I’ll be honest and say that I’m known to be quite partial to dropping the favourite phrase of a certain well known celebrity chef but I also know there is a time and a place for it so why are we talking about a profanity filter?
At Arcible, our style is formal but fun: we do our work in a professional and courteous manner but we like to be light-hearted and friendly about the whole thing too. That means we don’t want to be seeing or using such words in our communications. In the Microsoft 365 suite, there are a number of ways that we can police this to make sure we stay true to our image and maintain our reputation.
- An Exchange Online Transport rule
- A Data Loss Prevention (DLP) rule
- A Supervision policy
The word list
Before we start, let’s talk about the words that you want to filter out. You can probably conjour up a list yourself but users can be creative at character substitution like we ask them to be with passwords.
Rather than trying to invent our own list, we used one from GitHub that was formerly part of a Google API for profanity filters. You can download the list for yourself from the GitHub repo at https://github.com/RobertJGabriel/Google-profanity-words and it contains 451 different words.
An Exchange Online Transport rule
This, the first option, is the most accessible because it can be used by anyone that is licensed for Exchange Online and upwards. This means we can implement a profanity filter for any customer with licenses from Exchange Online Plan 1 standalone all the way up.
This option is quite rigid and has some flaws, however.
- It will only apply to email messages
- You will need to manually add the words to the list
- Each rule has a character limit of 8,192 characters
Our list in question is 3,620 characters long so will fit into one rule but if you wanted to make your own list or go a little crazy then you might need to create multiple rules that process in order to get the desired effect.
Most importantly, as collaboration evolves, this method only applies to email which means Teams messages won’t be picked up.
A Supervision policy
A supervision policy requires that the user under supervision has either a Microsoft 365 E5 Compliance license or an Office 365 Enterprise E3 license plus the Advanced Compliance add-on which means that this option won’t be for everyone.
Supervision policy isn’t going to block messages but it will alert somebody that they are being used. If you want to allow the communication to happen but to alert HR so that the user can be reminded of corporate policy then this could be an option for you.
We won’t go into the detail of a supervision policy here purely because it doesn’t meet the goal for us to set-up a profanity filter and block the messages, however, if you want to know more, you can take a look at https://docs.microsoft.com/en-us/microsoft-365/compliance/supervision-policies?view=o365-worldwide.
What is worth noting, however, for supervision policies is that there is a built-in list for profane language which may be ideal if you don’t want to manage this list yourselves.
A Data Loss Prevention rule
On our opinion, this is the best option and is the option we use at Arcible for managing a profanity filter. This option covers not only email messages being sent but also covers content being saved to SharePoint sites, personal data being saved to OneDrive for Business storage as well as covering Microsoft Teams chat and channel messages.
Using a DLP rule requires an Office 365 Enterprise E3 license so it may not be viable for everyone but as E3 tends to be the go-to license for most people.
Before we can create the DLP rule, we need to create a custom Sensitive Info Type. When we create the Sensitive Info Type, we can use the Dictionary info type and upload the text file containing all the words.
Once the Sensitive Info Type is ready, create the DLP rule.
In the DLP rule, we can specify multiple rules that apply the actions we specify. At Arcible, we’ve got a strict policy that doesn’t permit any bad language for our profanity filter so we’ve got a single condition and action configured that blocks it and shows a Policy Tip to the user to warn them that they are breaking policy. If you wanted to be a bit looser about it then you could define a multi-tier policy that allows one or two instances of language use but anything above that and block it.
Going multi-lingual
An obvious way that a user could exploit our current configuration would be to swear in another language; maybe your organisation is multi-lingual and you need to cover off extra languages.
Using the DLP rule approach, we can define multiple Sensitive Info Types, one for each language, and reference them all in the policy.
Data loss prevention strategy
Implementing a profanity filter is one step in an overall and successful data loss prevention strategy. For organisations to protect themselves, their content, intellectual property, and more, there will be many other things that you will want to police and control.
At Arcible we use, and encourage our customers to use, Microsoft Information Protection (MIP) which allows us to label our corporate data and apply policy and protection to the data according to the classification. This set-up combines MIP, DLP, Exchange Online Transport rules as well as an overall organisational security strategy.
If you are interested in implementing MIP, DLP, or understanding how you can address your security and DLP strategy as a whole please, speak with us and we can assist you with that. We love working with Microsoft 365 to implement solutions to help protect organisations and would be happy to share our knowledge with you.