This blog is part of a series on Teams. For more articles, check back often.
Written: 19/08/2019 | Updated: N/A
Supervision policies in Microsoft 365 are defined as capturing employee communications for examination by designated reviewers (docs.com). In layman’s this means policies can be set up for someone to review team members communications who may be disclosing sensitive information or violating HR policy in the use of profanity, racial slurs, taunts or sexually explicit language in Teams channels and private messages.
Of course, in an ideal world there would be no need for supervision – and whilst we can respect and admire the argument that trust alone should be enough amongst responsible adults and consummate professionals, trust alone does not always alert the business to a leak of sensitive information or help to safeguard employees against harassment, bullying, racism, sexism, ageism or a myriad of other issues borne out of unsupervised communications.
Whether it is for corporate policies, risk management or regulatory compliance, Supervision is all about doing the right thing so it is an essential tool in the kit bag for Microsoft Teams governance. Like DLP it is recommended to be applied to any Teams roll out.
WHY WOULD WE DO IT?
- To prevent harassment, bullying, racism and sexism in the Team
- To be alerted to any disclosure of private information within the Team
- To implement supervised messaging for compliance purposes
- Office/Microsoft 365 E5 or an E3 with Advanced Compliance Add On
- Supervisory Review Role
All users being supervised must also have E5 or E3 with Advanced Compliance. The Global Administrator role has Supervisory Review included. If the reviewer needs to review in the Security and Compliance Centre (SCC) as opposed to OWA/Outlook they will also need to have this role. It is added in the permissions section of the SCC.
Should multiple people need to review supervised users across a policy or multiple policies then it is recommended to setup one or multiple security groups to avoid complexity
1.) Log into Microsoft 365 at https://login.microsoftonline.com
2.) Select Admin
3.) Under Admin Centres in the left navigation select Compliance
4.) Select More Resources in the left navigation. Under Office 365 Security & Compliance Centre select Open
5.) Select Classification then Sensitive Info Types in the left navigation. Select Create
6.) Enter a Name and Description of the Sensitive Info Type. In this example we’ll use Expletives. Select Next
7.) Select Add an Element
8.) Set Detect Content Containing to Dictionary (Large Keywords) and select Add a Dictionary
9.) If there are no pre-existing dictionaries, Select You can create new keyword dictionaries here
10.) Create the keyword dictionary and Save. Highlight the dictionary and then Add
11.) Select Next
12.) Select Finish and check the sensitive info type has been created (as shown here by the creation of sensitive info type Expletives). At this point several other sensitive info types can be created such as Racist Language, Sexually Explicit Language if required
13.) Select Supervision in the left navigation and then Create
14.) Enter a Name and Description. In this example we’ll use Expletives. Select Next
15.) Add Groups or Users to Supervise. This section is important. For Teams channel conversations, Office 365 Groups must be selected and for private chat Individual users must be selected. In order to manage large numbers of individual users a distribution list can be used and must be added at this point in the Microsoft 365 Admin Centre or the Exchange Admin Centre (unless it already exists)
Ensure all boxes for Teams are selected, and select Next. Non supervised users who are exempt from the policy (I.e. within an Office 365 Group or Distribution List) can also be added at this point
16.) Select Inbound, Outbound and Internal communications to cover all directions of communication with the Team. At this point it may also be worth selecting use match data model condition (Offensive Language) which uses machine learning and AI to augment the dictionary keywords added earlier. Select Next
17.) Select the percentage of communications to be reviewed. Select Next
18.) Select the Reviewers. This could be an individual, or as mentioned previously if it is multiple people select the security group. Select Next
19.) Review the settings and then select Finish. Check that the Supervision Policy has been applied
20.) Our work here is done. The supervision policy has been applied. Several more policies can be created by repeating the steps above
What happens once the policy has been applied?
As referenced in docs.com, Emails subject to defined policies are processed in near real-time and can be tested immediately after the policy is configured. Chats in Microsoft Teams can take up to 24 hours to fully process in a policy and appear in the supervision portal or within the reviewers OWA/Outlook.
Let’s look at the Expletives policy above recently created.
Lidia is the reviewer of the policy. If Megan emails the Team shortly after it has been created as shown here
It will trigger the policy and Lidia will be able to see this in OWA or in Outlook
With correct permissions Lidia will also be able to see this in the Supervision area of the Security and Compliance Centre by selecting and opening the policy
However, it will be 24 hours (or sometimes longer) before chats such as these come through
An example would be here as previously tested on a policy called Profanity where Megan is the reviewer. As you can see this is for a private message which has been logged in the supervision mailbox in OWA/Outlook
So a period of testing the supervision policy is recommended with active participants who can trigger it via email and chats prior to rolling it out to the Team. Testing would also include the management of the policy violations in terms of tagging and resolving them as required. Reports for Supervision are available from the reports in the Security and Compliance Centre. These will also take a few days to populate.
Supervision can be managed via Powershell as outlined here