Searching cloud-based mailboxes for on-premises users in Office 365

If your organization has an Exchange hybrid deployment and has enabled Microsoft Teams, users can use the Teams chat application for instant messaging. For the cloud-based user, the Teams chat data (also called 1xN chats) is saved to their primary cloud-based mailbox. When an on-premises user uses the Team chat application, their primary mailbox is located on-premises. To get around this limitation, Microsoft has released a new feature where a cloud-based storage area (called a cloud-based mailbox for on-premises users) is created to store Teams chat data for on-premises users. This lets you use the Content Search tool in the Office 365 Security & Compliance Center to search and export Teams chat data for on-premises users.

Here are the requirements and limitation for setting up and to set up and search cloud-based mailboxes for on-premises users:

  • The user accounts in your on-premises directory service (such as Active Directory) must be synchronized with Azure Active Directory, the directory service in Office 365. This means that a mail user account is created in Office 365 and is associated with a user whose primary mailbox is located in the on-premises organization.

  • The cloud-based mailbox for on-premises users is used only store Teams chat data. An on-premises user can't sign in to the cloud-based mailbox or access in any way. It can't be used to send or receive email messages.

  • You have to submit a request to Microsoft Support to enable your organization to search for Teams chat data in the cloud-based mailboxes for on-premises users. See Filing a request with Microsoft Support to enable this feature in the Security & Compliance Center in this article.

Note: Teams channel conversations are always stored in the cloud-based mailbox that's associated with the Team. That means you can use Content Search to search channel conversations without have to file a support request. For more information about searching Teams channel conversations, see Searching Microsoft Teams and Office 365 Groups.

How it works

If a Microsoft Teams-enabled user has an on-premises mailbox and their user account/identity has been synched to the cloud, Microsoft creates a cloud-based mailbox to store 1xN Teams chat data. After the Teams chat data is stored in the cloud-based mailbox, it's indexed for search. This lets you Use Content Search (and searches associated with eDiscovery cases) to search, preview, and export Teams chat data for on-premises users. You can also use *ComplianceSearch cmdlets in the Office 365 Security & Compliance Center PowerShell to search for Teams chat data for on-premises users.

The following graphic shows the workflow of how Teams chat data for on-premises users is available to search, preview, and export.

Cloud-based storage for on-premises users in Microsoft Teams

In addition to this new capability, you can still use Content Search to search, preview, and export Teams content in the cloud-based SharePoint site and Exchange mailbox associated with each Microsoft Team and 1xN Teams chat data in the Exchange Online mailbox for cloud-based users.

Filing a request with Microsoft Support to enable this feature in the Security & Compliance Center

You must file a request with Microsoft Support to enable your organization to use the graphical user interface in the Security & Compliance Center to search for Teams chat data in the cloud-based mailboxes for on-premises users. Note that this feature is available in Office 365 Security & Compliance Center PowerShell. You don't have to submit a support request to use PowerShell to search for Teams chat data for on-premises users.

Include the following information when you submit the request to Microsoft Support:

  • The default domain name of your Office 365 organization.

  • The tenant name and tenant ID of your Office 365 organization. You can find these in the Azure Active Directory portal (under Manage > Properties). See Find your Office 365 tenant ID.

  • The following title or description of the purpose of the support request: "Enable Application Content Search for On-premises Users". This will help route the request to the Office 365 eDiscovery engineering team who will implement the request.

After the engineering change is made, Microsoft Support will send you an estimated deployment date. Note that the deployment process usually takes 2-3 weeks after you submit the support request.

What happens after this feature is enabled?

After this feature is deployed in your Office 365 organization, the following changes are made in Content Search and in searches associated with an eDiscovery case in the Security & Compliance Center:

  • The Add Office app content for on-premises users checkbox is added under the Locations in Content Search.

    The "Add Office app content for on-premises users" checkbox is added to the Content Search UI

  • On-premises users are displayed in the content locations picker that you use to select user mailboxes to search.

Searching for Teams chat content in cloud-based mailboxes for on-premises users

After the feature has been enabled, you can use Content Search in the Security & Compliance Center to search for Teams chat data in the cloud-based mailboxes for on-premises users.

  1. In the Security & Compliance Center, go to Search & investigation > Content search

  2. On the Search page, click Add icon New search.

    As previously explained, the Add Office app content for on-premises users checkbox is displayed under Locations. Note that it is selected by default.

  3. Create the keyword query and add conditions to the search query if necessary. To only search for Team chats data, you can add the following query in the Keywords box:

    kind:im
    
  4. At this point, you can choose one of the following options under Locations:

    • All locations - Select this option to search the mailboxes of all users in your organization. When the checkbox is selected, all cloud-based mailboxes for on-premises users will also be searched.

    • Specific locations - Select this option and then click Modify > Choose user, groups, or teams to search specific mailboxes. As previously explained, the locations picker will let you search for on-premises users.

  5. Save and run the search. Any search results from the cloud-based mailboxes for on-premises users can be previewed like any other search results. Additionally, you can you can export the search results (including any Teams chat data) to a PST file. For more information, see:

Using PowerShell to search for Teams chat data in cloud-based mailboxes for on-premises users

You can use the New-ComplianceSearch and Set-ComplianceSearch cmdlets in the Office 365 Security & Compliance Center PowerShell to search the cloud-based mailbox for on-premises users. As previously explained, you don't have to submit a support request to use PowerShell to search for Teams chat data for on-premises users.

  1. Connect to Office 365 Security & Compliance Center PowerShell.

  2. Run the following PowerShell command to create a new content searches the cloud-based mailboxes of on-premises users.

    New-ComplianceSearch <name of new search> -ContentMatchQuery <search query> -ExchangeLocation <on-premises user> -IncludeUserAppContent $true -AllowNotFoundExchangeLocationsEnabled $true  
    

    The IncludeUserAppContent parameter is used to specify the cloud-based mailbox for the user or users who are specified by the ExchangeLocation parameter. The AllowNotFoundExchangeLocationsEnabled allows cloud-based mailboxes for on-premises users. When you use the $true value for this parameter, the search doesn't try to validate the existence of the mailbox before it runs. This is required to search the cloud-based mailboxes for on-premises users because these types of mailboxes don't resolve as regular mailboxes.

    The following example searches for Teams chats (which are instant messages) that contain keyword "redstone" in the cloud-based mailbox of Sara Davis, who is an on-premises user in the Contoso organization.

    New-ComplianceSearch "Redstone_Search" -ContentMatchQuery "redstone AND kind:im" -ExchangeLocation sarad@contoso.com -IncludeUserAppContent $true -AllowNotFoundExchangeLocationsEnabled $true  
    

    After you create a new search, be sure to use the Start-ComplianceSearch cmdlet to run the search.

For more information using these cmdlets, see:

Known issues

  • Currently, you can only search, preview, and export content in cloud-based mailboxes for on-premises users. Placing a cloud-based mailbox for an on-premises user on a hold associated with an eDiscovery case or assigning it to an Office 365 retention policy is not supported.

  • The content location picker for eDiscovery holds displays on-premises users and will let you select them. However, as previously explained the hold will not be applied to the on-premises user.

Frequently asked questions

Where are cloud-based mailboxes for on-premises users located?

Cloud-based mailboxes are created and stored in the same datacenter as your Office 365 organization.

Are there any other requirements other than submitting a support request?

As previously explained, the identities of users with on-prem mailboxes must be synchronized to your cloud-based organization so that a corresponding mail user account is created for each on-premises user account in Office 365. Additionally, your organization must have an Office 365 enterprise subscription, such as an Office 365 Enterprise E1, E3, or E5 subscription.

Is there a risk of losing the Teams chat data if the user's on-premises mailbox is migrated to the cloud?

No. When you migrate the primary mailbox of an on-premises user to the cloud, the Teams chat data for that user will be migrated to their new cloud-based primary mailbox.

Can I apply an eDiscovery hold or Office 365 retention policies to on-premises users?

No.

Can Content Search find older Teams chats for on-premises users before the time my organization submitted the request to enable this feature?

Microsoft started storing the Teams chat data for on-premises users on January 31, 2018. So, if the identity of an on-premises Teams user has been synched between Active Directory and Azure Active Directory since this date, then their Teams chat data will be stored in a cloud-based mailbox and will be searchable using Content Search. Microsoft is also working on storing Teams chat data from prior to January 31, 2018 in the cloud-based mailboxes for on-premises users. More information about this will be available soon.