21 DECEMBER 2022

TEAMS - EDISCOVERY

KHOJ SAHIWALA
Contents
The beginner’s guide to Microsoft Teams eDiscovery
Introduction: The beginner’s guide to Microsoft Teams eDiscovery
Microsoft Teams basic features
Where is Microsoft Teams data stored?
Location by data type
Data retention for Microsoft Teams
Understanding Microsoft Security and Compliance Center
Native features and limitations for Microsoft Teams eDiscovery
Microsoft Teams eDiscovery Plan
About Onna for Microsoft Teams
Get started with Onna today
The Ultimate Guide to Microsoft Teams eDiscovery
Where is Microsoft Teams data stored?
Chat and channel Messages
Files
Meeting Recordings
What is eDiscovery?
Licensing requirements
What do you get in the eDiscovery tool?
Permissions
Use eDiscovery to collect Teams data
Step 1: Create a case
Step 2: Create a hold
Step 3: Create a search
Step 4: Export results
Core eDiscovery limitations
Summary

The beginner’s guide to Microsoft Teams eDiscovery
Introduction: The beginner’s guide to Microsoft Teams eDiscovery
Welcome to our Beginner’s Guide to Microsoft Teams eDiscovery — where we’ll cover
everything you need to know about eDiscovery for Microsoft Teams, the communication and
collaboration tool dominating the enterprise workforce. From calls and chats to seamless
collaboration on Microsoft apps, Teams allows organizations of scale to work in a unified way.
In 2020, Teams usage surged from 40 million daily active users at the outset of the pandemic to a
whopping 145 million daily active users just a year later. It seems there is no limit to the
platform’s growth, making in-house legal, IT, and compliance professionals uneasy at the
thought of a runaway data train. 
Needless to say, Microsoft Teams eDiscovery has become a hot topic in the legal tech space.
From retention and compliance to security and privacy, there’s a lot to learn about this
multifaceted tool. In this guide, we’ll break down:
• Microsoft Teams Basic Features
• Where is Microsoft Teams data stored?
• Data Retention for Microsoft Teams
• Understanding Microsoft’s Security and Compliance Center
• Native Features and Limitations in Compliance Center
• Microsoft Teams eDiscovery Plan
By the end, you’ll have a clear picture of what your options are for Microsoft Teams eDiscovery
and be able to find a path that works best for you.
Microsoft Teams basic features
Before we get into Microsoft Teams eDiscovery, it’s important to understand what Teams is and
how it works. Although most widely known for its chat capabilities, Teams also offers video
conferencing, calls, and seamless collaboration with familiar Microsoft apps like Excel and
SharePoint. For companies already using Microsoft 365, Teams is usually the go-to choice as it
seamlessly integrates with the full suite of products. Not to mention, it offers connections to
third-party apps for companies with a more diverse tech stack. 
Now that we know what Teams does, let’s break down its basic features. It’s important to take
note of how your team interacts with each of these features to understand what information may
be relevant for Microsoft Teams eDiscovery.
Chats
MS Teams’ chat is central to keeping coworkers connected. With the click of a button, you can
send a quick note, attach a file, embed a link, @mention someone, start a thread, or even react
with an emoji to communicate quickly and efficiently. Whether you need to speak with someone
one-on-one or in a group, the chat functionality allows you to do both with direct messages,
group chats, and channel conversations. 
The chat functionality also has a search feature to help you track down previous conversations by
user, keyword, and types of messages, such as unread messages, likes, @mention messages, and
replies. You can also save messages you may need to refer back to later. Although you can’t
delete messages you’ve sent that are in threads in channels, you can edit or delete
messages you’ve sent individually if given permission by the Teams admin or owner.

Note: Microsoft Teams admins can set different messaging policies to control users’ chat
abilities. These abilities range from simple features like the ability to preview links and turn on
read receipts, to more strict features like the ability to edit or delete messages. These controls can
be set org-wide or customized for individual users, groups of users, or channels of users. Your
messaging policy can play a critical part in Microsoft Teams eDiscovery, so we’ll get into best
practices for configuration later on.
Calling
Teams also enables cloud-based calling features, such as one-on-one calls, audio conferencing,
call transfers, and cloud voicemail. To get this feature, you’ll need Microsoft 365’s Business
Voice Add-On for fewer than 300 users, or Microsoft’s premium purchasing option, the E5
plan, for more than 300 users.
Once enabled, you can make a call from Teams itself, Outlook, or any PC, Mac, or mobile
device. You can enhance the experience with full video or screen sharing as well. Teams’
seamless integration with the Microsoft 365 environment also makes it easy to sort through your
contact list and call directly from Outlook. The beauty of this calling system is its compatibility
with any device and from any location — making it a popular solution for remote teams that are
already using Microsoft 365.
Note: You must have the E5 Plan and a phone system to enable audio conferencing. Microsoft
Teams and Business Voice only work when your users’ mailboxes are located in Microsoft 365.
They do not support mailboxes located on an on-premises Exchange Server.
Meetings
Similar to its calling features, Teams also offers a video conferencing feature called Meetings.
From one-on-one meetings to company-wide meetings, Teams enables you to connect face-to-
face with any number of people. Teams Meetings are enhanced with features like screen sharing,
meeting recordings, transcriptions, meeting chats, digital white boarding, live captioning, and
customizable backgrounds. In addition to regular video conferencing, Microsoft offers live and
on-demand virtual event solutions for up to 10,000 participants. This is ideal for large company
meetings or virtual conferences and webinars. 
Note: Similar to its messaging policies for chat, Teams offers custom meeting policies. This is
an important setting to be aware of as you may want to allow or disallow meeting recordings and
transcriptions for Microsoft Teams eDiscovery purposes.
Collaboration
Last but certainly not least, Teams acts as a collaboration hub for today’s most popular
productivity and collaboration apps. Not only is Teams integrated with the Microsoft 365 stack,
but admins can also approve the use of apps outside of Microsoft called connectors. Regardless
of what apps you use and where your content lives, Teams sits at the intersection of it all.
From PowerPoint and OneDrive for Business to Dropbox and Box, you can access shared
calendars, projects, folders, files, and more. Whether you’re collaborating with a colleague on a
PowerPoint or sharing the final draft of a Word document with your team, you can work on items
in real time without ever having to leave your Teams dashboard.
Where is Microsoft Teams data stored?
Between all the functionalities we just covered, you might be wondering, “Where is Microsoft
Teams data stored?” Although the question might be simple, the answer is quite complex. The
storage location of Teams data is dependent on the functionality and data type, but let’s start with
the basics.
Azure
You’ve probably heard of Azure — Microsoft’s cloud platform that allows users to build and run
applications on-premises, in the cloud, or across hybrid models. Like most Microsoft apps, it’s
also the core platform that Teams is built on. According to Microsoft, 95% of Fortune 500
companies use it, earning the trust of some of the most regulated industries, such as government,
healthcare, and financial services. With these facts in mind, plus its top-notch security, Azure
stands as a solid bedrock for Teams data.
Understanding Azure is important for Microsoft Teams eDiscovery because the Teams
application uses Azure storage to create what’s called the “Teams substrate.” Think of the Teams
substrate as an underlying storage layer that brings together the data flows of all the different
apps and services that make up Teams (i.e., collaboration apps, chat, video, voice). The ability to
search for what you need, protect your data, and maintain information governance and
eDiscovery are a lot harder when you’re dealing with multiple parts, so the Teams substrate
ensures these services’ data flows and storage run cohesively. Below is a visual that
demonstrates this flow:

Within this substrate, you’ll notice that Teams data is stored within different Microsoft apps.
We’ll get into those next.
Location by data type
Understanding where data is stored in each app is not only crucial for Microsoft Teams
eDiscovery, but also privacy, security, and compliance. Below, we’ve outlined exactly where
Teams data types that may be relevant for eDiscovery can be found:

Chat 

One-to-one chat – Teams stores a copy of all private messages in a hidden folder within each
user’s Exchange mailbox. This folder can only be accessed by admins. Private messages are also
stored in the underlying Azure-powered chat service indefinitely.

Group chats – Exactly like one-on-one chats, Teams stores a copy of all group chat
conversations in a hidden folder within each user’s Exchange mailbox. This folder can only be
accessed by admins. Group chat conversations are also stored in the underlying Azure-powered
chat service indefinitely.

Files shared in one-on-one and group chats – Teams stores these files in each user’s OneDrive
for Business account in a folder labeled “Microsoft Teams Chat Files.”

Teams Channel

Channel messages – Teams stores a copy of channel messages in hidden folders in group
Exchange mailboxes. Channel messages are also stored in the underlying Azure-powered chat
service indefinitely.

Files or images in channel messages – Teams stores a copy of files or images in channel
messages in SharePoint. The SharePoint site will have a folder called Documents, with a folder
for each Teams channel.

Wiki – Wiki data is stored in a SharePoint document library called “Teams Wiki Data.” Each
channel has a folder inside the library, and each wiki page is stored as an .mht file inside the
channel folder.

Connector conversation posts – Teams can show files from any connector or third-party
integration in channel conversations. These files are stored in the applications themselves
and do not reside anywhere in Teams.

Video

Meeting chats and files shared in meeting chat – Meeting chats are stored in the OneDrive for
Business account of the user who shares the file. 

Note: If you’re using Microsoft Exchange on-premises, you may not have access to some of this
data as it is stored differently. We recommend speaking to your Microsoft rep about Exchange
Online for the full Teams experience.

You can find more information on where Microsoft Teams data is located here. 

Data retention for Microsoft Teams


Knowing where Microsoft Teams data is stored is useful, but it’s only part of the big picture. It’s
also important to know what data can be retained, and how long for, before you can successfully
conduct Microsoft Teams eDiscovery. In this section, we’ll dive into the retention
settings/admin controls for Teams chats and channel messages.
Teams Chats and Channel Messages
Teams chats and channel messages are perhaps the most critical pieces of data for Microsoft
Teams eDiscovery. If preserved strategically, Teams chats and channel messages can provide the
context needed to meet future eDiscovery needs. Before you set a retention policy in Teams, here
are some key things to consider:

When setting a retention policy for Teams chats and/or channel messages, you can choose from
the following rules:

• Retain Teams chats and/or channel messages for a specific duration of time, then do nothing
• Retain Teams chats and/or channel messages for a specific duration of time, then delete the data
• Delete Teams chats and/or channel messages after a specific duration of time

When choosing which rules to apply, consider how extensively your company uses Teams. For
many, especially those operating in remote or hybrid models, Teams tends to be the central hub
for all collaboration and communication. This means that content you may normally retain or
delete for legal investigations or regulatory compliance in other Microsoft apps can also be
tampered with in Teams.
It’s also good to think about the nature of channels versus private chats. Channels tend to be
home to standard project-management content; however, the teams using them could still be
sharing sensitive information. Private chats also tend to be more of a liability in future litigation
and investigations as there’s an unknown element of risk. For these reasons, you may want
to assign different retention settings for every team, user, or channel.
To set a retention policy in Teams, you’ll need admin access in Compliance Center. To create,
edit, or delete a retention policy for chats and channel messages, follow these steps. For more
information on where data goes and what triggers retention policies for Teams chats and channel
messages, see here.
Note: Even though chats and channel messages are stored in Exchange mailboxes, Exchange
retention policies will not apply to this data. Only retention policies set in Microsoft Teams
locations will be effective.
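
The three rule choices and the Teams-location note above, expressed in Security & Compliance PowerShell. This is an added example, not taken from the guide or from Microsoft; the admin account, policy name and seven-year duration are constructed placeholders.

```powershell
# Added example: Teams retention through Security & Compliance PowerShell.
# Requires the ExchangeOnlineManagement module and a Compliance Center admin.
# Account, policy name and duration below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'compliance-admin@contoso.example'

# The guide's three rule choices as RetentionComplianceAction values.
$RuleChoice = @{
    RetainThenDoNothing = 'Keep'
    RetainThenDelete    = 'KeepAndDelete'
    DeleteAfter         = 'Delete'
}

function New-TeamsRetentionPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)]
        [ValidateSet('RetainThenDoNothing', 'RetainThenDelete', 'DeleteAfter')]
        [string] $Choice,
        [Parameter(Mandatory)] [ValidateRange(1, 36500)] [int] $Days
    )

    # Chats and channel messages are only covered by a policy that targets
    # the Teams locations, so the policy names them explicitly.
    $policy = @{
        Name                 = $Name
        TeamsChatLocation    = 'All'
        TeamsChannelLocation = 'All'
        Comment              = "Teams chats and channel messages: $Choice after $Days days"
    }
    New-RetentionCompliancePolicy @policy | Out-Null

    $rule = @{
        Name                      = "$Name rule"
        Policy                    = $Name
        RetentionDuration         = $Days
        RetentionComplianceAction = $RuleChoice[$Choice]
    }
    New-RetentionComplianceRule @rule | Out-Null

    # Return the policy with its distribution state so the caller can confirm
    # that it has been pushed to the Teams locations.
    Get-RetentionCompliancePolicy -Identity $Name -DistributionDetail |
        Select-Object Name, Enabled, DistributionStatus, TeamsChatLocation, TeamsChannelLocation
}

# Retain for roughly seven years, then delete (constructed values).
New-TeamsRetentionPolicy -Name 'Teams chats and channels 7y' -Choice RetainThenDelete -Days 2555

# Coverage check for the note above: enabled policies that target Exchange
# mailboxes but no Teams location do not retain Teams messages.
Get-RetentionCompliancePolicy |
    ForEach-Object { Get-RetentionCompliancePolicy -Identity $_.Name -DistributionDetail } |
    Where-Object {
        $_.Enabled -and
        @($_.ExchangeLocation).Count -gt 0 -and
        @($_.TeamsChatLocation).Count -eq 0 -and
        @($_.TeamsChannelLocation).Count -eq 0
    } |
    Select-Object Name, ExchangeLocation
```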
In addition to the above retention settings in Compliance Center, you can also set messaging
policies in the Microsoft Teams admin center. Admins can use messaging policies to control
which chat and channel messaging features are available to users. To see the full list of settings
you can configure, see here. Otherwise, here are the settings we believe are most relevant for
Microsoft Teams eDiscovery.
• Let owners delete messages that users send in the chat
• Let users delete messages they’ve already sent in the chat
• Let users edit messages they’ve already sent in the chat
• The ability to use GIFs and add a content rating of unrestricted, moderate restrictions, or strict adult content
• The ability to use memes
• The ability to use stickers
• The ability to create audio messages. Note: These cannot be captured with eDiscovery tools.
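
A way to review the settings listed above across every messaging policy in a tenant, using the MicrosoftTeams PowerShell module. This is an added example, not part of the guide; the custodian addresses are constructed, and treating edit, delete and audio messages as review items is this example's assumption about what an eDiscovery team wants to see.

```powershell
# Added example: report the eDiscovery-relevant messaging policy settings.
# Requires the MicrosoftTeams module and a Teams administrator account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

function Get-MessagingPolicyReview {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        # Collect the settings that change or remove message content.
        $notes = @()
        if ($Policy.AllowOwnerDeleteMessage) { $notes += 'owners can delete messages that users send' }
        if ($Policy.AllowUserDeleteMessage)  { $notes += 'users can delete messages they sent' }
        if ($Policy.AllowUserEditMessage)    { $notes += 'users can edit messages they sent' }
        if ("$($Policy.AudioMessageEnabledType)" -ne 'Disabled') {
            $notes += "audio messages enabled ($($Policy.AudioMessageEnabledType)); not captured by eDiscovery tools"
        }

        $giphy = 'off'
        if ($Policy.AllowGiphy) { $giphy = "on, rating $($Policy.GiphyRatingType)" }

        [pscustomobject]@{
            Policy      = $Policy.Identity
            Giphy       = $giphy
            Memes       = $Policy.AllowMemes
            Stickers    = $Policy.AllowStickers
            ReviewNotes = $notes -join '; '
        }
    }
}

# One row per policy, including the org-wide Global policy.
Get-CsTeamsMessagingPolicy | Get-MessagingPolicyReview | Format-Table -AutoSize -Wrap

# Which policy applies to each custodian (constructed addresses).
# An empty TeamsMessagingPolicy means the user falls back to Global.
$custodians = 'alice@contoso.example', 'bob@contoso.example'
foreach ($upn in $custodians) {
    Get-CsOnlineUser -Identity $upn |
        Select-Object UserPrincipalName, TeamsMessagingPolicy
}
```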
What about retention for the other Microsoft 365 apps?
As we know, the Teams interface is the sum of many parts: Exchange Mailbox for groups and
users, OneDrive for Business, and SharePoint. All of these apps need their own retention
configurations separate from Teams. To learn how to set a retention policy for apps other than
Teams, check out this article. 

Understanding Microsoft Security and Compliance Center
We can’t cover how to properly retain and capture Teams data without talking about Microsoft
Office and Microsoft 365 Security and Compliance Center. Compliance Center is Microsoft’s
workspace for risk management, security, information governance, auditing, and of course,
Microsoft Teams eDiscovery. With Compliance Center, your team has the necessary tools to
meet legal, regulatory, and organizational requirements within Microsoft products. Whether that
means setting a retention policy or managing user access privileges, Compliance Center has a
variety of solutions to help. 
Even though all Microsoft 365 licenses come with Compliance Center, the E5 license has the
most robust features for Microsoft Teams eDiscovery. Microsoft 365’s E5 license is the highest-
tier option, at an annual commitment of $57 per user/month. For organizations on the E3
licenses, this is a significant jump from $32 per user/month for a viable discovery function.
Below is a side-by-side comparison of each plan’s Compliance Center eDiscovery features. If
you’re curious about the overall comparison, see here. 

Looking at the chart above, it’s not hard to see the stark differences between the E3 and the E5
plan. It might seem as though the only way to get viable security, compliance, and governance
features is to upgrade. However, Microsoft does offer the following add-ons as alternatives:
• E5 eDiscovery and Audit Add-On ($6 user/month)
• E5 Compliance Add-On ($12 user/month)
• Move to E5 ($35 user/month)
From a Microsoft Teams eDiscovery perspective, the E5 license has the most Advanced
eDiscovery features. Before we get into what you get with different licenses, let’s first dive into
what you get with each eDiscovery tool:
Content Search – Content Search is the most basic tool for Microsoft Teams eDiscovery. It
allows you to run searches and preview search results and stats. With Content Search, you can
search by keywords, customizable queries, or specific locations (apps). Although narrowing
down your search to a per app dataset seems ideal, it’s not effective for Microsoft Teams
eDiscovery as Teams’ data is also stored in other apps. For this reason, if you use Content Search
you have to specify the mailbox, SharePoint site, and OneDrive for Business account associated with
your teams, which can be a hassle. Beyond this, there are a number of search, indexing, and
export limitations when using Content Search that may block eDiscovery efforts. To conduct a
content search, follow these steps. For information on more robust eDiscovery options, keep
reading.
Core eDiscovery – Core eDiscovery picks up where Content Search leaves off with features that
move further along the Electronic Discovery Reference Model (EDRM). With Core eDiscovery,
eDiscovery managers and Admins can create cases for allocated users to collaborate on, run
detailed searches, create legal holds, and export search results.
Larger organizations should be aware of a few Core eDiscovery limitations:
• Only 10,000 case holds can be created in an organization
• Only 1,000 mailboxes can be placed in a single case hold
• Only 1,000 SharePoint and OneDrive sites can be placed in a single case hold
• Only 1,000 cases will be displayed on the core eDiscovery home page
• Only 1,000 items displayed on Holds, Searches, and Export tabs within a case

Advanced eDiscovery – Advanced eDiscovery is Microsoft’s end-to-end eDiscovery workflow
that lives in Compliance Center. This eDiscovery tool is the full package out of all of Microsoft’s
offerings. It’s ideal for teams that deal with multiple active litigations and strict retention, and/or
want to level up their information governance efforts. 
With Advanced eDiscovery, legal teams can collaborate on cases throughout the entire EDRM
cycle. Advanced eDiscovery allows you to preserve and collect as much or as little data from
custodians as you’d like. For example, for each custodian, you can choose which apps to collect
from, which groups or channels they’re a part of (if any) to collect from, and any sites they’ve
interacted with. Advanced eDiscovery also enables legal holds. Outside of this, Advanced
eDiscovery includes machine learning-driven indexing capabilities that are best for organizing
large, unstructured data sets, and flexible exports that can include metadata, native files, text
files, and redacted documents. To get started with Advanced eDiscovery, follow these steps.
Note: To learn how to conduct a Microsoft Teams eDiscovery investigation using any of these
tools, follow these steps.
Native features and limitations for Microsoft Teams eDiscovery
Now that you understand what each eDiscovery tool entails, let’s take a look at what your
eDiscovery options are with each license. As mentioned before, at the very minimum you’ll need
a Microsoft E3 plan to gain access to Compliance Center eDiscovery capabilities. If your
Microsoft Teams users are on-premises, however, you’ll need to fill out a request to search
across chats. Once approved, you’ll be able to leverage Content Search only in Compliance
Center. Below is a breakdown of the enterprise licenses that have the most extensive Microsoft
Teams eDiscovery capabilities, as well as overall limitations.

With these eDiscovery capabilities and limitations in mind, regardless of which enterprise plan
you have, one thing’s for certain — Microsoft Teams eDiscovery is a complex process. The
good news? There are steps you can take to start creating an effective long-term eDiscovery plan
today. 
Microsoft Teams eDiscovery Plan 
Now that you have plenty of Microsoft Teams eDiscovery knowledge under your belt, it’s time
to come up with a plan of action. Whether you’ve already taken some kind of initiative or are
just starting out, we believe each of these steps is crucial to implementing a successful Microsoft
Teams eDiscovery plan. We understand that no organization or legal team is the same, so we
made sure that this is an adaptive guide to fit your unique needs.
1. Understand your needs

As obvious as it may seem, the first step in launching a successful Microsoft Teams eDiscovery
plan is understanding your needs. Ask yourself questions like:

By asking yourself these questions, you can get a better idea of how to prioritize your efforts.
Take a look at the scope of your goals: do you need the full security, compliance, eDiscovery
package? Are you simply trying to maintain retention and search of a specific channel’s
messages? Or are you just plain tired of dealing with the limitations of Content Search?
Regardless of your reasons, you should be able to preserve relevant data, find what you need,
understand context for review, and export those results. 
2. Reevaluate your license
Once you understand your needs, you should weigh them against your current Microsoft Teams
eDiscovery capabilities. If you find that your needs exceed what your current license can do, it
might be time to either a) upgrade your license b) tack on a necessary add-on or c) find a third-
party eDiscovery solution that can help.  For example, if you’re a company of more than 300
remote workers, have seen increased usage in Microsoft Teams and other MS apps, and are
working with an E3 license, it might make sense to upgrade your licensing to E5. However, if
you’re a smaller company that’s just onboarded Microsoft Teams, but doesn’t typically use other
Microsoft apps, you may just opt for the add-ons or a third-party solution. 
Bottom line — whatever your needs, your Teams data should be accessible, useful, and private.
If you’re not confident that this is the case, weigh your needs against each license to find the plan
that best suits your Microsoft Teams eDiscovery goals.
3. Establish a company Teams policy
After you’ve aligned your needs with your Microsoft license, it’s time to put it all in writing. A
good place to start is creating a company “Teams policy” — guidelines that detail the people,
processes, and technology that drive the successful use, governance, and discovery of Microsoft
Teams data. Although Teams policies may look different depending on company size, needs, and
maturity, here are some basics to consider:
• Outlining who should receive which user roles and configuring permissions accordingly
• Optimizing your admin roles and user permissions for compliance and security
• Identifying which data types are relevant to retain/delete and why
• Putting controls/restrictions in place around user behavior and explaining why
• Identifying the limitations you currently face and how you plan on filling those gaps in the future
Although there is no one-size-fits-all approach, a well-documented policy can help streamline
communication between teams, help you spot and avoid risk, and allow you to constantly iterate
and improve on your processes for Microsoft Teams eDiscovery.
4. Make a long-term eDiscovery and preservation plan
Between retention, legal hold, archiving, and search, there are so many critical elements that go
into successful eDiscovery, and the way Microsoft is currently architected doesn’t allow easy
visibility into it all. From unreliable indexing and search, to fragmented retention policies, to a
challenging user experience, Compliance Center may be able to get the job done well enough,
but “well enough” doesn’t cut it in the long run.
The truth is that Microsoft Teams is only one fish in a big sea of communication and
collaboration apps, apps that will continue to proliferate, become adopted, and create data that
will need controls of their own. Microsoft Teams, then, is really a microcosm of a much larger
eDiscovery challenge that enterprises face today. The worry you have about the preservation,
retention, and discovery of data in Microsoft Teams will be multiplied by the hundreds of other
apps you use. Centralization seems to be the only path to control, and the nuts and bolts of
Compliance Center are not centralized.
Thus, we believe the best way to maintain visibility and control over all of your data (alongside
optimizing your policies and processes) is by implementing an eDiscovery solution that
centralizes data from not only Teams, but any new app that comes your way. Maybe today
you’re searching for something quick to put out a fire, but down the line, you may wish you had
chosen a sustainable solution to make your information accessible, useful, and private.
About Onna for Microsoft Teams
With Onna, organizations that use Microsoft Teams can centralize their eDiscovery efforts by
integrating not only Teams, but also all of their other cloud applications in one place. Not only
does this provide exceptional eDiscovery capabilities for Teams users, but also for Teams users that
double as Google Workspace users, Zoom or Slack users, and more.
Onna’s open API integrates directly with Microsoft Teams to simultaneously collect and process
all available data in real-time. Consistently collect, process, search, and investigate data from
Microsoft and other third-party apps, find information faster with a centralized store of search-
ready data, separate primary and archive data stores to mitigate risk of loss and corruption, and
get powerful yet simple to use tools for more efficient workflows.
Ready to see our Microsoft Teams connector in action? Reach out!

Get started with Onna today

The Ultimate Guide to Microsoft Teams eDiscovery

Amid this ongoing pandemic, many organizations across the world have required their
employees to work from home using apps like Microsoft Teams, which generates more content
than ever in Office 365. Microsoft Teams stores data in various places, making it more difficult
for administrators to perform complete eDiscovery.

In this article, we will explore which Teams eDiscovery tools are available for IT admins,
how to collect data from Teams using eDiscovery, and what the current limitations of
eDiscovery workflows are.

Where is Microsoft Teams data stored?

Before we begin using eDiscovery, it’s essential to understand the different storage locations of
Microsoft Teams since the app uses multiple Office 365 services to handle its data.

Chat and channel Messages


Microsoft Teams chat and channel messages are stored with Exchange Online. When a user
posts messages to a chat or channel conversation, the Microsoft 365 substrate stores a
compliance record for those messages in Exchange Online. The compliance records for chats are
in the user mailboxes of all chat participants. When users send channel messages, compliance
records are sent to the team mailbox that owns that channel.
Files
Every team has a SharePoint team site, and within that site is the Team document library with
folders representing each channel. Microsoft Teams files live in OneDrive for Business or
SharePoint Online.

When a user sends a file via a Teams chat, a folder in their OneDrive will appear named “Teams
Chat Files,” containing their files. Files shared through Teams chats are stored in OneDrive for
Business.

Meeting Recordings

Teams meeting recordings are stored in either OneDrive or SharePoint, depending on the type of
meeting. A folder named “Recordings” in OneDrive for Business stores ad hoc Teams meeting
recordings, and SharePoint Online stores any Channel meetings.

What is eDiscovery?
Electronic discovery, or eDiscovery, is the process of identifying, collecting, and producing
electronic information in response to a request for production in a legal case or investigation. It
can be emails, files, chat messages, videos, voicemails, etc.
Licensing requirements
There are two types of eDiscovery in Microsoft 365:
• Core eDiscovery, which comes in the Microsoft 365 E3 or Office 365 E3 licensing SKU
• Advanced eDiscovery, which comes in Microsoft 365 E5 or Office 365 E5 licensing SKU. Advanced eDiscovery also comes as part of the Microsoft 365 E5 Compliance add-on.

This article will focus on the Core eDiscovery features, but it is helpful to understand what the
E5 version provides. Advanced eDiscovery provides custodian management, which enables you
to identify users who are the data custodians in your investigations and add them and their
content locations. You can specify the team content locations to quickly place them on legal
hold.

To run searches for users, they must have an Office 365 license containing a mailbox, SharePoint
Online, OneDrive, and Teams. In the search results, there is conversation grouping, which
groups channel and chat conversations to help identify the context that may be relevant to your
investigation. Advanced eDiscovery also provides deep indexing and the ability to redact
content.

What do you get in the eDiscovery tool?

With each eDiscovery tool, you will get a set of features to search and hold organizational data in
Office 365.

Content Search

Content Search in Microsoft 365 allows you to run searches for keywords, specific users, or
specific locations in Office 365. To run content searches for Teams data, you must narrow your
search to the Team SharePoint site, OneDrive account, and Exchange mailbox because Office
365 stores Teams data in different locations, as we explained earlier.

Core eDiscovery

Admins can use Core eDiscovery to place an eDiscovery hold on content locations in Office 365.
Core eDiscovery cases can create holds to preserve content relevant to the case.

If you are investigating someone, you can hold their Exchange mailboxes and OneDrive for
Business accounts. Additionally, you can place a hold on the mailboxes and sites associated with
Microsoft Teams, Office 365 Groups, and Yammer Groups. The hold preserves the content until
an admin or eDiscovery Manager removes the location or deletes the hold.

Permissions

Before you get started with eDiscovery, you must ensure that you have the correct permissions
assigned. There are two significant roles available in the eDiscovery Manager role group:

• The eDiscovery Manager role enables users to use content search, export the results,
  and create cases and holds. Users are only able to access cases they create.
• The eDiscovery Admin is an access-all-areas type of permission. Admins can access
  all cases and data in eDiscovery.

You can assign these permissions in the Permissions section of the Microsoft 365 Compliance
Admin Center.

Use eDiscovery to collect Teams data


Step 1: Create a case

To use eDiscovery to collect Teams data, first, you need to create a case. Navigate to the
eDiscovery section of the Compliance Admin center and create a new case.

Figure 1: Creating a new case in Core eDiscovery

Step 2: Create a hold

Within each case, you can create multiple holds to preserve the Teams data in eDiscovery. The
hold preserves the content until you delete it, and it will also retain the data even if it reaches its
retention period in Microsoft 365.

To create a hold, open the case and choose the Holds tab. From there, we can create a new hold.

Figure 2: Create a new hold under eDiscovery case

eDiscovery prompts you to enter a name and description for your hold. Next, choose the
locations for the hold.

If you want to hold Teams data, you need to define the Group mailbox and the SharePoint site.
You can do this by searching for the Team name.

Figure 3: Choose hold locations in Office 365

If you want to create a query-based eDiscovery hold, you must give the query condition. You can
choose a keyword and additional conditions such as sender, date, and subject.

Figure 4: Query and condition options within the hold

You can create a hold without a condition, so click Next and then Submit to create your new hold.
The hold may take up to 24 hours to take effect.
Step 3: Create a search

After creating the hold, select the Searches tab to create a new search. Follow the prompts to
name your search and choose the locations in Exchange and SharePoint. Again, search for the Group
mailbox and SharePoint team site for the Team you want to search. You can add conditions such
as keywords and then click Save.

Figure 5: New search in eDiscovery case

The search will appear under the Searches tab, and you can select it to view the search results
and a sample preview of the data.

Figure 6: Search preview in eDiscovery case

Step 4: Export results

You can export the eDiscovery search results to a .pst file by using the export tool. Go back to
your search and select Actions, then Export results.

Figure 7: Under Actions, export results

You can define the output options in your export results, such as excluding encrypted items, and
then choose how to export the data.

Figure 8: Customise export results

Scroll down to choose SharePoint versioning and duplication options, as well as a numerical
view of the results.

Figure 9: View total items to export

After you click Export, you will see the results under the Exports tab within the case. Once the
export completes, you can download the results.

Figure 10: Exporting results under Export tab in eDiscovery case

The data collected in the PST files is generally unorganized and unstructured, and channel
and chat messages are not displayed one after the other in order. Instead, you’ll get a
collection of individual messages that are difficult to interpret.

If you don’t want to deal with unorganized Teams data, you may want to consider purchasing
Advanced eDiscovery, which provides conversation grouping. This makes it much easier to
interpret the data and see the relevant context to the conversation.
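
Steps 1 and 2 of the portal procedure above (create a case, then a hold on the team's Group mailbox and SharePoint site) can also be scripted in Security & Compliance PowerShell. The following is an added example, not part of the original guide; the case and hold names, the mailbox address, the site URL and the sign-in account are placeholder assumptions.

```powershell
# Requires the ExchangeOnlineManagement module and eDiscovery Manager permissions.
# Every name, address and URL below is a placeholder (assumption), not a value from the guide.
$caseName  = 'Example Case 001'
$holdName  = 'Example Case 001 - Teams hold'
$groupMbx  = 'example-team@contoso.com'                           # the team's Group mailbox
$teamSite  = 'https://contoso.sharepoint.com/sites/example-team'  # the team's SharePoint site
$holdQuery = ''   # empty = hold without a condition; otherwise a KQL query for a query-based hold

Connect-IPPSSession -UserPrincipalName 'ediscovery.manager@contoso.com'

# Step 1: create the case.
New-ComplianceCase -Name $caseName -Description 'Preserve Teams content' | Out-Null

# Step 2: create the hold. Teams data needs both locations: channel message
# compliance records sit in the Group mailbox, channel files in the team site.
New-CaseHoldPolicy -Name $holdName -Case $caseName `
    -ExchangeLocation $groupMbx `
    -SharePointLocation $teamSite `
    -Enabled $true | Out-Null

# The rule carries the optional query condition; without one, all content
# in the two locations is preserved.
$rule = @{ Name = "$holdName rule"; Policy = $holdName }
if ($holdQuery) { $rule.ContentMatchQuery = $holdQuery }
New-CaseHoldRule @rule | Out-Null

# The hold may take up to 24 hours to take effect, so check its distribution
# status before relying on it for preservation.
Get-CaseHoldPolicy -Identity $holdName -Case $caseName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation
```

Run the final `Get-CaseHoldPolicy` check again later if the status does not yet show the hold as distributed.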

Core eDiscovery limitations

The unstructured data export leads me to discuss the various limitations of the Core eDiscovery
tool. First, the content search is not very practical for Microsoft Teams eDiscovery: As an
eDiscovery manager, you need to do a content search for all the Office 365 locations for that
specific team. There is no option to search for a team and get all the data within it, and that’s
because Office 365 stores Teams data in different locations.

Furthermore, not all Teams content is discoverable: Audio recordings, names of channels, and
code snippets are all non-discoverable items in eDiscovery. You should also be aware that the
case holds have some limitations, which will likely impact larger organizations.

Description of limit | Limit
Maximum number of case holds for an organization | 10,000
Maximum number of mailboxes in a single case hold | 1,000
Maximum number of sites in a single case hold | 100
Maximum number of cases displayed on the core eDiscovery home page and the maximum number of items displayed on the Holds, Searches, and Export tabs within a case | 1,000

Microsoft’s eDiscovery tools only work natively with Microsoft 365, meaning they will not work
with data stored in third-party tools. This can be a source of concern for organizations that did
not fully embrace Microsoft 365 and still have data stored elsewhere.

Summary

For organizations dealing with multiple active litigations and looking to level up their
information governance efforts, Advanced eDiscovery is probably the route to take. The Core
eDiscovery tools in your standard Office 365 or Microsoft 365 E3 license provide you with the
ability to search, hold, and export results. With Advanced eDiscovery, you can filter, tag and
view threaded conversations in the results, making it easier to interpret the exported data. If you
want to have a Microsoft Teams eDiscovery plan and policy, Advanced eDiscovery is definitely
worth the investment.

How to run eDiscovery or Content Search with Microsoft Teams
Hello All,
I would like to post some information on eDiscovery or Content Search with Microsoft Teams from
Security and Compliance. This is quite simple, but many of us are unaware of how to filter out the
conversations specific to Microsoft Teams. Below are the steps one should follow to export the data
for a user in Microsoft Teams. Both Content Search and eDiscovery are similar and also have a
somewhat similar user interface; I prefer Content Search.
Note: Before we begin, make sure you have the required permissions (eDiscovery Manager or
Administrator) to run eDiscovery or Content Search. To verify this, follow the steps below;
otherwise, skip the step. The recommended browser is Internet Explorer; if Google Chrome is used,
it requires the "ClickOnce" extension. Learn More about adding extension on Google Chrome
Step 1: Assign eDiscovery permissions:
• Log in to Office 365 >> Admin >> Security and Compliance Admin center.
• Select Permissions >> eDiscovery Manager >> Add the account to the eDiscovery
  Manager role or eDiscovery Administrator role.
• The difference between these two roles is that an eDiscovery Manager can only access and
  manage the cases they create. They can't access or manage cases created by other
  eDiscovery Managers, and an eDiscovery Administrator can create and check cases
  created by other Administrators.
• Learn more about eDiscovery Permissions
• Optional Permission: Preview. This is required when you are interested in taking a
  preview of the search without downloading the search results. If yes, please add this
  permission also.
• Once we have confirmed the permission levels, we are good to run
  eDiscovery/Content Search.

Step 2: Run eDiscovery:

• Under Security and Compliance Admin center, expand Search and Investigation.
• Select eDiscovery.
• The next step is to give a friendly name to the case and Save.
• Now, open the created case and select Searches >> New Search.
• Select Specific Locations (Modify) >> Select User >> and Save it.
• Note: If you want content for all users, select the Select all option instead of Choose
  users, group. Also, this location is for Teams personal chat; for Team
  communication, select the location for Teams sites.
• Now, under Keywords select Add Conditions >> and from the list select Message
  Kind and Type.
• If you want, you can add more conditions to your search, like Date etc.
• Now, select Add. The next step, adding filters, is very important.
• Under Message Kind add the keyword "microsoftteams" and
  for Type select Instant Messages.
• For Skype for Business conversations, in Message Kind you can enter the keyword
  "IM".
• Now, select Save & run and enter a friendly name for your search >> Save. Wait for
  the search to complete.
• Once done, you will see a preview of the search result (only when you are a member of
  the Preview role, see step 1).
• Now select Searches, select the Refresh option, and select
  the Search >> More >> Export results.
• Now, under the Export Result wizard, select the best option. I prefer the 1st option, "All items,
  excluding ones that have unrecognized format, are encrypted, or weren't indexed for
  other reasons". Once done, refresh your page and select Exports; you should see the
  search here.
  Select the search. Before we select Download Results, copy the Export Key from here.
• And now select Download results >> it will install the Office 365 eDiscovery tool >>
  once the tool launches, paste the Key here, select the location to store the results,
  and Start download.

Hope this was helpful! Cheers!
Best regards,
Sameer Gamare.
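
The Message Kind filter described in the post above, written as a query for Security & Compliance PowerShell. This is an added example, not part of the original post; the case name, search name, mailbox and sign-in account are placeholder assumptions, and only the Message Kind condition is expressed (as `kind:microsoftteams`), not the Type condition.

```powershell
# Requires the ExchangeOnlineManagement module and eDiscovery Manager permissions.
# Every name and address below is a placeholder (assumption), not a value from the post.
$caseName   = 'Example Case 001'              # an existing eDiscovery case
$searchName = 'Example - Teams chats for one user'
$userMbx    = 'user@contoso.com'              # personal chats live in the user mailbox

# Message Kind = microsoftteams. Per the post, Skype for Business
# conversations use the keyword IM instead (kind:im).
$query = 'kind:microsoftteams'

Connect-IPPSSession -UserPrincipalName 'ediscovery.manager@contoso.com'

New-ComplianceSearch -Name $searchName -Case $caseName `
    -ExchangeLocation $userMbx `
    -ContentMatchQuery $query | Out-Null

Start-ComplianceSearch -Identity $searchName

# Wait for the search to complete, giving up after 30 minutes instead of
# looping forever if it stalls.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

if ($search.Status -ne 'Completed') {
    throw "Search '$searchName' did not complete in time (status: $($search.Status))."
}

# Item count and size show whether the filter matched anything before exporting.
$search | Format-List Name, Status, Items, Size, ContentMatchQuery
```

For channel conversations, point the search at the team's locations instead of the user mailbox, as the Note in Step 2 says.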
