MFCMAPI Exposes Data Stored by Microsoft 365 Apps in Exchange Online Mailboxes

I regularly use the MFCMAPI program to help understand the contents stored in Exchange Online mailboxes. When I mention this, people often look at me as if I have two heads. They have questions like what magic exists in MFCMAPI and how do I use the magic? That discussion could probably take hours, but let’s see if I can deliver a primer on how to get and use the program.

MFCMAPI Origins and Current Status

MFCMAPI originated as a program written by Microsoft escalation engineers to help debug Outlook desktop. This 2014 article explains some of the background. However, MFCMAPI was available several years beforehand, perhaps starting in 2008 or thereabouts. Since then, it’s been used for a variety of purposes (including creating Outlook profiles) and exporting mailbox data. You can also move or rename folders. However, modifying mailbox data with a low-level utility is not a recommended course of action because you could do serious damage to the mailbox.

I don’t think I have ever created anything with MFCMAPI; my use has always been to poke around the innards of a mailbox to discover what apps store there. In an on-premises environment, a mailbox stores email and some mailbox settings. But in the cloud, Exchange Online mailboxes are used by apps for a variety of purposes such as storing compliance records and Teams attendance records, mostly so that the data is indexed and becomes accessible to Search and services like eDiscovery. User mailboxes are a very convenient place for Microsoft 365 apps to store information and that’s why the program is so useful for administrators who want to understand how apps store data.

Today, Microsoft maintains MFCMAPI through a GitHub project. Stephen Griffin, one of the original brains behind MFCMAPI, still works on the code. You can download the latest release from GitHub. For instance, the latest 64-bit version is available in MFCMAPI.x64.exe.23.0.23089.01.zip.

Using MFCMAPI

MFCMAPI is only able to access user mailboxes, which it does through an Outlook profile. Before launching the program, go to Outlook desktop and make sure that the Outlook profile does not enable cached Exchange mode. If it does, MFCMAPI is limited to accessing synchronized folders and many of the more interesting server-based folders are inaccessible.

Now launch MFCMAPI and choose Logon from the Session menu. MFCMAPI displays a prompt to select the Outlook profile to use and then signs into your account using the information in the profile and lists the message stores available to the profile (Figure 1). Because MFCMAPI uses Outlook profiles for sign-ins, you can’t use the program to open anything other than user or shared mailboxes. This is logical because when the program started, objects like group mailboxes didn’t exist.

Although MFCMAPI lists public folders, you’ll see an error if you try and access them with the program.

Accessing Folders

Select the default store (marked with True in the Default Store column). This is your primary mailbox and double click to open the store. MFCMAPI opens a separate window positioned at the Root Container in the store. This is the root of everything in the mailbox – both the folders visible to users (IPM folders) and those never revealed by clients (non-IPM folders).

Click on Root Container to reveal the set of folders underneath. In Figure 2 you can see some of the folders contained in the mailbox. Three are highlighted:

• Recoverable items: This is where Exchange Online stores deleted items that users can still recover plus copies of items purged or altered when within the scope of a retention policy.
• TeamsMessagesData: This is where Teams stores its compliance records captured for personal and group chats involving the mailbox owner.
• Top of Information Store: This is where the IPM folders are located and you can see a couple of default mailbox folders (Calendar and Archive) plus a user-created folder (Amazon).

As a simple example of what MFCMAPI can reveal, double-click on the TeamsMessagesData folder. The program opens another window to list the items in the folder (Figure 3). Remember, this is a non-IPM folder, so users don’t know of its existence.

The lower pane shows the MAPI properties of the item like its creation date. Message items can have hundreds of properties, many of which are only understood by the generating app. In this instance, the text of the message sent in a Teams chat is available in the PR_HTML property (Figure 4).

The important thing here is that the compliance record is stored as a mailbox item. It is a partial version of the actual Teams message posted in the chat that caused the substrate to create the compliance item. These items exist to allow Microsoft Search to index the content of the chat and eDiscovery searches to find them when necessary.

Enough for a Primer

I think that’s enough for a primer on this topic. There’s lots more that can be done with MFCMAPI, but it serves a useful purpose even if you just use the program to understand what’s in Exchange Online mailboxes. Explore your own mailbox to see what you can find hidden behind the scenes. It can be very revealing!

Learn about using Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Email Signatures Shared between Outlook and OWA But Not a Panacea for Signature Management

A reader pointed me to Microsoft’s Email Signature Gallery and asked if these signatures could be used with Outlook and OWA. The answer is yes, and there’s documentation to show how, which is always nice.

The gallery of email signatures is in a Word document (Figure 1), which can be downloaded or edited online. Editing is important as you need to update one of the sample signatures to use it.

After making the appropriate changes, you can cut and paste the signature into OWA or Outlook desktop (Figure 2) and the wonders of roaming signatures will make it available in both clients. Basically, all you need to do is replace the photo, update the values for title, phone numbers, organization, and address, and add links for your web site and Twitter handle. The email signatures gallery sounds like a very useful tool, but some downsides exist.

According to message center notification MC450845 (October 27, 2022), rollout of roaming signatures should now be complete. Microsoft also refers to the feature as “cloud signatures.” Both mean the same thing. The signature information is in user mailboxes and clients download signature information from the mailbox to apply signatures to messages.

Set-MailboxMessageConfiguration Remains Broken

The first issue is that Microsoft hasn’t addressed the issue with roaming signatures that broke the Set-MailboxMessageConfiguration cmdlet by removing HTML support for signatures in OWA. Microsoft removed the warning from the documentation that roaming signatures causes the problem, which was nice of them. The problem means that if you’ve taken the time to develop nicely-formatted signatures for OWA, any scripts that apply OWA signatures to mailboxes won’t work.

You can’t make an omelette without breaking eggs and Microsoft would say that you can’t introduce roaming signatures and give users a choice of signatures to use without breaking something. At least, I think they’d say this because they broke something.

It’s reasonable to assume that an update would be necessary for the Set-MailboxMessageConfiguration cmdlet after the introduction of roaming signatures. The update needs to:

• Support the storage of signature information in the user’s mailbox.
• Support reading and setting of multiple signatures per mailbox.
• Support selecting a default signature for new messages and replies from the available set.

It would be nice if Microsoft fixed the cmdlet problem so that those who’ve invested time and energy to develop PowerShell scripts to manage email signatures can continue to benefit from their work.

Roaming Signature Data in User Mailboxes

Up to now, the cmdlet could retrieve signature information from its settings. Now it must read data from the ApplicationDateRoot\49499048-0129-47f5-b95e-f9d315b861a folder in the non-IPM part of the mailbox. The MFCMAPI utility reveals that each signature has its own sub-folder (Figure 3) along with other information stored in ApplicationDateRoot\49499048-0129-47f5-b95e-f9d315b861.

The folder for a signature has a contents table storing some message items. The message items hold the signature data (Figure 4) in HTML format, including graphic elements like icons.

It’s obvious that the implementation of roaming signatures is very different in many ways to the simplicity of the earlier approach taken by OWA, which only supports a single HTML signature.

Roaming Signatures Work for OWA

In any case, signatures updated in Outlook desktop become available to OWA (and vice versa) after a period for the clients to learn about updates and refresh caches. Figure 5 shows the signature from the email signatures gallery that I pasted into Outlook as it appears in an OWA message.

Current State of Play

The current state of play is therefore that clients that support roaming signatures (OWA, the Monarch client, and the latest Outlook click to run builds) share signatures stored in user mailboxes. No matter what client someone updates a signature in or the source of the signature (from the gallery, from another user, or generated by the user), the clients will all pick up and use that signature.

Does this mean that ISV signature management products like Code Two’s Email Signatures for Office 365 are out of business? Not at all. Roaming signatures fix a problem in that a common signature is now available within the Outlook client family. It’s not a universal panacea for email signature management and does nothing about making sure that people use suitable corporate signatures throughout the organization, including with non-Outlook clients. If you’re interested in central management of email signatures across multiple clients, there’s still a ton of value to be gained from investing in the right tools.

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

New Mission, New Teams Meeting Q and A app, New Functionality

On August 23, Microsoft announced that the Viva Engage app is rolling out to Teams users to replace the older Yammer Communities app. In July, I noted that Microsoft planned to make Yammer the cornerstone of Viva Engage and wondered if this would prove to be Yammer’s real niche within Microsoft 365. We still don’t know if this will be the case, but it’s good to see progress.

Microsoft’s announcement says “For nearly ten years, Yammer has been a leader in employee engagement. Now we are delivering these superpowers into the Microsoft Viva platform, to empower people and teams to be their best, have a voice, and feel included in the workplace.” Apart from the gratuitous use of “superpowers” (which software never possesses), the interesting thing here is the rebranding of Yammer to employee engagement. I guess it’s another way of describing enterprise social networking, the original Yammer mission, but to me it confirms that Microsoft is seeking to give Yammer a new role.

Seamless Switch to Viva Engage

In any case, as Microsoft promised, switching in Viva Engage to replace Yammer communities was seamless. My tenant has custom branding for the Yammer communities app and the existence of a different name and logo didn’t interfere with the replacement. Right now, there’s not much difference between the two apps (Figure 1), but I’m sure we’ll see the Viva Engage app evolve over time. According to Microsoft, the switchover process should be complete worldwide by the end of September.

Yammer and Teams Meeting Q&A

On July 19, Microsoft announced that the Q&A feature for Teams Meetings is generally available. What people might not realize is that Yammer powers the Q&A capability within a meeting. Q&A is an app added to a meeting when the meeting organizer updates the meeting settings to enable the feature (Figure 2).

Within the meeting, launching the Q&A app allows meeting participants to ask and respond to questions, including the ability to react to questions and comments and to mark the best response (Figure 3). Anyone accustomed to working with Yammer will recognize the “inclusive” icons used for reactions, which is one hint about the app’s source.

Some will like the way that the Q&A app gives a structure to questions and responses. Others will consider this overkill and point to the way that meeting chat can serve the same purpose, albeit without the ability to mark the best response. The point here is that no one forces meeting organizers to add Q&A. It’s an app and like any other app that supports meetings, Q&A is optional.

Q&A and Compliance

Being interested in compliance, I wondered if Yammer captured the text in the questions and comments for compliance purposes. Some poking around in mailboxes using the MFCMAPI record reveals that the Microsoft 365 substrate creates compliance records (mail items) for questions and responses in the Yammer folder, just like regular messages posted to Yammer communities. Figure 4 shows the content captured for a response posted to the Q&A app (the same message as shown in Figure 3).

It’s important to underline that the compliance records captured by the Microsoft 365 substrate are mail items that contain enough information for eDiscovery and other compliance purposes (like monitoring by communications compliance policies). They are not perfect copies of the original messages. For instance, if you run a content search to find these items and download one (the items do not support previewing), you’ll get an Outlook message. Figure 5 shows an example of an item marked as the best response in a thread. You can see the text of the comment and then an odd representation of “best response.”

Compliance records do not capture user reactions.

Yammer = Employee Engagement

Going forward, I think the debate about Yammer’s position in Microsoft 365 and its competition with Teams will terminate. The focus now seems firmly set on employee engagement, and we’re likely to see some verbal gymnastics to bring the Yammer browser client under that heading soon. Making use of Yammer capabilities in apps that can be plugged into the Teams framework makes sense too, even if Teams is in danger of becoming flooded by apps. I guess choice is goodness.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Sometimes Web Content Isn’t True

Updated September 16, 2021

Always verify what you read in a blog before you accept it as fact. A myriad of reasons might make text unreliable. People make mistakes as they write, or in their understanding of a topic, or use different versions of software to what you have. The problem doesn’t exist only in independent blogs. Microsoft publications get things wrong too. A recent example in when they updated their guidance about what’s captured in Teams compliance records and can be used for eDiscovery.

It’s good when Microsoft does this because there’s a ton of misconception in the technical community about the purpose and usage of Teams compliance records. I have been told that it is possible to backup Teams by copying the compliance records in an Exchange Online backup, something that is complete and unadulterated rubbish. You can copy the compliance records, but you’ll never be able to restore those items into Teams. As explained below, Microsoft updated their page because it contained some errors (correct information is now online).

How the Microsoft 365 Substrate Captures Teams Compliance Records

In summary, here’s what happens. When someone posts a message to Teams, the Microsoft 365 substrate captures a copy of the message as an Exchange mail item. A Teams message is not a mail item, so some transformation occurs in the capture. For this reason, referring to this process as journaling is incorrect. Unlike email journaling, a perfect legally-defensible copy of the original item does not result.

The Microsoft 365 substrate writes Teams compliance records for personal chats into user mailboxes. Compliance records for channel messages go into group mailboxes. In both cases, the mail items are stored in the TeamsMessagesData folder in the non-IPM (system) part of the mailbox. This folder is hidden from clients. Originally, Teams stored its compliance records in a folder under the Conversation History folder. Teams changed the folder it uses in October 2020.

Storing records in Exchange Online mailboxes has been done since Teams first generated compliance records in 2017. The substrate captures compliance records for all Teams conversations, including those involving hybrid users whose mailboxes are on on-premises Exchange servers and guest users. Compliance records are also captured for federated chats with Skype consumer users. In these cases, special hidden mailboxes store the compliance records. I have heard these mailboxes referred to as phantom, shard, or cloud-based mailboxes.

Conversations in private channels are a special case. Private channels don’t have a group mailbox, so the substrate writes copies of these messages into the personal mailboxes of channel members and tags the items as belonging to a private channel.

Teams compliance records are also used for retention policy processing. The Exchange Managed Folder Assistant removes expired records from mailboxes according to policy. Those deletions are synchronized back to Teams, which then removes the real messages from its store.

Teams and eDiscovery

Because the compliance records are in Exchange Online mailboxes, they are indexed and discoverable by content searches. eDiscovery never operates against the “real” Teams message data, which remains in Azure Cosmos DB. All content searches use the indexes populated by Exchange Online, so the items returned by a content search (Figure 2) come whatever can be found in Exchange Online, including records for conversations involving hybrid, guest, and federated users.

When Teams compliance records are found by a content search, they can be exported as individual items or to a PST. Figure 3 shows an item found with a content search as viewed through Outlook. The compliance record contains important information like the title of the topic and the name of the team the item is posted to. Inline images, GIFs, links, and tables are also visible.

Everything seems good, if you understand and appreciate two facts: first, the compliance records stored in Exchange Online are copies and not real Teams data. Second, the transformation process to copy a Teams message into an Exchange mail item means that some Teams content does not end up in the searchable content.

Moving Content from Teams to Exchange Online

When the substrate copies a Teams message to create a mail item in Exchange Online, the following information is included:

• Links to any embedded emojis, stickers, inline images, and GIFs.
• Tables.
• Embedded deep links to other Teams messages.
• Sharing links to files in SharePoint Online document libraries.
• For channel messages, the subject of the message is recorded (if available) as is the name of a team a message is posted to. For personal chats, the names of the people involved in the conversation are captured.

However, problems occur with these elements of Teams messages:

• Reactions (for example, a like, heart, or smile) given to messages. In an eDiscovery context, reactions can be important signs that certain individuals have seen a conversation in the same way that changing the read status of an email from “unread” tells you that the message was opened.
• Recordings of audio messages.

Update April 2021: Teams compliance records omitted code snippets created in Teams messages in the past. Retesting shows that these elements are now captured as .DAT attachments for the compliance records. The .DAT attachments hold the HTML-formatted content for the code snippet. They can be opened and examined with a text editor.

In addition, compliance records captured for praise messages only include the text of the praise and not the graphics. Compliance messages for messages with quoted text include the text but not the formatting to mark the text as a quote.

An Insight into the Exchange Items

You can use the MFCMAPI utiliity to see what’s in the Teams compliance records captured as mail items in Exchange mailboxes. Examining a Teams compliance record with MFCMAPI very quickly tells you what the item does and does not contain. Mail items are collections of MAPI properties and the content of those properties constitute what clients display, what Office 365 indexes, and what’s discoverable by a content search.

Figure 4 shows an example of how to review the properties of a Teams compliance item. The PR_HTML property stores the HTML-formatted content of the item that clients like Outlook display. In this case, you can see the HTML code describing a “smile” sticker and pointer to a GIF (stored online in a Teams content delivery network).

Webinar Information

Teams webinar information such as the event information, speakers, and attendance report is captured in a set of Microsoft Lists in the meeting organizer’s OneDrive for Business account to make the data available for search and eDiscovery,

Some Teams Data is Invisible for Compliance

Good as the substrate is at capturing Teams messages, some Teams data remains invisible from a compliance perspective, including:

• Voice memos recorded with the Teams mobile client.
• Whiteboards used during Teams meetings (Teams recordings don’t capture whiteboard activity in the video feed and the whiteboard service is not indexed for eDiscovery).
• Teams meeting recording stored in Stream are not available for eDiscovery either. The spoken text in recordings stored in OneDrive for Business and SharePoint Online is captured for search but is not yet available for eDiscovery.

The point is that you shouldn’t assume that everything done in Teams is captured for compliance purposes.

Private Channels

Teams private channels pose another challenge for compliance administrators. The compliance records for conversations in these channels aren’t captured in group mailboxes. Instead, the substrate creates copies in the personal mailboxes of channel members. The messages for private channels and personal chats are mixed up. However, compliance records for private channel messages have different tags to the items for chats. See this post for more information.

In addition, the documents created in the SharePoint sites belonging to private channels won’t be included in content searches unless the URLs for the sites are added to the search locations.

Call and Meeting Records

Teams compliance records are captured for meetings and calls. These records (Call Detail Records or CDRs) note when the meeting or call happened, the participants, and when each participant joined and left the call. For instance, a call between two users might be captured like this:

Start Time (UTC): 5/20/2020 12:57:02 PM
End Time (UTC): 5/20/2020 1:27:36 PM
Duration: 00:30:34.1604437
[5/20/2020 12:57:02 PM (UTC)] vasil@michev.xxx joined.
[5/20/2020 1:27:36 PM (UTC)] vasil@xxx left.
[5/20/2020 12:57:02 PM (UTC)] Tony.Redmond@xxx  joined.
[5/20/2020 1:27:36 PM (UTC)] Tony.Redmond@xxx left.

Because compliance records are captured as mail items, the person who starts the call is noted as the sender (for meetings, it’s the person who schedules the meeting). The people who participate are captured as message recipients and the subject will be something like:

Call (Complete)/Thread Id: /Communication Id: 58365f07-e530-4b69-bef8-71dca438e65a/Vasil Michev (MVP) (Guest),Tony Redmond

The subject for a meeting looks like:

Meeting (ScheduledMeeting)/Thread Id: 19:meeting_NzI1ZTA3ODUtZDhiZC00MTRiLWE5NDEtNmRiMWFlMzI5MmZj@thread.v2/Communication Id: 0f03bcd9-f48b-4bdc-887f-a78f3087d772

When meetings or calls are with visitors, you’ll see them noted with addresses like:

teamsvisitor:13c3a4132a584b918b9c6528b6dabef9 <13c3a4132a584b918b9c6528b6dabef9>

And the transcript will look like this. All we can say is that four anonymous visitors joined a meeting hosted by a tenant user. There’s no way to resolve the addresses signed to visitors into their email addresses.

Start Time (UTC): 6/20/2020 3:54:56 PM
End Time (UTC): 6/20/2020 5:05:28 PM
Duration: 01:10:31.9773921
[6/20/2020 3:54:56 PM (UTC)] teamsvisitor:13c3a4132a584b918b9c6528b6dabef9 joined.
[6/20/2020 5:05:27 PM (UTC)] teamsvisitor:13c3a4132a584b918b9c6528b6dabef9 left.
[6/20/2020 4:02:46 PM (UTC)] teamsvisitor:748997de34a346149f3c72a8d3c6c50f joined.
[6/20/2020 4:36:21 PM (UTC)] teamsvisitor:748997de34a346149f3c72a8d3c6c50f left.
[6/20/2020 4:08:42 PM (UTC)] teamsvisitor:ba1c0907edae4a6791f9fdc17adb9fc1 joined.
[6/20/2020 5:05:28 PM (UTC)] teamsvisitor:ba1c0907edae4a6791f9fdc17adb9fc1 left.
[6/20/2020 4:21:17 PM (UTC)] teamsvisitor:d1cce625a5ee4a29911a7a954a89f1ee joined.
[6/20/2020 4:23:29 PM (UTC)] teamsvisitor:d1cce625a5ee4a29911a7a954a89f1ee left.
[6/20/2020 3:59:38 PM (UTC)] Tony.Redmond@xxx joined.
[6/20/2020 5:05:27 PM (UTC)] Tony.Redmond@ left.

Guest accounts or people authenticated with another Office 365 tenant have their email address noted.

Compliance records for meetings and calls are searched along with other items. If you want to refine a search to look specifically for records for meetings or calls, you can do this by searching for the MAPI item class used for these items (Figure 5).

• To search for all Teams items (messages, calls, and meetings), search using the message kind condition and look for MicrosoftTeams. Warning: Always add extra search parameters (like certain users or a date range) as looking for items based on the message kind will return every item of that kind. In the case of Teams, this could be millions of items.
• To search for Teams meeting records, use the keyword Itemclass:IPM.AppointmentSnapshot.SkypeTeams.Meeting. Again, make sure to add extra search parameters to restrict the number of items returned by the search.
• To search for Teams calls records, use the keyword Itemclass:IPM.AppointmentSnapshot.SkypeTeams.Call.
• To search for both, use the OR operator: Itemclass:IPM.AppointmentSnapshot.SkypeTeams.Meeting OR Itemclass:IPM.AppointmentSnapshot.SkypeTeams.Call

Remember that Teams compliance records, including call detail records, are stored in Exchange Online mailboxes, so always search Exchange Online locations rather than SharePoint Online when looking for Teams content.

The Problems of Assuming Web Text is Accurate

Coming back to the problems of web text that’s wrong. Microsoft published its article on April 15. The text prompted some online commentary about Teams compliance, all blissfully repeating the errors in Microsoft’s article. Here’s an especially egregious example from April 22, complete with erroneous text pasted in from Microsoft’s article. Microsoft updated its page on April 29 with accurate information. It will be interesting to see if those who repeated the incorrect text now recant.

The experience proves that you should always check and verify text found in the web before you trust and depend on it. Even this text!

Compliance is a complex area. If you need to know more about compliance, subscribe to the Office 365 for IT Pros eBook where you’ll find Microsoft 365 compliance explained in depth.

An Unclear Announcement About Legal Holds for Teams

The wording of Microsoft’s February 2 announcement (MC202846) that legal hold is now supported for Teams private channels might have confused some. The announcement starts with “we have begun rolling out legal hold for Microsoft Teams,” which isn’t accurate. It has been possible to put the group mailboxes used by Teams on legal hold via PowerShell or by including group mailboxes in holds owned by eDiscovery cases for quite a while. For example, to set a group mailbox on litigation (everything is retained hold), you can run the command:

Set-Mailbox -Identity MyTeam -LitigationHoldEnabled $True -GroupMailbox

The real meaning of MC202846 is that holds are now supported to control the compliance records created for conversations in private channels. As noted in this article, private channels don’t have a group mailbox, so the same capture mechanism for compliance records used for regular channels doesn’t work.

Holding Teams Private Channel Conversations

When messages are posted to regular channels, the Microsoft 365 substrate captures copies of the messages and stores them in the Team Chat folder of the group mailbox belonging to the team. The lack of a group mailbox for private channels means that the substrate stores compliance records for Teams private channels in the mailboxes of all the members of the private channel, which is the same approach taken to capture records of 1:1 and group chats. Therefore, compliance records for a team are divided as follows:

• Messages posted to Teams regular channels. Stored in the Team Chat folder of the group mailbox belonging to the team.
• Messages posted to Teams private channels. Stored in the Team Chat folder of the mailboxes belonging to all private channel members.

Team Chat is a sub-folder of the Conversation History folder. “Team Chat” is the English language name. If you want to be sure that you’re accessing the right folder with PowerShell, check the folder type. For example, I often use a command like this to discover when the last compliance record was written to a mailbox:

Get-ExoMailboxFolderStatistics -Identity O365ITPros -FolderScope ConversationHistory -IncludeOldestAndNewestItems | ?{$_.FolderType -eq "TeamChat"} | Format-Table Name, ItemsInFolder, NewestItemReceivedDate   
                                       
Name      ItemsInFolder NewestItemReceivedDate
----      ------------- ----------------------
Team Chat          2469 4 Feb 2020 16:03:05

Teams Compliance Records Are Copies

Despite the efforts of some backup vendors, aided and abetted by a lack of understanding about Teams compliance records, it is untrue that messages stored in Exchange mailboxes are real Teams message data that are a good backup source. The Teams message store is in Azure CosmosDB, and the mailbox items are incomplete copies created as Outlook mail items. The upside is that because the compliance records exist in Exchange mailboxes, they are indexed and therefore discoverable by Office 365 content searches, available for retention processing, and suitable targets for holds.

Distinguishing Teams Private Channel Messages

The problem with storing copies of private channel messages alongside copies of personal data is how data governance processing can distinguish the items. After all, you probably don’t want the retention policy set for personal chats to apply to private channel messages. To solve the problem, compliance records for private channels are marked with a different source, allowing components like the Managed Folder Assistant to ignore private channel data when processing retention policies.

Code in the Managed Folder Assistant also handles ELC (Electronic Lifecycle) processing, a fancy name for checking if items must be retained because they come within the scope of a hold. ELC checks items before they are removed from a mailbox and keeps a copy if required by a retention policy or hold. Microsoft has updated the hold logic to allow processing of private channel items, which then means that private channel items now support holds.

Clients can’t get at the Team Chat folder to view or remove items (as seen in Figure 1, you can use MFCMAPI to look at the items), so all compliance records for private channels created since their introduction are still in group mailboxes. In effect, a hold existed for these items. After the update rolls out, holds placed on the mailboxes of members of a private channel will include the messages posted to that channel.

Holding Private Channel Messages

Because all members of a private channel store copies, it’s enough to put the mailbox of a single member of a private channel on hold to impose the hold on the messages posted to that private channel. The obvious flaw in this strategy is that if the chosen member leaves the organization and their mailbox is deleted, the hold lapses. The workaround is to include the mailboxes of two, or three members in the hold, but what happens if all the chosen members leave?

It would be better if the addition of a group mailbox to a hold created implicit holds on all private channel content stored in member mailboxes, but that’s not the way things work. At least, not for now.

Compliance is such an interesting topic! Seriously, when you need to understand Office 365 data governance, consider leveraging the wealth of experience in the Office 365 for IT Pros eBook.

MAPI Properties to Point to Intelligent Communications Services

Has it ever crossed your mind what differences exist between a regular meeting event scheduled in an Outlook calendar and a Teams meeting? I must admit to not caring too much about this topic until a senior Microsoft engineer said that the difference lies in the properties of the meeting event created by Outlook. Normal meetings have a set of properties such as the meeting time, time zone, and attendees. Online meetings have these properties too, but also have a set of Intelligent Communications Services properties that tell Outlook how to connect users to the online meeting.

Although the assertion was entirely logical (of course Outlook needs to know how to connect to an online meeting), my curiosity was piqued and I looked a little further.

Scheduling an Online Meeting with Outlook

The key to scheduling a teams meeting with Outlook is the Teams meeting add-in that the client automatically loads based on the user’s online configuration. If they use Skype for Business Online, Outlook loads the Skype for Business Online add-in; if it’s Teams, Outlook loads that add-in. Apart from adding a button to the calendar menu bar, the add-in serves one major purpose: when the user creates an online meeting, the add-in creates a meeting slot with the online meeting service and inserts the details of the meeting as a URI in the meeting body (Figure 1).

When the time of the Teams meeting rolls around, the user clicks the URI. The target online service responds by opening a web page to allow the user join the meeting. The services differ in how they handle the link. For instance, if the Teams desktop client is logged into the home tenant of the user who created the meeting, the meeting starts in the desktop client. On the other hand, if the user is logged in as a guest to another tenant, Teams offers the option of joining with the with the desktop client or by opening the browser client. The flow is slightly different in the mobile clients, but essentially the key is the URI because it contains the necessary information for the application to connect to the meeting. An example of a URI created for a Teams meeting scheduled through Outlook is:

https://teams.microsoft.com/l/meetup-join/19%3ameeting_MDY3ZjY0MjAtNTNmZS00NWVkLTk0Y2EtNzhjNTI5MmM5ZGUz%40thread.v2/0?context=%7b%22Tid%22%3a%22b662313f-14fc-43a2-9a7a-d2e27f4f3478%22%2c%22Oid%22%3a%22eff4cd58-1bb8-4899-94de-795f656b4a18%22%7d

As you’d expect, the same kind of URI is inserted into meetings created using the Teams calendar app.

Users can fetch the link to send to other people from the meeting properties through the Teams calendar app by selecting a meeting (Figure 2) or using right click to view meeting details (Figure 3).

Outlook Meeting Properties

Outlook stores the information identifying an event as an online Teams meeting as MAPI properties for an item in the Calendar folder of the mailboxes of meeting participants. You can see the properties with a utility like MFCMAPI, which reveals items like OnlineMeetingConfLink (Figure 4). This property contains the name of the meeting organizer among other information. According to Microsoft’s documentation, this is a Globally Routable User Agent URI (GRUU), or a SIP URI that can be used by a user agent (client) to connect to an online meeting. Because the description comes from the Microsoft Exchange ActiveSync protocol documentation, it’s probably a link designed for use by mobile clients that synchronize the calendar folder to a device.

Another interesting property is SkypeTeamsMeetingURI (Figure 5). This is the link that meeting participants use to join an online meeting. As the name suggests, the same property can be used by either Skype for Business Online or by Teams.

Other properties exist for online meetings that I don’t describe here. But the important point is that the difference between a regular meeting event created in an Outlook calendar and one that involves an online meeting are a set of properties holding information to allow clients to connect to the online service. Whether that quite counts as a connection to Intelligent Communication Services is another matter.

You might not need to know this kind of esoteric information right now, but there’s no doubt that filling in knowledge gaps around Office 365 apps makes it easier for people to understand how to work with the technology. Which is a great reason to subscribe to the Office 365 for IT Pros eBook and learn about stuff that might not be documented or explained elsewhere.