Wednesday, January 1, 2020

Search the audit log for events in Microsoft Teams

The audit log can help you investigate specific activities across Office 365 services. For Teams, here are some of the activities that are audited:
  • Team creation
  • Team deletion
  • Added channel
  • Changed setting

To see the complete list of activities that are audited in Office 365, read Search the audit log in the Office 365 Security & Compliance Center.

Turn on auditing in Teams

Before you can look at audit data, you first have to turn on auditing in the Security & Compliance Center. For help turning on auditing, read Turn Office 365 audit log search on or off. To enable the audit log in your tenant, in the Office 365 Admin Portal browse to the Security & Compliance Admin Center -> Search & investigation -> Audit log search. Click Start recording user and admin activities, then click Turn On.

Audit data is only available from the point at which you turned on Auditing.

Retrieve Teams data from the audit log
1.    To retrieve audit logs, go to the Security & Compliance Center. Under Search, select Audit log search.
2.    Sign in to Office 365 using your work account.
3.    In the left pane of the Security & Compliance Center, click Search, and then click Audit log search.
4.    Use Search to filter by the activities, dates, and users you want to audit.
5.    Export your results to Excel for further analysis.

You have to first turn on audit logging before you can run an audit log search. If the Start recording user and admin activity link is displayed, click it to turn on auditing. If you don't see this link, auditing has already been turned on for your organization.
If you're using the maximum date range of 90 days, select the current time for the Start date. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.
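
The same search can be scripted. This is an added example, not part of the original post: it assumes an already-connected Exchange Online PowerShell session, that the four activities listed earlier correspond to the operation names `TeamCreated`, `TeamDeleted`, `ChannelAdded` and `TeamSettingChanged`, and a constructed 7-day window and output file name.

```powershell
# Added example: pull Teams audit events and export them for analysis.
# Assumes Search-UnifiedAuditLog is available in the current session and
# that auditing was already turned on for the whole search window.
$end   = Get-Date
$start = $end.AddDays(-7)   # constructed window; must stay within the 90-day range

$params = @{
    StartDate      = $start
    EndDate        = $end
    RecordType     = 'MicrosoftTeams'
    Operations     = 'TeamCreated', 'TeamDeleted', 'ChannelAdded', 'TeamSettingChanged'
    SessionId      = "TeamsAudit-$(Get-Date -Format yyyyMMddHHmmss)"
    SessionCommand = 'ReturnLargeSet'
    ResultSize     = 5000
}

# Page through the result set; each call with the same SessionId
# returns the next batch until nothing is left.
$all = @()
do {
    $page = @(Search-UnifiedAuditLog @params)
    $all += $page
} while ($page.Count -gt 0)

# AuditData is a JSON string; expand the fields an investigator needs.
$report = foreach ($r in $all) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        TeamName  = $d.TeamName
        Channel   = $d.ChannelName
    }
}

# Team deletions are the events most likely to need a follow-up restore.
$report | Where-Object Operation -eq 'TeamDeleted' | Format-Table -AutoSize
$report | Sort-Object TimeUtc |
    Export-Csv -Path .\TeamsAudit.csv -NoTypeInformation   # hypothetical file name
```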

Here's the process for searching the audit log in Office 365.

Recover deleted Teams

In Microsoft Teams, team owners can delete a team, and sometimes a team is deleted by accident. When a team is deleted, it is held in the "recycle bin" for 30 days until it is permanently deleted. Below is the process for restoring a deleted team in Microsoft Teams.

  • Once a team is deleted, the option to recover it exists for up to 30 days
  • All of it (channels, files, tabs, etc.) will reappear as it was before
  • A restore can take up to 4 hours
  • To restore, from the Exchange admin center, select recipients, then groups
  • Locate the group (only if soft deleted)
  • Select the group and choose restore

Confirm that the recently deleted team shows on the list and select it

On the right-hand side menu, click the “Click here to restore” option

Confirm the restoration request

Launch PowerShell as an administrator.

Note: at the time of this writing, this restore procedure requires the AzureADPreview module to be installed. To install, simply type Install-Module AzureADPreview and follow the prompts.
IMPORTANT: When a team is created in Microsoft Teams, it creates an Office 365 group. This procedure is the process for restoring an Office 365 group and is documented in more detail here.

       PowerShell commands to restore
                Get-AzureADMSDeletedGroup     (make note of the Object ID)
                Restore-AzureADMSDeletedDirectoryObject -Id <objectID>

MS Teams Data Storage

Conversation Storage
Chat: Most chats are stored in memory. Chat uses Azure storage (blob, tables, and queues), and is moving to Cosmos DB (one-on-one chats and group chats are in Cosmos DB already).
Substrate/Exchange: All the chat and channel messages are stored in Exchange for information protection purposes.
Conversation Images & Media: Inline images and other media are stored separately (Giphys aren’t stored).

File Storage
1-1 Chats: Any files shared in these chats are stored in the OneDrive for Business of the person who posted it, and permissions are set for members of the chat to read it.
Team Conversations: These are uploaded to SharePoint, and there’s a folder associated with each channel in the appropriate Team.
Cloud Storage: Microsoft Teams supports Dropbox, Box, Citrix ShareFile, and Google Drive as cloud storage service options.

Clean the Microsoft Teams Client Cache

Clearing the Teams client cache is the first step in troubleshooting. The trouble is, the cache for Teams isn't in one place or even a single directory. It's split across multiple directories and also includes Internet Explorer and Chrome cache locations.

Fully exit the Microsoft Teams desktop client. To do this, either right click Teams from the Icon Tray and select ‘Quit’, or run Task Manager and fully kill the process.

The cache locations are:
  • %AppData%\Microsoft\teams\application cache\cache
  • %AppData%\Microsoft\teams\blob_storage
  • %AppData%\Microsoft\teams\databases
  • %AppData%\Microsoft\teams\cache
  • %AppData%\Microsoft\teams\gpucache
  • %AppData%\Microsoft\teams\Indexeddb
  • %AppData%\Microsoft\teams\Local Storage
  • %AppData%\Microsoft\teams\tmp
  • %LocalAppData%\Google\Chrome\User Data\Default\Cache
  • %LocalAppData%\Google\Chrome\User Data\Default\Web Data
  • %LocalAppData%\Google\Chrome\User Data\Default\Cookies
  • Internet Explorer Cookies
  • Internet Explorer Temporary Internet Files
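
The Teams-specific folders above can be cleared with a short script. This is an added example, not part of the original post: it assumes the desktop client runs as a process named `Teams`, and it deliberately leaves the Chrome and Internet Explorer locations alone because clearing them also removes cookies and saved data for other sites.

```powershell
# Added example: clear the Teams client cache folders under %AppData%\Microsoft\teams.
# Run as the affected user, not elevated as a different account,
# so that $env:APPDATA points at the right profile.
$teamsRoot = Join-Path $env:APPDATA 'Microsoft\teams'
$folders = @(
    'application cache\cache', 'blob_storage', 'databases', 'cache',
    'gpucache', 'Indexeddb', 'Local Storage', 'tmp'
)

# The client must be fully closed or the cache files stay locked.
# Assumption: the process name is "Teams".
Get-Process -Name Teams -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Sleep -Seconds 3

$results = foreach ($f in $folders) {
    $path = Join-Path $teamsRoot $f
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Folder = $f; Status = 'not present'; Remaining = 0 }
        continue
    }
    # Remove the contents but keep the folder itself.
    Get-ChildItem -LiteralPath $path -Force |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    $left = @(Get-ChildItem -LiteralPath $path -Force).Count
    [pscustomobject]@{
        Folder    = $f
        Status    = if ($left -eq 0) { 'cleared' } else { 'files still locked' }
        Remaining = $left
    }
}

# A non-zero Remaining count usually means Teams was still running.
$results | Format-Table -AutoSize
```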