Comma Compliance

Microsoft 365

Your full Microsoft 365 stack, in one compliant archive.

Without depending on Purview.

Comma captures email, Teams, SharePoint, and OneDrive into an external tamper-proof WORM archive the moment it's created. That archive lives outside your Microsoft environment. WhatsApp, Signal, iMessage, and 30+ other channels land in the same place.

One OAuth admin-consent connection. No per-user enrollment. Every Microsoft 365 message and file written to an immutable archive.

Get in Touch
Comma archived messages view showing Outlook email, WhatsApp, and Microsoft Teams records in one unified, filterable list with contact, message preview, thread name, and download-PDF actions

Already using Microsoft 365? So are most of your clients.

The moment an employee texts a client from a personal phone, that conversation never touches Microsoft 365, and no archive of it will exist unless something else captures it. The channels people actually use outside Outlook and Teams, like WhatsApp, Bloomberg Chat, iMessage, and others, don’t live inside Microsoft 365. Purview wasn’t built to capture them. FINRA’s $2B+ in off-channel enforcement since 2021 has been almost entirely about communications outside the Microsoft stack.

When an examiner shows up, they don’t care which platform stored what. They want every message between Rep X and Client Y, across every channel, immutable, and produceable within hours. SEC Rule 17a-4 requires records to be non-rewritable, non-erasable, and produceable in that window. FINRA Rule 3110 requires written supervisory procedures to match the channels your team actually uses. WSPs that name Microsoft 365 but omit WhatsApp, Signal, or Slack are routinely cited.

Filling those gaps with a second archive means another vendor, another integration, another search interface, and another supervisory workflow your team has to run in parallel. Two archives means two exam exports. Cross-channel search becomes manual reconciliation, done under deadline pressure while an examiner is waiting.

Comma writes Microsoft 365 records to immutable WORM storage outside the tenant, and captures every non-Microsoft channel into the same archive. Search across every channel, produce records in one export, and close exam requests without stitching archives together.

How Comma Closes the Gap

Comma captures Microsoft 365 alongside dozens of other channels into one immutable archive. One search interface, one supervisory review queue, one export. The Microsoft stack is covered. So is every channel your team uses that Microsoft doesn’t.

Architecture diagram: Microsoft 365 (Outlook, Microsoft Teams, SharePoint, OneDrive) and non-Microsoft channels (WhatsApp, Signal, iMessage, and 35+ more) all feed into Comma's immutable WORM archive, which sits outside the Microsoft tenant. Beneath the archive: one search across every channel, one supervisory queue, one regulator-ready export.

  1. The whole Microsoft stack, captured in one connection

    • Outlook / Exchange Online — every inbound, outbound, CC, BCC, and attachment
    • Microsoft Teams — 1:1 chats, channel messages, meetings, voice/video, edits, deletions, reactions
    • SharePoint and OneDrive — files, version history, sharing permissions, external shares
    • Calendar events, meeting recordings, and supporting metadata

  2. OAuth admin consent, no per-user setup

    • A single Microsoft 365 admin authorizes Comma once for the entire tenant
    • No individual users log in, install agents, or approve scopes separately
    • Refresh tokens are stored securely and revocable from the Azure admin console at any time

  3. External WORM archive, independent of Microsoft 365 configuration

    • Records are written to immutable WORM storage outside Microsoft 365
    • Independent of Microsoft 365 retention or hold configuration
    • SEC Rule 17a-4 and FINRA Rule 4511 compliant by design

  4. Unified with every other channel your team uses

    • Microsoft 365 records sit alongside WhatsApp, Signal, iMessage, Bloomberg Chat, and 30+ other channels in one archive
    • One search interface for examiners. One supervisory review queue. One exam-ready export workflow
    • No Purview gap when employees text clients on personal devices

Why the architecture matters

For your compliance team

  • Email captured at delivery

    Email is the first thing regulators ask for. Every message from Outlook and Exchange Online is written to the archive the moment it's received, not synced on a schedule, not dependent on a litigation hold being in place.

  • Outside-the-tenant immutability

    Records are written to WORM storage Comma controls. Tenant admins cannot retroactively modify retention, alter classifications, or shorten holds on the archived copy.

  • Regulator-ready storage

    SEC Rule 17a-4 and FINRA Rule 4511 compliant. Time-stamped, tamper-proof, with a complete audit trail of every record.

  • Cross-channel exam readiness

    Examiners rarely ask only about email. With Comma, Microsoft 365 records and mobile messaging records are searchable, exportable, and exam-ready from the same interface.

For your IT team

  • One admin-consent flow

    Tenant-wide authorization through OAuth with Microsoft Graph. No per-user enrollment, no MDM dependency, no client-side agents to deploy.

  • Least-privilege scopes

    Comma requests only the Microsoft Graph scopes needed for the chosen access tier. Directory access alone, contact discovery, or full mail capture — granted per the documented permission tiers.

FAQ about Microsoft 365 Compliance Archiving

Does this replace Microsoft Purview?
For regulated firms with SEC Rule 17a-4 and FINRA Rule 4511 obligations, Comma replaces Purview as the books-and-records archive.
Does Comma archive our Microsoft 365 email?
Yes — every inbound, outbound, CC, BCC, and attachment from Outlook and Exchange Online is captured in full, the moment it's received.
What Microsoft 365 licensing do we need?
Comma works with any Microsoft 365 plan that allows OAuth admin consent (Business Basic and above). You do not need Microsoft 365 E5 or the Advanced Compliance add-on to use Comma — Comma provides the regulatory-grade retention layer that those tiers are designed to deliver inside Microsoft 365.
How does this work alongside our existing Microsoft 365 retention?
Comma operates independently of Microsoft 365 retention configuration. You can keep your existing Purview policies in place — Comma captures a separate, immutable copy of every record into its own WORM archive. Any future change to Microsoft 365 retention or holds has no effect on the Comma archive.
Are Teams chat and OneDrive files included?
Yes. Microsoft 365 capture covers Outlook / Exchange, Teams chat (1:1 and channel) and meetings, SharePoint, and OneDrive — all in the same archive, captured through the same admin-consent connection.
How quickly can we produce records for an SEC or FINRA exam?
Records are retrievable directly from the Comma platform within minutes. No support ticket, no Microsoft Graph search to script. Cross-channel — including non-Microsoft channels like WhatsApp and Signal — from the same interface.
Can we revoke Comma's access?
Access can be revoked from the Azure admin console. Existing records in the Comma archive are unaffected — but revocation stops future capture, which should be coordinated with your compliance team before disconnecting.

See how Comma archives Microsoft 365.

A 20-minute walkthrough — one admin-consent connection, real capture across email, Teams, and OneDrive, and exam-ready export.

Get in Touch Pricing

Related reading

Other channels we support

WhatsApp Compliance Archiving

WhatsApp archiving via the official Business API — full message capture including attachments, voice notes, and group chats.

See solution →

iMessage Compliance Archiving

Point-of-delivery iMessage capture. No iCloud dependency, no MDM. Built for BYOD.

See solution →

All 35+ Channels

Microsoft 365 is one of 35+ channels Comma archives. WhatsApp, Signal, iMessage, Bloomberg Chat, and more — all from one platform.

See all channels →