Premium eDiscovery Reveals Reactions but They’re Also Available with PowerShell
Updated 26 January 2023
On July 5 2022, message center notification MC397444 announced the general availability of support for the inclusion of Teams reactions in Purview Premium eDiscovery. Teams supports a set of reactions (icons for thumbs-up, surprise, sad, angry, heart, and laugh) to allow users to indicate what they think of a message posted to a chat or channel conversation.
Including reactions in eDiscovery results is important because the reactions can provide important context for a conversation. For example, if I suggest a fraudulent transaction to someone in chat and they show their agreement with the idea using the thumbs-up reaction. If an investigator can see both the message and the reaction, they have much better insight into what happens than if they can only see the message. As Microsoft says in MC397444, “this detail can provide additional user sentiment…”
In July 2022, Microsoft said that about 12% of Office 365 paid seats use E5 and therefore have access to Purview Premium eDiscovery. The remainder have no access to eDiscovery or use the standard eDiscovery included in Office 365 E3.
The results from standard eDiscovery searches don’t include reactions because the compliance records don’t have this information. Although the substrate captures edits to messages in chats and channel conversations, it doesn’t include reactions in these changes.
Teams Reactions in the Audit Log
In late August 2022, I noticed that Teams started to capture records for message reactions in the unified audit log. I continually remind tenant administrators that it’s worthwhile scanning the audit log from time to time to see what new events are present. Here’s what I do (results edited for brevity):
$AuditRecords = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date).AddDays(1) -Formatted -ResultSize 5000
$AuditRecords | Group Operations | Sort Name | Format-Table Name, Count
Name Count
---- -----
Add app role assignment grant to user. 2
Add app role assignment to service principal. 2
Add group. 5
Add member to group. 2
Add member to role. 1
Add owner to group. 2
Add service principal. 9
Add user. 1
Scanning down through the list quickly reveals the presence of new audit events or events that generate a lot of activity. For instance, in my tenant, I see many FileModified events to log details of files updated in SharePoint Online or OneDrive for Business. In any case, this is how I found the ReactedToMessage event.
Interpreting the ReactedToMessage event
Examination of the events showed that they capture reactions for both chat and channel conversations. As you’d expect, the content of the AuditData property in the events is different for a chat than for a channel conversation. The information captured for a chat reaction is straightforward to process. The content for audit records captured for channel conversation reactions is a little more complicated. Here’s an example:
A little work is necessary to resolve the GUID for the team (AADGroupId) to its display name and to discover the name of the channel the reaction is in. To solve that problem, I used the Get-MgTeamChannel cmdlet to retrieve all the channels in the team and then filtered the list to find the display name of the channel, meaning that the output looks nice (Figure 1).
One thing to note is that Teams does not capture audit records with a different operation code when someone removes a reaction from a message. If someone decides that their initial reaction was bad and goes ahead to remove the original reaction and replace it with a new reaction, you’ll see two audit events captured for the same message. The version of the script from 26 January 2023 deals with this situation. Figure 2 shows that the most popular reaction in my tenant is ‘Like.’
Figure 2: The most popular Teams emoji is ‘Like’
Finding Messages
If you need to find the message a reaction belongs to, you can use the message identifier. This code uses the Graph chatMessage API to retrieve a message and all its replies, checks which messages in the thread have reactions, and outputs details of the message, its author, date posted, the text, and the reaction. You’ll need to sign into the Microsoft Graph with the ChannelMessage.Read.All permission to make this request.
$uri = "https://graph.microsoft.com/v1.0/teams/33b07753-efc6-47f5-90b5-13bef01e25a6/channels/19:f2cb1f5540f54e06b7a45e90af446ebb@thread.skype/messages/1659278677696/replies"
$Messages = Invoke-MgGraphRequest -uri $Uri -Method Get
ForEach ($Message in $Messages.Value) {
If ($Message.reactions.count -gt 0) {
$From = $Message.from.user.displayname
$Date = $Message.lastModifiedDateTime
$Text = $Message.body.content
$Reactions = $Message.reactions.reactionType -join ", "
Write-Host ("Message from {0} date {1}" -f $from, $date)
Write-Host ("Text {0}" -f $text)
Write-Host ("Reactions: {0}" -f $reactions) -foregroundcolor Red
}
}
Message from Tony Redmond date 30/08/2022 14:29:59
Text I really wouldn't worry until next month
Reactions: like
If your account is a member of the team, you can use the weburl returned for a message to open Teams to display the message. The weburl looks like this:
This exercise demonstrated that the audit records captured for Teams reactions can be exploited for different purposes. At one end of the spectrum, you can use the data to discover if people use reactions effectively (for instance, what’s the most popular reaction?). At the other end, you could use the audit records alongside standard eDiscovery to discover if reactions exist for problematic messages found by searches. The audit log is truly an interesting place to look for data, and if you ingest the audit data into Microsoft Sentinel through the Office 365 connector, you can use a KQL query to analyze reactions too!
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
One Reply to “Teams Reactions Captured in Audit Records”