Answering your questions about our Microsoft 365 connector

Microsoft 365 is exploding, forcing organizations to adapt to handle the influx of data generated by users of all types. We had the great opportunity to present a demo of our Microsoft 365 connector during a webinar on Thursday, Jan. 21. You can watch the recording of that webinar here if you missed it.

What was amazing during the webinar was the number of questions that we received. It shows that this topic really is of interest across several industries and job functions, and there was no way we could answer everyone’s questions in under an hour. We didn’t want to leave anyone out, however, so we compiled everyone’s questions and answered them to the best of our ability here!

I’d like to thank everyone inside of Nuix who took the time to answer my own questions and provide their feedback on this content. I hope these responses are helpful to everyone who attended or who may find this article in the future.

YOUR QUESTIONS, OUR ANSWERS

We have Nuix Investigate and will have Nuix Discover soon. My background is forensics, so we need to have a connector to pull the data. What is that exactly? An Azure deployment tied into M365 directly?

Nuix provides a connector to support the ingestion of Microsoft 365 data into a Nuix case. Using the Nuix connector in conjunction with your Microsoft tenant and the Microsoft Graph API, users can access data from their Exchange, Teams, SharePoint, and OneDrive for Business services.

I see modern attachments, specifically under One Drive and SharePoint, would this also be working in the Teams data? If there is a link, will the collector pull that file in if it can reach it?

Yes, Modern Attachments are supported whether attached on an Exchange email or sent in a Teams message.

If we put a name of a custodian, can we check what channels in Teams this custodian a participant of?

When adding one or more custodians using the "User Principal Name” field, the connector will automatically add all the teams those custodians are part of as evidence. See screenshot below for more details.

Can it ingest PST exports from M365? I know Nuix Workstation can as a standalone file; does it matter if you add it as a single file or M365?

Nuix can ingest PST exports from M365; however, the Teams data is not parsed correctly due to differences with the way the data is identified in the PST as opposed to the way they are identified through our M365 connector. This is something our team is working on enhancing for a future release.

What kind of privileges do we need to connect to the custodians M365? Do we need Active Directory permissions? How does it connect to the user’s O365?

You may refer to our official M365 connector documentation located in our Product Documentation site.

Where is the data stored by Nuix once collected? In a forensic container? Which type?

Using Nuix Workstation, the data is stored within the Nuix case. Nuix Imager, which is our imaging tool based on the Nuix Engine (which also powers Nuix Workstation), also has access to the connector. With Nuix Imager, the data can be captured and store in a Nuix Logical Image (.nli), which is essentially a zipped folder containing the data you’ve gathered and optionally culled.

Does speed of download depend on the number of workers?

Like other data sources, more Nuix Workers will mean faster performance; however, with any API connection, the underlying “plumbing” must be taken into consideration. I’ve seen performance on average vary between ~0.5-1 GB per hour, per worker. In a 4-worker example, you would be able to download data from Microsoft at speeds of ~2–4 GB per hour. Of course, there are limitations with how “fast” you can go. I’ve routinely seen the “sweet spot” to be 2 or 4 workers. More than 4 workers create more throttling and decreased performance.

How does Nuix locate a user’s Teams site?

This is handled by the Microsoft Graph API coupled with the secret sauce that our engineering team has built into the connector.

Does Nuix support RSMF export for loading these chats to Relativity?

Nuix does not currently support exporting chat data to RSMF format. We are evaluating the request currently.

Do you need Nuix Investigate or Nuix Discover to review the data, or can you export from Nuix Workstation and review in other platforms as well?

Teams chat data can be exported out and included in a load file.

Our biggest challenges collecting from Office 365 are:

1) Finding and collecting a specific folder in a user's Exchange or OneDrive when we are given only the folder name and username.

2) Finding and collecting appointments that a user posts to their calendar as opposed to meeting which are otherwise captured in our ecomms archive.

3) Interested in the intersection of Nuix Data Finder and the M365 collector so that we only ingest data responsive to people + dates + search terms + type.

The Pre-filter Evidence window in Nuix Workstation can be used to find and collect a specific folder in a user’s Exchange or OneDrive.

Appointment items are captured through Exchange.

Nuix Data Finder can be used in conjunction with the connector to additional rules to the processing logic.

If another review tool was used, such as Relativity, can the Teams chats be exported in a way that will allow conversation threading, etc.?

Nuix does not currently support exporting chat data to RSMF format. We are evaluating the request currently.

Can I get a copy of the user guide? I'm working with [a government agency], which has a huge M365 deployment, to be able to pull M365 data directly into Nuix Workstation to display in Nuix Investigate or Nuix Discover.

You may refer to our official M365 connector documentation located in our Product Documentation site.

Do you need an E5 or advanced eDiscovery license to leverage the Nuix M365 connector? Or is a core eDiscovery license sufficient?

Official Microsoft documentation states that the Messaging API (which we use as part of the M365 connection) requires E5/A5. We have confirmed, however, that the current solution works on E3.

When pulling the modern attachment for an email, if the modern attachment is versioned in OneDrive is the attachment provided in the tool the latest version of the file or the version that was shared at the time the email had been created?

If the modern attachment is from an email, the latest version of the attachment will be downloaded. If the modern attachment is from a Teams chat message, the version that was shared at that point in time will be downloaded.

Follow up on binary. If you direct connect to M365 and do not store binaries, do you have to reconnect or maintain connection to export that data?

Without storing binaries, the M365 connector will download the items into the Nuix case, and they will be available for search purposes only. If any activity is performed which requires the binary (for example: viewing the native within Nuix, OCR, export, etc.), Nuix will need to re-connect to M365 to re-download the item. This process not only adds time to the overall workflow, but also adds some risk as well. If the item no longer exists or moved, you will not be able to load the binary stream.

Conversational View from Teams: Producing the conversational view can occur both from Channel Conversations and the private chats? Can we export the conversational view as a single file (example PDF)?

Each message within a conversation is a separate item. When producing conversations, you will need to export out the conversation (and any family items associated with the message) as a separate item. With Nuix Investigate, you can print to PDF a view of the conversation/bubble chat view for offline review purposes.