Microsoft Teams compliance overview

March 10, 2021

With more than 42 million active users daily, Microsoft Teams is the de-facto enterprise default for team-based collaboration. It offers a multitude of collaborative features, including real-time conversations, group-chat, search, document management and connections.

However, as this easy-to-use platform is adopted by your end-users, your security & compliance staff might have some questions. So, let us take some time to look at some of the compliance features built into Microsoft 365 to help you be compliant with Microsoft Teams. The focus of this article is limited to eDiscovery, information retention policies and information barriers.

Teams architecture

Before we delve into any compliance feature, we must first understand the Microsoft Teams architecture. This architecture consists of several components used to store documents, conversations, chats, and meeting recordings. And these components are also needed to create a complete compliance solution.

The basis for a Microsoft Team is the Azure AD Microsoft 365 Group. This is a mail-enabled group with owners and members. If needed, you can even have dynamic membership based on an Azure AD attribute of your users. The second component is SharePoint Online. This is used for document storage and the wiki function. Exchange Online is used for the group’s e-mail and calendar and plays a crucial role in compliance. More on this later. OneDrive for Business is for exchanging documents when using chats.

Let us take a closer look at these conversations and chats. Conversations in Team channels are stored in memory (for quick retrieval) and in Azure Cosmos DB. For eDiscovery and legal holds, a substrate captures chats and conversations and stores these records in a mailbox in Exchange Online. These contain links (for example to shared files), the message subject and the people in the chat. Images and other media are stored in Microsoft Teams Content Delivery Network or CDN.  Reactions (likes), recordings of audio messages and code snippets in conversations are not included.

In practice, this will lead to this example of a conversation in Microsoft Teams (picture on the left). Nearly all information is available for eDiscovery (picture on the right). But the information which was included as a code snippet is not available. Take note of this.

Conversations and documents

Conversations are stored in the Exchange Online mailbox. A hidden folder is used, called Conversation history\Teams Chat. Any substrate of the conversation will be stored here as an e-mail message. These can be retrieved for eDiscovery purposes.

There is one other hidden folder you might notice. And this one is called RecoverableItems\SubstratesHolds. This folder is used to store conversations which are retained due to a retention policy. More on these later.

Channel documents or private channel documents are stored in a SharePoint Online site-collection. You need to be aware that every private channel has its own (separate) site-collection. These do not show up in the SharePoint admin-center, but are easily recognizable ( https://original-site-collection-privatechannelname).

Documents shared during a chat are stored in the sender’s OneDrive for Business location. A link to the document is shared with the participants in the chat.

At this moment Microsoft is working on storing the meeting recordings as an .MP4 file in either SharePoint Online or OneDrive for Business, enabling easy sharing and protection.

Retaining information

Let us say you have a business justification for retaining all information in a specific Teams environment. All conversations and documents must be retained for five years. During this time, the information can be modified or deleted – but a copy of the information must be retained. After this period, the information must be automatically deleted.

In order to make this scenario work, you will need to use Microsoft 365 retention policies. But because these policies only work for specific locations, you will need to create more than one. Selecting the Teams location will deselect the SharePoint location – for example. That is why you need to have a working knowledge of the Teams architecture.

As there is no mention of 1:1 or group chats, we do not need to include this in the policy. But conversations and documents are part of our policy. We will need to have a policy which includes the following:

Policy Information Source
1 Documents

The SharePoint Online site-collection

Any SharePoint Online site-collection connected to a private channel

2 Conversations Teams channel messages


Please note:

In order to make this scenario work, you will need to be able to manage this Team. When new private channels are added, the policy needs to be modified. So be aware of this!


Discoverable conversations and documents are retrieved using the eDiscovery module within Microsoft 365. In the example below an eDiscovery search was performed for conversations which contain credit card information. If needed, this information can be exported.

eDiscovery is based on cases. These cases are used to search for content, place content on hold and export the search results.  Two important components are the keywords and conditions -which form the search query- and the locations.


These locations are basically grouped in two (I will disregard Exchange public folders for this article); The first group is used for finding messages. These include e-mails, Forms and Teams conversations. The second group is for documents. If you only need to find Teams conversations, then select the first group. When you need the documents as well, then select both. In the example below, I want to find any Teams conversations where either “creditcard” or “Credit Card” was used. And as you can see, my user Appie1701 shared some information in the Unmaskmole Teams environment.

As you might notice, these conversations are displayed as e-mails. And this is the format these will be exported, when needed.

Please note:

The new advanced eDiscovery automatically collects documents from SharePoint Online or OneDrive from a link sent in a conversation. These are added to the eDiscovery case.

Information Barriers & Communication compliance

Teams compliance also covers the way people can or cannot communicate within the organization. Some highly regulated enterprises will have so-called Chinese Walls erected between specific departments. And other enterprises might want to monitor for offensive or abusive language in Teams conversations and/or chats.

This is where information barriers and communication compliance come into play. Both are part of the Microsoft 365 E5 Compliance license add-on.

Let us say we have two departments Management and Operations. Communications using Microsoft Teams is limited. People from Management cannot be part of any Teams environment from Operations and cannot use chat with the Operations people.

To comply with this regulation, we can use Information Barriers. To set this up, we will use segments in Azure AD. People in the enterprise are added to a segment based on an attribute in AD. Using a policy, the rules between the segments are set-up. At present, you will need to use PowerShell to create these policies.

By the way: this way of working is changing, as Microsoft will introduce a GUI-based template for creating these barriers.

When the barrier is active, it will act when:

  • members are added to a Teams environment;
  • a new chat is requested;
  • a user is invited to join a meeting;
  • a screen is shared between two or more users;
  • a user places a phone call (VOIP) in Teams;
  • the “share with anyone with the link” is disabled in SharePoint Online;
  • sharing from SharePoint Online is only possible within the segment.

In this example I created a groups chat with people from Management (including myself) and Operations (Peter, Control). When the chat is started, the two people from Operations are removed from the chat.

Communications compliance

Some enterprises have regulations on electronic communications. For example: financial information cannot be exchanged using Teams conversations. Other examples include using profanity, bullying using Teams or exchanging sensitive information.

Communications compliance (formally known as supervision) allows for the check on inbound, outbound, and internal communications between specific sets of users. This check is done by setting a policy and reviewers within the enterprise.

When an item is detected that corresponds with the policy, an alert is created. This alert can be resolved or followed-up. This can include, removing the message in Teams or escalating to a compliance team.


Wrapping up

The main goal for this article is to provide an overview of eDiscovery, retention, and communication compliance for Microsoft Teams. If you need more information, please use these links.

Collaboration means two-way communication!

Did you like this article? Are you interested in this topic? Would you like to share your knowledge and experience with the authors and other readers? Our #communityrocks group on Facebook is bringing everyone involved together: authors, editors and readers. Join us in sharing knowledge, asking questions and making suggestions. We would like to hear from you! 

Join us on Facebook

Related Articles

Submit a Comment

Your email address will not be published. Required fields are marked *