What You Need to Know About Teams and Office 365 Retention Policies

Posted on April 17, 2018 by Tony Redmond in Microsoft Teams, Office, Office 365

Teams Becomes More Compliant

It’s April, so it must be time for Microsoft to launch some new compliance features for Office 365. Last April, Microsoft launched the new Office 365 data governance framework, including retention policies and classification labels. Around the same time, Teams began to record compliance records for personal and channel conversations in user and group mailboxes. Now, to complete the circle, Office 365 retention policies can process Teams compliance records. All of which is good news with regulations like GDPR on the near-term horizon.

Office 365 retention policies support OneDrive for Business and SharePoint Online libraries, so it has always been possible to control some Teams content. The new initiative covers retention management for conversations, which exist in the Teams chat and media services running in Azure.

The MFA Helps with Compliance

Microsoft took an interesting approach to apply retention policies to conversations. Instead of building a new background process to interpret and execute the instructions as described in retention policies, Teams uses the Exchange Managed Folder Assistant (MFA) to process the compliance records held in user and group mailboxes.

As you might recall, each time someone posts a message to a channel, Teams captures a copy of the message in the Team Chat folder of the group mailbox belonging to the host team for the channel. Copies of messages sent to personal chats end up in the same folder in the mailboxes of participants. Office 365 indexes these compliance records to make them available for eDiscovery. To see how many Teams compliance records are in a (group or user) mailbox, use this PowerShell command:
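One way to take that count is sketched below as an added example; it is not the author's original command. It assumes a connected Exchange Online PowerShell session and that the Team Chat folder is returned under the Conversation History folder scope; the function name, parameter names and sample identities are hypothetical.

```powershell
# Added example: counts Teams compliance records per mailbox and reports whether
# the oldest record is already past a given retention period.
function Get-TeamsComplianceRecordCount {      # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$Identity,   # user or group mailboxes
        [int]$RetentionDays = 180                    # constructed default (about six months)
    )
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    foreach ($id in $Identity) {
        try {
            # Assumption: the Team Chat folder sits under Conversation History.
            $folder = Get-MailboxFolderStatistics -Identity $id `
                          -FolderScope ConversationHistory `
                          -IncludeOldestAndNewestItems -ErrorAction Stop |
                      Where-Object { $_.Name -eq 'Team Chat' } |
                      Select-Object -First 1
        }
        catch {
            # Guest accounts and mistyped names have no mailbox to inspect.
            Write-Warning "No folder statistics for '$id': $($_.Exception.Message)"
            continue
        }
        if (-not $folder) {
            # Mailbox exists but has never held a Teams compliance record.
            [pscustomobject]@{ Mailbox = $id; Records = 0; Oldest = $null
                               Newest = $null; PastRetention = $false }
            continue
        }
        $oldest = $folder.OldestItemReceivedDate
        [pscustomobject]@{
            Mailbox       = $id
            Records       = $folder.ItemsInFolder
            Oldest        = $oldest
            Newest        = $folder.NewestItemReceivedDate
            # True when at least one record is older than the retention period.
            PastRetention = [bool]($oldest -and ([datetime]$oldest -lt $cutoff))
        }
    }
}

# Constructed sample identities; replace with mailboxes from your tenant.
Get-TeamsComplianceRecordCount -Identity 'kim.akers@contoso.com', 'Project Team' |
    Format-Table -AutoSize
```

Running this before and after a retention policy takes effect shows whether the oldest records in a mailbox have actually been removed.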

The logic behind using MFA as the fulcrum for retention processing is impeccable. MFA already understands Exchange mailbox retention policies and Office 365 retention policies. It is a lot easier to include some processing in MFA for Teams compliance records than it is to write a new background agent specifically for Teams retention.

Retention for Teams

Apart from upgrading MFA, Office 365 needed two big updates to enable Teams retention. First, Office 365 retention policies now support Teams channel messages (in group mailboxes) and Teams chats (in user mailboxes) as processable locations (Figure 1).

Figure 1: Teams shows up in retention policy locations (image credit: Tony Redmond)

In testing retention policies for Teams, I noticed some glitches of the type that you see when software is new. For example, you can select a guest user account and add it to a policy, even though these users don’t have mailboxes. Thankfully, Office 365 checks users before creating the policy (Figure 2). On a more practical note, there’s no support for bulk addition of users by adding a distribution group or Office 365 group to the policy.

Figure 2: A guest user can’t be found, so they can’t be in a Teams retention policy (image credit: Tony Redmond)

You can also add teams that don’t exist to a policy (because they are Office 365 Groups that are not enabled for Teams). Office 365 did not detect the presence of these groups and was happy to create the policy with them in it, possibly because they might be team-enabled in the future.

Types of Teams Retention

The new locations let administrators define a retention policy to remove Teams content after it reaches a certain age. For example, you might decide to remove all personal chats after six months while keeping channel messages for a year.

The separation between channel messages and personal chats exists because some tenants might want to impose different retention regimes on shared content (in channels) and personal content (in chats).

Some might, but I think most tenants will look to impose a common retention policy across both personal and channel chats, if only because personal chats often host the same kind of business discussions that occur in the more formal setting of a channel. My experience of Teams is that a lot of sensitive work happens through personal chats, so it is reasonable to view these messages as being as important as those in the more formal context created by channels.

The norm for Teams is to keep messages forever. Apart from removing content after a set period, retention policies also allow tenants to make sure that Office 365 keeps content for as long as is necessary, which you might need to do to satisfy a government or industry regulation. In this case, as users do not have access to items in the hidden Team Chat folder through clients like OWA and Outlook, it is unlikely that anyone will try to remove a Teams compliance record before its time, but if they do, Office 365 will keep a copy.

Substrate Processing

The second change is that Microsoft extended processing in the Office 365 substrate to synchronize the removal of any Teams compliance records by MFA back to the Teams chat service. Until now, Teams used the substrate to create compliance records in group or user mailboxes (and remove the items, if someone deletes a message in Teams), so the flow has been one-way.

When MFA removes Teams compliance records from mailboxes based on a policy setting (for instance, an item expires after six months), those removals ripple back through the substrate to Teams, which removes the items from the chat service. Eventually, as clients synchronize with Teams, the items disappear from local caches and the retention cycle completes.

Synchronization Takes Time

The time necessary for removed items to disappear completely from Office 365 varies according to when MFA processes a mailbox (the SLA for MFA to process all mailboxes in a tenant is a week), the synchronization between the substrate and Teams, and client synchronization with Teams. Other factors, such as throttling of background processes due to user load, also influence timing. While the clean-up occurs, it will still be possible for removed items to show up in content searches. Microsoft says that it could take up to 30 days for Teams to clean up content, but this period should be shorter.

A Separate Policy for Teams

Teams uses separate retention policies for chats, so you cannot include Teams processing in a retention policy that spans other workloads (and on a technical note, Teams retention policies use separate cmdlets: New-TeamsRetentionCompliancePolicy and New-TeamsComplianceRetentionRuleTeams). You can have one retention policy that applies to both personal and channel conversations, or one for each type – or indeed, multiple policies to process different sets of teams and users.

Using a separate retention policy for chats means that you need at least two retention policies to achieve full coverage of Teams content – one (or two) for chats, and the other for SharePoint and OneDrive. In addition, Teams does not support the removal of items less than 30 days old, so the smallest retention period is 30 days.

Teams does not support the advanced retention settings available in other workloads, such as the ability to search for specific items using keywords or to look for items that hold sensitive data. This functionality might come when Teams supports data loss prevention (DLP) policies, which is on the Office 365 roadmap.

If you want retention policies to apply to the content posted in the SharePoint document libraries used by Teams, you must include those sites in the SharePoint section of the retention policy. A retention policy cannot process data stored in other locations used by Teams such as third-party applications accessed through tabs or bots.

One Size Fits All Policy

Retention policies can do two things. You either keep content for at least the retention period or remove content after the retention period elapses. Teams supports either option, but what it does not do (at least today) is give users the ability to mark specific messages for longer- or shorter-term retention. SharePoint and Exchange support this kind of flexibility through classification labels or personal tags.

For instance, if you need to keep some content for ten years for audit purposes and the retention policy removes all items after six months, you can assign a personal tag or classification label to items in a mailbox or classification labels to documents in SharePoint or OneDrive for Business sites. Although Teams retention is based on the compliance records in user mailboxes, clients cannot access the Team Chat folder to apply retention tags to the items stored there.

It’s possible that Microsoft will give Teams the ability to use classification labels in the future, perhaps after the unification of Office 365 classification labels and Azure Information Protection labels that’s promised for later this year. Supporting classification labels might also allow Teams to exploit advanced compliance functionality like disposition review or event-based retention.

A Continuing Journey to Full Compliance

Teams is on a journey to support the full spectrum of compliance features available inside Office 365. This is happening as Microsoft deploys the Teams services into more Office 365 datacenter regions (the latest regions added are the U.K. and India), handles increasing customer demand, and rolls out new functionality to support the transition from Skype for Business Online. Every week, something changes, so Teams can never be accused of being boring. Which is good, I suppose.

Follow Tony on Twitter @12Knocksinna.
