Office 365 Captures Audit Records for Teams Compliance Items

Teams Writes Items into Mailboxes

As I am sure everyone is now well aware, Teams creates items in group and personal mailboxes to capture compliance records for channel and personal conversations. The mailbox items are not perfect copies of Teams messages (they don’t record likes, for instance), but they are indexed and discoverable by Office 365 content searches and therefore useful for compliance purposes.

Searching the Office 365 Audit Log

Poking around in the nether reaches of Office 365 is kind of normal for the Office 365 for IT Pros writing team, and this week we noticed that the Office 365 audit log includes records for the capture of Teams compliance records. However, the audit log only captures records for messages posted to channel conversations by tenant users. Audit records for messages posted to personal chats or those posted by guest users are not captured. These records have been captured for at least the past 90 days, which is as far back as you can go in the Office 365 audit log unless you have an E5 license and your tenant has been upgraded to 365-day retention.

If you want to check the audit records on your tenant, use the Audit log search in the Security and Compliance Center or run the PowerShell command (adjust the dates to stay within the 90-day range) shown below:

Figure: Searching the Office 365 audit log for Teams compliance records
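# Keep the raw audit records in $Records so that they can be processed later; format only the display copy
$Records = Search-UnifiedAuditLog -StartDate 21-Nov-2018 -EndDate 20-Feb-2019 -Operations "Create" -ResultSize 5000
$Records | Format-Table CreationDate, Operations, UserIds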

Among the records, you’ll probably see some for the special user S-1-5-18. These records capture the introductory message posted in the General channel when a new team is created.

Interpreting Audit Records for Teams Messages

Taking a technique explored in Chapter 21 of the Office 365 for IT Pros eBook to expand the content of the AuditData property of audit records, we can interpret the records we find (here’s another example). In this case, we can generate a quick count of messages posted to the teams in the tenant.

# Expand the AuditData JSON in each "Create" record and build one report line per message
If ($Records.Count -eq 0) {
   Write-Host "No audit records found." }
Else {
   Write-Host "Processing" $Records.Count "audit records..."
   $Report = @()
   ForEach ($Rec in $Records) {
      If ($Rec.Operations -eq "Create") {
         $AuditData = ConvertFrom-Json $Rec.AuditData
         $ReportLine = [PSCustomObject]@{
            TimeStamp   = $Rec.CreationDate
            User        = $AuditData.UserId
            Action      = $AuditData.Operation
            Team        = $AuditData.MailboxOwnerUPN
            Subject     = $AuditData.Item.Subject
            MessageId   = $AuditData.Item.InternetMessageId }
         $Report += $ReportLine
      }
   }
}
# Count the captured messages per team (the group mailbox that owns the item)
$GroupData = $Report | Group-Object -Property Team
$GroupData | Sort Count -Descending | Select Name, Count

Name                                               Count
----                                               -----
Office365ITPros@Office365ITPros.com                  192
ExchangeMVPs@office365itpros.com                     130
Audie-tronadmirers@office365itpros.com               128
JapanRugbyWorldCup2019@office365itpros.com           112
Volleyball@office365itpros.com                       110
...

Remember that this count is inaccurate. It doesn’t include any messages posted to Teams by guest users, nor does it capture anything for messages posted to Teams channels via connectors or bots. However, knowing about these records and how to interpret them might come in handy as a way of looking at Teams activity.

To look at the data a different way, if you wanted to find out who is the most prolific poster to Teams, change the Group-Object command to:

$GroupData = $Report | Group-Object -Property User
$GroupData | Sort Count -Descending | Select Name, Count

Name                                Count
----                                -----
Tony.Redmond@office365itpros.com      155
Jeff.Guillet@office365itpros.com      122
S-1-5-18                               11
Kim.Akers@office365itpros.com          10
...

The interesting thing is that we can conclude that 11 new teams were created in the period because that’s the count of messages created by S-1-5-18!
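The two views above can be combined into one per-team summary that keeps the S-1-5-18 records apart from user posts. This is an added example, not code from the original post; Get-TeamsChannelActivity, New-SampleRecord and every sample value are hypothetical, and the records are constructed so the block runs without a tenant connection.

```powershell
# Constructed sample input: objects shaped like the audit records the page reads
# (CreationDate, Operations, AuditData as JSON). All values are made up.
function New-SampleRecord ($When, $User, $Team) {          # hypothetical helper
    $Data = @{ UserId = $User; Operation = 'Create'; MailboxOwnerUPN = $Team
               Item   = @{ Subject = 'Sample'; InternetMessageId = '<constructed@example.com>' } }
    [PSCustomObject]@{
        CreationDate = [datetime]$When
        Operations   = 'Create'
        AuditData    = ($Data | ConvertTo-Json -Depth 3)
    }
}
$SampleRecords = @(
    New-SampleRecord '2019-01-07 09:00' 'S-1-5-18'          'newteam@example.com'
    New-SampleRecord '2019-01-07 09:05' 'user1@example.com' 'newteam@example.com'
    New-SampleRecord '2019-01-08 14:30' 'user2@example.com' 'newteam@example.com'
    New-SampleRecord '2019-01-09 10:00' 'user1@example.com' 'oldteam@example.com'
    New-SampleRecord '2019-01-10 11:15' 'user1@example.com' 'oldteam@example.com'
    New-SampleRecord '2019-01-11 08:00' 'S-1-5-18'          'emptyteam@example.com'
)

function Get-TeamsChannelActivity {                         # hypothetical name
    param([object[]]$Records)
    # Expand AuditData the same way the page does, keeping only what the summary needs
    $Rows = foreach ($Rec in $Records) {
        if ($Rec.Operations -ne 'Create') { continue }
        $Data = $Rec.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            TimeStamp = $Rec.CreationDate
            User      = $Data.UserId
            Team      = $Data.MailboxOwnerUPN
        }
    }
    $Rows | Group-Object -Property Team | ForEach-Object {
        # S-1-5-18 marks the introductory General channel message of a new team
        $System = @($_.Group | Where-Object { $_.User -eq 'S-1-5-18' })
        $Posts  = @($_.Group | Where-Object { $_.User -ne 'S-1-5-18' })
        [PSCustomObject]@{
            Team         = $_.Name
            UserPosts    = $Posts.Count     # excludes guests, bots and connectors (not audited)
            Posters      = @($Posts | Select-Object -ExpandProperty User -Unique).Count
            LastUserPost = ($Posts | Sort-Object TimeStamp | Select-Object -Last 1).TimeStamp
            NewInWindow  = ($System.Count -gt 0)
        }
    } | Sort-Object -Property UserPosts -Descending
}

Get-TeamsChannelActivity -Records $SampleRecords | Format-Table -AutoSize
```

Against a real tenant, pass the $Records variable returned by Search-UnifiedAuditLog instead of $SampleRecords.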


Interesting though this little discovery is to the true Office 365 nerd, it’s probably not going to feature in the Office 365 for IT Pros eBook. We do have some standards!
