8. Supervision

_______________________________

In This Chapter

Introduction

Getting Started

  • Remove Cmdlets
  • Set Cmdlets

Supervision Reporting

Viewing Supervised Emails

  • Security and Compliance Center
  • Outlook Configuration

_______________________________

   

Introduction

Supervision is an option that Microsoft provides so that corporations can monitor an employee’s activities on communications platforms like Exchange Online and Teams. Some scenarios that are recognized as targets for these cmdlets are Corporate Policies, Risk Management and Regulatory Compliance. With Supervision, a user with an account in the SCC (Hybrid or O365 native user) can be monitored with these features.

Communications that trigger a Supervision Policy/Rule pair are copied to a mailbox where a supervisor can review the contents. These emails can be reviewed in OWA, Outlook and the Security and Compliance Center. One critical control is Sampling Rate which determines the percentage of emails that are pulled for supervision purposes.

Supervision in the Security and Compliance Center is comprised of these parts:

Supervision Policy - Defines the reviewer, policy name and other options.

Supervision Rule - Defines reviewers and other conditions that will trigger Supervision.

Supervised Users - Users that are being monitored by the Supervision features and who have their emails copied to reviewer mailboxes for review of their content.

Reviewers - Users who receive emails from Supervised Users and who will review email content for violations.

Groups for users - Defines a group of users to be supervised.

Sensitive Information Types - Optional, can be used for a condition to trigger Supervision.

Custom Keyword Dictionaries - Same as Sensitive Information Types, also used as a conditional trigger.

Offensive Language - Optional, can be used as a condition for triggering Supervision.

PowerShell

With almost any feature in the Security and Compliance Center, we have a set of PowerShell cmdlets that will allow us to manage that feature. Let’s see what cmdlets we have for this feature:

Get-Command *SuperV*

This provides us a list of all the Supervisory cmdlets:

Get-SupervisoryReviewActivity

Get-SupervisoryReviewOverallProgressReport

Get-SupervisoryReviewPolicyReport

Get-SupervisoryReviewPolicyV2

Get-SupervisoryReviewReport

Get-SupervisoryReviewRule

Get-SupervisoryReviewTopCasesReport

New-SupervisoryReviewPolicyV2

New-SupervisoryReviewRule

Remove-SupervisoryReviewPolicyV2

Set-SupervisoryReviewPolicyV2

Set-SupervisoryReviewRule

Getting Started

First, let’s make sure that our tenant has zero activity, assuming we’ve not configured any Supervision components yet. If we run each of the ‘Get’ PowerShell cmdlets from the above list, we should not see any results or activity. This is indeed the case. Now, like other components in Office 365, we need to create a Policy first and then use this in a Rule. Our first PowerShell cmdlet to use in creating Supervisory Review Policies is New-SupervisoryReviewPolicyV2.

** Note ** A V2 cmdlet is simply the latest iteration of a cmdlet. Typically only one version of the cmdlet is available at any one time. If, however, we see both a regular and a V2 version of a cmdlet, the advice is to use the V2 version because it will eventually be the one to use. A cautionary note should be made as well: other cmdlets have had this occur and then the V2 cmdlet name disappeared. Assuming this just means that the V2 one was renamed and the old cmdlet was removed, it could cause issues with a script. So if a script fails due to a cmdlet name not being found, check the current status of the cmdlets/naming.

With a new Supervisory Review Policy, we can set a policy’s Name, Reviewers and Comments. We can set up a couple of sample Supervisory Policies - one for the Legal department and one for the HR department.

With this Supervisory Policy, we will have two reviewers:

New-SupervisoryReviewPolicyV2 -Name ‘Legal eMail Review Policy’ -Reviewers [email protected],[email protected] -Comment ‘Review email from Legal department’

For the HR Supervisory Policy, we will have one reviewer:

New-SupervisoryReviewPolicyV2 -Name 'HR Mail Review Policy' -Reviewers [email protected] -Comment 'Review email from HR department'

After we created the two policies, we can verify they are created with the Get-SupervisoryReviewPolicyV2 cmdlet:

Notice that the two policies show as Activating. We might be able to deduce that it’s because we do not have a Supervisory Rule:

Notice that there is a mailbox that was created for the review process as well:

Once we have the Supervisory Policy in place, we can create a Supervisory Rule to complete Supervision:

Some sample parameters

Name - Name of the Supervision Rule

Policy - Which policy is affected by this rule

Condition - What triggers the rule to copy a message to the Supervision mailbox

SamplingRate - Percent of email to review up to 100%

Other parameters (no help?)

ContentSources - Option that shows in the cmdlet, but no help is available

ContentContainsSensitiveInformation - No help available for this option

ContentMatchesDataModel - No help available for this option

CcsiDataModelOperator - No help available for this option

Of the parameters, it appears that the Condition one is the most complicated. This is where a Rule is made, so we need to understand what is possible and if a Rule needs to be complicated:

Let’s try a couple of scenarios to see what it would take to create the proper conditions.

Scenario One - Legal Department

Review all messages from users in the Legal Department for Practical PowerShell Press that are outbound to external users, contain the words ‘Legal Document’ and have an attachment over 50Kb in size. Below are the criteria we will use:

(Reviewee:legal@practicalpowershell.com)

(Legal Document)

(AttachmentSize:50Kb)

(Direction:Outbound)

With these parameters, we can come up with a one-liner to create the respective Supervisory Rule:

New-SupervisoryReviewRule -Name 'Legal Review Rule' -Policy 'Legal eMail Review Policy' -SamplingRate 50 -Condition {(Reviewee:[email protected]) -AND (Legal Document) -AND (AttachmentSize:50Kb) -AND (Direction:Outbound)}

Scenario Two - HR Department

For this next scenario, we need to check for documents sent from HR to any other users in the organization that contain the words ‘Employee Review’:

(Reviewee:[email protected])

(Employee Review)

(Direction:Internal)

Again, with the right criteria we can create a rule to handle this configuration:

New-SupervisoryReviewRule -Name 'HR Review Rule' -Policy 'HR Mail Review Policy' -SamplingRate 75 -Condition {(Reviewee:[email protected]) -AND (Employee Review) -AND (Direction:Internal)}

Verifying Rules and Policies

Once we have our policies in place, we can verify their creation with a Get cmdlet, like so:

Get-SupervisoryReviewPolicyV2 | Ft -Auto

Get-SupervisoryReviewRule | Ft -Auto
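
The Policy-then-Rule sequence above, combined with the earlier note about V2 cmdlet names, can be wrapped in one repeatable function. This is an added example, not code from the book: the function names, the reviewer addresses and the unversioned fallback cmdlet name are assumptions, and the condition is passed as a string rather than in braces.

```powershell
# Added example; run in a Security & Compliance PowerShell session.
function Resolve-PolicyCmdlet {
    param([Parameter(Mandatory)][ValidateSet('Get','New')][string]$Verb)
    # Prefer the V2 name; fall back to the unversioned name (assumed rename target).
    foreach ($name in "$Verb-SupervisoryReviewPolicyV2", "$Verb-SupervisoryReviewPolicy") {
        if (Get-Command -Name $name -ErrorAction SilentlyContinue) { return $name }
    }
    throw "No $Verb-SupervisoryReviewPolicy cmdlet found; check the current cmdlet naming."
}

function New-SupervisionPair {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][string[]]$Reviewers,
        [Parameter(Mandatory)][string]$Reviewee,
        [string[]]$Clauses = @(),                 # e.g. 'Legal Document', 'Direction:Outbound'
        [ValidateRange(1, 100)][int]$SamplingRate = 100,
        [string]$Comment
    )
    # A rule always needs a Reviewee clause; the other clauses are joined with -AND.
    $condition = (@("(Reviewee:$Reviewee)") + @($Clauses | ForEach-Object { "($_)" })) -join ' -AND '

    $get = Resolve-PolicyCmdlet -Verb Get
    $new = Resolve-PolicyCmdlet -Verb New

    # Create the Policy first, and only if it is not already present.
    if (-not (& $get | Where-Object Name -eq $PolicyName)) {
        $policyArgs = @{ Name = $PolicyName; Reviewers = $Reviewers }
        if ($Comment) { $policyArgs.Comment = $Comment }
        if ($PSCmdlet.ShouldProcess($PolicyName, 'Create Supervisory Review Policy')) {
            & $new @policyArgs | Out-Null
        }
    }
    # Then create the Rule that points at the Policy.
    if (-not (Get-SupervisoryReviewRule | Where-Object Name -eq $RuleName)) {
        if ($PSCmdlet.ShouldProcess($RuleName, "Create rule: $condition")) {
            New-SupervisoryReviewRule -Name $RuleName -Policy $PolicyName `
                -SamplingRate $SamplingRate -Condition $condition | Out-Null
        }
    }
    [pscustomobject]@{ Policy = $PolicyName; Rule = $RuleName; Condition = $condition }
}

# Scenario One from this chapter; reviewer addresses are constructed placeholders.
New-SupervisionPair -PolicyName 'Legal eMail Review Policy' -RuleName 'Legal Review Rule' `
    -Reviewers 'reviewer1@example.com', 'reviewer2@example.com' `
    -Reviewee 'legal@practicalpowershell.com' -SamplingRate 50 `
    -Clauses 'Legal Document', 'AttachmentSize:50Kb', 'Direction:Outbound' -WhatIf
```

With -WhatIf the function only reports what it would create and returns the assembled condition; drop the switch to create the pair.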

Remove Cmdlets

Now what if we need to remove a Rule or Policy? Well, we do NOT have a way to directly remove a Supervisory Review Rule. We would need to remove the corresponding Supervisory Review Policy. This makes some sense as the two are interlinked. Removing a Policy is as simple as specifying its name with the Remove-SupervisoryReviewPolicyV2 cmdlet. Interestingly, what is the mailbox that is specified:

What about the mailbox listed above in the creation process or in the details of the Policy in the SCC? Would we see this mailbox with PowerShell? No. Neither Exchange nor the SCC shows these mailboxes. So it must be a special hidden system mailbox. Later we will see how it can be accessed.

Now, once the Policy is removed, so is the Rule. There is no other way to remove a Rule. Trying to re-add a Policy might error out: (Sync? Waiting for?)

Set Cmdlets

If we want to change any Supervisory Review settings, we have a couple of Set cmdlets available to use:

Set-SupervisoryReviewPolicyV2

Set-SupervisoryReviewRule

Now, with each of these we can see available options with Ctrl-Space or Get-Help -Full for the cmdlet. Let’s start off with asking ‘What can we modify for a Supervisory Review Policy?’:

Add Reviewers, Replace Reviewers, how long messages are retained for review, change the comment

All of these options are quite useful. If people leave a position or the company, using the ‘AddReviewers’ or ‘Reviewers’ parameters will allow us to swap out or add to the list as needed. Changing the retention time for these messages might match up with any current legal requirements or company Policy for review. Lastly, changing the comment may be needed in case the Rule or reviewers change.

For the Set-SupervisoryReviewRule we have fewer options to change - Conditions and SamplingRate. Each of these changes will replace the current value. So if we have a Rule that has an 80% Sampling Rate and we need to pull this back a bit to 50%, we just need the name of the Rule and we can run this:

Set-SupervisoryReviewRule -Identity 'Rule to be modified' -SamplingRate 50

If conditions need to be changed, a new set of conditions, including a required Reviewee, would need to be constructed before running the cmdlet. In the below example, we take an existing rule and remove the requirement for a pair of words and instead scan all internal emails:

Set-SupervisoryReviewRule -Identity 'HR Review Rule' -Condition {(Reviewee:[email protected]) -AND (Direction:Internal)}

No feedback, but we could check the settings with the Get-SupervisoryReviewRule cmdlet.

Supervision Reporting

After you have your tenant configured for Supervision, we have access to some PowerShell cmdlets to help with reporting activity and overall progress for Supervision emails. Below is a sample of the cmdlets as well as what they would be used for:

Get-SupervisoryReviewActivity

Currently this cmdlet does not work and throws Dr. Watson errors.

Get-SupervisoryReviewOverallProgressReport

This cmdlet produces this output:

Get-SupervisoryReviewPolicyReport

Get-SupervisoryReviewReport

Get-SupervisoryReviewTopCasesReport

No examples in Get-Help for the cmdlet

Viewing Supervised Emails

After we have configured Supervisory Security, Policies and Rules, and after we’ve tested to make sure Supervision is working as expected, we have a couple of options for viewing messages that are in Supervision. First we have the Security and Compliance Center, which will work for some administrators. However, there will be others who may not want to use that as part of their workflow and may feel more comfortable using Outlook instead. For both of these users, we have a way to make that happen.

Security and Compliance Center

We can now open the SCC to see any emails that may be held by the new policies:

Example 1 (HR)

Example 2 (Legal)

Outlook Configuration

Now, instead of using the Security and Compliance Center, we can use an old familiar client - Outlook. In order to configure this, we will need some prerequisite information:

(1) Email address for the Supervisory mailbox. This can be found using PowerShell or the Security and Compliance Center. Here is an example using PowerShell:

(2) Configure the Supervision Mailbox for Outlook access: (code sample below uses previous examples as reference):

Add-MailboxPermission 'SupervisoryReview{d7d59863-979b-4cc2-932d-fb2cf24e18f8}@tenant.onmicrosoft.com' -User [email protected] -AccessRights FullAccess

Set-Mailbox 'SupervisoryReview{d7d59863-979b-4cc2-932d-fb2cf24e18f8}@tenant.onmicrosoft.com' -HiddenFromAddressListsEnabled $false

(3) Open the mailbox with Outlook or OWA:

Now when emails arrive, the reviewer will be able to see emails in the above folders.
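
Because step (2) grants FullAccess to a mailbox that holds copies of supervised communications, it is worth checking periodically that only the intended reviewers hold that right. The following is an added example, not code from the book: the function name and reviewer addresses are assumptions, and it assumes Get-MailboxPermission can address the Supervisory mailbox the same way Add-MailboxPermission does above.

```powershell
# Added example; run in an Exchange Online PowerShell session.
function Test-SupervisoryMailboxAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ReviewMailbox,       # SupervisoryReview{...} address
        [Parameter(Mandatory)][string[]]$ApprovedReviewers  # accounts allowed to open it
    )
    # Explicit (non-inherited) allow entries that include FullAccess.
    $holders = @(Get-MailboxPermission -Identity $ReviewMailbox |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\*'
        } | ForEach-Object { "$($_.User)".ToLowerInvariant() })

    $approved = @($ApprovedReviewers | ForEach-Object { $_.ToLowerInvariant() })
    $all      = ($holders + $approved) | Sort-Object -Unique

    foreach ($user in $all) {
        $hasAccess  = $holders  -contains $user
        $isApproved = $approved -contains $user
        if ($hasAccess -and $isApproved) { $status = 'Approved' }
        elseif ($hasAccess)              { $status = 'Unexpected FullAccess' }
        else                             { $status = 'Approved but no access' }
        [pscustomobject]@{ User = $user; Status = $status }
    }
}

# Mailbox address taken from step (2); reviewer addresses are constructed placeholders.
Test-SupervisoryMailboxAccess `
    -ReviewMailbox 'SupervisoryReview{d7d59863-979b-4cc2-932d-fb2cf24e18f8}@tenant.onmicrosoft.com' `
    -ApprovedReviewers 'reviewer1@example.com', 'reviewer2@example.com' |
    Where-Object Status -ne 'Approved' | Format-Table -AutoSize
```

Any row reported as 'Unexpected FullAccess' is an account that can read supervised mail without being on the approved reviewer list.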

One caveat from Microsoft:

Emails subject to defined policies are processed in near real-time and can be tested immediately after the policy is configured. Chats in Microsoft Teams can take up to 24 hours to fully process in a policy.

New Update 2020

Supervision will be moving from the Security and Compliance Center where it resides today (https://protection.office.com) to the Compliance Center (https://compliance.microsoft.com). A re-branding/renaming will also occur with the name changing to Communication Compliance. In order to access this new section, you also need to have the appropriate permissions:

More information on these changes can be found here:

https://docs.microsoft.com/microsoft-365/compliance/supervision-policies

https://docs.microsoft.com/microsoft-365/compliance/communication-compliance
