Microsoft Purview · Communication Compliance

Supervisory Review

Members can create and manage the policies that define which communications are subject to review in an organization. Used for regulatory supervisory review requirements (e.g., FINRA, SEC) where designated reviewers must sample employee communications.

Scope: Supervisory review policy administration within Communication Compliance

Permissions

  • Supervisory Review Administrator - Create and manage supervisory review policies
  • Define communication sampling rules and reviewer assignments
  • Configure conditions for communications subject to review
  • Manage reviewer groups and escalation paths
  • View and report on supervisory review activity

Common use cases

  • FINRA Rule 3110 supervisory review for broker-dealers
  • SEC Rule 17a-4 communication retention and review
  • Healthcare regulatory communication oversight
  • Legal industry communication supervision
  • Government and defense contractor communication review programs

Best practices

  • Coordinate with Legal and Compliance teams on regulatory requirements
  • Document reviewer assignment rationale for audit purposes
  • Use scoped policies (specific groups/users) rather than tenant-wide
  • Regularly audit reviewer activity and escalations

Security considerations

  • Supervisory review policies access employee communications — privacy implications
  • Reviewer access should be limited to designated compliance staff
  • All review activity is itself audited for regulatory chain of custody
  • Configure data minimization where regulations permit

Common questions

When should I assign the Supervisory Review role?

Assign Supervisory Review when you need to: FINRA Rule 3110 supervisory review for broker-dealers; SEC Rule 17a-4 communication retention and review; Healthcare regulatory communication oversight; Legal industry communication supervision; and Government and defense contractor communication review programs. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Supervisory Review role do?

The Supervisory Review role grants permissions including: Supervisory Review Administrator - Create and manage supervisory review policies; Define communication sampling rules and reviewer assignments; Configure conditions for communications subject to review; Manage reviewer groups and escalation paths; and View and report on supervisory review activity. See the Permissions section above for the full list.

What are the security risks of the Supervisory Review role?

Key considerations when assigning Supervisory Review: Supervisory review policies access employee communications — privacy implications; Reviewer access should be limited to designated compliance staff; All review activity is itself audited for regulatory chain of custody; and Configure data minimization where regulations permit. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →