
Office 365 Security & Compliance Center – Part 2

Nathan O'Bryan MCSM
Office 365 is a collection of online services that allow organizations to use Exchange, Skype for Business, and SharePoint in the cloud. In the nearly five years that Office 365 has been available, most of the organizations using Office 365 have used it just like that: for Exchange or Skype for Business or SharePoint in the cloud. Some organizations are using more than one of those services, but for the most part they are still using them separately.

A couple of weeks ago, we put up part 1 of this series. Today, we’re going back to finish that up with part 2 and taking a look at the rest of the Security & Compliance center in Office 365.

Search & Investigation

The next section of the Security & Compliance center we’re going to look at is the Search & Investigation section. In this section we’ve got three subsections: Content Search, Audit Log Search, and eDiscovery.

The Content search allows you to search your organization for content in email, documents, and IM conversations from a single portal. This portal is one of the truly great parts of the Security & Compliance center as it really does make it easy to find information in your Office 365 tenant.

Below is a picture of a new search. I’ve added a name to the search, three mailboxes, a site collection, and selected to include public folders in my search.

nathan1-1.png

The second page of the search wizard allows you to enter the data you are looking for. This post on support.office.com gives the details of what information is searchable within the query, and it is a lot. Here I’ve left the query section blank to include all data, and set a couple of conditions to narrow the results.

nathan2-1.png

Once the wizard is complete, I can see information about my search on the content search page.

securitycompliance3-2.png

You can quickly see that this search has discovered 1.52 GB of matching data. The Preview Search results link allows me to quickly assess whether this search is finding the proper data, and the Start export link allows me to export this data from Office 365 to files on my local computer that I can analyze or send to someone else. The Prepare results for analysis link takes you to the Advanced eDiscovery tool, which requires an E5 license (or a separate Advanced eDiscovery license). This tool will help you narrow down the results of your search to only give you the most relevant data, but is going to be beyond the scope of this blog post.
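The same content search can be scripted with the Security & Compliance PowerShell cmdlets. This is an added example, not part of the original post; the search name, mailbox addresses, site URL, admin account and date condition are constructed placeholders, and it assumes the ExchangeOnlineManagement module and an account with eDiscovery permissions.

```powershell
# Added example: scripted equivalent of the Content search wizard walk-through.
# Every name, address and URL below is a constructed placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com

$searchName = 'Example-Content-Search'

# Constructed condition standing in for the wizard's "conditions" step.
# Two properties are needed because mail and documents carry different dates.
$query = '(received>=2016-01-01) OR (lastmodifiedtime>=2016-01-01)'

# Three mailboxes, one site collection, and all public folders,
# mirroring the locations chosen on the first wizard page.
$params = @{
    Name                 = $searchName
    ExchangeLocation     = 'user1@contoso.com', 'user2@contoso.com', 'user3@contoso.com'
    SharePointLocation   = 'https://contoso.sharepoint.com/sites/example'
    PublicFolderLocation = 'All'
    ContentMatchQuery    = $query
}
New-ComplianceSearch @params | Out-Null
Start-ComplianceSearch -Identity $searchName

# Searches run asynchronously, so poll until completion or a 30-minute timeout.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

if ($search.Status -ne 'Completed') {
    throw "Search '$searchName' did not complete in time (status: $($search.Status))."
}

# Same summary the portal shows: number of items and total size.
[pscustomobject]@{
    Name   = $search.Name
    Items  = $search.Items
    SizeGB = [math]::Round($search.Size / 1GB, 2)
}

# Equivalent of the "Preview search results" link.
New-ComplianceSearchAction -SearchName $searchName -Preview
```

Reviewing the item count and size before previewing or exporting helps catch a search that is scoped too broadly before any data leaves the tenant.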

The next subsection here is the Audit log search section. There is some great functionality here, but I’m going to point you to my recent webcast for details about how to search the Office 365 audit logs. In my opinion this GUI option here is OK, but PowerShell is much better suited to searching audit logs.

The next subsection here is one that confuses me, the eDiscovery search. I certainly understand the need for an eDiscovery search, I just don’t understand having this tool in the same portal as the content search tool. These two tools are very close to the same thing. There are some minor differences in functionality between the content search and the eDiscovery search, but it’s really not a lot of difference. The eDiscovery search adds the ability to place the items you discover on in-place hold, and eDiscovery searches can be accessed directly via a SharePoint link. Results from both searches can be sent to the advanced eDiscovery tool for better refined results.

The final subsection under Data Management is Supervisory review. This is a new feature to Office 365 that is currently in preview. This section may not show in your tenant yet, but it will be there soon.

Supervisory review is a tool that lets you define policies to capture communications within your organization for later review by internal or external supervisors. This new tool deserves its own blog post, so I will cover it separately later.

Reports

The next major section of the Security & Compliance center is the Reports section. This section only has a single subsection, view reports.

Most of the content in the View reports subsection is links to other tools, both in and outside of the Security & Compliance center. The auditing section of view reports contains links to the Exchange audit reports, Office 365 audit report, and Azure AD audit reports. Again, I’m of the opinion there are better ways to access this information via PowerShell.

The devices management section of view reports links you to the Device Compliance Report. From there, you can see information about devices that are connecting to your Office 365 tenant, and their compliance status.

The Supervisory Review section of View reports links you to the Supervisory review reports. This is a new tool, and it deserves its own blog post, so instead of giving it short shrift here I’ll write a blog post focusing on this new tool separately.

The data loss prevention section of View reports links you to reports about the SharePoint and OneDrive for Business DLP actions. This section does not link to any Exchange DLP reports.

The final section of the Security & Compliance center is…

Service assurance

The Service assurance section of the Security & Compliance center is a portal for Microsoft to provide information about how Office 365 is kept secure and compliant. This is where your organization’s management will need to go to find answers to questions like “Is Office 365 HIPAA compliant?” Answering questions like that is never easy or straightforward. Yes, Office 365 can be HIPAA compliant, but ensuring that takes a lot of work from you and your organization. There is no check box in a portal you can tick to make everything compliant.

The Dashboard sub-section gives you information about what information is available around Office 365 compliance. There is also a link here that allows you to add users to the Service Assurance Users permission set. These users will have access to Office 365 compliance reports and information. The Onboarding guide linked here gives you information about how to use the Security & Compliance center.

The Compliance reports and Trust document sections link to a large number of documents pertaining to various compliancy accreditations that Microsoft maintains for Office 365. The reports shown here are specific to the industry you define for your organization in the settings sub-section. It’s important that your organization’s compliance office and/or appropriate management personnel review the documentation in this portal.

The final subsection is the settings page. This is where you need to define your organization’s region and industry. This setting will control what documentation you see in the rest of the service assurance section.

Wrapping it up

If you’ve made it this far, you’ve gone through about three thousand words for me to give you a high level overview of what is going on in the Office 365 Security & Compliance center. The Security & Compliance center is a new and evolving portal in Office 365. There have been changes in my portal since I have started writing this article, and I expect many more changes to come.

Microsoft is working toward a single portal for all security and compliance controls for Office 365, but they are not there yet. As of now, this portal is confusing and a little disorganized. It will get better over time. If your organization has compliance requirements, this portal can be a useful tool but it is by no means going to ensure all your compliance issues are taken care of. I’ll keep watching this new tool to see where it goes.
