New-SupervisoryReviewRule

This cmdlet is available only in Security & Compliance PowerShell. For more information, see Security & Compliance PowerShell.

Use the New-SupervisoryReviewRule cmdlet to create supervisory review rules in the Microsoft Purview compliance portal. Supervisory review lets you define policies that capture communications in your organization so they can be examined by internal or external reviewers.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Syntax

New-SupervisoryReviewRule
   [-Name] <String>
   -Policy <PolicyIdParameter>
   [-CcsiDataModelOperator <String>]
   [-Condition <String>]
   [-Confirm]
   [-ContentContainsSensitiveInformation <PswsHashtable[]>]
   [-ContentMatchesDataModel <String>]
   [-ContentSources <String[]>]
   [-DayXInsights <Boolean>]
   [-ExceptIfFrom <MultiValuedProperty>]
   [-ExceptIfRecipientDomainIs <MultiValuedProperty>]
   [-ExceptIfRevieweeIs <MultiValuedProperty>]
   [-ExceptIfSenderDomainIs <MultiValuedProperty>]
   [-ExceptIfSentTo <MultiValuedProperty>]
   [-ExceptIfSubjectOrBodyContainsWords <MultiValuedProperty>]
   [-From <MultiValuedProperty>]
   [-IncludeAdaptiveScopes <String[]>]
   [-InPurviewFilter <String>]
   [-Ocr <Boolean>]
   [-SamplingRate <Int32>]
   [-SentTo <MultiValuedProperty>]
   [-WhatIf]
   [<CommonParameters>]

Description

To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see Permissions in the Microsoft Purview compliance portal.

Examples

Example 1

New-SupervisoryReviewRule -Name "EU Brokers Rule" -Policy "EU Brokers Policy" -SamplingRate 100 -Condition "((NOT(Reviewee:US Compliance)) -AND (Reviewee:EU Brokers) -AND ((trade) -OR (insider trading)) -AND (NOT(approved by the Contoso financial team)))"

This example creates a new supervisory review rule named EU Brokers Rule with the following settings:

  • Policy: EU Brokers Policy
  • Sampling rate: 100%
  • Conditions: Supervise inbound and outbound communications for members of the EU Brokers group that contain the words trade or insider trading.
  • Exceptions: Exclude supervision for members of the EU Compliance group, or messages that contain the phrase "approved by the Contoso financial team".

Parameters

-CcsiDataModelOperator

{{ Fill CcsiDataModelOperator Description }}

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Condition

The Condition parameter specifies the conditions and exceptions for the rule. This parameter uses the following syntax:

  • User or group communications to supervise: "((Reviewee:<emailaddress1>) -OR (Reviewee:<emailaddress2>)...)". Exceptions use the syntax "(NOT((Reviewee:<emailaddress1>) -OR (Reviewee:<emailaddress2>)...))".
  • Direction: "((Direction:Inbound) -OR (Direction:Outbound) -OR (Direction:Internal))".
  • Message contains words: "((<Word1orPhrase1>) -OR (<Word2orPhrase2>)...)". Exceptions use the syntax "(NOT((<Word1orPhrase1>) -OR (<Word2orPhrase2>)...))".
  • Any attachment contains words: "((Attachment:<word1>) -OR (Attachment:<word2>)...)". Exceptions use the syntax "(NOT((Attachment:<word1>) -OR (Attachment:<word2>)...))".
  • Any attachment has the extension: "((AttachmentName:.<extension1>) -OR (AttachmentName:.<extension2>)...)". Exceptions use the syntax "(NOT((AttachmentName:.<extension1>) -OR (AttachmentName:.<extension2>)...))".
  • Message size is larger than: "(MessageSize:<size in B, KB, MB or GB>)". For example "(MessageSize:300KB)". Exceptions use the syntax "(NOT(MessageSize:<size in B, KB, MB or GB>))".
  • Any attachment is larger than: "(AttachmentSize:<size in B, KB, MB or GB>)". For example "(AttachmentSize:3MB)". Exceptions use the syntax "(NOT(AttachmentSize:<size in B, KB, MB or GB>))".
  • Parentheses ( ) are required around the whole filter.
  • Separate multiple conditions or exception types with the -AND operator. For example, "((Reviewee:<emailaddress1>) -AND (AttachmentSize:3MB))".

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance
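
The following is an added example, not part of the original cmdlet documentation: it assembles a -Condition string from lists of values following the syntax above, so the parentheses stay balanced and a value read from a file or form can't change the filter's logic. Join-OrGroup and New-ReviewCondition are hypothetical helper names, and rejecting parentheses and quotation marks in values is an assumption made here because the page gives no escaping rule.

```powershell
# Added example. Join-OrGroup and New-ReviewCondition are hypothetical helpers,
# not part of Security & Compliance PowerShell.
function Join-OrGroup {
    param([string]$Prefix, [string[]]$Values)
    foreach ($v in $Values) {
        # Assumption: no escaping rule is documented, so reject characters
        # that would unbalance or terminate the filter string.
        if ($v -match '[()"]') { throw "Unsupported character in value: $v" }
    }
    $terms = @($Values | ForEach-Object { '({0}{1})' -f $Prefix, $_ })
    if ($terms.Count -eq 1) { return $terms[0] }
    "(" + ($terms -join ' -OR ') + ")"
}

function New-ReviewCondition {
    param(
        [Parameter(Mandatory)][string[]]$Reviewee,
        [string[]]$ExceptReviewee,
        [ValidateSet('Inbound', 'Outbound', 'Internal')][string[]]$Direction,
        [string[]]$Words,
        [string[]]$ExceptWords,
        [ValidatePattern('^\d+(B|KB|MB|GB)$')][string]$AttachmentLargerThan
    )
    $clauses = @(Join-OrGroup 'Reviewee:' $Reviewee)
    if ($ExceptReviewee) { $clauses += "(NOT" + (Join-OrGroup 'Reviewee:' $ExceptReviewee) + ")" }
    if ($Direction)      { $clauses += Join-OrGroup 'Direction:' $Direction }
    if ($Words)          { $clauses += Join-OrGroup '' $Words }
    if ($ExceptWords)    { $clauses += "(NOT" + (Join-OrGroup '' $ExceptWords) + ")" }
    if ($AttachmentLargerThan) { $clauses += "(AttachmentSize:$AttachmentLargerThan)" }
    # Parentheses around the whole filter; clause types joined with -AND.
    "(" + ($clauses -join ' -AND ') + ")"
}

# Same clauses as Example 1, built from structured input.
$condition = New-ReviewCondition -Reviewee 'EU Brokers' -ExceptReviewee 'US Compliance' `
    -Words 'trade', 'insider trading' -ExceptWords 'approved by the Contoso financial team'

# Pre-flight check, because -WhatIf doesn't work in Security & Compliance PowerShell:
# the rule name can't exceed 64 characters.
$name = 'EU Brokers Rule'
if ($name.Length -gt 64) { throw 'Rule name exceeds 64 characters.' }

New-SupervisoryReviewRule -Name $name -Policy 'EU Brokers Policy' -SamplingRate 100 -Condition $condition
```
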

-Confirm

The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on whether the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.
  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you to acknowledge the command before proceeding.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ContentContainsSensitiveInformation

{{ Fill ContentContainsSensitiveInformation Description }}

Type:PswsHashtable[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ContentMatchesDataModel

{{ Fill ContentMatchesDataModel Description }}

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ContentSources

{{ Fill ContentSources Description }}

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-DayXInsights

{{ Fill DayXInsights Description }}

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ExceptIfFrom

{{ Fill ExceptIfFrom Description }}

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ExceptIfRecipientDomainIs

{{ Fill ExceptIfRecipientDomainIs Description }}

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ExceptIfRevieweeIs

{{ Fill ExceptIfRevieweeIs Description }}

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ExceptIfSenderDomainIs

{{ Fill ExceptIfSenderDomainIs Description }}

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ExceptIfSentTo

{{ Fill ExceptIfSentTo Description }}

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ExceptIfSubjectOrBodyContainsWords

{{ Fill ExceptIfSubjectOrBodyContainsWords Description }}

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-From

{{ Fill From Description }}

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-IncludeAdaptiveScopes

{{ Fill IncludeAdaptiveScopes Description }}

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-InPurviewFilter

{{ Fill InPurviewFilter Description }}

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Name

The Name parameter specifies the unique name for the supervisory review rule. The name can't exceed 64 characters. If the value contains spaces, enclose the value in quotation marks (").

Type:String
Position:1
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Ocr

{{ Fill Ocr Description }}

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Policy

The Policy parameter specifies the supervisory review policy that's assigned to the rule. You can use any value that uniquely identifies the policy. For example:

  • Name
  • Distinguished name (DN)
  • GUID

Type:PolicyIdParameter
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-SamplingRate

The SamplingRate parameter specifies the percentage of communications for review. If you want reviewers to review all detected items, use the value 100.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-SentTo

{{ Fill SentTo Description }}

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-WhatIf

The WhatIf switch doesn't work in Security & Compliance PowerShell.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance