Microsoft Purview- Paint By Numbers Series (Part 9c) - Compliance Manager - Improvement Actions
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them in the following link:
Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
Target Audience
The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data and encrypt it where needed.
Document Scope
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through using Compliance Manager to run Improvement Actions based on what an assessment is indicating.
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Purview, including:
- Data Classification
- Information Protection
- Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
- Data Lifecycle Management (retention and disposal)
- Records Management (retention and disposal)
- eDiscovery
- Insider Risk Management (IRM)
- Priva
- Advanced Audit
- Microsoft Cloud App Security (MCAS)
- Information Barriers
- Communications Compliance
- Licensing
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).
For details on licensing (i.e. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.
Overview of Document
This document 1) walks you through different ways to reach the Improvement Actions section of an assessment and 2) then shows how to apply recommended Improvement Actions.
- Decision Trees for getting to a Control’s Improvement actions.
- 3 ways to access Improvement actions
- Review of the 5 tabs within any particular Improvement action.
- Technical Improvement action
- Documentational Improvement action
Use Case
An administrator wants to apply Improvement Actions to their tenant based on an assessment that has been run previously, for example the one run in Part 9b of this blog series.
Definitions
- Actions – the things that need to be done to mark a Control as completed and
- Assessments – these help you implement data protection controls specified by compliance, security, privacy, and data protection standards, regulations, and laws. Assessments include actions that have been taken by Microsoft to protect your data, and they're completed when you take action to implement the controls included in the assessment.
- Assessment Templates – these templates track compliance with over 300 industry and government regulations around the world.
- Compliance Score - Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score can help prioritize which action to focus on to improve your overall compliance posture. You receive an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.
- Controls – the various requirements in your tenant that must be met to meet a part of an assessment.
- Control Family – a group of Controls.
- Microsoft Actions – These are actions that Microsoft has performed inside of your tenant to help it meet a specific assessment.
- Progress – each assessment has a progress chart to help you visualize the progress you are making to meet the requirements of the assessment.
- Your Improvement Actions – These are actions that you and your organization must perform to meet a specific assessment/certification/regulation.
- Overview – This allows you to view the specific control, its status, scope, actions needed, etc.
- Implementation – This will explain what you need to do in your tenant to meet this control. It will also give you an update on the implementation status and date.
- Testing – here you can look at your Control testing history.
- Standards and Regulations – This will reference which regulations and/or certifications are relevant to this Control.
- Documentation – This is where you can place your documentation around this specific Control. This is done via the Add Evidence button.
- Technical Improvement action – This is not an official Microsoft term, but is one that I will use in this document to differentiate an Improvement action that requires the configuration of your tenant or Azure cloud.
- Documentational Improvement action – This is not an official Microsoft term, but is one that I will use in this document to differentiate an Improvement action that requires action or documentation outside of your tenant or Azure cloud.
Notes
It is IMPORTANT to know that your Compliance Score will not increase until AFTER the testing of your Improvement action.
Pre-requisites
It is recommended you read the official Microsoft documentation on Compliance Manager and Parts 9a-9b of this blog series.
It is also recommended you run a Data Protection Baseline and the GDPR for Microsoft Tenant assessments. This will help you to run the Improvement actions in this blog entry.
You will need administrative rights on aad.portal.azure.com.
“Decision Trees” to get to Improvement Actions
There are 3 ways that you can access the Improvement actions section. Let us take a moment to look at how you can get to a Control’s Improvement action(s). Here are the 3 paths you can take:
- From within core Compliance Manager, go to the Improvement actions tab -> (Specific) Improvement Action you want to run.
- From within your assessment, go to the Control (tab) -> Controls Family –> Controls -> Implementation
- From within your assessment, go to the Your Improvement Actions (tab) -> (Specific) Improvement Actions –> Controls -> Implementation
See the diagram below for how these “decision trees” appear visually.
Below, we will walk through each of these “decision trees”.
Improvement Actions – an Overview
Once you are in a specific Improvement action, you will see 5 tabs across the top. Here is what each of the tabs does, plus a visual diagram of those same tabs and what they do.
- Overview – This allows you to view the specific control, its status, scope, actions needed, etc.
- Implementation – This will explain what you need to do in your tenant to meet this control. It will also give you an update on the implementation status and date.
- Testing – here you can look at your Control testing history.
- Standards and Regulations – This will reference which regulations and/or certifications are relevant to this Control.
- Documentation – This is where you can place your documentation around this specific Control. This is done via the Add Evidence button.
Accessing Improvement Actions – Option #1
The first way to arrive at this Improvement actions page is as follows:
- Go to Compliance Manager -> Improvement actions
- On the bottom, you will find the list of all Improvement Actions. Click on one.
- You will then land on the Improvement actions page.
- We will cover what each of these tabs does in the 5 “tab” sections below. After that, we will detail how to run these Improvement Actions in the sections labeled Technical Improvement Action and Documentational Improvement action.
Accessing Improvement Actions – Option #2
The second way to arrive at this Improvement actions page is as follows:
- Go to Compliance Manager -> Assessments -> (Specific) Assessment (in this case Data Protection Baseline)
- On the right side, click on the Controls tab and at the bottom select an Improvement action
- Scroll down to the Control title section, and select your specific Control Family and (Specific) control
- This will take you to the page for your Improvement actions and Microsoft’s Improvement actions. You do not need to worry about the Microsoft Improvement actions, as they are maintained by Microsoft inside your tenant. Below Improvement actions, click the (specific) Improvement action you want to take.
- You will then land on the Improvement actions page.
- We will cover what each of these tabs does in the 5 “tab” sections below. After that, we will detail how to run these Improvement Actions in the sections labeled Technical Improvement Action and Documentational Improvement action.
Accessing Improvement Actions – Option #3
The third way to arrive at this Improvement actions page is as follows:
- Go to Compliance Manager -> Assessments -> (Specific) Assessment (in this case Data Protection Baseline)
- On the right side, click on the Your Improvement actions tab and at the bottom select an Improvement action
- You will then land on the Improvement actions page.
- We will cover what each of these tabs does in the 5 “tab” sections below. After that, we will detail how to run these Improvement Actions in the sections labeled Technical Improvement Action and Documentational Improvement action.
5 Improvement action Tabs
Overview (tab)
On the left side you will find the Overview tab. This shows the details of the specific Improvement action you are trying to run: its status, scope, action needed, etc.
- At the bottom of the Overview tab you will also see an item labeled Assign action. As you might expect, this will allow you to assign a specific user to implement this control (ex. Bob Smith or Jane Young). This will then be tracked inside the Overview tab.
- The Testing Source can be selected below the Assign action button. For more information on Testing Sources, see the link Working with Improvement Actions in the Appendix and Links section below. Here are a few excerpts from the official documentation to help you understand it at a fundamental level.
“For those improvement actions that can be automatically tested, you'll see the Automatic option for testing source. Compliance Manager will detect signals from other compliance solutions you've set up in your Microsoft 365 environment, as well as any complementary actions that Microsoft Secure Score also monitors.”
“Automatic testing is on by default for all eligible improvement actions. You can adjust these settings to automatically test only certain improvement actions, or you can turn off automatic testing for all actions.”
“When you select Parent as the testing source for an improvement action, you'll choose another action to which your action will be linked. Your action in effect becomes the "child" to the action that you designate as the "parent." When you designate a parent for an improvement action, that action will inherit the implementation and testing details of the parent action. Any time the parent action's status changes, the child's status will inherit those changes. The child action will also accept all evidence in its Documents tab that belong to the parent action, which could override any data that previously existed in the child action's Documents.”
- You can now move to the Implementation tab.
Implementation (tab)
On the right, you will see 4 tabs. We will start with the Implementation tab. This tab explains what you need to do in your tenant to meet this control.
You can now move to the Testing tab.
Testing (tab)
Now let us look at the Testing tab. Here you can look at your Control testing history.
Again, it is IMPORTANT to know that your Compliance Score will not increase until AFTER the testing of your Improvement action.
At this point there is nothing to be done on this tab, but you can revisit this tab after you have started to implement your actions and testing. Proceed to the next section.
Standards and Regulations (tab)
Next, we will look at the Standards and Regulations tab. This will reference which regulations and/or certifications are relevant to this Control. This can help you know if the Improvement action will “check off” one regulation/certification need, or multiples.
Let us move to the final tab, Documentation.
Documents (tab)
Lastly, we will look at the Documentation tab. This is where you can place your documentation around this specific Control. This is done via the Add Evidence button. You can upload your spreadsheets, corporate documentation, updated regulation documentation and anything else you might deem relevant for this Improvement action.
Let us now move to the 2 types of Improvement action. We will start with the Technical Improvement action.
Technical Improvement action
For this we will enable self-service password reset as our technical Control. You can take any of the “decision tree” paths mentioned above to open this Improvement Action.
- Go to Compliance Manager -> Improvement actions.
- On the right side you will find a search field. Enter “Enable self” and click search.
- It will give you results similar to the following.
- Click on Enable self-service password reset. You will then land on the Improvement action page.
- Go to the Implementation tab and scroll down to How to Use Microsoft Solutions to Implement. Here it will tell you how to enable this Improvement action.
- After you’ve reviewed that documentation, scroll back up to Launch Now and click it.
- You will be taken to the website aad.portal.azure.com.
- At this point you can implement the steps that you read earlier.
- Once done, this Improvement action will show as Implemented.
Documentational Improvement action
For this we will adhere to defined retention periods as our documentational Control. You can take any of the “decision tree” paths mentioned above to open this Improvement Action.
- Go to Compliance Manager -> Improvement actions.
- On the right side you will find a search field. Enter “adhere” and click search.
- It will give you results similar to the following.
- Click on Adhere to defined retention periods. You will then land on the Improvement action page.
- Go to the Implementation tab and scroll down to How to Implement. Here it will tell you how to enable this Improvement action.
- Since there are no technical actions to perform in your demo tenant, scroll down to Implementation notes and click Edit implementation details.
- You will then be able to enter information relevant to this Improvement action.
- Here you can change the Implementation status, date and notes.
- Make changes to this field as desired and click Save.
- You can also add documentation relevant to this Improvement action on the Documents page by clicking Add evidence. At this point you can implement the steps that you read earlier.
- Once done, this Improvement action will show as Implemented.
We are now done with this basic walkthrough of Improvement actions and how to implement them. For a better understanding of Improvement actions, please read the official documentation, some of which is listed in the Appendix and Links section, and run assessments in your test tenant.
Appendix and Links
Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs
Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.