Many organizations of different sizes and industries use Office 365 and this number is constantly growing. Office 365 and SharePoint online are a huge success for Microsoft especially in a professional environment, however, enterprises have specific requirements when it comes to governance and auditing that needs to be addressed by Microsoft.
One of these specific requirements is the Supervision feature which is available in SharePoint online. With Supervision, companies can audit inbound and outbound communications and check if the communication is compliant with governance policies.
Let's have a look on how to configure Supervision policies and how they work.
To be able to create a new Supervision policy, an admin (Supervisory Review Administrator role) needs to navigate to the Office 365 admin center and click on "Security & Compliance". In the "Data Governance" section, click on "Supervision" to get to the landing page. On the Landing page, existing policies will be shown, new policies can be created, and existing policies can be updated.
Let's continue with creating a new Supervision policy which is a multi-stage process. In the first step, I need to provide a name and a description for the new policy.
In the next step, I need to provide the account I want to audit. This can be a single user or a group of users. In my example, I will use a single user. If you chose a group to supervise, you could explicitly exclude group members from being supervised.
In the third step of this process, you can specify what kind of communication should be supervised (options are: inbound, outbound or internal) and you can specify conditions that act as a filter.
In my basic example, I want to supervise inbound and outbound communication that contains the word "Softlanding". I click on "Add a condition" and choose "Message contains any of these words".
In the fourth step, I can define the percentage of communications that should be reviewed. In my basic example, I will change the value to 100%, but in a professional environment, the percentage will be most likely between 5% and 10% (or even less than 5%).
In the last step of this process, I need to specify the reviewers. In my example, I'm using a single user account as a reviewer, but in a professional environment it makes sense to specify a group of users as reviewers.
At the end of this process, a summary of the new policy is shown. This summary allows you to go back to a specific step and change the settings.
After clicking on Finish, the new policy will show up on the landing page, and it will be in effect almost immediately.
Let's see how SharePoint Supervision is working.
In my example, I will send an email from my Softlanding account to the account in my demo tenant who is now being supervised. This email will contain the word "Softlanding" to ensure, that the new policy gets triggered. The email will be sent to the mailbox of the demo user as a regular email. The addressee will not get any kind of notification that this email is about to be supervised. The supervision process is totally transparent to any user being supervised.
To be able to review an email, the reviewer needs to navigate to the Outlook web application. Supervision support for Outlook 2016 will be available soon.
The Outlook web application of each reviewer will get an additional section which shows up in the left navigation pane of the Outlook web application.
This new section (which technically is a link to an additional mailbox) shows the name of the Supervision Policy (in my example I named the policy "Demo"). In the above screenshot, you can see that there is one email waiting to be reviewed. In fact, this is the email I just sent from my Softlanding account to the demo user.
A closer look at the email shows that there is an additional section called "Supervisory Review". I marked this section in red in the above screen shot. This section is only visible to the reviewers.
A click on this new section shows the options that reviewers have to categorize this email.
Reviewers can categorize this email, and they even can add a comment to this email. A classification can be changed at any time. Changes to the classification will be maintained in a History that can be looked at by clicking on "History" just below "Classification" on the left (blue) navigation bar.
With Supervision, enterprises can review the communication between internal accounts or between internal accounts and external accounts. This can be helpful during a training phase or to improve the support quality of a service team. Supervision is transparent to regular users and does not effect sending or receiving emails in any way, which stops Supervision from being a security feature.