Microsoft Purview · Communication Compliance

Communication Compliance Investigators

Investigate alerts, view full messages, and take remediation actions without policy configuration access.

Scope: Full investigation and remediation access without policy configuration rights

Permissions

  • Message Content - View full message content and complete conversation threads (Teams, Exchange, Copilot)
  • Conversation History - Access conversation history, context, and related communications
  • Remediation Actions - Take remediation actions (notify user, escalate to management, tag for review)
  • Message Removal - Remove messages that violate policies (if configured and approved)
  • Investigation Notes - Document investigation findings with notes, tags, and case files
  • Evidence Export - Export messages and evidence for legal review or regulatory reporting
  • Case Files - Access all investigation case files and audit trails
  • Attachments - View attachments, images, and embedded content in messages
  • Pseudonymization - Access pseudonymized data with ability to de-anonymize for investigations
  • Copilot Content - Review Microsoft 365 Copilot interaction content when flagged
  • Administrative Units - Filter investigations by administrative unit scope
  • Alert Resolution - Mark alerts as resolved, false positive, or escalated with justification

Common use cases

  • HR investigators conducting formal harassment or discrimination inquiries
  • Legal team reviewing potential employment law violations or regulatory breaches
  • Senior compliance officers investigating serious incidents (insider trading, threats)
  • Remediation and resolution of confirmed policy violations
  • Financial services compliance reviewing regulated communications for FINRA/SEC violations
  • Employee relations specialists handling workplace conduct investigations
  • Corporate security investigating threats or violent communications
  • Privacy officers reviewing potential data leakage through communications

Best practices

  • Document all investigation steps, decisions, and findings comprehensively
  • Maintain strict confidentiality of investigations per legal and HR requirements
  • Coordinate with HR and legal counsel before taking remediation actions
  • Follow established investigation playbooks and standard operating procedures
  • Preserve evidence properly for potential litigation or regulatory review
  • Use measured escalation approach (educate, warn, suspend, terminate)
  • Regular training on evolving workplace standards and regulatory requirements
  • Respect pseudonymization during initial review before de-anonymizing if necessary
  • Export and archive evidence with proper chain of custody documentation
  • Coordinate with Communication Compliance Analysts on investigation feedback
  • Review administrative unit scope to ensure proper jurisdiction before investigating
  • Consider privacy implications when investigating Copilot interactions

Security considerations

  • Full access to employee communications - extremely sensitive and privacy-invasive
  • Must comply with privacy laws and employment regulations (GDPR, CCPA, etc.)
  • All investigation activities are logged in unified audit log and auditable
  • Remediation actions (especially message removal) can have legal implications
  • Message removal is permanent and may impact eDiscovery or legal holds
  • Should not configure policies to maintain separation of duties and checks
  • Pseudonymization de-anonymization should be documented with justification
  • Copilot interaction viewing may expose highly sensitive business strategy
  • Attorney-client privileged communications may be visible - coordinate with legal
  • Export and evidence preservation requires secure handling and encryption
  • Administrative units scope but investigators still need proper authorization

Official Microsoft Learn documentation →

Open the interactive RBACMap →