Improve Your Tenant’s Compliance with Microsoft Purview Compliance Manager
The features of Purview that we’ve discussed so far in this series (Content Explorer, Search, Data Loss Prevention, Sensitivity Labeling, and Data Retention) are all foundational tools to help better secure and govern data in your Microsoft 365 tenant. Today, we are going to look at a Purview feature that will help measure how well those controls are working alongside your general tenant security configuration, written policies, and operational processes.
The Purview blog series can be found here:
Purview Compliance Manager gives you the ability to run a compliance assessment against your tenant and compare it to the regulatory and security frameworks that are relevant to your organization. In addition to evaluating the technical controls in place, these assessments also include policy and operational requirements that you should follow as part of your compliance effort for your selected frameworks.
As of August 2023, there are 368 assessments available in Compliance Manager covering all kinds of industry, national, and state regulations, along with frameworks. The Microsoft Data Protection Baseline assessment is included at the E3 license level. Three premium assessments such as PCI, HIPAA, or state privacy regulations are included with the various E5 Compliance add-ons or full E5 licensing. (Premium assessments can also be added to an E3 subscription a la carte for an additional monthly cost.)
Today I will show a basic walkthrough of how to use Purview Compliance Manager to perform an assessment that compares a Microsoft 365 tenant to both the included Microsoft Data Protection Baseline assessment available to E3 customers (based on a combination of NIST, ISO, FedRAMP, GDPR, and Microsoft’s own Zero Trust requirements) and PCI DSS v4.0, which is a premium assessment.
Configure the Assessments
First, I need to configure the assessments that I would like to run against my tenant. From the Compliance Manager overview page, click Assessments:
Click on Add Assessment:
Click Select Regulation, search for the term Baseline, then select the Data Protection Baseline assessment (available at both E3 and E5 license levels):
Name the assessment, add it to the default group, and use the default services:
And create the assessment:
Once the assessment is created, you should see a screen like the one below.
If you have an E5 license or the E5 Compliance add-ons, you can repeat this process to also add the PCI assessment (listed as a premium assessment). I won’t show those screens here, but the process is exactly the same, save for selecting the PCI DSS 4.0 Assessment template.
Managing Improvement Actions
Now that the assessments are configured and running, let’s have a look at what they have found and walk through the basic features of Compliance Manager, starting under the Assessments menu:
Click on the Data Protection Baseline Assessment to see details specific to this assessment’s findings. Note the description of the assessment (outlined in red) and both your points and Microsoft managed points (outlined in blue):
The point values outlined in blue indicate how many of the assessment’s requirements have been fulfilled. Each requirement (or Action) is worth a certain number of points, with more important controls having a higher value. The Actions that Microsoft has taken through their management of your tenant and the Microsoft 365 platform in general are listed here as 11,885 out of a possible 12,308. The points for the customer configurable requirements are a lowly 401 out of 12,308. Looks like we have some work to do to secure this tenant!
Clicking through the Your Improvement Actions menu, we see the beginning of an extensive list of 869 items that the Compliance Manager assessment requires to be configured and/or documented. There are filters you can use to start sorting the actions based on various criteria.
I will click the Action titled “Apply sensitivity labels to protect ePHI” to see its details, including the Microsoft description of the recommended action, links to relevant documentation, and a “Launch Now” button. This button will take you to the administrative page where you would set up a sensitivity label in Purview. The “Edit Implementation Details” button will take you to screens that allow you to mark whether this control has been implemented or is out of scope, the date of implementation, etc.
I have updated the implementation details above. Since I marked this as “Implemented,” Compliance Manager will add 27 points to our tenant’s compliance score for this assessment and any others that require this same control to be in place. Only 868 to go….
Some of the technical configuration Actions are tested by Compliance Manager automatically, but others need to be updated manually so that the Compliance Score accurately reflects the controls and policies you do have in place. This requires a bit of manual effort at first, but once the manual update is complete, you can use Compliance Manager to track any changes or improvements going forward.
While you can make updates through the portal as I have shown above, you can also export the Actions into a spreadsheet using the “Export Actions” button at the top of the screen (shown below).
This spreadsheet has tabs that correspond with the menus on the Assessment screen so that you can quickly sort and update the Actions in the spreadsheet, then import the updated spreadsheet back into the Compliance Manager portal. Microsoft has detailed instructions on how to do this here: Update improvement actions and bring compliance data into Microsoft Purview Compliance Manager | Microsoft Learn. This method makes it quite a bit easier to do mass updates since it can be done in one file that is easy to edit, especially as you make your first pass through the controls and need to update many at once. Make sure to follow the guidelines on the spreadsheet tab called “How to Update Actions” when making updates so you follow the proper syntax and formatting requirements.
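As an added example (not from this post or from Microsoft’s tooling), the small Python script below compares two exported action lists taken at different times, recomputes the points earned, flags any Action that slipped from Implemented back to Not implemented, and ranks what is left by point value. The column names Action, Points and Status and the sample rows are assumptions standing in for a real export, so check them against the “How to Update Actions” tab before adapting it.

```python
import csv
import io

# Constructed sample data standing in for two "Export Actions" downloads taken
# a week apart. Column names (Action, Points, Status) are an assumption.
SNAPSHOT_BEFORE = """Action,Points,Status
Apply sensitivity labels to protect ePHI,27,Not implemented
Enable audit logging,27,Implemented
Require MFA for administrators,27,Implemented
Document data retention policy,3,Not implemented
Encrypt data at rest with customer key,9,Out of scope
"""
SNAPSHOT_AFTER = """Action,Points,Status
Apply sensitivity labels to protect ePHI,27,Implemented
Enable audit logging,27,Not implemented
Require MFA for administrators,27,Implemented
Document data retention policy,3,Not implemented
Encrypt data at rest with customer key,9,Out of scope
"""

def load_actions(csv_text):
    """Parse an export into {action: (points, status)}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Action"]: (int(row["Points"]), row["Status"]) for row in reader}

def score(actions):
    """Points earned vs. points achievable. Excluding Out of scope actions from
    the achievable total is an assumption, not confirmed against the portal."""
    earned = sum(p for p, s in actions.values() if s == "Implemented")
    achievable = sum(p for p, s in actions.values() if s != "Out of scope")
    return earned, achievable

def regressions(before, after):
    """Actions that were Implemented before and no longer are; a flat score
    can hide one of these when another action was completed the same week."""
    return sorted(name for name, (_, s) in before.items()
                  if s == "Implemented" and after.get(name, (0, ""))[1] != "Implemented")

def next_targets(actions):
    """Remaining in-scope actions, highest point value first (the 27-point
    items the post suggests tackling first)."""
    todo = [(p, name) for name, (p, s) in actions.items() if s == "Not implemented"]
    return [name for p, name in sorted(todo, key=lambda t: (-t[0], t[1]))]

if __name__ == "__main__":
    before, after = load_actions(SNAPSHOT_BEFORE), load_actions(SNAPSHOT_AFTER)
    print("score before/after:", score(before), score(after))
    print("regressions:", regressions(before, after))
    print("next targets:", next_targets(after))
```

In the sample data the score is unchanged between the two exports even though a control regressed, which is why the per-action diff matters more than the headline number.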
Assessment Template Updates
The assessment templates provided by Microsoft through the Compliance Manager portal are updated periodically as regulations change or new features are added to the Microsoft 365 service that can help further secure your data. These updates will appear in the portal, along with release notes on what has changed, and the resulting impact to your compliance score. You will need to accept the changes offered before Compliance Manager applies the updated assessment.
Through the Manage User Access menu, Compliance Manager offers the ability to assign Actions to other people so you can divide and conquer that initial update effort or assign Actions to others based on their expertise.
Like all the other features in Purview, there are granular access controls through role groups so you can tailor access to Compliance Manager for people on your Compliance or Audit teams. Read-only and Edit privileges are available.
Email alerts can be configured to notify the people you select about compliance score changes, Action updates, or other control changes so you can monitor Compliance Manager activity and respond to unexpected changes.
As of this writing, Salesforce and Zoom connectors are in preview. These connectors will be able to bring Zoom and Salesforce information into your tenant so that Compliance Manager can evaluate controls on those platforms that impact your regulatory or security compliance.
No Time Like the Present…
If you are at an E3 license level, you have access to Compliance Manager today. I encourage you to configure it and set up the baseline assessment so you can get an overview of your security and compliance posture today and obtain an understanding of what configuration or policies matter most in improving it. Compliance Manager is an easy way to start evaluating the controls you have in place today, identify what you should have, and give you a place to document and measure your progress over time. As I mentioned earlier, spend some time documenting what you have today, and then focus on the 27-point items that are low-hanging fruit so you can make some measurable progress. The rest of the control recommendations should then dovetail into your technology roadmap as “must do” or “should do” items. More information on building an effective roadmap is here.
Compliance Manager sometimes gets a little lost among all the Purview features, but it is a powerful tool to help make impactful changes in your tenant security posture. I covered the basics here, but my colleagues and I help people with Compliance Manager and Purview all the time. Let us know if you want some help diving into the solution further!
Interested in ensuring your environment is compliant with all rules and regulations?
Contact our team of experts to get started with Purview today!