Microsoft Teams makes it easy to bring information into one centralized location. But how do you ensure all this data complies with regulations? In this article, we will cover the complete compliance and records management story for Microsoft Teams. We define compliance as managing information using policies for retention and disposal.
Teams is a Collection of Services
Microsoft Teams collects information from other services together into a single interface. This means the origin service controls compliance, not Microsoft Teams. The exception is the conversations and chat features, which are native to Teams. Because of this, we will need to look at the compliance story for each service in Microsoft Teams.
Here are the services you can use in Microsoft Teams.
- Conversations and Chat
- SharePoint, for files and OneNote
- Other file services, such as x
- Outlook email inbox & shared calendar
Next are some key concepts before diving into the compliance details of each service. The details of these concepts deserve their own article; see this Office.com article for more information.
First, retention policies in Office 365 can be set at a few levels:
- Org-wide, meaning the policy covers (almost) all data in Office 365.
- Entire locations, which set a policy covering data in Exchange email, SharePoint sites, etc.
- A policy to include or exclude specific users, Office 365 groups, or locations.
If there are many retention policies that apply to a specific piece of content, then the policy applied follows the diagram below.
Microsoft Teams Compliance for Conversations and Chat
Microsoft Teams handles two types of conversations. 1:1 and group chats occur in the chat section of the UI. Conversations occur in the conversations tab located within a Team.
- 1:1 and group chats get recorded in each user’s individual Exchange mailbox.
- Team Conversations get stored in the Outlook group mailbox created with the Team.
Both conversations and chats are in Exchange as mailbox items and use the Exchange compliance features. This means that:
- 1:1 and group chats will follow the retention policy applied to the user’s mailbox. This policy is from an org-wide policy, a location policy for Exchange email, or an Exchange email policy that includes a specific user. There is not a way to have a separate retention policy for only chats from Microsoft Teams.
- Team Conversations follow the retention policy applied to the Team mailbox. Policies can be set at four levels: the organization-wide level, the Office 365 Group location level, the Exchange email location level, and for specific Office 365 groups. For retention purposes, an Office 365 Group is the same as a Microsoft Team. If more than one policy applies to Team Conversations, look to the Principles of Retention above.
Compliance for SharePoint and OneDrive for Business Files
All files shared in Microsoft Teams end up in SharePoint or OneDrive for Business.
- Files located in the files tab within a Team are in the associated SharePoint Team site.
- Files shared in a 1:1 or group chat are in each user’s OneDrive for Business in a folder called Microsoft Teams Chat Files.
- Files shared through a Team conversation are in the Documents library in the Team SharePoint site. The files are in a folder for each channel.
Files shared in Microsoft Teams use the compliance features of SharePoint and OneDrive. The files will follow the Principles of Retention above.
Labels can also classify documents in OneDrive for Business and SharePoint. Labels can classify documents in four ways. First, an end user can apply a label at the document level. Second, a document library can have a label automatically applied. Third, labels can automatically identify sensitive information. Fourth, labels can classify documents using a keyword query.
A note of caution: OneDrive for Business files are not managed by a SharePoint or Office 365 group policy. Choose how to manage chat files stored in OneDrive for Business, versus Team files stored in SharePoint.
Compliance for Other File Services
Microsoft has added third-party file integration to Microsoft Teams. Users can now view and edit files saved in third-party storage locations. This includes Box, Citrix ShareFile, Dropbox, and Google Drive. Enable this feature in the Office 365 Admin Center if you’d like it to be available in Microsoft Teams.
Compliance for Planner
Microsoft Planner doesn’t have any specific compliance features or functionality to discuss. It is not possible to manage Planner content in place. You also cannot apply retention policies to Planner content using Office 365 features. But this functionality may be coming soon. The Microsoft article Overview of retention policies mentions that “Support for content in Planner is coming soon”.
Compliance for Outlook Email and Calendar
When we create a Microsoft Team, it also creates an Outlook Team email inbox and Calendar. From a compliance perspective, both are Outlook Mailbox Content for that Team. We manage this content the same as Team Conversations, with one exception. Users can classify individual emails in an Outlook email inbox using labels. Labels can enforce retention rules based on that classification.
Compliance for PowerBI
PowerBI aggregates data from many locations into dashboards. It is providing a view of the data and is not actually storing any information. The service where the data resides would manage compliance policies, not PowerBI.
Compliance for Stream
Microsoft Stream is not currently covered by Office 365 compliance capabilities. It is not included in the Office 365 Compliance Framework, and is going through external audits. The Office 365 Compliance Framework outlines the compliance audits completed for each service. The Microsoft Stream FAQ page states: “Microsoft Stream has completed all the work and internal reviews to be included in category C in the Office 365 Compliance Framework. However, Stream will only be listed in the Office 365 Compliance Framework as category C when it completes external audits and receives official certifications (estimated to occur later this year).”
Microsoft Teams Compliance for Bots
At the time of this post, the last time Microsoft commented on Microsoft Teams compliance features was on April 21, 2017. The blog titled: Top Feature of Microsoft Teams & Information Protection mentions the following. “[There are] a few known issues with Teams today that we are working to fix soon…. Messages from and To Bots are not being captured correctly in the Compliance Content Search process.”
Microsoft is planning to manage Bot conversations using the compliance features of Office 365. But, we don’t know the location of the information. We also don’t know the details of the execution of this functionality. Bot conversations are 1:1 chats. We can guess that bot chats will get recorded in an individual user’s Exchange mailbox. We will need to wait for confirmation.
Microsoft Teams Compliance for Connectors
Another noted issue: “Messages from Connectors that get written into channels are not being captured in the Compliance Content Search process.” Again, this means managing Connector content is on the roadmap. But we don’t know the execution details. Connectors post messages to the Conversation tab of a Team Channel. So, we can guess that these messages will be stored in the Outlook group mailbox associated with the Team. But again, we need to wait for confirmation.
Microsoft Teams Compliance for Tabs
A Tab provides a view to content that resides in another location. Think of it as a window that provides a view into data that is somewhere else. Microsoft Teams provides an easy way to view and navigate to the information. It is not actually storing the information in Teams. Teams will not provide any management for that information. You will need to manage the data for compliance in the location where it resides.
The exception is tabs that display data located in Office 365. For example, Excel, PowerPoint, Word, OneNote, and SharePoint documents. These files live in either OneDrive or SharePoint Online. They follow the rules in the SharePoint and OneDrive for Business section above.
This article explained how Microsoft Teams provides compliance features to manage information. Yet, these features are complicated and confusing. There are gaps that present risks in the ‘out of the box’ Microsoft Teams and Office 365 features.