Plan for communication compliance

Completed

Before you start working on communication compliance in your organization, it's essential to discuss important planning activities and considerations with your IT and compliance management teams. By understanding and preparing for deployment in the following areas, you can ensure a successful implementation that aligns with best practices for the solution.

Work with stakeholders in your organization

To effectively manage communication compliance alerts, identify the appropriate stakeholders in your organization. Consider including representatives from the following areas in the initial planning and throughout the communication compliance workflow:

  • Information technology
  • Compliance
  • Privacy
  • Security
  • Human resources
  • Legal

Plan for the investigation and remediation workflow

Choose dedicated stakeholders to regularly investigate and review alerts and cases in the Microsoft Purview compliance portal. Ensure you understand how to assign users and stakeholders to different communication compliance role groups within your organization.

Configure permissions

There are six role groups that help you manage communication compliance features. To access Communication compliance in the Microsoft Purview compliance portal and follow the configuration steps, you need to be a member of one of those groups. For more details, check out Enable permissions for communication compliance.

Scoped users

Before using communication compliance, decide which users' communications need to be reviewed. In the policy, you use email addresses to identify individuals or groups of people the policy applies to. Examples of these groups include Microsoft 365 Groups, Exchange-based distribution lists, Yammer communities, and Microsoft Teams channels. You can also exclude specific users or groups from being checked by using an exclusion group or a list of groups. For more information about the types of groups supported in communication compliance policies, see Get started with communication compliance.

Selecting reviewers

When creating a communication compliance policy, you need to decide who reviews messages of scoped users. In the policy, use email addresses to identify individuals or groups responsible for reviewing these communications. All reviewers must meet these requirements:

  1. Have mailboxes hosted on Exchange Online.
  2. Be assigned to either the Communication Compliance Analysts or Communication Compliance Investigators role groups.
  3. Be assigned to the policy they need to investigate.

When added to a policy, reviewers automatically receive an email notifying them of their assignment and providing links to information about the review process.

Groups for scoped users and reviewers

To make setup easier, we recommend creating groups for people whose communications need to be reviewed and groups for people who review those communications. You might need several groups, for example, if you want to identify communications between two distinct groups of people or specify a group that isn't in scope. When you assign a Distribution group in the policy, the policy detects all emails from each user in the Distribution group. When you assign a Microsoft 365 group in the policy, the policy detects all emails sent to that group, not the individual emails received by each group member.

Note

Before you create a policy, you should decide whether you want to apply an adaptive scope for users or groups. For more information, see Adaptive policy scopes for compliance solutions.

When setting up communication compliance policies, you can configure groups and distribution lists as part of the conditions and rules. Each policy can support around 20 groups or distribution lists, depending on the number of additional conditions in the policy.

The following chart can help you configure groups in your organization for communication compliance policies:

Policy Member Supported Groups Unsupported Groups
Scoped users
Excluded users
Distribution groups
Microsoft 365 Groups
Dynamic distribution groups
Nested distribution groups
Mail-enabled security groups
Microsoft 365 groups with dynamic membership
Reviewers None Distribution groups
Dynamic distribution groups
Nested distribution groups
Mail-enabled security groups

Privacy

To protect user privacy, you can choose to anonymize usernames in communication compliance alerts. This setting only applies to user names displayed in the communication compliance solution and doesn't affect other compliance solutions or admin centers.

You can select one of the following settings in Communication compliance settings:

  • Show anonymized versions of usernames: Usernames are anonymized, and users in the Communication Compliance Analysts role group see randomized pseudonyms instead of actual names. Users in the Communication Compliance Investigators role group see actual usernames.
  • Do not show anonymized versions of usernames: Usernames are displayed for all current and past policy matches for communication compliance alerts, along with user profile information.

Plan for communication compliance policies

When planning communication compliance policies, consider including all users in your organization, decide whether to apply an adaptive scope, configure the percentage of communications to review, and analyze communications from third-party sources if needed. Keep in mind that all organizations have different communication standards and policy needs. Detect specific keywords using communication compliance policy conditions or detect specific types of information with custom sensitive information types. You can also support detecting languages other than English by building custom keyword dictionaries or using trainable classifiers in Microsoft 365.