Step by Step: fetching Microsoft Teams conversation history (chat history)

Scenario A: Targeting a specific Team

An uncommon query, but one you will get once in a while from HR or compliance/security leadership, is “Can we search Microsoft Teams chat in Office 365?”

The answer depends on the type of content and the period that you need. Here are some of the use cases I worked on (probably not exactly the same as yours, but they should give you some clarity about where to look).

Teams stores an individual’s chat history in a hidden folder in the user’s mailbox, which is not accessible via OWA or Outlook. Users and administrators cannot access these hidden folders. Skype for Business used to archive these in the user’s mailbox, where users could delete them, but we didn’t worry about that because our email archive still had a record of those IMs.

You can see in the following screenshot that I tried to add the Internal IT channel mailbox to Outlook, and obviously “Conversation History” is empty because it’s a hidden folder. With that in mind, we will have to dig in a different way.

Scenario A: How to retrieve the conversation history of a particular Team/Channel?

First, let’s connect to Exchange Online PowerShell to lay the foundation for what we are looking for.

Connect-EXOPSSession

Log in as a Global Admin.

All the chat history from Microsoft Teams is saved into a mailbox with the name of the Team, so I’m looking for a mailbox called “Internal IT”. The easiest way is to fire up trusty PowerShell and run this line to retrieve all the group mailboxes we have in this tenant:

Get-Mailbox -GroupMailbox

This lists all the group mailboxes in my tenant. As you can see, there is one called “Internal IT”.

This is the channel I am interested in (Internal IT). This simply means that each channel has a dedicated database, which is an encouraging start! We can surely get something out of it now.

With that in mind, we now know the address of the Team channel I need to look into. And here comes the eDiscovery content search to the rescue. Yes, we can fetch the Teams chat history from there!

Head over to the Compliance admin blade from the Office 365 admin center.

Go to “e-Discovery”.

Start by creating a new case here. Hit “+ Create a case” to begin.

Give it a simple name and a description, and save.

Click on the blue “Open” button to get inside the case.

It brings you to the search interface.

From Searches, add the following search parameters.

You can customize your query to suit your needs; I have done it as below. Feel free to click the little “X” to close each parameter and add another to match your target result.

Use the “Add Conditions” button to refine your search criteria.

I am not going to search based on a keyword, so I use the participants parameter, and the value is my target Team (Project Delivery).

From the locations, choose the following and unselect everything else.

You can further customize your search query to get a more refined search result, but that’s totally up to you. My target is to get the entire chat history of the “Project Delivery Team” Team chat.

Finally, hit the search button and give it a few seconds or minutes (depending on the content size of the tenant).

And here we are! It now shows me all the IMs under this Team.

You can export in two ways: a report or the results.

It also allows you to choose what you want to export.

Once done, click on the relevant export batch and download it.

When you download, there will be a small tool to obtain the batch. Make sure you are on the Microsoft Edge browser for this final task.

Warning: You must use Microsoft Edge or Internet Explorer to download search results or reports. Please switch to one of these browsers to download the content.

The following error means you are not using Microsoft Edge for this task. Just switch your browser and you should be good to go!

Allow all users to see everyone’s calendar in an Office 365 environment

Yes, you are right! Setting this access right organization-wide surely raises a major privacy concern, especially when it comes to personal details (such as HR and operations related events) in employees’ calendars.

However, there can be exceptional scenarios where the business decides what it needs, such as the pandemic situation the whole world faces right now (COVID-19), as every organization prepares to work from home and allow people to interact online in more efficient and effective ways. In my case, one of our top-level clients badly needed everyone’s calendar to be visible to everyone in the company so that people could get in touch efficiently.

This is possible and Exchange Online has the capability to do it, but make sure you do it only for a genuine purpose. In Exchange Online, you can set the default internal sharing policy for Office 365 users’ calendars using PowerShell. You may decide to set the default for all current users to Limited Details, then add exceptions for users whose calendar is to be kept to Availability (Free/Busy) only. There are various roles to choose from as per your need.

The AccessRights parameter in the PS command below specifies the permissions that you want to modify for the user on the mailbox folder. The values that you specify replace the existing permissions for the user on the folder.

You can specify individual folder permissions or roles, which are combinations of permissions. You can specify multiple permissions and roles separated by commas.

I emphasize again: DO NOT DO THIS unless there is an absolute necessity.

For non-MFA environments (even though MFA is a fundamental and very common security requirement, there can be exceptional cases), amend the AccessRights parameter accordingly:

$credentials = Get-Credential -Credential elliot@gcits.com.au
Write-Output "Getting the Exchange Online cmdlets"
# Basic authentication session; this only works where MFA is not enforced
$Session = New-PSSession -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -ConfigurationName Microsoft.Exchange -Credential $credentials `
    -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Set the Default user's permission on every user mailbox calendar
foreach ($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {
    $cal = $user.Alias + ":\Calendar"
    Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights Reviewer
}

For MFA environments

Preparation:

Run this to export the current state of all user mailboxes to a CSV file. It will help with verification later, and in case you need to reverse the change (Pre):

Connect-EXOPSSession

# Baseline export only: no permissions are changed at this stage.
# Separate file name so the later (Post) export does not append to the baseline.
$file = "C:\Temp\Calendar-Pre.csv"
$Usermailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox
foreach ($user in $Usermailboxes) {
    $cal = $user.Alias + ":\Calendar"
    $perms = Get-MailboxFolderPermission -Identity $cal -User Default
    # AccessRights can hold several values; join them so the CSV column stays readable
    $perms | Select-Object Identity, FolderName, @{Name='AccessRights';Expression={$_.AccessRights -join ','}} |
        Export-Csv $file -Append -NoTypeInformation
}

Applying Access Rights:

Now let’s change the access right for all user mailboxes. Amend the AccessRights parameter according to your requirement (it is applied to all user mailboxes):

foreach ($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {
    $cal = $user.Alias + ":\Calendar"
    Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights AvailabilityOnly
}

If you wish to skip a selected user mailbox (maybe the CEO’s?), you can use the following, which filters on “userprincipalname” with “-ne” to add an exception:

foreach ($user in Get-Mailbox -RecipientTypeDetails UserMailbox | where userprincipalname -ne "mark@mantoso.onmicrosoft.com") {
    $cal = $user.Alias + ":\Calendar"
    Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights AvailabilityOnly
}


Verification:

To verify the result against a single user mailbox, you can run this line

Get-MailboxFolderPermission neil@mantoso.onmicrosoft.com:\calendar

Or run the following to export the result for all user mailboxes as a CSV file, so it can be compared with the CSV you got before applying the change (Post):

$file = "C:\Temp\Calendar-Post.csv"
$Usermailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox
foreach ($user in $Usermailboxes) {
    $cal = $user.Alias + ":\Calendar"
    $perms = Get-MailboxFolderPermission -Identity $cal -User Default
    # AccessRights can hold several values; join them so the CSV column stays readable
    $perms | Select-Object Identity, FolderName, @{Name='AccessRights';Expression={$_.AccessRights -join ','}} |
        Export-Csv $file -Append -NoTypeInformation
}
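
One way to do the Pre/Post comparison described above, as an added example that is not part of the original post: it diffs the two exports and prints, without running it, the command that would restore each changed calendar. The sample rows are constructed, the function name Compare-CalendarBaseline is hypothetical, and it assumes the Identity column of each CSV identifies the calendar folder.

```powershell
# Constructed sample rows standing in for Import-Csv of the Pre and Post exports.
$preCsv = @'
"Identity","FolderName","AccessRights"
"neil:\Calendar","Calendar","AvailabilityOnly"
"mark:\Calendar","Calendar","AvailabilityOnly"
"chanu:\Calendar","Calendar","LimitedDetails"
'@
$postCsv = @'
"Identity","FolderName","AccessRights"
"neil:\Calendar","Calendar","Reviewer"
"mark:\Calendar","Calendar","AvailabilityOnly"
"chanu:\Calendar","Calendar","Reviewer"
"new.hire:\Calendar","Calendar","Reviewer"
'@

# Hypothetical helper: returns one row per calendar whose Default permission differs.
function Compare-CalendarBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Pre,
        [Parameter(Mandatory)] [object[]] $Post
    )
    # Index the baseline by folder identity for quick lookup.
    $baseline = @{}
    foreach ($row in $Pre) { $baseline[$row.Identity] = $row.AccessRights }

    foreach ($row in $Post) {
        if (-not $baseline.ContainsKey($row.Identity)) {
            # Mailbox created after the baseline: nothing to revert to, flag for review.
            [pscustomobject]@{ Identity = $row.Identity; Before = $null
                               After = $row.AccessRights; Revert = $null }
        }
        elseif ($baseline[$row.Identity] -ne $row.AccessRights) {
            [pscustomobject]@{
                Identity = $row.Identity
                Before   = $baseline[$row.Identity]
                After    = $row.AccessRights
                # Emitted as text for review; this script changes nothing itself.
                Revert   = "Set-MailboxFolderPermission -Identity '$($row.Identity)' " +
                           "-User Default -AccessRights $($baseline[$row.Identity])"
            }
        }
    }
}

$changes = Compare-CalendarBaseline -Pre ($preCsv | ConvertFrom-Csv) -Post ($postCsv | ConvertFrom-Csv)
$changes | Format-Table Identity, Before, After -AutoSize
$changes | Where-Object Revert | ForEach-Object Revert
```

To use it on real exports, replace the two here-strings with Import-Csv of the Pre and Post files.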

Testing:

Now let’s see how this works after changing the permissions. In terms of details, this is how it is shown now (looking at Chanu’s calendar from Manoj’s mailbox).

Private events in Chanu’s calendar (only the date/time and subject)

Non-private events in Chanu’s calendar (items shown in detail)

  1. Subject
  2. Location
  3. Organizer
  4. Attachments
  5. Attendees and response status
  6. Date/Time

Item opened in full window

Here’s the full list of roles available to set. You can specify individual folder permissions or roles, which are combinations of permissions. You can specify multiple permissions and roles separated by commas.

Individual permissions:

  • CreateItems: The user can create items in the specified folder.
  • CreateSubfolders: The user can create subfolders in the specified folder.
  • DeleteAllItems: The user can delete all items in the specified folder.
  • DeleteOwnedItems: The user can only delete items that they created from the specified folder.
  • EditAllItems: The user can edit all items in the specified folder.
  • EditOwnedItems: The user can only edit items that they created in the specified folder.
  • FolderContact: The user is the contact for the specified public folder.
  • FolderOwner: The user is the owner of the specified folder. The user can view the folder, move the folder, and create subfolders. The user can’t read items, edit items, delete items, or create items.
  • FolderVisible: The user can view the specified folder, but can’t read or edit items within the specified public folder.
  • ReadItems: The user can read items within the specified folder.

The roles that are available, along with the permissions that they assign, are described in the following list:

  • Author: CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
  • Contributor: CreateItems, FolderVisible
  • Editor: CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
  • None: FolderVisible
  • NonEditingAuthor: CreateItems, FolderVisible, ReadItems
  • Owner: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems
  • PublishingEditor: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
  • PublishingAuthor: CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
  • Reviewer: FolderVisible, ReadItems

The following roles apply specifically to calendar folders:

  • AvailabilityOnly: View only availability data
  • LimitedDetails: View availability data with subject and location

Reference – Set Mailbox Folder Permissions (Microsoft Docs)

A temporary alternative for message forwarding in Teams: Share to Outlook

Microsoft Teams currently doesn’t have a Forward chat option, which sometimes makes it a little harder when you have to share a chat with someone else in the organization. There are valid use cases where we need to refer to a particular conversation in Teams, and a forward chat option would definitely be a handy addition there. However, the new feature called “Share to Outlook” can be used as a temporary alternative in such scenarios (not in all cases, obviously).

In Teams, you can now forward a message embedded in an email. Let’s say I want to forward the following message to a few people in my organization.

To do this, I can simply hover over the desired conversation and click on the three dots.

Then click on the “Share to Outlook” option from the dropdown list.

The send email flyout will pop up. Simply add the recipients, customize the subject or body as required, and send it out.

This may not be a replacement for message forwarding, but it is at least a temporary alternative for situations where you need it the most.

Allow Microsoft Teams owners to delete chats in channels

This sounds like it comes under the moderation feature of Teams, but it doesn’t. If you are trying to allow Teams owners to delete chats sent by other members, you are in the right place. Microsoft Teams has moderation features, but this doesn’t fall under that setting.

To configure moderation for Teams, you can refer to my previous article, which will walk you through the moderation configuration.

Let’s have a look at this scenario. Neil is a member of the “Project Delivery” team and he sent a few messages in the Linda Scope channel. Think about a situation where some users post inappropriately in a channel and the Team owner would like to take the post out immediately (when there is no moderation enabled). At this point, it’s fair that an owner might need the control to manage this.

By default, owners won’t be able to delete these messages from the channel. As the following screenshot shows, Manoj is the Team owner and he has no ability to delete the message.

Here are the owners of this channel (obviously, Manoj is an owner here).

To empower the owners of this Team with the delete permission, we can simply turn it on from the Messaging Policy. Log in to Office 365 as an administrator and head over to the “Teams Admin Centre”.

Navigate to “Messaging Policies”.

By default, there is only one messaging policy, the “Global ORG Wide” policy. Use this policy if you want every Teams owner to be granted this privilege (it applies to all existing and upcoming Teams).

Note: If you are editing the Default Global policy, it might take a few hours to apply the changes (right now, 24-48 hours)

Just leave it as it is and create a new custom policy if you are looking to grant this to certain owners only.

Give it a meaningful name and a short description so you can recognize it. Ensure the first switch (Owners can delete sent messages) is turned “ON”.

Once done, you should be able to see both policies listed.

Now navigate to the “Users” blade, click on the target administrator to whom you want to grant this privilege, and navigate to policies in that profile (remember, you need to repeat this for every owner individually).

Click on the “Edit” link on the right pane and assign the custom policy under the “Messaging Policy” dropdown.

Give it a few minutes and check the same scenario. Log in as a member and post a new message, then try to delete it while logged in with the owner’s account (for testing, it is ideal to have two browser profiles with both users logged in side by side, so you can monitor the behavior in real time).

As you can see from the following screenshot, Manoj can now delete Neil’s message as an owner, which means the policy has been applied to Manoj successfully.

And if I needed to, I could still undo it so that the message is restored.