Teams Real Simple with Pictures: Setting up Supervision Policies for the Team

This blog is part of a series on Teams. For more articles, check back often. 

Written: 19/08/2019 | Updated: N/A

Supervision policies in Microsoft 365 are defined as capturing employee communications for examination by designated reviewers (docs.com). In layman’s terms, this means policies can be set up so that someone can review the communications of team members who may be disclosing sensitive information or violating HR policy through the use of profanity, racial slurs, taunts or sexually explicit language in Teams channels and private messages.

Of course, in an ideal world there would be no need for supervision – and whilst we can respect and admire the argument that trust alone should be enough amongst responsible adults and consummate professionals, trust alone does not always alert the business to a leak of sensitive information or help to safeguard employees against harassment, bullying, racism, sexism, ageism or a myriad of other issues borne out of unsupervised communications.

Whether it is for corporate policies, risk management or regulatory compliance, Supervision is all about doing the right thing, so it is an essential tool in the kit bag for Microsoft Teams governance. Like DLP, it is recommended for any Teams rollout.

WHY WOULD WE DO IT?

  • To prevent harassment, bullying, racism and sexism in the Team
  • To be alerted to any disclosure of private information within the Team
  • To implement supervised messaging for compliance purposes

PREREQUISITES

To set up:

  • Office/Microsoft 365 E5 or an E3 with Advanced Compliance Add On
  • Supervisory Review Role

All users being supervised must also have E5 or E3 with Advanced Compliance. The Global Administrator role has Supervisory Review included. If the reviewer needs to review in the Security and Compliance Centre (SCC) as opposed to OWA/Outlook they will also need to have this role. It is added in the permissions section of the SCC.

Should multiple people need to review supervised users across a policy or multiple policies, it is recommended to set up one or more security groups to avoid complexity.

HOW

1.) Log into Microsoft 365 at https://login.microsoftonline.com 

2.) Select Admin

3.) Under Admin Centres in the left navigation select Compliance

4.) Select More Resources in the left navigation. Under Office 365 Security & Compliance Centre select Open

5.) Select Classification then Sensitive Info Types in the left navigation. Select Create 

6.) Enter a Name and Description of the Sensitive Info Type. In this example we’ll use Expletives. Select Next

7.) Select Add an Element

8.) Set Detect Content Containing to Dictionary (Large Keywords) and select Add a Dictionary

9.) If there are no pre-existing dictionaries, Select You can create new keyword dictionaries here

10.) Create the keyword dictionary and Save. Highlight the dictionary and then Add

11.) Select Next

12.) Select Finish and check the sensitive info type has been created (as shown here by the creation of sensitive info type Expletives). At this point several other sensitive info types can be created such as Racist Language, Sexually Explicit Language if required

13.) Select Supervision in the left navigation and then Create

14.) Enter a Name and Description. In this example we’ll use Expletives. Select Next

15.) Add Groups or Users to Supervise. This section is important. For Teams channel conversations, Office 365 Groups must be selected, and for private chat, individual users must be selected. To manage large numbers of individual users, a distribution list can be used; unless it already exists, it must be created at this point in the Microsoft 365 Admin Centre or the Exchange Admin Centre

Ensure all boxes for Teams are selected, and select Next. Non-supervised users who are exempt from the policy (i.e. within an Office 365 Group or Distribution List) can also be added at this point

16.) Select Inbound, Outbound and Internal communications to cover all directions of communication with the Team. At this point it may also be worth selecting Use match data model condition (Offensive Language), which uses machine learning and AI to augment the dictionary keywords added earlier. Select Next

17.) Select the percentage of communications to be reviewed. Select Next

18.) Select the Reviewers. This could be an individual or, as mentioned previously, if it is multiple people, select the security group. Select Next

19.) Review the settings and then select Finish. Check that the Supervision Policy has been applied

20.) Our work here is done. The supervision policy has been applied. Several more policies can be created by repeating the steps above

What happens once the policy has been applied?

As referenced in docs.com, emails subject to defined policies are processed in near real-time and can be tested immediately after the policy is configured. Chats in Microsoft Teams can take up to 24 hours to fully process in a policy and appear in the supervision portal or within the reviewer’s OWA/Outlook.

Let’s look at the Expletives policy created above.

Lidia is the reviewer of the policy. If Megan emails the Team shortly after it has been created, it will trigger the policy and Lidia will be able to see this in OWA or in Outlook

With the correct permissions, Lidia will also be able to see this in the Supervision area of the Security and Compliance Centre by selecting and opening the policy

However, it will be 24 hours (or sometimes longer) before chats such as these come through

An example would be here, as previously tested on a policy called Profanity where Megan is the reviewer. As you can see, this is for a private message which has been logged in the supervision mailbox in OWA/Outlook

So a period of testing the supervision policy is recommended, with active participants who can trigger it via email and chats, prior to rolling it out to the Team. Testing would also include the management of the policy violations in terms of tagging and resolving them as required. Reports for Supervision are available from the reports in the Security and Compliance Centre. These will also take a few days to populate.

Supervision can be managed via PowerShell as outlined here
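
The policy, supervised group, review percentage and reviewer from the steps above, created from Security & Compliance PowerShell instead of the portal. This is an added example, not code from the original post: the addresses and keyword terms are constructed placeholders, and it substitutes an inline keyword condition for the Expletives sensitive info type built in steps 5 to 12.

```powershell
# Added example. All addresses and terms below are constructed placeholders.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds the Supervisory Review role described under PREREQUISITES.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$policyName = 'Expletives'
$reviewer   = 'lidia@contoso.example'   # step 18: individual or security group
$supervised = 'team@contoso.example'    # step 15: group or distribution list
$sampleRate = 100                       # step 17: percentage to review
$keywords   = @('placeholder-term-1', 'placeholder-term-2')

# Steps 13, 14 and 18: the policy object carries the name and the reviewers.
New-SupervisoryReviewPolicyV2 -Name $policyName `
    -Reviewers $reviewer `
    -Comment 'Flags expletives in team communications'

# Steps 15 to 17: the rule carries who is supervised, what matches and
# how much is sampled. The condition reads:
#   ((Reviewee:<group>) AND ((term1) OR (term2)))
$terms     = ($keywords | ForEach-Object { "($_)" }) -join ' OR '
$condition = "((Reviewee:$supervised) AND ($terms))"

New-SupervisoryReviewRule -Name "$policyName rule" `
    -Policy $policyName `
    -SamplingRate $sampleRate `
    -Condition $condition

# Step 19: read both objects back and compare them with what was intended
# before asking test participants to trigger the policy.
Get-SupervisoryReviewPolicyV2 -Identity $policyName | Format-List
Get-SupervisoryReviewRule -Policy $policyName | Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Open the policy in the Supervision area of the SCC afterwards to confirm that the Teams options from step 15 and the reviewer are as intended.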