
Microsoft 365 Security and Compliance for Administrators

More than a decade ago, Microsoft introduced Office 365, a software as a service (SaaS) offering, as the natural evolution of its very popular business productivity suite. The bundle consisted of the core desktop productivity applications (Outlook, Word, Excel, PowerPoint, OneNote, and Access) together with server-based services such as SharePoint, Exchange, and Skype for Business.
It soon became obvious that productivity needs more than productivity tools. Microsoft therefore added further essential products and services and brought together Office 365, Windows, and Enterprise Mobility + Security (EM+S) to form Microsoft 365.
Microsoft 365 is the name of Microsoft's cloud-based service: a collection of cloud services whose common denominators are enhanced user productivity, efficient collaboration, and communication, while keeping data and devices secure wherever they are, whether in the office, at home, or on the go.
One of the main benefits of Microsoft 365 is that it allows users to access their files and applications from anywhere on any device. This is made possible through the integration of cloud-based services such as OneDrive, which allows users to store and share files online. This means that users can access their files from a desktop computer, laptop, tablet, or smartphone, as long as they have an internet connection.
Another benefit of Microsoft 365 is the ability to collaborate and communicate with others in real-time. Applications such as SharePoint and Teams allow users to share and co-author documents, as well as participate in virtual meetings and chat with their colleagues. This makes it easy for teams to work together, regardless of their physical location.
In addition to the productivity and collaboration features, Microsoft 365 includes security and compliance tools that help protect users' data and meet regulatory requirements. Microsoft Defender for Office 365, for example, uses machine learning and behavioral analysis to detect and block malicious emails, links, and files, and helps identify and respond to security threats in near real time. Data Loss Prevention (DLP) helps prevent sensitive data from being shared or leaked. DLP is just one of the numerous Microsoft 365 security features; we will take a closer look at them later in the book.
In terms of compliance, Microsoft 365 includes several features to help organizations meet regulatory requirements. For example, it includes eDiscovery, which allows administrators to search for and export data from email, SharePoint, and Teams to comply with legal and regulatory requests. Additionally, it also includes retention and archiving capabilities, which allow organizations to retain and archive data for compliance purposes.
In short, Microsoft 365 is a comprehensive solution for businesses and individuals who want to increase their productivity, collaboration, and communication while keeping their data secure. With its range of applications and services, it provides users with everything they need to work effectively, whether they are in the office or working remotely.
As a subscription-based service, Microsoft 365 offers subscription plans and bundles tailored for personal use, small businesses, enterprises, schools, educational and governmental users, and more.
While classic Office applications such as Word, Excel, Outlook, and PowerPoint are available as a one-time purchase via Office Home & Business 2021 or Office Home & Student 2021, these do not include some popular capabilities and products such as cloud storage or Microsoft Teams.
There are four fundamental Microsoft 365 plan groups, each containing two or more Microsoft 365 plans:
Other Microsoft 365 and Office 365 offers include plans specifically suited for governments, education (academic institutions), nonprofit organizations, the US government, and 21Vianet-operated areas (China).
Microsoft 365 comprises three components, and each component has its own tiers, such as E3, F3, or A3, with different capabilities included:
Microsoft 365 comprises many products and features, such as the web, mobile, and desktop versions of Word, Excel, PowerPoint, and Outlook, advanced security, tools to create personalized documents, cyber threat protection, and access and data control features. Depending on organizational size, Microsoft has gathered and included a variety of products in different product packages, or plans, and we will introduce the most important and most prevalent ones.
Products and features
While the products included in Microsoft 365 plans have many features, we put the emphasis on security and compliance capabilities. We have deliberately not included tables and descriptions of every feature, in order to preserve readability, declutter the book's content, and focus on security and compliance-related products.
Microsoft 365 Business plans are specifically adapted to the needs of small and medium businesses, for up to 300 users. If your organization has a need to license more than 300 users, you need to consider using Microsoft 365 Enterprise licenses.
The following table shows you the security and compliance capabilities and features of Microsoft 365 user subscription suites for small and medium-sized businesses:
| Microsoft 365 Suites for Small and Medium-Sized Businesses | Basic | Standard | Premium |
|---|---|---|---|
| Threat Protection | | | |
| Microsoft Defender for Business | | | • |
| Microsoft Defender Exploit Guard | | | • |
| Microsoft Defender Credential Guard | | | • |
| BitLocker and BitLocker To Go | | | • |
| Windows Information Protection | | | • |
| Microsoft Defender for Office 365 Plan 1 | | | • |
| Identity and Access Management | | | |
| Microsoft Entra ID P1 | | | • |
| User provisioning | | | • |
| Cloud user self-service password change | • | • | • |
| Cloud user self-service password reset | | • | • |
| Hybrid user self-service password change/reset with on-premises write-back | | | • |
| Conditional Access | | | • |
| On-premises Active Directory sync for single sign-on (SSO) | | | • |
| Windows Hello for Business | | | • |
| Cloud Access Security Broker | | | |
| Microsoft Defender for Cloud Apps Discovery | | | • |
| Information Protection | | | |
| Azure Information Protection | | | Plan 1 |
| Manual, default, and mandatory sensitivity labeling in Office 365 | | | • |
| Manual labeling with the AIP app and plugin | | | • |
| Data Loss Prevention (DLP) for emails and files | | | • |
| Basic Message Encryption | | | • |
| Data Lifecycle Management | | | |
| Manual retention labels | | | • |
| Basic org-wide or location-wide retention policies | | | • |
| Teams message retention policies | • | • | • |
| eDiscovery and Auditing | | | |
| Content Search | • | • | • |
| Litigation Hold | | | • |
| Audit (Standard) | • | • | • |
| Security and Compliance | | | |
| Microsoft 365 Information Protection and Governance | +¹ | +¹ | + |
| Microsoft 365 E5 Insider Risk Management | + | + | + |
| Microsoft 365 E5 eDiscovery and Audit | + | + | + |
| Microsoft Defender for Business | + | + | • |
| Microsoft Defender for Business servers add-on for Microsoft Defender for Business | +⁵ | +⁵ | +⁵ |
| Microsoft Defender for Identity | + | + | + |
| Microsoft Defender for Office 365 Plan 1 | + | + | • |
| Microsoft Defender for Office 365 Plan 2 | + | + | + |
| Microsoft Defender for Cloud Apps | + | + | + |
| App governance add-on for Microsoft Defender for Cloud Apps | +² | +² | +² |
| Microsoft Defender for Endpoint Plan 1 | + | + | + |
| Microsoft Defender for Endpoint Plan 2 | + | + | + |
| Premium Assessments add-on for Compliance Manager³ | + | + | + |
| Microsoft Entra ID P1 | + | + | • |
| Microsoft Entra ID P2 | + | + | + |
| Microsoft Intune Plan 1 | + | + | • |
| Microsoft Intune Plan 2 | +⁴ | +⁴ | + |
| Microsoft Intune Suite | +⁴ | +⁴ | + |
| Microsoft Intune Remote Help | +⁴ | +⁴ | + |
| Microsoft Purview Data Loss Prevention (for email and files) | + | + | • |
| Exchange Archiving | + | + | • |

Table 1.1 – Microsoft 365 Suites for small and medium-sized businesses
For the current list of features in Microsoft 365 Business plans, see the following page: https://www.microsoft.com/en/microsoft-365/business/compare-all-microsoft-365-business-products-d?market=af
Here is what the different symbols in the table mean:
Microsoft 365 for Enterprise plans are a suite of products bundled and tailored for the enterprise market, with some unique capabilities relevant to organizations with a larger employee base.
Microsoft 365 for Enterprise suites contain solutions and products designed for, and targeted primarily at, large organizations, although small and medium-sized businesses can take advantage of these more advanced security, compliance, and productivity solutions as well.
Local and productivity services include content and productivity applications such as Microsoft 365 Apps for Enterprise with enterprise deployment and update options, Exchange Online, SharePoint Online, Skype for Business, Microsoft Teams, and Yammer, together with simplified and advanced deployment, management, and servicing options such as Windows Enterprise in-place upgrade and Autopilot, plus auto-enrollment of Windows PCs and devices.
Security options span operating systems, device management, and advanced security services. They include identity and access management, information protection, threat protection, and security management products and features such as Microsoft Defender for Office 365, SharePoint and Exchange Online access policies, Azure Information Protection (AIP), Microsoft 365 DLP policies, Microsoft Defender for Endpoint, Windows Hello for Business, Windows Information Protection (WIP), Microsoft Intune, device-based Conditional Access policies, Microsoft Entra ID Privileged Identity Management (PIM), Advanced Threat Analytics (ATA), Microsoft Defender for Identity, Microsoft Cloud App Security (since renamed Microsoft Defender for Cloud Apps), and Azure Multi-Factor Authentication (now Microsoft Entra multifactor authentication).
Note
Microsoft stopped developing WIP in July 2022. WIP still works on the Windows versions that support it, but it receives no new features or updates, and future Windows versions will not include it. Microsoft recommends Microsoft Purview Information Protection and Microsoft Purview Data Loss Prevention for your data protection needs instead; Purview is easier to set up and offers more advanced capabilities.
When customers and information technology professionals think about Microsoft 365 Enterprise plans, they usually refer to two major plans:
Though there are, of course, more than two Microsoft 365 plans, some that even Microsoft sometimes likes to classify as plans with Enterprise-like features:
For Microsoft 365 Enterprise plans customers, several add-ons are available:
Companies who want to bring their security posture to a higher level can decide to invest in EM+S suites, which include advanced identity and access management, endpoint management, and information protection products.
The following tables compare the Microsoft 365 E3, E5, E5 Security, and E5 Compliance plans together with the EM+S E3 and E5 plans and show their characteristics.
The following table shows the comprehensive information protection, data loss prevention, and threat protection capabilities in Microsoft 365, including a list of numerous products carrying the Microsoft Defender name:
Microsoft 365 |
Enterprise Mobility + Security |
|||||
E3 |
E5 |
E5 Security1 |
E5 Compliance1 |
E3 |
E5 |
|
Information Protection |
||||||
Azure Information Protection Plan 1 |
• |
• |
||||
Azure Information Protection Plan 2 |
• |
• |
• |
|||
Manual, default, and mandatory sensitivity labeling in Microsoft 365 apps |
• |
• |
• |
• |
||
Automatic sensitivity labeling in Microsoft 365 apps |
• |
• |
• |
|||
Manual labeling with the AIP app and plugin |
• |
• |
• |
• |
||
Automatic labeling in the AIP plugin |
• |
• |
• |
|||
Default sensitivity labels for SharePoint document libraries |
• |
• |
||||
Automatic sensitivity labels in Exchange, SharePoint, and OneDrive |
• |
• |
||||
Sensitivity labels based on machine learning/trainable classifiers/exact data match |
• |
• |
||||
Sensitivity labels for containers in Microsoft 365 |
• |
• |
||||
Basic message encryption |
• |
• |
•2 |
•2 |
||
Advanced message encryption |
• |
• |
•2 |
|||
Customer Key |
• |
• |
||||
Personal Data Encryption |
• |
• |
||||
Data Loss Prevention (DLP) |
||||||
DLP for emails and files |
• |
• |
||||
DLP for Teams chat |
• |
• |
||||
Endpoint DLP |
• |
• |
||||
Threat Protection |
||||||
Microsoft Defender Antimalware |
• |
• |
||||
Microsoft Defender Firewall |
• |
• |
||||
Microsoft Defender Exploit Guard |
• |
• |
||||
Microsoft Defender Credential Guard |
• |
• |
||||
BitLocker and BitLocker To Go |
• |
• |
||||
Microsoft Defender for Endpoint Plan 1 |
• |
• |
||||
Microsoft Defender for Endpoint Plan 2 |
• |
• |
||||
Microsoft Defender for Identity |
• |
• |
• |
|||
Microsoft Defender for Office 365 Plan 2 |
• |
• |
||||
Microsoft Defender Application Guard for Edge |
• |
• |
||||
Microsoft Defender Application Guard for Office |
• |
• |
||||
Safe Documents |
• |
• |
||||
Cloud Access Security Broker |
||||||
Microsoft Defender for Cloud Apps Discovery |
• |
• |
• |
• |
||
Microsoft Defender for Cloud Apps |
• |
• |
• |
• |
||
Office 365 Cloud App Security |
• |
• |
• |
Table 1.2 – Microsoft 365 plans Information Protection, DLP and Threat Protection features
This table shows the broad identity and access management, as well as endpoint and application management, capabilities available in Microsoft 365 suites:
Microsoft 365 |
Enterprise Mobility + Security |
|||||
E3 |
E5 |
E5 Security1 |
E5 Compliance1 |
E3 |
E5 |
|
Identity and Access Management |
||||||
Microsoft Entra ID P1 |
• |
• |
||||
Microsoft Entra ID P2 |
• |
• |
• |
|||
User provisioning |
• |
• |
• |
• |
• |
|
Cloud user self-service password change |
• |
• |
• |
• |
• |
|
Cloud user self-service password reset |
• |
• |
• |
• |
• |
|
Hybrid user self-service password change/reset with on-premises write-back |
• |
• |
• |
• |
• |
|
Advanced security reports |
• |
• |
• |
• |
• |
|
Multifactor authentication |
• |
• |
• |
• |
• |
|
Conditional Access |
• |
• |
• |
• |
• |
|
Risk-based Conditional Access/Identity Protection |
• |
• |
• |
|||
PIM |
• |
• |
• |
|||
Access reviews |
• |
• |
• |
|||
Entitlement management |
• |
• |
• |
|||
Microsoft 365 Groups |
• |
• |
||||
On-premises Active Directory sync for SSO |
• |
• |
• |
• |
||
DirectAccess supported |
• |
• |
||||
Windows Hello for Business |
• |
• |
||||
Microsoft ATA |
• |
• |
• |
• |
||
Endpoint and Application Management |
||||||
Microsoft Intune Plan 1 |
• |
• |
• |
• |
||
Mobile Device Management |
• |
• |
• |
• |
||
Mobile Application Management |
• |
• |
• |
• |
||
Windows Autopilot |
• |
• |
•3 |
•3 |
||
Group Policy support |
• |
• |
||||
Cloud Policy service for Microsoft 365 |
• |
• |
||||
Shared computer activation for Microsoft 365 apps |
• |
• |
||||
Endpoint analytics |
• |
• |
• |
• |
||
Cortana management |
• |
• |
Table 1.3 – Microsoft 365 plans IAM, and Endpoint and Application Management features
Thorough insider risk management, governance, and records management, together with discovery and auditing features in Microsoft 365 are listed in the following table:
Microsoft 365 |
Enterprise Mobility + Security |
|||||
E3 |
E5 |
E5 Security1 |
E5 Compliance1 |
E3 |
E5 |
|
Data Lifecycle Management |
||||||
Manual retention labels |
• |
• |
• |
• |
||
Basic org-wide or location-wide retention labels |
• |
• |
||||
Rule-based automatic retention policies |
• |
|||||
Machine learning-based retention |
• |
|||||
Teams message retention policies |
• |
• |
||||
Records management |
• |
|||||
eDiscovery and Auditing |
||||||
Content search |
• |
• |
||||
eDiscovery (Standard) (including Hold and Export) |
• |
• |
||||
Litigation hold |
• |
• |
||||
eDiscovery (Premium) |
• |
|||||
Audit (Standard) |
• |
• |
||||
Audit (Premium) |
• |
|||||
Insider Risk Management |
||||||
Microsoft Purview Insider Risk Management |
• |
|||||
Communication Compliance |
• |
|||||
Information Barriers |
• |
|||||
Customer Lockbox |
• |
|||||
Privileged access management |
• |
Table 1.4 – Microsoft 365 plans DLM, eDiscovery, and IRM features
Here is what the different symbols in the table mean:
Along with the placement of products and features into suites and plans, it is important to know that if you have already purchased a plan license, you can acquire an individual product or feature as a separate license. Flexible options therefore exist to tailor licensing tightly to your company's requirements. Additionally, licensing is available as a monthly subscription or as a yearly commitment, the latter at a lower cost.
Microsoft 365 plans offer additional options as add-ons; the following table shows the add-on subscriptions for the E3 and E5 plans:
| Microsoft 365 Add-On Subscriptions | E3 | E5 |
|---|---|---|
| Microsoft 365 E5 Security | + | • |
| Microsoft 365 E5 Compliance | + | • |
| Microsoft 365 E5 Information Protection and Governance | + | • |
| Microsoft 365 E5 Insider Risk Management | + | • |
| Forensic evidence add-on for Insider Risk Management | N/A | • |
| Microsoft 365 E5 eDiscovery and Audit | + | • |
| Microsoft Defender for Identity | + | • |
| Microsoft Defender for Office 365 Plan 1 | + | • |
| Microsoft Defender for Office 365 Plan 2 | + | • |
| Microsoft Defender for Cloud Apps | + | • |
| App governance add-on for Microsoft Defender for Cloud Apps | +¹ | + |
| Microsoft Defender for Endpoint Plan 1 | • | • |
| Microsoft Defender for Endpoint Plan 2 | + | • |
| Microsoft Defender Vulnerability Management | +² | + |
| Premium Assessments add-on for Compliance Manager³ | + | + |
| Priva Privacy Risk Management | + | + |
| Priva Subject Rights Requests | + | + |
| Compliance Program for Microsoft Cloud | + | + |
| Microsoft Purview Data Loss Prevention (for email and files) | • | • |
| Exchange Archiving | • | • |
| Microsoft Entra ID P1 | • | • |
| Microsoft Entra ID P2 | + | • |
| Microsoft Intune Plan 1 | • | • |
| Microsoft Intune Plan 2 | + | + |
| Microsoft Intune Suite | + | + |
| Microsoft Intune Remote Help | + | + |
| 10-year audit log retention | N/A | + |

Table 1.5 – Add-ons for Microsoft 365 E3 and E5 plans
Here is what the different symbols in the table mean:
Microsoft has provided flexible licensing options and plans tailored to a variety of business, academic, and not-for-profit users, as well as individual licensing options. However, you should always check the current plans, products, features, characteristics, and prices whenever considering purchasing licenses for plans and products.
Microsoft 365 and Office 365 service descriptions
For an up-to-date and very detailed overview of Microsoft 365 and Office 365 service descriptions, please visit the official Microsoft page at https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-service-descriptions-technet-library.
Microsoft 365 is licensed on a User Subscription License (USL) basis: each user who accesses Microsoft 365 services and/or software requires a license, the USL. If you meet the prerequisites for a plan, you can use any combination of Microsoft 365 plans.
A Licensing Program is a channel through which you can purchase Microsoft 365 licenses, and there are several Licensing Programs through which a license can be obtained. One is Microsoft Volume Licensing (VL), where several options are available for commercial customers:
For customers with cloud-only deployments, Microsoft 365 is also available through the following additional channels:
Microsoft 365 F1/F3 and E3/E5 are available through the Enterprise Enrollment or Enterprise Subscription Enrollment as a full user subscription license. Microsoft 365 E3/E5 is also available as an add-on license or as a "From SA" USL (SA stands for Software Assurance).
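The plan comparison tables tell you what a suite can include; what an administrator has to verify is which service plans are actually purchased, assigned, and provisioned per user, because a capability such as Conditional Access or Defender for Office 365 Plan 2 is only in effect for users whose USL carries the corresponding service plan in an enabled state. The following script is an added example, not code from the book, and uses the Microsoft Graph PowerShell SDK to produce that report. The service plan identifiers in $plansOfInterest are an assumption based on Microsoft's published licensing service-plan reference; verify them against your own Get-MgSubscribedSku output, since Microsoft renames SKUs and plans over time.

```powershell
# Added example (not from the book): report which security service plans the
# tenant owns and which users actually hold them in a provisioned state.
# Requires the Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All'

# Service plan identifiers (assumption: taken from Microsoft's licensing
# service-plan reference; confirm them against Get-MgSubscribedSku in your tenant).
$plansOfInterest = [ordered]@{
    'AAD_PREMIUM'            = 'Microsoft Entra ID P1 (Conditional Access)'
    'AAD_PREMIUM_P2'         = 'Microsoft Entra ID P2 (PIM, Identity Protection)'
    'ATP_ENTERPRISE'         = 'Microsoft Defender for Office 365 Plan 1'
    'THREAT_INTELLIGENCE'    = 'Microsoft Defender for Office 365 Plan 2'
    'WINDEFATP'              = 'Microsoft Defender for Endpoint Plan 2'
    'ATA'                    = 'Microsoft Defender for Identity'
    'ADALLOM_S_STANDALONE'   = 'Microsoft Defender for Cloud Apps'
    'RMS_S_PREMIUM2'         = 'Azure Information Protection Plan 2'
    'M365_ADVANCED_AUDITING' = 'Audit (Premium)'
}

# Tenant view: which purchased SKUs carry each plan of interest, with seat counts.
function Get-TenantPlanCoverage {
    foreach ($sku in Get-MgSubscribedSku) {
        foreach ($plan in $sku.ServicePlans) {
            if (-not $plansOfInterest.Contains($plan.ServicePlanName)) { continue }
            [pscustomobject]@{
                Feature     = $plansOfInterest[$plan.ServicePlanName]
                ServicePlan = $plan.ServicePlanName
                Sku         = $sku.SkuPartNumber
                Seats       = $sku.PrepaidUnits.Enabled
                Assigned    = $sku.ConsumedUnits
            }
        }
    }
}

# Per-user view: is the service plan both assigned and provisioned for each
# licensed user? A plan can be assigned but switched off in the license
# assignment (ProvisioningStatus 'Disabled'); the feature is then not active
# for that user even though the SKU shows up on the account.
function Get-UserPlanCoverage {
    param([Parameter(Mandatory)][string]$ServicePlanName)
    foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName, AssignedLicenses) {
        if (-not $user.AssignedLicenses) { continue }   # unlicensed accounts are out of scope
        $details = Get-MgUserLicenseDetail -UserId $user.Id
        $plan = $details.ServicePlans | Where-Object ServicePlanName -eq $ServicePlanName
        [pscustomobject]@{
            User    = $user.UserPrincipalName
            Covered = [bool]($plan | Where-Object ProvisioningStatus -eq 'Success')
            Status  = ($plan.ProvisioningStatus | Sort-Object -Unique) -join ','
            ViaSku  = ($details | Where-Object { $_.ServicePlans.ServicePlanName -contains $ServicePlanName }).SkuPartNumber -join ','
        }
    }
}

Get-TenantPlanCoverage | Format-Table -AutoSize

# Licensed users without a working Entra ID P2 plan: these users cannot be
# governed by PIM or risk-based Conditional Access, whatever the suite comparison promises.
Get-UserPlanCoverage -ServicePlanName 'AAD_PREMIUM_P2' |
    Where-Object { -not $_.Covered } |
    Format-Table User, Status, ViaSku -AutoSize
```

The per-user check deliberately counts only service plans with ProvisioningStatus 'Success' as covered: a user who holds an E5 SKU whose Entra ID P2 plan was disabled in the license assignment shows up in the second report, which is the case the tenant-level seat count alone would hide.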
Here is the comparison table for different licensing options:
| License | Who the license is for | Can be ordered |
|---|---|---|
| Microsoft 365 Full USL | New Enterprise Agreement/Enterprise Agreement Subscription customers; existing Enterprise Agreement/Enterprise Agreement Subscription customers who are either not currently licensed or who want to license net new users | Mid-term, Anniversary, Renewal |
| Microsoft 365 Add-on | Existing Enterprise Agreement/Enterprise Agreement Subscription customers who are currently paying for Licenses and Software Assurance (L+SA), who want to license some or all existing users for the enterprise platform, or who want to maintain on-premises use rights | Mid-term, Anniversary, Renewal |
| Microsoft 365 "From SA" USL | Existing Enterprise Agreement/Enterprise Agreement Subscription customers who have fully paid licenses, who are currently paying for Software Assurance only, or who want to license existing users | Anniversary, Renewal (recommended) |

Table 1.6 – Comparing different licensing options
Microsoft 365 users are entitled to on-premises rights to Productivity Servers and Office Professional Plus when purchasing through EA/EAS enrollment, but not when purchasing through Microsoft Customer Agreement or Web Direct, on the following terms:
The Productivity Server right includes the following features:
Office Professional Plus includes the following features:
Note
A Microsoft 365 E3 or E5 USL licenses a user to access Windows Server but does not include a license for the Windows Server product itself.
After reviewing licensing and product options for a variety of Microsoft 365 plans, products, and features, we are now ready to explore products in Microsoft 365 related to security, protection, and governance.