Teams Now Captures Compliance Records for Hybrid and Guest Users


Capturing Compliance Data Since January

Neatly aligned with the need for better compliance mandated by GDPR, Microsoft announced on June 1 that they have been collecting compliance records for messages sent by on-premises users in personal chats since January 31, 2018. Microsoft says that they are working to create compliance records for chats before this date but cannot commit to when this data might be available.

Filling a Gap

Capturing these conversations fills a big gap in the Teams compliance story. Before this, if someone with an on-premises Exchange mailbox participated in a personal chat, Teams did not capture copies of their messages. On-premises users do not have cloud mailboxes, and the mechanism used by Teams to capture compliance records relied on the ability to store compliance records in the hidden Team Chat folder in mailboxes.

The problem is obvious when you think that two on-premises users could have had a personal conversation in Teams without leaving a trace of what they discussed. That’s not a desirable situation in a world when the ability to enforce compliance is demanded for regulatory or legal reasons.

Channel conversations never had the same problem because Office 365 captures compliance records for these conversations in the group mailbox of the team that owns the channel.

Only for Synchronized On-Premises Mailboxes

Starting last January, Microsoft provisioned special “phantom” mailboxes inside Office 365 for enterprise tenants (those with E1, E3, or E5 licenses) for on-premises mailboxes whose accounts are synchronized to Azure Active Directory with AADConnect. The on-premises mailboxes are part of a hybrid Exchange configuration where some objects stay on-premises and some are in the cloud.

Compliance for Guest Users Too

Microsoft uses the same solution to capture compliance records for messages sent by guest users in private conversations.

The provisioning process to create phantom mailboxes for hybrid and guest users happened automatically to make sure that chat data is now available to search across all the Office 365 datacenter regions supported by Teams.

The phantom mailboxes, otherwise called “cloud-based mailbox for on-premises users,” have a single “Team Chat” folder to store the compliance records. Office 365 creates the phantom mailboxes in the same datacenter region as the tenant.

Note: From October 6, 2020, Microsoft changed the storage location for Teams compliance records. See this page for more information.

Unavailable to Office 365 Management Tools

You cannot log onto these mailboxes or manage them through the normal Office 365 management interfaces, including PowerShell. However, because Exchange Online knows about these mailboxes, their content is indexed and discoverable, which then means that content searches can find the compliance records, including the searches used by eDiscovery cases and GDPR Data Subject Requests (DSRs).

Enabling a Special GUI

Although the collection of compliance records happens in the background, some work is needed to expose those records to a tenant so that they appear in the Security and Compliance Center. Microsoft says that a tenant must submit a support request called “Enable Application Content Search for On-premises Users” together with the tenant name, default domain, and the tenant identifier, a unique GUID. You can find the identifier in the Azure Active Directory portal, or with PowerShell by running the Get-AzureADTenantDetail cmdlet:

Get-AzureADTenantDetail | Select-Object ObjectId

When Office 365 engineering receives the support request, they enable the tenant for a special form of the GUI used to create content searches in the Security and Compliance Center. Under the search locations, a new option appears to include on-premises data in the search (Figure 1).

Figure 1: Including on-premises data in an Office 365 content search (image credit: Microsoft)

In addition, on-premises users are included in the account picker used to select mailboxes to include in searches. If you select “all mailboxes” for a search, Office 365 automatically includes the phantom mailboxes for on-premises and guest users.

PowerShell Searches Available Now

Microsoft says that it typically takes 2-3 weeks for them to complete the process of provisioning a tenant to see the amended GUI. If you can’t wait, you can use PowerShell because the New-ComplianceSearch cmdlet supports two new parameters:

  • Set AllowNotFoundExchangeLocationsEnabled to $True to tell Office 365 that you want to search the phantom mailboxes. The search won’t try to check that the Exchange mailboxes specified for the search exist (they do, but they are phantoms). It also means that content searches will check compliance records generated by guest users.
  • Set IncludeUserAppContent to $True to tell Office 365 that some or all of the mailboxes specified for the search are phantoms.

After that, it’s a matter of specifying the on-premises mailboxes individually in the ExchangeLocation parameter or searching all Exchange mailboxes. For example, these commands create a content search for chat records and then start the search.

New-ComplianceSearch -Name "Teams Chat Scan" -Description "Search for Teams Chat Information relating to Contoso" -ContentMatchQuery "Contoso AND kind:im" -IncludeUserAppContent $True -AllowNotFoundExchangeLocationsEnabled $True -ExchangeLocation All 
Start-ComplianceSearch -Identity "Teams Chat Scan"
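As an added example (not code from the original post), the following script wraps the two new parameters into a function that targets a list of named on-premises or guest mailboxes rather than all mailboxes, waits for the search to finish, and then reports the item count per location so you can confirm that the phantom mailboxes were actually searched and not silently skipped. It assumes an existing Security and Compliance Center PowerShell session; the search name, keyword and mailbox addresses are placeholders.

```powershell
# Added example: search Teams chat compliance records in specific phantom mailboxes
# and report hits per location. Assumes a connected Security & Compliance Center session.
function Search-PhantomTeamsChat {
    param (
        [Parameter(Mandatory)] [string[]] $OnPremMailboxes,  # placeholder UPNs of hybrid/guest users
        [string] $Keywords   = "Contoso",                     # constructed sample keyword
        [string] $SearchName = "Teams Chat Scan - OnPrem"     # placeholder search name
    )

    # kind:im restricts the hit set to Teams chat compliance records (the "IM" items)
    $query = "($Keywords) AND kind:im"

    # AllowNotFoundExchangeLocationsEnabled: do not reject locations that are not regular mailboxes.
    # IncludeUserAppContent: some or all of the listed mailboxes are phantoms.
    New-ComplianceSearch -Name $SearchName `
        -Description "Teams chat records for on-premises and guest users" `
        -ExchangeLocation $OnPremMailboxes `
        -ContentMatchQuery $query `
        -AllowNotFoundExchangeLocationsEnabled $true `
        -IncludeUserAppContent $true | Out-Null

    Start-ComplianceSearch -Identity $SearchName

    # Content searches run asynchronously; poll until the status reaches Completed
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $SearchName
    } while ($search.Status -ne "Completed")

    # SuccessResults holds one "Location: x, Item count: n, Total size: s" entry per line.
    # A location with zero items either held nothing matching or was not resolved to a phantom mailbox.
    $perLocation = foreach ($line in ($search.SuccessResults -split "[\r\n]+")) {
        if ($line -match 'Location:\s*(?<loc>[^,]+),\s*Item count:\s*(?<count>\d+)') {
            [pscustomobject]@{ Location = $Matches.loc; Items = [int]$Matches.count }
        }
    }
    return $perLocation
}

# Usage with constructed placeholder addresses (an on-premises user and a guest)
$results = Search-PhantomTeamsChat -OnPremMailboxes @(
    "onprem.user@contoso.com",
    "guest_example.com#EXT#@contoso.onmicrosoft.com"
)
$results | Format-Table -AutoSize
$results | Where-Object Items -eq 0 | ForEach-Object {
    Write-Warning "No Teams chat records found for $($_.Location)"
}
```

Because phantom mailboxes cannot be placed on hold, a zero-item result is worth double-checking against the search status rather than assuming the user never chatted.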

Previewing Search Results

Even if you don’t ask Microsoft to update the Security and Compliance Center GUI to deal with phantom mailboxes, after creating a search in PowerShell, you can preview results through the Security and Compliance Center. Figure 2 shows a compliance record generated for a message in a personal chat (it has “IM” as its subject) authored by a guest user.

Figure 2: A content search finds a compliance record for a guest user (image credit: Tony Redmond)

No Hold or Retention for Phantom Mailboxes

Although you can search for compliance records generated by on-premises users, you cannot put phantom mailboxes on hold. This should not be a problem because no one can log onto those mailboxes and try to remove items. Also, you cannot apply Office 365 retention policies to the phantom mailboxes.

The Enduring Search for Compliance Perfection

Over the last year, Teams has made good progress in getting better at meeting the compliance requirements of customers by supporting features like Office 365 retention policies. This new update is a good step forward, but there’s more to do. Expect to hear more as Microsoft drives to complete functionality before the Ignite conference in September.

Follow Tony on Twitter @12Knocksinna.
