MS-102 | Chapter 19 of 104 | Objective 3.3

Communication Compliance Policies

This chapter covers Communication Compliance Policies in Microsoft 365, a key topic for the MS-102 exam. Communication compliance helps organizations detect, capture, and act on inappropriate messages in email, Microsoft Teams, and other communication channels. It is part of the Insider Risk Management suite and is tested in the 'Security Threats' domain under objective 3.3. Expect approximately 5-10% of exam questions to touch on communication compliance, often asking about policy configuration, conditions, actions, and integration with other compliance features.

25 min read
Intermediate
Updated May 31, 2026

The Corporate Mailroom Compliance Filter

Imagine a large corporation's mailroom. Every piece of incoming and outgoing mail must pass through a compliance filter. The mailroom has a set of rules: any mail containing certain keywords (e.g., 'confidential', 'trade secret') is flagged for review. The mailroom supervisor (the compliance officer) can define these rules. Mail that matches a rule is diverted to a special 'review bin' where a compliance analyst reads it and decides: allow delivery, block delivery, or escalate to legal. The mailroom also keeps a log of all flagged mail for auditing. Now, this mailroom doesn't just handle physical letters—it also handles interoffice memos, emails, and even package deliveries. Each type of mail has its own routing but all pass through the same filter. The supervisor can create different rules for different departments or mail types. For example, the finance department might have stricter rules about sharing financial data. The mailroom operates 24/7, and any mail that matches a rule is automatically held until a human reviews it. If the reviewer doesn't act within a certain time (say, 7 days), the mail is escalated to a senior manager. This is exactly how Communication Compliance works in Microsoft 365: it monitors messages (email, Teams, Yammer, etc.) against customizable policies, flags violations, and routes them for human review with optional escalation.

How It Actually Works

What is Communication Compliance?

Communication Compliance is a Microsoft 365 solution that helps organizations identify and remediate inappropriate or risky communications. It is part of the Microsoft Purview Compliance Portal and is designed to address regulatory compliance requirements (e.g., SEC, FINRA, HIPAA) and internal policies. It works by scanning email, Microsoft Teams chats and channel messages, Yammer messages, and third-party data connectors for specific patterns or keywords defined in policies.

How It Works Internally

Communication compliance policies consist of three main components: conditions, actions, and reviewers. When a message is sent or received, it is evaluated against active policies. If it matches the conditions (e.g., contains a sensitive information type or a specific keyword), the message is captured and stored in a hidden mailbox called the 'Communication Compliance' mailbox. The message is then surfaced in the Communication Compliance review interface, where designated reviewers can investigate and take action (e.g., resolve, escalate, or mark as false positive).

The scanning process is asynchronous and typically completes within minutes. For email, messages are evaluated after delivery (or before delivery if using Exchange mail flow rules in conjunction). For Teams, messages are scanned in near real-time. The system uses the same classification engine as Microsoft Information Protection (MIP) and Data Loss Prevention (DLP).

Key Components and Defaults

Policies: A policy defines what to scan, where to scan, and what to look for. Each policy has a priority, and the highest priority policy is applied first. Up to 500 policies can be created.

Conditions: Conditions can include keywords, sensitive information types (e.g., credit card numbers), inappropriate content classifiers (e.g., profanity, harassment), and custom keyword dictionaries. You can also scope conditions by sender, recipient, or domain.

Actions: The primary action is to notify reviewers and create an alert. You can also configure automatic remediation (e.g., delete message) but that is less common.

Reviewers: Users with the Communication Compliance Reviewer role can see flagged messages. The reviewer must have a valid Exchange Online license.

Retention: Flagged messages are retained for 30 days by default, but you can increase retention up to 365 days. After that, they are automatically deleted.

Escalation: If a reviewer does not act within a configurable time (default 7 days), the message is escalated to the reviewer's manager.

Configuration and Verification

To create a communication compliance policy, you navigate to Microsoft Purview compliance portal > Communication compliance > Policies > Create policy. You must specify:

Policy name and description

Users or groups to monitor (all users, or specific users and groups)

Communication direction (inbound, outbound, internal, or all)

Conditions (e.g., message contains 'confidential' or matches a sensitive info type)

Percentage of communications to review (default 100% for matching messages)

Reviewers (one or more users)

Verification: Use the Communication compliance dashboard to view alerts and activity logs. You can also use the Audit log in Microsoft 365 to track policy changes.

Interaction with Related Technologies

Communication compliance integrates with:

- Data Loss Prevention (DLP): Both use the same sensitive information types. DLP can block messages; communication compliance flags them for review.
- Microsoft Information Protection (MIP): Sensitivity labels can be used as conditions in policies.
- Insider Risk Management: Communication compliance alerts can feed into insider risk policies.
- Microsoft Teams: Monitors both 1:1 chats and channel messages. However, note that Teams messages are only captured if the user is included in the policy.
- Exchange Online: Uses Exchange Web Services to scan mailboxes.
- Third-party connectors: Data from platforms like Slack, Zoom, and Bloomberg can be ingested via connectors and then scanned.

Important Technical Details

License requirement: Communication compliance requires one of the following: Microsoft 365 E5/A5/G5, Microsoft 365 E5 Compliance, or Microsoft 365 E5 Insider Risk Management. E3 users can be included if the organization has an E5 add-on.

Limitations: Communication compliance does not support scanning of encrypted messages (by user or by IRM) unless the encryption is removed. It also cannot scan messages in archive mailboxes (in-place archive).

Performance: For large organizations, scanning may introduce a slight delay in message delivery (typically under 5 minutes).

Default retention: 30 days; can be extended to 365 days via PowerShell.

PowerShell cmdlets: Use Get-CommunicationCompliancePolicy, New-CommunicationCompliancePolicy, Set-CommunicationCompliancePolicy to manage policies. Example:

```powershell
New-CommunicationCompliancePolicy -Name "Trade Secrets" `
    -Description "Monitors for trade secret keywords" `
    -Conditions @{Keywords=@("confidential","proprietary")} `
    -Reviewers "compliance@contoso.com"
```

Policy Conditions in Detail

Conditions can be simple or complex. You can combine multiple conditions using AND/OR logic. The following condition types are available:

- Message contains: Keywords, phrases, or regex patterns.
- Message is classified as: Sensitive information types (e.g., U.S. Social Security Number, Credit Card Number).
- Message contains: Trainable classifiers (e.g., inappropriate content, harassment).
- Message from: Specific senders or domains.
- Message sent to: Specific recipients or domains.
- Message size is: Greater than or less than a size (in KB).
- Message attachment: Contains specific file types or content.
- Percentage of communications to review: You can set a lower percentage to sample messages, but for compliance it is often set to 100%.

Actions and Remediation

When a message matches a policy, the default action is to create an alert and notify reviewers. You can also configure:

- Notify reviewers via email (default)
- Create an alert in Microsoft 365 Defender
- Apply a retention label (if configured)
- Delete the message (only in certain scenarios, typically not recommended)

Reviewers can take the following actions on a flagged message:

- Resolve: Mark as compliant and close.
- Escalate: Send to another reviewer or to legal.
- Mark as false positive: The message is removed from the review queue and the policy may be adjusted.
- Send to Microsoft: For analysis of potential false positives (optional).

Monitoring and Reporting

Use the Communication Compliance dashboard to see:

Total alerts, pending, resolved

Policy match trends

Top users with matches

Average time to review

You can also export reports using the Export button or via PowerShell.

Common Misconfigurations

Not assigning the Communication Compliance Reviewer role to users.

Forgetting to license users (they need E5 or equivalent).

Setting conditions that are too broad, which causes alert fatigue.

Not scoping policies to specific users/groups (scanning all users may hit performance limits).

Using incorrect sensitive information type IDs.

Walk-Through

1. Identify Compliance Requirements

Begin by determining what regulations or internal policies you need to comply with (e.g., SEC rules on insider trading, harassment policies). This step defines the scope of your communication compliance deployment. Document the types of communications to monitor (email, Teams, Yammer) and the users or groups in scope. Also decide on the conditions: keywords, sensitive info types, or trainable classifiers. This planning phase is critical because it drives all subsequent configuration. Without clear requirements, you risk over-scanning or missing key violations.

2. Enable Communication Compliance

In the Microsoft Purview compliance portal, navigate to Communication compliance and accept the terms if prompted. Ensure that the required licenses are assigned to users (Microsoft 365 E5 or E5 Compliance add-on). Also assign the Communication Compliance Reviewer role to users who will review flagged messages. This role can be assigned via the Microsoft 365 Defender portal (Permissions > Roles > Communication Compliance). Without this role, reviewers cannot see alerts.

3. Create a Communication Compliance Policy

Click 'Policies' then 'Create policy'. Choose a policy template (e.g., 'Detect inappropriate content' or 'Monitor for sensitive information') or start from scratch. Provide a name and description. Select the users/groups to monitor (you can choose all users or specific users and groups). Choose the communication direction (inbound, outbound, internal, or all). Add conditions: for example, message contains keyword 'confidential'. Set the percentage of communications to review (default 100%). Add reviewers. Review and submit. The policy will activate within minutes.

4. Configure Policy Conditions

After creating the policy, you can edit it to add more conditions. Conditions can be combined with AND/OR logic. For example, you can require both a keyword AND a sensitive information type. You can also add trainable classifiers (e.g., 'harassment') which are pre-trained AI models. Use the 'Condition builder' to specify advanced conditions like 'message size > 500 KB'. Each condition adds to the scanning load, so be specific. Avoid overly broad conditions like scanning all messages for 'confidential' without scoping.
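The effect of combining and scoping conditions, as an added example that is not part of the original chapter and is not Microsoft's classification engine. The `Policy` class, the message fields and the sample messages are constructed for illustration, and a Luhn-checked card-number pattern stands in for a sensitive information type.

```python
import re
from dataclasses import dataclass

# Illustrative model only: Policy, the message fields and the sample data are
# constructed for this example and are not Microsoft's classification engine.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum, so arbitrary digit runs are not treated as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def has_card_number(text):
    """Stand-in for a 'Credit Card Number' sensitive information type."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def has_keyword(text, keywords):
    """Case-insensitive whole-word keyword match."""
    return any(re.search(rf"\b{re.escape(k)}\b", text, re.I) for k in keywords)

@dataclass(frozen=True)
class Policy:
    name: str
    keywords: tuple
    require_card: bool = False             # True: keyword AND sensitive info type
    scoped_users: frozenset = frozenset()  # empty set means all users
    direction: str = "all"                 # inbound, outbound, internal or all

    def matches(self, msg):
        if self.scoped_users and msg["sender"] not in self.scoped_users:
            return False
        if self.direction != "all" and msg["direction"] != self.direction:
            return False
        if not has_keyword(msg["body"], self.keywords):
            return False
        return has_card_number(msg["body"]) if self.require_card else True

def flagged(policy, messages):
    """Return the ids of messages that would be routed to reviewers."""
    return [m["id"] for m in messages if policy.matches(m)]

# Constructed sample traffic (addresses and bodies are made up).
MESSAGES = [
    {"id": 1, "sender": "trader1@contoso.com", "direction": "outbound",
     "body": "Confidential: client card 4111 1111 1111 1111 is on file"},
    {"id": 2, "sender": "marketing1@contoso.com", "direction": "outbound",
     "body": "Our confidential launch teaser goes out Friday"},
    {"id": 3, "sender": "trader2@contoso.com", "direction": "internal",
     "body": "Ticket 1234567890123456 is confidential"},
    {"id": 4, "sender": "marketing2@contoso.com", "direction": "outbound",
     "body": "confidential: refund to 4111-1111-1111-1111"},
    {"id": 5, "sender": "trader1@contoso.com", "direction": "internal",
     "body": "Lunch at noon?"},
]
TRADERS = frozenset({"trader1@contoso.com", "trader2@contoso.com"})
BROAD = Policy("keyword only", ("confidential",))
COMBINED = Policy("keyword AND card", ("confidential",), require_card=True)
SCOPED = Policy("keyword AND card, trading only", ("confidential",),
                require_card=True, scoped_users=TRADERS)

if __name__ == "__main__":
    for p in (BROAD, COMBINED, SCOPED):
        print(f"{p.name}: {flagged(p, MESSAGES)}")
```

Each tightening step shrinks the review queue: the keyword alone flags four of the five messages, requiring the card number as well leaves two, and scoping to the trading users leaves one.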

5. Assign Reviewers and Set Escalation

Designate one or more users as reviewers. They must have the Communication Compliance Reviewer role. You can set an escalation threshold: if a message is not reviewed within a certain number of days (default 7), it is escalated to the reviewer's manager. This ensures timely action. You can also configure email notifications to reviewers when new alerts are generated. Reviewers will see flagged messages in the Communication compliance dashboard under the 'Alerts' tab.

6. Monitor and Remediate Alerts

Reviewers should regularly check the dashboard for new alerts. For each alert, they can view the message content (including attachments). They can then take action: resolve (mark as compliant), escalate (send to another reviewer or legal), or mark as false positive. The system logs all actions for auditing. Use the 'Activity' tab to see who did what. If a pattern of false positives emerges, consider adjusting the policy conditions to reduce noise.

What This Looks Like on the Job

Scenario 1: Financial Services Firm Monitoring Insider Trading

A large investment bank must comply with SEC regulations regarding insider trading. They use Communication Compliance to monitor all emails and Teams messages for keywords like 'insider', 'non-public', and 'material information'. They also scan for sensitive information types like stock ticker symbols combined with price alerts. The policy covers all employees in the trading and research departments. The compliance team consists of three reviewers who check alerts daily. They have set escalation to 48 hours because of the time-sensitive nature of trading. One misconfiguration they encountered: they initially scanned all users, which caused thousands of false positives from marketing communications. They scoped the policy to only trading and research, reducing alerts by 90%.

Scenario 2: Healthcare Organization Ensuring Patient Privacy

A hospital network must comply with HIPAA. They use Communication Compliance to detect PHI (Protected Health Information) in emails. They configure conditions to match sensitive info types like U.S. Social Security Number and Medical License Number. They also use a custom keyword dictionary for common medical terms. The policy applies to all employees. However, they found that legitimate patient care communications were being flagged. They added an exception for messages sent to specific domains (e.g., @patientportal.com) and trained reviewers to quickly mark false positives. They also integrated with DLP to block messages containing PHI sent to external addresses, while communication compliance only flags internal messages for review.

Scenario 3: Technology Company Preventing Harassment

A tech company wants to proactively detect harassment in Teams chats. They create a communication compliance policy using the built-in 'harassment' trainable classifier. They also add keywords like 'hostile work environment' and 'discrimination'. The policy covers all employees. The HR team reviews alerts weekly. Initially, they had a problem with the classifier generating many false positives for benign jokes. They worked with Microsoft to refine the classifier by submitting feedback on false positives. They also set a 30-day retention for flagged messages to comply with legal hold requirements. The system handles about 500 alerts per week, which is manageable for a team of two HR specialists.

How MS-102 Actually Tests This

What MS-102 Tests

Objective 3.3 covers 'Communication Compliance Policies'. The exam expects you to know:

How to create and manage communication compliance policies

The difference between communication compliance and DLP

Required licenses (E5 or E5 Compliance)

Roles needed (Communication Compliance Reviewer)

Default retention (30 days, can be extended to 365)

Policy conditions (keywords, sensitive info types, classifiers)

Escalation settings (default 7 days)

Integration with Insider Risk Management and Teams

Common Wrong Answers

1. Confusing Communication Compliance with DLP: Candidates often think DLP can block messages in transit. While DLP can block, communication compliance only flags for review. The exam may ask which solution to use for 'review before action'.

2. Assuming all users need E5 licenses: Only users being monitored need E5; reviewers do not need E5 if they only review alerts (but they need the role). However, all monitored users must be licensed appropriately.

3. Forgetting that Teams messages are only scanned if the user is in the policy: The exam may present a scenario where Teams messages are not being captured, and the answer is that the user was not added to the policy scope.

4. Setting retention too low: The default is 30 days, but the exam may ask what the maximum is (365 days via PowerShell).

Specific Values to Memorize

Default escalation time: 7 days

Default retention: 30 days

Maximum retention: 365 days

Maximum policies: 500

Required license: Microsoft 365 E5 or E5 Compliance add-on

Role: Communication Compliance Reviewer

Edge Cases

Communication compliance cannot scan encrypted messages (IRM or user-encrypted).

It cannot scan archive mailboxes (in-place archive).

It does not support scanning of messages in public folders.

For Teams, only messages from users included in the policy are scanned; channel names are not scanned.

How to Eliminate Wrong Answers

If a question asks about 'blocking' a message, eliminate communication compliance as the answer because it does not block—it only flags. If the question mentions 'real-time' blocking, think DLP. If the question mentions 'review by human', think communication compliance. Also, if the question mentions 'insider risk', it may be related to Insider Risk Management, which uses communication compliance as a source.

Key Takeaways

Communication compliance requires Microsoft 365 E5 or E5 Compliance add-on licenses for monitored users.

The default retention period for flagged messages is 30 days; maximum is 365 days via PowerShell.

Default escalation time if a reviewer does not act is 7 days; configurable.

Communication compliance does not block messages; it only flags them for review.

You can create up to 500 communication compliance policies per tenant.

Teams messages are only scanned if the user is included in the policy scope.

Encrypted messages (IRM or user-encrypted) cannot be scanned by communication compliance.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Communication Compliance

Purpose: Detect and flag messages for human review to ensure compliance with policies.

Actions: Only creates alerts and notifies reviewers; does not block messages.

Scope: Monitors email, Teams, Yammer, and third-party connectors.

Review: Requires human intervention to resolve or escalate.

License: Requires Microsoft 365 E5 or E5 Compliance add-on.

Data Loss Prevention (DLP)

Purpose: Prevent accidental sharing of sensitive information by blocking or warning users.

Actions: Can block message delivery, show policy tips, or log incidents.

Scope: Applies to email, SharePoint, OneDrive, Teams, and endpoints.

Review: Can be automated with override options; does not require human review by default.

License: Included in Microsoft 365 E3 and higher; advanced features require E5.

Watch Out for These

Mistake

Communication compliance can automatically delete flagged messages.

Correct

Communication compliance does not automatically delete messages. It flags them for human review. Automatic deletion can be configured via DLP or retention policies, but communication compliance itself only creates alerts and notifications.

Mistake

All Microsoft 365 users are automatically licensed for communication compliance.

Correct

Only users with Microsoft 365 E5, A5, G5, or E5 Compliance add-on licenses are eligible. E3 users can be monitored only if the organization has an E5 add-on license for them.

Mistake

Communication compliance scans all messages in real time.

Correct

Scanning is asynchronous and typically completes within minutes. For email, messages are scanned after delivery. For Teams, scanning is near real-time but not instantaneous.

Mistake

Communication compliance can scan encrypted messages.

Correct

Communication compliance cannot scan messages that are encrypted by the user (e.g., via Outlook's Encrypt button) or by IRM (Information Rights Management). The encryption must be removed for scanning to occur.

Mistake

You can set retention for flagged messages to unlimited.

Correct

The maximum retention period is 365 days. The default is 30 days. Retention can be configured via PowerShell using the `RetentionDuration` parameter.


Frequently Asked Questions

What licenses are required for communication compliance?

Communication compliance requires Microsoft 365 E5, A5, G5, or Microsoft 365 E5 Compliance add-on licenses for users being monitored. Users who only review alerts do not need these licenses, but they must have the Communication Compliance Reviewer role assigned. E3 users can be included if the organization has an E5 add-on license for them.

How long are flagged messages retained?

Flagged messages are retained for 30 days by default. You can extend this up to 365 days using PowerShell with the `Set-CommunicationCompliancePolicy -RetentionDuration` cmdlet. After the retention period, messages are automatically deleted.

Can communication compliance scan Teams messages?

Yes, communication compliance can scan Microsoft Teams 1:1 chats and channel messages. However, only messages sent by users who are included in the policy scope are scanned. The scanning is near real-time. Note that messages in private channels are also scanned if the user is in scope.

What is the difference between communication compliance and DLP?

Communication compliance is designed for human review of messages that match policy conditions; it does not block messages. DLP (Data Loss Prevention) can block messages, show policy tips, and enforce rules automatically. DLP is more about preventing data leaks, while communication compliance is about detecting and remediating policy violations through human oversight.

What roles are needed to review communication compliance alerts?

Users need the Communication Compliance Reviewer role to view and act on alerts. This role can be assigned in the Microsoft 365 Defender portal under Permissions > Roles > Communication Compliance. Users who create policies need the Communication Compliance Admin role.

Can communication compliance scan encrypted messages?

No, communication compliance cannot scan messages that are encrypted by the user (e.g., using Outlook's Encrypt-Only option) or protected by Information Rights Management (IRM). The encryption must be removed for the message to be scanned. This is a known limitation.

How do I increase the retention period beyond 30 days?

Use the PowerShell cmdlet `Set-CommunicationCompliancePolicy -Identity "PolicyName" -RetentionDuration 365` to set retention to 365 days. The maximum is 365 days. You must have the Communication Compliance Admin role to run this cmdlet.
