Latest posts by Timothy Warner (see all)
You and I both know that Microsoft Office 365 consists of a large application suite. Visit the Office 365 admin center, for instance, and view a whopping 10 separate sub-admin centers:
- Exchange: messaging
- Skype for Business: IM and telephony/teleconferencing
- SharePoint: collaboration
- OneDrive: file sharing
- Yammer: collaboration
- PowerApps: code-free cloud application development platform
- Flow: workflow engine
- Azure AD: identity management
- Intune: endpoint management
On one hand, the Office 365 administrator must manage the different Office 365 services through separate admin centers. On the other hand, you have (a) users saving enormous data volumes to the Office 365 tenant, and (b) compliance requirements that mean you need to secure, audit, and document all of the above infrastructure. Whoa—that is a lot of stuff to worry about! Fortunately, the Office 365 development teams gave us the Office 365 Security & Compliance Center.
High-level overview
From the Office 365 admin center (https://portal.office.com), open the Admin center menu and select Security & Compliance. The Security & Compliance Center opens in a separate browser tab as shown next. The direct URL to the site is https://protection.office.com.
Before I show you the specific tasks you can perform in the Security & Compliance Center, click Permissions from the navigation bar. You need to understand the following two points about this page, shown in the following screenshot:
- The Security & Compliance Center uses a role-based access control (RBAC) authorization model just like the other Office 365 services use.
- The roles and permissions you assign here grant users permissions only to the Security & Compliance Center.
The use case here is that you could, for example, grant select Legal team users membership to the built-in eDiscovery Manager role, and Compliance team users membership to the Compliance Administrator role. Of course, you can define your own custom roles if you wish.
Next, let me show you some of the more important tasks you can accomplish in the Security & Compliance Center. This article covers only a selection of them; you should certainly consult the documentation for full information.
Another thing you'll want to do is navigate to Service assurance > Dashboard and give Office 365 your business' geographic location and industry. When you provide Microsoft with that data, Office 365 gives you compliance reports and trust documents customized to your business. Pretty awesome!
NOTE: You need to assign your compliance officers' Office 365 user accounts to the Service Assurance User role in Permissions for them to access the compliance reports.
The alerting function in the Office 365 Security & Compliance Center is a huge value to administrators because it proactively informs us when particular actions occur within the tenant.
What kind of "particular actions," you wonder? Stuff like:
- privilege escalation
- deleted folders and files
- deleted users and groups
- eDiscovery activities
- unusual external user activity
- detected malware/phishing
The New alert policy dialog shown in the next screenshot asks you to pick (a) which activities across the Office 365 services you want to watch; (b) which users, or all users, you need to scope the alert to; and (c) to whom you want to send the alert e-mail messages.
Office 365 sends the alerts to its notification (bell) menu, targeted email addresses, as well as to the View security alerts page in the Security & Compliance Center. The following screenshot shows you what a representative email alert looks like.
Data Loss Prevention (DLP)
DLP in Office 365 combines the best parts of Active Directory Rights Management Services (AD RMS) and the Intune device management product. Whereas configuring AD RMS on premises is a giant pain in the you-know-where, configuring DLP in Office 365 is wizard driven and remarkably straightforward.
The heart of DLP is the policy, which I show you in the next screenshot. Depending on your industry and security/compliance requirements, you may need to take special actions on sensitive data like patient records, financial numbers, and so forth.
A DLP policy can cover multiple data sources, such as Exchange Online, SharePoint Online, and OneDrive for Business. You can restrict access to data the policy identifies, including (a) notifying the users of any actions they need to take on the sensitive data; and (b) preventing users from copying, forwarding, and performing other actions on that data.
You can run DLP reports from the Security & Compliance Center by navigating to the Reports > Dashboard page.
Programmatic access
Oh, there's so much to see in the Office 365 Security & Compliance Center! Let's finish up by learning how to connect to the center with PowerShell. The bad news is that the Office 365 PowerShell story is a royal, confusing mess. So many modules, so many versions—it's gross.
The good news is that we can actually use PowerShell remoting to establish a direct connection to the Office 365 Security & Compliance Center.
On your Windows 8.1 or Windows 10 administrative workstation, make sure you've temporarily relaxed the system's script execution policy:
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
Next, let's store our Office 365 global admin credentials:
$cred = Get-Credential
Now we'll create the remote session, storing it in a variable:
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Finally, we'll use implicit remoting to import the remote Office 365 session into our current runspace:
Cool! So now we have access to the Office 365 Security & Compliance Center PowerShell cmdlets. The exported Office 365 cmdlets are stored in a temporary module whose name is generated for each session (so yours will differ from the one shown here); you can then run Get-Command to see what's available:
PS C:\> Get-Command -Module tmp_huth43a3.oxz | Select-Object -Property Name | Format-Wide -Column 2
This module is pretty big (148 functions as of this writing), and you can perform most security/compliance tasks with them.
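As an added example (my code, not the article's or Microsoft's), the following script wraps the connection steps above into a function and then uses the imported cmdlets for two tasks the article discusses: checking who holds the eDiscovery Manager role group, and summarizing the DLP policies and whether they enforce or only test. The function names are my own; the endpoint URI and Basic-auth remoting settings are the ones shown on the page.

```powershell
# Added example, not code from the article or from Microsoft. Function names
# are the example author's own; the endpoint URI and Basic-auth remoting
# settings are the ones the article shows.

function Connect-SecurityComplianceCenter {
    param([Parameter(Mandatory)] [pscredential] $Credential)
    # Relax the execution policy for this process only, as the article does.
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://ps.compliance.protection.outlook.com/powershell-liveid/' `
        -Credential $Credential -Authentication Basic -AllowRedirection -ErrorAction Stop

    # Implicit remoting: the proxy functions land in a temporary tmp_* module.
    Import-PSSession -Session $session -DisableNameChecking -AllowClobber | Out-Null
    return $session
}

function Get-SccCmdletCount {
    # Find the temporary module without hard-coding its randomly generated name.
    $tmp = Get-Module -Name 'tmp_*' | Select-Object -First 1
    if ($null -eq $tmp) { throw 'No imported Security & Compliance session found.' }
    (Get-Command -Module $tmp.Name).Count
}

function Get-SccRoleGroupMembers {
    param([string] $RoleGroup = 'eDiscovery Manager')
    # Rights granted here apply only inside the Security & Compliance Center.
    Get-RoleGroupMember -Identity $RoleGroup | Select-Object Name, RecipientType
}

function Get-SccDlpPolicySummary {
    # Mode shows whether a policy enforces or only tests (e.g. TestWithNotifications).
    Get-DlpCompliancePolicy | Select-Object Name, Mode, Enabled, Workload
}

# Usage: connect with a global admin credential, query, and always clean up.
$cred = Get-Credential
$session = Connect-SecurityComplianceCenter -Credential $cred
try {
    "Imported cmdlets: $(Get-SccCmdletCount)"
    Get-SccRoleGroupMembers | Format-Table -AutoSize
    Get-SccDlpPolicySummary | Format-Table -AutoSize
}
finally {
    # Idle remote sessions count against the per-user limit on concurrent sessions.
    Remove-PSSession -Session $session
}
```

Any DLP policy reporting a test mode is not yet blocking or notifying on the sensitive data it matches, which is the first thing to confirm when auditing a tenant's DLP posture.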
Overall, I found that once you get past your initial learning curve, the Office 365 Security & Compliance Center gives you excellent insight into your tenant. In my experience, managing Office 365 can sometimes feel like a bad game of "Whack a Mole" given how many moving parts there are.
My hope is that the Office 365 product teams will continue the trend of unifying the Office 365 control plane because we all (Microsoft, our business, and we as individuals) are better off for it.