Speed up Your Compliance Journey with Microsoft 365

Virtually any organization needs to comply with legal or regulatory standards. With the increasing number of regulations, it is quite common for organizations to invest in multiple tools to conform to all the rules. With more and more data being stored in public clouds, ensuring compliance can be a challenge. If your organization is using Microsoft 365, you should know you have multiple tools at hand, with your starting point being the Compliance Center. It is the home for managing compliance needs using integrated solutions for information protection, information governance, insider risk management, discovery, and more.

Microsoft 365 Compliance Center

The Microsoft 365 compliance center provides easy access to the data and tools you need to manage to your organization’s compliance needs. You can access it from the Microsoft 365 Admin Center or directly at https://compliance.microsoft.com/homepage. To do this, you need either Global Administrator or Compliance Administrator role.

When you first visit the Microsoft 365 compliance center, you will find out how your organization is doing with data compliance, what solutions are available to you and a summary of any active alerts.

Now let us have a look at each of the solutions that are part of the Compliance Center and how each one of them play an important role in your compliance journey.

Compliance Manager

The Compliance Manager solution gives you an overall score of how you are currently doing and provides recommendations how to improve your overall compliance with common industry regulations and standards. The dashboard contains real-time data and a score breakdown by category.

The Overview section contains the gauge that measures your organization’s score and gives you a breakdown of points that you have managed to achieve and points that are automatically achieved by Microsoft’s default settings. You can see a summary of key improvement actions with the number of points they can earn you, the status and type.

Exploring further, you will see a card for the solutions that affect your score and the Compliance score breakdown by areas with links to the improvement actions filtered by area.

It contains recommended actions that will help your organization complete assessments. Detailed implementation guidance tells you what steps to take and directs you to the appropriate solution. Clicking on View Improvement actions will take you to the Improvement actions section, filtered by area.

The Improvement actions section gives you a detailed list of all actions that are recommended for implementation, with grouping, search and filtering capabilities.

Clicking on any action will give you a detailed screen with implementation guidance, links to Microsoft official documentation and some additional notes.

As part of the improvement actions feature, you can assign any action to one of your Microsoft 365 users, change its status and set an implementation date. Once you set the status to Implemented and Compliance Manager verifies the steps is implemented, the points will be added to your Compliance Score. It might take up to 24 hours for the changes to be reflected.

Tip: Plan your compliance improvement actions in iterations and check status each week or bi-weekly.

The Solutions section gives you an overview of how each of the Microsoft 365 suite components contributes to your organization compliance with links to the remaining actions for each solution. The grouping by solution makes it easier for you to provide targeted information and advice to various domain experts in your organization, for example Azure AD experts, Security or Compliance.

The Assessments section contains a list of assessments that you can run and check your environment against a set of predefined that include common industry regulations and standards.

Clicking on each assessment will take you to a detailed report page containing the controls being measured, key improvement actions and their status.

On the Controls section of the report you will find a nice bar graphs indicating where you are doing well and where you have opportunity to improve by implementing the recommended actions. With the Generate report button, you can export the actions and their status into an Excel spreadsheet.

Tip: You can create a list from a spreadsheet in Microsoft Lists, collaborate with your team and easily track progress.

The last section of the Compliance Manager is the Assessment templates where you will find different templates that you can use to run assessments, for example templates that cover EU GDPR and some country specific regulations. The templates consist of controls and actions and are in two categories: Included and Premium. You will see only the templates that are available to your organization based on the license you have. Microsoft has recently introduced new licensing for Premium templates, so even if you see some of them now, they might not be accessible soon.

Data Classification

This solution gives you means to classify and protect content across the organization using sensitive info types and sensitivity labels.

The Overview section gives you a snapshot of how sensitive info and labels are being used across your organization’s locations.

There are multiple approaches to data classification. Manual, Automated or through Classifiers.

The manual way requires human judgment and action. An admin may either use the pre-existing labels and sensitive information types or create their own and then publish them. Users and admins apply them to content as they encounter it. You can then protect the content and manage its distribution.

The automated pattern matching is used to find content by:

• Keywords or metadata values (keyword query language).
• Using previously identified patterns of sensitive information like social security, credit card or bank account numbers (Sensitive information type entity definitions).
• Recognizing an item because it is a variation on a template (document finger printing).
• Using the presence of exact strings (exact data match).

Sensitivity and retention labels can then be automatically applied to make the content available for use in data loss prevention (DLP) and auto-apply polices for retention labels.

The Classifier method is particularly well suited to content that is not easily identified by either the manual or automated pattern matching methods. This method of classification is more about training a classifier to identify an item based on what the item is, not by elements that are in the item (pattern matching).

The Trainable classifiers is a preview feature that is an AI-based content classifier. The first time you go to that section you will have to choose whether to start a scanning process (taking 7 to 14 days to complete) or use some of the built-in classifiers, which would detect content such as source code, resumes, profanity, harassment and threats. One drawback of the classifiers feature is that it only works with documents that are not encrypted and are in English.

Clicking on any of the classifiers would give you the matched items in your content and some feedback.

If the pre-trained classifiers do not meet your organization’s needs, you can create and train your own classifiers. There is significantly more work involved with that, but they will be much better tailored to your organization’s needs. Here is just a snapshot of the process into which we will not deep dive.

The Sensitivity info types allow you to use the built-in types created by Microsoft or create your own.

When you are creating your own sensitivity info types, you basically put name and description and configure the requirements for matching. You can choose from multiple conditions, including the check against regular expressions, keywords or dictionaries.

Tip: You should choose the Confidence level carefully. You can use more restrictive actions (e.g. block content) with only the higher-confidence matches, and you can use less restrictive actions (e.g. send notification) with the lower-confidence matches.

Content Explorer is a powerful tool that searches for classified content in your organization. You can filter by sensitive info type, for example EU Debit Card Number, EU Passport Number IBAN, or a retention label to see how many items are classified, their storage location (e.g. Exchange, SharePoint, OneDrive) and drill down even more to inspect the actual email or document.

Note: Content Explorer requires either the Microsoft 365 E5 Compliance add-on or a full Microsoft 365 E5 license.

Activity explorer is basically an audit logging tool. It will give you a glimpse of data classification activities such as when labels were applied, sensitive data modified, files printed, and much more. Label activity is monitored across Exchange, SharePoint, OneDrive, and endpoint devices at the moment of writing this article. You can filter your searches by Location, Sensitivity label or User.

Data Connectors

The data connectors allow you to connect to third-party solutions e.g. your LinkedIn or Facebook business pages, Slack, etc., and then import the data into Microsoft 365 and analyze towards your compliance policies.

Alerts

In that section you will find a list of alerts related to the overall compliance. It is a good idea to check this list frequently. There is a functionality to export the alerts in CSV.

Reports

In the Reports section you can see things like DLP policy matches, DLP incidents, top labels, where labels are used, if any labels were auto applied, users who’ve shared the most files from cloud apps, publicly shared files, high risk applications and more. Most of the cards in that section take you to the Microsoft Cloud App Security (MCAS) if you want to explore further details.

Policies

In the Policies section, you configure automated rules that you want to enforce in three categories: Alert, Data and Access.

In the Alerts category you have two options – either configure basic Office 365 alerts or go to the advanced option – Microsoft Cloud App Security (MCAS) tool.

The Office 365 alert section takes you to the Security & Compliance Center. Here you can configure triggers like suspicious e-mail patterns, elevation of admin privileges, activities from infrequent countries etc.

If you choose to go Cloud App Security way you will see plenty of cybersecurity options. You can monitor for publicly shared confidential files, logons from risky IP addresses, suspicious e-mail forwarding rules etc.

In the Data category, you can configure Data loss prevention and retention policies.

In the Data loss prevention section you can see the built-in policies and create your own. You choose the conditions on which the content is matched and the actions that are triggered when content is matched. Actions can include restricting access to the content, encrypting it, notifying the users and educating them about the proper use of sensitivity info.

In the same section you can find alerts filtered by the Data loss prevention category. The newest feature is Endpoint DLP Settings which is still in preview at the time of writing this article. The settings inside contain Unallowed Apps (e.g. Notepad++), Unallowed browsers (e.g. Mozilla Firefox) and Service domains – an allow/block list of domains which can access sensitive files. You can also configure File type exclusions where the policies configured in the Data loss prevention section will not apply.

In the retention section you configure policies that apply to multiple Microsoft 365 locations and override location-specific policies that you may have already configured in one location, say Exchange Online.

Here you can create the retention policies based on the regulatory requirements your organization has to comply with.

After you choose the name of your policy you have to choose which locations to apply it to.

Tip: You should pilot the policies with a small subset of users/groups before applying it to the whole organization.

After the location you choose the policy actions e.g. keep content for 7 years and then delete it.

You can also create retention labels and publish them. When published, retention labels appear in your users’ apps, such as Outlook, SharePoint, and OneDrive. When a label is applied to email or docs (automatically or by the user), the content is retained based on the settings you chose. For example, you can create labels that retain content for a certain time or ones that simply delete content when it reaches a certain age. Label policies allow you to auto-apply labels. When you do that, users will see the labels automatically applied to content that matches your conditions (such as content containing specific sensitive info)

Not tightly related to compliance, but as part of the Information governance area you have the Import functionality which allows you to import your e-mail (in PST format) to Microsoft 365. There is also a shortcut to the Archive functionality of Exchange Online which gives you the list of mailboxes that have the Archive enabled.

Permissions

In this section you will see the different Microsoft 365 and Azure Active Directory roles that provide levels of access to the Microsoft 365 Compliance Center and the number of users having that role. Clicking on any role, you will see the assigned users. As a best practice, try to follow the least privileges access principle. Assign only the permissions needed for a certain persona to do their job and if you have the Azure AD P2 license, use the Azure Privileged Identity Management solution to assign those just-in-time e.g. on an as-needed basis and/or with an approval process in place.

Solutions

Under the Solutions Catalog section you will find all solutions that help you manage compliance and risk management in your organization.

Clicking View on each solution would give you a detailed description, score impact that you can achieve with it and the requirements in terms of licensing and permissions.

Audit is a key solution that gives you the ability to look for virtually any activity that takes place in your Microsoft 365 tenant. You can search for specific activities e.g. Accessed file, specific users and even specific file/folder/site locations. The search is trimmed by specific dates. It is best to search for shorter time intervals so you get the results quicker. To have Audit logs for extended periods of time up to 10 years, you need to configure an audit retention policy.

With Content Search you can search for virtually anything in all the Microsoft 365 suite. All the searches are recorded and the results can be exported.

Data Subject Requests is the place to create and store your cases when somebody requests the right to their personal data (GDPR).

eDiscovery is the solution that helps legal teams implement electronic discovery workflows. eDiscovery lets you create cases and run multiple searches assigned to one case. Advanced eDiscovery lets you identify and communicate with data custodians, preserve data that’s relevant to the case, add it to a review set, review it, and apply analytics to reduce the volume of data to what’s most responsive to the case. You can tag, annotate, and redact documents, and then export the working set for presentation.

With Information protection you can configure sensitivity labels and publish them for your users. Content tagged with labels can then be targeted by DLP policies for actions like external sharing restriction and more. We recommend to first define the document classifications within your business and then apply the same classification in the format of sensitivity labels, educate your users and promote the use of labels across the whole Microsoft 365 suite.

Insider risk management helps you Detect risky activity across your organization to help you quickly identify, investigate, and act on insider risks and threats. You need to configure the alert indicators and choose whether you want the full usernames to be visible in the alerts or set them to be anonymized.

The Records management features help you demonstrate compliance with regulations and corporate policies, take control of your content lifecycle by classifying and retaining business critical records, and increase efficiency with regular deletion of records that are no longer required to be retained, no longer of value, or no longer required for business purposes.

Settings

The Settings of the Compliance Center let you integrate ServiceNow if you are using it for your ticketing system, configure Device onboarding/offboarding to/from Microsoft Defender for Endpoint (MDE).

You can set up automated testing for your Compliance Manager improvement actions that are also monitored by Secure Score.

Conclusion

We have already explored that Microsoft 365 offers a myriad of compliance and security features. The suite comes with a lot of built-in and predefined templates along with the freedom to create your own rules. Do you have difficulties finding your way around the tool or does your compliance team need competent support during implementation?.If you’re not sure where to start, you can bet on our long experience with Microsoft 365, talk about your compliance journey and rest assured that your needs will be met on time.