Table of Contents
Stream Doesn’t Support Office 365 Retention Policies
Usage of Microsoft Stream is very high at present, largely driven by storage of Teams meeting recordings and Teams Live Events. This is goodness, but the increased use is revealing some flaws in Stream, such as the lack of support for Office 365 retention policies. At their Microsoft Stream Under the hood session at the Ignite 2019 conference, the development group promised that Stream will support retention policies “in 2020.” The need to keep the service running at a time of high demand might have stopped progress in this space.
When a video owner deletes a video, it goes into the Stream recycle bin and remains there for 30 days. This period allows owners to recover videos deleted in error. After the period elapses, Stream removes the video and the content is irrecoverable.
Exploring the Stream Recycle Bin
Although Stream administrators can see videos deleted by anyone in the tenant in the Stream recycle bin (Figure 1), a danger exists that a video which should be kept might slip through the cracks and be deleted. People in the compliance world worry about this kind of thing because someone could try to remove evidence of a policy violation by deleting recordings of Teams meetings where misdoings were discussed.
While waiting for Microsoft to bring Stream into the full Office 365 compliance framework (spanning retention policies, labels, and holds among other features), it’s possible to build a review mechanism to have someone check videos in the recycle bin to figure out if they should be kept. It’s a form of manual disposition, to use Microsoft’s term for a manual review of an item before it is disposed of.
To achieve the goal, I looked in the Office 365 audit log for StreamDeleteVideo events, which are logged when an owner deletes a video. It doesn’t take much to search for these events over the last 30 days and extract the relevant data, such as the name of the video and who deleted it.
Generating an HTML Report
After processing the audit events, I create an HTML report file (Figure 2). To help identify videos that are approaching deletion, the days since deletion and days remaining are calculated by subtracting the timestamp of the audit event from the current date. Someone creative could take other approaches to highlight entries in the list, such as using different colors for videos approaching their final deletion.
Emailing the Report
Generating a report is one step, making sure that its content is reviewed and actioned is another. To help things along, the script emails a copy to someone selected to review videos and decide if any should be kept. Figure 3 shows the report as it appears in OWA.
Emailing reports is easy with the Send-MailMessage cmdlet. In this case, the HTML content is imported as the message body, we add message properties such as the recipients, sender, and subject, and send it off. Using Send-MailMessage in this way is a good example of the kind of script that will need to be updated when Microsoft removes basic authentication support for SMTP AUTH connections.
The script can be accessed in GitHub. Feel free to create your own version and let us know what improvements you make by posting a comment here.
The Office 365 for IT Pros eBook includes a full chapter about Stream. Like everything else in the book, the Stream content is reviewed and updated when changes happen.
Thank you for sharing this informations in your blog. I used the script from GitHub. I added this rows in before for getting the O365 credentials and to open a session to Exchange for Search-UnifiedAuditLog:
#Enter credentials and establish connection
$O365Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
In row 57 I added my MsgTo mail address with adding “”) #” before the “Change this …”. I deleted a video in my Stream tenant, waited about 2 hours to see the entry in the Security & Compliance Center audit logs and when I call your script I get the html mail including the informations you described! Wonderful!
I’m glad that it works for you.
The latest version has:
# Make sure that we have credentials to send the message
If (!$O365Cred) {$O365Cred = Get-Credential}
# And that we’re connected to Exchange Online
Try { $OrgName = (Get-OrganizationConfig).Name }
Catch {
Write-Host “Your PowerShell session is not connected to Exchange Online.”
Write-Host “Please connect to Exchange Online using an administrative account and retry.”
Break }
It’s just a different way of attacking the problem. I wouldn’t connect to Exchange Online the way that you do. Instead, download the Exchange Online management module https://petri.com/exchange-online-powershell-module-v2 and use it instead. You can still get to the Search-UnifiedAuditLog cmdlet and you’re using modern authentication, etc.
Hello,
I have a question, you said: “After the period elapses, Stream removes the video and the content is irrecoverable.”
What of I didn’t wait until the 30 days elapsed, and I deleted the video from Recycle bin, would the stream admin in my company be able to restore it after I deleted it permanently from recycle bin before 30 days elapsed?
Thank you very much for answering.
Once the video is removed from the recycle bin, it is irrecoverable.