SC-900 - Module 4 D...
Clear all

SC-900 - Module 4 Describe the capabilities of Microsoft compliance solutions

5 Posts
1 Users
0 Reactions
11.8 K Views
Posts: 108
Topic starter
Joined: 4 years ago


Organizations must stay in line with compliance-related legal and regulatory standards to protect their customers, partners, and themselves. Microsoft provides tools and capabilities to enable organizations to manage compliance.

In this lesson, you’ll learn about the common compliance needs organizations are required to meet. You will know where to go to find compliance documentation by exploring the Service Trust Portal. You will also learn about Microsoft's privacy principles. You’ll also explore solutions like the Microsoft 365 compliance center and the Compliance Manager, which can help manage and simplify compliance across an organization.

After completing this lesson, you'll be able to:

  • Find compliance documentation.

  • Describe Microsoft’s privacy principles.

  • Explore the Microsoft 365 compliance center.

  • Describe the benefits of Compliance Manager.

Describe common compliance needs

Data has become more important than ever. Organizations, institutions, and entire societies generate and rely on data to function on a day-to-day basis. Any manipulation or loss of data can damage organizations, institutions, and societies alike. The sheer scale of data generated and the increasing reliance on it, means data management has become pivotal.

Governments are working hard to protect people by creating regulations (laws) that are designed to protect data through several measures including:

  • Granting individuals the right to access their data at any time.

  • Granting individuals the right to correct or delete data about them if needed.

  • Introducing retention periods that dictate a minimum or maximum amount of time data should be stored.

  • Enabling governments and regulatory agencies the right to access and examine data when necessary.

  • Defining rules for what data can be processed and how that should be done.

Some regulations also require that data remains protected even if it’s moved between geographic locations. For example, regulations in some countries require that any personal data transferred outside of their borders meets several conditions including:

  • The destination country where personal data is to be transferred must be considered to have adequate protections for the data.

  • Organizations must create appropriate safeguards, such as specific clauses that must be included in contracts with organizations or bodies that handle any personal data.

Common compliance regulations

Some of the regulations that organizations and institutions commonly work with include:

  • Health Insurance Portability and Accountability Act (HIPAA) – introduces rules on how health-related information should be protected.

  • The Family Educational Rights and Privacy Act (FERPA) – introduces rules to protect student information.

  • ISO 27701 – specifies rules and guidance to manage personal information, and demonstrate compliance.

Microsoft supports organizations’ compliance needs with built-in tools and capabilities to help them protect information, manage data governance, and respond to regulatory requests.

Explore the Service Trust Portal

The Service Trust Portal provides information, tools, and other resources about Microsoft security, privacy, and compliance practices. Sign in with your Microsoft cloud services account to access all the available documentation.

From the main menu, you have access to:

  • Service Trust Portal – home page.

  • Compliance Manager – measures your progress in completing actions that help reduce risks around data protection and regulatory standards. To learn more, see the Microsoft Compliance Manager documentation in the Learn More section below.

  • Trust Documents – links to a security implementation and design information.

  • Industries & Regions – contains compliance information about Microsoft Cloud services organized by industry, and region. The Industry Solutions link currently displays the home page for Financial Services. The Regional Solutions links currently have information for: Australia, Canada, Czech Republic, Denmark, Germany, Poland, Romania, Spain, and the United Kingdom.

  • Trust Center - links to the Microsoft Trust Center, which provides more information about security, compliance, and privacy in the Microsoft Cloud.

  • Resources - links to resources including Information about the features and tools available for data governance and protection in Office 365, the Microsoft Global Datacenters, and Frequently Asked Questions.

  • My Library - allows you to add documents and resources that are relevant to your organization, everything is in one place. You can also opt to have email notifications sent when a document is updated, as well as the frequency you receive notifications.

Interactive guide

Explore the Service Trust Portal through an interactive click-through guide. Select the link below to get started.

Explore the Service Trust Portal


Describe Microsoft's privacy principles

Microsoft’s products and services run on trust. Microsoft focuses on six key privacy principles when making decisions about data. Privacy is about making meaningful choices about how and why data is collected and used. It's about ensuring that you have the information you need to make the choices that are right for you across all Microsoft products and services.

The six privacy principles are:

  • Control: Putting you, the customer, in control of your privacy with easy-to-use tools and clear choices.

  • Transparency: Being transparent about data collection and use so that everyone can make informed decisions.

  • Security: Protecting the data that is entrusted to Microsoft by using strong security and encryption.

  • Strong legal protections: Respecting local privacy laws and fighting for legal protection of privacy as a fundamental human right.

  • No content-based targeting: Not using email, chat, files, or other personal content to target advertising.

  • Benefits to you: When Microsoft does collect data, it is used to benefit you, the customer, and to make your experiences better.

These principles form Microsoft’s privacy foundation, and they shape the way that products and services are designed. To learn more visit Privacy at Microsoft.


Describe the Compliance Center

The Microsoft 365 compliance center brings together all of the tools and data that are needed to help understand and manage an organization’s compliance needs.

Compliance center is available to customers with a Microsoft 365 SKU with one of the following roles:

  • Global administrator

  • Compliance administrator

  • Compliance data administrator

When an admin signs in to the Microsoft 365 compliance center portal, they’ll get a bird’s-eye view of how the organization is meeting its compliance requirements, along with which solutions can be used to help with compliance, information about any active alerts, and more.

Microsoft Compliance Center dashboard

The default compliance center home page contains several cards including:

  • The compliance score card. This card shows the compliance score, and will forward admins to the Compliance Manager where they can see a breakdown of the compliance score. Compliance score measures the progress in completing recommended improvement actions within controls. The score helps an organization to understand its current compliance posture. It also helps an organization to prioritize actions based on their potential to reduce risk.

    The compliance score card

  • The new Solution catalog card, links to collections of integrated solutions that are used to manage end-to-end compliance scenarios across three compliance solutions areas:

    • The Information protection & governance section quickly shows you how to use Microsoft 365 compliance solutions to protect and govern data in your organization.

    • The Insider risk management section on the home page shows how your organization can identify, analyze, and act on internal risks before they cause harm.

    • The Discovery & respond section on the home page shows how your organization can quickly find, investigate, and respond to compliance issues with relevant data.

    A solution's capabilities and tools might include a combination of policies, alerts, reports, and more.

    Solutions catalog card

  • The Active alerts card includes a summary of the most active alerts and a link where admins can view more detailed information, such as alert severity, status, category, and more.

    Active alerts card


In addition to the cards on the home page, there’s a navigation pane on the left of the screen that gives easy access to alerts, reports, policies, compliance solutions, and more. To add or remove options for a customized navigation pane, the Customize navigation control on the navigation pane can be used to configure which items appear there.

Compliance Center left navigation pane

Interactive guide

In this interactive guide, you will explore some of the capabilities of the Microsoft 365 Compliance Center, your home for managing compliance needs using integrated solutions for information protection, information governance, insider risk management, discovery, and more. Select the link below to get started.

Interactive guide - Explore Compliance Center


Describe Compliance Manager

Microsoft Compliance Manager is a feature in the Microsoft 365 Compliance Center that helps admins to manage an organization’s compliance requirements with greater ease and convenience. Compliance Manager can help organizations throughout their compliance journey, from taking inventory of data protection risks, to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

Refer to Compliance Manager for a brief video overview.

Compliance Manager helps simplify compliance and reduce risk by providing:

  • Prebuilt assessments based on common regional and industry regulations and standards. Admins can also use custom assessment to help with compliance needs unique to the organization.

  • Workflow capabilities that enable admins to efficiently complete risk assessments for the organization.

  • Step-by-step improvement actions that admins can take to help meet regulations and standards relevant to the organization. Some actions will also be managed for the organization by Microsoft. Admins will get implementation details and audit results for those actions.

  • Compliance score, which is a calculation that helps an organization understand its overall compliance posture by measuring how it's progressing with improvement actions.

The Compliance Manager dashboard shows the current compliance score, helps admins to see what needs attention, and guides them to key improvement actions.

Compliance manager overview pane

Compliance Manager uses several data elements to help manage compliance activities. As admins use Compliance Manager to assign, test, and monitor compliance activities, it’s helpful to have a basic understanding of the key elements: controls, assessments, templates, and improvement actions.


A control is a requirement of a regulation, standard, or policy. It defines how to assess and manage system configuration, organizational process, and people responsible for meeting a specific requirement of a regulation, standard, or policy.

Compliance Manager tracks the following types of controls:

  • Microsoft-managed controls: controls for Microsoft cloud services, which Microsoft is responsible for implementing.

  • Your controls: sometimes referred to as customer-managed controls, these are implemented and managed by the organization.

  • Shared controls: responsibility for implementing these controls is shared by the organization and Microsoft.


An assessment is a grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment helps to meet the requirements of a standard, regulation, or law. For example, an organization may have an assessment that, when the admin completes all actions within it, it helps to bring the organization’s Microsoft 365 settings in line with ISO 27001 requirements.

Assessments have several components:

  • In-scope services: the specific set of Microsoft services applicable to the assessment.

  • Microsoft-managed controls: controls for Microsoft cloud services, which Microsoft implements for the organization.

  • Your controls: these controls, sometimes referred to as customer-managed controls, are implemented and managed by the organization.

  • Shared controls: responsibility for implementing these controls is shared by the organization and Microsoft.

  • Assessment score: shows the progress in achieving total possible points from actions within the assessment that are managed by the organization and by Microsoft.

When creating assessments, an admin will assign them to a group. The admin can configure groups in whatever way is most logical for the organization. For example, they might group assessments by audit year, region, solution, teams within the organization, or some other way. Once the admin has created groups, the admin can filter the Compliance Manager dashboard to view the score by one or more groups.


Compliance Manager provides templates to help admins to quickly create assessments. They can modify these templates to create an assessment optimized for their needs. Admins can also build a custom assessment by creating a template with their own controls and actions. For example, the admin may want a template to cover an internal business process control, or a regional data protection standard that isn’t covered by one of Microsoft’s 150-plus prebuilt assessment templates.

Improvement actions

Improvement actions help centralize compliance activities. Each improvement action provides recommended guidance that's intended to help organizations to align with data protection regulations and standards. Improvement actions can be assigned to users in the organization to do implementation and testing work. Admins can also store documentation, notes, and record status updates within the improvement action.

Benefits of Compliance Manager

Compliance Manager provides many benefits, including:

  • Translating complicated regulations, standards, company policies, or other control frameworks into a simple language.

  • Providing access to a large variety of out-of-the-box assessments and custom assessments to help organizations with their unique compliance needs.

  • Mapping regulatory controls against recommended improvement actions.

  • Providing step-by-step guidance on how to implement the solutions to meet regulatory requirements.

  • Helping admins and users to prioritize actions that will have the highest impact on their organizational compliance by associating a score with each action.


Describe compliance score

Compliance score measures progress in completing recommended improvement actions within controls. The score can help an organization to understand its current compliance posture. It also helps organizations to prioritize actions based on their potential to reduce risk.

Admins can get a breakdown of the compliance score in the Compliance Manager overview pane:n of the compliance score in the Compliance Manager overview pane:

A breakdown of compliance score

What is the difference between Compliance Manager and compliance score?

Compliance Manager is an end-to-end solution in Microsoft 365 compliance center to enable admins to manage and track compliance activities. Compliance score is a calculation of the overall compliance posture across the organization. The compliance score is available through Compliance Manager.

Compliance Manager gives admins the capabilities to understand and increase their compliance score, so they can ultimately improve the organization’s compliance posture and help it to stay in line with compliance requirements.

How to understand the compliance score

The overall compliance score is calculated using scores that are assigned to actions. Actions come in two types:

  • Your improved actions: actions that the organization is expected to manage.

  • Microsoft actions: actions that Microsoft manages for the organization.

These action types have points assigned to them that count towards the compliance score. Actions can also be considered technical or nontechnical, which also affects how they impact the overall compliance score. Actions are also assigned a score value based on whether they’re categorized as mandatory, discretionary, preventative, detective, or corrective:

  • Mandatory – these actions shouldn’t be bypassed. For example, creating a policy to set requirements for password length or expiration.

  • Discretionary – these actions depend on the users understanding and adhering to a policy. For example, a policy where users are required to ensure their devices are locked before they leave them.

The following are subcategories of actions that can be classified as mandatory or discretionary:

  • Preventative actions are designed to handle specific risks, like using encryption to protect data at rest if there were breaches or attacks.

  • Detective actions actively monitor systems to identify irregularities that could represent risks, or that can be used to detect breaches or intrusions. Examples of these types of actions are system access audits, or regulatory compliance audits.

  • Corrective actions help admins to minimize the adverse effects of security incidents, by undertaking corrective measures to reduce their immediate effect or possibly even reverse damage.

How compliance score can be calculated

Actions that are mandatory and preventative, with 27 points, provide the highest points value towards your compliance score. Organizations accumulate points for every action completed. And the compliance score is shown as a percentage representing all the actions completed, compared with the ones outstanding:

Example of a compliance score

Interactive guide

In this interactive guide, you’ll explore compliance score. Select the link below to get started.

Interactive guide - Explore compliance score.



Knowledge check

Multiple choice

Item 1. When browsing Microsoft compliance documentation in the Service Trust Portal, you have found several documents that are specific to your industry. What is the best way of ensuring you keep up to date with the latest updates?

Multiple choice

Item 2. A new admin has joined the team and needs to be able to access the Microsoft 365 Compliance Center. Which of the following roles could the admin use to access the Compliance Center?​​

Multiple choice

Item 3. Your new colleagues on the admin team are unfamiliar with the concept of shared controls in Compliance Manager. How would the concept of shared controls be explained?

Multiple choice

Item 4. A customer has requested a presentation on how the Microsoft 365 Compliance Center can help improve their organization’s compliance posture. The presentation will need to cover Compliance Manager and compliance score. What is the difference between Compliance Manager and compliance score?


Summary and resources

In this lesson you learned about the various tools provided by Microsoft to manage compliance for your organization. You explored how compliance center and Compliance Manager can help organizations to manage compliance.

Without these tools, organizations couldn't manage compliance, and they would be at risk of not meeting required legal and regulatory standards. With these tools, they can stay in line with compliance requirements.

Now that you’ve completed this lesson, you should be able to:

  • Find compliance documentation.

  • Describe Microsoft’s privacy principles.

  • Explore the Microsoft 365 compliance center.

  • Describe the benefits of Compliance Manager.

Learn more

4 Replies
Posts: 108
Topic starter
Joined: 4 years ago


Organizations need to protect all sorts of information, including financial and personal information. This must be done to ensure customers, employees, and the organization are protected from risks. The organization needs to stay in line with compliance standards wherever it operates.

Microsoft provides solutions that can help organizations to implement information protection and governance.

In this lesson, you’ll learn about how Microsoft solutions and capabilities like data classification, records management, and data loss prevention, can help you implement information protection and governance.

After completing this lesson, you'll be able to:

  • Describe data classification capabilities.

  • Describe records management.

  • Describe data loss prevention.

Know your data, protect your data, and govern your data

Microsoft Information Protection discovers, classifies, and protects sensitive and business-critical content throughout its lifecycle across your organization. It provides the tools to know your data, protect your data, and prevent data loss.

Microsoft Information Governance manages your content lifecycle using solutions to import, store, and classify business-critical data so you can keep what you need and delete what you don't. It gives organizations the capabilities to govern their data, for compliance or regulatory requirements. Microsoft Information Protection and Microsoft Information Governance work together to classify, protect, and keep your data where it lives, and wherever it goes.

The concept of know your data, protect your data, prevent data loss, and govern your data, represented by four circles.

  • Know your data: Organizations can understand their data landscape and identify important data across on-premises, cloud, and hybrid environments. Capabilities and tools such as trainable classifiers, activity explorer, and content explorer allow organizations to know their data.

  • Protect your data: Organizations can apply flexible protection actions including encryption, access restrictions, and visual markings.

  • Prevent data loss: Organizations can detect risky behavior and prevent accidental oversharing of sensitive information. Capabilities such as data loss prevention policies and endpoint data loss prevention enable organizations to avoid data loss.

  • Govern your data: Organizations can automatically keep, delete, and store data and records in a compliant manner. Capabilities like retention policies, retention labels, and records management enable organizations to govern their data.

Information and capabilities related to each of these areas are described throughout this lesson.



Describe data classification capabilities of compliance center

Organizations need to know their data to identify important information across the estate and ensure that data is handled in line with compliance requirements. Admins can enable their organization to know its data through data classification capabilities and tools in the Microsoft 365 compliance center, such as sensitive information types, trainable classifiers, content explorer, and activity explorer.

Sensitive information types

With Microsoft 365 compliance center, admins can identify and protect sensitive information types. Sensitive information types have set patterns that can be used to identify them. For example, an identification number in a region/country may be based on a specific pattern, like this:


Microsoft 365 includes many built-in sensitive information types based on patterns that are defined by a regular expression (regex) or a function.

Examples include:

  • Credit card numbers

  • Passport or identification numbers

  • Bank account numbers

  • Health service numbers

Refer to Sensitive information type entity definitions for a listing of available built-in sensitive information types.

Data classification in Microsoft 365 also supports the ability to create custom sensitive information types to address organization-specific requirements. For example, an organization may need to create sensitive information types to represent employee IDs or project numbers.

Trainable classifiers

Trainable classifiers use artificial intelligence and machine learning to intelligently classify your data. They're most useful classifying data unique to an organization like specific kinds of contracts, invoices, or customer records. This method of classification is more about training a classifier to identify an item based on what the item is, not by elements that are in the item (pattern matching). Two types of classifier are available:

  • Pre-trained classifiers - Microsoft has created and pretrained many classifiers that you can start using without training them. These classifiers will appear with the status of Ready to use. Microsoft 365 comes with five pretrained classifiers that detect and classify things like resumes, source code, harassment, profanity, and threat (relates to committing violence or doing physical harm).

  • Custom trainable classifiers - Microsoft supports the ability to create and train custom classifiers. They're most useful when classifying data unique to an organization, like specific kinds of contracts, invoices, or customer records.

To get a custom trainable classifier to accurately identify an item as being in a particular category of content, it must first be presented with many samples of the type of content in the category. This feeding of positive samples is known as seeding and is used to create a prediction model for the classifier.

The model gets tested to determine if the classifier can correctly distinguish between items that match the category and items that don't. The result of each prediction is manually verified, which serves as input to improve the accuracy of the prediction model.

After the accuracy score of the model has stabilized, the classifier can be published. Trainable classifiers can then sort through items in locations like SharePoint Online, Exchange, and OneDrive, and classify the content.

NOTE: At this time, classifiers only work with items that are in English and that are not encrypted.

Understand and explore the data

Data classification can involve large numbers of documents and emails. To help administrators to easily derive insights and understanding, the overview section of the data classification pane in compliance center provides many details at a glance, including:

  • The number of items classified as sensitive information and which classifications they are.

  • Details on the locations of data based on sensitivity.

  • Summary of actions that users are taking on sensitive content across the organization.

Administrators can also use the content and activity explorers to gain a deeper understanding and guide their actions.

What is the content explorer?

The content explorer is available as a tab in the data classification pane of compliance center. It enables administrators to gain visibility into the content that has been summarized in the overview pane. Access to content explorer is highly restricted because it makes it possible to read the contents of scanned files. There are two roles that grant access to content explorer:

  • Content explorer list viewer.

  • Content explorer content viewer.

Anyone who wants to access content explorer must have an account in one or both of the role groups.

With content explorer, administrators get a current snapshot of individual items that have been classified across the organization. It enables administrators to further drill down into items by allowing them to access and review the scanned source content that's stored in different kinds of locations, such as Exchange, SharePoint, and OneDrive.

What is the activity explorer?

Activity explorer provides visibility into what content has been discovered and labeled, and where that content is. It makes it possible to monitor what's being done with labeled content across the organization. Admins gain visibility into document-level activities like label changes and label downgrades (such as when someone changes a label from confidential to public).

Admins use the filters to see all the details for a specific label, including file types, users, and activities. Activity explorer helps you understand what's being done with labeled content over time. Admins use activity explorer to evaluate if controls already in place are effective.

Here are a few of the activity types that can be analyzed:

  • File copied to removable media

  • File copied to network share

  • Label applied

  • Label changed

Admins can use more than 30 filters for data including:

  • Date range

  • Activity type

  • Location

  • User

  • Sensitivity label

  • Retention label

The value of understanding what actions are being taken with sensitive content is that admins can see if the controls that they've already put in place, such as data loss prevention policies, are effective or not. For example, if it’s discovered that a large number of items labeled Highly Confidential have suddenly been downgraded to Public, admins can update policies and act to restrict undesired behavior as a response.

Explore Data classification in the compliance center

Watch data classification for information on the various data classification capabilities available in the compliance center.



Describe sensitivity labels

Organizations must protect their data, to safeguard customers and business operations, and to meet compliance standards. Admins can enable their organization to protect its data, through capabilities and tools such as sensitivity labels and policies in Microsoft 365 compliance center.

Sensitivity labels

Sensitivity labels, available as part of information protection in the Microsoft 365 compliance center, enable the labeling and protection of content, without affecting productivity and collaboration. With sensitivity labels, organizations can decide on labels to apply to content such as emails and documents, much like different stamps are applied to physical documents.

Labels are:

  • Customizable: Admins can create different categories specific to the organization, such as Personal, Public, Confidential, and Highly Confidential.

  • Clear text: Because each label is stored in clear text in the content's metadata, third-party apps and services can read it and then apply their own protective actions, if necessary.

  • Persistent. After you apply a sensitivity label to content, the label is stored in the metadata of that email or document. The label then moves with the content, including the protection settings, and this data becomes the basis for applying and enforcing policies.

Each item that supports sensitivity labels can only have one label applied to it, at any given time.

Sensitivity labels can be used to:

  • Encrypt email only or both email and documents. When a document or email is encrypted, access to the content is restricted, so that:

    • It can be decrypted only by users authorized by the label's encryption settings.

    • Remains encrypted no matter where it stays, inside or outside your organization, even if the file is renamed.

    • It's encrypted both at rest (for example, in a OneDrive account) and in transit (for example, an email message as it traverses the internet).

  • Mark the content when Office apps are used. Marking the content includes adding watermarks, headers, or footers. Headers or footers can be added to emails or documents that have the label applied. Watermarks can be applied to documents but not to email.

  • Apply the label automatically in Office apps or recommend a label. Admins choose the types of sensitive information to be labeled. The label can be applied automatically or configured to prompt users to apply the recommended label.

  • Protect content in containers such as sites and groups when this capability is enabled. This label configuration doesn't result in documents being automatically labeled. Instead, the label settings protect content by controlling access to the container where documents are stored.

  • Extend sensitivity labels to third-party apps and services. Using the Microsoft Information Protection SDK, third-party apps can read sensitivity labels and apply protection settings.

  • Classify content without using any protection settings. A classification can be assigned to content (just like a sticker) that persists and roams with the content as it's used and shared. The classification can be used to generate usage reports and view activity data for sensitive content.

Label policies

After sensitivity labels are created, they need to be published to make them available to people and services in the organization. Sensitivity labels are published to users or groups through label policies. Sensitivity labels will then appear in Office apps for those users and groups. The sensitivity labels can be applied to documents and emails. Label policies enable admins to:

  • Choose the users and groups that can see labels. Labels can be published to specific users, distribution groups, Microsoft 365 groups in Azure Active Directory, and more.

  • Apply a default label to all new emails and documents that the specified users and groups create. Users can always change the default label if they believe the document or email has been mislabeled.

  • Require justifications for label changes. If a user wants to remove a label or replace it, admins can require the user to provide a valid justification to complete the action. The user will be prompted to provide an explanation for why the label should be changed.

  • Require users to apply a label (mandatory labeling). It ensures a label is applied before users can save their documents, send emails, or create new sites or groups.

  • Link users to custom help pages. It helps users to understand what the different labels mean and how they should be used.

Once a sensitivity label is applied to an email or document, any configured protection settings for that label are enforced on the content. For example, by choosing encryption settings for a sensitivity label, admins can protect content so that:

  • Only users within the organization can open a confidential document or email.

  • Only users in a specific department can edit and print a document or email, while all other users in the organization can only read it.

  • Users can't forward or copy information from an email.

  • Users can't open a document after a specified date.

Admins can also enable users to label and protect their files using the Windows File Explorer (to label extra file types, and more files simultaneously), by installing the Azure Information Protection unified labeling client on Windows devices.



Describe Data Loss Prevention

Data loss can harm an organization’s customers, business processes, and the organization itself. Organizations need to prevent data loss by detecting risky behavior and preventing sensitive information from being shared inappropriately. Admins can use data loss prevention policies, available in Microsoft 365 compliance center, to help their organization.

Data loss prevention (DLP) is a way to protect sensitive information and prevent its inadvertent disclosure. With DLP policies, admins can:

  • Identify, monitor, and automatically protect sensitive information across Microsoft 365, including:

    • OneDrive for Business

    • SharePoint Online

    • Microsoft Teams

    • Exchange Online

  • Help users learn how compliance works without interrupting their workflow. For example, if a user tries to share a document containing sensitive information, a DLP policy can send them an email notification and show them a policy tip.

  • View DLP reports showing content that matches the organization's DLP policies. To assess how the organization is following a DLP policy, admins can see how many matches each policy has over time.

DLP policies protect content through the enforcement of rules that consist of:

  • Conditions that the content must match before the rule is enforced.

  • Actions that the admin wants the rule to take automatically when content that matches the conditions has been found.

  • Locations where the policy will be applied, such as Exchange, SharePoint, OneDrive, and more.

For example, an admin can configure a DLP policy that helps detect information that's subject to a compliance regulation like the Health Insurance Portability and Accountability Act (HIPAA) across all SharePoint sites and OneDrive for Business. The admin can block the relevant documents from being shared inappropriately.

DLP policies protect information by identifying and automatically protecting sensitive data. Here's some scenarios where DLP policies can help:

  • Identify any document containing a credit card number stored in users’ OneDrive for Business accounts.

  • Automatically block an email containing employee personal information from being sent outside the organization.

A policy can contain one or more rules, and each rule consists of conditions and actions at a minimum. For each rule, when the conditions are met, the actions are taken automatically. Rules can be grouped into one policy, to help simplify management and reporting. The diagram below shows how multiple rules, each with their own conditions and actions, are grouped into a single policy:

Diagram showing how a single policy can consist of multiple rules.

The rules inside the policy are prioritized in how they’re implemented. For example, in the above diagram, rule one will be prioritized before rule two, and so on.

What is endpoint data loss prevention?

Endpoint data loss prevention is how the protection and activity monitoring capabilities of DLP for sensitive content can be extended to Windows 10 devices. Admins can choose to target Windows 10 when creating a DLP policy (after onboarding the devices to Microsoft 365 compliance solutions). Endpoint DLP enables admins to audit and manage activities that users complete on sensitive content, including:

  • Creating an item

  • Renaming an item

  • Copying items to removable media

  • Copying items to network shares

  • Printing documents

  • Accessing items using unallowed apps and browsers

In the activity explorer, you can view information about what users are doing with sensitive content:

The activity explorer show activities monitored through endpoint DLP.

Admins use this information to enforce protective actions for content through controls and policies.

Data loss prevention in Microsoft Teams

Data loss prevention capabilities have been extended to Microsoft Teams chat and channel messages, including messages in private channels. With DLP, administrators can now define policies that prevent users from sharing sensitive information in a Teams chat session or channel, whether it's in a message, or a file. Just like with Exchange, Outlook, SharePoint, and OneDrive for Business, administrators can use DLP policy tips that will be displayed to the user to show them why a policy has been triggered. For example, the screenshot below shows a policy tip on a chat message that was blocked because the user attempted to share a U.S. Social Security Number:

A policy tip is shown in Microsoft Teams so that the user knows why their message was blocked.

The user can then find out more information about why their message was blocked by selecting the “What can I do?” link, and take appropriate action:

The user can find more information about why their message was blocked, and take recommended actions.

With DLP policies, Microsoft Teams can help users across organizations to collaborate securely and in a way that's in line with compliance requirements.



Describe Retention Polices and Retention Labels

Retention labels and policies help organizations to manage and govern information by ensuring content is kept only for a required time, and then permanently deleted. Applying retention labels and assigning retention policies helps organizations:

  • Comply proactively with industry regulations and internal policies that require content to be kept for a minimum time.

  • Reduce risk when there's litigation or a security breach by permanently deleting old content that the organization is no longer required to keep.

  • Ensure users work only with content that's current and relevant to them.

When content has retention settings assigned, it stays in its original location. People can continue to work with their documents or mail as if nothing's changed. But if they edit or delete content that's included in the retention policy, a copy is automatically kept in a secure location. The secure locations and the retained content aren't visible to most people. In most cases, people don't even need to know that their content is subject to retention settings.

Retention settings work with the following different workloads:

When using retention policies and retention labels to assign retention settings to content, there are some points to understand about each. Listed below are just a few of the key points. For a more complete list visit Compare capabilities for retention policies and retention labels.

Retention policies

  • Retention policies are used to assign the same retention settings to content at a site level or mailbox level.

  • A single policy can be applied to multiple locations, or to specific locations or users.

  • Items inherit the retention settings from their container specified in the retention policy. If a policy is configured to keep content, and an item is then moved outside that container, a copy of the item is kept in the workload's secured location. However, the retention settings don't travel with the content in its new location.

Retention labels

  • Retention labels are used to assign retention settings at an item level, such as a folder, document, or email.

  • An email or document can have only a single retention label assigned to it at a time.

  • Retention settings from retention labels travel with the content if it’s moved to a different location within your Microsoft 365 tenant.

  • Admins can enable users in the organization to apply a retention label manually.

  • A retention label can be applied automatically if it matches defined conditions.

  • A default label can be applied for SharePoint documents.

  • Retention labels support disposition review to review the content before it's permanently deleted.

Consider the following scenarios. If all documents in a SharePoint site should be kept for five years, it's more efficient to do with a retention policy than apply the same retention label to all documents in that site.

However, if some documents in that site should be kept for five years and others for 10 years, you'd need to apply a policy to the SharePoint site with a retention period of five years. You'd then apply a retention label to the individual item with a retention setting of 10 years.



Describe Records Management

Organizations of all types require a management solution to manage regulatory, legal, and business-critical records across their corporate data. Records management in Microsoft 365 helps an organization look after their legal obligations. It also helps to demonstrate compliance with regulations, and increases efficiency with regular disposition of items that are no longer required to be kept, no longer of value, or no longer required for business purposes. It provides the following capabilities:

  • Labeling content as a record.

  • Migrating and managing retention plans with file plan manager.

  • Establishing retention and deletion policies within the record label.

  • Triggering event-based retention.

  • Reviewing and validating disposition.

  • Proof of records deletion.

  • Exporting information about disposed items.

  • Setting specific permissions for record manager functions in the organization.

When content is labeled as a record, the following happens:

  • Restrictions are put in place to block certain activities.

  • Activities are logged.

  • Proof of disposition is kept at the end of the retention period.

To enable items to be marked as records, an administrator sets up retention labels.

The user can find more information about why their message was blocked, and take recommended actions.

Items such as documents and emails can then be marked as records based on those retention labels. Items might be marked as records, but they can also be shown as regulatory records. Regulatory records provide other controls and restrictions such as:

  • A regulatory label can’t be removed when an item has been marked as a regulatory record.

  • The retention periods can’t be made shorter after the label has been applied.

For more information on comparing, use the Compare restrictions for what actions are allowed or blocked section of the documentation.

The most important difference is that if content has been marked as a regulatory record, nobody, not even a global administrator, can remove the label. Marking an item as a regulatory record can have irreversible consequences, and should only be used when necessary. As a result, this option isn’t available by default, and has to be enabled by the administrator using PowerShell.

Common use cases for records management

Microsoft 365’s records management capabilities are flexible. There are different ways in which records management can be used across an organization, including:

  • Enabling administrators and users to manually apply retention and deletion actions for documents and emails.

  • Automatically applying retention and deletion actions to documents and emails.

  • Enabling site admins to set default retain and delete actions for all content in a SharePoint library, folder, or document set.

  • Enabling users to automatically apply retain and delete actions to emails by using Outlook rules.

To ensure records management is used correctly across the organization, administrators can work with content creators to put together training materials. Documentation should explain how to apply labels to drive usage, and ensure a consistent understanding.


Summary and resources

You’ve explored how Microsoft 365 capabilities like data classification, records management, and data loss prevention can help provide information protection and information governance across an organization.

Without these capabilities, an organization's information could be at risk, and it might not be compliant with legal and regulatory standards. However, by using these capabilities, organizations can provide information protection and governance to help avoid the risk of noncompliance.

Now that you’ve completed this lesson, you should be able to:

  • Describe data classification capabilities.

  • Describe records management.

  • Describe data loss prevention.

Learn more

Knowledge check

Multiple choice

Item 1. Which part of the concept of know your data, protect your data, and prevent data loss addresses the need for organizations to automatically retain, delete, store data and records in a compliant manner?

Multiple choice

Item 2. As part of a new data loss prevention policy, the compliance admin needs to be able to identify important information such as credit card numbers, across the organization's data. How can the admin address this requirement?

Multiple choice

Item 3. Within the organization, some emails are confidential and should be encrypted so that only authorized users can read them. How can this requirement be implemented?

Multiple choice

Item 4. Your organization uses Microsoft Teams to collaborate on all projects. The compliance admin wants to prevent users from accidentally sharing sensitive information in a Microsoft Teams chat session. What capability can address this requirement?

Multiple choice

Item 5. Due to a certain regulation, your organization must now keep hold of all documents in a specific SharePoint site that contains customer information for five years. How can this requirement be implemented?




Posts: 108
Topic starter
Joined: 4 years ago



Organizations understand that risks can come from insiders, like contractors, or even employees. There's always a risk that people might share information with competitors after leaving the company. Organizations need to ensure that they’re protected from these kinds of risks.

In this lesson, you’ll learn how Microsoft 365 capabilities like insider risk management, communication compliance, information barriers, privileged access management, and Customer Lockbox can help you protect your organization.

After completing this lesson, you'll be able to:

  • Describe how Microsoft 365 can help organizations identify insider risks and take appropriate action.

  • Describe how Microsoft 365 helps organizations identify, investigate, and remediate malicious and inadvertent activities in your organization.

Describe the Insider Risk Management solution

Insider risk management is a solution in Microsoft 365 that helps minimize internal risks by enabling an organization to detect, investigate, and act on risky and malicious activities. Insider risk management is available in Microsoft 365 compliance center.

Managing and minimizing risk in an organization starts with understanding the types of risks found in the modern workplace. Some risks are driven by external events and factors, and are outside an organization’s direct control. Other risks are driven by internal events and employee activities that can be eliminated and avoided. Some examples are risks from illegal, inappropriate, unauthorized, or unethical behavior and actions by employees and managers. These behaviors can lead to a broad range of internal risks from employees:

  • Leaks of sensitive data and data spillage

  • Confidentiality violations

  • Intellectual property (IP) theft

  • Fraud

  • Insider trading

  • Regulatory compliance violations

Insider risk management is centered around the following principles:

  • Transparency: Balance user privacy versus organization risk with privacy-by-design architecture.

  • Configurable: Configurable policies based on industry, geographical, and business groups.

  • Integrated: Integrated workflow across Microsoft 365 compliance solutions.

  • Actionable: Provides insights to enable user notifications, data investigations, and user investigations.

Insider risk management workflow

Insider risk management helps organizations to identify, investigate, and address internal risks. With focused policy templates, comprehensive activity signaling across Microsoft 365, and a flexible workflow, organizations can take advantage of actionable insights to help identify and resolve risky behavior quickly. Identifying and resolving internal risk activities and compliance issues with insider risk management in Microsoft 365 is achieved using the following workflow:

The insider risk management workflow.


  • Policies - Insider risk management policies are created using predefined templates and policy conditions that define what risk indicators are examined in Microsoft 365 feature areas. These conditions include how indicators are used for alerts, what users are included in the policy, which services are prioritized, and the monitoring time period.

  • Alerts - Alerts are automatically generated by risk indicators that match policy conditions and are displayed in the Alerts dashboard. This dashboard enables a quick view of all alerts needing review, open alerts over time, and alert statistics for the organization.

  • Triage - New activities that need investigation automatically generate alerts that are assigned a Needs review status. Reviewers in the organization can quickly identify these alerts and scroll through each to evaluate and triage. Alerts are resolved by opening a new case, assigning the alert to an existing case, or dismissing the alert. As part of the triage process, reviewers can view alert details for the policy match, view user activity associated with the match, see the severity of the alert, and review user profile information.

  • Investigate - Cases are created for alerts that require deeper review and investigation of the details and circumstances around the policy match. The Case dashboard provides an all-up view of all active cases, open cases over time, and case statistics for the organization. Selecting a case on the dashboard opens it for investigation and review. This area is where risk activities, policy conditions, alerts details, and user details are synthesized into an integrated view for reviewers.

  • Action - After cases are investigated, reviewers can quickly act to resolve the case or collaborate with other risk stakeholders in the organization.

    • Actions can be as simple as sending a notification when employees accidentally or inadvertently violate policy conditions.

    • In more serious cases, reviewers may need to share the insider risk management case information with other reviewers in the organization. Escalating a case for investigation makes it possible to transfer data and management of the case to Advanced eDiscovery in Microsoft 365.

Insider risk management can help you detect, investigate, and take action to mitigate internal risks in your organization in several common scenarios. These scenarios include data theft by employees, the intentional, or unintentional leak of confidential information, offensive behavior, and more.


Describe communication compliance

Communication compliance in Microsoft 365 compliance center helps minimize communication risks by enabling organizations to detect, capture, and take remediation actions for inappropriate messages. Predefined and custom policies in communication compliance make it possible to scan internal and external communications for policy matches so they can be examined by chosen reviewers.

Identifying and resolving compliance issues with communication compliance in Microsoft 365 uses the following workflow:

Diagram showing the communication compliance workflow.

  • Configure – in this step, admins identify compliance requirements and configure applicable communication compliance policies.

  • Investigate – admins look deeper into the issues detected when matching your communication compliance policies. Tools and steps that help include alerts, issue management to help remediation, document reviews, reviewing user history, and filters.

  • Remediate – remediate communications compliance issues. Options include resolving an alert, tagging a message, notifying the user, escalating to another reviewer, marking an alert as a false positive, removing a message in Teams, and escalating for investigation.

  • Monitor – Keeping track and managing compliance issues identified by communication compliance policies spans the entire workflow process. Communication compliance dashboard widgets, export logs, and events recorded in the unified audit logs can be used to continually evaluate and improve your compliance posture.

Communication compliance enables reviewers to investigate scanned emails, and messages across Microsoft Teams, Exchange Online, Yammer, or third-party communications in an organization, taking appropriate remediation actions to make sure they're compliant with the organization's message standards.

Some important compliance areas where communication compliance policies can assist with reviewing messages include:

  • Corporate policies - Users have to follow corporate policies like usage and ethical standards in their day-to-day business communications. With communication compliance, admins can scan user communications across the organization for potential concerns of offensive language or harassment.

  • Risk management - Communication compliance can help admins scan for unauthorized communication about projects that are considered to be confidential, such as acquisitions, earnings disclosures, and more.

  • Regulatory compliance - Most organizations are expected to follow some regulatory compliance standards during their day-to-day operations. For example, a regulation might require organizations in the finance sector to review communications of its brokers to safeguard against potential insider trading, money laundering, or bribery. Communication compliance enables the organization to scan and report on these types of communications in a way that meets their requirements.

For a walk-through of the communication compliance capability refer to Communication Compliance: Solution tutorial to identify inappropriate communication and quickly take action.

Communication compliance is a powerful tool, that can help maintain and safeguard your staff, your data and your organization.


Describe information barriers

Microsoft 365 provides organizations with powerful communication and collaboration capabilities. However, an organization might want to restrict communications between some groups to avoid a conflict of interest from occurring in the organization, or to restrict communications between certain people to safeguard internal information. With information barriers, the organization can restrict communications among specific groups of users.

It's important to note that information barriers only support two-way restrictions. One-way restrictions, such as marketing, can communicate with day traders but day traders who can't communicate with marketing are not supported.

Information barriers are policies that admins can configure to prevent individuals or groups from communicating with each other. When information barrier policies are in place, people who shouldn't communicate with other specific users can't find, select, chat, or call those users. With information barriers, checks are in place to prevent unauthorized communication.

Here are some examples of how information barriers can be applied:

  • Education: Students in one school can't look up contact details for students of other schools.

  • Legal: Maintaining confidentiality of data obtained by the lawyer of one client from being accessed by a lawyer for the same firm representing a different client.

  • Professional services: A group of people in a company is only able to chat with a client or specific customer via federation or guest access during a customer engagement.

Information barriers are supported in solutions like Microsoft Teams, OneDrive for Business, SharePoint Online, and more.

Information barriers in Microsoft Teams

In Microsoft Teams, information barrier policies determine and prevent the following kinds of unauthorized communications:

  • Searching for a user

  • Adding a member to a team

  • Starting a chat session with someone

  • Starting a group chat

  • Inviting someone to join a meeting

  • Sharing a screen

  • Placing a call

  • Sharing a file with another user

  • Access to file through sharing link

If the people involved are included in an information barrier policy to prevent the activity, they cannot continue. Potentially, everyone included in an information barrier policy can be blocked from communicating with others in Microsoft Teams. When people affected by information barrier policies are part of the same team or group chat, they might be removed from those chat sessions and further communication with the group might not be allowed.

To learn more about the user experience with information barriers, visit information barriers in Microsoft Teams.



Describe privileged access management

Privileged access management allows granular access control over privileged admin tasks in Microsoft 365. It can help protect organizations from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings.

Enabling privileged access management in Microsoft 365 allows organizations to operate with zero standing access. This means that any user who needs privileged access, must request permissions for access, and will receive only the level of access they need just when they need it, and with just-enough access to perform the job at hand. Zero standing access provides a layer of protection against standing administrative access vulnerabilities.

Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow, described below:

  1. Configure a privileged access policy - Configuring an approval policy allows the admin to define the specific approval requirements scoped at individual tasks.

  2. Access request - Users can request access to elevated or privileged tasks. The privileged access feature sends the request to Microsoft 365 for processing against the configured privilege access policy and records the Activity in the Security & Compliance Center logs.

  3. Access approval - An approval request is generated, and the pending request notification is emailed to approvers. If approved, the privileged access request is processed as an approval and the task is ready to be completed. If denied, the task is blocked and no access is granted to the requestor. The requestor is notified of the request approval or denial via email message.

  4. Access processing - For an approved request, the task is processed. The approval is checked against the privileged access policy and processed by Microsoft. All activity for the task is logged in the Security & Compliance Center.

For a detailed walk-through, watch Privileged access management: Tour of scoped, just-in-time controls for granting admin role & task privileges.

Privileged access management (PAM) sounds a lot like Privileged Identity Management (PIM), so what is the difference?

Privileged access management is defined and scoped at the task level, while Azure AD Privileged Identity Management applies protection at the role level with the ability to execute multiple tasks. Azure AD Privileged Identity Management primarily allows managing accesses for AD roles and role groups, while privileged access management in Microsoft 365 applies only at the task level.


Describe customer lockbox

Occasionally, an organization might need Microsoft engineers help to help troubleshoot and fix reported issues. Usually, issues are fixed through extensive telemetry and debugging tools Microsoft has in place for its services. However, some cases require a Microsoft engineer to access the organization’s content to determine the root cause and fix the issue.

Customer Lockbox ensures that Microsoft can't access the content to perform a service operation without explicit approval. Customer Lockbox brings the organization into the approval workflow for requests to access their content.

Customer Lockbox supports requests to access data in Exchange Online, OneDrive for Business, and SharePoint Online. Here’s what the process looks like:

Simplified Customer Lockbox workflow.

  1. Someone at an organization experiences an issue with their Microsoft 365 mailbox, as an example. After the user troubleshoots the issue, but can't fix it, they open a support request with Microsoft Support.

  2. A Microsoft support engineer reviews the service request and determines a need to access the organization's tenant to repair the issue in Exchange Online.

  3. The Microsoft support engineer logs into the Customer Lockbox request tool and makes a data access request that includes the organization's tenant name, service request number, and the estimated time the engineer needs access to the data.

  4. After a Microsoft Support manager approves the request, Customer Lockbox sends the designated approver at the organization an email notification about the pending access request from Microsoft.

  5. The approver signs-in to the Microsoft 365 admin center and approves the request. This step also triggers the creation of an audit record available by searching the audit log. If the customer rejects the request or doesn't approve the request within 12 hours, the request expires, and no access is granted to the Microsoft engineer.

  6. After the approver from the organization approves the request, the Microsoft engineer receives the approval message, logs into the tenant in Exchange Online, and fixes the customer's issue. Microsoft engineers have the requested duration to fix the issue after which the access is automatically revoked.

Because Customer Lockbox follows a formal approval for access control, a common question is how this capability relates to Privileged Access Management, described in the previous topic, that also requires approval for access control. Customer Lockbox allows a level of access control for organizations when Microsoft accesses data. Privileged access management allows granular access control within an organization for all Microsoft 365 privileged tasks.





Knowledge check

Multiple choice

Item 1. The compliance admin for the organization wants explain the importance of insider risk management, to the business leaders? What use case would apply?

Multiple choice

Item 2. To comply with corporate policies, the compliance admin needs to be able to identify and scan for offensive language across the organization. What solution can the admin implement to address this need?

Multiple choice

Item 3. An organization has many departments that collaborate through Microsoft Teams. To comply with business policies, the IT organization needs to make sure that users from one particular department are limited in their access and interactions with other departments. What solution can address this need?

Multiple choice

Item 4. The compliance team wants to control the use privileged admin accounts with standing access to sensitive data, so that admins receive only the level of access they need, when they need it. How can this requirement be implemented?

Multiple choice

Item 5. A customer has identified an issue that requires a Microsoft engineer to access the organization’s content, to determine the root cause, and fix the issue. To protect the organization, the engineer shouldn't be able to access content and perform service operations without explicit approval. What capability can address this requirement?




Summary and resources

There are various capabilities available from Microsoft 365 to help protect organizations from insider risks. Without these capabilities, organizations wouldn’t be protected from insider risk, which could have serious negative financial and reputational consequences. Instead, organizations can prevent this from happening by protecting themselves from insider risk.

Now that you’ve completed this lesson, you should be able to:

  • Describe how Microsoft 365 can help organizations identify insider risks and take appropriate action.

  • Describe how Microsoft 365 helps organizations identify, investigate, and remediate malicious and inadvertent activities.

Learn more

Posts: 108
Topic starter
Joined: 4 years ago




Organizations may need to identify, collect, and/or audit information for legal, regulatory, or business reasons. With today's volume and variety of data, it’s vital that an organization can do this in an efficient and timely manner. Microsoft 365’s eDiscovery and audit capabilities can help organizations to achieve this goal.

In this module, you’ll learn about the eDiscovery capabilities in Microsoft 365.

After completing this lesson, you'll be able to:

  • Describe the purpose of eDiscovery.

  • Describe the capabilities of the content search tool.

  • Describe the core and advanced eDiscovery workflows.

  • Describe the core and advanced auditing capabilities of Microsoft 365.


Describe the purpose of eDiscovery

Sometimes a company may find themselves involved in litigation and they need to find electronic information to be used as evidence.

Electronic discovery or eDiscovery tools, can be used to search for content in Exchange Online mailboxes, Microsoft 365 Groups, Microsoft Teams, SharePoint Online and OneDrive for Business sites, Skype for Business conversations, and Yammer teams. You can search across mailboxes and sites in a single eDiscovery search by using the Content Search tool. And you can use Core eDiscovery cases to identify, hold, and export content found in mailboxes and sites.

If your organization has an Office 365 E5 or Microsoft 365 E5 subscription (or related E5 add-on subscriptions), you can further manage custodians and analyze content by using the Advanced eDiscovery solution in Microsoft 365. Microsoft 365 provides the following eDiscovery tools:

  • Content Search

  • Core eDiscovery

  • Advanced eDiscovery

Each of these tools is described in the subsequent topics.


Describe the capabilities of the content search tool

The Content Search eDiscovery tool, accessible from the compliance center in Office 365 or Microsoft 365, enables search for in-place items such as email, documents, and instant messaging conversations in your organization. Search for items is supported in the following services:

  • Exchange Online mailboxes and public folders

  • SharePoint Online sites and OneDrive for Business accounts

  • Skype for Business conversations

  • Microsoft Teams

  • Microsoft 365 Groups

  • Yammer Groups

To have access to the content search page to run searches and preview and export results, an administrator, compliance officer, or eDiscovery manager must be a member of the eDiscovery Manager role group in the Security and Compliance Center. For more information, visit Assign eDiscovery permissions.

Run a search

To start using the Content Search tool, you must choose content locations to search and configure a keyword query to find specific items. Or the user can just leave the query blank and return all items in the target locations. Examples of some of the capabilities for running a search include:

  • Build search queries and use conditions to narrow your search.

  • Configure search permissions filtering so that an eDiscovery manager can only search for a subset of mailboxes or sites in your organization.

  • Run an ID list search to search for specific mailbox email messages and other mailbox items using a list of Exchange IDs.

  • Search for Teams chat data across on-premises users.

  • View keyword statistics for the results of a search and then refine the query if necessary.

  • Search for third-party data that your organization has imported to Microsoft 365.

  • Preserve Bcc recipients to follow regulatory compliance and eDiscovery requirements that may require organizations to preserve mailbox content, including the ability to search for and reproduce details about all recipients of a message, not just those on the “to” and "cc" list.

Complete actions on content

After you run a search and refine it as necessary, the next step is to do something with the results returned by the search. You can export and download the results to your local computer or, if there is an email-based attack, you can delete the results of a search from user mailboxes. You can also use scripts for advanced scenarios. Sometimes you have to do more advanced, complex, and repetitive content search tasks. To help make this easier, Microsoft has created a number of Security and Compliance Center PowerShell scripts to help complete complex content search-related tasks. Some of these scripts include:

  • Search-specific mailbox and site folders (called a targeted collection) when you're confident that items responsive to a case are located in that folder.

  • Search the mailbox and OneDrive location for a list of users.

  • Create, report on, and delete multiple searches to quickly and efficiently identify, and cull search data.

  • Clone a content search and quickly compare the results of different keyword search queries run on the same content locations; or use the script to save time by not having to reenter a large number of content locations when you create a new search.

Content Search is easy to use, but it's also a powerful tool. To learn more, visit the content search overview.


Describe the core eDiscovery workflow

Core eDiscovery in Microsoft 365 provides a basic tool that organizations can use to search and export content in Microsoft 365.

To access Core eDiscovery or be added as a member of a Core eDiscovery case, a user must be assigned the appropriate permissions. Specifically, a user must be added as a member of the eDiscovery Manager role group in the Office 365 Security and Compliance Center.

You start by creating an eDiscovery case, which starts from within Microsoft 365 compliance center. When you create a case, you must specify a name for it and optionally define a case number. You can assign members to the case. From that point, the case will be displayed in the eDiscovery page and the user can step through the workflow.

The workflow consists of creating holds, searching for content, and exporting and downloading search results.

The Core eDiscovery workflow.

Create an eDiscovery hold

You can use an eDiscovery case to create a hold to preserve content that might be relevant to the case. You can place a hold on the Exchange mailboxes and OneDrive for Business accounts of people you're investigating in the case. You can also place a hold on the mailboxes and sites that are associated with Microsoft Teams, Office 365 Groups, and Yammer Groups. When you place content locations on hold, it's preserved until you remove the hold from the content location, or until you delete the hold.

It may take up to 24 hours after you create the hold for it to take effect.

You have two options to scope the content that's preserved:

  • You create an infinite hold where all content in the specified locations is placed on hold. Or you can create a query-based hold where only the content in the specified locations that matches a search query is placed on hold.

  • You can specify a date range to preserve only the content that was sent, received, or created within that date range. Or you can hold all content in specified locations regardless of when it was sent, received, or created.

Search for content in the case

When you've placed a hold, you can create and run searches for content that relates to the case. You start the search from within the home page for that specific case. Searches associated with a case can only be accessed by members assigned to it.

You can specify keywords, message properties such as sent and received dates, or document properties such as file names, or the date a document was last changed. You can use Boolean operators such as AND, OR, NOT, or NEAR. You can also search for sensitive information (for example, social security numbers) in documents, or search for documents that have been shared externally. If you don't specify keywords, all content located in the specified content locations will be included in the search results.

Export content from a case

You can export search results. Mailbox items are downloaded in a PST file or as individual messages. Content from SharePoint, OneDrive for Business sites, copies of native Office documents, and other documents are exported. A Results.csv file that contains information about every item that's exported and a manifest file (in XML format) that contains information about every search result is also exported.

You can export the results of both a single search or results from multiple searches associated with a case.

Close, reopen, and delete a core eDiscovery case

Core eDiscovery cases can be closed when the investigations or legal cases they were supporting have been completed. When a case is closed, any holds associated with it will be turned off. Once turned off, there’s a 30-day grace period (referred to as a delay hold) on the content locations that were on hold. This helps ensure that content isn’t deleted immediately and gives admins the chance to look for and restore any content before it's deleted permanently.

The main difference between an active and closed case is that eDiscovery holds are turned off for a closed case. When you reopen a closed case, any holds that were in place when it was closed, won’t be reinstated automatically. After reopening the case, you’ll need to turn on previous holds. A reopened case will have its status changed from closed to active.

You can delete both active and closed cases. If you delete a case, all searches and exports in that case are also deleted, the case is removed from the list in the Microsoft 365 compliance center. The deleted case can’t be reopened.

If the case you want to delete contains eDiscovery holds, you won’t be able to delete it. You’ll need to delete all the holds linked to the case and try and delete it again.

Interactive guide

As the admin for your organization, you've be asked to help with an ongoing investigation. For example, you need to collect information on whether a user has sent emails about the Winter project that is currently the subject of the investigation. The following interactive click-through demonstrates how you can do this using the Core eDiscovery workflow. Select the link below to get started.

Interactive guide - Explore core eDiscovery



Describe the advanced eDiscovery workflow

The Advanced eDiscovery solution in Microsoft 365 builds on the existing core eDiscovery. This new solution provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's relevant to your organization's internal and external investigations. It also lets legal teams manage the entire legal hold notification workflow to communicate with custodians involved in a case.

The built-in workflow of Advanced eDiscovery described below aligns with the Electronic Discovery Reference Model (EDRM), a framework that outlines standards for recovery and discovery of digital data.

The Advanced eDiscovery workflow.

  1. Add custodians to a case. This is the first step after creating a case. Custodians are people who have administrative control of a document or electronic file that could be relevant to the case.

  2. Search custodial data sources for data relevant to the case. After custodians have been added to a case, you can use the built-in search tool to find the custodian locations for data that might be relevant. You do this by using keywords, properties, and conditions to build your search queries, which will return search results that contain data that's likely to be relevant to the case. You can preview search results to quickly verify whether the data is relevant and revise your queries and rerun searches to improve results.

  3. Add data to a review set. After configuring and verifying that a search result has provided you with the right data, you’ll need to prepare your results for review and analysis. You can do this by adding the search results to a review set. Doing this means that items are copied from their location of origin to a secure location in Azure Storage. The data is also reindexed to optimize it for review and analysis. You can also add data to conversation review sets, which will provide you with the capabilities to reconstruct conversations, and enable you to review and export conversations like those in Microsoft Teams.

  4. Review and analyze data in a review set. When your data is in a review set, you’re ready to view and analyze the case data through a wide variety of capabilities and tools such as filters, queries, and tags. The goal of review and analysis is to reduce the data set to what is the most relevant to the case that's being investigated.

  5. Export and download case data. Finally, you can export the data out of Advanced eDiscovery for external review. For example, for an external team of investigators. You export the data out of the review set, and then copy it to a different Azure Storage location. You can then use Azure Storage Explorer to download that data as an export package, to a local device. This export package will contain other components like a summary report, and an error report.

Use Advanced eDiscovery in Microsoft 365 to preserve, collect, review, analyze, and export data that's relevant to your organization's internal and external investigations.




Describe the core audit capabilities in Microsoft 365

The audit functionality in the Microsoft 365 compliance center allows organizations to view user and administrator activity through a unified audit log. For example, did an administrator reset a password? Did a user change a setting for a team in Microsoft Teams? A unified audit log supports the search of many users and/or admin activities across Microsoft 365 services, Dynamics 365, Microsoft Power Apps, Microsoft Power Automate, Power BI, Azure Active Directory, and more. For a detailed listing, visit Search the audit log in the compliance center.

When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for the organization. The length of time that an audit record is kept (and searchable in the audit log) depends on the Office 365 or Microsoft 365 Enterprise subscription, and specifically the type of the license that's assigned to specific users. For core audit capability, the audit record is kept and searchable for 90 days.

Searching the audit log requires the search capability to be turned on, and for the user doing the search to be assigned the appropriate role. The search criteria can be configured based on:

  • Activities

  • Start date and end date

  • Users

  • File, folder, or site

The results of the audit log search, which can be filtered and exported to a CSV file, contain the following information about each event returned by the search:

  • Date: The date and time (in UTC format) when the event occurred.

  • IP address: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address.

  • User: The user (or service account) who completed the action that triggered the event.

  • Activity: The activity completed by the user. This is based on activities configured.

  • Item: The object that was created or modified because of the corresponding activity. For example, the file that was viewed or modified, or the user account that was updated. Not all activities have a value in this column.

  • Detail: Additional information about an activity. Again, not all activities have a value.

A list of results from an audit search.

It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search.




Describe Advanced Auditing

Advanced Audit helps organizations to conduct forensic and compliance investigations by increasing audit log retention that's required to conduct an investigation. Audit log retention provides access to crucial events that help determine the scope of compromise, and faster access to Office 365 Management Activity API.

These capabilities differentiate Advanced Audit from the core audit functionality described in the previous topic and require a Microsoft 365 E5 license, or a Microsoft 365 E3 or Office 365 E3 license with a Microsoft 365 E5 Compliance, or Microsoft 365 E5 eDiscovery and Audit add-on license.

Long-term retention of audit logs

Advanced Audit keeps all Exchange, SharePoint, and Azure Active Directory audit records for one year. Keeping audit records for longer periods can help with ongoing forensic or compliance investigations. Microsoft now has the capability to keep audit logs for 10 years. The 10-year retention of audit logs helps support long-running investigations and respond to regulatory, legal, and internal obligations.

NOTE: Retaining audit logs for 10 years requires an additional add-on license.

Audit log retention policies

With Advanced Audit, admins can create customized audit log retention policies to retain audit records for durations less than the default of 1 year or up to 10 years (add-on license). Any custom audit log retention policy will take precedence over the default audit retention policy.

Access to crucial events for investigations

Advanced Auditing helps organizations to conduct forensic and compliance investigations by providing access to crucial events, such as when mail items were accessed, when mail items were replied to and forwarded, and when and what a user searched for in Exchange Online and SharePoint Online. These crucial events can help admins and users investigate possible breaches and determine the scope of compromise. Advanced Auditing provides the following crucial events:

  • MailItemsAccessed - The MailItemsAccessed event is a mailbox auditing action that's triggered when mail data is accessed by mail protocols and mail clients. The MailItemsAccessed action can help investigators identify data breaches and determine the scope of messages that may have been compromised.

  • Send - The Send event is also a mailbox auditing action and is triggered when a user does does any of the actions below . Investigators can use the Send event to identify emails sent from a compromised account. The audit record for a Send event contains information about the message. The actual content of the message isn't displayed. However, information such as when the message was sent, the InternetMessage ID, the subject line, and if the message contained attachments, are accessible. This auditing information can help investigators identify information about email messages sent from a compromised account or sent by an attacker.

    • Sends an email message

    • Replies to an email message

    • Forwards an email message

  • SearchQueryInitiatedExchange - The SearchQueryInitiatedExchange event is triggered when a person uses the Search bar in Outlook on the web (OWA) to search for items in a mailbox. Investigators can use the SearchQueryInitiatedExchange event to determine if an attacker may have compromised an account, or tried to access sensitive information in the mailbox. The audit record for a SearchQueryInitiatedExchange event contains information such as the actual text of the search query. By looking at the search queries that an attacker may have made, an investigator can better understand the intent of the email data that was searched for.

  • SearchQueryInitiatedSharePoint - Similar to searching for mailbox items, the SearchQueryInitiatedSharePoint event is triggered when a person searches for items in the SharePoint home site for your organization. Investigators can use the SearchQueryInitiatedSharePoint event to determine if an attacker tried to find (and possibly accessed) sensitive information in SharePoint. The audit record for a SearchQueryInitiatedSharePoint event also contains the actual text of the search query. By looking at the search queries that an attacker may have performed, an investigator can better understand the intent and scope of the file data being searched for.

High-bandwidth access to Office 365 Management Activity API

Organizations that access auditing logs through the Office 365 Management Activity API were previously restricted by throttling limits at the publisher level. This means that for a publisher pulling data on behalf of multiple customers, the limit was shared by all those customers.

With the release of Advanced Audit, Microsoft is moving from a publisher-level limit to a tenant-level limit. The result is that each organization will get their own fully allocated bandwidth quota to access their auditing data. The bandwidth isn't a static, predefined limit but is modeled on a combination of factors, including the number of seats in the organization and the type of Microsoft 365 license (organizations with an E5 license will get more bandwidth than non-E5 organizations).




Knowledge check

Multiple choice

Item 1. A new admin has joined the compliance team and needs access to Core eDiscovery to be able to add and remove members, create and edit searches, and export content from a case. To which role should the admin be assigned?

Multiple choice

Item 2. The compliance team needs to perform more advanced, complex, and repetitive content search tasks. What can enable the team to do more complex search tasks?

Multiple choice

Item 3. The compliance admin has been asked to use Advanced eDiscovery to help a legal team that is working on a case. What is the workflow the admin will use?

Multiple choice

Item 4. The audit team needs to conduct compliance investigations across emails. They need access to crucial events, such as when mail items were accessed, when mail items were replied to and forwarded. What capability can the team use?



Summary and resources

You’ve explored how eDiscovery and audit can help organizations to identify, collect, and/or audit information in a rapid and effective manner to meet legal requirements.

Now that you’ve completed this lesson, you should be able to:

  • Describe the purpose of eDiscovery.

  • Describe the capabilities of the content search tool.

  • Describe the core and advanced eDiscovery workflows.

  • Describe the core and advanced auditing capabilities of Microsoft 365.

Learn more



Posts: 108
Topic starter
Joined: 4 years ago



Azure has the capabilities that admins need to ensure that resources are governed properly, that they're secure, and in line with the organization’s compliance requirements.

In this module, you’ll learn about the resource governance capabilities available for Azure.

After completing this module, you should be able to:

  • Describe some of the resource governance capabilities in Azure.



Describe the use of Azure Resource locks

Before we can describe the use of Azure Resource Manager locks, it is important to first understand what Azure Resource Manager is. Azure Resource Manager is the deployment and management service for Azure. Azure Resources Manager provides a management layer that enables administrators to create, update, and delete resources in an Azure account. Admins can use management features such resource locks to secure resources after deployment.

Resource locks can be used to prevent resources from being accidentally deleted or changed. Even with role-based access control policies in place there is still a risk that people with the right level of access could delete a critical resource. Azure Resource Manager locks prevent users from accidentally deleting or modifying a critical resource, and can be applied to a subscription, a resource group, or a resource. For example, there may be times when an administrator needs to lock a subscription, a resources group, or a resource. A lock would be applied in these situations to prevent users from accidentally deleting or modifying a critical resource.

A lock level can be set to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.

  • CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.

  • ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

A resource can have more than one lock. For example, a resource may have a ReadOnly lock and a CanNotDelete lock. When you apply a lock at a parent scope, all resources within that scope inherit that lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

Resource Manager locks apply only to operations that happen in the management plane. The locks don't restrict how resources perform their functions. If a lock is applied, changes to the actual resource are restricted, but resource operations aren't restricted. For example, a ReadOnly lock on an Azure SQL Database logical server prevents deletion or modification of the server. However, it doesn't prevent you from creating, updating, or deleting data in the databases on that server.

Interactive guide

A development team in your organization uses an Azure Storage account to store some of their content. As the Azure administrator, you’ve been asked to help ensure that the storage account can’t be deleted. In this interactive demonstration, you’ll lock a storage account, verify the lock works, and then remove the lock. Select the link below to get started.

Interactive guide - Use Azure resource lock to lock resources.




Describe what is Azure Blueprints

Azure Blueprints provide a way to define a repeatable set of Azure resources. Azure Blueprints enable development teams to rapidly provision and run new environments, with the knowledge that they're in line with the organization’s compliance requirements. Teams can also provision Azure resources across several subscriptions simultaneously, meaning they can achieve shorter development times and quicker delivery.

Azure Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:

  • Role Assignments

  • Policy Assignments

  • Azure Resource Manager templates (ARM templates)

  • Resource Groups

Blueprint objects are replicated to multiple Azure regions. This replication provides low latency, high availability, and consistent access to your blueprint objects, whatever region Azure Blueprints deploys your resources to.

With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments.

Azure Blueprints helps ensure Azure resources are deployed in a way that's in line with compliance requirements. However, a service like Azure Policy should be used to continuously monitor resources and ensure a continuation with compliance requirements.



Describe Azure policy

Azure Policy is designed to help enforce standards and assess compliance across your organization. Through its compliance dashboard, you can access an aggregated view to help evaluate the overall state of the environment. You can drill down to a per-resource, or per-policy level granularity. You can also use capabilities like bulk remediation for existing resources and automatic remediation for new resources, to resolve issues rapidly and effectively. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management.

Azure Policy evaluates all resources in Azure and Arc enabled resources (specific resource types hosted outside of Azure).

Azure Policy evaluates whether the properties of resources match with business rules. These business rules are described using JSON format, and referred to as policy definitions. For simplified management, you can group together multiple business rules to form a single policy initiative. After business rules have been formed, you can assign the policy definition, or policy initiative, to any scope of resources that are supported, such as management groups, subscriptions, resource groups, or individual resources.

Evaluation outcomes

Azure Policy evaluates resources at specific times during the resource lifecycle and the policy assignment lifecycle, and for regular ongoing compliance evaluation. The following events or times will trigger an evaluation:

  • A resource has been created, deleted, or updated in scope with a policy assignment.

  • A policy or an initiative is newly assigned to a scope.

  • A policy or an initiative that's been assigned to a scope is updated.

  • The standard compliance evaluation cycle (happens once every 24 hours).

Organizations will vary in how they respond to non-compliant resources. Here are some examples:

  • Deny a change to a resource.

  • Log changes to a resource.

  • Alter a resource before or after a change.

  • Deploy related compliant resources.

With Azure Policy, responses like these are made possible by using effects, which are specified in policy definitions.

What’s the difference between Azure Policy and Azure role-based access control (RBAC)?

It’s important not to confuse Azure Policy and Azure RBAC. You use Azure Policy to ensure that the resource state is compliant to your organization’s business rules, no matter who made the change or who has permission to make changes. Azure Policy will evaluate the state of a resource, and act to ensure the resource stays compliant.

Azure RBAC focuses instead on managing user actions at different scopes. Azure RBAC manages who has access to Azure resources, what they can do with those resources, and what areas they can access. If actions need to be controlled, then you would use Azure RBAC. If an individual has access to complete an action, but the result is a non-compliant resource, Azure Policy still blocks the action.

Azure RBAC and Azure Policy should be used together to achieve full scope control in Azure.


Knowledge check

Multiple choice

Item 1. The compliance admin for the organization wants to ensure that users can access the resources they need, but not accidentally delete resources. Which Azure resource lock level can the admin set to ensure that users can read and modify a resource, but can't delete the resource?

Multiple choice

Item 2. Which tool can enable an organization's development team to rapidly provision and run new resources, in a repeatable way that is in line with the organization’s compliance requirements?

Multiple choice

Item 3. As the compliance admin for your organization, you need to ensure that Azure resources meet your organization's business rules? Which Azure capability should you use?


Summary and resources

You’ve seen how admins can use the resource governance capabilities in Azure to ensure that resources for their organization are governed properly, so that they are secure, and in line with the organization’s compliance requirements.

Now that you’ve completed this lesson, you should be able to:

  • Describe some of the resource governance capabilities in Azure.

Learn more