+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier1

+- Tier1

+- Tier2

+- Tier1

+- Tier2

+- Tier1

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+|Groups an admin can create|There are no Microsoft 365 group specific limits. There's an overall Azure AD object limit specific to each organization. An Azure AD admin who can manage groups in the organization can create an unlimited number of Microsoft 365 groups up to the Azure AD object limit. See [AAD service limits and restrictions](/active-directory/enterprise-users/directory-service-limits-restrictions).|

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier1

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier1

+- Tier2

+- Tier1

+- Tier1

+Message center posts are written in English-only due to the timeliness of the information we are posting, but can be automatically displayed in the language specified by your personal language settings for Microsoft 365. If you set your preferred language to anything other than English, you'll see an option in Message center to automatically translate posts. The messages are machine translated to your preferred language, meaning that a computer did the translation. This option controls the default view, but you can also use the drop-down menu to translate and display posts in any of the languages we support for translation. If you select English, we'll revert the message to the original English version.

+- Tier2

+- Tier2

+- Tier3

+- Tier1

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier1

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier1

+- Tier2

+- Tier1

+- Tier1

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier1

+- Tier2

+- Tier2

+- Tier2

+- Tier3

+- Tier2

+- Tier1

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+To get started with Microsoft 365 usage analytics you must first make the data available in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, then select **Reports** > **Usage** and initiate the template app in Power BI.

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier2

+- Tier1

+- Tier1

+- scotvorg

+- Tier1

+- scotvorg

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier2

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier2

+- Tier2

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier2

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier2

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+## Supported geographic locations

+Commercial marketplace offerings can be purchased in 141 geographies as defined by the customer's billing address, and transactions can be completed in 17 currencies. The following table lists each supported geographic location, its [ISO 3166 two-digit alpha code](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes), and the assigned currency.

+A CSP can purchase an offer in Partner Center in their end customer's currency so they can bill them in that same currency. For additional information on this, refer to [these FAQs](https://partner.microsoft.com/resources/detail/eu-efta-change-of-partner-billing-currency-faq-pdf).

+| Country/Region Name | ISO-2 | Currency</br>(All offer types) | Currency</br>(Consulting service offers only) |

+|-|--|--||

+| Afghanistan | AF | USD | AFN, EUR, USD |

+| Albania | AL | USD | ALL, EUR, USD |

+| Algeria | DZ | USD | DZD, EUR, USD |

+| Andorra | AD | EUR | EUR, USD |

+| Angola | AO | USD | AOA, EUR, USD |

+| Argentina | AR | USD | ARS, EUR, USD |

+| Armenia | AM | USD | AMD, EUR, USD |

+| Australia | AU | AUD | AUD, EUR, USD |

+| Austria | AT | EUR | EUR, USD |

+| Azerbaijan | AZ | USD | AZN, EUR, USD |

+| Bahrain | BH | USD | BHD, EUR, USD |

+| Bangladesh | BD | USD | BDT, EUR, USD |

+| Barbados | BB | USD | BBD, EUR, USD |

+| Belarus | BY | USD | BYN, EUR, USD |

+| Belgium | BE | EUR | EUR, USD |

+| Belize | BZ | USD | BZD, EUR, USD |

+| Bermuda | BM | USD | BMD, EUR, USD |

+| Bolivia | BO | USD | BOB, EUR, USD |

+| Bosnia and Herzegovina | BA | USD | BAM, EUR, USD |

+| Botswana | BW | USD | BWP, EUR, USD |

+| Brazil | BR | BRL\* | BRL, EUR, USD |

+| Brunei | BN | USD | BND, EUR, SGD, USD |

+| Bulgaria | BG | EUR | BGN, EUR, USD |

+| Cabo Verde | CV | USD | CVE, EUR, USD |

+| Cameroon | CM | USD | EUR, USD, XAF |

+| Canada | CA | CAD | CAD, EUR, USD |

+| Cayman Islands | KY | USD | EUR, KYD, USD |

+| Chile | CL | USD | CLP, EUR, USD |

+| China\** | CN | N/A | N/A |

+| Colombia | CO | USD | COP, EUR, USD |

+| Costa Rica | CR | USD | CRC, EUR, USD |

+| C├┤te d'Ivoire | CI | USD | EUR, USD, XOF |

+| Croatia | HR | EUR | EUR, HRK, USD |

+| Curaçao | CW | USD | ANG, EUR, USD |

+| Cyprus | CY | EUR | EUR, USD |

+| Czechia | CZ | EUR | CZK, EUR, USD |

+| Denmark | DK | DKK | DKK, EUR, USD |

+| Dominican Republic | DO | USD | DOP, EUR, USD |

+| Ecuador | EC | USD | EUR, USD |

+| Egypt | EG | USD | EGP, EUR, USD |

+| El Salvador | SV | USD | EUR, USD |

+| Estonia | EE | EUR | EUR, USD |

+| Ethiopia | ET | USD | ETB, EUR, USD |

+| Faroe Islands | FO | DKK | DKK, EUR, USD |

+| Fiji | FJ | AUD | AUD, EUR, FJD, USD |

+| Finland | FI | EUR | EUR, USD |

+| France | FR | EUR | EUR, USD |

+| Georgia | GE | USD | EUR, GEL, USD |

+| Germany | DE | EUR | EUR, USD |

+| Ghana | GH | USD | EUR, GHS, USD |

+| Greece | GR | EUR | EUR, USD |

+| Guatemala | GT | USD | EUR, GTQ, USD |

+| Honduras | HN | USD | EUR, HNL, USD |

+| Hong Kong SAR | HK | USD | EUR, HKD, USD |

+| Hungary | HU | EUR | EUR, HUF, USD |

+| Iceland | IS | EUR | EUR, ISK, USD |

+| India | IN | INR | EUR, INR, USD |

+| Indonesia | ID | USD | EUR, IDR, USD |

+| Iraq | IQ | USD | EUR, IQD, USD |

+| Ireland | IE | EUR | EUR, USD |

+| Israel | IL | USD | EUR, ILS, USD |

+| Italy | IT | EUR | EUR, USD |

+| Jamaica | JM | USD | EUR, JMD, USD |

+| Japan | JP | JPY | EUR, JPY, USD |

+| Jordan | JO | USD | EUR, JOD, USD |

+| Kazakhstan | KZ | USD | EUR, KZT, USD |

+| Kenya | KE | USD | EUR, KES, USD |

+| Korea (South) | KR | KRW | EUR, KRW, USD |

+| Kuwait | KW | USD | EUR, KWD, USD |

+| Kyrgyzstan | KG | USD | EUR, KGS, USD |

+| Latvia | LV | EUR | EUR, USD |

+| Lebanon | LB | USD | EUR, LBP, USD |

+| Libya | LY | USD | EUR, LYD, USD |

+| Liechtenstein | LI | EUR | CHF, EUR, USD |

+| Lithuania | LT | EUR | EUR, USD |

+| Luxembourg | LU | EUR | EUR, USD |

+| Macao SAR | MO | USD | EUR, MOP, USD |

+| Malaysia | MY | USD | EUR, MYR, USD |

+| Malta | MT | EUR | EUR, USD |

+| Mauritius | MU | USD | EUR, MUR, USD |

+| Mexico | MX | USD | EUR, MXN, USD |

+| Moldova | MD | USD | EUR, MDL, USD |

+| Monaco | MC | EUR | EUR, USD |

+| Mongolia | MN | USD | EUR, MNT, USD |

+| Montenegro | ME | USD | EUR, USD |

+| Morocco | MA | USD | EUR, MAD, USD |

+| Namibia | NA | USD | EUR, NAD, USD, ZAR |

+| Nepal | NP | USD | EUR, NPR, USD |

+| Netherlands | NL | EUR | EUR, USD |

+| New Zealand | NZ | NZD | EUR, NZD, USD |

+| Nicaragua | NI | USD | EUR, NIO, USD |

+| Nigeria | NG | USD | EUR, NGN, USD |

+| North Macedonia | MK | USD | EUR, MKD, USD |

+| Norway | NO | NOK | EUR, NOK, USD |

+| Oman | OM | USD | EUR, OMR, USD |

+| Pakistan | PK | USD | EUR, PKR, USD |

+| Palestinian Authority | PS | USD | EUR, ILS, JOD, USD |

+| Panama | PA | USD | EUR, PAB, USD |

+| Paraguay | PY | USD | EUR, PYG, USD |

+| Peru | PE | USD | EUR, PEN, USD |

+| Philippines | PH | USD | EUR, PHP, USD |

+| Poland | PL | EUR | EUR, PLN, USD |

+| Portugal | PT | EUR | EUR, USD |

+| Puerto Rico | PR | USD | EUR, USD |

+| Qatar | QA | USD | EUR, QAR, USD |

+| Romania | RO | EUR | EUR, RON, USD |

+| Russia | RU | RUB | EUR, RUB, USD |

+| Rwanda | RW | USD | EUR, RWF, USD |

+| Saint Kitts and Nevis | KN | USD | EUR, USD, XCD |

+| Saudi Arabia | SA | USD | EUR, SAR, USD |

+| Senegal | SN | USD | EUR, USD, XOF |

+| Serbia | RS | USD | EUR, RSD, USD |

+| Singapore | SG | USD | BND, EUR, SGD, USD |

+| Slovakia | SK | EUR | EUR, USD |

+| Slovenia | SI | EUR | EUR, USD |

+| South Africa | ZA | USD | EUR, USD, ZAR |

+| Spain | ES | EUR | EUR, USD |

+| Sri Lanka | LK | USD | EUR, LKR, USD |

+| Sweden | SE | SEK | EUR, SEK, USD |

+| Switzerland | CH | CHF | CHF, EUR, USD |

+| Taiwan | TW | TWD | EUR, TWD, USD |

+| Tajikistan | TJ | USD | EUR, TJS, USD |

+| Tanzania | TZ | USD | EUR, TZS, USD |

+| Thailand | TH | USD | EUR, THB, USD |

+| Trinidad and Tobago | TT | USD | EUR, TTD, USD |

+| Tunisia | TN | USD | EUR, TND, USD |

+| Turkey | TR | USD | EUR, TRY, USD |

+| Turkmenistan | TM | USD | EUR, TMT, USD |

+| Uganda | UG | USD | EUR, UGX, USD |

+| Ukraine | UA | USD | EUR, RUB, UAH, USD |

+| United Arab Emirates | AE | USD | AED, EUR, USD |

+| United Kingdom | GB | GBP | EUR, GBP, USD |

+| United States | US | USD | EUR, USD |

+| U.S. Virgin Islands | VI | USD | EUR, USD|

+| Uruguay | UY | USD | EUR, USD, UYU |

+| Uzbekistan | UZ | USD | EUR, USD, UZS |

+| Vatican City (Holy See) | VA | EUR | EUR, USD |

+| Venezuela | VE | USD | EUR, USD, VES |

+| Vietnam | VN | USD | EUR, USD, VND |

+| Yemen | YE | USD | EUR, USD, YER |

+| Zambia | ZM | USD | EUR, USD, ZMW |

+| Zimbabwe | ZW | USD | EUR, USD |

+\* For customers in Brazil, the commercial marketplace through Cloud Solution Providers (CSP) uses USD.

+\** Free and BYOL VM images only.

+- Tier1

+- Tier1

+- Tier1

+- Tier2

+- Tier2

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier2

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+- Tier1

+ Title: "Case study - Contoso configures a communication compliance policy to identify potentially inappropriate text"

+description: "A case study for Contoso and how they quickly configure a communication compliance policy to detect potentially inappropriate text in Microsoft Teams, Exchange Online, and Yammer communications."

+# Case study - Contoso configures a communication compliance policy to identify potentially inappropriate text for Microsoft Teams, Exchange, and Yammer communications

+> [!IMPORTANT]

+> Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

+[Microsoft Purview Communication Compliance](/microsoft-365/compliance/communication-compliance) helps minimize communication risks by helping you detect, capture, and act on messages with potentially inappropriate text in your organization. Potentially inappropriate text may include profanity, threats, harassment, and adult content. Pre-defined and custom [policies](/microsoft-365/compliance/communication-compliance-policies) allow you to review internal and external communications for policy matches, so they can be examined by designated reviewers. Reviewers can [investigate alerts](/microsoft-365/compliance/communication-compliance-investigate-remediate#investigate-alerts) for email, Microsoft Teams, Yammer, or third-party communications throughout your organization and take appropriate [remediation actions](/microsoft-365/compliance/communication-compliance-investigate-remediate#remediate-alerts) to make sure they're compliant with your organization's message standards.

+The Contoso Corporation is a fictional organization that needs to quickly configure a policy to detect potentially inappropriate text. They have been using Microsoft 365 primarily for email, Microsoft Teams, and Yammer support for their users, but have new requirements to enforce company policy around workplace harassment. Contoso IT administrators and compliance specialists have a basic understanding of the fundamentals of working with Microsoft 365 and are looking for end-to-end guidance for how to quickly get started with communication compliance.

+This case study covers the basics for quickly configuring a communication compliance policy to detect potentially inappropriate text. This guidance includes:

+Contoso IT administrators and compliance specialists attended online webinars about compliance solutions in Microsoft Purview and decided that communication compliance policies will help them meet the updated corporate policy requirements for reducing workplace harassment. Working together, they've developed a plan to create and enable a communication compliance policy that will detect potentially inappropriate messages. This configuration includes detecting text for chats sent in Microsoft Teams, private messages and community conversations in Yammer, and in email messages sent in Exchange Online.

+Their plan includes identifying the:

+- IT administrators who need access to communication compliance features.

+- Compliance specialists who need to create and manage communication compliance policies.

+- Compliance specialists and other colleague in other departments (Human Resources, Legal, etc.) who need to investigate and remediate communication compliance alerts.

+- Users who will be in-scope for the communication compliance potentially inappropriate text policy.

+The first step is to confirm whether Contoso's Microsoft 365 licensing includes support for the communication compliance solution. To access and use communication compliance, Contoso IT administrators need to verify Contoso has one of the following:

+Contoso decides to use the *Communication Compliance* role group assign all the communication compliance administrators, analysts, investigators, and viewers to the group. This role group configuration makes it easier for Contoso to get started quickly and best fits their compliance management requirements.

+To get started with a communication compliance policy, there are several prerequisites that Contoso IT administrators need to configure before setting up the new policy to detect potentially inappropriate text. After these prerequisites have been completed, Contoso IT administrators and compliance specialists can configure the new policy, and compliance specialists can start investigating and remediating any generated alerts.

+Communication compliance requires that the Yammer tenant for an organization is in Native Mode to detect potentially inappropriate text in private messages and public community conversations.

+Contoso compliance specialists want to add all users to the communication policy that will detect potentially inappropriate text. They could decide to add each user account to the policy separately, but they've decided it's much easier and saves time to use an **All Users** distribution group for the users for this policy.

+### Creating the policy to detect potentially inappropriate text

+With all the prerequisites completed, the IT administrators and the compliance specialists for Contoso are ready to configure the communication compliance policy to detect potentially inappropriate text. Using the text policy template, configuring this new policy is simple and quick.

+1. The Contoso IT administrators and compliance specialists sign into the **Microsoft Purview compliance portal** and select **Communication compliance** from the left navigation pane. This action opens the dashboard that has quick links for communication compliance policy templates. They choose **Policies**, scroll to the **Detect inappropriate text** template, and then select the **Create policy** template.

+ 

+ 

+Now that the communication compliance policy to detect potentially inappropriate text is configured, the next step for the Contoso compliance specialists will be to investigate and remediate any alerts generated by the policy. It will take up to an hour for the policy to fully process communications in all the communication source channels and for alerts to show up in the **Alert dashboard**.

+After alerts are generated, Contoso compliance specialists will continue to follow the [workflow instructions](/microsoft-365/compliance/communication-compliance-investigate-remediate) to investigate and remediate potentially inappropriate text issues.

+>Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

+With communication compliance policies, you can choose to analyze messages in one or more of the following communication platforms as a group or as standalone sources. Original messages captured across these platforms are retained in the original platform location in accordance with your organization's [retention and hold policies](/microsoft-365/compliance/information-governance). Copies of messages used by communication compliance policies for analysis and investigation are retained for as long as policy is in place, even if users leave your organization and their mailboxes are deleted. When a communication policy is deleted, copies of messages associated with the policy are also deleted.

+Chats in both public and private Microsoft Teams channels and individual communications can be analyzed. When users are assigned to a communication compliance policy with Microsoft Teams coverage selected, chat communications for the users are automatically detected across all Microsoft Teams where users are a member.

+Microsoft Purview Communication Compliance automatically includes Microsoft Teams coverage for pre-defined policy templates and is selected as the default in the custom policy template. Teams chats matching communication compliance policy conditions may take up to 48 hours to process.

+For Teams private chat and private channels, communication compliance policies support [Shared Channels](/MicrosoftTeams/shared-channels) and modern attachment analysis. Shared Channels support in Teams is handled automatically and don't require additional communication compliance configuration changes. The following table summarizes communication compliance behavior when sharing Teams channels with groups and users:

+Modern attachments are files sourced from [OneDrive](/onedrive/plan-onedrive-enterprise#modern-attachments) or [SharePoint](/sharepoint/dev/solution-guidance/modern-experience-customizations) sites that are included in Teams messages. Text is automatically extracted from these attachments for automated processing and potential matches with active communication compliance policy conditions and classifiers. There isn't any additional configuration necessary for modern attachment detection and processing. Text is only extracted for attachments matching policy conditions at the time the message is sent. Text isn't extracted for attachments for messages with policy matches, even if the attachment also has a policy match.

+Modern attachment analysis is supported for the following file types:

+Extracted text for modern attachments is included with the associated message on the **Pending** tab of the policy's dashboard. The extracted text for an attachment is named as the attachment file name (and format extension) and the .txt extension. For example, the extracted text for an attachment named *ContosoBusinessPlan.docx* would appear as *ContosoBusinessPlan.docx.txt* in the **Pending** tab of the policy's dashboard.

+- **For Teams chats:** Assign individual users or assign a [distribution group](https://support.office.com/article/Distribution-groups-E8BA58A8-FAB2-4AAF-8AA1-2A304052D2DE) to the communication compliance policy. This setting is for one-to-one or one-to-many user/chat relationships.

+- **For Teams channel communications:** Assign every Microsoft Teams channel or Microsoft 365 group you want to analyze that contains a specific user to the communication compliance policy. If you add the same user to other Microsoft Teams channels or Microsoft 365 groups, be sure to add these new channels and groups to the communication compliance policy. If any member of the channel is a supervised user within a policy and the *Inbound* direction is configured in a policy, all messages sent within the channel are subject to review, and potential policy matches (even for users in the channel that aren't explicitly supervised). For example, User A is the owner or a member of a channel. User B and User C are members of the same channel and use language that is matched to the potentially inappropriate content policy that supervises only User A. User B and User C create policy matches for conversations within the channel even though they aren't directly supervised in the potentially inappropriate content policy. Teams conversations between User B and User C that are outside of the channel and include User A wouldn't be subject to the potentially inappropriate content policy that includes User A. To exclude channel members from supervision when other members of the channel are explicitly supervised, turn off the *Inbound* communication direction setting in the applicable communication compliance policy.

+- **For Teams chats with hybrid email environments**: Communication compliance can detect chat messages for organizations with an Exchange on-premises deployment or an external email provider that have enabled Microsoft Teams. You must create a distribution group for the users with on-premises or external mailboxes. When creating a communication compliance policy, you'll assign this distribution group as the **Supervised users and groups** selection in the policy wizard. For more information about the requirements and limitations for enabling cloud-based storage and Teams support for on-premises users, see [Search for Teams chat data for on-premises users](/microsoft-365/compliance/search-cloud-based-mailboxes-for-on-premises-users).

+## Exchange

+Mailboxes hosted on Microsoft Exchange Online as part of your Microsoft 365 or Office 365 subscription are all eligible for message analysis. Exchange email messages and attachments matching communication compliance policy conditions may take approximately 24 hours to process. Supported attachment types for communication compliance are the same as the [file types supported for Exchange mail flow rule content inspections](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection).

+Private messages and public conversations and associated attachments in Microsoft Yammer communities can also be analyzed. When users are added to a communication compliance policy that includes Yammer as a defined channel, communications across all Yammer communities that a user is a member of are included in the analysis. Yammer chats and attachments matching communication compliance policy conditions may take up to 24 hours to process.

+Yammer must be configured in [Native Mode](/yammer/configure-your-yammer-network/overview-native-mode) for communication compliance policies to detect Yammer communications and attachments. In Native Mode, all Yammer users are in Azure Active Directory (AAD), all groups are Office 365 Groups, and all files are stored in SharePoint Online.

+You can analyze communications for data imported into all mailboxes in your Microsoft 365 organization from third-party sources like [Instant Bloomberg](/microsoft-365/compliance/archive-instant-bloomberg-data), [Slack](/microsoft-365/compliance/archive-slack-data), [Zoom](/microsoft-365/compliance/archive-zoommeetings-data), SMS, and many others. For a full list of connectors supported in communication compliance, see [Learn about connectors for third-party data](/microsoft-365/compliance/archiving-third-party-data).

+You must configure a [third-party connector](/microsoft-365/compliance/archiving-third-party-data) for your Microsoft 365 organization before you can assign the connector to a communication compliance policy. The **Third-Party Sources** section of the communication compliance policy wizard only displays currently configured third-party connectors.

+>Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

+Use communication compliance policies to identify user communications for analysis by internal or external reviewers. For more information about how communication compliance policies can help you detect communications in your organization, see [communication compliance policies](/microsoft-365/compliance/communication-compliance-policies). If you'd like to review how Contoso quickly configured a communication compliance policy to detect potentially inappropriate content in Microsoft Teams, Exchange Online, and Yammer communications, check out this [case study](/microsoft-365/compliance/communication-compliance-case-study).

+Before getting started with communication compliance, you should confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans) and any add-ons. To access and use communication compliance, your organization must have one of the following subscriptions or add-ons:

+> Communication compliance is currently available for tenants hosted in geographical regions and countries supported by Azure service dependencies. To verify that communication compliance is supported for your organization, see [Azure dependency availability by country/region](/troubleshoot/azure/general/dependency-availability-by-country).

+The following recommendations are available to help you get started and maximize your communication compliance configuration:

+- **Get to know communication compliance**: Before completing set up, review our official documentation to learn about, plan for, and deploy communication compliance in your organization.

+- **Assign permissions to ensure your team can get their jobs done**: Ensure that only the appropriate stakeholders can access the solution by assigning team members responsible for managing communication compliance features and investigating and reviewing alerts.

+- **Create distribution groups for users' whose communications you want to detect**: Create distribution groups containing users who will be included in communication compliance policies.

+- **Create your first policy to start detecting communications**: Detect and investigate potential regulatory compliance violations by first setting up a policy that identifies potential violations across your organization's internal and/or external communications.

+- **Review alerts to investigate detected messages and take action**: Identify and analyze messages that match a policy's conditions to trigger alerts that provide context around a policy violation, so you can investigate and take action if needed.

+- **Review reports for quick insights into how policies are performing**: Get quick insights into how your policies are performing, view detailed reports to drill down further, and export results for further analyses.

+Each action in communication compliance has three attributes:

+Select recommendations from the list to get started with configuring communication compliance. Each recommended action guides you through the required activities for the recommendation, including any requirements, what to expect, and the impact of configuring the feature in your organization. Some recommended actions will be automatically marked as complete when configured. If not, you'll need to manually select the action as complete when configured.

+Depending on how you want to manage communication compliance policies and alerts, you'll need to assign users to specific role groups to manage different sets of communication compliance features. You have the option of assigning users with different compliance responsibilities to specific role groups to manage different areas of communication compliance features. Or you may decide to assign all user accounts for designated administrators, analysts, investigators, and viewers to the *Communication Compliance* role group. Use a single role group or multiple role groups to best fit your compliance management requirements.

+In Native Mode, all Yammer users are in Azure Active Directory (Azure AD), all groups are Office 365 Groups, and all files are stored in SharePoint Online. Your Yammer tenant must be in Native Mode for communication compliance policies to check and identify risky conversations in private messages and community conversations in Yammer.

+>Want to see an in-depth walkthrough of setting up a new communication compliance policy and remediating an alert? Check out [this 15-minute video](/microsoft-365/compliance/communication-compliance-plan#creating-a-communication-compliance-policy-walkthrough) to see a demonstration of how communication compliance policies can help you detect potentially inappropriate messages, investigate potential violations, and remediate compliance issues.

+ > If you want to enable [optical character recognition (OCR)](/microsoft-365/compliance/communication-compliance-policies#optical-character-recognition-ocr) to identify embedded or attached images in messages for printed or handwritten text that match policy conditions, select **Customize policy** > **Conditions and percentage** and enable **Extract printed or handwritten text from images for evaluation**.

+ - Choose the communication channels to check, including Exchange, Microsoft Teams, or Yammer. You'll also choose to check third-party sources if you've configured a connector in Microsoft 365.

+ - Choose if you'd like to enable classifiers. Classifiers can detect potentially inappropriate language and images sent or received in the body of email messages or other types of text. You can choose the following built-in classifiers: *Threat*, *Profanity*, *Targeted harassment*, *Adult images*, *Racy images*, and *Gory images*.

+ - Enable [optical character recognition (OCR)](/microsoft-365/compliance/communication-compliance-policies#optical-character-recognition-ocr) to identify embedded or attached images in messages for printed or handwritten text that match policy conditions. For custom policies, one or more conditional settings associated with text, keywords, classifiers, or sensitive info types must be configured in the policy to enable the selection of optical character recognition (OCR) documents.

+>Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

+After you've configured your [communication compliance policies](/microsoft-365/compliance/communication-compliance-policies), you'll begin receiving alerts in the [Microsoft Purview compliance portal](https://compliance.microsoft.com) for message issues that match your policy conditions. To view and act on alerts, users must be assigned to the following permissions:

+- The *Communication Compliance Analysts* or the *Communication Compliance Investigators* role group

+- Reviewer in the policy that is associated with the alert

+After you establish required permissions, follow the workflow instructions below to investigate and remediate alert issues.

+The first step to investigate issues detected by your policies is to review alerts in the Microsoft Purview compliance portal. There are several areas in the communication compliance area to help you to quickly investigate alerts, depending on how you prefer to view alert grouping:

+- **Communication compliance policy page**: When you sign into the [Microsoft Purview compliance portal](https://compliance.microsoft.com) using credentials for an admin account in your Microsoft 365 organization, select **Communication compliance** to display the communication compliance **Policy** page. This page displays communication compliance policies configured for your Microsoft 365 organization and links to recommended policy templates. Each policy listed includes the count of alerts that need review, the number of escalated and resolved items, status of the policy, and the date and time of the last policy check. Select a policy to display all pending alerts for matches to the policy, then select a specific alert to launch the policy details page and to start remediation actions.

+- **Alerts**: Navigate to **Communication compliance** > **Alerts** to display the last 30 days of alerts grouped by policy matches. This view allows you to quickly see which communication compliance policies are generating the most alerts ordered by severity. To start remediation actions, select the policy associated with the alert to launch the **Policy details** page. From the **Policy details** page, you can review a summary of the activities on the **Overview** page, review and act on alert messages on the **Pending** tab, or review the history of closed alerts on the **Resolved** tab.

+The next step is to sort the messages so it's easier for you to investigate alerts. From the **Policy details** page, communication compliance supports multi-level filtering for several message fields to help you quickly investigate and review messages with policy matches. Filtering is available for pending and resolved items for each configured policy. You can configure filter queries for a policy or configure and save custom and default filter queries for use in each specific policy. After configuring fields for a filter, you'll see the filter fields displayed on the top of the alert message queue that you can configure for specific filter values.

+| **Item class** | The source of the message based on the message type, email, Microsoft Teams chat, Bloomberg, etc. For more information, see [Item Types and Message Classes](/office/vba/outlook/concepts/forms/item-types-and-message-classes). |

+| **Recipient domains** | The domain to which the message was sent; typically your Microsoft 365 subscription domain by default. |

+ 

+

+After reviewing the message basics, now you can open a message to examine the details and determine further remediation actions. Select a message to view the complete message header and body information. Several different options and views are available to help you decide the proper course of action:

+- **Attachments**: This option allows you to examine modern attachments that match policy conditions. Modern attachments content is extracted as text and is viewable on the policy's **Pending** alerts tab. For more information, see the [Communication compliance feature reference](/microsoft-365/compliance/communication-compliance-channels).

+- **Remove message in Teams**: Using the **Remove message in Teams** control, you can block potentially inappropriate messages and content identified in alerts from Microsoft Teams channels and 1:1 and group chats. This includes Teams chat messages reported by users and chat messages detected using machine-learning and classifier-based communication compliance policies. Removed messages and content are replaced with a policy tip that explains that it's blocked and the policy that applies to its removal from view. Recipients are provided a link in the policy tip to learn more about the applicable policy and the review process. The sender receives a policy tip for the blocked message and content but can review the details of the blocked message and content for context regarding the removal.

+> Are you receiving prompts for additional license validation when testing Power Automate flows? Your organization may not have received service updates for this preview feature yet. Updates are being deployed and all organizations with Microsoft 365 subscriptions that include communication compliance should have license support for flows created from the recommended Power Automate templates before October 30, 2020.

+Follow these steps to create a Power Automate flow from a default template:

+5. The flow lists the embedded connections needed for the flow and displays if the connection statuses are available. If needed, update any connections that aren't displayed as available. Select **Continue**.

+By default, Power Automate flows created by a user are only available to that user. For other communication compliance users to have access and use a flow, the flow must be shared by the flow creator. To share a flow, use the **Power Automate** control when working directly in an alert.

+Follow these steps to share a Power Automate flow:

+5. Select the flow to share, then select **Share** from the **Flow Options** menu.

+Follow these steps to edit a Power Automate flow:

+If you need to delete a flow, use the **Power Automate** control when working directly in an alert. To delete a Power Automate flow, you must be a member of at least one communication compliance role group.

+Follow these steps to delete a Power Automate flow:

+| **Sender address** | Yes | Address of one or more users or groups that send the message to the user with a policy match, selected from the Active Directory for your subscription. |

+When messages are resolved, they're removed from the **Pending** tab view and displayed in the **Resolved** tab. Investigation and remediation actions aren't available for messages in the *Resolved* view. However, there may be instances where you need to take additional action on a message that was mistakenly resolved or that needs further investigation after initial resolution. You can use the unresolve command feature move one or more messages from the *Resolved* view back to the *Pending* view.

+Follow these steps to unresolve messages:

+>Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

+You can also check out the [Microsoft Mechanics video](https://www.youtube.com/watch?v=Ynkfu8OF0wQ) for how insider risk management and communication compliance work together to help minimize data risks from users in your organization.

+## Transition from Supervision in Office 365

+### Configure permissions

+Before you start using communication compliance, you must determine who needs their communications reviewed. In the policy, user email addresses identify individuals or groups of people to supervise. Some examples of these groups are Microsoft 365 Groups, Exchange-based distribution lists, Yammer communities, and Microsoft Teams channels. You also can exclude specific users or groups from checking with a specific exclusion group or a list of groups. For more information about groups types supported in communication compliance policies, see [Get started with communication compliance](/microsoft-365/compliance/communication-compliance-configure#step-3-optional-set-up-groups-for-communication-compliance).

+To simplify your setup, we recommend you create groups for people who need their communications reviewed and groups for people who review those communications. If you're using groups, you might need several. For example, if you want to identify communications between two distinct groups of people, or if you want to specify a group that isn't supervised. When you assign a Distribution group in the policy, the policy detects all emails from each user in Distribution group. When you assign a Microsoft 365 group in the policy, the policy detects all emails sent to that group, not the individual emails received by each group member.

+The following chart can help you configure groups in your organization for communication compliance policies:

+## Plan for communication compliance policies

+Creating communication compliance policies is quick and easy with the [pre-defined templates](/microsoft-365/compliance/communication-compliance-policies#policy-templates) for analyzing potentially inappropriate content, sensitive information, and regulatory compliance issues. Custom communication compliance policies allow the flexibility for detecting and investigation issues specific to your organization and requirements.

+- You can analyze communications from [third-party sources](/microsoft-365/compliance/communication-compliance-channels#third-party-sources) for data imported into mailboxes in your Microsoft 365 organization. To include review of communications in these platforms, you'll need to configure a third-party connector to these services before messages meeting policy conditions are detected by a communication policy.

+## Create a communication compliance policy walkthrough

+Want to see an in-depth walkthrough of setting up a new communication compliance policy and remediating an alert? Check out the following 15-minute video to see a demonstration of how communication compliance policies can help you detect potentially inappropriate messages, investigate potential violations, and remediate compliance issues.

+To configure communication compliance for your Microsoft 365 organization, see [Configure communication compliance](/microsoft-365/compliance/communication-compliance-configure) or check out the [case study for Contoso](/microsoft-365/compliance/communication-compliance-case-study) and how they quickly configured a communication compliance policy to detect potentially inappropriate content in Microsoft Teams, Exchange Online, and Yammer communications.

+>Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

+

+- **Recent policy matches**: displays the number of matches by active policies over time.

+- **Resolved items by policy**: displays the number of policy match alerts resolved by policies over time.

+

+- **Match ID**: Unique ID for the message in the policy.

+- **Sender**: Sender of the message.

+- **Recipients**: Recipients included for the message.

+- **Date Sent**: Date the message was sent.

+- **Match Date**: Date the message was a match for the policy conditions.

+- **Subject**: Subject of the message.

+- **Contains Attachments**: Status of any attachments for the message. Values are either *Yes* or *No*.

+- **Policy Name**: Name of the policy associated with the message. This value will be the same for all messages in the report.

+- **Item Status**: Status of the message item in the policy. Values are *Pending* or *Resolved*.

+- **Tags**: Tags assigned to the message. Values are *Questionable, Compliant*, or *Non-compliant*.

+- **Keyword Matches**: Keyword matches for the message.

+- **Reviewers**: Reviewers assigned to message.

+- **Pending for (days)**: Number of days the message has been in a pending state. For resolved messages, the value is 0.

+- **Comment for resolved**: Comments for the message entered when resolved.

+- **Resolved Date**: Date and time the message was resolved.

+- **Last Updated By**: User name of the last updater.

+- **Last Updated On**: Date and time the message was last updated.

+- **History of comments**: List of all comments for the message alert, including comment author and date/time of the comment.

+| **CreationDate** | Date the update activity was performed in a policy. |

+| **UserIds** | User that performed the update activity in a policy. |

+| **Operations** | Update operations performed on the policy. |

+| **AuditData** | Main data source for all policy update activities. All update activities are recorded and separated by comma delimiters. |

+| **CreationDate** | Date the review activity was performed in a policy. |

+| **UserIds** | User that performed the review activity in a policy. |

+| **Operations** | Review operations performed on the policy. |

+| **AuditData** | Main data source for all policy review activities. All review activities are recorded and separated by comma delimiters. |

+>Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

+[Communication compliance](/microsoft-365/compliance/communication-compliance) is an insider risk solution in Microsoft Purview that helps minimize communication risks by helping you detect, capture, and act on potentially inappropriate messages in your organization. Security information and event management (SIEM) solutions such as [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel) or [Splunk](https://www.splunk.com/) are commonly used to aggregate and track threats within an organization.

+A common need for organizations is to integrate communication compliance alerts and their SIEM solutions. With this integration, organizations can view communication compliance alerts in their SIEM solution and then remediate alerts within the communication compliance workflow and user experience.

+For example, an employee sends an offensive message to another employee and that message is detected by a communication compliance policy for potentially inappropriate content. Events such as this are tracked in Microsoft 365 Audit (also known as "unified audit log") by the communication compliance solution and are then imported into the SIEM solution. Alerts triggered in the SIEM solution that are included in the Microsoft 365 Audit are then associated with communication compliance alerts. Investigators are notified of these alerts in their SIEM solution, and then they can then investigate and remediate the corresponding alerts in the communication compliance dashboard.

+CreationDate: 7/7/2022 5:30:11 AM

+AuditData: {"CreationTime":"2022-07-07T05:30:11","Id":"44e98a7e-57fd-4f89-79b8-08d941084a35","Operation":"SupervisionRuleMatch","OrganizationId":"338397e6\-697e-4dbe-a66b-2ea3497ef15c","RecordType":68,"ResultStatus":"{\\"ItemClass\\":\\"IPM.Note\\",\\"CcsiResults\\":\\"\\"}","UserKey":"SupervisionStoreDeliveryAgent","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"\<HE1P190MB04600526C0524C75E5750C5AC61A9@HE1P190MB0460.EURP190.PROD.OUTLOOK.COM\>","UserId":"user1@contoso.onmicrosoft.com","IsPolicyHit":true,"SRPolicyMatchDetails":{"SRPolicyId":"53be0bf4-75ee-4315-b65d-17d63bdd53ae","SRPolicyName":"Adult images","SRRuleMatchDetails":\[\]}}

+CreationDate: 7/6/2022 9:50:12 PM

+AuditData: {"CreationTime":"2022-07-06T21:50:12","Id":"5c61aae5-26fc-4c8e-0791-08d940c8086f","Operation":"SupervisionRuleMatch","OrganizationId":"338397e6\-697e-4dbe-a66b-2ea3497ef15c","RecordType":68,"ResultStatus":"{\\"ItemClass\\":\\"IPM.Note\\",\\"CcsiResults\\":\\"public\\"}","UserKey":"SupervisionStoreDeliveryAgent","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"\<20210706174831.24375086.807067@sailthru.com\>","UserId":"user2@contoso.onmicrosoft.com","IsPolicyHit":true,"SRPolicyMatchDetails":{"SRPolicyId":"a97cf128-c0fc-42a1-88e3-fd3b88af9941","SRPolicyName":"Insiders","SRRuleMatchDetails":\[{"SRCategoryName":"New insiders lexicon"}\]}}

+| Policy detecting a custom sensitive information type keyword list | { <br> CreationTime: 2022-09-17T16:29:57 <br> ID: 4b9ce23d-ee60-4f66-f38d-08d979f8631f <br> IsPolicyHit: true <br> ObjectId: <CY1PR05MB27158B96AF7F3AFE62E1F762CFDD9@CY1PR05MB2715.namprd05.prod.outlook.com> <br> Operation: SupervisionRuleMatch <br> OrganizationId: d6a06676-95e8-4632-b949-44bc00f0793f <br> RecordType: 68 <br> ResultStatus: {"ItemClass":"IPM.Note","CcsiResults":"leak"} <br> SRPolicyMatchDetails: { [+] } <br> UserId: user1@contoso.OnMicrosoft.com <br> UserKey: SupervisionStoreDeliveryAgent <br> UserType: 0 <br> Version: 1 <br> Workload: Exchange <br> } |

+| Policy detecting potentially inappropriate language | { <br> CreationTime: 2022-09-17T23:44:35 <br> ID: e0ef6f54-9a52-4e4c-9584-08d97a351ad0 <br> IsPolicyHit: true <br> ObjectId: <BN6PR05MB3571AD9FBB85C4E12C1F66B4CCDD9@BN6PR05MB3571.namprd05.prod.outlook.com> <br> Operation: SupervisionRuleMatch <br> OrganizationId: d6a06676-95e8-4632-b949-44bc00f0793f <br> RecordType: 68 <br> ResultStatus: {"ItemClass":"IPM.Yammer.Message","CcsiResults":""} <br> SRPolicyMatchDetails: { [+] } <br> UserId: user1@contoso.com <br> UserKey: SupervisionStoreDeliveryAgent <br> UserType: 0 <br> Version: 1 <br> } |

+>Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

+Protecting sensitive information and detecting and acting on workplace harassment incidents is an important part of compliance with internal policies and standards. Microsoft Purview Communication Compliance helps minimize these risks by helping you quickly detect, capture, and take remediation actions for email and Microsoft Teams communications. These include potentially inappropriate communications containing profanity, threats, and harassment and communications that share sensitive information inside and outside of your organization.

+> [!IMPORTANT]

+> Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

+Microsoft Purview Communication Compliance is an insider risk solution that helps minimize communication risks by helping you detect, capture, and act on potentially inappropriate messages in your organization. Pre-defined and custom policies allow you to check internal and external communications for policy matches so they can be examined by designated reviewers. Reviewers can investigate email, Microsoft Teams, Yammer, or third-party communications in your organization and take appropriate actions to make sure they're compliant with your organization's message standards.

+- Checking increasing types of communication channels

+For the latest Ignite videos for communication compliance, see the following:

+ Users must comply with acceptable use, ethical standards, and other corporate policies in all their business-related communications. Communication compliance policies can detect policy matches and help you take corrective actions to help mitigate these types of incidents. For example, you could check user communications in your organization for human resources concerns such as harassment or the use of potentially inappropriate or offensive language.

+ Organizations are responsible to all communications distributed throughout their infrastructure and corporate network systems. Using communication compliance policies to help identify and manage potential legal exposure and risk can help minimize risks before they can damage corporate operations. For example, you could check messages in your organization for unauthorized communications and conflicts of interest about confidential projects such as upcoming acquisitions, mergers, earnings disclosures, reorganizations, or leadership team changes.

+ Most organizations must comply with some type of regulatory compliance standards as part of their normal operating procedures. These regulations often require organizations to implement some type of supervisory or oversight process for messaging that is appropriate for their industry. The Financial Industry Regulatory Authority (FINRA) Rule 3110 is a good example of a requirement for organizations to have supervisory procedures in place to check user communications and the types of businesses in which it engages. Another example may be a need to review broker-dealer communications in your organization to safeguard against potential insider trading, collusion, or bribery activities. Communication compliance policies can help your organization meet these requirements by providing a process to both analyze and report on corporate communications. For more information on support for financial organizations, see [Key compliance and security considerations for US banking and capital markets](../solutions/financial-services-secure-collaboration.md).

+- **Customizable pre-configured templates**: Policy templates help address the most common communications risks. Initial policy creation and follow-on updating are now quicker with pre-defined templates to analyze and mitigate potentially inappropriate content, sensitive information, conflict of interest, and regulatory compliance issues.

+- **New machine learning support**: Built-in [classifiers](/microsoft-365/compliance/classifier-get-started-with) to analyze and mitigate discrimination, threats, harassment, profanity, and potentially inappropriate images and help reduce misclassified content in communication messages, saving reviewers time during the investigation and remediation process.

+- **Improved condition builder**: Configure policy conditions that are now streamlined into a single, integrated experience in the policy wizard, reducing confusion in how conditions are applied for policies.

+- **Conversation policy matching**: Messages in conversations are grouped by policy matches to give you more visibility about how conversations relate to your communication policies. For example, conversation policy matching in the *Pending Alerts* view will automatically show all messages in a Teams channel that have matches for your communications policies for analyzing and mitigating potentially inappropriate messages. Other messages in conversations that don't match your communications policies wouldn't be displayed.

+- **Keyword highlighting**: Terms matching policy conditions are highlighted in the message text view to help reviewers quickly analyze and remediate policy alerts.

+- **Optical character recognition (OCR) (preview)**: Check, detect, and investigate printed and handwritten text within images embedded or attached to email or Microsoft Teams chat messages.

+- **Pattern detected notification**: Many harassing and bullying actions take place over time and involve reoccurring instances of the same behavior by a user. The pattern detected notification displayed in alert details helps raise attention to these alerts and this type of behavior.

+- **Attachment detection**: Check, detect, and investigate linked content (Modern attachments) from OneDrive and Microsoft Teams that match policy classifiers and conditions for Microsoft Teams messages. Attachment content is automatically extracted to a text file for detailed review and action.

+Communication compliance policies check, detect, and capture messages across several communication channels to help you quickly review and remediate compliance issues:

+- **Microsoft Teams**: Chat communications for public and private [Microsoft Teams](/MicrosoftTeams/Teams-overview) channels and individual chats are supported in communication compliance as a standalone channel source or with other Microsoft 365 services. You'll need to manually add individual users, distribution groups, or specific Microsoft Teams channels when you select users and groups to supervise in a communication compliance policy. Teams users can also self-report potentially inappropriate messages in private and group channels and chats for review and remediation.

+- **Exchange Online**: All mailboxes hosted on [Exchange Online](/Exchange/exchange-online) in your Microsoft 365 organization are eligible for analyses. Emails and attachments matching communication compliance policy conditions are instantly available for investigation and in compliance reports. Exchange Online is now an optional source channel and is no longer required in communication compliance policies.

+- **Yammer**: Private messages and public community conversations in [Yammer](/yammer/yammer-landing-page) are supported in communication compliance policies. Yammer is an optional channel and must be in [native mode](/yammer/configure-your-yammer-network/overview-native-mode) to support checking of messages and attachments.

+- **Third-party sources**: You can check messages from [third-party sources](/microsoft-365/compliance/archiving-third-party-data) for data imported into mailboxes in your Microsoft 365 organization. Communication compliance supports connections to several popular platforms, including Instant Bloomberg and others.

+Whether you're setting up communication compliance for the first time or getting started with creating new policies, the new [recommended actions](/microsoft-365/compliance/communication-compliance-configure#recommended-actions-preview) experience can help you get the most out of communication compliance capabilities. Recommended actions include setting up permissions, creating distribution groups, creating policies, and more.

+In this workflow step, you identify your compliance requirements and configure applicable communication compliance policies. Policy templates are a great way to not only quickly configure a new compliance policy, but to also quickly modify and update policies as your requirements change. For example, you may want to quickly test a policy for potentially inappropriate content on communications for a small group of users before configuring a policy for all users in your organization.

+>By default Global Administrators do not have access to communication compliance features. To enable permissions for communication compliance features, see [Make communication compliance available in your organization](/microsoft-365/compliance/communication-compliance-configure#step-1-required-enable-permissions-for-communication-compliance).

+- **Monitor for sensitive information**: Use this template to quickly create a policy to check communications containing defined sensitive information types or keywords to help make sure that important data isn't shared with people that shouldn't have access.

+- **Monitor for financial regulatory compliance**: Use this template to quickly create a policy to check communications for references to standard financial terms associated with regulatory standards.

+> [!TIP]

+> Use [recommended actions](/microsoft-365/compliance/communication-compliance-configure#recommended-actions) to help you determine if you need a sensitive information type policy or if you need to update existing inappropriate content policies.

+In this step, you can look deeper into the issues detected as matching your communication compliance policies. This step includes the following actions available in the Microsoft Purview compliance portal:

+- **Remove message in Teams (preview)**: Potentially inappropriate messages may be removed from displaying in Microsoft Teams channels or personal and group chat messages. Those identified messages that are removed are replaced with a notification that the message has been removed for a policy violation.

+Keeping track and mitigating compliance issues identified by communication compliance policies spans the entire workflow process. As alerts are generated and investigation and remediation actions are implemented, existing policies may need review and updates, and new policies may need to be created.

+- Check out the [case study for Contoso](/microsoft-365/compliance/communication-compliance-case-study) and see how they quickly configured a communication compliance policy to detect potentially inappropriate content in Microsoft Teams, Exchange Online, and Yammer communications.

+1. [Do a quick check of your environment using the Microsoft Compliance Configuration Manager](compliance-manager-mcca.md)

+- [Do a quick check of your environment using the Microsoft Compliance Configuration Analyzer for Compliance Manager (preview)](compliance-manager-mcca.md)

+Analytics within Insider Risk Management enables you to conduct an evaluation of potential insider risks that may lead to a data security incident in your organization without configuring any insider risk policies. Analytics check results may take up to 48 hours before insights are available as reports for review. These assessment results are aggregated and anonymized, and offer organization-wide insights, like the percentage of users performing potential sensitive data exfiltration activities.

+- [Do a quick check of your environment using the Configuration Analyzer for Microsoft Purview](compliance-manager-mcca.md)

+When you come to Compliance Manager for the first time, your initial score is based on the [Microsoft 365 data protection baseline](compliance-manager-assessments.md#data-protection-baseline-default-assessment). This baseline assessment, which is available to all organizations, is a set of controls that includes common industry regulations and standards. Compliance Manager checks your existing Microsoft 365 solutions and gives you an initial assessment based on your current privacy and security settings. As you add assessments that are relevant to your organization, your score becomes more meaningful for you.

+A pre-defined *Detect inappropriate text* policy template allows you to check internal and external communications for policy matches so they can be examined by designated reviewers. Reviewers can investigate email, Microsoft Teams, Yammer, or third-party communications in your organization and take appropriate remediation actions to make sure they're compliant with your organization's standards.

+The pre-defined *Detect sensitive info* policy template helps you quickly create a policy to check email and Microsoft Teams communications containing defined sensitive information types or keywords to help make sure that important data isn't shared with people that shouldn't have access. These activities could include unauthorized communication about confidential projects or industry-specific rules on insider trading or other collusion activities.

+### Step 7: Enter keywords or a query, or asset ID for SharePoint and OneDrive

+Now you narrow the scope of the content. You do this by specifying keywords or a query. For SharePoint and OneDrive content, you can also do this by specifying asset IDs.

+Queries use Keyword Query Language (KQL). For more information about the query syntax, see [Keyword Query Language (KQL) syntax reference](/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference). For more information about the searchable properties that you can use, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md).

+Investigating potentially risky user activities is an important first step in minimizing insider risks for your organization. These risks may be activities that generate alerts from insider risk management policies. They can also be risks from compliance-related activities that are detected by policies, but don't immediately create insider risk management alerts for users. You can investigate these types of activities by using the **User activity reports (preview)** or with the **Alert dashboard**.

+User activity reports allow you to examine potentially risky activities (for specific users and for a defined time period) without having to assign these activities, temporarily or explicitly, to an insider risk management policy. In most insider risk management scenarios, users are explicitly defined in policies, and they may have policy alerts (depending on triggering events) and risk scores associated with the activities. But in some scenarios, you may want to examine the activities for users that aren't explicitly defined in a policy. These activities may be for users that you've received a tip about the user and potentially risky activities, or users that typically don't need to be assigned to an insider risk management policy.

+After you've configured indicators on the insider risk management **Settings** page, user activity is detected for potentially risky activity associated with the selected indicators. This configuration means that all detected activity for users is available for review, regardless if it has a triggering event or if it creates an alert. Reports are created on a per-user basis and can include all activities for a custom 90-day period. Multiple reports for the same user aren't supported.

+After examining potentially risky activities, investigators can dismiss individual user's activities as benign. They can also share or email a link to the report with other investigators, or choose to assign users (temporarily or explicitly) to an insider risk management policy. Users must be assigned to the *Insider Risk Management Investigators* role group to view the **User activity reports** page.

+To get started, select **Manage reports** in the **Investigate user activity** section on the insider risk management **Overview** page.

+To view activities for a user, first select **Create user activity report** and complete the following fields in the **New user activity report** pane:

+- **User**: Search for a user by name or email address.

+

+

+- **User activity**: Use this chart view to investigate potentially risky activities and view potentially related activities that occur in sequences. This tab is structured to enable quick review of a case, including a historical timeline of all activities, activity details, the current risk score for the user in the case, the sequence of risk events, and filtering controls to help with investigative efforts.

+- **Activity explorer**: This tab provides risk investigators with a comprehensive analytics tool that provides detailed information about activities. With the Activity explorer, reviewers can quickly review a timeline of detected risky activity and identify and filter all potentially risky activities associated with alerts. To learn more about using the Activity explorer, see the *Activity explorer* section later in this article.

+Insider risk management alerts are automatically generated by risk indicators that are defined in insider risk management policies. These alerts give compliance analysts and investigators an all-up view of the current risk status and allow your organization to triage and take actions for discovered potential risks. By default, policies generate a certain amount of low, medium, and high severity alerts, but you can [increase or decrease the alert volume](insider-risk-management-settings.md#alert-volume) to suit your needs. Additionally, you can configure the [alert threshold for policy indicators](insider-risk-management-settings.md#indicator-level-settings-preview) when creating a new policy with the policy creation tool.

+

+> Insider risk management uses built-in alert throttling to help protect and optimize your risk investigation and review experience. This throttling guards against issues that might result in an overload of policy alerts, such as misconfigured data connectors or data loss prevention policies. As a result, there might be a delay in displaying new alerts for a user.

+- **Dismissed**: An alert dismissed as benign in the triage process. You can provide a reason for the alert dismissal and include notes that are available in the user's alert history to provide additional context for future reference or for other reviewers. Reasons could range from expected activities, non-impactful events, simply reducing the number of alert activities for the user, or a reason related to the alert notes. Reason classification choices include *Activity is expected for this user*, *Activity is impactful enough for me to investigate further*, and *Alerts for this user contain too much activity*.

+Alert risk scores are automatically calculated from several risk activity indicators. These indicators include the type of risk activity, the number and frequency of the activity occurrence, the history of users' risk activity, and the addition of activity risks that may boost the seriousness of the potentially risky activity. The alert risk score drives the programmatic assignment of a risk severity level for each alert and can't be customized. If alerts remain untriaged and risk activities continue to accrue to the alert, the risk severity level can increase. Risk analysts and investigators can use alert risk severity to help triage alerts in accordance with your organization's risk policies and standards.

+- **High severity**: The potentially risky activities and indicators for the alert pose significant risk. The associated risk activities are serious, repetitive, and corelate strongly to other significant risk factors.

+- **Medium severity**: The potentially risky activities and indicators for the alert pose a moderate risk. The associated risk activities are moderate, frequent, and have some correlation to other risk factors.

+- **Low severity**: The potentially risky activities and indicators for the alert pose a minor risk. The associated risk activities are minor, more infrequent, and don't corelate to other significant risk factors.

+Depending on the number and type of active insider risk management policies in your organization, reviewing a large queue of alerts can be challenging. Using alert filters can help analysts and investigators sort alerts by several attributes.

+To filter alerts on the **Alerts dashboard**, select the **Filter** control. You can filter alerts by one or more attributes:

+- **Severity**: Select one or more alert risk severity levels to filter the alert list The options are *High*, *Medium*, and *Low*.

+This section contains general information about the user and alert. This information is available for context while reviewing detailed information about the detected risk management activity included in the alert for the user:

+- **Activity that generated this alert**: Displays the top potentially risky activity and policy match during the activity evaluation period that led to the alert being generated.

+This tab opens the summary of risk factors for the user's alert activity. Risk factors can help you determine how risky this user's risk management activity is during your review. The risk factors include summaries for:

+- **Sequences of activities**: Displays the detected potentially risky activities associated with risk sequences.

+- **Unusual activity for this user**: Displays specific activities for the user that are considered potentially risky, as they are unusual and a departure from their typical activities.

+- **Priority content**: Displays potentially risky activities associated with priority content.

+- **Unallowed domains**: Displays potentially risky activities for events associated with unallowed domains.

+- **Health record access**: Displays potentially risky activities for events associated with accessing health records.

+- **Risky browser usage**: Displays potentially risky activities for events associated with browsing to potentially inappropriate websites.

+With these filters, you'll only see alerts with the above risk factors, but the activity that generated an alert might not fall into any of these categories. For example, an alert containing sequence activities might have been generated simply because the user copied a file to a USB device.

+The **User activity** chart is one of the most powerful tools for internal risk analysis and investigation for alerts and cases in the insider risk management solution. This tab is structured to enable quick review of all activities for a user, including a historical timeline of all alerts, alert details, the current risk score for the user, and the sequence of risk events.

+

+1. **Time filters**: By default, the last three months of potentially risky activities displayed in the User activity chart. You can easily filter the chart view by selecting the *6 Months*, *3 Months*, or *1 Month* tabs on the bubble chart.

+2. **Risk alert activity and details**: Potentially risky activities are visually displayed as colored bubbles in the User activity chart. Bubbles are created for different categories of risk and. Select a bubble to display the details for each potentially risky activity. Details include:

+ - **Sort by**: List the timeline of potentially risky activities by *Date occurred* or *Risk score*.

+4. **Risk sequence**: The chronological order of potentially risky activities is an important aspect of risk investigation and identifying these related activities is an important part of evaluating overall risk for your organization. Alert activities that are related are displayed with connecting lines to highlight that these activities are associated with a larger risk area. Sequences are also identified in this view by an icon positioned above the sequence activities relative to the risk score for the sequence. Hover over the icon to see the date and time of the risky activity associated with this sequence. This view of activities can help investigators literally 'connect the dots' for risk activities that could have been viewed as isolated or one-off events. Select the icon or any bubble in the sequence to display details for all the associated risk activities. Details include:

+ - **Number of events associated with each alert in the sequence**. Links to each file or email associated with each potentially risky activity are also available.

+The Activity explorer provides risk investigators and analysts with a comprehensive analytics tool that provides detailed information about alerts. With the Activity explorer, reviewers can quickly review a timeline of detected potentially risky activity and identify and filter all risk activities associated with alerts.

+

+- **Cumulative exfiltration detection**: Cumulative exfiltration detection analyzes event logs, but applies a model that includes de-duplicating similar activities to compute cumulative exfiltration risk. Additionally, there may also be a difference in the number of potentially risky activities displayed in the Activity explorer if you have made changes to your existing policy or settings. For example, if you modify allowed/unallowed domains or add new file type exclusions after a policy has been created and potentially risky activity matches have occurred, the cumulative exfiltration detection activities will differ from the results before the policy or settings changes. Cumulative exfiltration detection activity totals are based on the policy and settings configuration at the time of computation and don't include activities prior to the policy and settings changes

+- **Emails to external recipients**: Potentially risky activity for emails sent to external recipients is assigned a risk score based on the number of emails sent, which may not match the activity event logs.

+As alert is reviewed and triaged, you can create a new case to further investigate the potentially risky activity. To create a case for an alert, follow these steps:

+As insider risk management alerts age, their value to minimize potentially risky activity diminishes for most organizations. Conversely, active cases and associated artifacts (alerts, insights, activities) are always valuable to organizations and shouldn't have an automatic expiration date. This includes all future alerts and artifacts in an active status for any user associated with an active case.

+To help minimize the number of older items that provide limited current value, the following retention and limits apply for insider risk management alerts, cases, and user reports:

+Reviewing, investigating, and acting on potentially risky insider alerts are important parts of minimizing insider risks in your organization. Quickly taking action to minimize the impact of these risks can potentially save time, money, and regulatory or legal ramifications for your organization. In this remediation process, the first step of reviewing alerts can seem like the most difficult task for many analysts and investigators. Depending on your circumstances, you may be facing some minor obstacles when acting on potentially risky insider alerts. Review the following recommendations and learn how to optimize the alert review process.

+3. **Select an alert to discover more information and to review the alert details**. If needed, use the [Activity explorer](insider-risk-management-activities.md#activity-explorer) to review a timeline of the associated potentially risky behavior and to identify all risk activities for the alert.

+- **Focus analyst and investigator efforts on the highest risk alerts first**. Depending on your policies, you may be capturing user activities and generating alerts with varying degrees of potential impact to your risk mitigation efforts. [Filter alerts](insider-risk-management-activities.md#filter-alerts-on-the-alert-dashboard) by severity and prioritize *High severity* alerts.

+- **Use automated insider risk features to help discover the highest risk activities**. Insider risk management [sequence detection](insider-risk-management-policies.md#sequence-detection-preview) and [cumulative exfiltration detection](insider-risk-management-policies.md#cumulative-exfiltration-detection-preview) features can help you quickly discover harder to find potential risks in your organization. Consider fine-tuning your [risk score boosters](insider-risk-management-settings.md#indicators), [file activity detection](insider-risk-management-settings.md#file-activity-detection), [domains](insider-risk-management-settings.md#domains), and the minimum [indicator threshold settings](insider-risk-management-settings.md#indicator-level-settings-preview) for your policies.

+The insider risk management audit log enables you to stay informed on the actions taken on insider risk management features. This log allows independent review of the actions taken by users assigned to one or more insider risk management role groups. The insider risk management audit log is automatically enabled in your organization and cannot be disabled.

+The audit log is automatically and immediately updated whenever detected identified risk activities occur. The audit log retains information for 180 days (about six months). After 180 days, data is permanently deleted from the log.

+Areas in identified risk activity detection include:

+> The insider risk management audit log isn't associated with the Microsoft 365 audit log, as they are independent auditing systems and capture information on separate areas. Disabling Microsoft 365 auditing doesn't impact activity auditing within insider risk management.

+- **Activity:** A description of the identified risk activity taken within the insider risk management solution by a user.

+- **Category:** The area or item where the identified risk activity was performed. For example, you'll see *Policies* as the category when policy change activities were performed.

+- **Activity performed by:** The user name of the user that performed the identified risk activity.

+- **Date:** The date and time the identified risk activity was performed. The date and time are the local date and time for your organization.

+For more information about a logged activity, select the activity to display the activity details pane. This pane includes additional information about the identified risk activity.

+To make it easier for auditors to review audit logs, filtering is supported in the **Insider risk audit log**. For basic filtering, queue columns are available to add to the view to provide different pivots on the files and messages. You can filter identified risk activities by the **Category, Date range,** and **Activity performed by** fields.

+To add or remove column headings for the queue, use the **Customize columns** control and select from the column options. These columns map to common conditions supported in the **Insider risk audit log** and are listed later in this article.

+Users assigned to the *Insider Risk Management* or *Insider Risk Management Auditors* role groups can export audit log activity to a .csv (comma-separated values) file by selecting **Export** on the **Insider risk audit log** page. Depending on the audit log activity, some fields may not be included in the filtered queue, and therefore those fields will appear as blank in the exported file.

+The file contains audit log activity information for the following fields:

+- **Activity performed by:** Name of the user modifying an item value. Users listed here have been assigned to one or more of the following role [insider risk management role groups](insider-risk-management-configure.md#step-1-required-enable-permissions-for-insider-risk-management): *Insider Risk Management*, *Insider Risk Management Admins*, *Insider Risk Management Analysts*, *Insider Risk Management Investigators*. Each role group has different permission levels for managing insider risk features.

+- **Activity:** Type of activity taken on an item. Values are *Viewed, Deleted, Added, Edited policy, Case, User, Alert,* and *Settings.*

+- **Added**: Objects that were added during the identified risk activity, such as users, file types, or domains.

+- **Alert volume**: Level of alert volume defined in insider risk management settings.

+- **Amount**: Currently selected custom indicator amounts for a policy.

+- **Asset ID**: Asset ID of the priority physical asset the activity was performed on.

+- **Category:** Category of the item modified. Values are *Policies, Cases, Users, Alerts, Settings,* and *Notice templates.*

+- **Description**: Description input by the user for the object being acted on (such as a policy or a priority user group).

+- **Indicator**: Indicator in the within insider risk settings that the activity was performed on (such as adding or removing an indicator).

+- **Notice template**: Notice template that the identified risk activity was performed on.

+- **Number of days**: Policy activation window defined in insider risk settings.

+- **Number of files**: File volume limit defined in insider risk management settings.

+- **Policy template**: Policy template that the indicators acted on belongs to.

+- **Previous amount**: Previously selected custom indicator amounts for a policy.

+- **Priority user group**: Priority user group the identified risk activity was performed on.

+- **Removed**: Objects that were removed during the identified risk activity, such as users, file types, or domains.

+- **Sender**: Sender field of the notice template the identified risk activity was performed on.

+- **Target policy**: The policy the identified risk activity was performed on (such as adding a user to or removing a user from).

+- **Template message body**: The message body of the notice template the identified risk activity was performed on.

+- **Template subject**: The subject field of the notice template the identified risk activity was performed on.

+- **User:** User the identified risk activity was performed on.

+Web browsers are often used by users to access both sensitive and non-sensitive files within an organization. Insider risk management allows your organization to detect and act on browser exfiltration signals for all non-executable files viewed in [Microsoft Edge](https://www.microsoft.com/edge) and [Google Chrome](https://www.google.com/chrome) browsers. With these signals, analysts and investigators can quickly act when any of the following risk activities are performed by in-scope policy users when using these browsers:

+- Browsing potentially risky websites

+The following table summarizes identified risk activities and extension support for each browser:

+| **Detected activities** | **Microsoft Edge** | **Google Chrome** |

+| -- | | -- |

+| Files copied to personal cloud storage | Native | Extension |

+| Files printed to local or network devices | Native | Extension |

+| Files transferred or copied to a network share | Extension | Extension |

+| Files copied to USB devices | Extension | Extension |

+| Browsing risky websites | Extension | Extension |

+Use this option to configure a single machine self-host for each device in your organization when testing browser signal detection.

+Use this option to configure single machine self-host for each device in your organization when testing browser signal detection.

+> [!Important]

+> These registry keys are required to ensure proper functionality of the extension. You must enable these registry keys before testing any signals.*

+- Sending the user a notice

+- Resolving the case as benign

+- Sharing the case with your ServiceNow instance or with an email recipient

+- Escalating the case for an eDiscovery (Premium) investigation

+

+- **Policy matches**: The name of the insider risk management policy associated with the match alerts for potentially risky user activity that may lead to a security incident.

+The **User activity** tab allows risk analysts and investigators to review user activity details and use a visual representation of all the potentially risky activities associated with risk alerts and cases to determine whether those risky activities may lead to a security incident. For example, as part of the alert triage process, analysts may need to review all the risk activities associated with the case for more details. In cases, risk investigators can review user activity details and the bubble chart to help understand the overall scope of the risk activities associated with the case. For more information about the User activity chart, see the [Insider risk management activities](insider-risk-management-activities.md#user-activity) article.

+The **Activity explorer** tab allows risk analysts and investigators to review case activity details associated with risk alerts. For example, as part of the case management actions, investigators and analysts may need to review all the risk activities associated with the case for more details. With the **Activity explorer**, reviewers can quickly examine a timeline of detected potentially risky activity and identify and filter all risk activities associated with alerts.

+## Forensic evidence (preview)

+- Request information from HR or business about a user in an insider risk case.

+- Notify manager when a user has an insider risk alert.

+- Create a record for an insider risk management case in ServiceNow.

+- Notify users when they're added to an insider risk policy.

+1. Select **Automate** on the case action toolbar.

+2. Choose the Power Automate flow to run, then select **Run flow**.

+ ### View or create a Microsoft Teams team for the case

+- **Choose policy indicators**: Indicators are essentially the risk management activities you want to detect and investigate. You can choose indicators to track activity across several Microsoft 365 locations and services.

+- **Action**: Name and description of the recommended action.

+- **Status**: Status of the recommended action. Values are *Not started*, *In progress*, *Saved for later*, or *Completed*.

+Select a recommendation from the list to get started with configuring insider risk management. Each recommended action guides you through the required action for the recommendation, including any requirements, what to expect, and the impact of configuring the feature in your organization. Each recommended action is automatically marked as complete when configured or you'll need to manually select the action as complete when configured.

+Insider risk management uses Microsoft 365 audit logs for user insights and risk management activities identified in policies and analytics insights. The Microsoft 365 audit logs are a summary of all activities within your organization and insider risk management policies may use these activities for generating policy insights.

+To enable insider risk analytics, you must be a member of the *Insider Risk Management*, *Insider Risk Management Admin*, or Microsoft 365 *Global admin* role group.

+### Configure a healthcare-specific data connector

+Insider risk management supports importing user and log data imported from 3rd-party on existing electronic medical record (EMR) systems. The Microsoft Healthcare and Epic data connectors allow you to pull in activity data from your EMR system with CSV files, including improper patient record access, suspicious volume activities, and editing and exporting activities. This data helps drive alert indicators in insider risk management policies and is an important part of configuring full risk management coverage in your organization.

+If you configure more than one Healthcare or Epic connector for your organization, insider risk management automatically supports event and activities signals from all Healthcare and Epic connectors. The Microsoft 365 Healthcare or Epic connector is required when using the following policy templates:

+Data loss policies help identify users to activate risk scoring in insider risk management for high severity DLP alerts for sensitive information and are an important part of configuring full risk management coverage in your organization. For more information about insider risk management and DLP policy integration and planning considerations, see [Insider risk management policies](insider-risk-management-policies.md#general-data-leaks).

+> Make sure you've completed the following:

+> - The **Incident reports** setting in the DLP policy for insider risk management used with these templates are configured for *High* severity level alerts. Insider risk management alerts won't be generated from DLP policies with the **Incident reports** field set at *Low* or *Medium*.

+ > In order to receive alerts for potentially risky activities as defined in your policies, you must select one or more indicators. If indicators aren't configured in Settings, the indicators won't be selectable in insider risk policies.

+

+11. Select **Save** to enable these settings for your insider risk policies.

+Insider risk management policies include assigned users and define which types of risk indicators are configured for alerts. Before potentially risky activities can trigger alerts, a policy must be configured. Use the policy wizard to create new insider risk management policies.

+ - **SharePoint sites**: Select **Add SharePoint site** and select the SharePoint sites you have access to and want to prioritize. For example, *"group1@contoso.sharepoint.com/sites/group1"*.

+ - **Scoring**: Decide whether to assign risk scores to all risk management activities detected by this policy or only for activities that include priority content. Choose **Get alerts for all activity** or **Get alerts only for activity that includes priority content**.

+> [!IMPORTANT]

+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

+The insider risk management **Content explorer** allows users assigned the *Insider Risk Management Investigators* role to examine the context and details of content associated with activity in alerts. The case data in Content explorer is refreshed daily to include new risk activity. For all alerts that are confirmed to a case, copies of data and message files are archived as a snapshot in time of the items, while maintaining the original files and messages in the storage sources. If needed, case data files may be exported as a portable document file (PDF) or in the original file format.

+| **Compliance labels** | Compliance labels applied in Microsoft 365. |

+> [!IMPORTANT]

+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

+Insider risk management notice templates allow you to automatically send email messages to users when a case is created for risk activities that have generated a policy match and confirmed alert. For most alerts that generate cases, user actions are the result of mistakes or inadvertent actions without ill intent. Notices serve as simple reminders to users to be more careful, to provide links to information for refresher training, or to corporate policy resources. Notices can be an important part of your internal compliance training program and can help create a documented audit trail for users with recurring risk activities.

+Create notice templates if you want to send users an email reminder notice for policy matches as part of the case resolution process. Notices can only be sent to the user email address associated with the specific case being reviewed. When selecting a notice template to apply to a policy match, you can choose to accept the field values defined in the template or overwrite the fields as needed.

+3. On the notice details page, select **Edit**.

+> [!IMPORTANT]

+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

+Before getting started with [insider risk management](insider-risk-management.md) in your organization, there are important planning activities and considerations that should be reviewed by your information technology and compliance management teams. Thoroughly understanding and planning for deployment in the following areas will help ensure that your implementation and use of insider risk management features goes smoothly and is aligned with best practices.

+If you have requirements for specific stakeholders to be involved in case investigations that involve users in certain regions, roles, or divisions, you may want to implement separate (even if identical) [insider risk management policies](insider-risk-management-policies.md) targeting the different regions and populations. This configuration makes it easier for the right stakeholders to triage and manage cases that are relevant to their roles and regions. You may want to consider creating processes and policies for regions where investigators and reviewers speak the same language as the users, which can help streamline the escalation process for insider risk management alerts and cases.

+Depending on how you want to manage insider risk management policies and alerts, you'll need to assign users to specific role groups to manage different sets of insider risk management features. You have the option to assign users with different compliance responsibilities to specific role groups to manage different areas of insider risk management features. Or you may decide to assign all user accounts for designated administrators, analysts, investigators, and viewers to the Insider Risk Management role group. Use a single role group or multiple role groups to best fit your compliance management requirements.

+Choose from the following role group options and solution actions when working with insider risk management:

+|Access and investigate alerts|Yes|No|Yes|Yes|No|No|

+|Access and investigate cases|Yes|No|Yes|Yes|No|No|

+|Access and view the Content Explorer|Yes|No|No|Yes|No|No|

+|View and export audit logs|Yes|No|No|No|Yes|No|

+|Access and view forensic evidence captures|Yes|No|No|Yes|No|No|

+> [!IMPORTANT]

+> Make sure you always have at least one user in the *Insider Risk Management* or *Insider Risk Management Admin* role groups (depending on the option you choose) so that your insider risk management configuration doesn't get in to a 'zero administrator' scenario if specific users leave your organization.

+**Policy template requirements:** Depending on the policy template you choose, you need to be sure you understand the following requirements and plan accordingly prior to configuring insider risk management in your organization:

+- When using the **Data theft by departing users** template, you must configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector.

+- When using the **Data leaks** template, you must configure at least one Microsoft Purview Data Loss Prevention (DLP) policy to define sensitive information in your organization and to receive insider risk alerts for High Severity DLP policy alerts. See the [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) article for step-by-step guidance to configure DLP policies.

+- When using the **Security policy violation** template, you must enable Microsoft Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For step-by-step guidance to enable Defender for Endpoint integration with insider risk management, see [Configure advanced features in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features).

+- When using the **Disgruntled user** template, you must configure a Microsoft 365 HR connector to periodically import performance or demotion status information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector.

+Before enabling this solution broadly in your production environment, you should consider testing the policies with a small set of production users while conducting for the necessary compliance, privacy, and legal reviews in your organization. Evaluating insider risk management in a test environment requires that you generate simulated user actions and other signals to create alerts for triage and cases for processing. This approach may not be practical for many organizations, so we recommended that you test insider risk management with a small group of users in a production environment.

+If you don't see any alerts immediately after configuring an insider risk management policy, it may mean the minimum risk threshold hasn't been met yet. Check the **Users** page to verify that the policy is triggered and working as expected and to see if users are in-scope for the policy.

+Ready to configure insider risk management for your organization? We recommend that you review the following articles:

+> [!IMPORTANT]

+> Microsoft Purview Insider Risk Management correlates various signals to identify potentially malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

+Insider risk management policies determine which users are in-scope and which types of risk indicators are configured for alerts. You can quickly create a security policy that applies to all users in your organization or define individual users or groups for management in a policy. Policies support content priorities to focus policy conditions on multiple or specific Microsoft Teams, SharePoint sites, data sensitivity types, and data labels. Using templates, you can select specific risk indicators and customize event thresholds for policy indicators, effectively customizing risk scores, and level and frequency of alerts.

+You can also configure quick data leak and data theft policies by departing user policies that automatically define policy conditions based on results from the latest analytics. Also, risk score boosters and anomaly detections help identify potentially risky user activity that is of higher importance or unusual. Policy windows allow you to define the time frame to apply the policy to alert activities and are used to determine the duration of the policy once activated.

+- **Policy name**: Name assigned to the policy in the policy wizard.

+- **Status**: Health status for each policy. Displays number of policy warnings and recommendations, or a status of *Healthy* for policies without issues. You can select the policy to see the health status details for any warnings or recommendations.

+- **Active alerts**: Number of active alerts for each policy.

+- **Confirmed alerts**: Total number of alerts that resulted in cases from the policy in the last 365 days.

+- **Actions taken on alerts**: Total number of alerts that were confirmed or dismissed for the last 365 days.

+- **Policy alert effectiveness**: Percentage determined by total confirmed alerts divided by total actions taken on alerts (which is the sum of alerts that were confirmed or dismissed over the past year).

+

+Insider risk analytics gives you an aggregate view of anonymized user activities related to security and compliance, enabling you to evaluate potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher risk and help determine the type and scope of insider risk management policies you may consider configuring. If you decide to act on analytics results for general data leaks or data theft by departing users policies, you even have the option to configure a quick policy based on these results.

+For many organizations, getting started with an initial policy can be a challenge. If you're new to insider risk management and are using the recommended actions to get started, you can configure a quick policy to expedite a *General data leaks* or *Data theft by departing users* policy. Quick policy settings are automatically populated based on results from the latest analytics scan in your organization. For example, if the scan detected potential data leak activities, the quick policy would include the indicators used to detect those activities.

+To get started, review the quick policy settings and configure the policy with a single selection. If you need to customize a quick policy, you can change the conditions during the initial configuration or after the policy has been created. Also, you can stay up to date with the detection results for a quick policy by configuring email notifications each time you have a policy warning or each time the policy generates a high severity alert.

+Insider risk management templates are pre-defined policy conditions that define the types of risk indicators and risk scoring model used by the policy. Each policy must have a template assigned in the policy creation wizard before the policy is created. Insider risk management supports up to five policies for each policy template. When you create a new insider risk policy with the policy wizard, choose from one of the following policy templates:

+When users leave your organization, there are specific risk indicators typically associated with potential data theft by departing users. This policy template uses exfiltration indicators for risk scoring and focuses on detection and alerts in this risk area. Data theft for departing users may include downloading files from SharePoint Online, printing files, and copying data to personal cloud messaging and storage services near their employment resignation and end dates. By using either the Microsoft HR connector or the option to automatically check for user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these activities and how they correlate with user employment status.

+> When using this template, you can configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector. If you choose not to use the HR connector, you must select the User account deleted from Azure Active Directory option when configuring trigger events in the policy wizard.

+When creating or modifying data loss prevention policies for use with insider risk management policies, consider the following guidelines:

+ For example, if your DLP policy rules are scoped to only users on the Sales Team and the insider risk policy created from the **Data leaks** template has defined all users as in-scope, the insider risk policy will only process high severity DLP alerts for the users on the Sales Team. The insider risk policy won't receive any high priority DLP alerts for users to process that aren't defined in the DLP rules in this example. Conversely, if your insider risk management policy created from **Data leaks** templates is scoped to only users on the Sales Team and the assigned DLP policy is scoped to all users, the insider risk policy will only process high severity DLP alerts for members of the Sales Team. The insider risk management policy will ignore high severity DLP alerts for all users not on the Sales Team.

+When users experience employment stressors, they may become disgruntled, which may increase the chances of insider risk activity. This template starts scoring user activity when an indicator associated with disgruntlement is identified. Examples may include performance improvement notifications, poor performance reviews, changes to job level status, or email and other messages that may signal disgruntlement. Data leaks for disgruntled users may include downloading files from SharePoint Online and copying data to personal cloud messaging and storage services.

+When using this template, you must also configure a Microsoft HR connector to periodically import organization profile data for users in your organization. See the [Set up a connector to import HR data](/microsoft-365/compliance/import-hr-data) article for step-by-step guidance to configure the Microsoft 365 HR connector.

+Identifying user visitation to potentially inappropriate or unacceptable web sites on organization devices and networks is an important part of minimizing security, legal, and regulatory risks. Users that inadvertently or purposefully visit these types of websites may expose the organization to legal actions from other users, violate regulatory requirements, elevate network security risks, or jeopardize current and future business operations and opportunities. This misuse is often defined in an organization's acceptable use policy for user devices and organization network resources but is often difficult to quickly identify and act upon.

+When using this template, you must configure a HR connector, or select the option to [integrate communication compliance disgruntlement signals](/microsoft-365/compliance/communication-compliance-policies#policy-for-insider-risk-management-integration-preview) from user messages, or both. The HR connector enables the periodic import of performance improvement notifications, poor performance review statuses, or job level change information for users in your organization. Communication compliance disgruntlement integration imports signals for user messages that may contain potentially threatening, harassing, or discriminatory text content. Associated alerts generated in communication compliance do not need to be triaged, remediated, or changed in status to be integrated with the insider risk management policy. To configure a HR connector, see the [Import data with the HR connector](import-hr-data.md) article. To configure integration with communication compliance, you'll select this option in wizard when you configure the policy.

+> [!NOTE]

+> If you configure a policy to generate alerts only for activity that includes priority content, no changes are applied to risk score boosters.

+Risk management activities may not occur as isolated events. These risks are frequently part of a larger sequence of events. A sequence is a group of two or more potentially risky activities performed one after the other that might suggest an elevated risk. Identifying these related user activities is an important part of evaluating overall risk. When sequence detection is selected for data theft or data leaks policies, insights from sequence information activities are displayed on the **User activity** tab within an insider risk management case. The following policy templates support sequence detection:

+These insider risk management policies can use specific indicators and the order that they occur to detect each step in a sequence of risk. For policies created from the *General data leaks* and *Data leaks by priority user* templates, you can also select which sequences trigger the policy. File names are used when mapping activities across a sequence. These risks are organized into four main sequence detection types:

+- **Collection**: Detects download activities by in-scope policy users. Example risk management activities include downloading files from SharePoint sites or moving files into a compressed folder.

+- **Exfiltration**: Detects sharing or extraction activities to internal and external sources by in-scope policy users. An example risk management activity includes sending emails with attachments from your organization to external recipients.

+- **Obfuscation**: Detects the masking of potentially risky activities by in-scope policy users. Example risk management activities include renaming files on a device or removing or downgrading sensitivity labels on SharePoint files.

+- **Clean-up**: Detects deletion activities by in-scope policy users. An example risk management activity includes deleting files from a device.

+You can customize individual threshold settings for each sequence detection type when configured in the policy. These threshold settings adjust alerts based on the volume of files associated with the sequence type.

+- *Recommendations*: An issue with the policy that may prevent the policy from operating as expected.

+- *Warnings*: An issue with the policy that may prevent it from identifying potentially risky activities.

+For more details about any recommendations or warnings, select a policy on the **Policy** tab to open the policy details card. More information about the recommendations and warnings, including guidance on how to address these issues, is displayed in the **Notifications** section of the details card.

+Insider risk management policy templates use limits to manage the volume and rate of processing for in-scope user risk activities and how this process is integrated with supporting Microsoft 365 services. Each policy template has a maximum number of users that can be actively assigned risk scores for the policy that it can support and effectively process and report potentially risky activities. In-scope users are users with triggering events for the policy.

+To create a new insider risk management policy, you'll generally use the policy wizard in the **Insider risk management** solution in the Microsoft Purview compliance portal. You can also create quick policies for general data leaks and data theft by departing users from Analytics scans if applicable.

+ > [!NOTE]

+ > Users configuring the policy and determining priority SharePoint sites can select SharePoint sites that they have permission to access. If SharePoint sites aren't available for selection in the policy by the current user, another user with the required permissions can select the sites for the policy later or the current user should be given access to the required sites.

+ > [!NOTE]

+ > Users configuring the policy and selecting priority SharePoint sites can select SharePoint sites that they have permission to access. If SharePoint sites aren't available for selection in the policy by the current user, another user with the required permissions can select the sites for the policy later or the current user should be given access to the required sites.

+ > [!IMPORTANT]

+ > If you're unable to select a listed indicator, it's because they aren't enabled for your organization. To make them available to select and assign to the policy, enable the indicators in **Insider risk management** > **Settings** > **Policy indicators**.

+- When users are identified with risk concerns and you want to immediately start assigning risk scores to their activity for one or more of your policies.

+- When there's an incident that may require you to immediately start assigning risk scores to involved users' activity for one or more of your policies.

+- When you haven't configured your HR connector yet, but you want to start assigning risk scores to user activities for HR events by uploading a .csv file for the users.

+> [!IMPORTANT]

+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

+ > [!IMPORTANT]

+ > To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts. Exported alerts will display usernames for each alert.

+- **Triggering events**: Events that determine if a user is active in an insider risk management policy. If a user is added to an insider risk management policy doesn't have a triggering event, the user isn't evaluated by the policy as a potential risk. For example, User A is added to a policy created from the *Data theft by departing users* policy template and the policy and Microsoft 365 HR connector are properly configured. Until User A has a termination date reported by the HR connector, User A isn't evaluated by this insider risk management policy for potential risk. Another example of a triggering event is if a user has a *High* severity DLP policy alert when using *Data leaks* policies.

+- **Global settings indicators**: Indicators enabled in global settings for insider risk management define both the indicators available for configuration in policies and the types of events signals collected by insider risk management. For example, if a user copies data to personal cloud storage services or portable storage devices and these indicators are selected only in global settings, the user's potentially risky activity will be available for review in the Activity explorer. However, if this user wasn't defined in an insider risk management policy, the user isn't evaluated by the policy as a potential risk and therefore won't be assigned a risk score or generate an alert.

+Certain policy indicators and sequences may also be used for customizing triggering events for specific policy templates. When configured in the policy wizard for the *General data leaks* or *Data leaks by priority users* templates, these indicators or sequences allow you more flexibility and customization for your policies and when users are in-scope for a policy. Also, you can define risk management activity thresholds for these triggering indicators for more fine-grained control in a policy.

+- **Microsoft Defender for Cloud Apps indicators (preview)**: These include policy indicators from shared alerts from Defender for Cloud Apps. Automatically enabled anomaly detection in Defender for Cloud Apps immediately starts detecting and collating results, targeting numerous behavioral anomalies across your users and the machines and devices connected to your network. To include these risk management activities in policy alerts, select one or more indicators in this section. To learn more about Defender for Cloud Apps analytics and anomaly detection, see [Get behavioral analytics and anomaly detection](/cloud-app-security/anomaly-detection-policy).

+- **Risk score boosters**: These include raising the risk score for potentially risky activity that is above what is typical or for users with previous cases resolved as a policy violation. Enabling risk score boosters increase risk scores and the likelihood of alerts for these types of activities. For risk management activity that is above what is typical, scores are boosted if the detected potentially risky activity deviates from activities that are considered compliant. For users with previous cases resolved as a policy violation, scores are boosted if a user had more than one case previously resolved as a confirmed policy violation. Risk score boosters can only be selected if one or more indicators are selected.

+You must enable device checking and onboard your endpoints before you can detect insider risk management activities on a device. Both actions are taken in the Microsoft Purview compliance portal.

+When you want to enable devices that haven't been onboarded yet, you need to download the appropriate script and deploy it as outlined below.

+In this deployment scenario, you'll enable devices that haven't been onboarded yet, and you just want to detect insider risk activities on Windows devices.

+6. Follow the appropriate procedures in [Onboarding tools and methods for Windows machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:

+ - Onboard Windows machines using Group Policy

+ - Onboard Windows machines using Mobile Device Management tools

+ - Onboard Windows machines using a local script

+6. Follow the appropriate procedures in [Onboarding tools and methods for Windows machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:

+ - Onboard Windows machines using Group Policy

+ - Onboard Windows machines using Mobile Device Management tools

+ - Onboard Windows machines using a local script

+> This experience is under license enforcement. Without the required license, data will not be visible or accessible.

+When creating a policy using the policy wizard, you can configure how the daily number of risk events should influence the risk score for insider risk alerts. These indicator settings help you control how the number of occurrences of risk events in your organization should affect the risk score, and so the associated alert severity, for these events. If you prefer, you can also choose to keep the default event threshold levels recommended by Microsoft for all enabled indicators.

+

+Another option for policy thresholds is to assign the policy triggering event to risk management activity that is above the typical daily amount of users. Instead of being defined by specific threshold settings, each threshold is dynamically customized for anomalous activities detected for in-scope policy users. If threshold activity for anomalous activities is supported for an individual indicator, you can select **Activity is above user's usual activity for the day** in the policy wizard for that indicator. If this option isn't listed, anomalous activity triggering isn't available for the indicator. If the **Activity is above user's usual activity for the day** option is listed for an indicator, but not selectable, you need to enable this option in **Insider risk settings** > **Policy indicators**.

+Intelligent detection settings help refine how the detections of risky activities are processed for alerts. In certain circumstances, you may need to define file types to ignore, or you want to enforce a detection level for daily events to boost risk scores for users. Use these settings to control file type exclusions, boosting risk score for potentially risky activity, and file volume limits.

+Potentially risky activities detected by insider risk policies are assigned a specific risk score, which in turn determines the alert severity (low, medium, high). By default, we'll generate a certain amount of low, medium, and high severity alerts, but you can increase or decrease the volume to suit your needs. To adjust the volume of alerts for all insider risk management policies, choose one of the following settings:

+Domain settings help you define risk levels for risk management activities to specific domains. These activities include sharing files, sending email messages, downloading, or uploading content. By specifying domains in these settings, you can increase or decrease the risk scoring for risk management activity that takes place with these domains.

+- **Unallowed domains:** By specifying unallowed domains, risk management activity that takes place with these domains will have *higher* risk scores. Some examples are activities involving sharing content with someone (such as sending email to someone with a gmail.com address) and when users download content to a device from one of these unallowed domains.

+- **Allowed domains:** Certain risk management activity related to allowed domains will be ignored by your policies and won't generate alerts. These activities include:

+ By specifying allowed domains in settings, the risk management activity with these domains is treated similarly to how internal organizational activity is treated. For example, domains added here map to activities may involve sharing content with someone outside your organization (such as sending email to someone with a gmail.com address).

+- **Third party domains:** If your organization uses third-party domains for business purposes (such as cloud storage), include them here so you can receive alerts for potentially risky activity related to the device indicator *Use a browser to download content from a third-party site*.

+Configure site URL exclusions to prevent potential risky activities that occur in SharePoint (and SharePoint sites associated with Team channel sites) from generating policy alerts. You might want to consider excluding sites and channels that contain non-sensitive files and data that can be shared with stakeholders or the public. You can enter up to 500 site URL paths to exclude.

+Configure exclusions for keywords that appear in file names, file paths, or email message subject lines. This allows flexibility for organizations that need to reduce potential alert frequency due to flagging of benign terms specified for your organization. Such activities related to files or email subjects containing the keyword will be ignored by your insider risk management policies and won't generate alerts. You can enter up to 500 keywords to exclude.

+> [!IMPORTANT]

+> To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts. Exported alerts will display usernames for each alert.

+

+Instead of being open to review by all analysts and investigators, priority users groups may also need to restrict review activities to specific users or insider risk role groups. You can choose to assign individual users and role groups to review users, alerts, cases, and reports for each priority user group. Priority user groups can have review permissions assigned to the built-in *Insider Risk Management*, *Insider Risk Management Analysts*, and *Insider Risk Management Investigators* role groups, one or more of these role groups, or to a custom selection of users.

+For example, you need to protect against data leaks for a highly confidential project where users have access to sensitive information. You choose to create *Confidential Project* *Users* priority user group for users in your organization that work on this project. Also, this priority user group shouldn't have users, alerts, cases, and reports associated with group visible to all the default insider risk management admins, analysts, and investigators. In **Settings**, you create the *Confidential Project Users* priority users group and assign two users as reviewer that can view data related to the groups. Use the policy wizard and the *Data leaks by priority users* policy template to create a new policy and assign the *Confidential Project Users* priority users group to the policy. Activities examined by the policy for members of the *Confidential Project Users* priority user group are more sensitive to risk and activities by these users will be more likely to generate an alert and have alerts with higher severity levels.

+To create a new priority user group, use the setting controls in the **Insider risk management** solution in the Microsoft Purview compliance portal. To create a priority user group, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admin* role group.

+To delete an existing priority user group, use setting controls in the **Insider risk management** solution in the Microsoft Purview compliance portal. To delete a priority user group, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admin* role group.

+ b) To add a list of physical asset IDs from a .csv file, choose **Import priority physical assets**. From the file explorer dialog, select the CSV file you wish to import, then select **Open**. The physical asset IDs from the CSV files are added to the list.

+Analytics scans for risk management activity from several sources to help identify insights into potential areas of risk. Depending on your current configuration, analytics looks for qualifying risk activities in the following areas:

+Analytics insights from scans are based on the same risk management activity signals used by insider risk management policies and report results based on both single and sequence user activities. However, the risk scoring for analytics is based on up to 10 days of activity while insider risk policies use daily activity for insights. When you first enable and run analytics in your organization, you'll see the scan results for one day. If you leave analytics enabled, you'll see the results of each daily scan added to the insight reports for a maximum range of the previous 10 days of activity.

+

+After the first analytics scan is complete for your organization, members of the *Insider Risk Management Admin* role group will automatically receive an email notification and can view the initial insights and recommendations for potentially risky activities by your users. Daily scans continue unless you turn off analytics for your organization. Email notifications to admins are provided for each of the three in-scope categories for analytics (data leaks, theft, and exfiltration) after the first instance of potentially risky activity in your organization. Email notifications aren't sent to admins for follow-up risk management activity detection resulting from the daily scans. If analytics in **Insider risk management** > **Settings** > **Analytics** are disabled and then re-enabled in your organization, automatic email notifications are reset and emails are sent to members of the *Insider Risk Management Admin* role group for new scanning insights.

+

+For completed analyses, you'll see the potential risks discovered in your organization and insights and recommendations to address these risks. Identified risks and specific insights are included in reports grouped by area, the total number of users with identified risks, the percentage of these users with potentially risky activities, and a recommended insider risk policy to help mitigate these risks. The reports include:

+- **Data leaks insights**: For all users that may include accidental oversharing of information outside your organization or data leaks by users with malicious intent.

+- **Data theft insights**: For departing users or users with deleted Azure Active Directory accounts that may include risky sharing of information outside your organization or data theft by users with malicious intent.

+- **Top exfiltration insights**: For all users that may include sharing data outside of your organization.

+Inline alert customization allows you to quickly tune an insider risk management policy directly from the **Alert dashboard** while reviewing the alert. Alerts are generated when a risk management activity meets the thresholds configured in the related policy. To reduce the number of alerts you get from this type of activity, you can change the thresholds or remove the risk management activity from the policy altogether.

+When enabled, analysts and investigators can select **Reduce alerts for this activity** for an alert on the **Alert dashboard** and can view details about the risk management activity and indicators associated with the alert. Additionally, the current policy thresholds are displayed for the number of events used to create low, medium, and high severity alerts. If **Reduce alerts for this activity** is selected and a previous policy edit has been made that changes the threshold or has removed the associated indicator, you'll see a notification message detailing previous changes to the policy.

+- **Stop getting alerts for this activity**: This removes this indicator from the policy and this risk management activity will no longer be detected by the policy. This applies to all indicators, regardless of if the indicator is threshold-based.

+> [!IMPORTANT]

+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

+Employees now have more access to create, manage, and share data across a broad spectrum of platforms and services. In most cases, organizations have limited resources and tools to identify and mitigate organization-wide risks while also meeting compliance requirements and employee privacy standards. These risks include potential data theft by departing employees and risk of data leaks of information outside your organization by accidental oversharing or malicious intent.

+Microsoft Purview Insider Risk Management uses the full breadth of service and 3rd-party indicators to help you quickly identify, triage, and act on potentially risky activity. By using logs from Microsoft 365 and Microsoft Graph, insider risk management allows you to define specific policies to identify risk indicators. After identifying the risks, you can take action to mitigate these risks, and if necessary open investigation cases and take appropriate legal action.

+

+> [!IMPORTANT]

+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

+- **Users**: Username for a user. This field is anonymized if the global anonymization setting for insider risk management is enabled.

+- **Risk level**: Current calculated risk level of the user. This score is calculated every 24 hours and uses the alert risk scores from all active alerts associated to the user. For users with only triggering indicators, the risk level is zero.

+- **Active alerts**: Number of active alerts for all policies.

+- **Confirmed violations**: Number of cases resolved as *confirmed policy violation* for the user.

+- **Case**: Current active case for the user.

+To quickly locate a specific user, use **Search** at the top right of the Users dashboard. When searching for users, you must use the user principal name (UPN). For example, when searching for a user named 'Tiara Hidayah' that has a UPN of 'thidayah' in your organization, you would enter 'thidayah' or some part of the UPN in **Search**.

+

+ - **Name and title**: Name and position title for the user from Azure Active Directory. These user fields will be anonymized or empty if the global anonymization setting for insider risk management is enabled.

+ - **User email**: Email address for the user.

+ - **Alias**: Network alias for the user.

+ - **Organization or department**: Organization or department for the user.

+ - **History of recent user activity**: Lists both triggering indicators and insider risk indicators for risk activities up to the last 90 days. All risk activities pertinent to insider risk indicators are also scored, though the activities may or may not have generated an insider risk alert. Triggering indicator examples may be a resignation date or the last scheduled date of work for the user. Insider risk indicators are activities determined to have an element of risk, which may potentially lead to a security incident, and are defined in policies that the user is included in. Event and risk activities are listed with the most recent item listed first.

+There may be scenarios where you need to stop assigning risk scores to users in insider risk management policies. Use **Remove users** on the **Users dashboard** page to stop assigning risk scores for one or more users from all insider risk management policies that they are currently in-scope for. This action does not remove users from the overall policy assignment (when you add users or groups to a policy configuration), but simply removes the users from active processing by policies after current triggering events. If the users have another triggering event in the future, risk scores from policies will automatically begin to be assigned to the users again. Any existing alerts or cases for this user will not be removed.

+> Removing a user from a policy may take several minutes to complete. Once complete, the user no longer is listed on the Users page. If the removed user has active alerts or cases, then the user will remain on the Users page and the details for the user will show that they are no longer in-scope for a policy.

+Using recommended Power Automate flows, risk investigators and analysts can quickly take action to notify users when they're added to an insider risk policy.

+To run, manage, and create Power Automate flows for insider risk management users:

+For more information and an overview of the planning process to address potentially risky activities in your organization that may lead to a security incident, see [Starting an insider risk management program](https://download.microsoft.com/download/b/2/0/b208282a-2482-4986-ba07-15a9b9286df0/pwc-starting-an-insider-risk-management-program-with-pwc-and-microsoft.pdf).

+Managing and minimizing risk in your organization starts with understanding the types of risks found in the modern workplace. Some risks are driven by external events and factors that are outside of direct control. Other risks are driven by internal events and user actions that can be minimized and avoided. Some examples are risks from illegal, inappropriate, unauthorized, or unethical behavior and actions by users in your organization. These behaviors include a broad range of internal risks from users:

+Quickly investigate all risk activities for a selected user with [User activity reports (preview)](insider-risk-management-activities.md#user-activity-reports). These reports allow investigators in your organization to examine activities for specific users for a defined time period without having to assign them temporarily or explicitly to an insider risk management policy. After examining activities for a user, investigators can dismiss individual activities as benign, share or email a link to the report with other investigators, or choose to assign the user temporarily or explicitly to an insider risk management policy.

+- **User activity**: User risk activity is automatically displayed in an interactive chart that plots activities over time and by risk level for current or past risk activities. Reviewers can quickly filter and view the entire risk history for the user and drill into specific activities for more details.

+Users typically have a large degree of control when managing their devices in the modern workplace. This control may include permissions to install or uninstall applications needed in the performance of their duties or the ability to temporarily disable device security features. Whether this risk activity is inadvertent, accidental, or malicious, this conduct can pose risk to your organization and is important to identify and act to minimize. To help identify these risky security activities, the following insider risk management security policy violation templates scores security risk indicators and uses Microsoft Defender for Endpoint alerts to provide insights for security-related activities:

+Employment stressor events can impact user behavior in several ways that relate to insider risks. These stressors may be a poor performance review, a position demotion, or the user being placement on a performance review plan. Stressors may also result in potentially inappropriate behavior such as users sending potentially threatening, harassing, or discriminatory language in email and other messages. Though most users don't respond maliciously to these events, the stress of these actions may result in some users to behave in ways they may not normally consider during normal circumstances. To help identify these types of potentially risky activities, the following insider risk management policy templates can use the HR connector and/or integration with a [dedicated communication compliance policy](/microsoft-365/compliance/communication-compliance-policies#integration-with-insider-risk-management-preview) to bring users into scope for insider risk management policies and start scoring risk indicators relating to behaviors that may occur:

+Insider risks are one of the top concerns of security and compliance professionals in the modern workplace. Industry studies have shown that insider risks are often associated with risky activities. Protecting your organization against these risks can be challenging to identify and difficult to mitigate. Insider risks include vulnerabilities in a variety of areas and can cause major problems for your organization, ranging from the loss of intellectual property to confidential data, and more. The following figure outlines common insider risks:

+[Microsoft Purview Communication Compliance](communication-compliance.md) helps minimize communication risks by helping you detect, capture, and act on potentially inappropriate messages in your organization.

+[Microsoft Purview Insider Risk Management](insider-risk-management.md) helps minimize internal risks by enabling you to detect, investigate, and act on potentially malicious and inadvertent activities in your organization.

+> Retention policies support [shared channels](/MicrosoftTeams/shared-channels). Any shared channels inherit retention settings from the parent team.

+|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.49+ | Under review | Under review | Under review |

+- For encrypted documents in Office for the web, [screen captures aren't prevented](/azure/information-protection/faqs-rms#can-rights-management-prevent-screen-captures). Until recently, copying to the clipboard also wasn't prevented for these documents. Now rolling out, when documents are labeled and encrypted, and the **Copy** [usage right](/azure/information-protection/configure-usage-rights) isn't granted, Office on the web prevents copying to clipboard in the same way as desktop apps prevent this action. There are currently some exceptions for relabeling scenarios until the browser is refreshed, another session is started, or the document is opened again:

+ - Mid-session, the document changes from unencrypted to encrypted.

+ - Mid-session, the document changes from encrypted and the Copy usage right is granted, to encrypted but the Copy usage right is not granted.

+### Data lifecycle management and records management

+- **General availability (GA)**: [Relabeling at the end of the retention period](retention-settings.md#relabeling-at-the-end-of-the-retention-period).

+- **General availability (GA)**: [Starting a record unlocked](declare-records.md#configuring-retention-labels-to-declare-records).

+- **General availability (GA)**: Users can now apply published retention labels to files [directly in Teams](create-apply-retention-labels.md#applying-retention-labels-using-microsoft-365-groups).

+- New retention support statements: Retention policies for Teams supports the [chat with myself](https://support.microsoft.com/office/start-a-chat-in-teams-0c71b32b-c050-4930-a887-5afbe742b3d8?storagetype=live#bkmk_chatwithself) feature and [video clips](https://support.microsoft.com/office/record-a-video-clip-in-teams-0c57dae5-2974-4214-9c46-7a2136386f1c), and retention policies for Yammer support [storyline posts](https://support.microsoft.com/office/overview-of-storyline-for-yammer-and-viva-engage-530e4e66-9f1c-4be1-b371-08ea40dc4b69).

+- Improved in-product experience if retention policies have errors: You'll now see a detailed description of the error in the details pane, with in-product actions to take that can resolve the problem. For example, remove invalid locations and resynchronize the policy.

+### Microsoft Priva

+- **In preview**: [Data transfer policies](/privacy/priva/risk-management-policy-data-transfer) in Privacy Risk Management now offers additional flexible boundary conditions: detecting transfers based on users' Azure Active Directory attributes, transfers between users in different Microsoft 365 groups, and transfers between SharePoint sites.

+### On-premises scanner

+- **In preview**: The Azure Information Protection (AIP) on-premises scanner is being renamed **Microsoft Purview Information Protection scanner** and [configuration is moving to the Microsoft Purview compliance portal](/information-protection/deploy-aip-scanner-configure-install).

+### Sensitivity labels

+- Call to action: [Migration guidance](sensitivity-labels-aip.md) to help you move from the AIP add-in for Office apps, with a [migration playbook](https://microsoft.github.io/ComplianceCxE/playbooks/AIP2MIPPlaybook) from our Customer Experience Engineering (CxE) team

+- **General availability (GA)**: Authentication contexts for label [groups and site settings](sensitivity-labels-teams-groups-sites.md#how-to-configure-groups-and-site-settings) that work with Azure AD Conditional Access policies to enforce more stringent access conditions to a site.

+- **General availability (GA)**: [Site sharing permissions by using PowerShell](sensitivity-labels-teams-groups-sites.md#configure-site-sharing-permissions-by-using-powershell-advanced-settings).

+- **Rolling out**: [Preventing copy to clipboard is honored for labeled and encrypted files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md#limitations), with some exceptions for relabeling scenarios.

+- **In preview**: The AIP add-in for Office apps is [disabled by default](sensitivity-labels-aip.md#how-to-disable-the-aip-add-in-to-use-built-in-labeling-for-office-apps) and requires a new setting to override this default.

+- Support statement: [Files types supported for SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md#supported-file-types), after enabling sensitivity labels for these services.

+- New [prerequisite for co-authoring](sensitivity-labels-coauthoring.md#prerequisites) and the Azure Information Protection unified labeling client and scanner: It's not supported to use Double Key Encryption in the same tenant as the co-authoring feature.

+

+### Compliance Manager

+- [Compliance Manager templates list](/microsoft-365/compliance/compliance-manager-templates-list): New template added for Australian Information Security Registered Assessor Program (IRAP) with ISM Version 3.5 - Official).

+> Exchange Online automatically relocates the user's mailbox if the PDL changes and the MailboxRegion no longer matches the Mailbox Database Geo Location code. For more information, see [Administering Exchange Online mailboxes in a multi-geo environment](./administering-exchange-online-multi-geo.md).

+ > The rule ID should not have any leading or trailing spaces.

+The display name of this service is _Connected User Experiences and Telemetry_.

+If you're using the Microsoft Monitoring Agent (MMA) on Windows devices, it's important to keep this agent updated. For Windows Server 2012 R2 and Windows Server 2016, Microsoft recommends upgrading to the new, unified agent for Defender for Endpoint. This article describes how to:

+- **[Update the MMA on your devices](#update-mma-on-your-devices)** (for devices running Windows 7 SP1 Enterprise, Windows 7 SP1 Pro, Windows 8.1 Pro, Windows 8.1 Enterprise, and Windows Server 2008 R2 SP1).

+- **[Upgrade to the new, unified agent for Defender for Endpoint](#upgrade-to-the-new-unified-agent-for-defender-for-endpoint)** (for devices running Windows Server 2012 R2 and Windows Server 2016).

+## Update MMA on your devices

+## Upgrade to the new, unified agent for Defender for Endpoint

+> Devices running Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 that haven't been upgraded to the [new, unified solution](application-deployment-via-mecm.md) will remain dependent on MMA. In such cases, [AMA](/azure/azure-monitor/agents/agents-overview) cannot be used as a substitute for Defender for Endpoint.

+## See also

+- [Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint](switch-to-mde-overview.md)

+- [Microsoft Defender for Endpoint deployment overview](deployment-phases.md)

+- [Onboard to the Microsoft Defender for Endpoint service](onboarding.md)

+Apart from these, Microsoft 365 Defender works closely with Azure Active Directory Identity Protection, App Governance, and Microsoft Data Loss Prevention to provide integrated protection against sophisticated attacks.

+> Microsoft treats your feedback as your organization's permission for us to analyze all of the previously described information to fine tune the message hygiene algorithms. We hold your message in our secure audited datacenters in the USA. The submission is deleted as soon as it's no longer required. Microsoft personnel might read your submitted messages and attachments, which is normally not permitted for email in Microsoft 365. However, your email is still treated as confidential between you and Microsoft, and we will not provide your email or attachments to any other party as part of the review process.

+ >

+ > Using another service to wrap links before Defender for Office 365 might invalidate the ability of Safe Links to process links, including wrapping, detonating, or otherwise validating the "maliciousness" of the link.