Why Loop Components Have Some Compliance Problems

Same Issue Exists for Teams and OWA

I’m still waiting for the arrival of Loop components in OWA. After writing about the announcement of Loop support for OWA in MC360766, I was asked about the eDiscovery and Compliance issue reported in the message center post and why some organizations might block the use of Loop components until Microsoft delivers a solution.

The same problem exists for Loop components created in Teams chat. Let me explain what the problem is by going through an example.

Creating a Problem in a Loop Component

First, we create a compliance issue in a Loop component posted in a Teams chat. In this case, it’s a conversation about potentially fraudulent activity (Figure 1) in a Loop paragraph. The physical storage for the component is in a fluid file stored in the originator’s OneDrive for Business account. Like other files shared in chats, the file is in the Microsoft Teams Chat Files folder.

Figure 1: A problem conversation in a Loop component in Teams chat

It’s worth noting that Teams DLP policies do not currently check the content of Loop components. For instance, if the organization deploys a DLP policy to prevent users from sharing credit card numbers, it blocks this activity in regular chats, but not in Loop components.

Searching for Loops

I then opened the Microsoft Purview Compliance portal and created a new content search to look for any file or email containing the keyword “Arkana” as used in the Loop component. The search found three items, including one called “The Plan” (Figure 2).

Figure 2: A chat with a Loop component is found by a content search

As I note in a discussion about using Loop components in Teams chat, the Microsoft 365 substrate generates compliance records for messages posted in Teams chats. Although the substrate captures compliance records for messages containing Loop components, they are empty apart from a link to the fluid file in their source OneDrive for Business account. For this reason, the compliance records do not appear in search results.

Accessing Loop Component Content

The content search preview does not support files containing Loop components and displays the error:

“This document type is not supported by preview.”

To view the content, you can download a copy of the file from the search preview. This creates a file without an extension that cannot be opened. To solve the problem, I did the following:

  • Gave the file the same fluid extension (e.g., The Plan.fluid) as used when Teams stores files containing Loop components in the Microsoft Teams Chat Files folder in OneDrive for Business.
  • Moved the file into my OneDrive for Business account. Any folder will do.
  • Double-clicked on the file. Office.com opened and displayed the contents (Figure 3).

Figure 3: A copy of a Loop component file opens in Office.com

The good news here is that an investigator can at least download Loop components from a content search preview to examine their contents. The bad news is that this needs to be done on a file-by-file basis.
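
The rename step described above has to be repeated for every downloaded file. As an added example (not code from the original article or from Microsoft), the following Python script batches it: each extension-less download is copied into a staging folder with the .fluid extension, and a SHA-256 manifest ties every staged copy back to the file that was downloaded. The folder names, the manifest layout and the sample file are assumptions; moving the staged files into OneDrive for Business remains a separate step.

```python
import csv
import hashlib
import shutil
import tempfile
from pathlib import Path

FLUID_EXT = ".fluid"  # extension the article says Teams uses for Loop component files
FIELDS = ["original", "staged", "sha256", "bytes"]  # assumed manifest layout

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def stage_loop_files(download_dir: Path, staging_dir: Path) -> list:
    """Copy extension-less or .fluid files into staging_dir as <name>.fluid; originals stay untouched."""
    staging_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for source in sorted(download_dir.iterdir()):
        # A name containing a dot is treated as already having an extension.
        if not source.is_file() or source.suffix not in ("", FLUID_EXT):
            continue  # skip folders and ordinary documents (docx, msg, ...)
        target = staging_dir / (source.stem + FLUID_EXT)
        if target.exists():
            raise FileExistsError(f"refusing to overwrite {target}")
        shutil.copy2(source, target)
        source_hash = sha256_of(source)
        if sha256_of(target) != source_hash:
            raise OSError(f"copy of {source.name} does not match the original")
        manifest.append({"original": source.name, "staged": target.name,
                         "sha256": source_hash, "bytes": source.stat().st_size})
    with (staging_dir / "manifest.csv").open("w", newline="") as handle:
        writer = csv.DictWriter(handle, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(manifest)
    return manifest

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample, not real evidence
        downloads = Path(tmp, "downloads")
        downloads.mkdir()
        (downloads / "The Plan").write_bytes(b"constructed placeholder bytes")
        for row in stage_loop_files(downloads, Path(tmp, "staging")):
            print(row)
```

The script refuses to overwrite an existing staged file, so a second run against the same staging folder stops rather than silently replacing a copy already under review.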

Exporting Loops in Search Results

After using search preview to confirm that a search finds the results they want, compliance investigators next export the search results. A preview is just that: a snapshot of what to expect when a search runs. Before an export can happen, Microsoft 365 runs a full search. This might find items overlooked in the preview. In our test, the export included the fluid file containing the interesting content (Figure 4).

Figure 4: Loop component files exported by a content search

The problem now starts to become obvious. You can’t open a fluid file from exported search results. You can if you copy the file to your OneDrive for Business account, but not in its export location. I suspect that this is due to permissions. When you move or copy a fluid file into your OneDrive for Business account, you have full control over it. Left in the search export location, metadata containing permissions in the file likely stops someone from opening it unless they have permission to.

This causes a huge problem for investigators. It might be workable for internal investigators to copy discovered fluid files to their personal OneDrive for Business account to review the files there. It’s not feasible for external investigators and experts to do the same, especially if they don’t have access to OneDrive for Business or want to work offline.

I believe this is the reason why Microsoft is working on “an offline consumable export format.” In other words, as the search export process extracts copies of files containing Loop components from their source locations, it will create something like a PDF version of the files. If this doesn’t happen soon, more organizations will consider blocking Loop components for all Microsoft 365 apps, adding to Microsoft’s difficulties in convincing people that this method of collaboration is a real advance.

Same Issue for Emails

The same issue will occur in emails with embedded Loop components. These files will probably live in the sender’s OneDrive for Business account with permissions granted to all recipients to interact with the components. Microsoft will need to do the same magic to convert Loop content in emails to something consumable outside the tenant.

Of course, quite how this scheme works when external recipients are part of the addressee list remains to be seen. It might be that these recipients see a static version of the Loop content. I’ll let you know when OWA support for Loop components becomes available.

7 Replies to “Why Loop Components Have Some Compliance Problems”

  1. I was at Ignite and Microsoft told me they are now supporting DLP policies for Loop, but still trying to confirm this.

    1. I haven’t looked into the matter recently because I have been too busy elsewhere. However, given that Loop components cannot be shared with external people, DLP isn’t much help. What kind of data loss prevention are you worried about with Loop?

      1. Nothing in particular. Just in general. With the recent notice that Loop app is available in Public Preview, we’ve received requests to use it. So, would like to enable it, via M365 App policy. Policy changes often require approval by our information security department. So, was doing research (a.k.a. Googling ;-)), and your article popped up.
