The first time I came across the idea of a dropped filter in M365 Purview eDiscovery was when I had a moment of laziness and tried to collect Teams messages from a custodian mailbox by pointing to the custodian in Premium eDiscovery and didn’t uncheck OneDrive as a custodial location.
I reckoned it didn’t matter because my search for Teams messages wouldn't hit on anything in OneDrive anyway.
That logic was flawed. It was flawed because when confronted with a search for Message Kind in OneDrive, Microsoft recognized that wasn’t a field you could search in OneDrive and dropped it. This resulted in a search that said, “In the Exchange mailbox, search for Message Kind = Microsoftteams, and in OneDrive, the search has no filter.”
Yes, it collected everything from OneDrive.
It took me a while to understand what happened because there wasn’t any error or warning. (I have since learned that there is a very specific way you can do that search and get a warning, but it won’t always warn you.)
A few months later, I ran into another example that caused some confusion for a client. They were trying to collect calendar entries to investigate how an employee spent their time using a date range.
They were not getting the entries they were expecting. They tried using the date field to search, but the “date” of a meeting invite is not the meeting date; it’s the date the invite was sent. So, they tried using MeetingStartDate.
This also did not go well because MeetingStartDate is a legitimate field, but it’s not a field you can search from the discovery tools.