Microsoft Teams eDiscovery for Calling/Meetings
We’re proud to announce that starting July 2nd, 2018 Microsoft Teams now supports eDiscovery for calling/meeting. With this feature launch, Microsoft Teams delivers on its Q2CY2018 commitments towards the Skype and Teams convergence roadmap (see here). Now, compliance admins who are used to performing eDiscovery searches for Microsoft Teams messages and files will now be able to search and discover summary records for every Microsoft Teams meeting or call in their tenant. To sum up, Microsoft Teams supports eDiscovery for:
- Messages in Microsoft Teams (including Skype for Business interop chats)
- Files in Microsoft Teams
- Meetings/Calls in Microsoft Teams
Note: We recently added support for Guest Users and Exchange on Premises users as well. For more details, please review this blogpost.
How this works?
Microsoft Teams Clients participate in Meetings and Calls that run on the next generation calling and meeting infrastructure services from Skype and Teams. These services will collect information about every meeting and call in Teams. This information is used by the Call Record Processing services to generate a record of the call or meeting, referred to as a call detail record (CDR). This CDR is sent into a special folder (not discoverable by Exchange clients like Outlook or OWA) located within the mailbox storage of all participants who dialed into the call/meeting. This data is indexed and made available to the eDiscovery functionality in the Office 365 Security and Compliance center. So, when compliance admins search for Teams content by including user mailboxes are included in the scope of the search, meeting and call summaries for Microsoft Teams are going to be included in the output of the search.
For the purposes of eDiscovery, Microsoft Teams has introduced 2 new types in addition to IM:
- Meeting - scheduled meetings, channel meetups, ad hoc meetings, group chats turned into meetings with > 2 people
- Call - one-to-one calls
Also, for convenience of our compliance admins the kind: MicrosoftTeams has been introduced and using this kind in compliance content search filters brings together all the 3 kinds that apply to Microsoft Teams together i.e. IM, Meeting and Call.
What is covered in the meeting/call summary?
The idea is that all relevant events that happen during a Microsoft Teams meeting or call are recorded in the summary. This is valuable information for our compliance admins and can be used as evidence in litigation.
With this launch, the following scenarios are covered in the call/meeting summary:
- Meeting or call start and end time, and duration
- Call/Meeting join and leave events for each participant
- VOIP join/calls
- PSTN join/dial-in events
- Anonymous join
- Federated user join
- Guest user join
- Calls to voicemail
- Missed or unanswered calls
- Call Transfers (will be represented as two separate calls)
In the future, we plan to add support for other events such as:
- Screen and app sharing events in a meeting
- Recording events (with support for the cloud recording link and attaching the call/meeting recording transcript to the summary record in eDiscovery)
- Inclusion of meeting subject in the summary record
- Broadcast meetings
- And more…
Frequently Asked Questions:
Is there a delay between the meeting or call happening and the data showing up in eDiscovery in the Security and Compliance center?
Yes, because of the nature of our systems and the requirement to collect additional meta-data about the meeting/call, it can take up to 8 hours for the CDR (call detail record, this is a term used to represent the meeting/call summary) to show up in the Office 365 security and compliance center.
What kind do I need to use if I specifically want to target meetings/calls in the Content search filters?
Use kind = MicrosoftTeams to target Meetings, Calls, and IM from Teams. Then in the compliance content search preview, sort by Types to get to Meeting and Call, separate from IM.
What do the From and To Fields for the item represent in content search preview?
The from field represents the organizer of the meeting or initiator of the call and the to field contains the list of all participants who joined the meeting or call.
Which fields should be looked at to understand the start and end date of a meeting?
The start time, end time and duration in the body of the meeting/call summary should be looked at as the authoritative source of information for the meeting or call start and end timing. These fields are in UTC. The sent date time on the item reflects the time when the CDR was ingested into the compliant storage layer.
How does this functionality work for guest users who joined a meeting or call?
For guest users, CDRs are ingested into the cloud storage locations provisioned for guests and compliance content search can run against these locations. You should see an entry for a guest user in the body of the meeting/call summary if they joined.
Is this data subjected to retention policies?
Since the data being used to generate CDRs as of now is not customer created content, retention policies for Teams do not apply/support to this data. In the future, if we start supporting customer content in the CDRs, we will come up with a retention strategy for it.
For more information about how to do an eDiscovery search for Microsoft Teams Meetings and Calls, please refer to the help articles on office eDiscovery support here and Teams help pages here. Thank you for reading and stay tuned for more updates on the Microsoft Teams meeting and calling eDiscovery story.
Feel free to post questions and/or provide feedback on this topic through the various channels available to you. We are listening, and we appreciate your feedback!
Product Manager | Teams Security, Compliance & Information Protection