Teams Reactions Captured in Audit Records

Premium eDiscovery Reveals Reactions but They’re Also Available with PowerShell

Updated 26 January 2023

On July 5 2022, message center notification MC397444 announced the general availability of support for the inclusion of Teams reactions in Purview Premium eDiscovery. Teams supports a set of reactions (icons for thumbs-up, surprise, sad, angry, heart, and laugh) to allow users to indicate what they think of a message posted to a chat or channel conversation.

Including reactions in eDiscovery results matters because reactions can provide important context for a conversation. For example, suppose I suggest a fraudulent transaction to someone in chat and they show their agreement with the idea using the thumbs-up reaction. If an investigator can see both the message and the reaction, they have much better insight into what happened than if they can only see the message. As Microsoft says in MC397444, “this detail can provide additional user sentiment…”

In July 2022, Microsoft said that about 12% of Office 365 paid seats use E5 and therefore have access to Purview Premium eDiscovery. The remainder have no access to eDiscovery or use the standard eDiscovery included in Office 365 E3.

Standard eDiscovery and Teams Reactions

Standard eDiscovery searches the Teams compliance records captured by the Microsoft 365 substrate and stored in user mailboxes in Exchange Online. Despite what you might sometimes read online, the real data is always held in the Teams message store in Azure Cosmos DB. Exchange Online only holds cut-down versions of messages designed for compliance purposes.

The results from standard eDiscovery searches don’t include reactions because the compliance records don’t have this information. Although the substrate captures edits to messages in chats and channel conversations, it doesn’t include reactions in these changes.

Teams Reactions in the Audit Log

In late August 2022, I noticed that Teams started to capture records for message reactions in the unified audit log. I continually remind tenant administrators that it’s worthwhile scanning the audit log from time to time to see what new events are present. Here’s what I do (results edited for brevity):

$AuditRecords = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date).AddDays(1) -Formatted -ResultSize 5000
$AuditRecords | Group Operations | Sort Name | Format-Table Name, Count

Name                                          Count
----                                          -----
Add app role assignment grant to user.            2
Add app role assignment to service principal.     2
Add group.                                        5
Add member to group.                              2
Add member to role.                               1
Add owner to group.                               2
Add service principal.                            9
Add user.                                         1

Scanning down through the list quickly reveals the presence of new audit events or events that generate a lot of activity. For instance, in my tenant, I see many FileModified events to log details of files updated in SharePoint Online or OneDrive for Business. In any case, this is how I found the ReactedToMessage event.

Interpreting the ReactedToMessage event

Examination of the events showed that they capture reactions for both chat and channel conversations. As you’d expect, the content of the AuditData property in the events is different for a chat than for a channel conversation. The information captured for a chat reaction is straightforward to process. The content for audit records captured for channel conversation reactions is a little more complicated. Here’s an example:

CreationTime        : 2022-08-25T10:28:10
Id                  : cdc580a1-16bf-5b3b-9ab7-4773c78fa833
Operation           : ReactedToMessage
OrganizationId      : a662313f-14fc-43a2-9a7a-d2e27f4f3478
RecordType          : MicrosoftTeams
UserKey             : aff4cd58-1bb8-4899-94de-795f656b4a18
UserType            : Regular
Version             : 1
Workload            : MicrosoftTeams
ClientIP            : ::ffff:
UserId              :
AADGroupId          : 33b07753-efc6-47f5-90b5-13bef01e25a6
ChannelGuid         :
ExtraProperties     : {@{Key=TimeZone; Value=Europe/Dublin}, @{Key=OsName; Value=windows}, @{Key=OsVersion; Value=10},
                      @{Key=Country; Value=ie}...}
MessageId           : 1661368101750
MessageReactionType : like
MessageVersion      : 1661423290212
ParentMessageId     : 1659278677696
TeamGuid            :
ChannelName         : 🏴‍☠️2023 Edition (9th)
TeamName            : Ultimate Guide to Office 365

A little work is necessary to resolve the GUID for the team (AADGroupId) to its display name and to discover the name of the channel the reaction is in. To solve that problem, I used the Get-MgTeamChannel cmdlet to retrieve all the channels in the team and then filtered the list to find the display name of the channel, meaning that the output looks nice (Figure 1).

Figure 1: Audit records for Teams reactions

The full script is available from GitHub.

Updated Reactions

One thing to note is that Teams does not capture audit records with a different operation code when someone removes a reaction from a message. If someone decides that their initial reaction was bad and goes ahead to remove the original reaction and replace it with a new reaction, you’ll see two audit events captured for the same message. The version of the script from 26 January 2023 deals with this situation. Figure 2 shows that the most popular reaction in my tenant is ‘Like.’

Figure 2: The most popular Teams emoji is ‘Like’
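
The following PowerShell is an added example, not the script from GitHub. It parses the AuditData payload of ReactedToMessage records and, because a replaced reaction leaves two events for the same message, keeps only the newest event per user and message before counting reactions. The sample records, the New-SampleRecord and Get-LatestReaction helpers, and the choice to treat the latest event as the current reaction are assumptions made for illustration.

```powershell
# Constructed sample records: each mimics one Search-UnifiedAuditLog result,
# where AuditData is a JSON string. Users, team, channel and times are made up.
function New-SampleRecord ($Time, $User, $MessageId, $Reaction) {
  $Data = [ordered]@{
    CreationTime = $Time; Operation = 'ReactedToMessage'; UserId = $User
    MessageId = $MessageId; MessageReactionType = $Reaction
    TeamName = 'Sample Team'; ChannelName = 'General'
  }
  [PSCustomObject]@{ AuditData = ($Data | ConvertTo-Json -Compress) }
}
$SampleRecords = @(
  New-SampleRecord '2022-08-25T10:28:10' 'user1@example.com' '1661368101750' 'like'
  New-SampleRecord '2022-08-25T10:30:00' 'user1@example.com' '1661368101750' 'heart'  # replaces 'like'
  New-SampleRecord '2022-08-25T10:31:00' 'user2@example.com' '1661368101750' 'like'
  New-SampleRecord '2022-08-25T11:00:00' 'user1@example.com' '1661368101999' 'laugh'
  New-SampleRecord '2022-08-25T11:05:00' 'user3@example.com' '1661368101999' 'like'
)
# Against a tenant, replace $SampleRecords with the output of:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date).AddDays(1) `
#     -Operations ReactedToMessage -ResultSize 5000

function Get-LatestReaction {
  param([Parameter(Mandatory)][object[]]$Records)
  # Unpack the JSON payload of each record into a flat report row
  $Parsed = foreach ($Record in $Records) {
    $Data = $Record.AuditData | ConvertFrom-Json
    if ($Data.Operation -ne 'ReactedToMessage') { continue }
    [PSCustomObject]@{
      Timestamp = [datetime]$Data.CreationTime
      User      = $Data.UserId
      MessageId = $Data.MessageId
      Reaction  = $Data.MessageReactionType
      Team      = $Data.TeamName
      Channel   = $Data.ChannelName
    }
  }
  # A replaced reaction shows up as two events for the same user and message:
  # keep only the newest one so the earlier choice is not counted twice.
  $Parsed | Group-Object User, MessageId | ForEach-Object {
    $_.Group | Sort-Object Timestamp -Descending | Select-Object -First 1
  }
}

$Latest = Get-LatestReaction -Records $SampleRecords
$Latest | Sort-Object Timestamp | Format-Table Timestamp, User, MessageId, Reaction
# Tally reactions after de-duplication to find the most popular one
$Latest | Group-Object Reaction | Sort-Object Count -Descending | Format-Table Name, Count
```

Because removals do not generate a distinct operation, this approach cannot tell a reaction that was removed without a replacement from one that is still in place.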

Finding Messages

If you need to find the message a reaction belongs to, you can use the message identifier. This code uses the Graph chatMessage API to retrieve a message and all its replies, checks which messages in the thread have reactions, and outputs details of the message, its author, date posted, the text, and the reaction. You’ll need to sign into the Microsoft Graph with the ChannelMessage.Read.All permission to make this request.

$uri = ""
$Messages = Invoke-MgGraphRequest -uri $Uri -Method Get
ForEach ($Message in $Messages.Value) {
  # Report only the messages in the thread that have reactions
  If ($Message.reactions.count -gt 0) {
    $From = $Message.from.user.displayname
    $Date = $Message.lastModifiedDateTime
    $Text = $Message.body.content
    $Reactions = $Message.reactions.reactionType -join ", " 
    Write-Host ("Message from {0} date {1}" -f $from, $date)
    Write-Host ("Text {0}" -f $text)
    Write-Host ("Reactions: {0}" -f $reactions) -foregroundcolor Red
  }
}

Message from Tony Redmond date 30/08/2022 14:29:59
Text I really wouldn't worry until next month
Reactions: like

If your account is a member of the team, you can use the weburl returned for a message to open Teams to display the message. The weburl looks like this:

Using Teams Reactions

This exercise demonstrated that the audit records captured for Teams reactions can be exploited for different purposes. At one end of the spectrum, you can use the data to discover if people use reactions effectively (for instance, what’s the most popular reaction?). At the other end, you could use the audit records alongside standard eDiscovery to discover if reactions exist for problematic messages found by searches. The audit log is truly an interesting place to look for data, and if you ingest the audit data into Microsoft Sentinel through the Office 365 connector, you can use a KQL query to analyze reactions too!
