Section 11 – Plan and manage regulatory requirements by using Microsoft Purview Compliance Manager

Plan for regulatory compliance in Microsoft 365

Compliance Manager now works with Microsoft Defender for Cloud to assess compliance across Microsoft 365, Azure, Google Cloud Platform (GCP) and Amazon Web Services (AWS). This means you can see your entire compliance posture in one place, with cloud-specific guidance on how to meet each regulation. Through that integration Compliance Manager tracks resource configurations in Azure and also provides recommendations for the non-Microsoft clouds.

How the compliance score works:

  • Compliance Score: A percentage that reflects your progress towards meeting key data protection standards and regulations.
  • How it is calculated: Points are awarded for completing improvement actions. Points from Microsoft actions (controls managed by Microsoft) are also included.
  • Initial score: Based on the Microsoft 365 data protection baseline, a set of controls that covers common industry regulations and standards.
  • How the baseline score is determined: Compliance Manager checks your existing Microsoft 365 solutions and gives you an initial assessment based on your current privacy and security settings.
  • How the score becomes more meaningful: As you add assessments that are relevant to your organization, the score becomes specific to your own obligations.
  • Categories: Shows the percentage that each data protection category (for example “Protect information” or “Manage devices”) contributes to your overall score.
  • Assessments: Shows the percentage of progress you have made on assessments for specific compliance and data protection standards (for example GDPR or NIST 800-53).

The services listed below can be assessed by Compliance Manager:

  • Microsoft 365
  • Microsoft Azure cloud services
  • Google Cloud Platform
  • Amazon Web Services

In addition, Compliance Manager provides a universal version of regulatory templates that allows you to track compliance with any unsupported service through manual implementation and testing.

See here for the supported regulations

Create and manage assessments

Microsoft is changing how custom assessments are created. While those improvements are finalized, creating or customizing templates is temporarily unavailable. Existing custom assessments keep working and you can still manage their action data; Microsoft will publish updated instructions once the new process is ready.

Only users who hold a Global Administrator, Compliance Manager Administration, or Compliance Manager Assessor role can create and modify assessments.

The Assessments page lists all your compliance efforts. Every assessment you add feeds more controls into your score (more assessments = more details considered) and surfaces further areas needing improvement on the Improvement actions page.

  • Track All Assessments: See all your compliance assessments in one place.
  • Impact on Score: More assessments refine your overall compliance score.
  • Improvement Actions: New assessments may reveal areas needing improvement.
  • Active Regulations: Check how many regulations you’re using for assessments.
  • Assessment Details:
    • Name
    • Status (Complete, Incomplete, Not Started, In Progress)
    • Progress (%)
    • Your Actions Taken
    • Microsoft Actions Taken
    • Group
    • Product
    • Regulation

Open new Purview portal from https://purview.microsoft.com/compliancemanager/assessmentspage

Click “Add assessment” to launch the creation wizard.

Click “Select regulation” to pick the regulatory template the assessment is built on.

Enter a unique name for the assessment and assign it to a group (existing or newly created). You can also copy data from an existing group to save work.

Choose which services the assessment applies to with the “Select services” button.

Review all your selections and make any edits. Once everything looks right, click “Create assessment” to finalize it.

To edit an assessment later, open it and choose Edit from the three-dot (…) menu.

From the same assessment page you can also use Manage user access to control who can see and work on it.

Interpret and manage improvement actions

Compliance Manager provides options for how to test improvement actions. On the improvement action’s details page, the Testing type status in the top information bar shows how the action is tested. From here you can choose how you want the action to be tested: Manual or Automatic.

Automatically

Automation types:

  • Built-in: Integrates with other Microsoft Purview solutions (DLP, Information Protection, etc.) and Microsoft Priva (preview) to automatically test the relevant improvement actions. Benefit: simplifies testing by reusing the functionality of the connected Microsoft solutions.
  • Microsoft Secure Score: Uses signals from complementary improvement actions monitored by Microsoft Secure Score for continuous control assessment, and awards points for successful actions, which feeds into your overall compliance score. Benefit: streamlines testing and rewards progress towards compliance goals.
  • Microsoft Defender for Cloud: Enables continuous monitoring across Microsoft and non-Microsoft cloud services (Azure, AWS, GCP) at the subscription level and aggregates the individual scores into one assessment. Benefit: detailed implementation and testing results across the different cloud environments.
  • Connectors (future release): Planned connectors for services such as Salesforce and Zoom will allow automated testing beyond the Microsoft ecosystem. Benefit: extends automation to non-Microsoft services, simplifying compliance management across platforms.
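The Secure Score row above says Compliance Manager consumes Secure Score signals to test improvement actions automatically. The script below is an added example, not code from the original post or from Microsoft: it pulls the same signals straight from Microsoft Graph and lists the controls that still have points unclaimed, which are exactly the ones whose linked improvement actions will not test as fully implemented. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the SecurityEvents.Read.All scope.

```powershell
# Added example, not part of the original post. Reads the Secure Score signals
# that Compliance Manager uses for automatically tested improvement actions and
# lists the controls still short of their maximum points.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account can consent to SecurityEvents.Read.All.
Connect-MgGraph -Scopes "SecurityEvents.Read.All" -NoWelcome

$graph = "https://graph.microsoft.com/v1.0"

# Newest daily score snapshot. The backtick stops PowerShell expanding $top.
$latest = (Invoke-MgGraphRequest -Method GET -Uri "$graph/security/secureScores?`$top=1").value[0]

# Control profiles hold the maximum points per control. Their id matches
# controlName in the snapshot, so key them by id; follow @odata.nextLink for paging.
$profiles = @{}
$uri = "$graph/security/secureScoreControlProfiles"
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($p in $page.value) { $profiles[$p.id] = $p }
    $uri = $page.'@odata.nextLink'
}

Write-Host ("Secure Score {0:N1} / {1:N1} as of {2}" -f $latest.currentScore, $latest.maxScore, $latest.createdDateTime)

# Controls with unclaimed points are the ones whose linked Compliance Manager
# improvement actions will not test as fully implemented.
$gaps = foreach ($c in $latest.controlScores) {
    if (-not $profiles.ContainsKey($c.controlName)) { continue }
    $max = [double]$profiles[$c.controlName].maxScore
    if ([double]$c.score -ge $max) { continue }
    [pscustomobject]@{
        Control   = $c.controlName
        Category  = $c.controlCategory
        Score     = [math]::Round([double]$c.score, 1)
        MaxScore  = $max
        Remaining = [math]::Round($max - [double]$c.score, 1)
        Status    = $c.implementationStatus
    }
}

$gaps | Sort-Object Remaining -Descending | Format-Table -AutoSize
```

Run it before and after you change a setting that an automatically tested improvement action depends on: Secure Score snapshots are generated once a day, so the Compliance Manager test status for that action will only move after the next snapshot shows the control at its full score.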

Manually

Improvement actions set for manual testing are actions that you implement and test yourself. You set the implementation and test status states and upload any evidence files on the Evidence tab. For some actions this is the only available testing method.

How to use manual actions

When you open an improvement action you will see the detailed steps to take. If the action is technical, a “Launch now” link takes you directly to the solution where the setting is changed.

Once the work is done, you need to upload evidence that the task was really carried out and update the implementation and test status accordingly.

Create and manage alert policies for assessments

Users must hold the Security reader role in Microsoft Entra ID in order to access the Alerts and Alert policies pages in Compliance Manager. Additional security and Compliance Manager roles are needed to work with alerts and alert policies.

Permissions

Role                               Can create and edit policies   Can edit alerts
Compliance Manager Administration  Yes                            Yes
Compliance Manager Assessor        Yes                            Yes
Compliance Manager Contributor     Yes                            Yes
Compliance Manager Reader          No                             No
Global administrator               Yes                            Yes
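Because every row except Reader can create and edit alert policies, it is worth knowing who actually holds these roles. The script below is an added example, not code from the original post or from Microsoft: it enumerates the members of the two Microsoft Entra ID roles mentioned here (Security reader and Global administrator) through Microsoft Graph PowerShell, and the members of the Compliance Manager role groups through Security & Compliance PowerShell. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the account running it can read directory roles and Purview role groups, and that the four role group names match the built-in Compliance Manager role groups shown in the Purview portal.

```powershell
# Added example, not part of the original post. Lists who currently holds the
# roles that gate Compliance Manager alerts and alert policies, so the grants
# can be reviewed against least privilege.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed.

# Part 1: Microsoft Entra ID directory roles. Security Reader is needed just to
# open the Alerts pages; Global Administrator can do everything in the table.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

# Well-known role template ids. A role only shows up in Get-MgDirectoryRole
# once it has been activated in the tenant, hence the warning below.
$entraRoles = @{
    'Security Reader'      = '5d6b6bb7-de71-4623-b4af-96380a352509'
    'Global Administrator' = '62e90394-69f5-4237-9190-012177145e10'
}
$activated = Get-MgDirectoryRole -All

$entraMembers = foreach ($name in $entraRoles.Keys) {
    $role = $activated | Where-Object RoleTemplateId -eq $entraRoles[$name]
    if (-not $role) {
        Write-Warning "$name has never been activated in this tenant; nobody holds it."
        continue
    }
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $m.AdditionalProperties   # directoryObject members expose their details here
        [pscustomobject]@{
            Source = 'Entra ID'
            Role   = $name
            Member = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
            Type   = $props['@odata.type']
        }
    }
}

# Part 2: Purview role groups for Compliance Manager, read through Security &
# Compliance PowerShell. Group names are assumed to match the built-in role
# groups in the Purview portal.
Connect-IPPSSession
$purviewGroups = @(
    'Compliance Manager Administrators'
    'Compliance Manager Assessors'
    'Compliance Manager Contributors'
    'Compliance Manager Readers'
)
$purviewMembers = foreach ($g in $purviewGroups) {
    foreach ($m in Get-RoleGroupMember -Identity $g -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            Source = 'Purview'
            Role   = $g
            Member = $m.PrimarySmtpAddress
            Type   = $m.RecipientType
        }
    }
}

# One list to review. Everyone here except Compliance Manager Readers can create
# and edit alert policies; Readers (and anyone with only Security Reader) can
# open the pages but change nothing.
@($entraMembers) + @($purviewMembers) | Sort-Object Source, Role, Member | Format-Table -AutoSize
```

Keep an eye on the Type column: a group appearing as a member of one of the Purview role groups means every member of that group inherits the right to change alert policies, which is easy to miss when only direct user assignments are reviewed.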

Alert event types

  • Score change: Triggers when the points awarded for an improvement action increase or decrease because of a configuration change.
  • Assignment change: Triggers when an improvement action is assigned, reassigned or unassigned to a user.
  • Implementation status change: Triggers when a user updates the implementation status of an improvement action.
  • Test status change: Triggers when the testing status of an improvement action changes.
  • Evidence change: Triggers when a user uploads or removes evidence documents for an improvement action.

Go to the “Alert policies” page and click “+Add” to launch the wizard.

Choose the event types that should trigger the alert (assignment change, evidence change, etc.). Select “Add sub-conditions” to narrow the criteria further, then click “Next”.

Define Alert Response:

  • Set the severity level (low, medium, high).
  • Choose email notification frequency (every match, or a threshold within a timeframe).
  • Click “Next” after selections.

Select Alert Recipients:

  • Choose additional users to receive alert emails besides the default (policy creator).
  • Click “+Select recipients” and pick users from the list. Click “Add recipients” then “Next.”

Review and Create: Double-check your settings, then click “Create policy” to finalize.

Note! Allow up to 24 hours for new or updated policies to start generating alerts.

Closure

Key points from this section:

  • Compliance Manager can assess Microsoft 365, Microsoft Azure cloud services, Google Cloud Platform and Amazon Web Services; a universal template covers any other service through manual implementation and testing.
  • Creating or customizing assessment templates is temporarily unavailable while Microsoft reworks the process; existing custom assessments keep working.
  • Each assessment you add refines your compliance score and surfaces new improvement actions. The Assessments page shows each assessment's name, status (Complete, Incomplete, Not Started, In Progress), progress (%), your actions taken, Microsoft actions taken, group, product and regulation.
  • Improvement actions are tested either automatically (built-in Purview integrations, Secure Score signals, Defender for Cloud) or manually with uploaded evidence; the Testing type on the action's details page shows which.
  • Alerts and alert policies require the Security reader role in Microsoft Entra ID plus a Compliance Manager role above Reader, and a new or updated policy can take up to 24 hours to start generating alerts.

Link to main post

Author: Harri Jaakkonen