It’s not all about the data! Protecting Your Users in Teams with Communications Compliance

Associated Microsoft Ignite Sessions
CTS04 | Protect Everything with End-to-End Security
BRK241 | Manage risk and compliance with end-to-end security solutions
OD187 | Insider Risks, Beware! How M365 secures & supports your organization from the inside out

Microsoft Ignite Book of News: Here

In recent years studies by Microsoft have shown that on average

  • 61% of apps go undetected by IT (2019)
  • There are 99 days between infiltration and detection (2018)
  • 59% of leavers take sensitive data with them

These are worrying trends.

As administrators if we don’t know or have line of sight of the apps our users are using; or have any idea if malicious actors are already inside of our network; if we cannot control our own data from insider threats it begs the question – what else are we missing? Are we aware of – or do we have any control over – our users’ devices? Do we drive their servicing to ensure they are current and have the latest protection? Are we thinking about concepts such as Zero Trust or Conditional Access or AI driven security? Investing in Passwordless? Do we know what a SIEM is? What MITRE attack is? And do we have any oversight of regulatory or code of conduct violations through the apps we use like Exchange, Yammer, and Microsoft Teams?

Earlier this year I spoke at aMS Marseille on Microsoft Teams and Communication Compliance. It’s an area of Teams I am passionate about since the consequences of harassment, racism, sexism, homophobia, transphobia or the divulgence of secrets or sensitive data in communications can be devastating for both the organisation and the individual. Here I am talking about legal action, loss of IP, loss of competitive advantage, damage to the brand and reputation, a culture of mistrust, a loss of faith in leadership. Worst of all it could mean self-harm, or the harm of another.

Having attended Ignite last week. Communications Compliance was back on the agenda. But before we look at the new innovations to make it better and more valuable for us, let’s recap on what Communications Compliance is, how do we apply it to Teams and what features really jump out when we start using it.

What is Communications Compliance?

Communication compliance is an insider risk solution in Microsoft 365 which can be applied to Exchange, Yammer, or Microsoft Teams. It helps minimize risks by helping you detect, capture, and act on inappropriate messages in your organization. Let’s identify some of the following scenarios where Communications Compliance may help us day to day in Microsoft Teams

  • Identifying aggressive language and profanity in private chats or channel conversations
  • Identifying racial, sexist, or homophobic language in private chats or channel conversations
  • Identifying explicit images in private chats or channel conversations
  • Identifying sensitive information on a confidential project in private chats or channel conversations

By configuring policies, scanning content, and examining matches which violate either regulatory standards or our own organisations code of conduct, an organisation can take action to safeguard users and stop situations developing such as harassment and discrimination of an employee, conflict of interest, money laundering, insider trading, collusion, or bribery activities.

Configure - Investigate - Remediate.png

Straightforward Setup

Communications compliance can be straightforward to set up and get going. I am going to run through a fictious scenario to show how it can be implemented. In this scenario I am the IT administrator and I want to apply a policy to users in my sales department to monitor profanity. My business wants to ensure that communications from this team always remain professional and that bad language doesn’t jeopardise deals. They also want to safeguard the team and intervene if customers become abusive. Whilst the organisation is happy that it covers Exchange and Yammer, the primary focus is Teams.

1. In the Microsoft 365 Admin Portal Ensure I ensure that every user who will be in the compliance policy is licenced for communications compliance and that this is enabled within their licence (see licencing requirements below; purchasing method may vary). Due to the services it monitors they should also be enabled for Teams, Exchange and Yammer. For it to work on Yammer, Yammer must be in native mode.

M365 Admin Portal.png

2. Next, whilst I can add individual users to a communications compliance policy, I am also going to check that the sales team has an associated group. The way the service is architected, I will need to set one communications compliance policy with individual users to cover Teams private chats and one with a Microsoft 365 group to cover Teams channel conversations. In the Microsoft 365 Admin Portal, I make sure that a Microsoft 365 group exists for the Sales Team. To note, whilst I could have used a distribution list as opposed to individual users for private chats, I decided against it this time. To note, only DL’s and M365 groups are supported: dynamic groups or mail enabled security groups aren’t.

Active Teams and Groups.png

3. Now that users are licenced and the Microsoft 365 group for Sales exists, I need to ensure that I, as the administrator for the service are set up to use Communications Compliance. In the Microsoft 365 Compliance Centre within Permissions, I set myself up with the Communications Compliance Role as well as the Communications Compliance Investigator and Analyst roles. This ensures I have all the access end to end to manage it, create policies, and perform investigation. Whilst there are several roles for communications compliance where management and investigation can be separated and be granular for larger organisations, my organisation is an SMB. I am the one expected to do it all.

Compliance.png

4. Before I can create my policies, I need to ensure that auditing is turned on in my Microsoft 365 tenant. This is also in the Compliance Centre under Audit. Most organisations should already have this turned on where they have been using Microsoft 365 for some time and have needed to look at the audit logs for such services as Microsoft Teams, Exchange, and SharePoint

Audit.png

5. Having the group set up, permissions assigned, and auditing turned on I am now ready to create my first policy. In the Compliance Centre I select Communications Compliance and from the drop down I select Monitor for Inappropriate Content. It’s awesome that Microsoft has provided templates based on trainable classifiers so that I can pretty much instantly deploy a policy without having to build one. This template not only includes Profanity, but Harassment, Threat, Adult, Racy and Gory Images.

Communication Compliance.png

6. In this policy I want to capture violations in Teams Chats. I add the users in the Sales Team individually and set myself as the reviewer. I also name the policy appropriately. Once done I select create policy. You’ll notice here that the policy is set for all inbound, outbound, and internal communications, and not only covers Teams but Exchange and Yammer too. This is all set up by Microsoft in the template.

Monitor Communications For Inapporpriate Content.png

7. Having created the first, I set up a second policy which captures matches in Channel Conversations

Channel Conversations.png

8. Awesome! In less than 30 minutes I’ve set up two Communications Compliance policies which covers Teams, Exchange, and Yammer for the Sales users in our organisation. The policies will propagate, and the first results should appear within 24 hours. The organisation can now identify, investigate, escalate, or remove this content if things like profanity appears in Exchange, Teams or Yammer. They can act on such situations as bullying involving members of the team, abusive customers, and the sharing of illicit content such as pornographic images not in line with the organisations’ code of conduct.

4 good to knows

With Communications Compliance, it’s good to be aware of some of the functionality you can leverage today even before the Ignite announcements.

Anonymity when Reviewing
You can protect the privacy of users that have policy matches and help promote objectivity in data investigation by splitting the communications compliance roles across more than one person. You can set anonymity to apply to those with the Communication Compliance Analyst role – the one who reviews the match – since it is critical to mitigate bias as well as nepotism. However, if the same person also has the Investigator role or the Communication Compliance role which contains Investigator; they will always see the true name.

Anonymity when Reviewing.png

Custom Policies
If the templates provided are not enough for your needs, you can create custom policies based upon trainable classifiers or sensitive information types. You can easily do that by building a classifier or sensitive information type and then walkthrough the policy wizard to apply within minutes. Everything can be built and repurposed.

Custom Policies.png

Deep Examination
There are several ways to be able to investigate and examine a policy match. This includes a summary of the match, a plain text view highlighting keywords triggering the match as well as an annotate view allowing reviewers to add annotations directly on the message for escalation purposes. From using conversation view to put the violation in the context of a Teams conversation, we can also look at the user history to see if they are a repeat offender. There is pattern matching to connect violations over time, and policies now go beyond the messages themselves to detect violations within documents shared in private chats within Teams. Today, this covers Word documents, Excel documents, PowerPoint documents, Text documents and PDF’s.

User History.png

Remediation options
In addition to having several ways to examine policy matches, there are several options open to us for how we can remediate matches. This includes resolving the match should action have been taken even unresolving an accidently resolved match (in preview). We can report the match as being misclassified to Microsoft. We can use Power Automate with matches such as triggering a flow which informs the user’s manager when a policy match occurs. We can tag for advanced filtering, escalate message to another reviewer, or even escalate for investigation which opens an e-discovery case. One of the most powerful features is remove message in Teams which blocks the message in a private chat or a Teams channel.

Remediation Options.png

New Innovations at Microsoft Ignite

Having looked at some of the awesome features of Communications Compliance today; there were several announcements at Microsoft Ignite which meaning the service is going to get even better in the coming months. Here are some highlights – the full list can be viewed here.

Zero Day Insights
Day Zero Insights displays the aggregate number of matches per classification type, with none of the insights containing any personally identifiable information (PII). These Insights are designed to help organizations identify potential areas of risk and determine the type/scope of communication policies to be configured. What’s amazing about Zero Day Insights is that insights display without any policies being set up which will make the organisation acutely aware of the risk they are under by having no policies applied.

Zero Day Insights.png

Create a Communications Compliance Policy off the back of a DLP Workflow
Administrators will soon be directed to configure a policy in Communication Compliance at the end of the Data Loss Prevention policy configuration flow.

DLP Workflow.png

Review Activity Summary
RAS is a new report providing a summary of all activities and remediation actions occurring against a policy, such as date sent, date flagged, reviewed by and message reconciliation. This can analyse the policy lifecycle, fulfil regulatory compliance and enhance tracking of unresolved matches.

Review Activity Summary.png

New Languages Supported
To expand the ability to detect policy violations in communications beyond English, French, Spanish, German, Portuguese, Italian, Japanese, and Chinese, Communication Compliance will now enable organisations to detect threats, harassment, and profanity in Arabic, Dutch, Korean, and Chinese Traditional.

Global Feedback Loop
Global feedback loop allows investigators to submit feedback directly to Microsoft on misclassified policy matches for the purposes of effectively retraining and improving detection algorithms.

Global Feedback Loop.png

New Video and Documentation
Whilst new in-product video will be introduced in the near future to help administrators get started and use Communications Compliance effectively, new documentation has already been released including:

  • This MS Learn Cloud Guide walkthrough
  • This Docs.com article on Communications Compliance and SIEM Integration
  • This Financial Services Industry Playbook

Interactive Guide.png

How to get started

You can order licences for Communication Compliance via CSP or direct with Microsoft today. You can also start a 90-day trial directly through the Compliance Centre to test things out. This will be available in all Microsoft 365 tenants worldwide in the coming months. Find out more about the trial here.

Licencing Requirements

Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance Add-On, Microsoft 365 F5 Security & Compliance Add-On and Microsoft 365 E5/A5/G5 Insider Risk Management provide the rights for a user to benefit from communication compliance.

Do you want to know more?

Get Started with Communications Compliance
Communication Compliance with Microsoft Teams
Communications Compliance with SIEM Solutions
Detect Workplace Harassment & Respond – Communication Compliance in Microsoft 365
Discover and Manage Communication Risks with Communication Compliance
Microsoft Compliance Configuration Analyzer
MS Learn Cloud Guide walkthrough
Financial Services Industry Playbook

Statistical Sources

Microsoft (2018) Microsoft uses threat intelligence to protect, detect, and respond to threats
Microsoft (2019) Discover and manage shadow IT with Microsoft 365
Microsoft (2019) Insider Threat and Predictive Analytics

Bio
Chris Hoard is a Microsoft Certified Trainer Regional Lead (MCT RL), Educator (MCEd) and 2 x Office Apps and Services MVP. With over 12 years of cloud computing experience, he is currently building an education practice for Vuzion (Tier 2 UK CSP). His focus areas are Microsoft Teams, Microsoft 365 and entry level Azure. In his spare time, he is very active in the Microsoft Tech Community, blogging at microsoft365pro.co.uk and since 2019 has spoken at many public events such as Microsoft Ignite, Microsoft Build, Commsverse, Galactic Summit, Microsoft 365 Virtual Marathon, and the Modern Workplace Conference Paris. As the co-creator of Teams Nation (previously TeamsFest and the European Teams User Group), he is a member of the British Computer Society (BCS), the Microsoft 365 Partner Council and currently sits on the Microsoft Certifications Advisory Board.

https://techcommunity.microsoft.com/t5/microsoft-teams-community-blog/it-s-not-all-about-the-data-protecting-your-users-in-teams-with/ba-p/2944740 https://techcommunity.microsoft.com/t5/microsoft-teams-community-blog/it-s-not-all-about-the-data-protecting-your-users-in-teams-with/ba-p/2944740 2021-11-09 21:06:30Z

Leave a Reply