While pursuing the MS-500, I've been exploring some resources in more depth, such as Compliance Manager, which is part of the M365 E3/E5 services.
Links used for this:
compliance.microsoft.com (you'll log in as the "Global Admin"); think of this as your GRC aide for assessments.
Microsoft recently announced that what was formerly known as the Microsoft Compliance Center is now the Microsoft Purview Compliance Portal, extending the original Azure Purview into the Information Protection and Governance suite.
In the left pane, known as the "blade", we will navigate to Compliance Manager.
On this page you should find the "Compliance Score". Think of this as analogous to Microsoft Secure Score, which supports your CSPM (Cloud Security Posture Management); however, this one is meant to help your IT auditors with documentation and a central control plane.
So what does this mean?
Compliance, at least in my mind, always goes hand in hand with integrating security from the start. Why is this? Well, just about every organization operates in regulated segments of business such as finance, healthcare, and government.
You'll notice that, like anything in security management, it is dynamic and continually being tested and assessed.
Microsoft Purview can assist your team with automated assessments; some are "premium", but the most notable ones are "free" as part of your licensing. You can then run an assessment and review the findings that are relevant to your organization.
Let's explore the "Improvement Actions" tab.
As you can see, the "Export" feature downloads these findings as a .csv, and additional filters can be applied. I'll expand the first one for simplicity.
As you can see, the left pane outlines the overview and details relevant to your organization. Under "Documents" you'll see a 0, indicating that none of your current documents are affected by or associated with this finding.
What makes this tool powerful is the breadth and clarity with which it defines the implementation status, the implementation plan, the documents you can attach, and testing.
Let's take a look at Standards and Regulations.
As you can see, I've expanded the Data Protection Baseline; this includes a control ID, control family, and regulation.
As anyone exposed to GRC knows, documentation is everything: you'll need references for the control you're mapping to, along with the relevant control family and the regulation it applies to. This can assist you on the journey of maintaining compliance and also show you what the implementation looks like.
Navigating back to the Implementation tab, this is where I'm going to click "See Implementation details".
I'm going to mark this as out of scope for demonstration purposes.
Click Save, and this control will stop showing up in the Improvement Actions tab once it updates.
While this is just a quick overview of the Microsoft Purview Compliance portal and there is much more to show, this post is simply about exploring the portal and exercising the domains covered in the Microsoft 365 Security Administrator track.