Configure supervision policies for your organization

Use supervision policies to capture employee communications for examination by internal or external reviewers. For more information about how supervision policies can help you monitor communications in your organization, see Supervision policies in Office 365.

Note

Users monitored by supervision policies must have either a Microsoft 365 E5 Compliance license, an Office 365 Enterprise E3 license with the Advanced Compliance add-on, or be included in an Office 365 Enterprise E5 subscription. If you don't have an existing Enterprise E5 plan and want to try supervision, you can sign up for a trial of Office 365 Enterprise E5.

Follow these steps to set up and use supervision in your Office 365 organization:

Step 1 - Set up groups for Supervision (optional)

When you create a supervision policy, you'll determine who will have their communications reviewed and who will perform those reviews. In the policy, you'll use email addresses to identify individuals or groups of people. To simplify your setup, you can create groups for people who will have their communication reviewed and groups for people who will review those communications. If you're using groups, you might need several—for example, if you want to monitor communications between two distinct groups of people or if you want to specify a group that isn't going to be supervised.

Use the following chart to help you configure groups in your organization for supervision policies:

Policy Member | Supported Groups | Unsupported Groups
Supervised users | Distribution groups, Office 365 groups | Dynamic distribution groups
Reviewers | Mail-enabled security groups | Distribution groups, Dynamic distribution groups

For more information about setting up groups, see:

Step 2 - Make supervision available in your organization (required)

To make Supervision available as a menu option in the Security & Compliance Center, you must be assigned the Supervisory Review Administrator role.

To do this, you can either add yourself as a member of the Supervisory Review role group, or you can create a new role group.

Add members to the Supervisory Review role group

  1. Sign in to https://protection.office.com using credentials for an admin account in your Office 365 organization.

  2. In the Security & Compliance Center, go to Permissions.

  3. Select the Supervisory Review role group and then click the Edit icon.

  4. In the Members section, add the people who you want to manage supervision for your organization.

Create a new role group

  1. Sign in to https://protection.office.com using credentials for an admin account in your Office 365 organization.

  2. In the Security & Compliance Center, go to Permissions and then click Add (+).

  3. In the Roles section, click Add (+) and scroll down to Supervisory Review Administrator. Add this role to the role group.

  4. In the Members section, add the people who you want to manage supervision for your organization.

For more information about role groups and permissions, see Permissions in the Office 365 Security & Compliance Center.

Enable remote PowerShell access for reviewers (if email is hosted on Exchange Online)

  1. Follow the guidance in Enable or disable access to Exchange Online PowerShell.

Step 3 - Create custom sensitive information types and custom keyword dictionaries (optional)

To select custom sensitive information types or custom keyword dictionaries in the supervision policy wizard, you must create them first.

Create custom keyword dictionary/lexicon (optional)

Using a text editor (like Notepad), create a new file that includes the keyword terms you'd like to monitor in a supervision policy. Make sure each term is on a separate line and save the file in the Unicode/UTF-16 (Little Endian) format.
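
The file requirements above (one term per line, UTF-16 Little Endian) can also be met and checked from PowerShell. This is an added example, not part of the original page; the sample terms, the file name and the Write-KeywordFile and Test-KeywordFile functions are hypothetical, and it assumes the file carries the FF FE byte-order mark that Notepad's Unicode option writes.

```powershell
# Constructed sample terms and a hypothetical file name; replace with your own.
$terms = @('project falcon', 'Project Falcon ', '', 'guaranteed returns', 'off the record')
$path  = Join-Path $PWD.Path 'supervision-keywords.txt'

function Write-KeywordFile {
    param([string[]]$Terms, [string]$Path)
    # Trim, drop blank entries, and de-duplicate case-insensitively (first spelling wins).
    $seen  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $clean = @(foreach ($t in $Terms) {
        $t = "$t".Trim()
        if ($t -and $seen.Add($t)) { $t }
    })
    # UnicodeEncoding(bigEndian = $false, byteOrderMark = $true) writes UTF-16 LE with FF FE.
    $utf16le = [System.Text.UnicodeEncoding]::new($false, $true)
    [System.IO.File]::WriteAllLines($Path, [string[]]$clean, $utf16le)
    return $clean
}

function Test-KeywordFile {
    param([string]$Path)
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $problems = @()
    $hasBom   = $bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE
    if (-not $hasBom)            { $problems += 'no UTF-16 LE byte-order mark (FF FE)' }
    if ($bytes.Length % 2 -ne 0) { $problems += 'odd byte count, not valid UTF-16' }
    # Decode as UTF-16 LE, drop the BOM character and trailing newlines, then split into lines.
    $text  = [System.Text.Encoding]::Unicode.GetString($bytes).TrimStart([char]0xFEFF) -replace '(\r?\n)+\z', ''
    $lines = @(if ($text) { $text -split '\r?\n' })
    $bad   = @($lines | Where-Object { $_ -eq '' -or $_ -ne $_.Trim() })
    if ($bad.Count) { $problems += "$($bad.Count) blank or whitespace-padded line(s)" }
    [pscustomobject]@{ TermCount = $lines.Count; Problems = $problems; Ok = ($problems.Count -eq 0) }
}

$written = @(Write-KeywordFile -Terms $terms -Path $path)
$check   = Test-KeywordFile -Path $path
'{0} terms written; file OK: {1}' -f $written.Count, $check.Ok
$check.Problems
```

Test-KeywordFile can also be pointed at a file saved from a text editor to confirm the encoding before importing it in the wizard.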

Create custom sensitive information types

  1. Create a new sensitive information type and add your custom dictionary in the Office 365 Security & Compliance Center. Navigate to Classifications > Sensitive info types and follow the steps in the New sensitive info type wizard. Here you will:

    • Define a name and description for the sensitive info type
    • Define the proximity, confidence level, and primary pattern elements
    • Import your custom dictionary as a requirement for the matching element
    • Review your selections and create the sensitive info type

    For more detailed information, see Create a custom sensitive information type and Create a keyword dictionary.

    After the custom dictionary/lexicon is created, you can view the configured keywords using the Get-DlpKeywordDictionary cmdlet or add and remove terms using the Set-DlpKeywordDictionary cmdlet.

Step 4 - Set up a supervision policy (required)

  1. Sign in to https://protection.office.com using credentials for an admin account in your Office 365 organization.

  2. In the Security & Compliance Center, select Supervision.

  3. Select Create and then follow the wizard to set up the following pages of the policy. Using the wizard, you will:

    • Give the policy a name and description.
    • Choose the users or groups to supervise, including choosing users or groups you'd like to exclude.
    • Define the supervision policy conditions.
    • Choose if you'd like to include sensitive information types. This is where you can select default and custom sensitive info types.
    • Define the percentage of communications to review.
    • Choose the reviewers for the policy. Reviewers can be individual users or mail-enabled security groups.
    • Review your policy selections and create the policy.

Step 5 - Test your supervision policy (optional)

After you create a supervision policy, it's a good idea to test to make sure that the conditions you defined are being properly enforced by the policy. You may also want to test your data loss prevention (DLP) policies if your supervision policies include sensitive information types. Follow the steps below to test your supervision policy:

  1. Open an email client or Microsoft Teams logged in as a supervised user defined in the policy you want to test.

  2. Send an email or Microsoft Teams chat that meets the criteria you've defined in the supervision policy. This can be a keyword, attachment size, domain, etc. Check whether the conditional settings you configured in the policy are too restrictive or too lenient.

    Note

    Emails subject to defined policies are processed in near real-time and can be tested immediately after the policy is configured. Chats in Microsoft Teams can take up to 24 hours to fully process in a policy.

  3. Log in to your Office 365 tenant as a reviewer designated in the supervision policy. Navigate to Supervision > Your Custom Policy > Open to view the report for the policy.

Step 6 - Configure Outlook for reviewers (optional)

Reviewers who want to use Outlook instead of the Supervision dashboard in Office 365 to review communications must configure their Outlook client.

Step 1: Copy the address for the supervision mailbox

To configure review for Outlook desktop or Outlook for the web, you'll need the address for the supervision mailbox that was created as part of the supervision policy setup.

Note

If someone else created the policy, you'll need to get this address from them to install the add-in.

To find the supervision mailbox address

  1. Sign in to the Security & Compliance Center using credentials for an admin account in your Office 365 organization.

  2. Go to Supervision.

  3. Click the supervision policy that's gathering the communications you want to review.

  4. In the policy details flyout, under Supervision mailbox, copy the address.

Step 2: Configure the supervision mailbox for Outlook access

Next, reviewers will need to run a couple of Exchange Online PowerShell commands so they can connect Outlook to the supervision mailbox.

  1. Connect to Exchange Online PowerShell. How do I do this?

  2. Run the following commands, where SupervisoryReview{GUID}@domain.onmicrosoft.com is the address you copied in Step 1 above, and User is the name of the reviewer who will be connecting to the supervision mailbox in Step 3.

    # Grant the reviewer full access to the supervision mailbox
    Add-MailboxPermission "SupervisoryReview{GUID}@domain.onmicrosoft.com" -User <alias or email address of the account that has reviewer permissions to the supervision mailbox> -AccessRights FullAccess

    # Show the supervision mailbox in address lists
    Set-Mailbox "SupervisoryReview{GUID}@domain.onmicrosoft.com" -HiddenFromAddressListsEnabled $false

  3. Wait at least an hour before moving on to Step 3 below.
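
Because FullAccess lets its holder open everything captured in the supervision mailbox, it is worth checking who holds that right once the commands above have run. The following is an added example, not part of the original page: the Find-UnapprovedFullAccess function, the reviewer list and the sample rows are constructed, and the rows mirror the User, AccessRights, IsInherited and Deny properties that Get-MailboxPermission returns.

```powershell
# Constructed allow-list and permission rows; all addresses are placeholders.
$approvedReviewers = @('reviewer1@contoso.com', 'reviewer2@contoso.com')
$samplePermissions = @(
    [pscustomobject]@{ User = 'NT AUTHORITY\SELF';     AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ User = 'reviewer1@contoso.com'; AccessRights = @('FullAccess');     IsInherited = $false; Deny = $false }
    [pscustomobject]@{ User = 'helpdesk@contoso.com';  AccessRights = @('FullAccess');     IsInherited = $false; Deny = $false }
    [pscustomobject]@{ User = 'auditor@contoso.com';   AccessRights = @('ReadPermission'); IsInherited = $false; Deny = $false }
)

function Find-UnapprovedFullAccess {
    param(
        [Parameter(Mandatory)] [object[]]$Permission,
        [Parameter(Mandatory)] [string[]]$Approved
    )
    foreach ($p in $Permission) {
        $user   = "$($p.User)"
        # Normalize rights to strings; tolerate a combined value such as "FullAccess, ReadPermission".
        $rights = @($p.AccessRights | ForEach-Object { "$_" -split ',\s*' })
        # Only explicit allow entries that include FullAccess matter here.
        if ($p.Deny -or $p.IsInherited)        { continue }
        if ($rights -notcontains 'FullAccess') { continue }
        if ($user -like 'NT AUTHORITY\*')      { continue }   # the mailbox's own SELF entry
        if ($Approved -notcontains $user) {
            [pscustomobject]@{ User = $user; AccessRights = ($rights -join ', ') }
        }
    }
}

# With the sample rows, only the account outside the approved list is reported.
$unexpected = @(Find-UnapprovedFullAccess -Permission $samplePermissions -Approved $approvedReviewers)
$unexpected | Format-Table -AutoSize

# In a connected Exchange Online PowerShell session, pass the live entries instead:
#   Find-UnapprovedFullAccess -Approved $approvedReviewers `
#       -Permission (Get-MailboxPermission -Identity 'SupervisoryReview{GUID}@domain.onmicrosoft.com')
```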

Step 3: Create an Outlook profile to connect to the supervision mailbox

For the final step, reviewers will need to create an Outlook profile to connect to the supervision mailbox.

Note

To create a new Outlook profile, you'll use the Mail settings in the Windows Control Panel. The path you take to get to these settings might depend on which Windows operating system (Windows 7, Windows 8, or Windows 10) you're using, and which version of Outlook is installed.

  1. Open the Control Panel, and in the Search box at the top of the window, type Mail.
    (Not sure how to get to the Control Panel? See Where is Control Panel?)

  2. Open the Mail app.

  3. In Mail Setup - Outlook, click Show Profiles.

  4. In Mail, click Add. Then, in New Profile, enter a name for the supervision mailbox (such as Supervision).

  5. In Connect Outlook to Office 365, click Connect to a different account.

  6. In Auto Account Setup, choose Manual setup or additional server types, and then click Next.

  7. In Choose Your Account Type, choose Office 365. Then, in the Email Address box, enter the address of the supervision mailbox you copied previously.

  8. When prompted, enter your Office 365 credentials.

  9. If successful, you'll see the Supervision - <policy name> folder listed in the Folder List view in Outlook.

PowerShell reference

If needed, you can create and manage supervision policies using the following PowerShell cmdlets: