Hybrid workspaces are continuously evolving, with changes like increasingly varied work locations and the shift of more workplace communications and interactions to collaboration platforms, such as Microsoft Teams. These apps make hybrid work possible through their flexibility and seamless digital collaboration. Yet, at the same time, organizations’ security and compliance leaders are scaling imperatives like compliance management across platforms and expanding traditional office settings, because industry regulations and corporate policies must protect data and employees, regardless of where work takes place. Compliance and regulatory risks in collaboration and cloud-driven hybrid workspaces include policy violations, like oversharing sensitive business information internally. Employees additionally need ways to report security-related concerns for company review.
Customers tell us they need to reduce blind spots around data security risks introduced by these new ways of working. As hybrid work becomes the norm across enterprises, fewer internal reports of compliance violations during the same timeframe suggest that risks may be going unreported at a larger scale. According to Gartner® research, in 2020 and 2021 compliance teams learned of about 31 fewer instances of potential violations per 1,000 employees than in 2018 and 2019, before the COVID-19 pandemic massively accelerated remote and hybrid work transformations.
By empowering employees to report security-related compliance and regulatory violations seamlessly and more easily through collaboration apps, you can help reduce the number of potential data security risks that could threaten your entire organization.
Built with privacy by design
Many businesses have processes to manage workplace policies and engage employees who raise concerns around regulatory compliance violations. However, it can be difficult for employees to know whom to contact when reporting a concern. Today, we are announcing the general availability of the ‘Report a concern’ feature, a new capability offered in Microsoft Purview Communication Compliance, which empowers employees of Communication Compliance customers to report concerns about potential regulatory policy violations, as well as security-related concerns, directly within Microsoft Teams. Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (e.g. SEC or FINRA), such as the sharing of sensitive or confidential information, harassing or threatening language, and sharing of adult content. The feature is built with privacy by design: usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to ensure user-level privacy.
This feature is rolling out to Communication Compliance customers who already have policies deployed in their tenant. For these customers, the ‘Report a concern’ feature comes on by default and adds a menu option to the Teams interface, allowing users to report potentially non-compliant content directly from within the app itself. This content could include improper sharing of regulated or confidential business information or sharing malicious links that could result in a security incident.
Figure: An end user reports a message by right-clicking on the message and selecting “Report a concern”.
To protect the privacy of the user reporting the message, none of the chat participants will be informed or made aware that the message was reported. When Teams users report a concern, these messages are flagged, and a workflow in Communication Compliance is initiated for customers’ designated compliance administrators to review and investigate.
Built with privacy by design, the ‘Report a concern’ feature pseudonymizes employee usernames by default. Pseudonymization protects end-user privacy by replacing personally identifiable information with placeholder values (e.g. instead of seeing the user’s name, a policy analyst will see “ANON4652”). Role-based access controls help customers limit Report a concern details to designated compliance managers. Investigators must be explicitly added by an administrator to a policy, and audit logs are in place to further serve user-level privacy.
This ‘Report a concern’ feature helps customers scale their existing compliance or internal governance policies across changing hybrid workspaces, while empowering employees to maximize productivity and collaboration through Microsoft Teams. Learn more about the “Report a concern” feature in our technical documentation.
Review reported messages in Communication Compliance
When a user submits a Teams chat message for review, the message is copied to the ‘User reported messages’ queue in Communication Compliance, where a designated Communication Compliance investigator in the customer’s organization can review it. If the investigator deems the message to be a policy violation, they can perform remediation actions like notifying the user of violating a corporate policy, escalating for legal investigation or removing the message from the Teams chat or channel.
Learn more about user reported messages in our technical documentation.
Figure: The message is copied to the ‘User-reported messages’ policy, where an admin can scope the policy to the appropriate policy investigator.
Prince William County Public Schools empowering students with ‘report a concern’ feature
With Microsoft Purview, Prince William County Public Schools in Virginia prioritizes a safe learning environment by taking a proactive approach to data security. Looking for potential violations is also an important compliance need for the school district. Learn more here about how PWCS is leveraging the ‘Report a concern’ feature to empower students to report potential violations that occur over Microsoft Teams.
The ‘Report a concern’ feature is rolling out to existing Communication Compliance customers. The ‘Report a concern’ capability is enabled by default and can be controlled via Teams messaging policies in the Teams admin center. All users in your organization will automatically get this capability as part of the Teams global messaging policy; however, you can choose to scope this capability to specific users by creating and assigning a custom messaging policy. Edit the settings in the global policy or create and assign one or more custom policies to turn on or turn off this feature. To learn more, please refer to: Manage messaging policies in Teams.
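The scoping described above can also be scripted. The following is an added example, not part of the original announcement, which only describes the Teams admin center: it uses the messaging-policy cmdlets of the MicrosoftTeams PowerShell module to turn the option off in the global policy and on for a pilot group. The policy name and user principal names are placeholders chosen for illustration.

```powershell
# Added example: scope 'Report a concern' to a pilot group.
# Requires the MicrosoftTeams module and a Teams administrator sign-in.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$policyName = 'ReportConcern-Pilot'            # hypothetical custom policy name
$pilotUsers = @('user1@contoso.example',       # placeholder UPNs, replace with
                'user2@contoso.example')       # the users you want in scope

# 1. Record the current state of every messaging policy before changing it.
Get-CsTeamsMessagingPolicy |
    Select-Object Identity, AllowCommunicationComplianceEndUserReporting |
    Format-Table -AutoSize

# 2. Turn the option off in the org-wide (Global) policy so that only
#    users with the custom policy see the menu entry.
Set-CsTeamsMessagingPolicy -Identity Global `
    -AllowCommunicationComplianceEndUserReporting $false

# 3. Create the custom policy if it does not exist yet, with the option on.
$existing = Get-CsTeamsMessagingPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-CsTeamsMessagingPolicy -Identity $policyName `
        -AllowCommunicationComplianceEndUserReporting $true | Out-Null
} else {
    Set-CsTeamsMessagingPolicy -Identity $policyName `
        -AllowCommunicationComplianceEndUserReporting $true
}

# 4. Assign the custom policy to each pilot user.
foreach ($upn in $pilotUsers) {
    Grant-CsTeamsMessagingPolicy -Identity $upn -PolicyName $policyName
}

# 5. Verify the assignment; policy changes can take time to reach clients.
foreach ($upn in $pilotUsers) {
    Get-CsOnlineUser -Identity $upn |
        Select-Object UserPrincipalName, TeamsMessagingPolicy
}
```

Running step 1 again after the change gives a before/after record of which policies allow reporting, which is useful evidence for a compliance change log.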
We are happy to share that there is now an easier way for you to try Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial (an active Microsoft 365 E3 subscription is required as a prerequisite). By enabling the trial in the compliance portal, you can quickly start using all capabilities of Microsoft Purview, including Insider Risk Management, Communication Compliance, Records Management, Audit, eDiscovery, Information Protection, Data Lifecycle Management, Data Loss Prevention, and Compliance Manager.
Visit your Microsoft Purview compliance portal for more details or check out the Microsoft Purview solutions trial (an active Microsoft 365 E3 subscription is required as a prerequisite).
Learn more about how to get started and configure policies in your tenant in the supporting documentation for Communication Compliance. Keep a lookout for updates to the documentation with information on the new features over the coming weeks.
Christophe Fiessinger, Principal Product Manager
 Gartner, Encouraging Reporting in a Hybrid World: Building a Reporting Value Proposition, 29 June 2022
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.