Office 365 Policies to Monitor Communications
In November 2017, I wrote about supervision policies, a feature of Office 365 that allows administrators to configure policies to monitor the flow of email between specific users. The idea is that supervisors (those nominated to check the messages) can detect problems in the traffic, such as people discussing topics that they shouldn’t, revealing trade secrets, infringing regulations, or being rude about management.
Time moves on, especially quickly in the cloud. Internal communications in many Office 365 tenants changed with the introduction of Teams, now used by 500,000 organizations. The transfer of traffic from email to Teams varies from company to company, but there’s no doubt that some communications that used to take place in email are now in Teams personal chats or channel conversations.
Acknowledging the new world, Microsoft has refreshed supervision policies to make it possible to monitor Teams traffic.
New Supervision Policies
The process to configure a supervision policy is documented online. In a nutshell, what’s new is:
Coverage of messages sent in Teams personal chats and channel conversations. Figure 1 shows how to add individual users and groups to a policy. The important thing here is that if you add an individual, their personal Teams communications and email are monitored but not any contributions they make to Teams channels. To monitor channel conversations, you must add the team to the policy.
If you want to include Teams messages in existing policies, you must edit those policies to add the target users and teams.
Support for Office 365 sensitive data types, as used in Data Loss Prevention (DLP) policies. If necessary, you can create a custom sensitive data type pointing to a dictionary of words that you want to use for monitoring. If you’re used to configuring DLP policies, setting up a supervision policy based on sensitive data (like passport or social security numbers) will hold no surprises.
New review processing in the Security and Compliance Center, including some widgets (Figure 2) to inform administrators how supervision is working. These widgets suffer from time lag too as the information they display is a couple of days behind (I love the flat-line graph for overall supervision status).
Reviewing Captured Messages
If you select a policy and are one of the designated reviewers, you can open it to see what’s happening. Depending on their settings, supervision policies can gather an enormous volume of traffic for review. The new interface is designed to speed up processing. For instance, you can select multiple messages and mark them with the same compliance status. That’s a big help compared to the previous requirement for individual review using OWA or Outlook (see below).
Figure 3 shows a set of messages including Teams channel messages, personal chats, and email captured by a supervision policy. The reviewer can view the content of the message and decide whether it complies with organizational policy or not.
If the message doesn’t comply, its processing moves outside the boundaries of Office 365 as HR or line management might get involved to coach the user about what they’ve done. The reviewer can download a copy of the offending message to give to HR or the line manager.
If they don’t want to use the Security and Compliance Center, those appointed to review messages captured by supervision policies can use OWA (Figure 4) or Outlook to review and approve messages. The supervisory policy add-in (shown in the screen shot), which gives users options to mark messages as compliant or not, is loaded automatically into OWA. However, I didn’t see the add-in if I switched to the new OWA, so that might be a problem for Microsoft to solve.
The 24-Hour Black Box
Items captured from Teams can take up to 24 hours to appear in a supervision mailbox. That’s just too long, even if such a delay is usual in other similar products. Those products run outside Office 365, so a certain period is needed to transfer information from Office 365 and ingest into the other platform.
But supervision policies run in the Office 365 substrate, so there’s no excuse for delaying items that need to be checked. Email turns up in the supervision mailbox a few seconds after messages are sent and Office 365 captures Teams compliance records for personal chats and conversations in Exchange mailboxes soon after they are sent. Teams compliance records look exactly like the messages captured by supervision policies, so it’s a complete mystery why one capture takes seconds while the other takes hours. One wonders why Microsoft could not have tweaked the routine that captures compliance records, which is already well proven in production, to generate messages needed by supervision policies. After all, it’s just a matter of creating messages in mailboxes.
In reality, the 24-hour time lag won’t affect how people review messages. However, the delay is frustrating when creating and testing policies because you’re never quite sure if a policy works. Each time you change a policy that affects Teams, you must wait another day for the change to be effective and items to appear in the supervision mailbox.
Licensing Supervision Policies
Supervision policies are licensed through either the Office 365 E5 plan or the Office 365 E3 plan with the Advanced Compliance add-on. Given that the target audience is companies operating in highly-regulated industries, the cost shouldn’t be an issue.
Supervision Isn’t for Everyone
Relatively few Office 365 tenants will care much about supervision policies, but those that do care really care. Regulatory oversight and the potential of large financial penalties usually concentrate the mind on making sure that people do the right thing. If compliance means that email and Teams communications to be monitored on an ongoing basis, at least the tools are now available.