This course explores communication compliance in Microsoft 365 and the benefits it can bring to your organization. We'll look at the phases that make up a communication compliance workflow and then move on to compliance policies.
Learning Objectives
- Understand what communication compliance is and what the workflow looks like
- Learn about the pieces that make up communication compliance policies
Intended Audience
Anyone who wishes to learn about using communication compliance in Microsoft 365.
Prerequisites
To get the most out of this course, you should have a basic understanding of Microsoft 365 and compliance concepts.
Welcome to Communication Compliance Policies. In this deep dive, we’ll discuss communication compliance policies and several related components. We’ll take a look at what communication compliance policies are and what they are used for. We’ll also look at the templates that you can use to create policies, AND we’ll look at the different policy settings that are available. We’ll then dive into supervised users and reviewers, before wrapping up with communication types that are supported by communication compliance.
Communication Compliance Policies are used to specify the communications and users within your organization that are subject to review. They also define the conditions that communications must meet, and the users who can perform reviews.
Communication compliance is accessed via the Microsoft 365 Compliance Center. Once you’re in Communication Compliance, you can create communication compliance policies. However, before you can access the Communication Compliance page in the Microsoft 365 compliance center, or set up communication compliance policies, you must be included in the Supervisory Review Administrator role group.
When creating communication compliance policies, you can simplify the process by using policy templates, which are built-in templates that contain common pre-defined policy settings. The conditions and scope of these templates differ, depending on the template.
There are three policy templates available in the Microsoft 365 compliance center. They include the Offensive language and anti-harassment template, the Sensitive information template, and the Regulatory compliance template.
The Offensive language and anti-harassment template can be used to create a policy that can automatically detect abusive or offensive content. This template uses threat, profanity, and harassment language classifiers to detect this type of content.
The Sensitive information template is used to create policies that scan communications for sensitive information types that you define, OR for specific keywords that you specify. Organizations typically use this template to create policies that ensure important data isn't shared with the wrong people.
The Regulatory compliance template can be used to create policies that scan communications for references to standard financial terms that are typically associated with regulatory standards.
Policy settings are used to define what the communication compliance policy will do. There are several customizable policy settings that are available, including Users, Direction, Sensitive Information Types, Custom Keyword Dictionaries, Classifiers, Conditional Settings, and Review Percentage.
The Users policy setting is used to specify whether a policy applies to all users or specific users.
Direction settings are used to specify the direction of the communication to scan. For example, an Inbound direction setting allows you to review communications that are sent to the people you choose to supervise. The Outbound direction setting allows you to review communications sent from the people you choose to supervise. And lastly, the Internal direction setting is used when you want to review communications sent between users that you’ve specified in a policy.
You can use the Sensitive information types policy setting to specify sensitive information types that you want to watch for. For example, you might want to identify and protect credit card numbers, bank account numbers, social security numbers, and other data that could be sensitive.
Custom keyword dictionaries are used to create custom dictionaries that can support terms or languages that are specific to your organization.
Built-in classifiers are used to monitor messages across all communication channels in your organization for different types of compliance issues. They use a combination of AI and keywords to identify language in messages that may violate anti-harassment policies. For example, built-in classifiers can be used to scan for offensive conduct that targets or harasses people by race, color, religion, or even national origin. They can also scan for profanity and for threats of violence or physical harm.
Conditional settings are another policy setting that’s available. Conditional settings allow you to specify conditions that trigger a policy match. The conditions that you specify for a policy apply to communications from both email and third-party sources in your organization (like from Facebook or Dropbox). For example, the "Content matches any of these classifiers" conditional setting will apply to a policy when any specified classifiers are included or excluded in a message. Another conditional setting, called "Message is received from any of these domains", causes a policy to include or exclude specific domains or email addresses in received messages.
I’ve included a link in the transcript of this lesson to all of the conditional settings that are available. You can access it here.
And lastly, we have the policy setting, called Review percentage. You would use this policy setting to reduce the amount of content to review. In other words, you can use Review Percentage to specify a percentage of the communications that are covered by a policy. When you configure a review percentage, a sample of monitored content is chosen from the total percentage of content that matches the policy’s conditions. Setting a 50% review percentage in a policy makes 50% of all matching content available to your reviewers.
Now, before you get started with communication compliance, you need to first decide what users need their communications reviewed. In other words, which users are giving you communication problems?
When you create a policy, the user email addresses are used to identify people or groups of people that should be supervised. For example, you can specify Microsoft 365 Groups, Exchange DLs, and even Microsoft Teams channels. That said, specific users and groups can also be excluded from scanning, via an exclusion group or a list of groups.
If you opt to supervise a Microsoft 365 group of users, the policy that you create will scan the content of the shared Office 365 mailbox for that group. It will also scan the Microsoft Teams channels that are associated with the group. However, if you opt to supervise a distribution list, the policy will scan the individual user mailboxes of those users that belong to the distribution list.
I should point out that, in addition to determining who needs to be supervised, you also need to decide who will review the messages of the users that are being supervised. To do this, you specify, in the policy, the user email addresses of the users or groups that will review supervised communications.
It’s important to note that the reviewers that you specify MUST have mailboxes that are hosted in Exchange Online, AND they must also be assigned the Case Management and Review roles.
To round things out in this lesson, let’s now take a look at supported communication types when it comes to communication compliance.
When you create a communication compliance policy, you have to specify what you want to scan. That being the case, it’s important to know what communication platforms are in play, so to speak.
The list on your screen shows the platforms that you can scan.
Notice in this list that you have Microsoft Teams, Exchange email, Yammer, Skype for Business, and even some third-party platforms like Facebook, LinkedIn, and Twitter.
I should mention that, by default, communications that are captured across these platforms are retained for seven years for each policy – even if the users’ mailboxes are deleted, or even if they leave the company.
As far as Microsoft Teams goes, communication compliance can scan chat communications and associated attachments in public or private Microsoft Teams channels. Individual chats can also be scanned.
The group management configurations that you see on your screen can be used to supervise individual user chats and channel communications in Teams:
- For Teams chat communications: Assign individual users or assign a distribution group to the communication compliance policy. This setting is for one-to-one or one-to-many user/chat relationships.
- For Teams channel communications: Assign every Microsoft Teams channel or Microsoft 365 group you want to scan that contains a specific user to the communication compliance policy. If you add the same user to other Microsoft Teams channels or Microsoft 365 groups, be sure to add these new channels and groups to the communication compliance policy.
As you might expect, all Exchange Online mailboxes in your organization are eligible for communication compliance message scanning.
As far as Yammer goes, private messages can be scanned by communication compliance policies, as can public community conversations. The caveat here, with Yammer, is that Yammer must be in native mode to support scanning of messages and attachments.
In Skype for Business Online, you can supervise chat communications and associated attachments. Supervised chat conversations are sourced from previous conversations that are saved in Skype for Business Online. If you want to supervise user chat communications in Skype for Business Online, you have to assign individual users, or assign a distribution group to the communication compliance policy that you create. This setting is for one-to-one or one-to-many user/chat relationships.
As far as third-party sources go, communication compliance can scan communications from those third parties for data imported into mailboxes in your Microsoft 365 organization.
The list on your screen shows the third-party resources that are supported.
So, let’s wrap this lesson up with a quick review.
Communication Compliance Policies are used to specify the communications and users within your organization that are subject to review. They define the conditions that communications must meet, and they define the users who can perform reviews.
Policy Templates are built-in templates that contain common pre-defined policy settings. These are used to simplify the creation of communication compliance policies.
Policy Settings are used to define what your communication compliance policy will do. There are several customizable policy settings that are available, including Users, Direction, Sensitive Information Types, Custom Keyword Dictionaries, Classifiers, Conditional Settings, and Review Percentage.
Reviewers MUST have mailboxes that are hosted in Exchange Online, AND they must also be assigned the Case Management and Review roles.
Communication types that are supported by communication compliance include Microsoft Teams, Exchange email, Yammer, Skype for Business, and even some third-party platforms like Facebook, LinkedIn, Twitter, and SAP SuccessFactors. There’s also a custom connector available for other platforms.
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.