Microsoft Office 365 Compliance

Meet Michael, a Compliance Officer who works closely with his company’s IT team to ensure employees abide by internal policies and regulations set by regulatory bodies. Check out this infographic to see how Michael uses Microsoft Office 365 productivity and collaboration tools in Microsoft Teams across his devices throughout the day to review, define, enforce and report on compliance policies set in Office 365 to safeguard company and consumer data.

Learn about Microsoft Office 365 tools for security and compliance.


Microsoft Office 365 stands tall in overall scope and quality of solution when compared to its rivals. But let’s narrow our focus to just security and compliance features. Microsoft Office 365 is our choice product suite in this arena, especially with higher level plans that offer even more advanced functionality, including enhanced virus and threat protection, security management, and search and investigation options to keep your organization’s shield up and impenetrable.

The depth and breadth of Office 365’s features are robust, sophisticated, and overall, an impressive display of security. So let’s take a look at five security and compliance components that leave Microsoft Office 365 users safe and slack-jawed.


Office 365 truly shines with its user rights management. Its Security & Compliance Center allows authorized users and admins to perform tasks like device management, data loss prevention, eDiscovery, content retention, and the list goes on. These authorized users and admins can perform only the tasks to which they have been explicitly granted access.

Permissions in the Security & Compliance Center can be as granular as an organization desires and are based on the Role-Based Access Control permissions model. This is the same permissions model that’s used by Exchange, so if you’re familiar with that, granting permissions in the Security & Compliance Center will be a cinch. For example, the global administrator has permission to access all administrative features in the Office 365 suite, including Microsoft Teams. A global admin is the only user who can assign other admin roles. You can have more than one global admin in your organization, but as a best practice, we recommend that only a few people in your company have this role. This will reduce risk to your business by keeping the number of authorized parties low.

Other examples of Office 365 admin roles include billing administrators who can make purchases, manage subscriptions and support tickets, and monitor service health; Exchange administrators, who manage mailboxes and anti-spam policies for your business, using the Exchange admin center; and SharePoint admins who manage the sites, document libraries, lists, and applications on SharePoint Online through the SharePoint admin center. They can also assign other people to be Site Collection administrators and Term Store administrators.

Compliance Admins are especially important as they manage security and compliance policies for an organization, and have permissions in the Office 365 admin center, Security and Compliance Center, Exchange Online Admin Center, and the Azure AD Admin Portal. Similarly, User Management admins reset passwords, monitor service health, add and delete user accounts, and manage service requests. However, the user management admin can’t delete a global admin, create other admin roles, or reset passwords for global, billing, Exchange, SharePoint, Compliance and Skype for Business admins.


Office 365’s threat management tool protects users from both malicious software and attacks against systems and networks. Microsoft applies machine and human analysis to detect advanced threats when a user is under attack; it detects compromised systems and responds when a user is helpless; and it has built-in Microsoft antimalware/antispam protection, offering multi-engine anti-malware scanning to protect incoming, outgoing, and internal messages from malicious software transferred through email.

Users should take advantage of Office 365’s threat management to help control and manage mobile device access to your organization’s data and protect your organization from data loss as well as inbound/outbound messages from malicious software and spam. You can also use threat management to protect your domain’s reputation and to determine whether or not senders are maliciously spoofing accounts from your domain.

Let’s evaluate some of the specifics that keep you safe:

  • Dashboard, threat explorer, and incidents: These panes allow you to manage Office 365 Analytics and threat intelligence.
  • Mail filtering: You can hone and monitor settings to help prevent spam. You can even create permit and block lists, determine who is spoofing your domain and why, and configure and view spam filter policies.
  • Outbound spam policy: Set up an outbound spam policy to ensure that your users aren’t sending spam.
  • Anti-malware: Configure anti-malware policies to protect against viruses and spyware traveling to or from your organization in Office 365. Viruses are malicious software programs that replicate themselves and modify or infect other programs and data on the computer. Viruses spread from one computer to another, often through email. Spyware gathers your personal information, such as login information, and sends it back to its author.
  • DKIM: Intended for more advanced Office 365 administrators, but available to all Office 365 customers, DomainKeys Identified Mail (DKIM) helps ensure that other email systems trust messages that you send from Office 365. DKIM does this by adding a unique digital signature to email messages that you send from your organization to help determine if the email is legitimate.

Now let’s talk “advanced threats.” Advanced threats are combatted by Office 365’s Advanced Threat Protection features including safe attachments and safe links. When safe attachments are enabled, email attachments are opened in a special, isolated environment that is separate from Office 365 before they are sent to recipient inboxes. Safe attachments are designed to help detect malicious attachments even before anti-virus signatures are available. Safe links, on the other hand, help prevent users from following links in email or in Office documents that point to web sites that are recognized as malicious. With Office 365’s Advanced Threat Protection, there’s no need to even break a sweat. It’s got you covered.


The search and investigation features in the Office 365 Security & Compliance Center are great when trying to quickly find content in mailboxes and documents or search audit logs for various types of user and admin activity. The best part of search and investigation is that you can find all content and user activity in just one search—whether it’s in Exchange Online, SharePoint Online, or OneDrive for Business—providing you with unified protection for your Office 365 organization. There are no limits on the number of mailboxes and sites that you can search or the number of searches that can run at the same time.

In terms of log auditing, you can use the Audit log search page to view user and admin activity in your Office 365 organization. You can search for audit log entries for the following types of actions: file, folder, and sharing activity by users in SharePoint and OneDrive for Business; user and admin activity in Exchange, Sway, Power BI for Office 365, Microsoft Teams; site admin activity in SharePoint; and user admin and directory admin activity in Azure Active Directory (the directory service for Office 365).

You can also create eDiscovery cases to manage a group of users who may be involved in a legal investigation. An eDiscovery case allows you to add members to a case, control what types of actions specific case members can perform, place a hold on content locations relevant to a legal case, and associate multiple Content Searches with a single case. eDiscovery cases are a good way to limit who has access to content searches and search results for a specific legal case in your organization. If your organization has an Office 365 Enterprise E5 subscription, you can use eDiscovery cases to analyze the results of a content search with Office 365 Advanced eDiscovery. This function helps you analyze large, unstructured datasets and reduce the data to what is most relevant to a legal case.

You can also use the Productivity App Discovery page to access Advanced Security Management and set up security alerts notifying you of anomalous and suspicious activity. And when you use the Productivity App Discovery, you can use information from your organization’s log files to understand and act on your users’ app usage in Office 365 and other cloud apps. Advanced Security Management requires an Office 365 Enterprise E5 subscription for your organization.


It’s all about sharing knowledge effectively and in the best interest of your company—having your data available when you need it and eliminating it when you don’t. Office 365’s data governance features are nothing short of awesome, allowing you to import data into your Office 365 organization as well as manage the lifecycle of emails and documents with archive and retention features. You can enable or disable a user’s archive mailbox, which provides them with an alternate unlimited-storage location. Keep in mind that while your organization may be required to retain content for a period of time because of compliance, legal, or other business requirements, keeping it longer than required might create unnecessary legal risk. So, creating a system for archiving, retaining, and deleting is critical.

Finally, you can create supervision policies to review internal and 3rd-party communications. Reviewers can use the Supervision add-in for Outlook and Outlook web app to classify these communications, make sure they’re compliant with your organization’s policies, and escalate questionable material if necessary.


Data Loss Prevention (DLP) is a pretty big piece of the security pie. It’s a strategy for making sure that end users don’t send sensitive information outside of your company. It’s critical in Exchange because email communication often includes sensitive data. Thankfully, Office 365’s DLP features make managing sensitive data in emails (as well as SharePoint and OneDrive) a breeze.

DLP policies are simple collections of mail flow rules that contain specific conditions, actions, and exceptions that filter messages and attachments based on their content. DLP policies can use these mail flow rules to detect policy violations and then act on messages in transit. Here’s an example: A mail flow rule can perform deep content analysis through keyword matches, dictionary matches, text pattern matches through regular expressions, and other content examination techniques to detect content that violates your organization’s DLP policies. Or, you can customize the conditions within a policy, such as how many times something has to be found before an action is taken, or the action to take. A key factor in the strength of a DLP solution is the ability to correctly identify confidential or sensitive content that may be unique to your organization.

To make it easy for you to use rules that look for sensitive information, Exchange comes with policy templates that already include some of the sensitive information types. In addition to the customizable DLP policies and pre-built templates, you can inform email senders when they’re about to violate one of your policies—even before they send a message that contains sensitive information. You do this by configuring Policy Tips, which present a brief note about the possible policy violations.
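The rule mechanics described above (a regular-expression condition, a sender exception, and a match count that decides between a Policy Tip and a block) can be sketched as follows. This is an added example, not Exchange's implementation or code from the original article; the `DlpRule` class, its thresholds, the action names and the sample messages are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Candidate card numbers: 13-16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass
class DlpRule:
    """Hypothetical rule shape: condition, exception, count-based actions."""
    tip_threshold: int = 1    # distinct matches before the sender is warned
    block_threshold: int = 3  # distinct matches before the message is blocked
    exempt_senders: set = field(default_factory=set)

    def count_matches(self, text: str) -> int:
        hits = set()
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.add(digits)  # count each distinct number once
        return len(hits)

    def evaluate(self, sender: str, body: str) -> str:
        if sender.lower() in self.exempt_senders:
            return "allow"  # the exception is checked before any condition
        n = self.count_matches(body)
        if n >= self.block_threshold:
            return "block"
        if n >= self.tip_threshold:
            return "policy_tip"
        return "allow"

# Constructed sample data: published test card numbers and a made-up tracking number.
RULE = DlpRule(exempt_senders={"billing@example.com"})
ONE_CARD = "Please charge 4111 1111 1111 1111 for the renewal."
THREE_CARDS = "Cards: 4111111111111111, 5555-5555-5555-4444, 4012888888881881"
NOT_A_CARD = "Tracking number 1234 5678 9012 3456 shipped today."

if __name__ == "__main__":
    for msg in (ONE_CARD, THREE_CARDS, NOT_A_CARD):
        print(RULE.evaluate("alice@example.com", msg), "<-", msg)
```

The checksum step is what keeps a pattern-only rule from flagging order or tracking numbers, which is the false-positive problem that makes correct identification of sensitive content the deciding factor in a DLP deployment.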


We are fans of Office 365’s security and compliance features. While GSuite generally offers similar functionality—and we’re happy to work with clients who prefer it—we often recommend Microsoft’s product suite for the reasons listed above. Office 365’s robust and sophisticated security and compliance features are hard to beat and go a long way to ensure compliance and your peace of mind.