Introduction to communication compliance policies

Communication compliance policies

Communication compliance policies in your organization determine which communications and users are subject to review. These policies also outline the specific conditions that the communications must meet and specify the individuals responsible for conducting the reviews. The Communication Compliance Admins role enables access to policy setup on the Communication compliance page and relevant settings. A record of policy modifications, alerts, and resolved items can be exported as a .csv file. Policies can't be renamed and can be deleted when no longer needed.

You create communication compliance policies for Microsoft 365 organizations in the Microsoft Purview compliance portal. Using PowerShell to create and manage communication compliance policies isn't supported.

Policy templates

Policy templates contain predefined policy settings that you can use to quickly create policies to address common compliance scenarios. The templates differ in conditions and scope, but all of them use the same types of scanning signals. You can choose from the following policy templates in the Microsoft Purview compliance portal:

| Area | Policy template | Details |
|---|---|---|
| Inappropriate text | Detect inappropriate text | Locations: Exchange Online, Microsoft Teams, Yammer; Direction: Inbound, Outbound, Internal; Review Percentage: 100%; Conditions: Threat, Discrimination, Targeted harassment classifiers |
| Inappropriate images | Detect inappropriate images | Locations: Exchange Online, Microsoft Teams, Yammer; Direction: Inbound, Outbound, Internal; Review Percentage: 100%; Conditions: Adult, Racy image classifiers |
| Sensitive information | Detect sensitive info types | Locations: Exchange Online, Microsoft Teams, Yammer; Direction: Inbound, Outbound, Internal; Review Percentage: 10%; Conditions: Sensitive information, content patterns, custom dictionary option, attachments larger than 1 MB |
| Regulatory compliance | Detect financial regulatory compliance | Locations: Exchange Online, Microsoft Teams, Yammer; Direction: Inbound, Outbound; Review Percentage: 10%; Conditions: Customer complaints, Gifts & entertainment, Money laundering, Regulatory collusion, Stock manipulation, Unauthorized disclosure classifiers |
| Conflict of interest | Detect conflict of interest | Locations: Exchange Online, Microsoft Teams, Yammer; Direction: Internal; Review Percentage: 100%; Conditions: None |

User-reported messages policy

To help maintain a safe and compliant work environment, users can report inappropriate messages in Microsoft Teams. This feature allows users to report internal personal and group chat messages containing harassment, adult content, or sensitive information. The Report inappropriate content option in Teams messages is enabled by default in the Teams admin center and supports reporting messages in Teams group and private chats.

Screenshot of reporting a message in Microsoft Teams.

When a user reports a message, it's copied to the User-reported message policy, but remains visible to chat members without any notification. Reviewers can take standard remediation actions during the review process, including removing the message from the chat.

Screenshot of user-reported in the Communication compliance portal.

Admins should immediately assign custom reviewers to the User-reported messages policy, such as Compliance Officers or HR members. Follow these steps to customize the reviewers for chat messages:

  1. Sign in to the Microsoft Purview compliance portal.
  2. Go to Communication compliance.
  3. On the Policy tab, select the User-reported messages policy and select Edit.
  4. On the Detect user-reported messages pane, assign reviewers for the policy. Reviewers must have mailboxes hosted on Exchange Online.
  5. Select Save.

The Report inappropriate content option is enabled by default and can be controlled via Teams messaging policies in the Teams Admin Center. Edit the global policy or create custom policies to turn the option on or off.

Policy settings

You can customize several policy settings:

  • Users. You can select All users or specific users in a communication compliance policy. Selecting All users applies the policy to all users and all groups that any user is included in as a member. Defining specific users applies the policy to the defined users and any groups the defined users are included in as a member.
  • Direction. Direction settings in a policy can be chosen individually or together:
    • Inbound. You can choose Inbound to review communications sent to the people you chose to supervise.
    • Outbound. You can choose Outbound if you want to review communications sent from the people you chose to supervise.
    • Internal. You can choose Internal to review communications sent between the people you identified in the policy.
  • Sensitive information types. You have the option of including sensitive information types to help identify and protect credit card numbers, bank account numbers, passport numbers, and more. As a part of data loss prevention (DLP), the sensitive information configuration uses various methods to identify and flag content that may be sensitive. These methods include patterns, character proximity, confidence levels, and even custom data types.

    To learn more about sensitive information details and the patterns included in the default types, see What sensitive information types look for.

  • Custom keyword dictionaries. You can create custom dictionaries when you need to support terms or languages specific to your organization and policies. For more information, see Create a keyword dictionary.

  • Classifiers. Built-in classifiers scan sent or received messages across all communication channels in your organization for different types of compliance issues. Classifiers use a combination of artificial intelligence and keywords to identify language in messages likely to violate anti-harassment policies. Communication compliance built-in classifiers scan communications for terms and sentiment for the following types of language:

    • Harassment. Scans for offensive conduct targeting people regarding race, color, religion, national/regional origin.
    • Profanity. Scans for profane expressions that embarrass most people.
    • Threat. Scans for threats to commit violence or physical harm to a person or property.

    For information about classifiers in Microsoft 365, see Classifiers.

  • Images. Communication compliance detects images of the following types:

    | Classifier | Description |
    |---|---|
    | Adult images | Detects images that are potentially sexually explicit. |
    | Gory images | Detects images that potentially depict violence and gore. |
    | Racy images | Detects images that are potentially sexually suggestive, but contain less explicit content than images deemed as Adult. |

    For information about applying content flags that can detect adult, gory, and racy material in images, see Adult content detection.

  • Language. Communication compliance policies with classifiers check messages with a minimum word count, depending on the language. For a list of supported languages, word count requirements, and file types, see Trainable classifier definitions. To identify inappropriate language in messages that don't meet the word count, create a custom keyword dictionary for policies detecting such content. This table provides more information about each classifier that is available.

  • Conditional settings. The conditions you choose for the policy apply to communications from both email and third-party sources in your organization (like from Facebook or Dropbox). This table explains more about each condition that is available and when to use it.

  • Review percentage. If you want to reduce the amount of content to review, you can specify a percentage of all the communications governed by a supervision policy. A real-time, random sample of content is selected from the total percentage of content that matches chosen policy conditions. If you want reviewers to review all items, you can configure 100% in a communication compliance policy.

Supervised users and reviewers

Before you start using communication compliance, you must determine who needs their communications reviewed. In the policy, user email addresses identify individuals or groups of people to supervise. Some examples of these groups are Microsoft 365 Groups, Exchange-based distribution lists, and Microsoft Teams channels. You also can exclude specific users or groups from scanning with a specific exclusion group or a list of groups.

Before you create a communication compliance policy, you must also determine who reviews the messages of the supervised users. In the policy, user email addresses identify individuals or groups of people to review supervised communications. All reviewers must have mailboxes hosted on Exchange Online and must be assigned the Case Management and Review roles.

To simplify your setup, you can create groups for people who need their communications reviewed and groups for people who review those communications. If you're using groups, you might need several, for example, if you want to scan communications between two distinct groups of people, or if you want to specify a group that isn't supervised.

When you select a Microsoft 365 group for supervised users, the policy scans the content of the shared Office 365 mailbox and the Microsoft Teams channels associated with the group. When you select a distribution list, the policy scans individual user mailboxes.

Integration with Microsoft 365 services

Communication compliance policies check, detect, and capture messages across several communication channels to help you quickly review and remediate compliance issues:

  • Microsoft Teams: Communication compliance supports chat communications in both public and private Microsoft Teams channels and individual chats. These chat communications can be used on their own or in combination with other Microsoft 365 services. You need to manually add individual users, distribution groups, or specific Microsoft Teams channels when you select users and groups to apply a communication compliance policy to. Teams users can also self-report potentially inappropriate messages in private and group channels and chats for review and remediation.
  • Exchange Online: All mailboxes hosted on Exchange Online in your Microsoft 365 organization are eligible for analysis. Emails and attachments matching communication compliance policy conditions are instantly available for investigation and in compliance reports. Exchange Online is now an optional source channel and is no longer required in communication compliance policies.
  • Yammer: Private messages and public community conversations in Yammer are supported in communication compliance policies. Yammer is an optional channel and must be in native mode to support checking of messages and attachments.
  • Third-party sources: You can check messages from third-party sources for data imported into mailboxes in your Microsoft 365 organization. Communication compliance supports connections to several popular platforms, including Instant Bloomberg and others.

To learn more about messaging channel support in communication compliance policies, see Detect channel signals with communication compliance.
