This chapter covers Communication Compliance in Microsoft 365, a key topic under Exam Domain M365 Security, Objective 3.4. Communication Compliance helps organizations detect, capture, and act on inappropriate messages in email, Microsoft Teams, and other communication channels. For the MS-900 exam, you can expect 1-2 questions on this topic, often focusing on its purpose, key features, and how it differs from related solutions like Data Loss Prevention (DLP) and Microsoft Purview Audit. Understanding Communication Compliance is critical for demonstrating knowledge of Microsoft 365's built-in compliance and risk management capabilities.
Imagine a large corporation with a centralized mailroom that processes all incoming and outgoing physical mail. Every letter, package, and internal memo passes through this mailroom. The company has strict policies: no confidential data can be sent outside, no harassing language, and all financial disclosures must be reviewed by legal. To enforce these policies, the mailroom employs a team of auditors who scan the content of every piece of mail. They use predefined rules — for example, a rule that flags any envelope containing the phrase 'trade secret' or a pattern that looks like a Social Security number. When a flagged item is found, the auditor doesn't stop delivery immediately; instead, they place it in a separate 'review' bin and send a notification to the manager and the compliance officer. The manager can then decide to allow delivery (override), reject it, or remove the sensitive content and deliver the rest. The auditors also keep a log of all flagged items for future audits and training. This system works silently in the background, scanning thousands of letters per day, and only surfaces items that need human attention. Communication Compliance in Microsoft 365 works exactly like this: it scans emails, Teams messages, and other communications for sensitive information, policy violations, and regulatory requirements, then alerts designated reviewers to take action.
What is Communication Compliance and Why Does It Exist?
Communication Compliance is a Microsoft Purview solution designed to help organizations detect and remediate communication violations in their Microsoft 365 environment. It enables compliance teams to monitor and review messages for internal policy violations such as harassment, threats, sharing confidential information, or regulatory non-compliance (e.g., SEC rules, FINRA). The solution is built to address the growing need for organizations to proactively manage communication risks, especially in industries like financial services, healthcare, and government where regulatory oversight is stringent.
Communication Compliance operates by scanning messages in Exchange Online (email), Microsoft Teams (chat and channel messages), and, with additional licensing, third-party sources like Bloomberg or Slack. It uses predefined and custom policies to flag messages that match certain conditions, then routes those messages to designated reviewers who can take action. The goal is not to block messages in real-time (that's DLP's job) but to detect, capture, and manage communication risks after they occur, enabling organizations to investigate and respond appropriately.
On the MS-900 exam, you need to know that Communication Compliance is part of Microsoft Purview, not a standalone service. It is licensed per user (as part of Microsoft 365 E5, Microsoft 365 E5 Compliance, or as an add-on). The exam tests your understanding of its purpose, key capabilities, and how it fits into the broader compliance ecosystem.
How Communication Compliance Works Internally
Communication Compliance operates through a pipeline of four main stages: policy creation, message capture, review, and remediation. Let's walk through each stage in detail.
1. Policy Creation: An administrator (or compliance officer) defines a policy using the Microsoft Purview compliance portal. Each policy consists of:
- Scope: Which users or groups are monitored. You can select specific users, distribution groups, or the entire organization.
- Conditions: What triggers a flag. Conditions can include:
Sensitive information types (e.g., credit card numbers, Social Security numbers) via the Microsoft Purview Data Loss Prevention (DLP) sensitive info types.
Keywords or phrases (e.g., 'confidential', 'harassment', 'insider trading').
Trainable classifiers – machine learning models that detect specific categories like harassment, threats, or regulatory compliance (e.g., SEC rules).
Retention policies – messages already marked for retention can be included.
Percentage of communications to review: You can set a sampling rate (e.g., 10%) to review only a subset of flagged messages, reducing reviewer workload.
Reviewers: Designated users (compliance managers, legal team) who will receive notifications and review flagged messages.
2. Message Capture: Once a policy is active, Communication Compliance scans all messages sent or received by the monitored users. Scanning occurs in near real-time for Exchange Online and Teams messages. For Teams, both 1:1 chats and channel messages are captured. The solution uses the same indexing and search capabilities as Microsoft Purview eDiscovery. When a message matches a policy condition, it is copied to a secure, isolated storage (the Communication Compliance repository) and a notification is sent to the reviewers. The original message is not modified or deleted; this is a detective control, not a preventative one.
3. Review: Reviewers access the Communication Compliance dashboard in the Microsoft Purview compliance portal. There, they see a list of flagged messages with metadata (sender, recipient, timestamp, policy matched). They can expand the message to view the full content, including attachments. Reviewers can also see a timeline of related messages to understand context. The dashboard supports filtering by policy, date, severity, and status. Reviewers can also use eDiscovery to search across all captured messages.
4. Remediation: After reviewing a flagged message, the reviewer can take one of the following actions:
- Resolve as compliant: The message does not violate policy; it's marked as reviewed and archived.
- Resolve as non-compliant: The message violates policy; the reviewer can escalate to eDiscovery for further investigation, notify the sender's manager, or take other HR actions.
- Notify the sender: Automatically send a warning or training notification to the sender (this is a configurable option in the policy).
- Escalate to eDiscovery: If the violation is serious, the reviewer can create an eDiscovery case for deeper investigation.
- Tag for further review: The message is kept for later analysis.
All actions are logged in the Microsoft Purview Audit log for compliance tracking.
Key Components, Defaults, and Timers
Sensitive Information Types: Over 100 built-in types (e.g., ABA routing number, SWIFT code, U.S. Social Security number). You can also create custom types using regular expressions.
Trainable Classifiers: Pre-built classifiers for harassment, threats, profanity, and regulatory compliance (e.g., SEC Rule 17a-4, FINRA). These are machine learning models that require initial training (at least 50 positive samples) but are ready to use after training.
Policy Templates: Microsoft provides several templates to get started: "Anti-harassment and anti-bullying", "Insider trading", "Offensive language", "Regulatory compliance (SEC/FINRA)", and "Conflict of interest".
Sampling Rate: Default is 100% (review all flagged messages). You can reduce it to a percentage (e.g., 10%) to manage reviewer workload.
Retention: Captured messages are retained for the duration specified in the policy (default 7 years) or until manually deleted. The retention period is separate from Microsoft 365 retention policies.
Notifications: Reviewers receive email notifications when new flagged messages are available. The notification frequency is configurable (immediate, daily digest, or weekly digest).
Licensing: Communication Compliance is available in Microsoft 365 E5, Microsoft 365 E5 Compliance, or as an add-on to E3. Each monitored user must be licensed.
Configuration and Verification
To configure Communication Compliance, an administrator must have the Communication Compliance Admin role (or a higher role like Compliance Admin). The main configuration is done in the Microsoft Purview compliance portal under "Communication Compliance".
Example PowerShell command to create a policy (using Exchange Online PowerShell):
New-ComplianceTag -Name "CommunicationCompliancePolicy" -Comment "Policy for monitoring insider trading"
New-CommunicationCompliancePolicy -Name "Insider Trading Policy" -PolicyType "Insider trading" -ExchangeLocation "All" -TeamsLocation "All" -RetentionDays 2555
New-CommunicationComplianceRule -Name "Insider Trading Rule" -Policy "Insider Trading Policy" -Condition "From: user@contoso.com AND Contains: 'insider information'" -Action NotifySender
Note: The above commands are illustrative; actual cmdlets may vary by version. In production, you use the Purview portal UI.
Verification: After policy creation, you can verify it by sending a test message that matches the condition. Then check the Communication Compliance dashboard for the flagged message. Use the Audit log to confirm policy actions.
Interaction with Related Technologies
Data Loss Prevention (DLP): DLP prevents sensitive data from being shared in real-time. Communication Compliance detects violations after the fact. They share sensitive information types and classifiers but serve different purposes. DLP can block messages; Communication Compliance only flags them.
Microsoft Purview Audit: All actions taken in Communication Compliance (policy creation, review actions, notifications) are logged in the Audit log. This provides a trail for compliance auditors.
Microsoft Purview eDiscovery: Communication Compliance can escalate flagged messages to eDiscovery for formal investigation and holds.
Microsoft Purview Information Protection: Sensitivity labels applied to messages are visible in Communication Compliance reviews, helping reviewers understand the data's classification.
Microsoft Teams: Communication Compliance captures Teams messages (1:1 chats and channel messages) as part of the communication record. It does not capture voice or meeting recordings unless they are transcribed.
Exam Focus: Specific Numbers and Values
Licensing: E5 or E5 Compliance required for monitored users.
Supported workloads: Exchange Online, Microsoft Teams (chats and channels), and third-party sources (with connector).
Default retention: 7 years (2555 days) but configurable.
Built-in classifiers: Harassment, threats, profanity, insider trading, SEC/FINRA.
Policy templates: 5 main templates as listed above.
Review actions: Resolve, notify sender, escalate to eDiscovery, tag.
Sampling rate: Configurable from 1% to 100%.
Roles needed: Communication Compliance Admin or Compliance Admin.
Not to be confused with: DLP (prevents), eDiscovery (investigates), or Audit (logs).
Define Communication Compliance Policy
The administrator navigates to the Microsoft Purview compliance portal and selects 'Communication Compliance'. They click 'Create policy' and choose a template (e.g., 'Anti-harassment') or create a custom policy. They specify the policy name, description, and the users or groups to monitor. They then define conditions: select sensitive information types, keywords, or trainable classifiers. They also set the sampling rate (e.g., 100% to review all flagged messages) and assign reviewers (users with the Communication Compliance Reviewer role). The policy is saved and activated.
Message Scanning and Capture
Once the policy is active, Communication Compliance continuously scans all messages sent and received by monitored users. For Exchange Online, it scans emails in real-time as they are delivered. For Teams, it captures 1:1 chats and channel messages. The scanning engine uses the same indexing as eDiscovery. When a message matches any condition in the policy (e.g., contains the keyword 'confidential' or a credit card number), the system creates a copy of the message and stores it in a secure, isolated repository. The original message remains unchanged in the user's mailbox or Teams. The system then generates an alert and sends a notification to the designated reviewers.
Reviewer Notification and Dashboard Access
Reviewers receive an email notification (configurable as immediate, daily, or weekly) that new flagged messages are available. They log into the Microsoft Purview compliance portal and navigate to the Communication Compliance dashboard. The dashboard shows a list of flagged messages with columns for sender, recipient, date, policy matched, and status. Reviewers can filter by policy, date range, severity, or status (e.g., 'Pending review', 'Resolved'). They can click on a message to expand it and view the full content, including attachments. The dashboard also provides a timeline of related messages to provide context.
Review and Remediate Flagged Message
The reviewer examines the flagged message content. They can see the matched condition highlighted (e.g., the specific keyword or sensitive info type). Based on their assessment, they choose an action: 'Resolve as compliant' if the message is not a violation; 'Resolve as non-compliant' if it violates policy; 'Notify sender' to send a warning email; or 'Escalate to eDiscovery' for formal investigation. They can also add notes or tags. Once action is taken, the message status changes and it is removed from the pending queue. All actions are logged in the Microsoft Purview Audit log.
Monitoring and Reporting
Administrators and compliance officers can generate reports on Communication Compliance activity using the built-in reports in the Purview portal. Reports include a summary of flagged messages, actions taken, and trends over time. Additionally, the Audit log provides a detailed trail of all policy changes, reviews, and remediation actions. This data can be exported for external audits. Administrators can also adjust policies based on feedback from reviewers, such as adding new keywords or changing the sampling rate.
Enterprise Scenario 1: Financial Services Firm Monitoring Insider Trading
A large investment bank must comply with SEC Rule 17a-4, which requires monitoring communications for potential insider trading. The compliance team deploys Communication Compliance with the built-in 'Insider trading' policy template. They scope the policy to all employees in trading and research departments. The policy uses trainable classifiers to detect language patterns indicative of insider trading, such as discussing confidential merger information. Reviewers in the legal department receive daily digest notifications. When a flagged message appears, they review the context, including related messages. If a violation is confirmed, they escalate to eDiscovery for a formal investigation and notify the sender's manager. The firm also uses a custom sensitive information type to detect stock ticker symbols combined with terms like 'buy' or 'sell'. Performance considerations: with thousands of messages per day, the sampling rate is set to 25% to reduce reviewer workload while maintaining coverage. Misconfiguration risk: if the policy is scoped too broadly (e.g., all employees), reviewers may be overwhelmed with false positives; if too narrowly, violations may be missed.
Enterprise Scenario 2: Healthcare Organization Enforcing Anti-Harassment Policies
A hospital system wants to proactively detect workplace harassment in emails and Teams chats. They create a Communication Compliance policy using the 'Anti-harassment and anti-bullying' template. The policy is scoped to all employees. They add custom keywords specific to their industry, such as 'patient abuse' and 'neglect'. The policy uses the built-in harassment classifier. Reviewers are HR managers who receive immediate notifications for high-severity matches (based on classifier confidence). They review messages and can choose to notify the sender with a training message or escalate to HR investigation. The hospital also integrates with third-party sources (e.g., Slack) via a connector to capture all communications. Common pitfall: if the policy's sampling rate is too low, some harassment incidents may go undetected. The hospital runs monthly reports to tune the policy.
Enterprise Scenario 3: Technology Company Managing Conflict of Interest
A tech company with global offices uses Communication Compliance to detect potential conflict of interest, such as employees discussing business with competitors or sharing confidential information with family members. They create a custom policy with keywords like 'uncle', 'cousin', 'competitor', and sensitive information types for internal project codes. The policy is scoped to executives and R&D teams. Reviewers are compliance officers who receive weekly digests. When a message is flagged, they review the relationship and can tag it for further review. The company also uses eDiscovery to place a hold on the sender's mailbox if necessary. Misconfiguration example: if the policy lacks a condition to exclude benign uses (e.g., 'uncle' in a casual chat), reviewers see many false positives, leading to alert fatigue. The company adds exclusion keywords like 'Uncle Bob' (a fictional character) to reduce noise.
Exactly What MS-900 Tests on Communication Compliance
MS-900 Objective 3.4 covers "Describe the compliance management capabilities in Microsoft 365." Communication Compliance is one of several solutions under Microsoft Purview. Exam questions typically ask you to identify the purpose of Communication Compliance, distinguish it from DLP and eDiscovery, and recall licensing requirements. Common question formats:
- "Which Microsoft Purview solution should an organization use to detect and review messages that may contain harassment?" (Answer: Communication Compliance)
- "What is the primary difference between Communication Compliance and Data Loss Prevention?" (Answer: DLP prevents sharing of sensitive data; Communication Compliance detects and reviews policy violations after the fact.)
- "Which licensing plan includes Communication Compliance?" (Answer: Microsoft 365 E5 or E5 Compliance)
Most Common Wrong Answers and Why Candidates Choose Them
Choosing 'Data Loss Prevention' when the scenario describes detecting harassment. Candidates confuse DLP's focus on sensitive data (credit cards, SSNs) with Communication Compliance's broader policy violations. Remember: DLP is for sensitive information; Communication Compliance is for inappropriate content.
Selecting 'eDiscovery' for detecting policy violations. eDiscovery is for investigating existing cases, not proactively scanning communications. Communication Compliance proactively flags messages.
Thinking Communication Compliance blocks messages in real-time. It does not; it only detects after delivery. DLP can block.
Assuming Communication Compliance is available in Microsoft 365 E3. It is not; it requires E5 or the E5 Compliance add-on.
Specific Numbers and Terms That Appear Verbatim
Licensing: Microsoft 365 E5 or Microsoft 365 E5 Compliance.
Workloads: Exchange Online, Microsoft Teams (chats, channels), third-party sources.
Built-in classifiers: Harassment, threats, profanity, insider trading, regulatory compliance (SEC/FINRA).
Policy templates: Anti-harassment, insider trading, offensive language, regulatory compliance, conflict of interest.
Review actions: Resolve, notify sender, escalate to eDiscovery, tag.
Default retention period: 7 years (2555 days).
Roles: Communication Compliance Admin, Communication Compliance Reviewer.
Edge Cases and Exceptions
Communication Compliance does not capture voice calls or meeting recordings unless they are transcribed and stored in Exchange or Teams.
It can capture messages from third-party platforms (e.g., Slack, Bloomberg) via custom connectors, but this requires additional configuration and licensing.
If a user is not licensed for Communication Compliance, their messages are not scanned even if they are part of a policy scope.
The sampling rate applies to messages that match the policy conditions; it does not reduce the number of messages scanned, only the number surfaced for review.
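The policy behaviour described in this chapter (scope, keyword and pattern conditions, exclusion keywords, and a sampling rate that limits what is surfaced rather than what is scanned) can be modelled in a short script. This is an added illustration, not Microsoft's code or part of the original chapter; the class and function names, the sample messages, and the even-spacing sampling method are all assumptions.

```python
import re
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    body: str

@dataclass(frozen=True)
class Policy:
    scoped_users: frozenset
    keywords: tuple
    exclusions: tuple = ()
    patterns: tuple = ()      # (name, compiled regex) pairs, like custom sensitive info types
    sampling_rate: int = 100  # percent of *matched* messages surfaced to reviewers

def match_conditions(policy, msg):
    """Return the names of every policy condition the message body matches."""
    text = msg.body.lower()
    # Blank out exclusion phrases first so a benign phrase cannot trip a keyword.
    for phrase in policy.exclusions:
        text = text.replace(phrase.lower(), " ")
    hits = [f"keyword:{k}" for k in policy.keywords
            if re.search(rf"\b{re.escape(k.lower())}\b", text)]
    hits += [f"pattern:{name}" for name, rx in policy.patterns if rx.search(msg.body)]
    return hits

def evaluate(policy, messages):
    """Scan in-scope messages, then surface only the sampled share of the matches."""
    scanned = matched = 0
    queue = []
    rate = policy.sampling_rate
    for msg in messages:
        if msg.sender not in policy.scoped_users:
            continue  # out of scope: never scanned
        scanned += 1
        hits = match_conditions(policy, msg)
        if not hits:
            continue
        # Assumed sampling method: spread surfaced items evenly over the matches.
        surface = ((matched + 1) * rate) // 100 > (matched * rate) // 100
        matched += 1
        if surface:
            # Detective control: queue a copy for review; the original is untouched.
            queue.append({"msg_id": msg.msg_id, "sender": msg.sender,
                          "matched": hits, "status": "Pending review"})
    return {"scanned": scanned, "matched": matched, "queue": queue}

# Constructed policy and messages (not real data).
POLICY = Policy(
    scoped_users=frozenset({"alice@contoso.com", "bob@contoso.com"}),
    keywords=("confidential", "uncle", "competitor"),
    exclusions=("Uncle Bob",),
    patterns=(("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),),
)
MESSAGES = [
    Message("m1", "alice@contoso.com", "Keep this confidential until the merger closes."),
    Message("m2", "bob@contoso.com", "My uncle works at a competitor and asked about the roadmap."),
    Message("m3", "alice@contoso.com", "Watching Uncle Bob reruns tonight."),
    Message("m4", "carol@contoso.com", "This is confidential."),  # sender not in scope
    Message("m5", "bob@contoso.com", "The SSN on the form is 123-45-6789."),
    Message("m6", "alice@contoso.com", "Lunch at noon?"),
    Message("m7", "bob@contoso.com", "Is the competitor pricing confidential?"),
]

def run(rate):
    """Evaluate the constructed messages with the given sampling rate (percent)."""
    return evaluate(replace(POLICY, sampling_rate=rate), MESSAGES)

if __name__ == "__main__":
    for rate in (100, 50, 25):
        result = run(rate)
        print(rate, result["scanned"], result["matched"],
              [item["msg_id"] for item in result["queue"]])
```

Lowering the rate shrinks only the review queue: the scanned and matched counts stay the same at every rate.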
How to Eliminate Wrong Answers
If the question mentions "detect and review" or "flag messages for review," it is Communication Compliance, not DLP or eDiscovery.
If the question mentions "block" or "prevent," it is DLP.
If the question mentions "investigate" or "hold," it is eDiscovery.
If the question mentions "audit trail" or "log," it is Audit.
Always check licensing: if the scenario uses E3, Communication Compliance is not available.
Communication Compliance is a Microsoft Purview solution for detecting and reviewing communication policy violations after they occur.
It supports Exchange Online, Microsoft Teams, and third-party sources via connectors.
Licensing required: Microsoft 365 E5 or E5 Compliance for each monitored user.
Built-in policy templates: anti-harassment, insider trading, offensive language, regulatory compliance, conflict of interest.
Trainable classifiers are available for harassment, threats, profanity, insider trading, and SEC/FINRA compliance.
Default retention period for flagged messages is 7 years (2555 days), configurable.
Review actions: resolve as compliant/non-compliant, notify sender, escalate to eDiscovery, tag.
Communication Compliance is detective, not preventative; DLP is preventative.
Roles needed: Communication Compliance Admin (create policies), Communication Compliance Reviewer (review messages).
Sampling rate can be set from 1% to 100% to control reviewer workload.
These come up on the exam all the time. Here's how to tell them apart.
Communication Compliance
Detects policy violations after messages are sent.
Focused on inappropriate content, harassment, threats, regulatory compliance.
Actions include review, notify sender, escalate to eDiscovery.
Requires Microsoft 365 E5 or E5 Compliance licensing.
Uses trainable classifiers and sensitive info types.
Data Loss Prevention (DLP)
Prevents sharing of sensitive data in real-time.
Focused on protecting sensitive information like credit cards, SSNs, and health records.
Actions include block, notify, and encrypt.
Available in Microsoft 365 E3 (limited) and E5 (advanced).
Uses sensitive info types and conditions only (no trainable classifiers).
Mistake
Communication Compliance blocks messages containing sensitive data in real-time.
Correct
Communication Compliance is a detective control, not a preventative one. It captures and flags messages after they are sent. Blocking is done by Data Loss Prevention (DLP) policies.
Mistake
Communication Compliance is included in Microsoft 365 E3.
Correct
Communication Compliance requires Microsoft 365 E5 or the E5 Compliance add-on. E3 users do not have access to this solution.
Mistake
Communication Compliance only scans emails.
Correct
It scans emails, Microsoft Teams messages (1:1 chats and channel messages), and can be extended to third-party sources via connectors.
Mistake
Communication Compliance automatically deletes flagged messages.
Correct
It does not delete or modify messages. It only copies flagged messages to a secure repository for review. The original message remains unchanged.
Mistake
Trainable classifiers in Communication Compliance work immediately out-of-the-box without training.
Correct
Trainable classifiers require initial training with at least 50 positive samples before they can accurately detect specific content. Microsoft provides pre-trained classifiers for common categories like harassment and threats.
Communication Compliance detects and reviews messages that violate internal policies (e.g., harassment, insider trading) after they are sent. DLP prevents sensitive data (e.g., credit card numbers) from being shared in real-time by blocking or encrypting messages. Communication Compliance is detective; DLP is preventative. Both use sensitive information types, but Communication Compliance also uses trainable classifiers for content categories.
Communication Compliance is included in Microsoft 365 E5 and Microsoft 365 E5 Compliance. It is also available as an add-on to Microsoft 365 E3. Each user whose communications are monitored must have one of these licenses.
Yes, Communication Compliance can monitor 1:1 chats and channel messages in Microsoft Teams. It captures messages in near real-time. It does not capture voice calls or meeting recordings unless they are transcribed and stored in Exchange or Teams.
Reviewers can: resolve as compliant (no violation), resolve as non-compliant (violation), notify the sender with a warning email, escalate to eDiscovery for formal investigation, or tag for further review. The action taken is logged in the Audit log.
The default retention period is 7 years (2555 days). This is configurable when creating the policy. After the retention period ends, the captured messages are automatically deleted from the Communication Compliance repository.
Trainable classifiers are machine learning models that detect specific categories of content, such as harassment, threats, profanity, insider trading, and regulatory compliance (SEC/FINRA). They require initial training with at least 50 positive samples before they can be used effectively. Microsoft provides pre-trained classifiers for common categories.
Yes, with the appropriate connectors. Microsoft Purview supports connectors for third-party platforms such as Slack, Bloomberg, and others. These connectors allow Communication Compliance to ingest messages from those platforms and apply policies. Additional licensing and configuration are required.