Records retention on Skype for Business conversations


I have been tasked with discovering more information on retention policies for IMs sent through Skype for Business.  We are thinking about adding it as an alternative to texting for information that is subject to public records requests. 

Based on what I think I found - the conversations for desktop clients are stored in Exchange - so we can set retention and archiving policies on those.

However the big argument is personal phone vs. work issued cell phone.  It appears that conversations are stored on the personal device - so we would have to use MDM to have access to the data to archive it?

I also am looking at the eDiscovery center and see I can do eDiscovery on Skype for Business, but is that just on the client installs where the conversations are stored in Outlook, or does it cover mobile devices?


Can someone verify if I'm on the right track?

4 Replies
best response confirmed by Deleted

I too am interested. We don't have any "work" phones, they are all personal phones used for work purposes. 

I was under the impression that all conversations conducted within Skype were stored in Outlook's Conversation History.

I do know that if you are refering to normal SMS/texting then no, MDM doesn't get them. For us we'd have to take someone's phone and send it to a phone "forensics" company that would then retrieve all the messages for us (that would include non-work messages). Not a cheap proposition.


We were thinking of steering people away from SMS/texting for that very reason and trying to get them to use the IM feature in Skype for Business, but if those aren't archived anywhere but their personal phone, we aren't gaining anything.  I took a look at the privacy agreement here There are documents specifically for phones and it seems like the conversations are stored on the phone and not in Outlook archives.

Saving of conversations in Outlook is optional, users can turn it off and I'm not sure whether you can enforce it on.

This is an area that is still weak with SfB. We need proper audit capability for it, we also need enforced conversation save.


Another weak area is that of DLP. We should be able to monitor conversations for inapppropriate information being shared and for inappropriate conversations. Bullying is a particular problem over IM. Sexual harrassment can also be an issue.


With file sharing enabled, SfB is also another path for data exfiltration, another reason for DLP to cover it.