Teams App Messages Captured by Microsoft 365 Substrate for Compliance Processing

Message center update MC228823 released on December 7 (Microsoft 365 roadmap item 68875) covers the topic of Microsoft 365 compliance capabilities for card content generated through apps in Teams messages. That title is a mouthful and deserves some investigation to understand exactly what Microsoft means.

Teams and Adaptive Cards

Apps integrated with Teams often use adaptive cards to interact with end users. For instance, if you use the incoming webhook connector to bring data from an external data source into Teams, the information is presented in a card. For example, you can grab information about new Microsoft 365 roadmap items and post them to a channel (Figure 1). The elements of the card are composed by the application and posted to Teams through the connector.

App cards posted by the incoming webhook connector to a Teams channel
Figure 1: App cards posted by the incoming webhook connector to a Teams channel

Interactive Cards

Some cards, like the example given above, are designed to inform people rather than being interactive. Other cards, like Polls in Teams meetings are interactive. Microsoft’s January 26 announcement on the same topic mention apps from ISVs like Survey Monkey, Fuze, and Medxnote, none of which I have used, but all likely to be interactive rather than simply informative.

Cards and Compliance Records

The point about Microsoft talking about compliance capabilities is that app cards contain data. And up to now, this data has not come within the scope of Microsoft 365 compliance functionality:

  • Compliance records: Unlike user messages sent in Teams chats and channel conversations, the Microsoft 365 substrate did not capture compliance records for app cards.
  • eDiscovery and content searches: Because compliance records for app cards didn’t exist, app cards did not show up in search results or advanced eDiscovery cases.
  • eDiscovery holds and retention policies: Likewise, because compliance records rather than the source Teams content in Azure are the basis for Teams retention processing, including holds, the lack of compliance records meant that app cards were not subject to holds or retention policies.

The substrate now captures compliance records for app cards posted to chats and channel conversations, but only for cards generated after the release of the update. No retrospective lookback occurs for app cards created before this point. Like compliance records for other Teams messages, the app data are stored in user and group mailboxes and are indexed and available for compliance processing, like searches, holds, and retention policies. Communications Compliance policies also use compliance records for their checks.

The change is now rolling out to tenants and world-wide deployment is scheduled for completion in mid-February.

Audit Records for Cards

Microsoft has added a new audit event to the Office 365 audit log to capture interactions with app cards. Search for the PerformedCardAction event when using the Search-UnifiedAuditLog cmdlet or “Performed action on card” from the Audit search in the Compliance Center. Neither method tells you much more than someone did something with a card. The event doesn’t tell you what the card or app was or what the user did, so it’s not much use from an audit perspective, unless a narrative like “Performed action on “1612055241167”” is insightful.

If you want to find out who did what with a card, you should run a content search where the preview of found items might be more illuminating. Figure 2 shows how app cards of the same type in Figure 1 appear in the preview of found items.

Teams app card data found by a content search
Figure 2: Teams app card data found by a content search

Like other compliance records, the substrate captures app card data as mail messages. The transformation from app card to mail message doesn’t result in perfect facsimiles. Mail messages are certainly a good way to capture Teams messages (even if Microsoft has trimmed the set of properties captured in Teams compliance records). However, mail messages are less successful in capturing the complete form of adaptive cards. This is evident if you export search results and examine the individual messages.

The truth is that compliance records serve to capture sufficient information for compliance purposes, but don’t expect them to be exact replicas of the original data or provide the complete context of how people use the cards.

Approvals Not Captured

Some gaps remain in the Teams compliance story around apps. For example, you might assume that the Approvals app uses cards, but apparently it doesn’t. At least, the substrate ignores the creation and approval of requests made in the Approvals app and doesn’t create any compliance records. This might not seem important, but it’s a gap in the compliance story and it’s a way for people to communicate through Teams without any records of that interaction. Compliance administrators don’t like that sort of thing but given the rate of expansion of Teams and the number of apps now using the platform, some gaps are inevitable.

We pay a lot of attention to data governance and compliance topics in the Office 365 for IT Pros eBook. Apart from anything else, if you understand how Microsoft 365 manages compliance data for applications like Teams, you understand the applications better.

One Reply to “Teams App Messages Captured by Microsoft 365 Substrate for Compliance Processing”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.