audit-microsoft-teams-edited-posts.jpg

Unable to Audit Microsoft Teams Edited Posts

Rob Horton is a Senior Consultant and the Sustainment Practice Lead at ThreeWill. His experience includes over 20 years leading software architecture, design and development focusing on support tools, automation and e-commerce for large corporations and his own small businesses.

Audit Microsoft Teams

We recently completed a project to rollout Microsoft Teams for all associates at a client’s company. As part of the project, we drafted a policy and governance guidance document. We typically complete this document with clients by reviewing all Teams settings and best practices, consulting on business decisions that are in our client’s best interest. That’s when we came across the “Users can edit sent messages” messaging policy.

The conversation went something like,

ThreeWill: “You know when you make a typo and want to quickly update it, or you accidentally hit return before completing the post.”

Client: “Oh yes, that makes a lot of sense. We’d like to have that enabled. Of course, there’s an audit trail so that we can see the original unedited message, right?”

ThreeWill: “Surely. But we’ll check just in case…”

Well, we checked, just in case. To date, we have not been able to determine how to view an unedited message posted in Teams.

We started by reviewing the Teams UI and documentation, looking for a post history feature, like what’s found in Yammer. We were unable to find any documented or undocumented history feature. Teams only indicate a post has been modified by placing an “Edited” tag next to the date/time stamp.

We then provisioned a Microsoft demo tenant and configured access to the Security & Compliance Center as an eDiscovery Manager. We set up test posts to Teams and were able to successfully create a Content Search Query that returned results for the test posts. The result types appeared to be email messages and included all expected message content, along with a unique Message ID.

We then edited the post in Teams by changing both the subject and body of the message and reran the Content Search Query. Again, we successfully received search results that appeared to be of email type. The body of the results showed the updated content, but curiously the subject remained the same. Also, every other aspect of the message was exactly the same as the original message, including the Message ID, date and time stamp. There did not appear to be any way to determine the original message had been edited.

Given our inability to show our client how to view original posts prior to being edited, we did not enable the edit feature in our client’s Teams implementation. The apparent lack of an audit trail regarding updated posts in Teams poses too large a liability to enable.

Have you figured out a workaround?   Leave a comment below….


Related Posts

Rob HortonUnable to Audit Microsoft Teams Edited Posts