Table of Contents
Premium eDiscovery Reveals Reactions but They’re Also Available with PowerShell
Updated 26 January 2023
On July 5 2022, message center notification MC397444 announced the general availability of support for the inclusion of Teams reactions in Purview Premium eDiscovery. Teams supports a set of reactions (icons for thumbs-up, surprise, sad, angry, heart, and laugh) to allow users to indicate what they think of a message posted to a chat or channel conversation.
Including reactions in eDiscovery results is important because the reactions can provide important context for a conversation. For example, if I suggest a fraudulent transaction to someone in chat and they show their agreement with the idea using the thumbs-up reaction. If an investigator can see both the message and the reaction, they have much better insight into what happens than if they can only see the message. As Microsoft says in MC397444, “this detail can provide additional user sentiment…”
In July 2022, Microsoft said that about 12% of Office 365 paid seats use E5 and therefore have access to Purview Premium eDiscovery. The remainder have no access to eDiscovery or use the standard eDiscovery included in Office 365 E3.
Standard eDiscovery and Teams Reactions
Standard eDiscovery searches the Teams compliance records captured by the Microsoft 365 substrate and stored in user mailboxes in Exchange Online. Despite what you might sometimes read online, the real data is always held in the Teams message store in Azure Cosmos DB. Exchange Online only holds cut-down versions of messages designed for compliance purposes.
The results from standard eDiscovery searches don’t include reactions because the compliance records don’t have this information. Although the substrate captures edits to messages in chats and channel conversations, it doesn’t include reactions in these changes.
Teams Reactions in the Audit Log
In late August 2022, I noticed that Teams started to capture records for message reactions in the unified audit log. I continually remind tenant administrators that it’s worthwhile scanning the audit log from time to time to see what new events are present. Here’s what I do (results edited for brevity):
$AuditRecords = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date).AddDays(1) -Formatted -ResultSize 5000 $AuditRecords | Group Operations | Sort Name | Format-Table Name, Count Name Count ---- ----- Add app role assignment grant to user. 2 Add app role assignment to service principal. 2 Add group. 5 Add member to group. 2 Add member to role. 1 Add owner to group. 2 Add service principal. 9 Add user. 1
Scanning down through the list quickly reveals the presence of new audit events or events that generate a lot of activity. For instance, in my tenant, I see many FileModified events to log details of files updated in SharePoint Online or OneDrive for Business. In any case, this is how I found the ReactedToMessage event.
Interpreting the ReactedToMessage event
Examination of the events showed that they capture reactions for both chat and channel conversations. As you’d expect, the content of the AuditData property in the events is different for a chat than for a channel conversation. The information captured for a chat reaction is straightforward to process. The content for audit records captured for channel conversation reactions is a little more complicated. Here’s an example:
CreationTime : 2022-08-25T10:28:10
Id : cdc580a1-16bf-5b3b-9ab7-4773c78fa833
Operation : ReactedToMessage
OrganizationId : a662313f-14fc-43a2-9a7a-d2e27f4f3478
RecordType : MicrosoftTeams
UserKey : aff4cd58-1bb8-4899-94de-795f656b4a18
UserType : Regular
Version : 1
Workload : MicrosoftTeams
ClientIP : ::ffff:10.60.2.150
UserId : Kim.Akers@office365itpros.com
AADGroupId : 33b07753-efc6-47f5-90b5-13bef01e25a6
ChannelGuid : 19:f2cb1f5540f54e06b7a45e90af446ebb@thread.skype
ExtraProperties : {@{Key=TimeZone; Value=Europe/Dublin}, @{Key=OsName; Value=windows}, @{Key=OsVersion; Value=10},
@{Key=Country; Value=ie}...}
MessageId : 1661368101750
MessageReactionType : like
MessageVersion : 1661423290212
ParentMessageId : 1659278677696
TeamGuid : 19:0571b31b8d1b4bd0b31e4069743b9d35@thread.skype
ChannelName : 🏴☠️2023 Edition (9th)
TeamName : Ultimate Guide to Office 365
A little work is necessary to resolve the GUID for the team (AADGroupId) to its display name and to discover the name of the channel the reaction is in. To solve that problem, I used the Get-MgTeamChannel cmdlet to retrieve all the channels in the team and then filtered the list to find the display name of the channel, meaning that the output looks nice (Figure 1).
The full script is available from GitHub.
Updated Reactions
One thing to note is that Teams does not capture audit records with a different operation code when someone removes a reaction from a message. If someone decides that their initial reaction was bad and goes ahead to remove the original reaction and replace it with a new reaction, you’ll see two audit events captured for the same message. The version of the script from 26 January 2023 deals with this situation. Figure 2 shows that the most popular reaction in my tenant is ‘Like.’
Finding Messages
If you need to find the message a reaction belongs to, you can use the message identifier. This code uses the Graph chatMessage API to retrieve a message and all its replies, checks which messages in the thread have reactions, and outputs details of the message, its author, date posted, the text, and the reaction. You’ll need to sign into the Microsoft Graph with the ChannelMessage.Read.All permission to make this request.
$uri = "https://graph.microsoft.com/v1.0/teams/33b07753-efc6-47f5-90b5-13bef01e25a6/channels/19:f2cb1f5540f54e06b7a45e90af446ebb@thread.skype/messages/1659278677696/replies"
$Messages = Invoke-MgGraphRequest -uri $Uri -Method Get
ForEach ($Message in $Messages.Value) {
If ($Message.reactions.count -gt 0) {
$From = $Message.from.user.displayname
$Date = $Message.lastModifiedDateTime
$Text = $Message.body.content
$Reactions = $Message.reactions.reactionType -join ", "
Write-Host ("Message from {0} date {1}" -f $from, $date)
Write-Host ("Text {0}" -f $text)
Write-Host ("Reactions: {0}" -f $reactions) -foregroundcolor Red
}
}
Message from Tony Redmond date 30/08/2022 14:29:59
Text I really wouldn't worry until next month
Reactions: like
If your account is a member of the team, you can use the weburl returned for a message to open Teams to display the message. The weburl looks like this:
Using Teams Reactions
This exercise demonstrated that the audit records captured for Teams reactions can be exploited for different purposes. At one end of the spectrum, you can use the data to discover if people use reactions effectively (for instance, what’s the most popular reaction?). At the other end, you could use the audit records alongside standard eDiscovery to discover if reactions exist for problematic messages found by searches. The audit log is truly an interesting place to look for data, and if you ingest the audit data into Microsoft Sentinel through the Office 365 connector, you can use a KQL query to analyze reactions too!
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
One Reply to “Teams Reactions Captured in Audit Records”