Register for Semperis' Hybrid Identity Protection (HIP) Conference - June 30 - July 1 Register for Semperis' Hybrid Identity Protection (HIP) Conference - June 30 - July 1
Microsoft Teams|Office|Office 365

Office 365 Supervision Policies Now Include Teams

Microsoft.com

Office 365 Policies to Monitor Communications

In November 2017, I wrote about supervision policies, a feature of Office 365 that allows administrators to configure policies to monitor the flow of email between specific users. The idea is that supervisors (those nominated to check the messages) can detect problems in the traffic, such as people discussing topics that they shouldn’t, revealing trade secrets, infringing regulations, or being rude about management.

Time moves on, especially quickly in the cloud. Internal communications in many Office 365 tenants changed with the introduction of Teams, now used by 500,000 organizations. The transfer of traffic from email to Teams varies from company to company, but there’s no doubt that some communications that used to take place in email are now in Teams personal chats or channel conversations.

Acknowledging the new world, Microsoft has refreshed supervision policies to make it possible to monitor Teams traffic.

New Supervision Policies

The process to configure a supervision policy is documented online. In a nutshell, what’s new is:

Coverage of messages sent in Teams personal chats and channel conversations. Figure 1 shows how to add individual users and groups to a policy. The important thing here is that if you add an individual, their personal Teams communications and email are monitored but not any contributions they make to Teams channels. To monitor channel conversations, you must add the team to the policy.

Teams in a supervision policy
Figure 1: Selecting target users and groups for a supervision policy (image credit: Tony Redmond)

If you want to include Teams messages in existing policies, you must edit those policies to add the target users and teams.

Support for Office 365 sensitive data types, as used in Data Loss Prevention (DLP) policies. If necessary, you can create a custom sensitive data type pointing to a dictionary of words that you want to use for monitoring. If you’re used to configuring DLP policies, setting up a supervision policy based on sensitive data (like passport or social security numbers) will hold no surprises.

New review processing in the Security and Compliance Center, including some widgets (Figure 2) to inform administrators how supervision is working. These widgets suffer from time lag too as the information they display is a couple of days behind (I love the flat-line graph for overall supervision status).

Office 365 Supervision Policies
Figure 2: A set of supervision policies in the Security and Compliance Center (image credit: Tony Redmond)

Reviewing Captured Messages

If you select a policy and are one of the designated reviewers, you can open it to see what’s happening. Depending on their settings, supervision policies can gather an enormous volume of traffic for review. The new interface is designed to speed up processing. For instance, you can select multiple messages and mark them with the same compliance status. That’s a big help compared to the previous requirement for individual review using OWA or Outlook (see below).

Figure 3 shows a set of messages including Teams channel messages, personal chats, and email captured by a supervision policy. The reviewer can view the content of the message and decide whether it complies with organizational policy or not.

Supervision Policy messages
Figure 2: Viewing different kinds of messages captured by policy (image credit: Tony Redmond)

If the message doesn’t comply, its processing moves outside the boundaries of Office 365 as HR or line management might get involved to coach the user about what they’ve done. The reviewer can download a copy of the offending message to give to HR or the line manager.

Outlook Reviews

If they don’t want to use the Security and Compliance Center, those appointed to review messages captured by supervision policies can use OWA (Figure 4) or Outlook to review and approve messages. The supervisory policy add-in (shown in the screen shot), which gives users options to mark messages as compliant or not, is loaded automatically into OWA. However, I didn’t see the add-in if I switched to the new OWA, so that might be a problem for Microsoft to solve.

OWA Review Items
Figure 4: Reviewing items in OWA (image credit: Tony Redmond)

The 24-Hour Black Box

Items captured from Teams can take up to 24 hours to appear in a supervision mailbox. That’s just too long, even if such a delay is usual in other similar products. Those products run outside Office 365, so a certain period is needed to transfer information from Office 365 and ingest into the other platform.

But supervision policies run in the Office 365 substrate, so there’s no excuse for delaying items that need to be checked. Email turns up in the supervision mailbox a few seconds after messages are sent and Office 365 captures Teams compliance records for personal chats and conversations in Exchange mailboxes soon after they are sent. Teams compliance records look exactly like the messages captured by supervision policies, so it’s a complete mystery why one capture takes seconds while the other takes hours. One wonders why Microsoft could not have tweaked the routine that captures compliance records, which is already well proven in production, to generate messages needed by supervision policies. After all, it’s just a matter of creating messages in mailboxes.

In reality, the 24-hour time lag won’t affect how people review messages. However, the delay is frustrating when creating and testing policies because you’re never quite sure if a policy works. Each time you change a policy that affects Teams, you must wait another day for the change to be effective and items to appear in the supervision mailbox.

Licensing Supervision Policies

Supervision policies are licensed through either the Office 365 E5 plan or the Office 365 E3 plan with the Advanced Compliance add-on. Given that the target audience is companies operating in highly-regulated industries, the cost shouldn’t be an issue.

Supervision Isn’t for Everyone

Relatively few Office 365 tenants will care much about supervision policies, but those that do care really care. Regulatory oversight and the potential of large financial penalties usually concentrate the mind on making sure that people do the right thing. If compliance means that email and Teams communications to be monitored on an ongoing basis, at least the tools are now available.

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (3)

3 responses to “Office 365 Supervision Policies Now Include Teams”

  1. collabguy

    Hi Tony. Thanks for the review / insights above. What do you mean by this paragraph - "If the message doesn’t comply, its processing moves outside the boundaries of Office 365 as HR or line management might get involved to coach the user about what they’ve done. The reviewer can download a copy of the offending message to give to HR or the line manager." I'd agree if it said that it "moves outside the boundaries of Supervision" ... but then I suppose "downloading" a message takes it outside the boundaries of Office 365 by creating a non-tracked copy on a device. Is that what you mean?

  2. collabguy

    One other thought, re your last paragraph. For versions of Supervision before this latest one, where policies were focused on regulatory compliance (e.g., FINRA), then yes, there's a very clear line between those firms that do and don't care. What I see Microsoft attempting to do with the new version, however, is to broaden the applicability of Supervision beyond just regulatory compliance. The new version is positioned to address three use cases: [1] compliance with communications monitoring regulations, e.g., FINRA, [2] internal communications policy monitoring, and [3] identifying risks in communications. For internal communications policy monitoring, the service is being positioned to help with monitoring acceptable use, ethical standards, and the presence of offensive language. For identifying risks, Microsoft suggests that the service can look for unauthorized communications about confidential projects. This is a much broader remit for Supervision, and can be used in parallel with other capabilities like DLP that provide real-time stop-and-block approaches to communications violations. Whether organizations go for the new use cases in Supervision or not, of course, remains to be seen.

Leave a Reply

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for Petri.com and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.

Register for the Hybrid Identity Protection (HIP) Europe Conference!

Hybrid Identity Protection (HIP) Europe 2021 - Virtual Conference

Mobile workforces, cloud applications, and digitalization are changing every aspect of the modern enterprise. And with radical transformation come new business risks. Hybrid Identity Protection (HIP) is the premier educational forum for identity-centric practitioners. At the inaugural HIP Europe, join your local IAM experts and Microsoft MVPs to learn all the latest from the Hybrid Identity world.