Microsoft Purview · Communication Compliance

Communication Compliance Analysts

Can access and investigate alerts and view message metadata, but cannot view full message content - limited investigation access.

Scope: Alert triage and classification without full message content viewing access

Permissions

  • Alert View - View communication compliance alerts across all monitored channels
  • Message Metadata - See message metadata (sender, recipient, subject, timestamp, platform)
  • Match Context - View match context, highlighted violations, and confidence scores
  • Alert Classification - Classify alerts (false positive, needs review, confirmed violation, escalate)
  • Alert Routing - Route alerts to Communication Compliance Investigators for full message review
  • Reports - Access aggregate reporting, trends, and policy effectiveness dashboards
  • Investigation Notes - Add investigation notes and tags for case management
  • Pseudonymized Data - View pseudonymized investigator identities if configured
  • Alert Filtering - Filter alerts by policy, severity, user, or administrative unit
  • Metadata Export - Export alert metadata and statistics (not message content)

Common use cases

  • Initial triage of communication compliance alerts to filter noise
  • Filtering false positives before escalation to senior investigators
  • Entry-level compliance monitoring and alert categorization
  • High-volume alert management and prioritization for investigation team
  • First-line compliance support for financial services message supervision
  • Regional compliance teams managing alerts scoped to their administrative units
  • SOC analysts monitoring for threatening or harassing communications

Best practices

  • Develop comprehensive and consistent triage criteria playbooks
  • Escalate serious violations to Communication Compliance Investigators promptly
  • Document triage decisions and rationale for audit trail and quality review
  • Track detailed metrics on false positive rates by policy for Admin tuning
  • Hold regular calibration sessions with Investigators on edge cases and gray areas
  • Use alert tagging and notes to provide context for Investigators
  • Monitor alert queue metrics to identify policy tuning opportunities
  • Create standard operating procedures for different violation types
  • Balance thoroughness with efficiency in high-volume alert environments
  • Coordinate with Admins when policies generate excessive false positives
  • Respect pseudonymization and avoid attempting to identify investigators
  • Use administrative units to focus on relevant regional or business alerts

Security considerations

  • Cannot view full messages - significantly reduced privacy impact compared to Investigators
  • Message metadata still reveals sensitive communication patterns and relationships
  • Escalation decisions to Investigators should be documented with clear justification
  • Alert classification decisions directly affect investigation priorities and resources
  • False positive dismissals can create gaps if patterns are not reported to Admins
  • User metadata may reveal sensitive organizational relationships or hierarchies
  • Alert volume visibility may indicate business-sensitive activities or projects
  • Pseudonymization protects investigators but Analysts can still see monitored users
  • Administrative units scope visibility but may still expose sensitive regional data
  • Excessive alert dismissals should be monitored for potential blind spots
