As Office 365 evolves, Microsoft is very interested in creating unified services that span those three major products. Microsoft is trying to create services that are only available in their cloud. While I think there is value in moving the service in this direction, looking at the new Office 365 Security & Compliance Center makes it obvious that there is still work to be done.
In this blog post series, I’m going to walk through the new Office 365 Security & Compliance Center. I’ll take a look at the features and functionality available, and how they compare to the management options available in other Office 365 management tools. This post will cover the Permissions, Security policies, and Data management sections, with a future post covering the rest of the sections in the Security & Compliance center.
Before getting started, it is important to note that this section of the Office 365 portal is under fairly heavy development at this time. The features and organization of the Security & Compliance center are likely to change significantly in the fairly near future.
The Office 365 Security & Compliance Center for your tenant can be accessed via http://protection.office.com.
Here you can see what the interface looks like. It is done in the new cartoonish style of the Admin Center preview. While I, being a grownup, don’t feel the need to have pretty cartoon pictures everywhere, I do understand that the world we live in pretty much demands that everything has to be designed to the aesthetic of a twelve-year-old girl. While there is a prominently displayed button that allows me to “Switch back to the Compliance Center”, I assume that’s not going to be there forever, so I might as well get accustomed to the tools that are going to be around long term.
The boxes in the center of the screen give you a brief tour of some of the features available. I’d recommend you take a few minutes to click around those and read what Microsoft has to say about these features.
Down the left-hand side of the screen are the areas we are interested in today.
This section of the Security & Compliance center is a great example of what Microsoft is trying to achieve with a cross product control panel. This Permissions section is meant to give administrators a “one stop shop” to delegate rights that allow people in your organization to perform tasks in the Security & Compliance center. The problem is, it doesn’t really work.
In order to grant someone permissions to do a unified compliance search across both Exchange Online and SharePoint Online, you obviously need to be able to grant permissions in those two different products. Both SharePoint Online and Exchange Online use RBAC permissions, so building an interface to grant the needed RBAC permissions in each of those products is not too terribly difficult. However, SharePoint Online also requires additional permissions that have to be granted via the SharePoint Online web interface. Those permissions cannot be set via this interface, so an administrator who is not familiar with that process will find this Security & Compliance Center very frustrating, since adding a user to the “ComplianceAdministrator” Role Group may not give that user all the functionality you’re expecting.
At this time, I would recommend using the standard Exchange and SharePoint controls to manage these permissions.
The Security policies section includes two sub-sections: Device management and Data loss prevention. The Device management sub-section is a direct port of the Device management you have always had as part of the Office 365 Admin Center.
The Data loss prevention sub-section is where I would like to focus for a minute.
Both Exchange Online and SharePoint Online have a feature called “Data Loss Prevention”. These are two different features that do similar but different things. The Data loss prevention sub-section in the Office 365 Security & Compliance Center only controls SharePoint Online DLP policies (which also apply to OneDrive for Business).
SharePoint Online DLP policies allow you to control access to specific content, automatically encrypt documents stored in specific locations, or notify users if content is saved to the wrong location. As I am a long way away from being a SharePoint expert, I’m not going to spend much time speaking to that functionality. You can read up on the DLP policies functionality in this TechNet article.
The Data management section of the Security & Compliance center includes three sub-sections: Import, Archive, and Retention.
The Import sub-section contains a link to the Import Service section of the Office 365 Admin portal. The Office 365 Import Service is a new feature that offers an alternative to standard migrations. Instead of copying existing data into Office 365 via the internet, the Import Service allows organizations to load data on to hard drives and ship them to Microsoft. This service works for both Exchange and SharePoint data. This feature is in preview as of the writing of this post, so details and pricing information may change by the time you are reading this.
The Archive sub-section gives administrators a view of, and control over, archive mailboxes. Archive mailboxes can be enabled or disabled for users with Exchange mailboxes (and the licensing to support archive mailboxes). In addition, the size of each user’s mailbox, archive mailbox, and recoverable items is displayed. All this information is also available in the Exchange Admin Center and via PowerShell.
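As an added example (not from the original post), the same archive view can be built from PowerShell. It assumes an Exchange Online PowerShell session is already connected; the function name `Get-ArchiveMailboxReport` is hypothetical.

```powershell
# Added example: assumes an Exchange Online PowerShell session is already
# connected, so Get-Mailbox and Get-MailboxStatistics are available.

function Get-ArchiveMailboxReport {
    [CmdletBinding()]
    param(
        # Limit the report to specific mailboxes; default is every user mailbox.
        [string[]]$Identity
    )

    $mailboxes = if ($Identity) {
        $Identity | ForEach-Object { Get-Mailbox -Identity $_ }
    } else {
        Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
    }

    foreach ($mbx in $mailboxes) {
        # Statistics for the primary mailbox. A mailbox that has never been
        # logged on to returns nothing, so the size columns stay empty.
        $primary = Get-MailboxStatistics -Identity $mbx.UserPrincipalName

        # ArchiveStatus is 'Active' once an archive mailbox has been provisioned.
        $archive = $null
        if ($mbx.ArchiveStatus -eq 'Active') {
            $archive = Get-MailboxStatistics -Identity $mbx.UserPrincipalName -Archive
        }

        [pscustomobject]@{
            User               = $mbx.UserPrincipalName
            ArchiveStatus      = $mbx.ArchiveStatus
            MailboxSize        = $primary.TotalItemSize
            RecoverableItems   = $primary.TotalDeletedItemSize
            ArchiveSize        = if ($archive) { $archive.TotalItemSize } else { $null }
            ArchiveRecoverable = if ($archive) { $archive.TotalDeletedItemSize } else { $null }
        }
    }
}

# One row per user: archive state plus mailbox, archive and recoverable item sizes.
Get-ArchiveMailboxReport | Sort-Object User | Format-Table -AutoSize

# Enabling or disabling an archive uses the -Archive switch, for example:
#   Enable-Mailbox  -Identity user@example.com -Archive   # constructed address
#   Disable-Mailbox -Identity user@example.com -Archive
```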
The third sub-section in the Data management section is Retention.
This sub-section gives administrators control over both the deletion and preservation of user data within their organization’s Office 365 tenant. The delete actions here are links to either SharePoint Online or Exchange Online administrator portals to complete these actions. The Exchange Online links go to the sections of the EAC that allow you to manage retention tags, manage retention policies, and assign retention policies to users. The SharePoint Online link goes to the SharePoint Online Compliance Policy Center where you can create and manage policies to delete documents from SharePoint Online and OneDrive for Business sites after a specified period of time.
The Preservation policies under the Retention sub-section of the Security & Compliance center, however, do provide unique functionality within the Office 365 admin tool sets. These preservation policies allow administrators to keep the content that matches specific search conditions in email, documents, and Skype for Business conversations from being changed or deleted by users.
I set up a preservation policy to keep anything that matches the search term “jobs” in my mailbox, any public folders, and my personal OneDrive for Business site within my Office 365 tenant. These preservation policies can be time based or indefinite. Any messages or documents that are preserved via these policies would have to be discovered via a separate eDiscovery search.
That’s the first half of the sections currently available in the Security & Compliance center. As you can hopefully see, this is a new type of administration portal that is very much a work in progress. At this point the Security & Compliance center is probably not a net positive for Office 365 administrators; it takes a good deal of work to figure out what controls are and are not available to you.
Check back here in a couple of weeks and we’ll go through the second half of the sections and look at the controls that are there. As always, if you have any questions you can tweet me @MCSMLab.