Is your organization asking the following data compliance and data management questions?
- Is there a more efficient method of managing compliance across my tenant?
- How can I give non-admins access to perform compliance activities without providing them admin rights?
- Can I search through all data in my tenant without setting up an eDiscovery site and cases?
- Can I easily view all users with archiving enabled, or can I bulk enabledisable archiving without PowerShell?
- What if I do not want to wipe all the data from my users’ personal mobile devices?
- My organization has been subpoenaed to provide mailbox data. Do I really need to configure and setup sites in SharePoint for eDiscovery?
- I require mobile device management, but the Exchange Online mobile device policy doesn’t cut it, and I do not want to purchase Intune or other 3rd party solutions. Are there any other built-in options?
- I have tons of mail data in a third party archiving solution or PSTs dispersed throughout my organization. How can I get this data into Office 365 securely?
- I want to migrate entire file shares, maybe even an entire file server into SharePoint Online. Is there a relatively easy and secure method available?
If so, Microsoft Office 365 Compliance Center has your answers.
Microsoft understands organizations require comprehensive features to manage and secure the data imported and created in Office 365. With that said, let’s take a look at why, in my opinion, it is one of the most important updates and features added to Office 365.
Compliance Tasks Have Never Been Easier
The Office 365 Compliance Center consolidates the core compliance-related features administrators use to manage and secure their tenant data across Office 365, Exchange Online, and SharePoint Online. You may recognize some functions in this new management portal. Microsoft has moved and will continue to move features into this console from their respective services; for example, archiving and retention from Exchange Online.
The new center makes the sometimes dreaded compliance tasks easier to access and manage. Global admins in Office 365 can access the compliance center through the Office 365 Admin portal, the link is located under the Admin heading in the navigation page. It is also accessible via a dedicated link: https://compliance.protection.outlook.com, which can be accessed by your non-technical workers without having to grant administrative rights to your entire tenant.
Permissions in the Office 365 Compliance Center
One of the key components which makes access to and management of the Compliance Center an almost enjoyable experience is the inclusion of the Role Based Access Control (RBAC) permissions model. RBAC allows you to grant task-specific permissions to users. These permissions will allow the user to access the compliance center directly and perform only their assigned administrative responsibilities.
It is important to note that the RBAC permissions in the Compliance Center are specific only to this console, and membership does not carry over to other Office 365 services. Also, some of the Compliance Center features require additional permissions to be assigned in the respective service. For example, to manage Retention, a user must also be added to the Compliance or Records RBAC group in Exchange Online. As always, you want to assign the least amount of privileges required for a user to perform their administrative tasks. Below is a table listing the different administrative roles, their inherited roles, and a description to help you determine where to add your compliance officers.
||Organization Configuration, View-Only Audit Logs, View-Only Recipients
||Manages settings for the core compliance features; DLP, device management, reports, auditing, etc.
||Case Management, Compliance Search, Export, Hold, Preview, Review
||Can perform searches against and place on hold mailboxes, SharePoint Online sites, and OneDrive for Business content. Can access the new Compliance Share feature.
||Audit Logs, Organization Configuration, Role Management, Search And Purge, View-Only Audit Logs, View-Only Recipients
||Can add or remove permissions to Compliance Center features. Manges settings for the core compliance features; DLP, device management, reports, auditing, etc. Members of the Office 365 Global Admins RBAC group are automatically added this group
||Can perform analytics on assigned documents using the soon to arrive tool, Zoom
What Can I Accomplish in the Office 365 Compliance Center?
Not sold yet on the new Compliance Center just by the easier management of permissions and access? Let’s walk through some of the readily available and most used features in the console; I’m sure there’ll be a few items that will make you a fan.
Mail archiving is a service that has been available since Exchange 2010 SP2, so it’s not a new feature by any means. However, the management tasks available in the Compliance Center make managing the service a super simple administrative task.
View full-size image
- Easily view which users have mail archiving enabled or disabled
- Enable or disable archiving one user at a time or in bulk
- Quick view of a user’s mailbox usage stats
Unlike Archiving, this feature is not another management tool for similar services already available in Exchange Online; mobile device access rules and mobile device mailbox policies. In actuality, the mobile device management policies will take precedence and override any mobile device policies currently configured through Exchange Online in your tenant—something to keep in mind before deploying to your users. The features available through this service leverage Microsoft Intune and Microsoft Azure Active Directory, and are available at no added cost to all commercial Office 365 plans.
Below is a limited comparison list of mobile device controls available in Office 365 via mobile device management and Exchange Online:
||Mobile Device Management (MDM)
|Restrict access to email
|Require the use of a password on device
|Require encryption on device
|Exclude users from access restrictions
|Perform remote wipe
|Device enrollment required
|Restrict access to documents
|Restrict jailbroken devices
|Managed email profiles
|Advanced system, application, and device settings
|Perform selective wipe
eDiscovery is another service which is already well incorporated into Microsoft services; in Office 365 eDiscovery can be used to search and place data in mailboxes, SharePoint Online sites, and OneDrive for Business locations on hold. These searches or cases can be used to preserve data indefinitely and also export it from your tenant when required for legal reasons.
In the not so distant past, in order to allow your non-admin compliance officers or HR team access to eDiscovery, you were required to manually create an eDiscovery Center in SharePoint Online. This site had to be configured correctly with the necessary permissions and connectivity to Exchange Online. Not anymore; the first time an administrator accesses the eDiscovery feature through the Compliance Center, the eDiscovery Center is automatically created and configured for you. Your only next step is to assign users to the eDiscoveryManager RBAC group to allow access.
The retention Compliance Center feature gives administrators granular control to the life cycle of data in their tenant. Through this feature, administrators can create and manage retention tags and retention polices for mailboxes, as well as document deletion policies for SharePoint Online and OneDrive for Business. These policies are located in the Deletion section as they determine how long data should be present in your tenant before being acted upon.
There is also a Preserve section available in the Retention feature; preservation polices allow you to keep data across your tenant for a specified amount of time (think query-based in-place holds).
This is one of the newer features to come to the Compliance Center and it is a highly welcomed addition for administrators or IT consultants, especially individuals carrying out the actual migrations to Office 365. Import allows administrators to do just that—import mail data from PST files to Exchange Online mailboxes, as well as import files from network shares or on-premises SharePoint libraries into SharePoint Online.
The data can be uploaded directly to Office 365 over your network, or it can be transferred onto hard drives and shipped to Microsoft data centers. You no longer have to deal with third party data ingestion tools, or worse yet, manually copying data using Outlook or a File Explorer session which constantly times out.
Some of the key aspects of the Import service are:
- Import PST mail data directly to specified users
- Import mail data to a user’s primary mailbox or archive mailbox
- Importing PSTs into a user’s archive mailbox allowing for an unlimited amount of data
- Files can be imported from network file shares or on-premises SharePoint libraries
- Share permissions can be maintained when importing files to SharePoint Online
- Network uploads are performed using command line tools, the Microsoft Azure AZCopy Tool and the SharePoint Online Management Shell
- Network uploads can be secured by using HTTPS
- All drives shipped to Microsoft must be prepared with the Microsoft Azure Import/Export Tool
- Drive shipping accepts only the common 3.5 inch SATA II/III drives
- Drives require the common NTFS formatting
- Only drives up to 4TB are supported
- All drives shipped to Microsoft must be encrypted using the provided BitLocker encryption keys
- BitLocker encryption keys are uploaded directly through the Compliance Center and not available to anyone
- If an extra layer of encryption is required, O365Protect can be used to encrypt data
- Destination of data is specified via “PST to user” and “file to location” CSV mapping files
- Data is temporarily ingested and stored in a secure and unique Azure storage space
- Azure Storage Explorer can be used to view the contents of your tenants dedicated storage location
- As of this writing, this service is free for all valid Office 365 tenants