UPDATE December 10, 2018
With some guidance from Microsoft, we’ve been directed to Microsoft’s Security & Compliance Center and specifically the legal hold. Placing a legal hold on different groups, mailboxes and sites instructs Microsoft 365 to retain all edited content for a configured period, and that content can then be found in a Content Search Query. For example, if you place a legal hold on the Group mailbox used for a Team, channel discussions will be retained, even if they are edited, and original posts will surface in a Content Search Query. The following article describes what to place legal holds on, and how, to retain different Teams content: Place a Microsoft Teams user or team on legal hold.
Armed with our new knowledge, we proposed a governance guidance plan update to include a process that would apply a legal hold on corresponding Group mailboxes when new Teams are provisioned. Interestingly, we haven’t implemented a change for this client yet as they are considering the moral hazard the editing capability may generate.
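One way to script the provisioning step described above, as an added example that is not ThreeWill's or Microsoft's own code. It assumes the ExchangeOnlineManagement module and an account with eDiscovery Manager rights; the case name and the hold naming scheme are hypothetical.

```powershell
# Added example: place the Group mailbox behind a newly provisioned Team on hold.
# Hypothetical names: the default case name and the "Hold-<alias>" naming scheme.
param(
    [Parameter(Mandatory)] [string] $TeamDisplayName,
    [string] $CaseName = 'Teams-Provisioning-Holds'
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline    # provides Get-UnifiedGroup
Connect-IPPSSession       # provides the Security & Compliance cmdlets

# Every Team is backed by a Microsoft 365 Group; channel discussions are
# retained through that Group's mailbox.
$escaped = $TeamDisplayName.Replace("'", "''")
$group   = @(Get-UnifiedGroup -Filter "DisplayName -eq '$escaped'")
if ($group.Count -eq 0) { throw "No Microsoft 365 Group named '$TeamDisplayName'." }
if ($group.Count -gt 1) { throw "Display name '$TeamDisplayName' is ambiguous; resolve it by alias." }
$group = $group[0]

# Reuse one eDiscovery case for all provisioning holds, creating it on first run.
if (-not (Get-ComplianceCase -Identity $CaseName -ErrorAction SilentlyContinue)) {
    New-ComplianceCase -Name $CaseName | Out-Null
}

# One hold policy per Team, so a hold can be released without touching the others.
$policyName = "Hold-$($group.Alias)"
if (-not (Get-CaseHoldPolicy -Case $CaseName -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CaseHoldPolicy -Name $policyName -Case $CaseName `
        -ExchangeLocation $group.PrimarySmtpAddress -Enabled $true | Out-Null

    # A rule with no -ContentMatchQuery holds all content in the location.
    New-CaseHoldRule -Name "$policyName-Rule" -Policy $policyName | Out-Null
}

# The hold is not effective until distribution succeeds, so report its status.
Get-CaseHoldPolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus
```

The script is safe to re-run for the same Team because it skips creation when the case or policy already exists.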
Read the original article below for more details.
Audit Microsoft Teams
We recently completed a project to roll out Microsoft Teams for all associates at a client’s company. As part of the project, we drafted a policy and governance guidance document. We typically complete this document with clients by reviewing all Teams settings and best practices, consulting on business decisions that are in our client’s best interest. That’s when we came across the “Users can edit sent messages” messaging policy.
The conversation went something like this:
ThreeWill: “You know when you make a typo and want to quickly update it, or you accidentally hit return before completing the post.”
Client: “Oh yes, that makes a lot of sense. We’d like to have that enabled. Of course, there’s an audit trail so that we can see the original unedited message, right?”
ThreeWill: “Surely. But we’ll check just in case…”
Well, we checked, just in case. To date, we have not been able to determine how to view an unedited message posted in Teams.
We started by reviewing the Teams UI and documentation, looking for a post history feature, like what’s found in Yammer. We were unable to find any documented or undocumented history feature. Teams only indicates that a post has been modified by placing an “Edited” tag next to the date/time stamp.
We then provisioned a Microsoft demo tenant and configured access to the Security & Compliance Center as an eDiscovery Manager. We set up test posts to Teams and were able to successfully create a Content Search Query that returned results for the test posts. The result types appeared to be email messages and included all expected message content, along with a unique Message ID.
We then edited the post in Teams by changing both the subject and body of the message and reran the Content Search Query. Again, we successfully received search results that appeared to be of email type. The body of the results showed the updated content, but curiously the subject remained the same. Also, every other aspect of the message was exactly the same as the original message, including the Message ID, date and time stamp. There did not appear to be any way to determine the original message had been edited.
Given our inability to show our client how to view original posts prior to being edited, we did not enable the edit feature in our client’s Teams implementation. The apparent lack of an audit trail regarding updated posts in Teams poses too large a liability to enable.