Create communication compliance policies
Before reviewers can investigate communications, policies must define what to look for. Communication compliance policies in Microsoft Purview determine which messages are reviewed, who reviews them, and what conditions trigger alerts. These policies help detect issues like offensive language, regulatory violations, sensitive data leaks, or misuse of generative AI.
Start with a template or create a custom policy
To create a communication compliance policy, go to the Communication compliance solution in the Microsoft Purview portal and select Policies.
You can either start from scratch or use a built-in template. Templates preconfigure policy settings to address specific use cases. The following table outlines some of the available templates and what they focus on detecting:
| Category | Policy template | Detection focus |
|---|---|---|
| Copilot | Detect Copilot interactions | Prompt Shields, Protected material |
| Inappropriate content | Detect inappropriate text or images | Hate, sexual, violence, discrimination |
| Sensitive data | Detect sensitive info types | Credit cards, health data, custom sensitive information types (SITs) |
| Regulatory compliance | Detect regulatory violations | Stock manipulation, collusion, customer complaints |
| Conflict of interest | Detect internal risk | Communications within scoped users only |
Templates automatically configure locations, communication directions, and detection signals. You still need to choose reviewers, define the policy scope, and customize other settings if needed.
Create a communication compliance policy
You can create a policy from a template or create a custom policy. Both options use the same wizard, which guides you through each step.
Create a policy from a template
1. Sign in to the Microsoft Purview portal.
2. Go to Solutions > Communication compliance > Policies.
3. Select Create policy, then choose a policy template.
4. A flyout opens with fields based on the template:
   - Confirm or rename the policy name.
   - Select users or groups in scope.
   - Select one or more reviewers.
   - Complete any other required fields specific to the template.
5. Select Create policy to use the default template settings, or select Customize policy to review and modify advanced options before finalizing the policy.
Once created, the policy begins evaluating communications based on the configured conditions and reviewers are notified of their assignment.
Create a custom policy
Custom policies give you full control over scope, content detection, and review settings.
To create a custom policy:
1. In Microsoft Purview, select Solutions > Communication compliance > Policies.
2. Select Create policy, then select Custom policy.
3. On the Name and describe your policy page, name the policy and optionally provide a description.
4. On the Choose users and reviewers page:
   - Apply the policy to all users, selected users, or adaptive scopes.
   - Choose reviewers with Exchange Online mailboxes and appropriate permissions.
5. On the Choose locations to detect communications page, select which locations and communication directions to include, such as Exchange, Teams, Viva Engage, or Microsoft 365 Copilot content.
6. On the Choose conditions and review percentage page:
   - Choose the communication direction: inbound, outbound, internal, or any combination.
   - Define policy criteria using the condition builder. Conditions can include classifiers, sensitive info types, keywords, domains, or message properties.
   - Select a review percentage to limit how much content is flagged for review.
   - Enable OCR to detect printed or handwritten text in images (optional).
   - Leave Filter email blasts selected to reduce false positives from bulk messages.
7. Review your settings and select Create policy.
Policies begin scanning content about an hour after creation. If the policy matches content based on your defined conditions, alerts are generated to the assigned reviewers.
Adjust policy behavior and thresholds
When configuring or editing a policy, you can set parameters that define how it works:
- Users: Scope policies to all users, selected users, or adaptive scopes.
- Direction: Inspect inbound, outbound, or internal messages.
- Conditions: Combine classifiers, keywords, domains, file types, or sensitive information types using the condition builder.
- Percentage to review: Specify what percentage of matching messages should be sent to reviewers.
- Email blast filter: Exclude bulk email (like newsletters or spam) to reduce false positives.
- Alert thresholds: Set how many messages must match within a timeframe to trigger an alert.
- AI classifiers: Use Prompt Shields and Protected material classifiers to detect risky Copilot activity. These are typically configured through insider risk policy templates.
Policies scan messages hourly and generate alerts when the aggregation threshold is met. Email notifications are sent once daily, regardless of how many alerts occur.
Enable OCR for image content
Communication compliance supports optical character recognition (OCR) to detect inappropriate content in images. OCR scans embedded or attached images in email and Teams messages and extracts text that can be evaluated against policy conditions.
OCR is enabled automatically in template-based policies when supported. In custom policies, it becomes available after you define classifiers, keywords, or sensitive info types. Supported image formats include JPG, PNG, BMP, and TIFF, with a file size between 100 KB and 4 MB.
When OCR is enabled, flagged images appear alongside alerts for context. It might take up to 48 hours for image matches to display in the portal.
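When you build test images to validate an OCR-enabled policy, it helps to confirm first that each file falls inside the supported formats and size range listed above. The following is an added example, not Microsoft code: the function names are hypothetical, it identifies the format by file signature rather than extension, and it assumes 1 KB = 1024 bytes with inclusive bounds.

```python
import tempfile
from pathlib import Path

# Limits stated on this page; 1 KB = 1024 bytes and inclusive bounds are assumptions.
MIN_BYTES, MAX_BYTES = 100 * 1024, 4 * 1024 * 1024
# Standard file signatures for the four formats the page lists.
SIGNATURES = {
    "JPG": (b"\xff\xd8\xff",),
    "PNG": (b"\x89PNG\r\n\x1a\n",),
    "BMP": (b"BM",),
    "TIFF": (b"II*\x00", b"MM\x00*"),
}

def sniff_format(header):
    """Return the format named by the file's leading bytes, or None."""
    for name, magics in SIGNATURES.items():
        if header.startswith(magics):
            return name
    return None

def ocr_eligibility(path):
    """Return (in_range, reason), judged on content signature and size."""
    size = Path(path).stat().st_size
    with open(path, "rb") as fh:
        fmt = sniff_format(fh.read(8))
    if fmt is None:
        return False, "signature is not JPG, PNG, BMP or TIFF"
    if not MIN_BYTES <= size <= MAX_BYTES:
        return False, f"{fmt}, {size} bytes: outside 100 KB to 4 MB"
    return True, f"{fmt}, {size} bytes"

def demo():
    """Write constructed sample files to a temp dir and check each one."""
    pad = lambda magic, n: magic + b"\0" * (n - len(magic))
    samples = {  # constructed inputs: a real signature padded to a chosen size
        "scan.png": pad(b"\x89PNG\r\n\x1a\n", 200 * 1024),
        "icon.png": pad(b"\x89PNG\r\n\x1a\n", 2048),
        "photo.jpg": pad(b"\xff\xd8\xff\xe0", 5 * 1024 * 1024),
        "renamed.jpg": pad(b"GIF89a", 300 * 1024),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            (Path(tmp) / name).write_bytes(data)
            results[name] = ocr_eligibility(Path(tmp) / name)
    return results

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12} {'in range' if ok else 'out of range':13} {why}")
```

Small icons, thumbnails, and files whose extension does not match their content are the usual reasons a test image falls outside the range.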
Enable user-reported messages
In Teams and Viva Engage, users can report inappropriate internal messages. These reports are routed to a dedicated User-reported messages policy. Reporting is enabled by default in Teams messaging policies. For Viva Engage, the feature must be turned on in the admin center.
Reported content appears in the policy review inbox and can trigger AI content safety classifiers. Admins should assign appropriate reviewers—such as compliance or HR staff—to respond to reported messages.
Monitor policy health
The Policy health tab in the portal flags warnings and recommendations, such as:
- Storage limit reached: Each policy has a 100 GB or 1 million message limit. When reached, the policy stops working.
- Blind spots: Recommendations suggest adding users who match conditions but aren't scoped.
- Bulk senders: Recommendations might prompt you to enable filtering for newsletters or marketing emails.
Warnings must be addressed to keep policies active. Recommendations help improve accuracy but aren't mandatory.
Manage existing policies
You can take several actions on existing policies:
- Pause or resume: Temporarily stop a policy without deleting it. This halts detection but retains data for investigation.
- Copy: Create a duplicate of a policy with the same settings. Useful if a policy has reached its storage limit or needs minor variations for different user groups.
- Favorite: Mark policies as favorites to prioritize them in the dashboard.
Integrate with Insider Risk Management
Communication compliance integrates with Insider Risk Management to detect broader behavioral patterns. For example, a user flagged for harassment or inappropriate messaging might be automatically added to an insider risk policy for further analysis.
- Communication compliance signals can be used as triggers in insider risk policies.
- Alerts generated from these integrations can be viewed in both tools.
Tips for policy configuration
- Test conditions before finalizing the policy using preview features.
- Trainable classifiers and keyword dictionaries can help reduce manual effort and increase accuracy.
- Use adaptive scopes or groups for easier user management.
- Assign reviewers with Exchange Online mailboxes and appropriate permissions.