In Q2 2025, the Compliance Policies are being updated with new UI and functionality:
- New UI, where all settings are shown in one screen for clearer visibility.
- All Site related settings are now always enforced and automatically remediated if they do not match the values set in the policy, so admins have full control of the site settings through the product.
- Microsoft Teams related settings have been streamlined. This functionality is always enabled going forward where the admins get to set for how long the internal and external sharing links are valid, and whether they want the files to be removed or not.
- More flexibility has been introduced to the sharing policy settings, enabling better customization for monitoring and auto-remediation, which can now be set per criteria.
- Admins no longer receive multiple violation emails per policy. Instead, the daily digest email has been enhanced to include all relevant information on the status of the organization.
Existing Policy Translations
All existing compliance policies for all tenants onboarded will be automatically converted to the new format based on your current policy settings. With the updates in functionality, some settings require adjustments to fit the new policies. Site settings and Teams policy settings are required to have a value defined, as these are now always enforced. Where site settings are not enabled, default configurations will enforce the most restrictive options as a security best practice.
All policies assigned to sites will be reassigned to the same sites as new policies after conversion. Thus, administrators are encouraged to review existing policies to ensure settings are correctly configured ahead of migration. This also presents an ideal opportunity to remove any policies that are no longer needed. Additionally, previously approved permissions may trigger new violations on the day of this release, requiring an audit. Based on policy settings, these would need to be manually re-approved, otherwise they will be auto-remediated or become non-compliant.
Therefore, it is advisable to go through the different settings in the existing policy and understand how they will be translated.
In the side menu, go to 'Compliance Policies' to get a list of all your existing policies. For each policy, click the button to review the settings and if changes are made, press [Save].
What you need to action
SETTINGS FOR SITES
To ensure the optimal outcome when the new policies are enforced, it's best for you to enable the site settings in the current policies and set your desired values now.
For all settings mentioned below, if they remain disabled, the most restrictive settings will apply.
Example scenarios below:
Example 1 - Site settings currently Disabled - After conversion, Enabled to most restrictive setting
Example 2 - Site settings currently Enabled - After conversion, Enabled to same values
- Monitor for the maximum external sharing level allowed
  - if enabled, the same setting will be used in the new policy (irrespective of auto-fix/enforce setting)
  - if disabled, it will be set to "Only people in your organization"
- Monitor for the default sharing level for new links
  - if enabled, the same setting will be used in the new policy (irrespective of auto-fix/enforce setting)
  - if disabled, it will be set to "Specific People"
- Monitor for the default permission level for new links
  - if enabled, the same setting will be used in the new policy (irrespective of auto-fix/enforce setting)
  - if disabled, it will be set to "Can View"
- Monitor for guest access expiration setting higher than
  - if enabled, the same setting and value will be used in the new policy
  - if disabled, it will be set to "1 day"
- Monitor for anyone links expiration setting higher than
  - if enabled, the same setting and value will be used in the new policy
  - if disabled, it will be set to "1 day"
MICROSOFT TEAMS SHARING POLICY DEFINITION
When files are shared in Microsoft Teams private chats, a copy of the file is created in the sender’s OneDrive with a sharing link to it. With this update, sharing links to these files will be automatically removed if the file is unused for the period defined in the policy. The minimum allowed period is 1 day and the maximum is 730 days. Additionally, the admin may choose to also have the Teams copy of the file deleted (moved to Recycle bin).
Is Deletion of the Teams copy of the file desired?
If deletion of the Teams copy of the file is desired, ensure that the settings “Monitor for items shared via Teams” and “Automatically delete items shared via Teams (move to recycle bin) if no action is taken by the user during the grace period” are Enabled.
In this case, the auto-remediation period for files and links will be the addition of the existing settings:
- Monitor for items shared via Teams [2 days]
- Automatically delete items shared via Teams (move to recycle bin) if no action is taken by the user during the grace period [3 days]
- Set a grace period for users and site-owners to remediate [7 days]
Therefore in the above example, both the links and the Teams copy of the file will be auto-remediated after 12 days.
If deletion of the Teams copy of the file is NOT desired, ensure that the setting “Automatically delete items shared via Teams (move to recycle bin) if no action is taken by the user during the grace period” is Disabled. In this case, the auto-remediation period for links will depend on which of the other settings are set. The following scenarios are possible:
- Both “Monitor for links to items shared via Teams” and “AutoRemediate violations if no action is taken by the user during the grace period” are Enabled
  In this case, the auto-remediation period for links will be the addition of the existing settings:
  - Monitor for links to items shared via Teams [1 day]
  - AutoRemediate violations if no action is taken by the user during the grace period [4 days]
  - Set a grace period for users and site-owners to remediate [7 days]
  Therefore in the above example, the links will be auto-remediated after 12 days.
- “Monitor for links to items shared via Teams” is Enabled and “AutoRemediate violations if no action is taken by the user during the grace period” is Disabled
  In this case, the auto-remediation period for links will be the addition of the existing settings (but capped to a minimum of 14 days):
  - Monitor for items shared via Teams [1 day]
  - Set a grace period for users and site-owners to remediate [7 days]
  Therefore in the above example, the links will be auto-remediated after 14 days (since total [8] is less than the minimum [14]).
- “Monitor for links to items shared via Teams” is Disabled
  In this case, the auto-remediation period for links will be set to the maximum value of 730 days.
Note that all past sharing links to Teams shared files will be evaluated and automatically remediated if policy criteria are met, even if they were previously approved.
With the new policies, Teams' sharing violations are always auto-remediated without notification. However, these files are still subject to the other sharing policy settings assigned to the site and violations will be raised accordingly.
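The conversion rules above for site settings and for the Teams link period can be modelled in a few lines to preview what a current policy will turn into. This is an added example, not code from the product: the field names, the `convert_site_settings` and `teams_link_period` helpers, and the sample values are hypothetical, and capping a summed period at 730 days is an assumption based on the stated maximum.

```python
# Added illustration of the conversion rules described in this article.
# Field and function names are hypothetical, not the product's API or export format.
from dataclasses import dataclass
from typing import Optional

MAX_DAYS = 730          # maximum allowed period; also used when monitoring is disabled
MONITOR_ONLY_MIN = 14   # floor applied when AutoRemediate is disabled

# Most restrictive values, applied when a site setting is currently disabled.
SITE_DEFAULTS = {
    "max_external_sharing_level": "Only people in your organization",
    "default_link_sharing_level": "Specific People",
    "default_link_permission": "Can View",
    "guest_access_expiration": "1 day",
    "anyone_link_expiration": "1 day",
}

def convert_site_settings(current: dict) -> dict:
    """current maps a setting name to its value; None or missing means disabled."""
    return {name: default if current.get(name) is None else current[name]
            for name, default in SITE_DEFAULTS.items()}

@dataclass
class LegacyTeamsSettings:
    monitor_days: Optional[int]      # "Monitor for (links to) items shared via Teams"; None = disabled
    auto_action_days: Optional[int]  # auto-delete or AutoRemediate period; None = disabled
    grace_days: int                  # "Set a grace period for users and site-owners to remediate"

def teams_link_period(s: LegacyTeamsSettings) -> int:
    """Days after which the converted policy auto-remediates Teams sharing links."""
    if s.monitor_days is None:
        return MAX_DAYS                        # monitoring disabled: maximum value
    if s.auto_action_days is not None:
        total = s.monitor_days + s.auto_action_days + s.grace_days
    else:
        # Monitor only: sum of the remaining settings, raised to at least 14 days.
        total = max(s.monitor_days + s.grace_days, MONITOR_ONLY_MIN)
    return min(total, MAX_DAYS)                # assumption: sums above 730 are capped
```

Running each existing policy's values through these two functions before the migration shows which settings would fall back to a restrictive default and when existing Teams links would be removed.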
No action required but good to know
SHARING POLICY DEFINITION
The sharing policy criteria will be converted in order to ensure a smooth transition with minimal impact. The below applies for both Internal and External sharing.
Example scenarios below:
Example 1 - Sharing Policy criteria disabled in current policy
Example 2 - Sharing Policy criteria enabled, Auto-Remediation disabled in current policy
Example 3 - Sharing Policy criteria and Auto-Remediation enabled in current policy
In this case:
- if a setting is Disabled, it will remain Disabled
- if a setting is Enabled and AutoRemediate is Disabled, it will remain Enabled and set to Monitor Only
- if a setting is Enabled and AutoRemediate is Enabled, it will remain Enabled and set to Monitor and AutoRemediate
- Exceptions: To maintain the current policy behaviour, some settings* will always be set to 'Monitor Only', as no remediation action is currently available.
- Existing grace period and re-audit period settings will be retained. If site owner notifications are enabled, these will be retained but only sent once daily going forward.
* Exceptions:
- 'Monitor for new permissions granted indirectly through a group'
- 'Monitor for permissions granted indirectly to external users through a group' (new setting which follows the existing 'Monitor for permissions granted to external users')
- 'Monitor for groups' privacy level set to Public'
TRUSTED DOMAINS
All existing domains listed here will be added to the new policies.
OTHER NOTES
- All existing policies will be converted as listed above
- Converted policies will be marked accordingly to be easily identified
- Sites which are assigned a policy will be re-assigned the same policy in the converted format as specified above