Teams is a nice place to discuss the issues of the day, but what happens if someone abuses the platform and sends some abusive or otherwise objectionable messages?
The simple answer is that team owners should keep an eye on discussions and remove anything that shouldn’t be there. That’s OK if team owners are omnipresent and have the time and energy to check every channel in every team they own. Not every owner does so.
Tenant Administrators to the Rescue
Humans being fallible, bad posts can slip through the cracks and stay undetected for a while. When an administrator learns that something unpleasant exists in Teams, they can ask the team owner to act. Or, in extreme cases, they might consider removing the offending content.
A tenant administrator can add themselves as an owner, open the team, and remove the posts. Two problems exist with this approach. First, it’s manual and tiresome. Second, the poster might have posted the same message to multiple teams in the organization, meaning that we must track down and remove the message from all those teams.
Finding the message in multiple teams isn’t a problem. Because Office 365 captures compliance records for Teams in the group mailboxes for each team where they are indexed and discoverable, we can search those compliance records to find offending content. After that, it’s a matter of removing items from each team where items are found.
Content Searches Can Purge
Office 365 content searches support a “purge action,” which is intended to remove items from mailboxes in situations like when an email virus or phishing message sneaks through anti-malware defenses. The problem of purging content from email is worse than it is for Teams because a problematic email can exist in thousands of mailboxes, which might be the case if an executive sends the wrong text to an All Employees distribution list.
By comparison, someone must post bad content as messages in individual channels. This takes a lot more effort than sending email to a large distribution list.
On the surface, it seems like if a content search can find compliance records for bad messages, we should be able to use the same search to remove those messages from Teams and solve our problem.
You can only set up purge actions for content searches with PowerShell, using the New-ComplianceSearchAction cmdlet. Creating the search and making sure that you find the right actions can be done as normal with the Security and Compliance Center.
The Problem with Purging Compliance Records
There’s good and bad news to share here. Although you can purge items with a content search, the purge only soft-deletes the items. In other words, the records still exist in mailboxes. In fact, a soft-delete of any item like a compliance record from a group mailbox moves the item into the Deletions sub-folder of the Recoverable Items folder. The items stay in the Deletions folder for the deleted items retention period set on the mailbox, normally 14 days.
This arrangement is great for Office 365 Groups but works less well for Teams. Moving an item from a group conversation into the Deletions folder hides it from Groups clients like OWA or Outlook for iOS immediately. However, a set of compliance record for a Teams conversation is not what users see through Teams clients. These records exist in Exchange solely for compliance purposes and are never used by clients.
Teams clients access the contents of conversations though data stored in the Teams services running in Azure, which means that even if you purge compliance records, the messages are still available to the Teams clients.
Soft-deleted (purged) compliance records linger on until their deleted items retention period expires and the Managed Folder Assistant next processes the mailbox holding the records. At this point, Exchange hard-deletes the records and removes them permanently. The permanent removal of compliance records then ripples back to Teams via background synchronization and leads to the deletion of the corresponding messages in channels (the same mechanism is used by Office 365 retention policies to process Teams). The offending content is then gone. The entire process from running a content search to purge the records to final synchronization back to Teams takes a minimum of 14 days and could take up to 35 days to complete.
Another point to consider is that a purge action for a content search only ever removes a maximum of 10 items from a mailbox. This is deliberate to ensure that a mistake made in a content search cannot then lead to a largescale removal of data from mailboxes. You can run several purges to remove items if more than 10 matching items exist in a mailbox.
Search-Mailbox Doesn’t Help
The now-venerable Search-Mailbox cmdlet is also available to process Exchange mailboxes and can hard-delete items. However, Search-Mailbox only supports user and shared mailboxes and you cannot run the cmdlet against the group mailboxes holding the Teams compliance records. However, Search-Mailbox can search and find the compliance records for personal chats because these items are in user mailboxes.
No Documents Purged
Finally, the purge action for a content search only supports mailboxes. You cannot run a purge against SharePoint Online or OneDrive for Business sites to remove documents, folders, or lists, all of which might hold offending content. To purge these documents, you’ll have to note them in the results returned by the content search, find the files, and remove them.
Manual Process Needed
It’s unlikely that tenants will consider it acceptable to wait for retention periods to expire and synchronization to occur before bad content disappears from Teams. Unfortunately, this means that if someone posts offensive material into Teams, administrators have some manual work to do to find and remove those messages.
Courtesy Petri Tony Redmond