This article will give you an overview of office 365 security and compliance center through which you can centrally manage your Office 365 tenant security and compliance lifecycle.
Microsoft Office 365 consists of a large application suite. If you visit the Office 365 admin center, for instance, and view a whopping 10 separate sub-admin centers:
- Exchange: messaging
- Skype for Business: IM and telephony/teleconferencing
- SharePoint: collaboration
- OneDrive: file sharing
- Yammer: collaboration
- PowerApps: code-free cloud application development platform
- Flow: workflow engine
- Azure AD: identity management
- Intune: endpoint management
High-level overview
From the Office 365 admin center (https://portal.office.com), open the Admin center menu and select Security & Compliance. The Security & Compliance Center opens in a separate browser tab as shown next. The direct URL to the site is https://protection.office.com.
Before I show you the specific tasks you can perform in the Security & Compliance Center, click Permissions from the navigation bar. You need to understand the following two points about this page, shown in the following screenshot:
- The Security & Compliance Center uses a role-based access control (RBAC) authorization model just like the other Office 365 services use.
- The roles and permissions you assign here grant users permissions only to the Security & Compliance Center.
Next, let me show you some of the more important tasks you can accomplish in the Security & Compliance Center. In this article I'll show you some of them; you should certainly consult the documentation for full information.
Another thing you'll want to do is navigate to Service assurance > Dashboard and give Office 365 your business' geographic location and industry. When you provide Microsoft with that data, Office 365 gives you compliance reports and trust documents customized to your business. Pretty awesome!
NOTE: You need to assign your compliance officers' Office 365 user accounts to the Service Assurance User role in Permissions for them to access the compliance reports.
Alerts
The alerting function in the Office 365 Security & Compliance Center is a huge value to administrators because it proactively informs us when particular actions occur within the tenant.What kind of "particular actions," you wonder? Stuff like:
- privilege escalation
- deleted folders and files
- deleted users and groups
- eDiscovery activities
- unusual external user activity
- detected malware/phishing
Office 365 sends the alerts to its notification (bell) menu, targeted email addresses, as well as to the View security alerts page in the Security & Compliance Center. The following screenshot shows you what a representative email alert looks like.
Data Loss Prevention (DLP)
DLP in Office 365 combines the best parts of Active Directory Rights Management Services (AD RMS) and the Intune device management product. Whereas configuring AD RMS on premises is a giant pain in the you-know-where, configuring DLP in Office 365 is wizard driven and remarkably straightforward.The heart of DLP is the policy, which I show you in the next screenshot. Depending on your industry and security/compliance requirements, you may need to take special actions on sensitive data like patient records, financial numbers, and so forth.
A DLP policy can cover multiple data sources, such as Exchange Online, SharePoint Online, and OneDrive for Business. You can restrict access to data the policy identifies, including (a) notifying the users of any actions they need to take on the sensitive data; and (b) preventing users from copying, forwarding, and performing other actions on that data.
You can run DLP reports from the Security & Compliance Center by navigating to the Reports > Dashboard page.
Programmatic access
There's so much to see in the Office 365 Security & Compliance Center! Let's finish up by learning how to connect to the center with PowerShell. The bad news is that the Office 365 PowerShell story is a royal, confusing mess. So many modules, so many versions—it's gross.The good news is that we can actually use PowerShell remoting to establish a direct connection to the Office 365 Security & Compliance Center.
On your Windows 8.1 or Windows 10 administrative workstation, make sure you've temporarily relaxed the system's script execution policy:
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
Next, let's store our Office 365 global admin credentials:
$cred = Get-Credential
Now we'll create the remote session, storing it in a variable:
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Finally, we'll use implicit remoting to import the remote Office 365 session into our current runspace:
Import-PSSession $session
So now we have access to the Office 365 Security & Compliance Center PowerShell cmdlets. The exported Office 365 cmdlets are stored in a temporary module; you can then run Get-Command to see what's available:
PS C:\> Get-Command -Module tmp_huth43a3.oxz | Select-Object -Property Name | Format-Wide -Column 2
This module is pretty big (148 functions as of this writing), and you can perform most security/compliance tasks using them.
Conclusion
Overall, I found that once you get past your initial learning curve, the Office 365 Security & Compliance Center gives you excellent insight into your tenant. In my experience, managing Office 365 can sometimes feel like a bad game of "Whack a Mole" given how many moving parts there are.We hope that the Office 365 product teams will continue the trend of unifying the Office 365 control plane because we all (Microsoft, our business, and we as individuals) are better off for it.
Credit: 4Sysops