# Messaging policy

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/messaging-policy

## Quick definition

A messaging policy is like a rulebook for your company's email and chat systems. It decides who can send messages to whom, what happens to sensitive data sent in emails, and how long messages are kept. These policies help protect the organization from data leaks and ensure everyone follows the law.

## Simple meaning

Imagine you work in a large office building with hundreds of people. The mailroom is where all the letters and packages arrive. Without any rules, anyone could send anything to anyone, packages could get lost, and sensitive documents might end up in the wrong hands. A messaging policy is like a set of instructions for the mailroom and all the employees. It says things like: only certain people can send packages marked 'confidential', all mail must be stamped with the date, and any package that looks suspicious needs to be inspected before delivery. In the digital world, this mailroom is your company's email server and chat system.

A messaging policy is not just one single rule. It is a collection of rules that work together. Some rules are about security, like scanning every email for viruses or blocking links to known malicious websites. Other rules are about compliance, meaning they help the company follow laws like GDPR or HIPAA. For example, a policy might automatically encrypt any email that contains a credit card number or a patient's medical record. There are also rules about retention, which decide how long emails and chat messages are kept before they are deleted. This is important because keeping everything forever can be a security risk and costs money to store.

Think of a messaging policy as the traffic lights, road signs, and speed limits for digital communication. Without them, traffic would be chaotic and dangerous. With them, messages flow in an orderly way, dangerous content gets blocked, and you know the right lane to use for urgent or sensitive information. For IT professionals, setting up these policies is a core part of managing Microsoft 365, Google Workspace, or any enterprise communication platform. You decide what happens when an email is sent from outside the company, whether internal chat messages are archived, and what alerts are triggered if someone tries to send a large file to a personal email address.

A simple analogy is a school library. The librarian has policies: no talking loudly, books must be returned in two weeks, and certain books (like encyclopedias) cannot be taken out of the library. Students follow these rules to keep the library useful for everyone. Similarly, a messaging policy keeps the company's communication system useful, safe, and organized. It is a foundational part of modern IT management and is critical for passing certification exams like the ones listed in this glossary.

## Technical definition

A messaging policy, in the context of enterprise IT and cloud-based collaboration platforms such as Microsoft 365 (Exchange Online, Teams), Google Workspace, and AWS WorkMail, is a structured set of rules and configurations that control the lifecycle, security, and flow of electronic messages within an organization. These messages include emails, instant messages (chats), and sometimes voicemail transcripts. Messaging policies are implemented through mechanisms like transport rules (in Exchange), data loss prevention (DLP) policies, retention policies, and compliance policies. They are a fundamental component of an organization's governance, risk, and compliance (GRC) framework.

At a technical level, messaging policies operate at multiple layers of the mail flow. In Microsoft Exchange Online, the transport pipeline processes messages through a series of agents. A transport rule (also known as a mail flow rule) is a type of messaging policy that inspects message properties such as the sender, recipient, subject, body content, and attachments. For example, a transport rule can be configured to prepend a disclaimer to all emails sent to external recipients, or to reject emails that contain specific keywords like 'confidential' if the sender is not authorized. These rules use conditions and exceptions with Boolean logic (AND/OR) and can apply actions like rejecting, redirecting, or modifying the message.

Data Loss Prevention (DLP) policies are another critical technical implementation of a messaging policy. DLP uses deep content analysis to detect sensitive data such as credit card numbers, social security numbers, or health records. It uses pattern matching algorithms (e.g., regex), machine learning classifiers, and exact data match (EDM) to identify data. Once a sensitive match is found, the policy can block the message, encrypt it, notify the sender, or allow it with a warning. In Microsoft Purview compliance portal, DLP policies can be scoped to specific users, groups, or locations (Exchange, Teams, SharePoint). They integrate with Microsoft Information Protection (MIP) sensitivity labels to apply encryption automatically.

Retention policies are messaging policies that manage the lifecycle of messages. They define how long messages are kept (retention period) and what happens afterward (delete or archive). In Exchange Online, you can use Messaging Records Management (MRM) policies which use retention tags. These tags can be applied to default folders (Inbox, Sent Items) or custom folders. When a message reaches its retention age, the mailbox assistant processes it and either moves it to the archive mailbox or permanently deletes it. In Microsoft Teams, retention policies apply to chat messages and channel messages. These are crucial for legal compliance, eDiscovery, and minimizing storage costs.

Compliance policies, such as those for Microsoft Teams, govern features like who can communicate with whom (external access), what types of messages are allowed (e.g., blocking GIFs or memes), and whether chat history is enabled. These are set via Teams admin center and can be assigned to specific users or groups. For example, a compliance policy might block users from creating private channels if they are not in a certain security group.

messaging policies interact with authentication and authorization mechanisms. For instance, an organization might set a policy that requires all emails sent to external domains to be signed with DKIM (DomainKeys Identified Mail) and authenticated via SPF (Sender Policy Framework) and DMARC. These are email authentication policies and are part of the messaging policy framework. They prevent spoofing and phishing. In AWS, for example, you can configure email sending policies in Amazon SES to control which domains can send emails and with what level of verification.

From a protocol perspective, messaging policies are enforced at the SMTP (Simple Mail Transfer Protocol) level, at the MAPI (Messaging Application Programming Interface) level for Outlook clients, and at the REST API level for modern apps. When a message is sent, the server evaluates the policies before the message is delivered. This is often done through a sequence of event sinks or hooks in the transport service. In large organizations with hybrid deployments (on-premises Exchange and Exchange Online), messaging policies can be synchronized via Hybrid Configuration Wizard and can apply across both environments.

messaging policies are a multi-faceted set of rules that involve Transport Rules, DLP, Retention, Compliance, and Email Authentication. They are configurable through admin portals (Exchange Admin Center, Teams Admin Center, Microsoft Purview, AWS Console), PowerShell scripts, and REST APIs. They are enforced in real-time and are essential for security, legal compliance, and operational control. Exam objectives for certifications like MS-102, SC-900, and AZ-104 frequently test the configuration and troubleshooting of these policies.

## Real-life example

Let's use the example of a busy hospital. In a hospital, doctors and nurses need to communicate quickly and securely about patients. They use a secure messaging system (similar to email and chat in an organization). The hospital's messaging policy is like the hospital's internal communication rules. It ensures that patient health information (PHI) is never shared in an unsecured way.

Imagine Dr. Smith sends a message to Dr. Jones about a patient named Mr. Brown. The message includes Mr. Brown's diagnosis and his social security number. Without a messaging policy, that message could be stored forever in a chat log, or it could be accidentally forwarded to someone outside the hospital. The policy kicks in: it scans the message for patterns that look like a social security number. It finds that pattern, and automatically encrypts the message so that only Dr. Jones can read it. It also applies a retention policy that says all patient-related messages must be kept for 7 years for legal reasons, after which they are securely deleted.

Now, consider the same scenario with a different policy. The hospital also has a policy that blocks all messages containing profanity or harassment language. If someone tries to send an inappropriate message to a coworker, the system blocks it and sends an alert to the compliance officer. This is like a hospital rule that says 'no harassment' but enforced automatically.

Another real-life example is a remote company that uses Microsoft Teams. The company has a messaging policy that blocks external access by default. This means that employees can only chat with people inside the company. If an employee wants to collaborate with a vendor, they need to request temporary external access, which is granted by an IT admin. This policy prevents hackers from pretending to be a vendor and tricking an employee into sharing secrets.

think about retention. An employee leaves the company. Without a policy, their email archive and chat history might sit on a server forever, costing money and being a liability. A messaging policy says that when an employee is terminated, their mailbox is converted to a shared mailbox, and after 90 days, all their data is deleted. This is like an office cleaning policy: after someone moves out, their desk is cleaned out within a month.

## Why it matters

Messaging policies matter because they are the frontline defense against data breaches, legal non-compliance, and operational chaos. In any organization, communication is the bloodstream of daily operations. If that bloodstream is not regulated, sensitive data can leak, malicious messages can enter, and the organization can face severe fines or reputational damage.

For IT professionals, understanding messaging policies is not optional. When you manage a Microsoft 365 tenant or a Google Workspace environment, you are responsible for configuring these policies. A single misconfiguration, like forgetting to enable a DLP rule for credit card numbers, can lead to a breach. On the other side, over-restrictive policies can block legitimate business communications and frustrate users. So, getting the balance right is a key skill.

In the context of certifications like MS-102 (Microsoft 365 Administrator) and SC-900 (Microsoft Security, Compliance, and Identity Fundamentals), messaging policies are a major exam domain. You will be asked to interpret scenarios, choose the correct policy type, or troubleshoot why a message was blocked or not encrypted. For security certifications like Security+ and CISSP, messaging policies are part of the broader topics of security controls, data protection, and compliance frameworks.

messaging policies are essential for incident response. If a phishing attack occurs, a properly configured messaging policy can help contain the threat. For example, a transport rule can quarantine all emails from a malicious domain. This is a quick action that an admin can take. Without policies in place, the admin would have to manually delete thousands of emails.

In short, messaging policies are not just 'nice to have', they are a core requirement for any organization that takes security and compliance seriously. IT professionals who master this topic are better equipped to design, implement, and troubleshoot secure communication systems.

## Why it matters in exams

Messaging policies appear heavily in several certification exams. For Microsoft 365 exams (MS-102, MD-102, SC-900, AZ-104), messaging policies are a primary focus. For example, in the MS-102 exam, you must understand how to manage mail flow rules, DLP policies, and retention policies in the Microsoft Purview portal. You may be given a scenario where a company needs to prevent credit card numbers from being sent via email, and you must select the correct policy type (DLP policy) and configure the appropriate action (block and notify).

In the SC-900 exam, the focus is on explaining the capabilities of Microsoft Purview. You will get questions about DLP, records management, and compliance policies. You need to know when to use a retention policy vs. a DLP policy vs. a sensitivity label. The questions are often conceptual, asking 'which tool would you use to...'.

For the CompTIA Security+ and CySA+ exams, messaging policies appear in the context of security controls and data protection. You may see questions about email security best practices, such as implementing SPF, DKIM, and DMARC, which are types of messaging policies. You might also see a scenario where an organization needs to implement a policy to prevent data exfiltration via email, which maps to DLP.

The CISSP exam includes messaging policies under the domain of Communication and Network Security. You need to understand the concept of content filtering, email security, and the policy lifecycle. The question might be high-level, asking about the importance of setting a policy to block attachments of certain types.

In AWS SAA (Solutions Architect Associate), messaging policies are less central but appear as part of AWS WorkMail or Amazon SES policies. You might need to configure an email policy to only allow authenticated users to send emails. So it is light supporting.

In the MD-102 exam (Microsoft Endpoint Administrator), messaging policies relate to mobile device management and conditional access. You might configure a policy that requires an app protection policy to be in place before an email can be viewed on a mobile device.

Across all these exams, the question types are usually multiple-choice, drag-and-drop, or case studies. You need to know not just the name of the policy, but also the specific parameters, where to configure it (e.g., Exchange Admin Center vs. Teams Admin Center), and the order of precedence when multiple policies apply.

## How it appears in exam questions

Messaging policy questions appear in several common patterns. The first is the scenario question, where you are given a business requirement and asked to identify the correct policy or configuration action. For example: 'A healthcare organization needs to ensure that all emails containing patient data are encrypted before they are sent outside the organization. Which policy should you configure?' The correct answer is a DLP policy with an action to encrypt.

Another common pattern is configuration order or precedence. For example: 'An organization has a transport rule that adds a disclaimer to all external emails. They also have a DLP policy that blocks emails containing credit card numbers. A user sends an email to an external recipient that contains a credit card number. What happens?' You need to know that transport rules are applied before DLP policies, so the disclaimer would be added, but then the DLP policy would block the email anyway. However, the sequence matters.

Troubleshooting-style questions are also frequent. For example: 'Users report that emails sent to a specific external domain are not being delivered. The transport rule log shows no errors. What should you check?' The answer might be that the domain is blocked by an allow/block list or that the policies are not scoped correctly.

Another question type is 'choose the best policy' for a given requirement. For example: 'You need to prevent users from sharing sensitive information in Teams chat messages. Which policy should you create?' The answer is a DLP policy for Teams. Or: 'You need to ensure that emails older than 5 years are automatically deleted. Which policy should you create?' The answer is a retention policy.

Finally, some questions test your knowledge of policy scope and assignment. For example: 'You need to apply a DLP rule only to members of the HR department. How should you configure the policy?' The answer is to create a scope that includes specific users or groups. Understanding that policies can be scoped to locations, groups, or users is crucial.

## Example scenario

You are the IT administrator for a company called TechWorld Inc. The company uses Microsoft 365 with Exchange Online and Teams. The CEO has asked you to implement a policy that prevents employees from accidentally sending out confidential product plans via email. The confidential product plans are identified by the code name 'Project Phoenix'. 

You decide to create a transport rule in Exchange Online. You configure the rule with the condition 'If the subject or body contains such words' and add 'Project Phoenix' as the keyword. You then set the action to 'Prepend the subject with [UNCONFIRMED]' and 'Notify the sender with a message'. You also set an exception: if the sender is a member of the 'Executives' group, the rule does not apply. This ensures that only non-executives get the warning.

You also want to add a layer of DLP protection. You create a DLP policy that scans for any sensitive data patterns associated with 'Project Phoenix' (you have created a custom sensitive info type). The DLP policy is set to block the email and send a 'policy tip' to the user explaining why it was blocked. To avoid blocking executives, you add an exception for the Executives group.

Finally, you set a retention policy that keeps all emails containing 'Project Phoenix' in a legal hold for 10 years. 

After implementing these policies, you test by sending an email with the subject 'Project Phoenix update' from a regular user's account. The email gets the subject prepended, and the user receives a notification. The user tries to override and send anyway, but the DLP policy blocks it. You then test from an executive account, and the email goes through without issues. The scenario works as intended, and the CEO is satisfied.

## The Role and Purpose of Messaging Policy in Modern Collaboration

A messaging policy is a set of organizational rules and technical controls that govern how messages are created, transmitted, stored, and retained within a collaboration platform such as Microsoft Teams, Slack, or Google Workspace. For IT administrators and security professionals preparing for exams like the AWS Certified Solutions Architect (aws-saa), ISC2 CISSP, CompTIA Security+, CySA+, and Microsoft certifications (MD-102, MS-102, AZ-104, SC-900), understanding messaging policy is essential because it sits at the intersection of compliance, data governance, and operational security.

At its core, a messaging policy addresses two primary concerns: security and compliance. Security aspects include preventing unauthorized access to messages, ensuring encryption both at rest and in transit, and controlling who can send messages to whom. Compliance aspects cover data retention requirements mandated by regulations such as GDPR, HIPAA, or SOX, as well as eDiscovery capabilities for legal proceedings. In the context of collaboration workloads, messaging policies are often enforced through tools like Microsoft Purview, Azure Information Protection, or third-party data loss prevention (DLP) solutions.

One key component of messaging policy is the definition of message lifecycle. This includes how long messages are retained, when they are automatically deleted, and whether they can be edited or recalled after sending. For example, in Microsoft 365, administrators can create retention policies that apply to Teams chat messages, channel messages, and private channel messages separately. These policies can be set to retain messages for a specified number of days or years, then permanently delete them. This is critical for organizations that need to balance business continuity with privacy obligations.

Another important dimension is the enforcement of acceptable use policies. Many organizations restrict the use of certain messaging features, such as file sharing, GIFs, or external communications. Messaging policies can also enforce ethical walls, preventing specific groups (e.g., finance and sales) from communicating directly. This is especially relevant in regulated industries like banking and healthcare.

For collaboration workloads, messaging policies also integrate with broader information protection strategies. For instance, sensitivity labels can be applied to messages automatically based on content detection. If a message contains credit card numbers or health records, it may be blocked or flagged for review. This ties directly into exam topics for SC-900 and MS-102, where candidates must understand how Microsoft Purview and Microsoft 365 compliance center policies work together.

From an exam perspective, messaging policy questions often test the candidate's ability to design and implement policies that meet specific regulatory or business requirements. For example, the AWS-saa exam may ask about how to architect a message queuing system with appropriate retention policies, while the CISSP exam focuses on the governance and risk management aspects. The CySA+ and Security+ exams emphasize the detection and prevention of data exfiltration via messaging. Therefore, a solid grasp of messaging policy is not just about knowing the settings but understanding the underlying principles of data classification, risk assessment, and legal compliance.

## How Retention and Deletion Policies Control Message Lifecycle

Retention and deletion policies are the backbone of any messaging policy. They determine how long message data is kept and when it is permanently removed. In collaboration platforms like Microsoft Teams, messages are stored in Exchange Online mailboxes and in the Azure-based chat service. Administrators can configure retention policies at the organizational level, at the group level (e.g., for specific teams), or even at the user level using policy assignments.

The primary reason for having retention policies is to comply with legal and regulatory requirements. For example, financial institutions may be required to retain all business communications for seven years under SEC Rule 17a-4. Healthcare organizations must adhere to HIPAA’s retention requirements, which can vary by state. A messaging policy that enforces a fixed retention period ensures that messages are not deleted prematurely, but also that they are not kept longer than necessary, reducing litigation risk and storage costs.

Deletion policies work hand-in-hand with retention policies. Once the retention period expires, the system can automatically purge the messages. However, there are nuances: for example, if a legal hold is placed on a user or a team, the deletion policy is suspended for that data. This is a frequent exam scenario-candidates must understand the difference between a retention policy and a legal hold. A retention policy preserves data for a specific time, but a legal hold preserves it indefinitely until the hold is removed.

In Microsoft 365, administrators use the Microsoft Purview compliance portal to create and manage retention policies for Teams messages. You can choose to retain messages for a specific number of days (e.g., 365), then delete them; or you can retain them forever, or delete them after a set period. Importantly, policies can be applied to entire organizations, specific teams, or specific users using adaptive scopes or static scopes. For the MS-102 and SC-900 exams, you must know how to use adaptive scopes to target policies based on user attributes like department or geographic location.

Another critical aspect is the handling of edited and deleted messages. When a user edits a message, the original version may be retained for compliance purposes if a retention policy is in place. Similarly, if a user deletes a message, it might still be recoverable for a certain period (e.g., 30 days in Teams) before it is permanently removed. This is tested in the MD-102 exam, where you need to manage device and data retention across endpoints.

From a technical perspective, retention policies work by storing a copy of the message in a hidden folder within the user's mailbox. This copy is immutable for the duration of the policy. This mechanism is important for eDiscovery, as compliance officers can search these hidden folders without affecting the user's current view. For the AWS-saa exam, while not directly about Teams, the concept of message retention in services like Amazon SQS or Amazon MQ is analogous-you configure a retention period (e.g., 14 days) after which unprocessed messages are deleted. Understanding this parallel helps in grasping the broader pattern of message lifecycle management.

Finally, exam questions often test the consequences of misconfigured retention policies. For example, if you set a retention policy to delete messages after one year, but a legal hold is in place, the messages are not deleted. Another common pitfall is that retention policies do not apply to private chats unless explicitly configured. Candidates must be ready to identify such gaps. Mastery of retention and deletion policies ensures you can design a compliant, cost-effective messaging environment that meets both business and regulatory needs.

## Data Loss Prevention (DLP) in Messaging Policies for Collaboration

Data Loss Prevention (DLP) is a critical component of messaging policy, especially in collaboration workloads where sensitive information may be shared through chat, channels, or direct messages. DLP policies scan messages in real time for patterns that match predefined sensitive data types-such as credit card numbers, Social Security numbers, medical record identifiers, or intellectual property-and take automated actions like blocking the message, sending an alert, or notifying the sender.

For exams like the SC-900, MS-102, and Security+, DLP in messaging is a frequent topic because it represents a direct application of security controls to protect data. In Microsoft 365, DLP policies can be applied to Exchange email, SharePoint sites, OneDrive, and Microsoft Teams. When applied to Teams, DLP covers channel messages, private chats, and even messages sent in meetings. The policy engine evaluates messages based on conditions (e.g., content contains a specific pattern) and then applies actions (e.g., block the message from being sent, show a policy tip to the user).

One unique challenge in messaging DLP is that collaboration platforms often support rich content-images, files, links, and emojis. Therefore, DLP in messaging must be capable of scanning embedded file contents (like a PDF attached to a chat), as well as the text of the message. This adds complexity compared to email DLP, where the focus is on email body and attachments. For the MD-102 exam, you might need to understand how Microsoft 365’s built-in DLP integrates with Microsoft Endpoint Manager to enforce policies on mobile devices, ensuring that sensitive data is not copied out of corporate apps.

Another important exam concept is the use of policy tips. When a user tries to send a message that violates a DLP rule, a policy tip appears in the chat interface, warning the user that the message contains sensitive information and may be blocked. Users can sometimes override the block by providing a business justification, which is logged for compliance review. This balances security with usability-a key theme in Security+ and CySA+ exams.

For the CISSP exam, DLP in messaging is a prime example of a preventive control. You must understand how DLP relates to the data security lifecycle: classify data, apply controls, monitor, and respond. Messaging DLP also intersects with information rights management (IRM). For instance, Microsoft 365 allows you to apply sensitivity labels that encrypt messages, so even if a message is forwarded outside the organization, the recipient cannot access it without the proper credentials.

On the technical side, configuring DLP for messaging requires careful tuning to avoid false positives. A common mistake is enabling too many sensitive data types at once, causing user frustration and policy violations. Exam questions may test your ability to choose the right data types for a given scenario (e.g., healthcare requires HIPAA data types, finance requires PCI data types). You also need to know how to test DLP policies using the built-in simulation mode before enforcing them.

Finally, DLP policies must be complemented by incident response. When a DLP rule triggers, an admin can receive an incident report via email or the compliance center. This is tested in the MS-102 exam, where you need to configure DLP alerts and incident management. Overall, DLP is a cornerstone of messaging policy because it directly prevents data exfiltration, which is a top priority in any security certification.

## Managing External Access and Federation Through Messaging Policy

External access and federation are powerful features of collaboration platforms that allow users to communicate with people outside their organization. However, they also introduce significant security and compliance risks. A well-defined messaging policy must explicitly control who can communicate externally, under what conditions, and what data can be shared. This is a recurring theme in exams such as the AZ-104, MS-102, and SC-900.

In Microsoft Teams, external access (also called federation) allows users from other organizations to find and communicate with your users using Teams. There are two levels: federation (where external users need a Teams account from their own organization) and guest access (where external users sign in with their personal email account or a Microsoft account). Messaging policy can restrict federation to specific domains, block all federation, or allow it with certain conditions. For example, an organization might allow federation only with trusted partner domains such as 'partnercompany.com' but block all others.

From an exam perspective, the key is to understand the difference between federation and guest access. Federation is usually for inter-company collaboration between two Teams tenants, while guest access is for inviting external users as full participants in a team. Messaging policies can apply different controls to each type. For instance, a policy might allow guests to send messages but not access shared files, or it might enforce message retention only for internal users.

Another important consideration is data sovereignty. When external users are involved, messages may be stored in different geographic regions. For example, if a European user communicates with a US-based external user, data may flow across borders. Messaging policy must account for regional compliance requirements such as GDPR, which restricts the transfer of personal data outside the European Economic Area. In the AZ-104 exam, you might need to configure Azure policies to ensure that Teams data is stored in a specific region using data residency policies.

messaging policy can block external users from using certain features, such as file sharing, read receipts, or even dictation. This is managed through external access policies at the tenant level. For the SC-900 exam, you must know how to navigate the Microsoft 365 admin center to configure these settings, and how to use conditional access policies (Azure AD) to require multifactor authentication when external users join meetings or chats.

A common exam scenario involves a company that wants to collaborate with a partner but must ensure that no sensitive data is leaked. The solution is to create a separate team with its own messaging policy that enforces DLP, restricts file downloads, and logs all external interactions. This is a practical design question that appears in both MS-102 and Security+ exams.

Troubleshooting external access issues is also tested. For example, if an external user cannot send messages, the likely causes are: (1) federation is blocked at the tenant level, (2) the external user's domain is not allowed, or (3) the user’s policy does not grant external messaging rights. Knowing how to verify these settings using PowerShell cmdlets like Get-CsTenantFederationConfiguration or Get-CsExternalUserCommunicationPolicy is beneficial.

Finally, remember that external access policies can be audited. The compliance manager in Microsoft 365 provides reports on external communication patterns, which can be used for internal audits or regulatory reviews. For the CISSP exam, understanding how to balance business needs (collaboration) with security (access control) is fundamental. A robust messaging policy that includes external access controls ensures that collaboration does not become a liability.

## Common mistakes

- **Mistake:** Confusing transport rules with DLP policies
  - Why it is wrong: Transport rules operate on mail flow and can modify, redirect, or block messages based on conditions, but they do not do deep content analysis. DLP policies perform deep content inspection using pattern matching and classifiers.
  - Fix: Use transport rules for actions like adding disclaimers or routing based on subject. Use DLP policies for detecting and protecting sensitive data like credit cards or PII.
- **Mistake:** Setting a retention policy to delete emails immediately after they are received
  - Why it is wrong: A retention policy with a zero-day retention period would delete messages as soon as they arrive, which could cause data loss and compliance issues. Retention policies are meant to keep data for a minimum time, not delete it immediately.
  - Fix: Set retention periods that match your legal requirements (e.g., 3 years, 7 years). Use a retention label if you need to delete sooner for some items, but be careful.
- **Mistake:** Forgetting to enable DLP policy or not scoping it correctly
  - Why it is wrong: If a DLP policy is not enabled or is scoped only to certain locations (e.g., only Exchange but not Teams), sensitive data could leak via other channels. A common exam trap is that the policy is 'created' but not 'turned on'.
  - Fix: Always enable the policy after creation and review the scope to ensure it covers all relevant workloads (Exchange, Teams, SharePoint, Devices).
- **Mistake:** Assuming policies are applied in alphabetical or creation order
  - Why it is wrong: Transport rule policies are processed in a priority order (lowest number = highest priority). DLP policies have a different priority system. If multiple policies conflict, the higher priority one wins. Order is often tested.
  - Fix: Always check the policy priority in the admin center. Document the rule priority and test with sample messages.
- **Mistake:** Overlooking the 'Stop processing more rules' action
  - Why it is wrong: If a transport rule has the 'Stop processing more rules' action enabled, subsequent rules will not run. This can cause unexpected behavior if you have multiple rules that should all apply.
  - Fix: Only use 'Stop processing more rules' when you want a rule to be the final decision. Otherwise, ensure rules are set to 'Continue processing'.
- **Mistake:** Misunderstanding the difference between retention and eDiscovery hold
  - Why it is wrong: Retention policies and eDiscovery holds both preserve data, but they serve different purposes. Retention policies manage lifecycle (keep/delete), while eDiscovery holds preserve data for legal cases and override retention policies.
  - Fix: Use eDiscovery holds for litigation purposes. Use retention policies for routine compliance and data hygiene.

## Exam trap

{"trap":"A question asks: 'You need to ensure that all emails containing credit card numbers are encrypted automatically. What should you configure?' Many learners choose 'Transport Rule' with an encryption action.","why_learners_choose_it":"Transport rules can encrypt messages using OME (Office Message Encryption), so learners think this is correct. However, DLP policies are specifically designed for sensitive data detection and automatic encryption.","how_to_avoid_it":"Remember the principle: DLP policies are for protecting sensitive data. While transport rules can also encrypt, the best practice (and exam answer) is to use a DLP policy with an 'Encrypt' action because it can detect the data pattern more accurately and provide policy tips to users."}

## Commonly confused with

- **Messaging policy vs Mail flow rule:** A mail flow rule (transport rule) is a type of messaging policy, but it is not the only one. Messaging policies also include DLP, retention, and compliance policies. Mail flow rules are specifically for routing and modifying messages based on conditions like sender, recipient, or subject. DLP policies focus on content inspection. (Example: A mail flow rule might add a disclaimer to all external emails. A DLP policy might block an email that contains a social security number. Both are messaging policies, but they serve different purposes.)
- **Messaging policy vs Data Loss Prevention (DLP) policy:** DLP policy is a subset of messaging policy. Messaging policy is the overarching term for all rules that govern messages. DLP is a specific type that uses deep content analysis to prevent sensitive data from being shared. Not all messaging policies are DLP policies, but all DLP policies are messaging policies. (Example: A retention policy decides how long to keep a message. That is a messaging policy, not a DLP policy.)
- **Messaging policy vs Retention policy:** A retention policy is a type of messaging policy that manages the lifecycle of messages (how long to keep and what to do after). It is different from transport rules or DLP because it is about time-based management, not real-time content inspection. A retention policy might delete an email after 5 years, while a DLP policy blocks it immediately. (Example: You have a retention policy that automatically deletes emails over 7 years old. That does not block any email from being sent.)
- **Messaging policy vs Compliance policy (Teams):** Compliance policies for Teams control features like external access, private channels, and messaging type. They are a type of messaging policy but specific to Teams. They do not handle email. They are different from DLP policies which can apply to both email and Teams. (Example: A compliance policy might block users from creating private channels. A DLP policy might block a message with a credit card number in a Teams chat.)
- **Messaging policy vs Sensitivity label:** Sensitivity labels are used to classify and protect data (like 'Confidential' or 'Public'). They are not policies per se, but they can be auto-applied by a DLP policy or a transport rule. A messaging policy can use sensitivity labels, but the label itself is not a policy. (Example: A DLP policy can auto-apply a 'Highly Confidential' sensitivity label when a credit card number is detected. The label then enforces encryption.)

## Commands

```
Get-CsTeamsMessagingPolicy -Identity Global
```
Retrieves the global messaging policy for Microsoft Teams. Use this to review default settings for message editing, deletion, and read receipts.

*Exam note: Appears in MS-102 and SC-900 exams to test knowledge of PowerShell cmdlets for managing Teams policies.*

```
New-CsTeamsMessagingPolicy -Identity "FinanceMessagingPolicy" -AllowMemes $false -AllowGiphy $false
```
Creates a new Teams messaging policy for the Finance department that disables memes and Giphy. Apply this to restrict non-professional content.

*Exam note: Tests the ability to create custom policies with specific feature toggles, common in MD-102 and MS-102 exam scenarios.*

```
Set-CsTeamsMessagingPolicy -Identity "SalesPolicy" -AllowUserEditMessage $false -AllowUserDeleteMessage $false
```
Disables message editing and deletion for users assigned to the Sales policy. Useful for compliance in heavily regulated environments.

*Exam note: CISSP and Security+ exams test this concept as a preventive control against data tampering.*

```
Remove-CsTeamsMessagingPolicy -Identity "LegacyPolicy"
```
Deletes a custom messaging policy that is no longer needed. Users assigned to it will revert to the Global policy.

*Exam note: Used in AZ-104 and MS-102 exams to test policy lifecycle management and understanding of policy inheritance.*

```
Grant-CsTeamsMessagingPolicy -PolicyName "CompliancePolicy" -Identity "user@contoso.com"
```
Assigns the CompliancePolicy to a specific user. This is how you apply a custom messaging policy to an individual or group.

*Exam note: Essential for SC-900 and MS-102 exams, where you must know how to assign policies at the user level via PowerShell.*

```
Set-AadRightsPolicy -ProtectionRule "BlockExternalChat" -Action Block
```
Configures Azure AD rights protection to block external chat messages containing sensitive data. Often used with DLP policies.

*Exam note: Tests integration between Azure Information Protection and Teams messaging policy in SC-900 and CISSP exams.*

```
Get-CsTenantFederationConfiguration | Format-List
```
Displays the current federation settings for the tenant, including allowed and blocked domains. This script is critical for troubleshooting external messaging issues.

*Exam note: Commonly tested in AZ-104 and MS-102 to check understanding of external access configuration.*

## Troubleshooting clues

- **Users cannot send messages to external federated contacts** — symptom: Error message: "You can't send messages to this person" or the message fails to send in Teams.. The tenant federation policy may be set to block all external domains, or the specific external domain is not in the allowed list. The external user may not have a compatible policy. (Exam clue: Exam questions present this issue and ask the candidate to check Get-CsTenantFederationConfiguration or the federation allow/block list.)
- **Messages are being automatically deleted before the retention period** — symptom: Users report that old messages disappear from chat history even though retention policy says 365 days.. A separate deletion policy or litigation hold settings may be overriding the retention policy. Or, the retention policy is applied to the wrong scope (e.g., only channel messages but not private chats). (Exam clue: Tests understanding of policy precedence and scope in MS-102; common scenario where a retention policy and a deletion policy conflict.)
- **DLP policy is blocking legitimate messages** — symptom: Users receive policy tips blocking messages that do not contain sensitive data, such as passport numbers in a travel discussion.. The DLP policy is misconfigured-perhaps it uses a too broad sensitive data type or has a low confidence level threshold, causing false positives. (Exam clue: Security+ and CySA+ exams test the ability to tune DLP policies and use simulation mode before enforcing.)
- **Guest users can access files shared in Teams chat** — symptom: External guests can download and forward files that contain confidential information, violating compliance rules.. The guest access policy or the Teams messaging policy does not restrict file sharing for guest users. The setting AllowGuestFileShare is likely enabled. (Exam clue: Appears in SC-900 and MS-102 exams, requiring candidates to identify the correct policy setting to disable file sharing for guests.)
- **Read receipts are not working for some users** — symptom: Some users in a team see read receipts from others, but others do not.. Read receipts are controlled by the messaging policy. If a user has a policy that disables read receipts, they will not see them, and others may not see theirs. (Exam clue: MD-102 and MS-102 exams test the impact of per-user policy settings versus global settings.)
- **Users cannot edit or delete their own messages after 5 minutes** — symptom: The Edit and Delete buttons disappear shortly after sending a message, even though the policy allows editing.. The messaging policy has a TimeLimitForEdit or TimeLimitForDelete setting set to a low value (e.g., 5 minutes). The default is unlimited but can be customized. (Exam clue: A classic exam trap: candidates must check these specific parameters in PowerShell with Get-CsTeamsMessagingPolicy.)
- **No policy tips appear when sending sensitive content** — symptom: Users can send credit card numbers without any warning, even though DLP is supposedly enabled.. The DLP policy may not be applied to Teams chats, or the policy tip action is not enabled. Also, the policy may be in test mode without enforcing actions. (Exam clue: Tests the difference between DLP policy modes (test vs enforce) and the need to enable policy tips in the Microsoft Purview compliance portal.)

---

Practice questions and the full interactive page: https://courseiva.com/glossary/messaging-policy
