Over the last 18 months Microsoft Teams has evolved from being the new kid on the block to a core focus point for many organisations’ deployment of Office 365. Microsoft are taking it to the next level following the Ignite announcement that cloud only Skype for Business Online organisations will be automatically upgraded to Microsoft Teams! This was discussed in the session: Planning a seamless migration from Skype for Business to Teams for IT Admins.
A colleague of mine advised me there will be some nuance to this, however one of the key elements will be that for pure “Online only Skype for Business Organisations, Microsoft will at some point, automatically upgrade you to Microsoft Teams“. As with many significant changes that are pushed out by Microsoft you will have an option to delay the migration for a short time, however once migrated not necessarily an option to roll back.
A common scenario we see with many organisations we work with is when they have Skype for Business Online, but user mailboxes are not hosted in Exchange Online, these remain on-premises. There are many reasons for this configuration, however the one area we will focus on in this post is the retention and compliance of instant messages whilst mailboxes remain on-premises.
Consider the following:
- 40% of your mailboxes are still on-premises and must remain there due to data residency requirements.
- Everyone is using Skype for Business Online and Microsoft have advised that they will be upgrading you to Microsoft Teams.
- All mailboxes are set with Legal Hold and instant message chats from Skype are retained in the mailbox.
- Your Governance, Security and Compliance teams perform searches on mailbox content when the need arises.
Where does Microsoft Teams fit in?
All 1-to-1 and 1-to-N (many) chat sessions in Microsoft Teams are retained within the recipients’ Exchange Online Mailboxes. For the 60% of users, in our example, who have their mailboxes in Exchange Online, this is not a problem as the Teams chat content is already stored there.
For the 40% where their mailbox is hosted on-premises this data would historically not be captured. In June 2018 Microsoft introduced a new feature referred to as “cloud-based mailbox for on-premises users” which is a storage area created to store Microsoft Teams chat data for on-premises users. Some may refer to this as a “Shadow Mailbox” but we won’t use this given we want to avoid shadow IT references!
When you licence a user for Microsoft Teams, whose mailbox is on-premises, Microsoft will enable the user with a cloud based mailbox which is used to retain all Microsoft Teams chats the user joins.
Performing an eDiscovery search of the “Cloud-based Mailbox for on-premises users”
Now Microsoft Teams chat content is stored in an accessible location for Content Searching in the Security and Compliance Center for the on-premises user, it can be searched much in the same way as if the users mailbox was also in Exchange Online.
To enable the user interface options in the Office 365 Security and Compliance Center a support call with Microsoft must be raised.
Alternatively, you can use PowerShell to initiate the search using the Compliance Search Cmdlets. Use the tag “kind:im” in the ContentMatchQuery string of the compliance search to locate instant messages. This same tag can be used in the Security and Compliance Center search interface once enabled.
New-ComplianceSearch "Search for Beeblebrox" -ContentMatchQuery "Beeblebrox AND kind:im" -ExchangeLocation "Marvin@hhgttg.com" -IncludeUserAppContent $true -AllowNotFoundExchangeLocationsEnabled $true
Start-ComplianceSearch "Search for Beeblebrox"
The results can then be viewed in the Office 365 Security and Compliance Center by anyone who has the Previewer role.
Migrating the On-premises mailbox Online
How does migrating from Exchange On-Premises to Exchange Online affect the stored Microsoft Teams Chats ?
In an Exchange Hybrid configuration, a mailbox move will operate as normal, resulting in Exchange Online consolidating the mailbox being on-boarded with the existing cloud-based mailbox for the on-premises user.
I say consolidate, as it is likely that behind the scenes the two mailboxes are merged once the migration is complete given the change in GUID’s referencing the existing Cloud based mailbox and the migrating mailbox.
Migrating the Online mailbox back on-Premises
This is where there is the possibility for chat history loss as it is no longer stored in the Cloud-based mailbox.
Off boarding a mailbox back to the Exchange On-Premises service, initially leads to the MailboxLocation attribute no longer containing a reference to a “cloud-based mailbox for on-premises users”.
The issue here is that performing a Compliance Search for this user no longer returns the compliance results until the user opens Microsoft Teams and starts to chatting again.
It’s great that Microsoft are proposing to auto migrate whole tenants using Skype for Business Online to Microsoft Teams. It’s also great that there is a way to support Compliance Searching of Microsoft Teams Chats for On-Premises users, however do consider the limitations:
- Off-Boarding mailboxes back to On-premises may result in lack of Compliance Search Results for Chat
- eDiscovery hold or Office 365 retention policies are be applied to on-premises user mailbox