Top Features of Microsoft Teams & Information Protection in Office 365

Published Apr 21 2017 12:44 PM 56K Views

We're excited about last month’s global launch of Microsoft Teams. I'm Ansuman Acharya, and I work as a Program Manager in the Security and Compliance area for Microsoft Teams. We have had several queries and how-to questions from our customers around how Microsoft Teams plugs into the Office 365 Security and Compliance Center and I want to make sure that this article provides sufficient coverage and links to other useful resources for that topic.


To start, let’s take a quick look at the features we delivered for GA. Here is a summary:


Teams Blog 1.png


Microsoft Teams provides coverage for its information protection dataset i.e. all user conversations, channel messages, group chats and files stored within the context of these chats.


Audit Log Search –

Audit log search plugs right into the Office 365 Security and Compliance Center and exposes abilities to set alerts and/or report on Audit event by making available, export of workload specific or generic event sets for admin use and investigation, across an unlimited auditing timeline. It can take up to 30 minutes or up to 24 hours after an event occurs within Microsoft Teams for the corresponding audit log entry to be displayed in the search results.


Teams Audit logging aims to capture over 25 different business events.

  • Teams & channels specific events – Addition, Deletion, Creation
  • Bots, connectors and apps events
  • Setting changes events – Team, tenant and tool admin settings
  • Messaging events – edits and deletions
  • File events are covered under SharePoint logging


As of now, these are the following events that are enabled in Production and work is underway to split Settings changed into 3 sub settings – Tenant Wide Settings, Team level settings and channel level settings. The older setting changed event will be deprecated and there will also be a new sign in event for Teams i.e. “User Signed in to Teams”


Teams Blog 2.png


Further work to add the events as listed above is in progress and we would love to hear feedback on events that you see logged for your tenant for Teams and the level of detail in them.  If you have more questions, please see article on office support for searching the unified audit logs.


Here is what our Channel Added event looks like:


Teams Blog 3.png



eDiscovery, Legal Hold, Compliance Content Search –

Large Enterprises are often exposed to high penalty legal proceedings which demand submission of all Electronically Stored Information (ESI). Teams becomes the newest addition to the Office 365 Security and Compliance family by exposing its information protection data set i.e.


  • 1:1 chats
  • Group chats
  • Channel messages
  • SharePoint Files
  • OneNote content
  • OneDrive for Business content


to the eDiscovery, hold and content search functionality. All Teams 1:1 or group chats are journaled through to the respective users’ mailboxes and all channel messages are journaled through to the group mailbox representing the Team. Files uploaded are covered under the eDiscovery functionality for SharePoint Online and OneDrive for Business.


Teams Blog 4.png


For content search, both the user or the group mailboxes can be added to search for Teams content at the same time, along with the SharePoint Online site representing the team. Advanced eDiscovery, export and de-duplication of records is also supported for Teams data. Content search based on keywords, common types and to/from lists can be applied to Teams data to narrow scope down as well.


Here is an example of a Compliance Content Search query that is searching across workloads in a Team site and in a group mailbox corresponding to a Team with “trading” and “stock” keywords.


Teams Blog 5.png



A few known issues with Teams today that we are working to fix soon:

  1. Messages from and To Bots are not being captured correctly in the Compliance Content Search process.
  2. Messages from Connectors that get written into channels are not being captured in the Compliance Content Search process.
  3. For the email a channel feature, the emails that are rendered on the channel as messages are also not available for Compliance Content Search.

For archival, or hold on a user or Team during litigation, holds functionality within an eDiscovery case can be used to add a legal hold to a user’s mailbox or the group(Team)’s mailbox which makes sure that Teams content is preserved immutable in these containers when there is a requirement to preserve data. Files and OneNote data can be also put on hold through SharePoint. All hold behavior is transparent to the end user in the Teams client experience and is only available to admins in the Office 365 Security and Compliance Center. In terms of storage archiving, user mailboxes are enabled to storage extensions by enabling an archive mailbox and this applies to Teams data stored in those mailboxes too.


If you have more questions, please see eDiscovery in Office 365 to learn more.


Exchange Online Protection for Email a Channel Feature –

If you’ve not heard, Microsoft Teams has a cool new feature where users can generate an email address for a channel within a Team and emails sent to that channel are rendered just as other user initiated conversations are, within the channel. In keeping with our security first attitude, we route these emails through Exchange Online Protection providing spam and malware filtering. We have received feedback and working with some of our biggest Enterprise Customers on mechanisms on routing emails through the EOP/ATP setup within their own tenant.


Conditional Access and Intune App Protection for Teams -

Teams was built cloud and mobile first with enterprise grade security being a key pillar from the start. One of the most important features we launched for IT Admins is Intune MAM Support (with or without Intune MDM) for our iOS and Android phone apps. The new azure portal can be used by Intune or AAD admins to configure MAM policies including copy paste, pin access and client data encryption for Teams apps providing security for mobile communication. Please see Create and deploy app protection policies with Microsoft Intune for more information.


Teams also honors Azure Active Directory Conditional Access policies setup for Exchange Online, SharePoint Online on its browser, desktop and mobile apps. This is because Teams as an app depends heavily on accessing resources controlled by these services. (Example: Calendar through Exchange Online or Files/Recent documents using SharePoint Online) for a Conditional Access policies enabled on services aim to provide IT Admins secure control over access to any of the deployed services within of Office 365 through Office or other third party client apps.


Conditional Access policies include controls for

  • requiring Multi Factor Authentication
  • requiring compliant or domain joined devices
  • using IP addresses or user location to block access to a service.


For more information, please see the article regarding how to create conditional access policies on AAD. Future work in this space includes plans to add Teams as its own cloud app in the Azure Portal under the AAD Conditional Access workflow and provide support for SharePoint Session based conditional access policies in the Teams clients. 


Also, if you’re looking for more information around how to deploy Teams and use these features in your organization, please use resources at


Looking forward, and in listening to our customers our information protection roadmap, retention policies (preservation and deletion) for Teams data has been a big ask and we are working to make this real so admins have a way to delete/preserve their Teams chat data per their legal and compliance requirements.


Thanks, and stay tuned for more updates. Please feel free to post questions and/or feedback about Teams Security and Compliance features. We are listening. 




Version history
Last update:
‎Apr 21 2017 12:44 PM
Updated by: