In my previous post, I covered what the Microsoft Compliance Score was and how it worked. This year at Ignite, Microsoft announced a new console in the Microsoft 365 tenant compliance console. On November 5, 2019, the new Microsoft Compliance Manager was rolled out to targeted release tenants. The console is there to assist tenant admins in protecting the data of their organizations.
What is the Microsoft Compliance Manager?
The Microsoft Compliance Manager (MCM) is a newly updated tool that Microsoft has released to support tenant admins in building up and maintaining their organization’s tenant compliance score. The MCM provides up-to-date reports on the status of the tenant’s compliance with security and governance recommendations and, through workflow-enabled processes, allows administrators to complete actions in the tenant that will increase the compliance score and thus the protection rating of their environment. The best part of all of this? It’s included with your Office 365, Microsoft 365 and/or Azure Active Directory subscription.
The Compliance Manager can be found as an option within the Compliance Console (Security and Compliance for O365) of your M365 tenant. In the left-hand menu, simply click Compliance score. This will open the MCM for you.
As you can see from the screenshot, I haven’t done much with this tenant. But you should also see from the screenshot that Microsoft has done a lot already to protect my data.
Microsoft Compliance Manager Landing Page
As you can see from the screenshot above, there is quite a bit going on with the landing page. First and foremost, you have your current compliance score. This indicates how many points you have attained through the actions suggested to you by the compliance wizard for securing your tenant and making it compliant. It also indicates how many actions you have left to complete to be “fully compliant”. As you can see, I haven’t done very well for my tenant, but Microsoft is on track as they have maxed out the possible actions available to them on the back end.
Under the key improvement actions is a list of some top actions that have been recommended for completion and the points to be gained by doing so. Clicking “View all improvement actions” will navigate the screen to the “Improvement Action” tab of the MCM. By default, all actions that have not yet been completed are listed here. Some key columns to be aware of:
- Assessments: The test template the action was flagged in. M365 MCM can make use of multiple templates to determine the compliance of your tenant. By default, only the Data Protection Baseline is applied. Other baselines like FFIEC IS, HIPAA, NIST 800-53, etc. can be applied as well. When these templates are run through the tenant, new actions based on these scans will also be listed here and highlighted as coming from that assessment (I will demonstrate adding other assessments in a future post).
- Groups: Only really come into play if you are using multiple assessments. Using Groups, you can compartmentalize action items from similar assessments together.
- Solutions: Used to group actions based on the feature they exist within. For example, “Create DLP Policies for Personally Identifiable Information” and “Create DLP Policies for Company Sensitive Information” are both part of the Data Loss Prevention solution.
- Categories: Group actions into main compliance concepts within M365. Examples include Control Access, Protect Information, Discover and Respond, and many more.
The two remaining tabs in the MCM are:
- Solutions: As discussed above, this tab groups the different features/solutions within M365. It highlights the score the tenant has achieved and the potential score it could achieve. Clicking on the Remaining number will filter the actions to be taken under that particular solution.
- Assessments: Similar to the Solutions tab, the Assessments tab provides an overview of compliance based on the different assessment templates applied to the tenant. In this tab, administrators can view the customer-completed actions left and the Microsoft-completed actions remaining.
In a future post, I will cover completing actions from the Microsoft Compliance Manager.
Thanks for reading!