is one of the most pressing concerns when considering Teams chat and channel messages. The reason is that being out of compliance carries some substantial consequences:
- Loss of trust – This is the number one scare for most organizations. If customers do not trust you with their data, they will not do business with you. Being compliant with applicable regulations and standards is becoming the basis for doing business. “If you are not complying with the rules, we don’t even talk.”
- Reputational damage – If a breach happens, your name will be in the news, and it will damage reputations and diminish trust. No organization wants to be known or remembered for the breach that occurred and the data they lost.
- Fines – These can be very significant and could substantially impact the ability to do business.
As a result, many organizations feel like they cannot risk allowing personal content to be accidentally retained, so they use Retention Policies to apply very short-term automated deletion to all their Teams chats and channels.
Finding the balance
As you can imagine, some organizations want to act with caution and reduce risk by setting a very short retention period of a few days or weeks, but that is not recommended. Chat messages are meant to be persistent, so that users can search and scroll back to find what they need.
Additionally, chat is an artifact of a Teams meeting, along with the recording, transcript, whiteboard, notes, and more. It would create a poor end-user experience for users to have to re-ask for information they previously shared if retention policies with short retention periods remove chats and channel messages. This will make it impossible for customers to find the information they need. There also doesn’t seem to be any compliance regulation that would require such a short retention period for any type of data; it’s more likely legal advice.
Instead, organizations should look at the compliance regulations they currently adhere to for Personally Identifiable Information. For example, under GDPR, it is recommended that PII data can be kept from three to 10 years depending on the type of data and the reason for keeping it.
Knowing the types of sensitive data commonly stored in Teams will help put a flexible, end-user-friendly policy in place. Microsoft 365 offers tools to help search for sensitive data such as the Content Explorer, available in Microsoft 365 E5. The Content Explorer will search for any data based on Sensitive Information Types so you can see where your sensitive data is being shared and stored.
It is also worth looking into other Microsoft 365 E5 Compliance tools such as Data Loss Prevention, to prevent users from sharing PII in a Teams chat or channel message and steer them toward more appropriate methods. The same goal can be supported by educating end users to avoid sharing sensitive information in this way.
If an eDiscovery hold requires Teams chat and channel messages to be retained, the retention policy's deletion is not applied to that content, and the data will still be kept.
Governance and Compliance can be a complex subject and while this article is just focused on Teams Retention, it is recommended that organizations have a plan in place for records management across Microsoft 365 and their on-premises environments to ensure they are compliant.