This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.
This post will cover the following exam topics listed under the “Manage Data Privacy Regulation Compliance” section:
- Administer Compliance Manager
- Review Compliance Manager reports
- Create and perform Compliance Manager assessments and action items
Administer Compliance Manager
Compliance Manager in Microsoft 365 is a fantastic tool to help us assess risk and improvement actions within our tenancy. In some previous posts we’ve touched on different aspects of Compliance Manager but here we will focus on how we can manage it as a whole. Compliance Manager is located in the Microsoft 365 Compliance Center under the “Compliance Manager” Section. From here we see the familiar dashboards we’ve look at a few times in this series.
We will look at assessments and reports individually in the next couple of sections but for now, click the “Compliance Manager Settings” button at the top right of the page to access the Compliance Manager administration section.
In this section, we have two areas we can configure. The first is the “Automated Testing” settings which allows us to control is Microsoft 365 will assess improvement actions automatically to determine if they are completed or outstanding. We can set this to:
- Turn on for all improvement actions – All improvement actions will be automatically tested for compliance
- Turn off for all improvement actions – No improvement actions will be tested automatically
- Turn on per improvement action – We can specify which improvement actions we want to be automatically tested
The default setting is turned on for all improvement actions and in 90% of cases this is fine, however if you have a complex environment with third party systems mitigating the risk of some of the actions, this can be adjusted to prevent false positives, remember – Microsoft 365 can only see it’s own configuration!
The other section we can control is managing user history. This section allows us to export a report of improvement actions and activity associated with a particular user, for instance if we assign an improvement action to a particular user and they then work on the action, we can export a report of what they have done. This data can be cleared using the “Delete history” option.
We can also choose to reassign all actions assigned to a particular user from this page. We will look at assigning actions in the next section.
Review Compliance Manager Reports
Within Compliance Manager, there is a lot of information available to us through reports on Improvement Actions and Solutions (we will look at assessments and assessment reports in the next section). To access Improvement Actions, select it from the top menu of Compliance Manager. Here we see a filterable list of potential improvements we can make based on assessments we have in place.
We can use the filters at the top of the page to narrow down the are or status of a particular action and then click on it to see more detail about it. Below we can see the action item for Enabling Self-Service Password Reset.
If the action is available and selected for automatic testing, we will see the current test status on the “Testing” page.
The “Standards and Regulations” page gives us information about the source control(s) of the action item based on the assessments we have in place.
Finally on the “Documents” section we can add any documentation to support the implementation of the particular action item.
Next, on the “Solutions” tab, we can see a list of technologies available to us to help protect out environment and a measure of the “Score” we have in each, this is essentially a numeric value assigned based on how many items we have implemented
Select the “Open” option beside each one to navigate to the respective Admin Center for that tool while clicking on the “Remaining Actions” column, will navigate back to the Improvement Actions page with a filter in place for the specific solution you selected.
Create and Perform Compliance Manager Assessments and Action Items
We can use assessments in Compliance Manager to compare our configuration against a host of preconfigured baselines. This works great as a validation tool and for gap analysis. To create an assessment, navigate to the “Assessments” tab of Compliance Manager and select “Add Assessment”. On the first page, select a template baseline to include, for this example, we’ll select EU GDPR but there are a wide range to choose from.
Next, give the assessment a name and assign to an assessment group. If a group doesn’t already exist we can create one.
Finally, review the assessment and then click “Create Assessment”.
Once the assessment is created, open it from the assessments page and we see the assessment dashboard. This shows us a breakdown of our alignment “Progress” against the baseline and the relevant improvement actions.
We can view the controls that we need to comply with based on the regulation the template is based on.
We can view the relevant Improvement Actions
And we can see the actions that Microsoft has taken to ensure that actions that lie with them are covered.
Finally, we can click the “Generate Report” button to export the results of the assessment and controls to Excel for distribution.
In this post we have looked deeper into the Microsoft 365 Compliance Manager, looking at Solutions, Assessments and Improvement Actions. Compliance Manager is a fantastic tool to have available and provides a lot of guidance in Microsoft 365 Compliance which can be quite deep as we have seen over the course of this series. For more information on Compliance Manager, check out the below links.