I'm trying to extract Teams chat conversations between two specific users for a legal investigation, but I'm having difficulty narrowing it down properly. My current KQL query pulls in a lot of irrelevant information, and I need it to focus only on the chats between these two users. Here's my query: (Date=2025-09-01..2026-02-14) AND (((Participants:XXX) AND (Participants:XXXX))) AND (((Recipients:XXXX) AND (Recipients:XXXXX))). Am I missing something? Is using the advanced eDiscovery feature excessive for this task?
4 Answers
Looks like your KQL is a bit redundant. Instead of the two-part criteria, try simplifying it to just ‘(Participants:XXX AND Participants:XXXX)’ and skip the recipients part, since Teams chat doesn’t actually use that field. Plus, using advanced eDiscovery for just two users might be overkill; a basic content search could be faster and more effective.
You should be able to pull the Teams chats if you have set their Exchange accounts as data sources. Just a heads up, exporting Teams chats can sometimes produce unexpected results, so best of luck with that!
Getting specific Teams conversations can be really tough. What we usually do is pull a broader search for the case, including the involved people and dates. Then, we refine our results using the results browser to narrow things down with keywords or other filters, which might help you find the correct chats.
I’ll give the basic search a shot. If I remove the recipient part, does that mean I could retrieve chats between anyone or just the two users I'm focusing on?

That sounds like a solid plan. I was thinking of doing something similar — provide them with all the data and let them sift through it. It’s their job, after all!
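The simplified query and the mailbox scoping suggested in the answers above, run as a content search from Security & Compliance PowerShell; this is an added example, not code from anyone in the thread. The addresses and search name are placeholders, and the `kind:microsoftteams` condition is an assumption added here to keep email out of the results.

```powershell
# Added example. Addresses and search name are placeholders, not values from the thread.
# Requires the ExchangeOnlineManagement module and eDiscovery permissions.
$userA      = 'user.a@example.com'
$userB      = 'user.b@example.com'
$searchName = 'Teams chat - placeholder case'

# Date range copied from the question; both users must appear in Participants.
# kind:microsoftteams is an assumption added here to exclude email items.
# The query does not exclude group chats that contain both users plus other people,
# so those still need to be filtered out during review.
$query = "(Date=2025-09-01..2026-02-14) AND " +
         "(Participants:$userA AND Participants:$userB) AND " +
         "(kind:microsoftteams)"

Connect-IPPSSession

# Teams chat copies are searched through the users' Exchange mailboxes,
# so only those two mailboxes are set as locations.
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation $userA, $userB `
    -ContentMatchQuery $query | Out-Null

Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes, then show the hit count and size
# before deciding whether an export is worth running.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

$search | Format-List Name, Status, Items, Size, ContentMatchQuery
```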