Apr 25, 2019. The Office 365 Compliance Center grants you access to assign permissions, manage the lifecycle of your organization’s content, provide additional storage for your users, and so on. Despite this, many admins fail to use the full potential of the Compliance Center, if they use it at all.
Microsoft Office 365 is popular because of its mobility and collaboration features. However, in a cloud-hosted environment, security is the main concern because new threats are constantly introduced. Your organization, therefore, needs to use all the tools at your disposal to secure your customers’ data.
This is why Office 365 offers built-in capabilities and customer controls to help customers meet compliance standards. Let’s look at the security and governance features available in all major services.
Office 365 Security and Compliance Features
1) Multi-Factor Authentication
Multi-factor authentication requires more than just a username and password. After users log in with a username and password, they’ll receive a phone call or text message (depending on the configuration). Then they either answer the call or enter the access code received via text into the browser.
This can be set up on a user-by-user basis. For example, if you only want to set MFA on a particular group such as higher officials or company leads and not on the entire organization, it can be done with a few clicks.
IP addresses can be whitelisted, meaning that, when users are at the office, they don’t need to use multi-factor authentication. This will only be required if they’re somewhere else.
Multi-factor authentication is a free feature available on all Office 365 plans. If your organization has an Azure AD premium plan or On-premises Identity Federation with Office 365, you can configure a more advanced level of MFA such as Biometric or Smartcard. Configuring multi-factor authentication takes only a few steps in Office 365, and it can be enabled from the Office 365 Admin center.
2) App Passcode
An app password is a code that gives an app or device permission to access a user’s Office 365 account. If you’re using Multi-Factor Authentication and want to use applications that connect to your Office 365 account, you will need to create an Office 365 App Password. This is to enable the App to connect to Office 365.
For example, if you’re using Outlook 2016 or an earlier version, Apple Mail App, Skype for Business or any other third party client with Office 365, you’ll need to create an App Password. Creating an Office 365 App Password is really easy to do. One can say it’s another level of security added to the Office 365 user login process.
3) Office 365 Trust Center
Microsoft created a site called Office 365 Trust Center. It covers everything regarding security, including:
- Physical security: Can people walk in and out at data centers? How are the buildings physically secured?
- Logical security: How are servers configured? What kind of network security is applied? What kind of auditing is implemented?
- Data security: How is the actual data secured? If someone gains access to the database, are they able to read your data?
The site can be accessed via the Microsoft Trust Center link.
4) Role-Based Access Control
Role-Based Access Control (RBAC) is a feature designed to control administrative access to the different services across Office 365. It makes it possible for these services to be controlled by separate administrators.
The best example to have such role-based access on the services is the following: let’s say you hired a SharePoint Developer, who will be designing and customizing your SharePoint sites, for a short time period. In that case, he will need admin level access to the SharePoint admin center and this can be achieved by assigning SharePoint administrators rights. You don’t need to give control of the complete environment to an outsider.
Below is the list of user roles available in Office 365:
- Global Administrator
- Billing Administrator
- Exchange Administrator
- SharePoint Administrator
- Password Administrator
- Skype for Business Administrator
- Compliance Administrator
- Service Administrator
- User management Administrator
- Dynamics 365 (online)
- Dynamics 365 service Administrator
- Power BI Administrator
5) Alerts
In the Security and Compliance Center, you can track new activity and monitor users’ actions on the portal. You can configure policies to get alerts when updates take place. If a user performs any new update activity, an alert is triggered as per the conditions applied by the administrator.
6) Office 365 Security Reports
Security Reports are available in the Security and Compliance Center. These reports are available in the Report Dashboard and give you a graphical representation of the policies. You can see or download the reports such as DLP policy matches, Malware detection, Spoof and Spam Detection and many others.
There is another category of reports available, called the Usage and Activity Report, which gives you data for each service. It is available in the Office 365 Admin center.
7) Content Search
The ability to search across data is increasingly important, and Microsoft is now offering a lighter, quicker way to search across Office 365. Content Search can be used to find data in individual or all Exchange mailboxes, SharePoint sites, OneDrive for Business locations, and Skype for Business.
This feature is helpful for finding a specific type of information stored or shared across the organization. For example, if a user lost an important file that was sent to someone via email in the past, it can be recovered by searching all mailboxes; the admin only needs to query the name of the attachment.
There are no limits on the number of content locations that you can search. There are also no limits on the number of searches that can run at the same time. After you run a content search, the number of content locations and an estimated number of search results are displayed in the details pane on the Content search page. After running a search you can preview the results, get keyword statistics for one or more searches, bulk-edit content searches, and export the results to a local computer. This feature is available under the Security and Compliance Center.
8) Audit Log Search
In large organizations, it is a very common requirement to track users’ and administrators’ actions on the services. Whether it is an administrator going rogue or a regular user deleting an important business document, it is equally harmful to an organization. While there are many ways to restrict and control access to Office 365, it is still important that there’s an audit log available with this required information. This is where Audit log search in the Office 365 Security & Compliance Center comes into the picture.
Auditing can be performed on almost all major services and actions in Office 365, such as editing, uploading and deleting documents in SharePoint, OneDrive, and Group sites, as well as mailbox permissions, personal inbox email activity, and user creation and deletion. Auditing can be easily done in the Security and Compliance Center, and you can also perform a more granular level of auditing via PowerShell.
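As an added example (not code from this article or from Microsoft), the script below reviews an exported audit log for the two situations described above: a user deleting several documents in a short time, and an administrator granting mailbox permissions. The column layout, the fields inside AuditData, the users and the URLs are constructed assumptions.

```python
import csv
import io
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an exported audit log (not real tenant data). The column
# layout and the fields inside AuditData are assumptions made for this example.
SAMPLE_EXPORT = '''CreationDate,UserIds,Operations,AuditData
2019-04-22T09:01:10,dave@contoso.example,FileDeleted,"{""Workload"":""SharePoint"",""ObjectId"":""https://contoso.example/sites/hr/plan.docx""}"
2019-04-22T09:01:40,dave@contoso.example,FileDeleted,"{""Workload"":""SharePoint"",""ObjectId"":""https://contoso.example/sites/hr/pay.xlsx""}"
2019-04-22T09:02:05,dave@contoso.example,FileDeleted,"{""Workload"":""OneDrive"",""ObjectId"":""https://contoso.example/personal/dave/q1.pptx""}"
2019-04-22T10:15:00,erin@contoso.example,FileUploaded,"{""Workload"":""SharePoint"",""ObjectId"":""https://contoso.example/sites/it/run.docx""}"
2019-04-22T11:30:00,admin@contoso.example,Add-MailboxPermission,"{""Workload"":""Exchange"",""ObjectId"":""ceo@contoso.example""}"
2019-04-23T08:00:00,erin@contoso.example,FileDeleted,"{""Workload"":""SharePoint"",""ObjectId"":""https://contoso.example/sites/it/old.docx""}"
'''


def load_rows(csv_text):
    """Parse the export and decode the JSON held in the AuditData column."""
    rows = [{
        "time": datetime.fromisoformat(rec["CreationDate"]),
        "user": rec["UserIds"],
        "operation": rec["Operations"],
        "detail": json.loads(rec["AuditData"]),
    } for rec in csv.DictReader(io.StringIO(csv_text))]
    return sorted(rows, key=lambda r: r["time"])


def deletion_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` deletions inside one window, with the first such run."""
    per_user = defaultdict(list)
    for r in rows:
        if r["operation"] == "FileDeleted":
            per_user[r["user"]].append(r)
    bursts = {}
    for user, events in per_user.items():
        for i in range(len(events) - threshold + 1):
            chunk = events[i:i + threshold]
            if chunk[-1]["time"] - chunk[0]["time"] <= window:
                bursts[user] = [e["detail"]["ObjectId"] for e in chunk]
                break
    return bursts


def mailbox_permission_changes(rows):
    """(administrator, target mailbox) pairs for every mailbox permission grant."""
    return [(r["user"], r["detail"]["ObjectId"]) for r in rows
            if r["operation"] == "Add-MailboxPermission"]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_EXPORT)
    print("Deletion bursts:", deletion_bursts(rows))
    print("Mailbox permission grants:", mailbox_permission_changes(rows))
```

The threshold and window are tuning values; a single deletion by a second user on another day stays below them and is not reported.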
9) Azure AD Connect and Single Sign On
Azure Active Directory provides access control and identity management capabilities for Office 365 cloud services. Azure AD Connect allows you to synchronize on-premises active directory objects with Microsoft Office 365 cloud services. This allows you to provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.
Azure AD Connect is made up of three main components, namely Sync Services, AD FS and Health Monitoring. The Sync services component is the old DirSync and is responsible for replicating on-premises Active Directory users and groups to the Office 365 cloud. AD FS is an optional component and can be used to set up a Hybrid environment with Office 365. Features like SSO, sign-on policy, smart cards, etc. are available after Hybrid setup. The health monitoring component of Azure AD Connect allows you to monitor On-Premises active directory and synchronized objects using Azure AD Connect Health Portal.
10) Mobile Device Management via Intune
Intune is Microsoft’s mobile device and mobile application management solution. It’s typically available as part of Microsoft’s Enterprise Mobility + Security licensing bundle. Intune allows you to manage employee mobile devices and apps from a single dashboard, across Android, iOS and Windows devices. It also allows you to centrally manage the deployment of updates and applications to keep your workers at peak productivity. Key features of Intune are:
- Protect your company information by helping to control the way your workforce accesses and shares it.
- Manage the mobile devices your workforce uses to access company data.
- Manage the mobile apps your workforce uses.
- Ensure devices and apps are compliant with company security requirements.
- Apply conditional access policies so users can follow organization-based access policies even when they are not on the office premises.
11) Conditional Access via Azure AD
Azure Active Directory (Azure AD) enforces conditional access policies to help secure access to Office 365 services. You can create a conditional access policy that blocks a user who is using a noncompliant device from accessing an Office 365 service. The control capabilities in Azure Active Directory (Azure AD) conditional access offer simple ways to help secure resources in the cloud. Conditional access policies like multi-factor authentication can help protect against the risk of stolen and phished credentials. Other conditional access policies can help keep your organization’s data safe. For example, in addition to requiring credentials, you might have a policy that only devices that are enrolled in a mobile device management system, like Microsoft Intune, can access your organization’s sensitive services. With conditional access control in place, Azure AD checks for the specific conditions you set for a user to access an application. After access requirements are met, the user is authenticated and able to access the application. Conditions can be Group Membership, Location, Device platform, etc.
Policies are applied on the Mobile Platforms, Applications, and Browsers below:
- Windows domain-joined & Windows 10 Mobile work or personal devices
- Windows 7
- Windows 8 / 8.1
- Windows 10
- Windows Server 2008 R2
- Windows Server 2012 R2
- Windows Server 2016
- Windows Phone
- iOS and Android devices
- Mac OS
- Internet Explorer
- Chrome Browser
- Safari Browser
- Edge Browser
Conditional access features are available with an Azure AD Premium subscription.
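The following added example (not from this article, and not Azure AD’s own policy format) models how the conditions described above combine: group membership, device platform, a whitelisted office IP range that skips MFA, and a block for noncompliant devices. The policy structure, group names and IP ranges are hypothetical.

```python
import ipaddress

# Hypothetical, simplified policy model written for this example; it is not the
# Azure AD policy schema. Group names and IP ranges are constructed values.
POLICIES = [
    {"name": "MFA for company leads outside the office",
     "groups": {"Company Leads"}, "platforms": None,
     "trusted_networks": ["198.51.100.0/24"], "require": {"mfa"}},
    {"name": "Mobile access only from compliant devices",
     "groups": None, "platforms": {"iOS", "Android"},
     "trusted_networks": [], "require": {"compliant_device"}},
]


def policy_applies(policy, sign_in):
    """A policy applies only if every condition it sets matches the sign-in."""
    if policy["groups"] is not None and not (policy["groups"] & sign_in["groups"]):
        return False
    if policy["platforms"] is not None and sign_in["platform"] not in policy["platforms"]:
        return False
    ip = ipaddress.ip_address(sign_in["ip"])
    # Sign-ins from a trusted (whitelisted) network are exempt from the policy.
    return not any(ip in ipaddress.ip_network(net) for net in policy["trusted_networks"])


def evaluate(sign_in, policies=POLICIES):
    """Return (decision, unmet requirements) across all applicable policies."""
    satisfied = {name for name, ok in (("mfa", sign_in["mfa_done"]),
                                       ("compliant_device", sign_in["device_compliant"])) if ok}
    unmet = set()
    for policy in policies:
        if policy_applies(policy, sign_in):
            unmet |= policy["require"] - satisfied
    if "compliant_device" in unmet:
        return "block", sorted(unmet)          # noncompliant device: no access
    return ("mfa_required" if unmet else "grant"), sorted(unmet)


def make_sign_in(groups, platform, ip, mfa_done=False, device_compliant=False):
    """Build a constructed sign-in record for the demo below."""
    return {"groups": set(groups), "platform": platform, "ip": ip,
            "mfa_done": mfa_done, "device_compliant": device_compliant}


if __name__ == "__main__":
    print(evaluate(make_sign_in(["Company Leads"], "Windows 10", "198.51.100.20")))
    print(evaluate(make_sign_in(["Company Leads"], "Windows 10", "203.0.113.9")))
    print(evaluate(make_sign_in(["Sales"], "Android", "203.0.113.9")))
```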
12) Office 365 Advanced Reporting via Azure AD
To look for unusual or suspicious sign-in activities in your Office 365 organization, you can use sign-in and activity reports in Microsoft Azure. You can gain insights into how your environment is doing. The most exciting thing about these reports is that they collect data based on your geolocation and irregular sign-in behavior. In situations where you try to sign in to Office 365 from 1000 miles away from your regular sign-in location (IP-based tracking), it notifies the administrator via email and logs this detail in the report with the current IP address, device type, and other details.
The provided data enables you to:
- Determine how your apps and services are utilized by your users
- Detect potential risks affecting the health of your environment
- Troubleshoot issues preventing your users from getting their work done
There are two types of activity reports in Azure Active Directory:
Audit logs: The audit logs activity report provides you with access to the history of every task performed in your tenant.
Sign-ins: With the sign-ins activity report you can determine who has performed the tasks reported by the audit logs report.
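The distance check described in this section can be sketched as follows. This is an added example, not code from the article or from Azure AD: it takes each user’s most frequent sign-in city as the regular location and flags sign-ins more than 1000 miles away. The record fields, users, IP addresses and coordinates are constructed assumptions.

```python
import math
from collections import Counter

EARTH_RADIUS_MILES = 3958.8
THRESHOLD_MILES = 1000  # distance quoted in the article

# Constructed sample records, not real tenant data. Field names are assumptions;
# lat/lon stand in for the IP-based geolocation the report relies on.
HISTORY = [
    {"user": "alice@contoso.example", "city": "Montreal", "lat": 45.50, "lon": -73.57},
    {"user": "alice@contoso.example", "city": "Montreal", "lat": 45.50, "lon": -73.57},
    {"user": "alice@contoso.example", "city": "Toronto", "lat": 43.65, "lon": -79.38},
    {"user": "bob@contoso.example", "city": "London", "lat": 51.51, "lon": -0.13},
]
NEW_SIGN_INS = [
    {"user": "alice@contoso.example", "ip": "198.51.100.7", "device": "Windows 10", "city": "Toronto", "lat": 43.65, "lon": -79.38},
    {"user": "alice@contoso.example", "ip": "203.0.113.45", "device": "Android", "city": "London", "lat": 51.51, "lon": -0.13},
    {"user": "bob@contoso.example", "ip": "203.0.113.80", "device": "iOS", "city": "London", "lat": 51.51, "lon": -0.13},
    {"user": "carol@contoso.example", "ip": "192.0.2.9", "device": "macOS", "city": "Paris", "lat": 48.86, "lon": 2.35},
]


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in miles."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def regular_locations(history):
    """Map each user to (city, lat, lon) of their most frequent sign-in city."""
    counts = {}
    for rec in history:
        key = (rec["city"], rec["lat"], rec["lon"])
        counts.setdefault(rec["user"], Counter())[key] += 1
    return {user: c.most_common(1)[0][0] for user, c in counts.items()}


def flag_sign_ins(history, new_sign_ins, threshold=THRESHOLD_MILES):
    """Return alert dicts for sign-ins far from the user's regular location."""
    baseline = regular_locations(history)
    alerts = []
    for rec in new_sign_ins:
        if rec["user"] not in baseline:
            # No history yet: surface it separately instead of guessing.
            alerts.append({**rec, "reason": "no_baseline", "miles": None})
            continue
        city, lat, lon = baseline[rec["user"]]
        miles = haversine_miles(lat, lon, rec["lat"], rec["lon"])
        if miles > threshold:
            alerts.append({**rec, "reason": "distant_sign_in",
                           "miles": round(miles), "regular_city": city})
    return alerts


if __name__ == "__main__":
    for alert in flag_sign_ins(HISTORY, NEW_SIGN_INS):
        print(alert["user"], alert["reason"], alert["ip"], alert["device"], alert["city"], alert["miles"])
```

IP geolocation is approximate, and VPN or mobile-carrier egress points can place a legitimate user far from the office, so alerts like these are a starting point for review.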
13) Microsoft Advanced Threat Analytics
Advanced Threat Analytics is meant to help businesses block targeted attacks by automatically analyzing, learning and identifying all normal and abnormal behavior.
Microsoft ATA can identify advanced persistent threats, as well as other malicious activity, better than traditional defenses because it is continuously learning about how users, devices, and network resources interact. It is also able to detect when these patterns change.
This is a built-in Microsoft security feature that runs in the backend and uses machine learning or AI techniques; it mainly protects the environment from malicious links and attachments in emails.
14) Password Policy
Every user account that needs to sign in to Office 365 must have a unique user principal name (UPN) or LOGIN ID attribute value associated with their account. Password restrictions are mentioned below:
- 8 characters minimum and 16 characters maximum
- Strong passwords only: Requires 3 out of 4 of the following:
  - Lowercase characters
  - Uppercase characters
  - Numbers (0-9)
  - Symbols (see password restrictions above)
You can set password expiration as per your company policy. This configuration can be done via PowerShell or from the Office 365 Admin Center Security settings.
After 10 unsuccessful sign-in attempts (wrong password), the user will be locked out for one minute. Further incorrect sign-in attempts will lock out the user for longer.
These are just some of the security and governance features that we find useful in Office 365. Do you have any features to add? Let us know in the comments below.
Office 365 is one of the fastest growing products in history. With this shift to the cloud, companies have been moving their collaboration, consolidating their file shares, and moving data from personal drives containing personal information. At the same time, the world has changed: not only regulations, but privacy considerations stemming from HIPAA, GDPR, CCPA, and various global and local privacy considerations have changed the way we work. In our recent webinar on 4 easy steps to compliance with myself and Colligo, we discussed the shift to Office 365.
There has been significant momentum to move to the cloud. Analysis shows that most customers, 49% of respondents, are running in a pure Office 365 environment. 23% acknowledged they are moving or planning to move to Office 365, with a minority of 12% planning to stay in on-premises SharePoint. A small 7% of environments plan to stay in hybrid, with even more that plan to move out of hybrid as they move to 100% Office 365 in the cloud.
As companies adopt Office 365, compliance has never been more important. According to a poll in the recent webinar, it was obvious that companies are still early in their adoption of the powerful data loss prevention features, and understood to be even less far along with the newly released labels. I expect unified labeling to become even more popular after the labeling features come front and center and get integrated into the Office ribbon.
By far the most significant thing to notice in the data is the fact that most companies are just starting with the basics. Is SharePoint still just a web-based file share? I’d like to think it’s more than that, and it should be your best bet at getting compliance on the files you care about. It’s time. More features are coming to simplify adding labels, but site classifications for sensitivity, and file plans with retention labels, need to urgently support regulations and compliance. The collaboration workloads should not be so relaxed. Many organizations have yet to develop a data compliance plan to meet the modern requirements for data privacy and retention.
Microsoft is working to tip the balance. Consider the classification, DLP and labelling features they have rolled out in SharePoint just in the last year or so. From a technology standpoint, implementing data compliance has never been easier. This convergence and wave of regulations with better compliance tools may well make this the moment for companies to adopt data governance and compliance practices.
“Right now Microsoft is fusing content management and compliance – into an ever more streamlined set of tools to keep data compliant, keep knowledge easy to discover and share, and make files easy to retain or remove from SharePoint,” commented Loic Triger, COO Colligo. “Organizations that use the shift to O365 to also implement a smart compliance framework will be the ones that avoid lost productivity and best manage the risk, cost and distraction of data breaches in the next decade. Achieving that though, will also require a focus on tools easy for users.”
The opportunity is to leverage these new features to focus on compliance and as they do so look to SharePoint Add-ins like Colligo to simplify the ability to integrate labeling strategies for files and email in Outlook and Office.
There’s another incentive to address data management head on when shifting to O365. Consider the cost and data loss issues that come from moving massive data to the cloud without addressing classification and retention. Microsoft predicts a data explosion over the next few years, and IT departments are already watching it happen.
Data without labelling or classification is a privacy risk. When there is no classification, all data is treated equally as unclassified data. From a data storage perspective, it’s no better than a file share, except that it has eDiscovery and is easier to find; from a compliance perspective, it’s at risk. It’s time to get started. Use this article as a call to action.
Miss the webinar? Check out “SharePoint Data Compliance Made Easy” webinar recording, view the slides or view and download the infographics.