eDiscovery & Legal Hold in Microsoft Teams


When a new Team in Microsoft Teams is created, it automatically creates an Office 365 Group and because Office 365 Groups exist within Office 365, they can be subject to Security and Compliance policies in Office 365. In addition content posted in Microsoft Teams, can also be subject to these policies and enables organizations to perform Content Search and eDiscovery along with Legal Hold on this stored content. This article will walk an administrator through how to perform eDiscovery and Legal Hold on content within Microsoft Teams.

Disclaimer: This article is not an extensive nor exhaustive “how to” for eDiscovery and Legal Hold in Office 365. The purpose of this article is to demonstrate the simplicity of performing eDiscovery and Legal Hold on Microsoft Teams content but we will not go in-depth into the process. For more information on the in-depth process, please refer to the documentation referenced in the hyperlinks above.

Environment Setup:

Within Microsoft Teams, I have created some content in the conversation of a Team called Finance Auditors Team. This content will pertain to a confidential company project of Contoso’s that we will refer to as “Project Lunch”. In addition, two files have been created under the Files tab of the Team; “Project Status Report” and “Project Plan”.

Step 1: Create a new eDiscovery Case in the Office 365 Security & Compliance Center

Browse to the Office 365 Security & Compliance Center at www.protection.office.com. On the left pane, expand Search & Investigation and click eDiscovery

Click the button Create a case. In the flyout on the right side, give the case a name and a brief discription then click Save.

Step 2: Configure & Run the eDiscovery Case

On the eDiscovery screen, click Open next to the case you just created

On the new window that opens for the case details, click the Search tab

Click the + (plus) sign to launch a new window to configure the keyword search. In the details, give the search a name and configured the searching locations. For my example, I will select Search Everywhere then click Next

In the What do you want us to look for step, enter a keyword. For my example I will enter Project Lunch and then click Search. Note the dialog box will close and the search will immediately start to execute.

Note The dialog box will close and the search will immediately start to execute. This process may take a few moments to run.

Step 3: Review the results

Once the search is finished running, click the hyperlink Preview Search Results (Note: A new window called “Preview Search Results” will launch, and you may be prompted to authenticate).

Within the Preview Search Results window, you will notice on the left pane the search results where the keyword “Project Lunch” appears. In this example, Project Lunch was returned in a PowerPoint, Word document, and two IM conversations (Microsoft Teams).

Important: All the items in the search results, were in the Finance Auditors Team within Microsoft Teams

Clicking on an item in the left pane, will display the detailed results on the right pane. Notice you can click Download Original Item and it will allow you to download the original document where the keyword was discovered. In this example, a Word Document (docx).

I’m going to click on the IM item titled Finance Auditors Team/1500489998445. This will display the message on the right pane and enable you to also download the original conversation. Close the window when finished. Note, Microsoft Teams conversations will appear as IM type when doing the content search.

Step 4: Place on Legal Hold

Within the eDiscovery center, click the tab Hold at the top. Then click the Plus (+) sign to create a new hold case (this will launch a new window).

Within the Create a new hold window, give the hold case a name, for this example we will use Project Lunch. Next, select the group mailbox that is associated with the team by clicking the Plus (+) sign.

In the search field, type the name of the mailbox that is associated with the Office 365 Group (aka the team name), in this case Project Lunch and press Enter. Next highlight the display name of the mailbox and click Add then click OK.

Note: This will place chat conversations that occur in the Microsoft Team on hold

Back on the Create a New Hold dialog box, click the Plus (+) sign under Sites:

Type in the URL of the Office 365 Group that is associated with the team and click Add then click OK.

Note: This will place content created such as Planner, Files, etc within the Office 365 group that’s associated with the team on hold.

On the next screen, in the What do you want to look for? (optional) fields for keywords, leave blank to hold the entire mailbox and click Finish


At this point, further actions can be taken to export the content or used Advanced eDiscovery for preparing a more detailed search if needed. Note, if the team is deleted the content is still on hold and can be accessed. Stay tuned as I will continue to write future articles on additional Security & Compliance topics for Microsoft Teams!

–Matt Soseman


Understanding Office365 Security Capabilities

So you want to learn more about the security capabilities in Microsoft Office 365? You’ve come to the right place! Below is a list of resources that will provide you with a good foundational knowledge of the various advanced security workloads in Office365. Stay tuned as I will update this list periodically.

Start Here -> Office365 Trust Center


Office 365 Secure Productive Enterprise

Getting Started:

Address your CXO’s top five cloud security concerns

Take control of your security and compliance with Office 365

Learn how Office 365 security and compliance leverages intelligence in a cloud first world

Secure Office 365 like a cybersecurity pro—assessing risk and implementing controls

Own your data with next generation access control technology in Office 365

General Data Protection Regulation (GDPR)

How Does Microsoft IT Secure Office 365?

Keep calm and automate: How we secure the Office 365 service

Office 365 Secure Score:

Introducing the Office 365 Secure Score

Learn about Office 365 Secure Score: actionable security analytics

An introduction to Office 365 Secure score

New Office 365 capabilities help you proactively manage security and compliance risk

Advanced Threat Analytics:

Learn how Microsoft Advanced Threat Analytics combats persistent threats

Plan and deploy Microsoft Advanced Threat Analytics the right way

Advanced Security Management:

Overview of Advanced Security Management in Office 365

Get started with Advanced Security Management

Gain visibility and control with Office 365 Advanced Security Management

Advanced Threat Protection:

Introducing Office 365 Advanced Threat Protection

Advanced threat protection for safe attachments and safe links

Learn about advancements in Office 365 Advanced Threat Protection

Data Loss Prevention:

Protect your sensitive information with Office 365 Data Loss Prevention

Customize and tune Microsoft Office 365 Data Loss Prevention

Customer Lockbox:

Announcing Customer Lockbox for Office 365

Office 365 Customer Lockbox Requests


Building security and compliance solutions with the O365 Activity API – a Microsoft IT case study


Deliver management and security at scale to Office 365 with Azure Active Directory

Secure your Active Directory to mitigate risk in the cloud


Implement Microsoft Exchange Online Protection

Get an edge over attackers – what you need to know about email threats

Understand how Microsoft protects you against Spoof, Phish, Malware, and Spam emails

Learn about advancements in Office 365 Advanced Threat Protection

Advanced eDiscovery:

Office 365 Advanced eDiscovery

Video: Office 365 Advanced eDiscovery

Reduce costs and challenges with Office 365 eDiscovery and Analytics

Azure Information Protection:

What is Azure Rights Management?

Information Protection and Control (IPC) in Office 365 with Microsoft Rights Management service (RMS) whitepaper

Collaborate confidently using Rights Management

Adopt a comprehensive identity-driven solution for protecting and sharing data securely

Mobile Devices:

Secure access to Office 365, SaaS, and on-premises apps and files with Azure AD and Intune

Deliver a BYOD program that employees and security teams will love with Microsoft Intune

Manage BYOD and corporate-owned devices with MDM solutions

Secure Android devices and apps with Microsoft Intune


Introducing Office 365 Message Encryption: Send encrypted emails to anyone!

Encryption in Office 365

Challenge cloud encryption myths and learn about Office 365 BYOK plans

Windows Defender Advanced Threat Protection:

Detect and respond to advanced and targeted attacks with Windows Defender ATP

Advanced Data Governance:

Advanced Data Governance overview

Take control of your data with intelligent data governance in Office 365

Applying intelligence to security and compliance in Office 365

Threat Intelligence:

Applying intelligence to security and compliance in Office 365

Resource I will post soon: Enterprise Mobility Suite, AppLocker, Credential Guard, Device Guard, Windows Hello, Windows Information Protection, Cloud App Protection, Azure Active Directory Premium.