Investigating Microsoft Teams with Magnet AXIOM Cyber

With Magnet AXIOM Cyber, investigators can now acquire and analyze data from Microsoft Teams without the need of additional tools or use of Compliance Center. In this blog we’ll discuss the steps necessary for investigators to complete to acquire MS Teams data directly into AXIOM Cyber.

Along with the ability to collect from cloud sources such as AWS, O365, G-Suite, and Teams, AXIOM Cyber enables examiners to remotely collect evidence from an endpoint with the use of a covertly deployed remote collection agent.

Request a free trial of Magnet AXIOM Cyber today.

Provide Administrator Approval for the Magnet Forensics International, Inc (Teams) Application

To acquire data from Microsoft Teams accounts, you might need to provide administrator consent for Magnet Forensics International, Inc (Teams) before logging in to the application for the first time.

1. Browse to the Microsoft administrator consent page for Magnet Forensics International, Inc (Teams) and log in as an administrator.
2. To allow Magnet Forensics International, Inc (Teams) the requested permissions, click Accept.

After you log in successfully, complete the following steps to confirm that administrator approval was successfully configured:

1. Browse to portal.azure.com.
2. In the Search bar, browse for and select Enterprise Applications.
3. On the Enterprise Application page, confirm that you see Magnet Forensics International, Inc (Teams).

Allow Access to All User Accounts Through AXIOM

Configure Azure Active Directory to allow examiners to log in to all Microsoft Teams accounts through AXIOM and deactivate user assignment requirements.

1. Browse to the Azure Portal and log in as an administrator.
2. To open Azure Active Directory, in the left pane, click All services.
3. Search for and select Azure Active Directory.
4. Click Enterprise applications > All applications.
5. Search for and select Magnet Forensics International, Inc (Teams).
6. Under Manage, click Properties.
7. Next to Enabled for users to sign-in, click Yes.
8. To allow all users in your organization to access the Magnet Forensics application, next to User assignment required, click No.

Allow Access to Specific User Accounts Through AXIOM

If you chose not to allow access to all user accounts through AXIOM, you can allow access to specific user accounts.

1. Browse to the Azure Portal and log in as an administrator.
2. To open Azure Active Directory, in the left pane, click All services.
3. Search for and select Azure Active Directory.
4. Click Enterprise applications > All applications.
5. Search for and select Magnet Forensics International, Inc (Teams).
6. Under Manage, click User and groups.
7. In the Users and groups list, make sure that the users you want to be able to access Magnet Forensics are included in the list. If not, click Add user and choose the user you want to include.

Verify Users Have Permissions for AXIOM

For each user that you want to be able to access the Magnet Forensics International, Inc (Teams) application, verify that they have the required permissions.

1. Browse to the Azure Portal and log in as an administrator.
2. To open Azure Active Directory, in the left pane, click All services.
3. Search for and select Azure Active Directory.
4. Click Enterprise applications > All applications.
5. Search for and select Magnet Forensics International, Inc (Teams).
6. Under Manage, click User and groups.
7. Select a user.
8. Under Manage, click Applications > Magnet Forensics.
9. Make sure that the permissions list includes the Microsoft Graph API.

Once completed, users should be able to login to their organization’s Microsoft Teams instance to acquire directly from AXIOM. If you have any questions, check out our Knowledge Base article with more information and please don’t hesitate to reach out to either support@magnetforensics.com or myself at trey.amick@magnetforensics.com