Microsoft Overselling E5 Capabilities Through Data Loss Prevention

Second Example of Trend Emerges with Offer to Use Communications Compliance

I don’t like the trend now emerging in Microsoft 365 Data Loss Prevention (DLP) where Microsoft uses DLP policies as a conduit to sell other Microsoft 365 solutions. A case can probably be made to extend a DLP policy to cover Teams, but the October 21 announcement in MC293000 that Microsoft will “surface” recommendations to use Communications Compliance within the DLP workflow (Figure 1) is a step too far.

Figure 1: Microsoft 365 suggests that communications compliance might be a good counterpart to a DLP policy

You might think it is awfully helpful for Microsoft to make suggestions about making better use of DLP. This feeling would be justified if the recommendations improved DLP. However, as I point out when discussing the need to move away from Exchange DLP policies, extending a policy to Teams is not something which can often be done automatically. Likewise, gaining “the ability to apply DLP policy insights to your insider risk practice to better identify user behavior and intent” by configuring a communications compliance policy is not something that should happen as the result of a prompt at the end of updating a DLP policy.

Monitoring Communications

Communications compliance policies monitor interactions between people to detect problems like using offensive or threatening language. The communications covered are email, Teams, Yammer, and Skype for Business conversations (soon to disappear). For Teams and Yammer (only networks configured in Microsoft 365 mode), monitoring happens against the compliance records captured in Exchange Online. Matching occurs using one or more of the trainable classifiers available within a tenant (Figure 2), including those configured by the tenant.

Figure 2: Adding trainable classifiers to a communications compliance policy

Since the launch of communications compliance in 2019, Microsoft has done a good job of building out the set of available classifiers and expanding language coverage. The image classifiers are language independent. Classifiers won’t catch everything, but they improve over time and the idea is to detect gratuitous and persistent offenders rather than picking up every conceivable issue.

Policy matches result in referrals to human reviewers, who check the content and context of the problem messages. The reviewers decide whether a policy violation is present and, if so, how best to deal with the offender. All of this is grounded in an organization's HR policies and procedures, and is probably heavily influenced at a local level.

There’s lots to like about communications compliance, and it’s a good solution for Microsoft 365 to offer. However, this is not a solution that every organization needs or is comfortable with. Communications compliance has a hint of “Big Brother is watching you” about it that makes many people uncomfortable. Its implementation requires careful planning to ensure that the organization is prepared and that everyone involved in policy creation and operation, from HR to reviewers to managers, understands their role and how to deal with offenses. This is not a project to start on a whim.

Inappropriate Connection

All of which makes me think that it is inappropriate for Microsoft to link DLP with communications compliance. There’s too big a jump between monitoring for inadvertent disclosure of sensitive corporate information outside the organization (the normal DLP scenario) and checking internal communications to detect violations in tone and language. I don’t see the natural connection between policies largely under the control of IT (DLP) and those where HR has huge influence and oversight.

One thing that links both suggestions Microsoft surfaces within DLP is that they need Office 365 E5 or Microsoft 365 E5 Compliance licenses. Office 365 E3 covers DLP for Exchange and SharePoint, but you need E5 for Teams (a differentiation that has always seemed strange and inexplicable). Communications compliance is a premium E5 feature. I hope that Microsoft isn’t simply using DLP to push higher-price features to customers. That’s a tactic which might seem reasonable inside Microsoft, but it’s just tacky out in the real world.

PS. Microsoft will run a webinar about moving Exchange DLP policies to Microsoft 365 DLP policies on November 9. Register here.

