eDiscovery: How to search based on users, IMs, and Teams channels?

%3CLINGO-SUB%20id%3D%22lingo-sub-990572%22%20slang%3D%22en-US%22%3EeDiscovery%3A%20How%20to%20search%20based%20on%20users%2C%20IMs%2C%20and%20Teams%20channels%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-990572%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EI%20need%20to%20search%20all%20Teams%20messages%20sent%2Freceived%20by%20a%20set%20of%20specific%20users.%20If%20I%20understand%20correctly%2C%20one-to-one%20and%20one-to-many%20messages%20are%20listed%20as%20%22IM%20(Instant%20Message)%22%20type%20but%20how%20do%20I%20also%20include%20those%20messages%20sent%20by%20these%20users%20to%20the%20Teams%20channels%20in%20addition%20to%20the%20IM%20messages%3F%20It%20seems%20messages%20sent%20to%20a%20Teams%20channel%20are%20stored%20in%20an%20O365%20group%20so%20if%20I%20include%20the%20O365%20group%20in%20the%20search%2C%20I%20suppose%20I%20also%20need%20to%20enable%20%22E-mail%20messages%22%20under%20%22type.%22%20However%2C%20the%20search%20results%20will%20also%20include%20all%20emails%20sent%20by%20these%20users%20which%20is%20not%20what%20I%20want%20to%20include.%20How%20do%20people%20do%20a%20search%20to%20satisfy%20a%20simple%20query%3A%20Find%20all%20Teams%20messages%20sent%2Freceived%20by%20a%20set%20of%20users%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethanks%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-992016%22%20slang%3D%22en-US%22%3ERe%3A%20eDiscovery%3A%20How%20to%20search%20based%20on%20users%2C%20IMs%2C%20and%20Teams%20channels%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-992016%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F449333%22%20target%3D%22_blank%22%3E%40AZLearner%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%2C%20this%20search%20will%20list%20all%20mails%20sent%20by%20the%20user%20(Ex%3A%20Group%20Conversations%2C%20Planner%20Comments)%20along%20with%20teams%20chat.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20you%20may%20know%20%3A%3C%2FP%3E%3CP%3EThe%20actual%20content%20of%20Teams%20Channel%20chats%20are%20stored%20in%20the%20Azure%20Storage.%20In%20addition%2C%20Teams%20Channel%20Chats%20get%20copied%20to%20a%20hidden%20folder%20(%5CConversation%20History%5CTeam%20Chat)%20in%20the%20Exchange%20Online%20mailbox%20of%20the%20Office%20365%20Group.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20technically%20searching%20mails%20under%20the%20hidden%20folder%20(%5CConversation%20History%5CTeam%20Chat)%20will%20return%20only%20teams%20messages.%20Not%20sure%20which%20tool%20we%20can%20use%20this%20kind%20of%20search%20(Content%20Search%20or%20eDiscovery%2C%20or%20some%20other%20powershell%20commands).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-993469%22%20slang%3D%22en-US%22%3ERe%3A%20eDiscovery%3A%20How%20to%20search%20based%20on%20users%2C%20IMs%2C%20and%20Teams%20channels%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-993469%22%20slang%3D%22en-US%22%3E%3CP%3ESimply%20use%20the%20kind%3AIM%20keyword.%20For%20more%20details%2C%20review%20the%20documentation.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-994167%22%20slang%3D%22en-US%22%3ERe%3A%20eDiscovery%3A%20How%20to%20search%20based%20on%20users%2C%20IMs%2C%20and%20Teams%20channels%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-994167%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F38365%22%20target%3D%22_blank%22%3E%40Kevin%20Morgan%3C%2FA%3E%26nbsp%3Bwrote%3A%3CBR%20%2F%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F449333%22%20target%3D%22_blank%22%3E%40AZLearner%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%2C%20this%20search%20will%20list%20all%20mails%20sent%20by%20the%20user%20(Ex%3A%20Group%20Conversations%2C%20Planner%20Comments)%20along%20with%20teams%20chat.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3EBased%20on%20my%20tests%2C%20it%20will%20also%20include%20all%20non-Teams%20emails%20the%20specified%20users%20sent%20which%20means%20the%20result%20is%20no%20longer%20limited%20to%20Teams%20messages...%20I%20am%20curious%20if%20I've%20set%20the%20criteria%20incorrectly%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-994170%22%20slang%3D%22en-US%22%3ERe%3A%20eDiscovery%3A%20How%20to%20search%20based%20on%20users%2C%20IMs%2C%20and%20Teams%20channels%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-994170%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBy%20kind%3AIM%2C%20I%20assume%20you%20meant%20this%3F%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F155763iEA1DA4220F3410FE%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EI%20am%20new%20to%20eDiscovery%20and%20use%20the%20UI%20in%20protection.office.com%20web%20interface..%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-994345%22%20slang%3D%22en-US%22%3ERe%3A%20eDiscovery%3A%20How%20to%20search%20based%20on%20users%2C%20IMs%2C%20and%20Teams%20channels%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-994345%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F449333%22%20target%3D%22_blank%22%3E%40AZLearner%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3Bis%20correct.%20We%20can%20simply%20use%20the%20keyword%20search%20%22kind%3Aim%22%20or%20%22kind%3Amicrosoftteams%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20tried%20following%20keyword%20search%20queries%20in%20Content%20Search.%20Both%20are%20working%20fine.%3C%2FP%3E%3CPRE%3Efrom%3Ausername%40yourdomain.com%20AND%20kind%3Aim%0Afrom%3Ausername%40yourdomain.com%20AND%20kind%3Amicrosoftteams%3C%2FPRE%3E%3CP%3E%22kind%3Amicrosoftteams%22%20-%20returns%20items%20from%20chats%2C%20meetings%2C%20and%20calls%20in%20Microsoft%20Teams.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20tried%20this%20test%20using%20Content%20Search%20(%3CA%20title%3D%22Content%20Search%22%20href%3D%22https%3A%2F%2Fprotection.office.com%2Fcontentsearchbeta%3FContentOnly%3D1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fprotection.office.com%2Fcontentsearchbeta%3FContentOnly%3D1%3C%2FA%3E)%20-%20not%20in%20eDiscovery.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20refer%20%3CA%20title%3D%22Keyword%20queries%20with%20Email%20properties%20in%20Content%20Search%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fkeyword-queries-and-search-conditions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ethis%3C%2FA%3E%20post%20to%20know%20more%20details%20about%20keyword%20queries%20with%20Email%20properties%20in%20Content%20Search.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20978px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F155779i6D486A9755BB8239%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22search-messages-kind-im-microsoftteams.png%22%20title%3D%22search-messages-kind-im-microsoftteams.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi,

I need to search all Teams messages sent/received by a set of specific users. If I understand correctly, one-to-one and one-to-many messages are listed as "IM (Instant Message)" type but how do I also include those messages sent by these users to the Teams channels in addition to the IM messages? It seems messages sent to a Teams channel are stored in an O365 group so if I include the O365 group in the search, I suppose I also need to enable "E-mail messages" under "type." However, the search results will also include all emails sent by these users which is not what I want to include. How do people do a search to satisfy a simple query: Find all Teams messages sent/received by a set of users?

 

thanks,

5 Replies

@AZLearner 

 

Yes, this search will list all mails sent by the user (Ex: Group Conversations, Planner Comments) along with teams chat.

 

As you may know :

The actual content of Teams Channel chats are stored in the Azure Storage. In addition, Teams Channel Chats get copied to a hidden folder (\Conversation History\Team Chat) in the Exchange Online mailbox of the Office 365 Group.

 

So, technically searching mails under the hidden folder (\Conversation History\Team Chat) will return only teams messages. Not sure which tool we can use this kind of search (Content Search or eDiscovery, or some other powershell commands).

Simply use the kind:IM keyword. For more details, review the documentation.


@Kevin Morgan wrote:

@AZLearner 

 

Yes, this search will list all mails sent by the user (Ex: Group Conversations, Planner Comments) along with teams chat.

 


Based on my tests, it will also include all non-Teams emails the specified users sent which means the result is no longer limited to Teams messages... I am curious if I've set the criteria incorrectly?

@Vasil Michev 

By kind:IM, I assume you meant this?

clipboard_image_0.png

I am new to eDiscovery and use the UI in protection.office.com web interface..

Thanks,

@AZLearner 

 

@Vasil Michev is correct. We can simply use the keyword search "kind:im" or "kind:microsoftteams"

 

I have tried following keyword search queries in Content Search. Both are working fine.

from:username@yourdomain.com AND kind:im
from:username@yourdomain.com AND kind:microsoftteams

"kind:microsoftteams" - returns items from chats, meetings, and calls in Microsoft Teams.

 

I have tried this test using Content Search (https://protection.office.com/contentsearchbeta?ContentOnly=1) - not in eDiscovery.

 

You can refer this post to know more details about keyword queries with Email properties in Content Search.

 

search-messages-kind-im-microsoftteams.png