Managing Communication Risks in Microsoft 365

2021-11-11 // By Penny Morgan

It’s no secret that many organizations have faced some changes in their workplace recently. Many organizations are now conducting work remotely and new communication and collaboration platforms are quickly being adopted. These new scenarios not only heighten an organization’s risk exposure, but also bring greater needs to support employees in adopting these new challenges.

A primary goal for any organization is to ensure these communication platforms are compliant, yet agile. They will seek out technology which allows them to empower employees to do their best work in this new environment, but also need to effectively manage risk in communications to protect company assets and detect code of conduct violations, such as inappropriate communications containing profanity, threats, and harassment and communications that share sensitive information inside and outside of your organization.

Communication Compliance, an insider risk solution that can be found in the Microsoft 365 Compliance Center, is designed to help meet those needs. It provides the necessary visibility, processes and controls to detect and mitigate inappropriate conduct, while aligning to the cultural, legal, and privacy requirements under which these organizations must operate.

Communication Compliance helps organizations detect, capture and take remediation actions upon various types of code of conduct violations as well as regulatory compliance requirements within company communications, with as little disruption possible to the business.

Microsoft offers both pre-defined and custom policies allowing you to scan internal and external communications across several different Microsoft 365 workloads (Microsoft Teams, Skype for Business Online, Exchange Online, Yammer, or third-party communications) for policy matches so they can be examined by designated reviewers. Reviewers can investigate these flagged communications and take appropriate actions to make sure they're compliant with your organization's messaging standards.

If the features of Communication Compliance sound familiar, you may already be familiar with its predecessor, Supervision (Supervisory reviews). If your organization is currently using supervision policies, you’ll want to transition to the new communication compliance policies as soon as possible. Unfortunately, there is no method to “migrate” or “upgrade” the legacy policies to the new platform. Messages (data) saved in supervision policy matches also can’t be moved or shared into communication compliance in Microsoft 365. Microsoft recommends creating new policies in communication compliance that have the same settings as existing supervision policies to use the new investigation and remediation improvements. For organizations with both solutions used side by side during the transition process, policies used in each solution must have unique policy names.

Before getting started with communication compliance, there are some additional planning activities and considerations that you should review as well. For instance, you’ll want to identify the appropriate people who will take on the responsibility for implementing and managing communication compliance and assign them the appropriate permissions to do so. There are five pre-defined role groups used to configure permissions to manage communication compliance features. Depending on how you wish to manage communication policies and alerts, you'll need to assign users to these specific role groups.

You must also determine who needs their communications reviewed. In the policy, you will identify individuals or groups (ie Microsoft 365 Groups, Exchange-based distribution lists, Yammer communities, and Microsoft Teams channels) of people to supervise by simply specifying their email address. Users covered by communication compliance policies must have either a Microsoft 365 E5 Compliance license, an Office 365 Enterprise E3 license with the Advanced Compliance add-on, or be included in an Office 365 Enterprise E5 subscription.

When you create a communication compliance policy, you must also determine who reviews the messages of the supervised users. All reviewers must have mailboxes hosted on Exchange Online and must be assigned appropriate roles. When reviewers are added to a policy, they automatically receive an email message that notifies them of the assignment to the policy and provides links to information about the review process. To simplify your setup, you can create groups for people who need their communications reviewed and groups for people who review those communications.

Protecting the privacy of users that have policy matches may also be important and can help promote objectivity in data investigation and analysis reviews for policy alerts. For users with a communication compliance policy match, you can choose to show anonymized versions of usernames. For example, a user named ‘Sally Smith’ would appear with a randomized pseudonym such as 'AnonIS7-866' in all areas of the communication compliance experience. Choosing this setting anonymizes all users with current and past policy matches and applies to all policies. User profile information in the communication compliance alert details will not be available when this option is chosen. However, user names are displayed when adding new users to existing policies or when assigning users to new policies. If you choose to turn off this setting, user names are displayed for all users that have current or past policy matches.

Creating communication compliance policies is a quick and easy process, especially when using the pre-defined templates for inappropriate content, sensitive information, and regulatory compliance. Custom communication compliance policies allow for even more flexibility in detecting and investigation issues specific to your organization and requirements.

Microsoft recently announced several new capabilities, currently in public preview, that further enhance Communication Compliance, including day zero insights, deeper integration with Microsoft Teams, advanced reporting capabilities, additional language support, and richer onboarding to make it even easier to get started. Check out this recent announcement for more details on these features: Discover and Manage Communication Risks with Communication Compliance.

Communication Compliance is just part of a large insider-risk management landscape for organizations and is specifically addressing an increasingly important aspect of the modern workplace where not only communication is spreading across a growing number of diverse channels, but also the number of regulations to comply with is increasing. Organizations will need to leverage tools like this to be able to tackle this compliance concern at scale.

To learn more about Communication Compliance, you may want to start with Microsoft’s documentation: Communication Compliance in Microsoft 365. Or, if sifting through documentation doesn’t sound exciting, maybe some hands-on, instructor-led training would interest you more. If so, check out the LRS Education Services course catalog for the many Microsoft 365 courses available.

If cloud technologies and/or being a Microsoft 365 administrator are new adventures for you, the following courses may be of interest:

MS--900T01 - Microsoft 365 Fundamentals

MS--030T00 - Office 365 Administrator

If you have some experience and are looking specifically for more information on security and compliance, you may want to check out the following courses:

SC-900T00 - Microsoft Security, Compliance, and Identity Fundamentals

SC-200T00 - Microsoft Security Operations Analyst

MS-500T00 – Microsoft 365 Security Administration

We’d love to have you attend in person or virtually using our Virtual Training platform. And in case you didn’t know, however you choose to attend these courses, you may also receive a FREE Microsoft Certification exam voucher to get you moving down the road to certification.

If you have any questions or would like more information regarding courses scheduled at LRS Education Services, please call 877.832.0688 extension 1493 or email us at getsmart@LRS.com.

Penny Morgan, LRS Education Services
MCT, MCSA, MCITP, MCTS, MCSE, MCP
Microsoft 365 Certified: Fundamentals
Microsoft 365 Certified: Enterprise Administrator Expert
Microsoft 365 Certified: Security Administrator Associate
Microsoft 365 Certified: Messaging Administrator Associate
Microsoft 365 Certified: Teams Administrator Associate
Microsoft Certified: Azure Fundamentals
Microsoft Certified: Azure Administrator Associate

Start Wide, Go Deep with Microsoft Security SC-200 Course

Microsoft designed their recently updated Microsoft Security Operations Analyst course (SC-200) using a method that lends itself well not only to learning, but also to implementation.

Winter 2024 Newsletter and Schedule

Read the Winter 2024 newsletter and course information.

Happy holidays or bah humbug due to cyber attacks?

Here are a few tips to help you stay safe online while buying gifts this holiday season.

Webinar Recording: The NIST Cybersecurity Framework 2.0 Initial Public Draft

This webinar discusses the NIST Cybersecurity Framework 2.0 Initial Public Draft, with updates making it easier to implement the tool to improve cybersecurity programs.

Microsoft Teams desktop client update!

Here we are, in October, with the newly released Microsoft Teams desktop client being made publicly available for Windows and Mac.