Checking Communications for All Users in an Office 365 Tenant
Office 365 supervision policies allow tenants to monitor the communications of users in email and Teams. The usual situation is that a company needs to ensure that certain groups of users don’t infringe regulations in their communications inside or outside the company. Supervision policies allow this by capturing a set percentage of messages matching predefined criteria for reviewers to examine.
Typically, you use distribution lists to define the set of users whose communications are reviewed. The background assistants that examine email and Teams messages expand the distribution list membership to know what individual users to monitor. If a new member joins the distribution list, they are added to the supervision group. If they leave the list, they are removed.
You can’t use dynamic distribution groups for supervision policies because the overhead of continually evaluating the group membership would be too high. The question therefore arose of how to maintain a distribution list when you want a supervision policy to check the email sent by every user in a tenant.
PowerShell Server-Side Filtering
My solution is to build a relatively simple PowerShell script to scan for mailboxes that are not in a distribution list and add those mailboxes to the list. The list is then used by a supervision policy to monitor whatever traffic is needed, perhaps to make sure that no one in the tenant calls any other user something offensive in email (defining the list of offensive terms is an interesting exercise).
In any case, the basis of the script is that you use one of the fifteen custom attributes available for Exchange Online mailboxes to store an indicator to show if the mailbox has been added the distribution list. The reason for choosing a custom attribute is that the Get-Mailbox cmdlet supports server-side filtering against these attributes, so retrieving a set of mailboxes that aren’t on the list is faster than if you use a property that needs client-side filtering. Server-side filtering means that Exchange does the work before returning a set of objects while client-side filtering means that you fetch all objects from Exchange and then filter them on the client. As 15,000 mailboxes were involved in this case, server-side filtering is a big win.
Creating and Populating the Distribution List for the Supervision Policy
With the decision made about the technique to use, the code is simple. The first thing to do is to create a distribution list (later you might like to hide this DL from the Exchange address lists so that no one tries to use it for other purposes):
New-DistributionGroup -Name "Supervisory Review Mailboxes" -Alias SRReview -ManagedBy TRedmond -MemberDepartRestriction 'Closed' -MemberJoinRestriction 'Closed'
Now we can create a set of mailboxes that are not marked and then add those mailboxes to the DL. We also update the attribute for each mailbox to indicate that the mailbox is now in the DL. Note that we are careful to have Get-Mailbox only find user mailboxes because only people generate communications for supervision policies to monitor. There’s no sense in processing room mailboxes, shared mailboxes, and the like.
$Mbx = (Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited -Filter {CustomAttribute7 -eq $Null})
$i = 0
ForEach ($M in $Mbx) {
Write-Host "Adding" $M.DisplayName
Add-DistributionGroupMember -Identity SRReview -Member $M.DistinguishedName -ErrorAction SilentlyContinue
Set-Mailbox -Identity $M.Alias -CustomAttribute7 SRAdded
$i++}
Write-Host $i "mailboxes added to Supervisory Review distribution list"
The first time the script runs, it will take some time to complete because it finds and processes all user mailboxes. Thereafter, if you run the script weekly to pick up new mailboxes, it will be much faster because the call to Get-Mailbox will find only the new mailboxes.
For more information about supervision policies, read Chapter 21 of the Office 365 for IT Pros ebook. We have many other PowerShell examples throughout the book too.