Configure supervision policies for your organization

Use supervision policies to capture employee communications for examination by internal or external reviewers. For more information about how supervision policies can help you monitor communications in your organization, see Supervision policies in Office 365.

Note

Users monitored by supervision policies must have either a Microsoft 365 E5 Compliance license, an Office 365 Enterprise E3 license with the Advanced Compliance add-on, or be included in an Office 365 Enterprise E5 subscription. If you don't have an existing Enterprise E5 plan and want to try supervision, you can sign up for a trial of Office 365 Enterprise E5.

Follow these steps to set up and use supervision in your Office 365 organization:

Step 1 - Set up groups for Supervision (optional)

When you create a supervision policy, you define who has their communications reviewed and who performs reviews. In the policy, you'll use email addresses to identify individuals or groups of people. To simplify your setup, you can create groups for people who have their communication reviewed and groups for people who review those communications. If you're using groups, you may need several, for example, if you want to monitor communications between two distinct groups of people, or if you want to specify a group that isn't going to be supervised.

Use the following chart to help you configure groups in your organization for supervision policies:

Policy Member | Supported Groups | Unsupported Groups
Supervised users | Distribution groups, Office 365 groups | Dynamic distribution groups
Reviewers | Mail-enabled security groups | Distribution groups, Dynamic distribution groups

To manage supervised users in large enterprise organizations, you may need to monitor all users across large groups. You can use PowerShell to configure a distribution group for a global supervision policy for the assigned group. This enables you to monitor thousands of users with a single policy and keep the supervision policy updated as new employees join your organization.

  1. Create a dedicated distribution group for your global supervision policy with the following properties. Make sure that this distribution group isn't used for other purposes or other Office 365 services.

    • MemberDepartRestriction = Closed. Ensures that users cannot remove themselves from the distribution group.
    • MemberJoinRestriction = Closed. Ensures that users cannot add themselves to the distribution group.
    • ModerationEnabled = True. Ensures that all messages sent to this group are subject to approval and that the group is not being used to communicate outside of the supervision policy configuration.
    New-DistributionGroup -Name <your group name> -Alias <your group alias> -MemberDepartRestriction 'Closed' -MemberJoinRestriction 'Closed' -ModerationEnabled $true
    
  2. Select an unused Exchange custom attribute to track users added to the supervision policy in your organization.

  3. Run the following PowerShell script on a recurring schedule to add users to the supervision policy:

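    # Select user mailboxes that have not been tagged yet. The attribute in this filter
    # (CustomAttribute9 here) must be the custom attribute you selected in step 2.
    $Mbx = (Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited -Filter {CustomAttribute9 -eq $Null})
    $i = 0
    ForEach ($M in $Mbx)
    {
      Write-Host "Adding" $M.DisplayName
      # Add the mailbox to the supervision distribution group.
      Add-DistributionGroupMember -Identity <your group name> -Member $M.DistinguishedName -ErrorAction SilentlyContinue
      # Tag the mailbox so that the next scheduled run skips it.
      Set-Mailbox -Identity $M.Alias -<your custom attribute name> SRAdded
      $i++
    }
    Write-Host $i "Mailboxes added to supervisory review distribution group."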
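
The script above suppresses errors from Add-DistributionGroupMember and tags the mailbox either way, so a tagged mailbox is not proof of group membership. The following audit is an added example, not part of the original guidance; it assumes a connected Exchange Online PowerShell session, and the group name, attribute name and CSV path are placeholders.

```powershell
# Added example (not from the original page): audit the supervision group.
# Assumes a connected Exchange Online PowerShell session. $GroupName and
# $Attribute are placeholders; use the group and custom attribute you chose.
$GroupName = '<your group name>'
$Attribute = 'CustomAttribute9'
$Tag       = 'SRAdded'

# 1. Confirm the group still has the locked-down properties set at creation.
$Group = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop
$Expected = [ordered]@{
    MemberDepartRestriction = 'Closed'
    MemberJoinRestriction   = 'Closed'
    ModerationEnabled       = $true
}
foreach ($Name in $Expected.Keys) {
    # Compare as strings so remote (deserialized) values match as well.
    if ("$($Group.$Name)" -ne "$($Expected[$Name])") {
        Write-Warning "$GroupName : $Name is '$($Group.$Name)', expected '$($Expected[$Name])'"
    }
}

# 2. Index the current members by distinguished name.
$Members = @{}
Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    ForEach-Object { $Members[$_.DistinguishedName] = $true }

# 3. Tagged mailboxes that are not members: the add failed silently or the
#    user was removed later, so the policy does not cover them.
$Tagged  = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
               -Filter "$Attribute -eq '$Tag'"
$Missing = @($Tagged | Where-Object { -not $Members.ContainsKey($_.DistinguishedName) })

# 4. Mailboxes never tagged: not yet picked up by the scheduled script.
$Untagged = @(Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
                  -Filter "$Attribute -eq `$null")

# 5. Report the gaps; the CSV path is an arbitrary example location.
$Missing | Select-Object DisplayName, PrimarySmtpAddress |
    Export-Csv -Path .\supervision-missing.csv -NoTypeInformation
Write-Host "$($Missing.Count) tagged mailboxes are not group members."
Write-Host "$($Untagged.Count) user mailboxes are still untagged."
```

To close a gap found in step 3, clear the custom attribute on the listed mailboxes so that the next scheduled run adds them again.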
    

For more information about setting up groups, see:

Step 2 - Make supervision available in your organization (required)

To make Supervision available as a menu option in the Compliance Center, you must be assigned the Supervisory Review Administrator role.

To do this, you can either add yourself as a member of the Supervisory Review role group, or you can create a role group.

Add members to the Supervisory Review role group

  1. Sign into https://protection.office.com using credentials for an admin account in your Office 365 organization.

  2. In the Compliance Center, go to Permissions.

  3. Select the Supervisory Review role group and then click the Edit icon.

  4. In the Members section, add the people who you want to manage supervision for your organization.

Create a new role group

  1. Sign into https://protection.office.com using credentials for an admin account in your Office 365 organization.

  2. In the Compliance Center, go to Permissions and then click Add (+).

  3. In the Roles section, click Add (+) and scroll down to Supervisory Review Administrator. Add this role to the role group.

  4. In the Members section, add the people who you want to manage supervision for your organization.

For more information about role groups and permissions, see Permissions in the Compliance Center.

Enable remote PowerShell access for reviewers (if email is hosted on Exchange Online)

  1. Follow the guidance in Enable or disable access to Exchange Online PowerShell.

Step 3 - Create custom sensitive information types and custom keyword dictionaries (optional)

To pick custom sensitive information types or custom keyword dictionaries in the supervision policy wizard, you must first create them.

Create custom keyword dictionary/lexicon (optional)

Use a text editor (like Notepad) to create a new file that includes the keyword terms you'd like to monitor in a supervision policy. Make sure that each term is on a separate line and save the file in the Unicode/UTF-16 (Little Endian) format.

Create custom sensitive information types

  1. Create a new sensitive information type and add your custom dictionary in the Office 365 Security & Compliance Center. Navigate to Classifications > Sensitive info types and follow the steps in the New sensitive info type wizard. Here you will:

    • Define a name and description for the sensitive info type
    • Define the proximity, confidence level, and primary pattern elements
    • Import your custom dictionary as a requirement for the matching element
    • Review your selections and create the sensitive info type

    For more detailed information, see Create a custom sensitive information type and Create a keyword dictionary.

    After the custom dictionary/lexicon is created, you can view the configured keywords with the Get-DlpKeywordDictionary cmdlet or add and remove terms using the Set-DlpKeywordDictionary cmdlet.

Step 4 - Set up a supervision policy (required)

  1. Sign into https://protection.office.com using credentials for an admin account in your Office 365 organization.

  2. In the Compliance Center, select Supervision.

  3. Select Create and then follow the wizard to set up the following pages of the policy. Using the wizard, you will:

    • Give the policy a name and description.
    • Choose the users or groups to supervise, including choosing users or groups you'd like to exclude.
    • Define the supervision policy conditions.
    • Choose if you'd like to include sensitive information types. This is where you can select default and custom sensitive info types.
    • Define the percentage of communications to review.
    • Choose the reviewers for the policy. Reviewers can be individual users or mail-enabled security groups. All reviewers must have mailboxes hosted on Exchange Online.
    • Review your policy selections and create the policy.

Step 5 - Test your supervision policy (optional)

After you create a supervision policy, it's a good idea to test to make sure that the conditions you defined are being properly enforced by the policy. You may also want to test your data loss prevention (DLP) policies if your supervision policies include sensitive information types. Follow these steps to test your supervision policy:

  1. Open an email client or Microsoft Teams logged in as a supervised user defined in the policy you want to test.

  2. Send an email or Microsoft Teams chat that meets the criteria you've defined in the supervision policy. This can be a keyword, attachment size, domain, etc. Make sure you determine if your configured conditional settings in the policy are too restrictive or too lenient.

    Note

    Emails subject to defined policies are processed in near real-time and can be tested immediately after the policy is configured. Chats in Microsoft Teams can take up to 24 hours to fully process in a policy.

  3. Log into your Office 365 tenant as a reviewer designated in the supervision policy. Navigate to Supervision > Your Custom Policy > Open to view the report for the policy.

Step 6 - Configure Outlook for reviewers (optional)

Reviewers that want to use Outlook instead of the Supervision dashboard in Office 365 to review communications must configure their Outlook client.

Step 1: Copy the address for the supervision mailbox

To configure review for Outlook desktop or Outlook for the web, you need the address for the supervision mailbox created as part of the supervision policy setup.

Note

If someone else created the policy, you need to get this address from them to install the add-in.

To find the supervision mailbox address

  1. Sign into the Compliance Center using credentials for an admin account in your organization.

  2. Go to Supervision.

  3. Select a supervision policy for the communications you want to review.

  4. In the policy details flyout, under Supervision mailbox, copy the address.

Step 2: Configure the supervision mailbox for Outlook access

Next, reviewers need to run a couple of Exchange Online PowerShell commands so they can connect Outlook to the supervision mailbox.

  1. Connect to Exchange Online PowerShell. How do I do this?

  2. Run the following commands, where SupervisoryReview{GUID}@domain.onmicrosoft.com is the address you copied in Step 1 above, and User is the name of the reviewer who will connect to the supervision mailbox in Step 3.

    Add-MailboxPermission "SupervisoryReview{GUID}@domain.onmicrosoft.com" -User <alias or email address of the account that has reviewer permissions to the supervision mailbox> -AccessRights FullAccess

    Set-Mailbox "SupervisoryReview{GUID}@domain.onmicrosoft.com" -HiddenFromAddressListsEnabled $false

  3. Wait at least an hour before moving on to Step 3.
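
FullAccess lets the named account read everything the policy captures, so the grants on each supervision mailbox are worth reviewing periodically. The following check is an added example, not part of the original guidance; it assumes a connected Exchange Online PowerShell session, and the mailbox address and approved reviewer list are placeholders with constructed sample values.

```powershell
# Added example (not from the original page): review who can open a
# supervision mailbox and flag grants outside an approved reviewer list.
# Assumes a connected Exchange Online PowerShell session.
$SupervisionMailbox = 'SupervisoryReview{GUID}@domain.onmicrosoft.com'   # placeholder
# Constructed sample values; replace with your approved reviewers. Assumes the
# User column of Get-MailboxPermission is shown in the same address form.
$ApprovedReviewers  = @('reviewer1@contoso.com', 'reviewer2@contoso.com')

# Keep explicit (non-inherited) allow entries that include FullAccess and
# skip built-in principals such as NT AUTHORITY\SELF.
$Grants = Get-MailboxPermission -Identity $SupervisionMailbox |
    Where-Object {
        -not $_.IsInherited -and
        -not $_.Deny -and
        "$($_.User)" -notlike 'NT AUTHORITY\*' -and
        ((@($_.AccessRights) -join ',') -match 'FullAccess')
    }

# Build one report row per grant and mark whether it is expected.
$Report = foreach ($G in $Grants) {
    [pscustomobject]@{
        Mailbox  = $SupervisionMailbox
        User     = "$($G.User)"
        Rights   = @($G.AccessRights) -join ','
        Approved = $ApprovedReviewers -contains "$($G.User)"
    }
}

# Step 2 makes the mailbox visible in address lists; record the current state.
$Hidden = (Get-Mailbox -Identity $SupervisionMailbox).HiddenFromAddressListsEnabled
Write-Host "HiddenFromAddressListsEnabled on $SupervisionMailbox : $Hidden"

$Unexpected = @($Report | Where-Object { -not $_.Approved })
if ($Unexpected.Count -gt 0) {
    Write-Warning "$($Unexpected.Count) FullAccess grant(s) are not in the approved reviewer list."
}
$Report | Sort-Object Approved, User | Format-Table -AutoSize
```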

Step 3: Create an Outlook profile to connect to the supervision mailbox

For the final step, reviewers need to create an Outlook profile to connect to the supervision mailbox.

Note

To create a new Outlook profile, you'll use the Mail settings in the Windows Control Panel. The path you take to get to these settings might depend on which Windows operating system (Windows 7, Windows 8, or Windows 10) you're using, and which version of Outlook is installed.

  1. Open the Control Panel. In the Search box at the top of the window, type Mail.
    (Not sure how to get to the Control Panel? See Where is Control Panel?)

  2. Open the Mail app.

  3. In Mail Setup - Outlook, click Show Profiles.

  4. In Mail, click Add. Then, in New Profile, enter a name for the supervision mailbox (such as Supervision).

  5. In Connect Outlook to Office 365, click Connect to a different account.

  6. In Auto Account Setup, choose Manual setup or additional server types, and then click Next.

  7. In Choose Your Account Type, choose Office 365. Then, in the Email Address box, enter the address of the supervision mailbox you copied previously.

  8. When prompted, enter your Office 365 credentials.

  9. If successful, you'll see the Supervision — <policy name> folder listed in the Folder List view in Outlook.

PowerShell reference

If needed, you can create and manage supervision policies with the following PowerShell cmdlets: