Confused by all the different security and compliance centers?

I logged into one of my tenancies earlier this week to discover that the new Microsoft 365 security center and the new Microsoft 365 compliance center are now available. Given that in most organisations the responsibility for securing the platform is typically quite distinct from the job of data governance, I personally see this change as a good step forward.

However, at the current point in time, these new additions might leave many confused about the current security and compliance offerings provided by Microsoft – something I’m hopeful that this post will help to clarify.

Somewhat confusingly, there are currently four* separate Microsoft admin centers that allow organisations to control their security and compliance:

| Center | URL | Introduced | Current | Licence |
|---|---|---|---|---|
| Office 365 Security & Compliance Center | https://protection.office.com | December 2015 | Yes | Office 365: Business Essentials, Business Premium, E1, E3, E5 |
| Microsoft 365 Security & Compliance Center | https://protection.microsoft.com | April 2018 | Planned for retirement | Microsoft 365: E3, E5 |
| Microsoft 365 security center | https://security.microsoft.com | March 2019 | Yes | Microsoft 365: E3, E5 |
| Microsoft 365 compliance center | https://compliance.microsoft.com | March 2019 | Yes | Microsoft 365: E3, E5 |

NB, Microsoft 365 licences are not the same as Office 365 licences.

Office 365 Security & Compliance Center

Back in December 2015 Microsoft decided to amalgamate a raft of security features, including Advanced Threat Protection (ATP) and Data Loss Prevention (DLP) with their existing Office 365 Compliance Center, to form the unified Office 365 Security and Compliance Center. The idea was to provide a centralised portal for controlling governance and mitigating threats within Office 365.

Since launch the portal has gone from strength to strength, benefiting from an avalanche of new features over the past few years, including Advanced Data Governance, Content Search and Advanced eDiscovery.

Microsoft make it clear that despite the arrival of the new Microsoft 365 centers “you will still be able to configure and manage your Office 365 settings within your existing Security & Compliance Center” [1]. However, I personally wouldn’t be overly surprised if we saw the Office 365 Security & Compliance Center split into two separate applications at some point in the future.

Microsoft 365 Security & Compliance Center

Almost exactly a year ago, the Microsoft 365 Security & Compliance Center was launched. It expanded upon the unified administration experience provided by the Office 365 Security & Compliance Center, to include protection for Windows 10 and Enterprise Mobility + Security (in addition to Office 365).

Microsoft has announced that they “plan to retire the former Microsoft 365 Security & Compliance Center” [1], replacing it with the new Microsoft 365 security center and Microsoft 365 admin center. Hence, from this point forwards, organisations working with the Microsoft 365 Security & Compliance Center will need to transition to using the new Microsoft 365 centers.

The new Microsoft 365 security center & Microsoft 365 compliance center

Only just released (late March 2019), the two new centers offer a clear distinction between threat prevention and ensuring regulatory compliance. For me, this makes a huge amount of sense, as most organisations I’ve worked with have seen digital security as an IT responsibility, whereas information retention and compliance are in the remit of the Information Management team.

The new centers both provide modern interfaces, with new oversight dashboards to help identify potential issues. Take for example the Microsoft 365 compliance center, which splits its home page into three sections, allowing you to ‘Assess’, ‘Protect’, and ‘Respond’ to activity and risks:

The two new centers both require Microsoft 365 licences (E3/E5) to access – so not all of you will see these new portals.

At this point in time, the new compliance centers are still being extended. As such, they currently rely on functionality hosted elsewhere. For example, Microsoft 365’s interestingly named ‘Hunting’ page currently provides three ‘Start Hunting’ buttons which take admins to the following portals:

  • Office 365 Security & Compliance Center’s Threat Management Explorer
  • Windows Defender Security Center
  • Azure Advanced Threat Detection

Certainly, right now, I can see that much, but not all, of the functionality provided by the Office 365 Security & Compliance Center has found its way into the new centers. Once they are more mature, I will likely write a blog to compare functionality, but by way of an example, I’ll leave you with the following images comparing certain parts of the menus:

Footnote

* Well, I say that there are only 4 admin centers covering security and compliance, but actually the picture is somewhat more complex. We currently have multiple other applications to consider, from Compliance Manager, through the Azure Security Center, Intune and Cloud App Security etc. I’m expecting to see many of the functions provided by the disparate admin portals being merged under the umbrellas of the new Microsoft 365 security center and Microsoft 365 compliance center in the future.

References

[1] Overview of the new Microsoft 365 security center and Microsoft 365 compliance center: https://docs.microsoft.com/en-us/office365/securitycompliance/microsoft-security-and-compliance, “The new Microsoft 365 security center and Microsoft 365 compliance center are now generally available”, accessed 05/04/2019
[2] Want to know what you get with an E1, E3 or E5 licence within the Security and Compliance Center? This is the best source to turn to: https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center, “Office 365 Security & Compliance Center”, accessed 05/04/2019