Supervision in Office 365 is a mechanism for subjecting email, Microsoft Teams, Skype for Business and third-party source communications that match certain criteria to compliance reviews. Supervision review takes a policy-based approach: instead of configuring moderated transport on specific mailboxes or distribution groups, you can target multiple users with a single policy. Policies can be configured with a variety of conditions that are similar to mail flow rule conditions. This lets you target only the messages you’re interested in rather than all communications to or from a user.

Supervision review does not interrupt mail flow. The messages are not held for moderation. Instead, they are copied to a review mailbox for later analysis by a reviewer. Your policy can be adjusted so that you only receive a sample of messages. Perhaps your regulations only require that 10% of relevant messages are analyzed, or perhaps your security team just wants to look at a small percentage of emails that match certain criteria. This reduces the burden on your reviewers in environments where a large number of messages might trigger the policy.

When email messages are reviewed, there are multiple outcomes or labels that can be applied to a message. Reviewers can also leave comments on messages they reviewed, and even change their decisions later. The Security and Compliance Center also includes reports for Supervision message traffic.

From a licensing point of view, any user who is within the scope of a policy or is a reviewer needs to be licensed for the feature. Users monitored by supervision policies must have either a Microsoft 365 E5 Compliance license, an Office 365 Enterprise E3 license with the Advanced Compliance add-on, or be included in an Office 365 Enterprise E5 subscription.

Supervision policies are located in the Security & Compliance Center.

Let’s create a new policy. Click on + Create.

You should give your policies a clear name and description so other administrators know what they’re being created for. You cannot change the name of a supervision policy after it is created. This is just a demo so I will type Supervision policy

Let’s go all in on this policy and supervise the members of the all users group. Before you do this yourself, make sure you are licensed for all of the users that you’re supervising. It’s possible that only a subset of your users actually need supervision, perhaps those with access to the most sensitive corporate data. Note that dynamic distribution lists and dynamic groups are unsupported.

Now we need to define the characteristics of the messages that will trigger capture of copies for review. If you want to check every message sent to, from, and between the individuals defined earlier, do not define any conditions except the direction of traffic. Internal is not marked by default so make sure that it is checked.

CONDITIONS –> We can use conditions to narrow the traffic further and filter the messages selected for checking. If you add multiple conditions, the important thing is that all of them are assessed together, and all of them must be true for the policy to find a match in the email message being analyzed.

Use match data model condition –> Select this option if you want to check communications for inappropriate or offensive language (insults, taunts, racism etc). There is only one supported model at the moment (Offensive Language). The model uses a combination of machine learning, artificial intelligence, and keywords to identify inappropriate email messages as part of anti-harassment and cyberbullying monitoring requirements. The current data model only checks for English language terms. To prevent or block offensive language for other communications in your organization, you will need to create a data loss prevention policy that uses a custom keyword dictionary of offensive terms. We will take a look at and configure DLP policies in a future post.

Use advanced sensitive information condition –> Select this option if you want to use an Office 365 sensitive data type in the policy. Sensitive information types are either pre-defined or custom data types that can help identify and protect credit card numbers, bank account numbers, passport numbers, and more. As a part of Office 365 data loss prevention (DLP), the sensitive information configuration can use patterns, character proximity, confidence levels, and even custom data types to help identify and flag content that may be sensitive. Once done, click Next.

Next, let’s decide how much communication to review. I would suggest to you that when you first create a policy, you should review 100% of messages that match. As time goes on and you get a sense of how much of that communication is worth reviewing, you can turn this percentage down to a lower value so that you only review a sample instead.

Finally, choose a reviewer for the policy. The reviewer will automatically get access to the review mailbox in Outlook on the web after a short time. When a supervision policy is used in production rather than testing, you must make sure that the policy has enough reviewers assigned to handle the expected workload generated by the volume of captured items, including when some reviewers are ill, on vacation, or unavailable for another reason.

Click next and finish. Office 365 then sets up the supervision mailbox to hold captured messages and activates the policy. It can take some time before a policy is fully effective and begins to capture messages. You cannot make changes during the provisioning process. Instead, wait until the portal reports the policy status as “Active” and then make the change.

Once the status turns to Active, you will be able to edit the policy if needed.

Let’s go ahead now and look at how to review emails and reports for Supervision policy.

NOTE!! Emails subject to defined policies are processed in near real-time and can be tested immediately after the policy is configured. Chats in Microsoft Teams can take up to 24 hours to fully process in a policy.

When we created the Supervision policy, we nominated admin as the reviewer for the policy. When admin logs into Outlook on the web, he will see a Supervision mailbox for that policy. Supervision policies use supervision mailboxes to store the copies of messages captured by the background agents for review. Note that you cannot send email to this mailbox, and it does not show up in any administrative interface.

Let’s go into the mailbox for our new Supervision policy. The Supervision mailbox holds a copy of messages that match the conditions of the policy. These emails were delivered to their intended recipients. Supervisory policies don’t delay email delivery, so even if a reviewer isn’t able to review these on a daily basis, email communication will not be interrupted. When a reviewer clicks into the email, the Supervisory review add-on appears near the top of the message, and this is where he/she can make review decisions.

Here we can choose the classification. We can also add comments during the investigation so that others know what’s going on with that email. All of that activity is recorded in the history of the message, including who viewed the message if other supervisors are also in charge of reviewing these items. The message is subsequently moved to the non-compliant folder for historical record.

Now an important note here is that these Supervision mailboxes only exist as long as the associated policy exists. If you delete a Supervisory policy, the Supervision mailbox will be removed as well. So if you feel you need to keep the Supervision mailbox for historical reference, you could just modify the policy so that it has conditions that won’t catch any further email.

As you may have noticed, the supervision policy shared mailbox is added automatically when you use OWA. That is not the case with the Outlook desktop client, where configuring the supervision mailbox is more complex. To configure the supervision policy mailbox in the Outlook desktop client, you need the address of the supervision mailbox. You can find it by clicking on your supervision policy.

Next, you will need to configure permissions for the reviewer so that he can connect to supervision policy mailbox.

Connect to Exchange Online PowerShell and run these 2 commands:

Add-MailboxPermission "SupervisoryReview{GUID}" -User <alias or email address of the account that has reviewer permissions to the supervision mailbox> -AccessRights FullAccess

The second command is:

Set-Mailbox "SupervisoryReview{GUID}" -HiddenFromAddressListsEnabled $false

Wait ca 1 hour before you create a new Outlook profile.
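The two commands above, followed by a check of who ends up holding FullAccess on the review mailbox, as an added example that is not part of the original post. The mailbox address and reviewer list are placeholders, the helper name Get-UnexpectedFullAccess is hypothetical, and the script assumes an Exchange Online PowerShell session is already connected and that Get-MailboxPermission resolves the supervision mailbox the same way the two commands above do.

```powershell
# Added example; assumes an Exchange Online PowerShell session is already connected.
$ReviewMailbox = 'SupervisoryReview{GUID}@contoso.example'  # placeholder: use the address shown on the policy page
$Reviewers     = @('reviewer1@contoso.example')              # constructed sample reviewer list

# Hypothetical helper: returns explicit (non-inherited) FullAccess grants held
# by accounts that are not on the expected reviewer list.
function Get-UnexpectedFullAccess {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Permissions,
        [Parameter(Mandatory)] [string[]] $Expected
    )
    $Permissions | Where-Object {
        # Values are compared as strings because remote sessions return
        # deserialized objects whose property types can vary.
        "$($_.IsInherited)" -ne 'True' -and
        "$($_.Deny)" -ne 'True' -and
        "$($_.AccessRights)" -match 'FullAccess' -and
        "$($_.User)" -notlike 'NT AUTHORITY\*' -and
        $Expected -notcontains "$($_.User)"
    }
}

# Step 1: grant each reviewer FullAccess to the supervision mailbox.
foreach ($reviewer in $Reviewers) {
    Add-MailboxPermission -Identity $ReviewMailbox -User $reviewer -AccessRights FullAccess |
        Out-Null
}

# Step 2: make the mailbox visible in address lists so Outlook can resolve it.
Set-Mailbox -Identity $ReviewMailbox -HiddenFromAddressListsEnabled $false

# Step 3: the mailbox holds copies of captured communications, so confirm that
# FullAccess is limited to the intended reviewers.
$current    = @(Get-MailboxPermission -Identity $ReviewMailbox)
$unexpected = @(Get-UnexpectedFullAccess -Permissions $current -Expected $Reviewers)

if ($unexpected.Count -gt 0) {
    Write-Warning "FullAccess held by accounts outside the reviewer list:"
    $unexpected | Format-Table User, AccessRights, IsInherited -AutoSize
} else {
    Write-Output "FullAccess on $ReviewMailbox is limited to the expected reviewers."
}
```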

In Mail Setup – Outlook, click Show Profiles.

In Mail, click Add. Then, in New Profile, enter a name for the supervision mailbox (for example, Supervision).

Choose the manual configuration and click Next.

In Choose Your Account Type, choose Office 365. Then, in the Email Address box, enter the address of the supervision mailbox you copied, click Next, and then Finish.

As you can see, there are a lot of manual steps to configure this, so I would recommend that you use Security and Compliance reports or OWA, because OWA connects all supervision mailboxes that a user can access when they open an OWA session.

I hope this has been informative for you.

Stay Tuned!