SC-900, Chapter 37 of 103, Objective 4.3

Communication Compliance

This chapter covers Communication Compliance in Microsoft 365, a key compliance solution for detecting and acting on inappropriate messages in your organization. For the SC-900 exam, this topic falls under Objective 4.3: Describe the compliance management capabilities in Microsoft 365. Expect 1-2 questions on Communication Compliance, focusing on its purpose, key features, and how it differs from similar tools like Data Loss Prevention (DLP) and Insider Risk Management. Understanding the underlying mechanism—how policies are defined, how messages are processed, and how reviewers handle alerts—is critical for exam success.

25 min read
Intermediate
Updated May 31, 2026

Communication Compliance as a Mailroom Screening Service

Imagine a large corporate mailroom that receives all incoming and outgoing mail for employees. The mailroom has a set of rules: it scans every envelope for keywords like 'confidential' or 'proprietary', checks if the sender or recipient is on a watchlist, and flags any mail with attachments or unusual patterns. It also records metadata (sender, recipient, timestamp) for audit. The mailroom doesn't open every letter; it uses automated scanners to detect potential policy violations. If a letter is flagged, it is set aside for a human reviewer (supervisor) to examine. The reviewer can decide to release the letter, mark it as a policy violation, or escalate to legal. The mailroom also allows employees to voluntarily report suspicious letters. This mirrors Communication Compliance in Microsoft 365: messages (email, Teams, Yammer) are processed by policies that detect inappropriate content, sensitive data, or regulatory violations. The system uses classifiers and machine learning to reduce false positives, and designated reviewers investigate and remediate flagged messages. Just as the mailroom logs all actions for compliance, Communication Compliance retains audit records for investigation and reporting.

How It Actually Works

What is Communication Compliance and Why It Exists

Communication Compliance is a Microsoft 365 solution that helps organizations detect, capture, and act on inappropriate messages in email, Microsoft Teams, Yammer, and third-party sources. It is part of the Microsoft Purview compliance portal. The primary purpose is to address regulatory compliance requirements (e.g., SEC, FINRA, GDPR) and internal policies related to workplace harassment, insider trading, confidential information sharing, and other communication risks.

Unlike Data Loss Prevention (DLP), which focuses on preventing data leaks, Communication Compliance is designed for supervision and review of communications. It allows organizations to define policies that automatically detect specific types of content, assign reviewers, and escalate issues. The solution is built on Microsoft 365's compliance backbone, leveraging advanced classifiers, machine learning models, and integration with eDiscovery and audit logs.

How Communication Compliance Works Internally

Communication Compliance operates through a pipeline of policy definition, message ingestion, classification, alert generation, and review. Here is the step-by-step mechanism:

1. Policy Creation: An administrator creates a policy in the Microsoft Purview compliance portal. The policy specifies:
- Policy name and description
- Users or groups to supervise (e.g., all users, specific distribution groups, or users in a certain role)
- Detection conditions: These are the criteria that trigger a policy match. Conditions include:
  - Keyword lists: Specific words or phrases (e.g., 'insider trading', 'confidential')
  - Sensitive information types: Predefined or custom DLP sensitive info types (e.g., credit card numbers, Social Security numbers)
  - Trainable classifiers: Prebuilt classifiers for harassment, threats, profanity, or custom classifiers
  - Message direction: Inbound, outbound, or internal
  - Attachments: Whether messages with attachments are included
  - Size limits: Messages over a certain size can be excluded
- Percentage of communications to review: A sampling rate (0-100%) to reduce volume
- Reviewers: Designated users who will investigate and resolve alerts

2. Message Ingestion: Communication Compliance continuously ingests messages from Exchange Online, Microsoft Teams, Yammer, and third-party sources (via connector). For Exchange Online, it processes email messages in mailboxes that are enabled for supervision. For Teams, it captures channel messages, chat messages, and shared files. The ingestion happens via the Microsoft 365 compliance pipeline, which indexes messages and makes them searchable.

3. Policy Evaluation: Each ingested message is evaluated against active policies. The evaluation includes:
- Keyword matching: The system scans message body, subject, and attachments (if configured) for specified keywords.
- Sensitive information detection: Uses the same Microsoft 365 DLP engine to identify sensitive data patterns.
- Classifier analysis: Trainable classifiers (e.g., 'Harassment classifier', 'Threat classifier') analyze the message using machine learning models trained on large datasets. These classifiers produce a confidence score. If the score exceeds a threshold (default is 0.8 or 80%, configurable), the message is flagged.
- Sampling: If the policy has a sampling percentage less than 100%, the system randomly selects only that percentage of matching messages for alert generation.

4. Alert Generation: When a message matches a policy condition and is selected by sampling, an alert is created in the Communication Compliance dashboard. The alert includes:
- The message content (subject, body, attachments)
- Sender and recipient information
- Timestamp
- Policy name and matched condition
- Classification details (e.g., which sensitive info type was found)

5. Review and Remediation: Designated reviewers access the Communication Compliance dashboard in the Microsoft Purview compliance portal. They can:
- Tag the message: Options include 'Compliant', 'Non-compliant', 'Questionable', or 'Resolved' (customizable).
- Escalate: Send the alert to another reviewer or to eDiscovery for further investigation.
- Notify: Send a notification to the sender or manager.
- Remove: If the message is a violation, the reviewer can request removal from the user's mailbox (requires additional permissions).
- Resolve: Mark the alert as resolved after investigation.

6. Audit and Reporting: All actions taken in Communication Compliance are logged in the Microsoft 365 audit log. Reports are available in the compliance portal showing trends, policy matches, and resolution times.
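The evaluate, sample, and alert steps above as a small Python model, added here as an illustration; it is not Microsoft's implementation and not code from the original page. The class and function names, the hash-based stand-in for random sampling, and the sample messages are assumptions; the 10 MB limit, the 0.8 threshold, and the sampling percentage come from the text.

```python
import hashlib
from dataclasses import dataclass

MAX_BYTES = 10 * 1024 * 1024   # page: messages larger than 10 MB are not processed
SCORE_THRESHOLD = 0.8          # page: default classifier confidence threshold

@dataclass
class Policy:
    name: str
    keywords: tuple
    sampling_pct: int = 100    # page: default sampling rate is 100%

@dataclass
class Message:
    msg_id: str
    sender: str
    body: str
    size_bytes: int = 2048
    score: float = 0.0         # stand-in for a trainable classifier's confidence

def matched_condition(policy, msg):
    """Return the name of the first condition the message matches, else None."""
    if msg.size_bytes > MAX_BYTES:
        return None            # oversized messages are never evaluated
    text = msg.body.lower()
    for kw in policy.keywords:
        if kw.lower() in text:
            return "keyword:" + kw
    if msg.score > SCORE_THRESHOLD:   # must exceed the threshold, not equal it
        return "classifier"
    return None

def in_sample(policy, msg):
    """Deterministic stand-in for random sampling: hash the id into a 0-99 bucket."""
    digest = hashlib.sha256((policy.name + ":" + msg.msg_id).encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100 < policy.sampling_pct

def run_policy(policy, messages):
    """Split matching messages into alerts (reviewed) and unsampled (never reviewed)."""
    alerts, unsampled = [], []
    for msg in messages:
        condition = matched_condition(policy, msg)
        if condition is None:
            continue
        record = {"msg_id": msg.msg_id, "sender": msg.sender, "matched": condition}
        (alerts if in_sample(policy, msg) else unsampled).append(record)
    return alerts, unsampled

def chance_of_alert(sampling_pct, matching_messages):
    """Probability that at least one of N matching messages becomes an alert."""
    return 1 - (1 - sampling_pct / 100) ** matching_messages

# Constructed sample traffic (not real data).
SAMPLE = [
    Message("m1", "trader1@example.com", "Got material nonpublic information on the deal"),
    Message("m2", "trader2@example.com", "Lunch at noon?"),
    Message("m3", "trader3@example.com", "see attached", score=0.93),
    Message("m4", "trader4@example.com", "insider trading tips", size_bytes=11 * 1024 * 1024),
    Message("m5", "trader5@example.com", "borderline", score=0.8),
]

if __name__ == "__main__":
    policy = Policy("InsiderTrading", ("insider trading", "material nonpublic"), 20)
    print(run_policy(policy, SAMPLE), chance_of_alert(20, 1))
```

In this model, at a 20% sampling rate a single matching message has a 0.2 chance of reaching a reviewer, and five matching messages have about a 0.67 chance that at least one does. The oversized message m4 never produces an alert even though it contains a keyword.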

Key Components, Values, and Defaults

Policy conditions: You can combine up to 10 conditions per policy.

Sampling rate: Default is 100% (all matches generate alerts). You can set it to a lower percentage to reduce volume.

Trainable classifiers: Microsoft provides prebuilt classifiers for harassment, threats, profanity, and others. You can also create custom classifiers with a minimum of 50 positive samples and 50 negative samples.

Sensitive information types: Over 200 predefined types, plus custom types.

Reviewer roles: To review alerts, a user must be assigned the 'Communication Compliance' role group, which includes roles like 'Communication Compliance Analyst', 'Communication Compliance Investigator', and 'Communication Compliance Admin'.

Retention: Alerts are retained for 30 days by default (configurable via retention policy).

Message size limit: Messages larger than 10 MB are not processed (by default).

Configuration and Verification

To create a Communication Compliance policy, you can use the Microsoft Purview compliance portal or PowerShell. Example PowerShell cmdlets:

# Run in Security & Compliance PowerShell (Connect-IPPSSession)
# Create a new policy; -Reviewers is required (placeholder address shown)
New-SupervisoryReviewPolicyV2 -Name "InsiderTrading" -Reviewers "reviewer@contoso.com" -Comment "Detect insider trading keywords"

# Add a rule with the supervised group, keyword condition, and sampling rate
New-SupervisoryReviewRule -Name "InsiderTradingRule" -Policy "InsiderTrading" -SamplingRate 100 -Condition "((Reviewee:All Users) -AND ((insider trading) -OR (confidential) -OR (material nonpublic)))"
# Message direction (Outbound in this example) is selected in the policy's settings in the portal

To verify, check the Communication Compliance dashboard for alerts and use Get-SupervisoryReviewPolicyV2 to list policies.

Interaction with Related Technologies

Data Loss Prevention (DLP): Communication Compliance can use DLP sensitive info types as conditions, but DLP policies block or warn users proactively, while Communication Compliance is detective.

Insider Risk Management: Insider Risk Management uses signals from Communication Compliance (e.g., policy violations) as one of its indicators for risk scoring.

eDiscovery: Alerts can be escalated to eDiscovery for legal hold and advanced investigation.

Audit Log: All reviewer actions are logged and can be searched via the Audit log in the compliance portal.

Trap Patterns on the Exam

Confusing Communication Compliance with DLP: DLP is about preventing data loss; Communication Compliance is about monitoring communications for policy violations. Both use sensitive info types, but the purpose and actions differ.

Believing Communication Compliance works only for email: It also supports Teams, Yammer, and third-party sources.

Thinking it requires a license for every user: Communication Compliance is included in Microsoft 365 E5, E5 Compliance, or as an add-on. However, only supervised users need licenses.

Assuming sampling is always 100%: Sampling can be set to any percentage, which is a common exam trick.

Walk-Through

1. Define Communication Compliance Policy

An admin navigates to the Microsoft Purview compliance portal > Communication Compliance > Policies tab. They click 'Create policy' and choose a policy template (e.g., 'Detect inappropriate content' or 'Monitor for sensitive information'). They then configure the policy name, supervised users/groups, detection conditions (keywords, sensitive info types, classifiers), sampling rate, and reviewers. The policy is saved and becomes active within minutes.

2. Ingest Messages from Sources

Communication Compliance continuously ingests messages from Exchange Online mailboxes, Teams channel and chat messages, Yammer conversations, and third-party sources via connectors. The ingestion process indexes the messages and stores them in a secure, isolated storage. Messages are processed as they arrive; there is no batch processing delay. For Teams, all messages (including file attachments and inline images) are captured.

3. Evaluate Messages Against Policy Conditions

Each ingested message is evaluated against active policies. The evaluation engine runs keyword matching, sensitive information type detection, and trainable classifier analysis. If a message matches any condition, it is flagged. The sampling rate is applied: if the policy has a 50% sampling rate, only half of the flagged messages proceed to alert generation. This reduces the volume for reviewers.

4. Generate Alerts for Flagged Messages

Flagged messages that pass sampling are used to create alerts in the Communication Compliance dashboard. Each alert contains the full message content, metadata (sender, recipients, timestamp), the policy that triggered it, and the matched condition. Alerts are visible to designated reviewers in the 'Alerts' tab. Alerts are retained for 30 days by default.

5. Review and Remediate Alerts

Reviewers log into the Microsoft Purview compliance portal and navigate to Communication Compliance > Alerts. They open an alert to view the message and attached files. They can tag the message as compliant, non-compliant, or questionable. They can also escalate to eDiscovery, notify the sender, or request removal of the message. After action, they resolve the alert. All actions are logged in the audit log.

What This Looks Like on the Job

In a large financial services firm, Communication Compliance is used to monitor trader communications for insider trading and market manipulation. The firm creates a policy that supervises all employees in the trading department. The policy uses keyword lists containing terms like 'material nonpublic information', 'insider trading', and 'pump and dump'. It also uses the sensitive information type for stock symbols to detect potential tips. The policy is set to sample 20% of flagged messages to manage volume. Reviewers are compliance officers who triage alerts daily. When a trader sends an email with the phrase 'confidential deal' to an external party, an alert is generated. The reviewer investigates, finds no actual violation, and tags it as compliant. The firm also integrates third-party data from Bloomberg chat via a connector, so all communications are captured in one dashboard.

In a healthcare organization, Communication Compliance monitors for inappropriate patient information sharing in Teams chats. The policy uses the sensitive information type for medical record numbers and keywords like 'HIPAA violation'. Supervised users include all clinical staff. The policy is set to 100% sampling due to high regulatory risk. When a nurse sends a patient's name and diagnosis in a Teams message, the system flags it. The reviewer (privacy officer) sees the alert, determines it was a genuine error, and notifies the nurse's manager. The message is tagged as non-compliant and escalated for training.

Common misconfigurations include: (1) Not assigning reviewers, so alerts go uninvestigated. (2) Setting sampling too low, missing critical violations. (3) Forgetting to enable supervision for Teams messages (requires enabling the Teams connector). (4) Not training classifiers adequately, leading to high false positives. Performance-wise, the system can handle millions of messages per day, but alert volume can overwhelm reviewers if policies are too broad. Best practice is to start with a small pilot and refine conditions.

How SC-900 Actually Tests This

For SC-900 Objective 4.3, focus on the purpose and high-level capabilities of Communication Compliance. The exam will test your ability to distinguish it from other compliance solutions. Key points:

- What it does: Detects, captures, and acts on inappropriate messages in email, Teams, Yammer, and third-party sources.
- Common exam scenarios: Identifying which solution to use for monitoring employee communications for harassment or insider trading.
- Wrong answers to avoid:
  1. Choosing DLP when the question is about reviewing communications (DLP is proactive blocking, not review).
  2. Choosing eDiscovery when the question is about ongoing monitoring (eDiscovery is for litigation hold and search, not real-time supervision).
  3. Choosing Insider Risk Management when the question is about communication content (Insider Risk Management uses broader signals, but Communication Compliance is specifically for communications).
- Trap: The exam may present a scenario where a company needs to monitor external emails for confidential data. Many candidates pick DLP, but if the requirement is to *review* and *investigate* rather than block, Communication Compliance is the correct answer.
- Numbers to remember: Sampling rate (0-100%), alert retention (30 days default), message size limit (10 MB default).
- Edge case: Communication Compliance can also be used to detect policy violations in third-party data via connectors (e.g., Bloomberg, Slack). This is less known but testable.
- How to eliminate wrong answers: If the question mentions 'supervision', 'review', 'investigate', or 'policy violation detection in communications', it is Communication Compliance. If it mentions 'prevent', 'block', or 'warn', it is DLP. If it mentions 'risk scoring' or 'user behavior analytics', it is Insider Risk Management.

Key Takeaways

Communication Compliance is a detective solution for monitoring communications, not a preventive one like DLP.

It supports email, Microsoft Teams, Yammer, and third-party sources via connectors.

Policies use conditions: keywords, sensitive info types, and trainable classifiers.

Sampling rate (0-100%) controls what percentage of matched messages generate alerts.

Designated reviewers investigate and tag alerts (compliant, non-compliant, etc.).

Alerts are retained for 30 days by default.

Message size limit is 10 MB by default.

Communication Compliance is part of Microsoft Purview and requires an E5 or E5 Compliance license for supervised users.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Communication Compliance

Detective: reviews communications after they are sent.

Used for supervision and policy violation detection.

Actions: tag, escalate, notify, remove.

Supports email, Teams, Yammer, third-party.

Requires assigned reviewers.

Data Loss Prevention (DLP)

Preventive: blocks or warns users before sending.

Used to prevent data leaks of sensitive info.

Actions: block, warn, allow override.

Primarily email and SharePoint, but also Teams and endpoints.

Automated enforcement, no reviewer needed for blocking.

Watch Out for These

Mistake

Communication Compliance only works for email.

Correct

It also supports Microsoft Teams (channel and chat messages), Yammer, and third-party sources via connectors (e.g., Slack, Bloomberg).

Mistake

Communication Compliance is the same as Data Loss Prevention (DLP).

Correct

DLP proactively prevents data leaks by blocking or warning users. Communication Compliance is detective and allows reviewers to investigate and remediate after the fact.

Mistake

All messages are reviewed by a human.

Correct

Only messages that match policy conditions and pass sampling are turned into alerts for review. The system uses automated classifiers to reduce volume.

Mistake

Communication Compliance requires a license for every user in the organization.

Correct

Only users who are supervised (i.e., whose communications are monitored) need to be licensed. Reviewers also need a license, but not all users.

Mistake

Sampling rate must be 100% for compliance.

Correct

Sampling can be set to any percentage. It is a risk-based decision; lower sampling reduces reviewer workload but may miss violations.


Frequently Asked Questions

What is Communication Compliance in Microsoft 365?

Communication Compliance is a Microsoft 365 solution that helps organizations detect, capture, and act on inappropriate messages in email, Teams, Yammer, and third-party sources. It allows you to define policies that automatically flag messages containing keywords, sensitive information, or inappropriate content, and assign reviewers to investigate and resolve alerts. It is part of the Microsoft Purview compliance portal.

How does Communication Compliance differ from Data Loss Prevention?

Communication Compliance is detective: it reviews messages after they are sent and allows human investigation. DLP is preventive: it blocks or warns users before they send sensitive data. Both use sensitive info types, but the purpose and actions differ. On the exam, if the scenario involves 'reviewing' or 'investigating' communications, choose Communication Compliance. If it involves 'blocking' or 'preventing', choose DLP.

What types of content can Communication Compliance monitor?

It can monitor email in Exchange Online, Microsoft Teams channel and chat messages, Yammer posts and replies, and third-party data sources like Bloomberg and Slack via connectors. Attachments are also scanned if configured. It supports text, but not images or audio directly (though OCR for images in attachments may be supported in some cases).

What licenses are required for Communication Compliance?

Communication Compliance is included in Microsoft 365 E5, E5 Compliance, and the E5 eDiscovery and Audit add-on. Users whose communications are supervised must have one of these licenses. Reviewers also need a license. Organizations can purchase Communication Compliance as an add-on for E3 or lower plans.

Can Communication Compliance be used to monitor third-party chat platforms?

Yes, via connectors. Microsoft provides connectors for platforms like Slack, Bloomberg, and others. These connectors ingest messages from the third-party service into Communication Compliance, where they are evaluated against policies. This is a key exam point: Communication Compliance is not limited to Microsoft 365 sources.

What is the default retention period for Communication Compliance alerts?

Alerts are retained for 30 days by default. This can be configured via a retention policy in the Microsoft Purview compliance portal. After retention, alerts are permanently deleted. The exam may ask about this default value.

What roles are needed to review Communication Compliance alerts?

Users must be assigned to the 'Communication Compliance' role group. Within that group, specific roles include 'Communication Compliance Analyst' (can view and tag alerts), 'Communication Compliance Investigator' (can escalate and remove messages), and 'Communication Compliance Admin' (can create and manage policies).
