No business is exempt from meeting some kind of compliance or governing regulation. These controls are put in place (generally speaking) to help ensure trust and consistency when dealing with goods and services. When it comes to “as a Service” offerings, these regulations can enter grey areas and offer misconceptions of who is responsible — and at fault — if there is a violation. When it comes to Microsoft 365 the availability of networking and infrastructure is covered by Microsoft, but any integrity or confidentiality of the data stored on this backbone is the responsibility of the customer. However, Microsoft does offer many tools in portals like Microsoft 365 Defender and Microsoft Purview Compliance. This article will cover some of the basics on where and how to start monitoring your Microsoft 365 data for compliance and security.
Health and Reports in Admin Center
The Microsoft 365 admin center is the gateway portal to many things like application admin centers, billing, support, and more. Simply typing admin.microsoft.com will take you to this portal. With so many features already highlighted in the admin portal two very useful sections can be overlooked: Reports and Heath.
Reports can help a business understand who, what, and the extent of applications being consumed in Microsoft 365. Understanding how an environment is being used can help narrow down the list of where to start with protection considerations. Adoption Score is a great starting point to understand how people are leveraging Microsoft 365 resources and where the company stands compared to industry benchmarking. A very handy report in Adoption is networking, which tracks how often users get disconnected from Microsoft 365 applications when actively using them. The usage report can help to see which applications are most used in the organization and the amount of data being consumed on these resources.
Health allows organizations to keep track of outages, software updates, and overall security settings. The Dashboard is a great place to start checking on service health and what percentage of consumers may be affected by potential service interruption. The message center displays changes that have occurred or planned to occur in the environment. Any unusual behavior investigation in Microsoft 365 should start in the Microsoft 365 admin center under Health.
Microsoft 365 Defender Portal
The Microsoft 365 Defender portal can be accessed by selecting security under Admin centers from the Microsoft 365 admin center or going to secrutiy.microsoft.com. This portal is built to create a single interface to for securing your data across all application in Microsoft 365. There are a few places to start with in this portal, like secure score, learning hub, policies & rules, and threat analytics.
Secure score recommends industry standard security tips, the impact of the security risk, and steps to address the concern. Well known recommendations like enabling MFA for all users and impersonation protection trail high on the list of risk impact and the secure score.
The learning hub offers an array of trainings specific to the navigation and utilization of the Microsoft 365 defender portal. The trainings are offered in modules making it easier to find the specific training to part of the portal you are ready to tackle.
Policies and rules can be found under e-mail & collaboration. This section displays different policy sets that apply to the organization like threat, alert, and activity. Threat contains handling for safe link and anti-phishing settings for the organization. Alert policy contains alerts that might indicate a compromised account sending too many emails or suspicious payloads. Alerts policies set up alerts for detecting unwanted actions or behaviors in the organization.
Threat analytics can be found under Threat intelligence in the Microsoft 365 Defender portal. Threats tracks known attacks out on the market that could affect your environment and the impact they could have if not protected. These displayed threats will report if the organization has already fallen victim to the attack, how it can be mitigated and what kind of attack it is. This portal should be checked for new and emerging threats to your organization.
Microsoft Purview Compliance Portal
The Microsoft Purview compliance portal can be accessed via https://compliance.microsoft.com/ or through navigating to compliance in the Microsoft admin center under Admin centers. This portal contains all things in management of sensitive data. A few highlight features in this portal are the compliance score, data classification, context search, and eDiscovery.
Compliance score can be found under compliance manager. This score is impacted by features that can be configured in the portal to make your environment meet common regulations and data protection. Each recommended feature is scored by the impact it can have on your organization. Each item has a detailed report about the risk associated and configuration documentation on how to best take action. Highlighting things in this list involve general over all data protection like self-service password resets and managing tole-based access control.
Data classification is used to assign labels to data based on the sensitivity of the data. These labels can be applied manually by end users or through classifiers. There are many classifiers built in for common data types like bank statements, credit reports, and more common sensitive types of data. Custom trainable classifiers can also be added with specific company documents. Once labels have been applied the content explorer can be used to search and export what data the label is being applied to. The activity explorer can be leveraged to see fluctuations in label assignments in the organization. Labels can also be used to define compliance hold retentions on data.
Context and eDiscovery are both used to find data in production and compliance holds through various meta data and data content. Content search follows a more simplified search and recovery process by offering a scope and content conditions. Once the content search is finished then data can be viewed in a sample explorer to make sure the desired data was gathered then downloaded for in-depth processing or to hand over in case of audit.
eDiscovery is a process that is more involved than a content search and follows multiple layers of discovery and export. There are two different versions of eDiscovery, standard and premium. Standard eDiscovery offers the ability to create case scopes defining who has access to the case. Each case then is made up of various searches of data (grouped content searches), holds to prevent removal of data being collected, exports performed, and the ability to manage the case details and access later. Premium adds a layer of simplicity by walking the user through the creation of multiple case management, advanced scopes in data collection, process management for cases, indexed data, and much more.
Search for Microsoft Teams Chats
Microsoft Teams chats can be a tricky item to search and export inside the compliance portal. Chats are the one to one conversations, group chats, and meeting conversations in Microsoft Teams. These chats can be searched for through a simple content search in the compliance portal. Start by making a new search.
Name the search and give it a description. On the locations section toggle on Exchange mailboxes. The scope can be narrowed by selecting the “included” line and selecting specific users, groups, or teams.
On the conditions screen select Add condition and add a “Type” condition for “Equals any of” and check “Instant messages”. This will pull both Microsoft Teams chats and Skype for business.
To return only Microsoft Teams chats then a KQL will need to be used. The query will be “kind:im AND kind:microsoftteams”.
This will take some time to run depending on how big the organization is and how large the scope is. Once complete, the search can be selected, and actions will become available — like export and review sample.
When viewing the sample, a content search explorer will populate with the messages exchanged in Microsoft Teams chats.
Audit is found both in the Microsoft 365 Defender and Microsoft Purview Compliance portal. The Audit search is the same in both portals. Anything dealing with changes in the admin centers or application data including licensings, permissions, access, restores, updates, and more can be searched for through Audit. In the screenshot are two examples searching for users added or deleted and license changes on users. Keep in mind, many of these searches do not go back six months unless additional audit retention policies have been put in place.
Securing Microsoft 365 data can be easy when leveraging the full extent of tools offered in the Microsoft 365 environment. As digital threats evolve and compliance becomes more intricate, it has never been more important to take steps to ensure your organization’s integrity. Many of these tools are available at any license level and offer more protection to the end users and the business. For more protection tips and tricks, subscribe to our blog!