NYES Digital Support


Office 365 Security and Compliance Features

Office 365 has numerous Security and Compliance features that you can use to keep your data safe and comply with data privacy and governance regulations. Many of these features are available as standard, bundled into the free Office 365 Education subscription. Others are available at an extra cost, and can be easily added for those users that might need them. The tables below summarise the features that are available, along with a couple of extra features that aren’t directly related to Office 365 Security and Compliance, but are worth mentioning in this conversation. Read on to find out more.


Standard Office 365 Education – Free (A1 Subscription)

This table summarises those security and compliance features that come as standard with the free Office 365 Education subscription. Obviously many of the features, while available for free, will require appropriate configuration within the Office 365 Security and Compliance Administration area before they can be properly used. Click on the links in the feature column to view Microsoft’s detailed explanations about each item, including how to configure and use them.



Threat management

Threat management can help protect inbound and outbound messages from malicious software. Threat management can also be used to protect you from spam, protect your domain’s reputation and to determine whether or not senders are maliciously spoofing accounts from your domain.

This feature is basically on by default and is just a demonstration of how Office 365 provides you with a very good and secure e-mail system out of the box.

  • Monitor for spam being sent out from your network, block if required and get a notification about this activity. 
  • Turn on the blocking of certain attachments – filter for certain user groups if needed.
  • Setup block lists and allow lists (sender, domain and IP). Also block for e-mail written in certain languages or from certain countries.
  • Set up notifications if malware is detected.
  • DKIM – You can enable to help others know that messages have genuinely come from you.

Mobile device management

Prevent users from accessing Office 365 unless their device is managed by Office 365 MDM. Can be applied to Android, iOS, and Windows Phone 8.1+ as well as Windows 10 devices that have been joined to Azure AD and enrolled in MDM.

Gives you the ability to:

  • require encryption on the device,
  • require a password or PIN,
  • stop jailbroken devices from having access
  • wipe devices if they are lost or stolen, including a selective wipe.

You don’t have to setup a policy to be able to wipe a device – so long as it is seen as being managed you can wipe. A policy just allows you to force conditions that must be met before allowing access. 

Data loss prevention

 Identify, monitor, and automatically protect sensitive information across Office 365. It works across SharePoint, OneDrive and Exchange Online.

  • Built in rules make it easy to get going
  • Advanced editing allows for bespoke rule creation for your organisation.
  • Allows you to just warn users, which can work well as a method of educating users without necessarily stopping them from working.
  • You can block sharing with users outside of the organisation, while allowing sharing internally.
  • View reports to see how your organisation is complying with your DLP policies.


You can also use in conjunction with labels (See Data Governance below). However, DLP will not work using labels in e-mail.

Data Governance

Set retention policies on your data across SharePoint, OneDrive and Exchange Online to ensure that content is retained as long as it is needed but no longer than that. A single retention policy can cover your entire organization. If versioning is turned on for your document libraries, then all versions of a document will be retained. Versioning is now on by default for Office 365.

You can also turn on mailbox archiving, which when combined with auto-expanding archiving, means that users have unlimited e-mail storage. When archive mailboxes are enabled, an archive policy will automatically move messages from a user’s primary mailbox to their archive mailbox after a specified period. 

In addition, you can use labels to implement a file plan by classifying data across your organization for governance, and then enforcing retention rules based on that classification. Labels on their own can be a very powerful feature, by allowing staff to simply label their documents and e-mail so others can handle according to any written school policies.

Search and Investigation including eDiscovery

Quickly find content in mailboxes and documents or search audit logs for various types of user and admin activity. By making sure auditing is turned on you can track pretty much everything that has happened in Office 365. 

The eDiscovery element is for legal cases, and pulls the content search tool into a more managed area so only certain people have permission to access content and results. This allows you to put a legal hold on certain mailboxes and other content locations.

Office 365 Secure Score

Secure Score analyses your Office 365 organization’s security based on your regular activities and security settings and assigns a score. Think of it as a credit score for security. Using Secure Score helps increase your organization’s security by encouraging you to use the built-in security features in Office 365.

Service Assurance

Service Assurance provides information about how Microsoft maintains the security, privacy and compliance of Office 365. Use the Audited Controls, Compliance Reports, and Trust Documents features to perform your own risk assessment and gain confidence that Office 365 meets the security and regulatory requirements of your organization.

Compliance Manager

Compliance Manager helps with 3 key aspects:

  • Enables you to perform real-time risk assessment on Microsoft cloud services
  • Provides actionable insights to improve your data protection capabilities
  • Simplifies compliance processes through built-in control management and audit-ready reporting tools

Can be accessed at https://servicetrust.microsoft.com/

Office 365 Education A5 – £7.00 user/per month (for faculty and staff)

The features listed in this table are available at extra cost.



Cloud App Security

Office 365 Cloud App Security gives you insight into suspicious activity in Office 365 so you can investigate situations that are potentially problematic and, if needed, take action to address security issues. With Office 365 Cloud App Security, you can do all of the following:

  • See how your organization’s data in Office 365 is accessed and used
  • Define policies that trigger alerts for atypical or suspicious activities
  • Suspend user accounts exhibiting suspicious activity
  • Require users to log back in to Office 365 apps after an alert has been triggered

Advanced threat management

Office 365 hosts one of the largest enterprise email services and productivity suites in the world, and manages content created on millions of devices. In the course of protecting this information, Microsoft has built a vast repository of threat intelligence data, and the systems needed to spot patterns that correspond to attack behaviours and suspicious activity. Office 365 Threat Intelligence is a collection of these insights used in analysing your Office 365 environment to help you find and eliminate threats, proactively. Threat Intelligence appears as a set of tools and dashboards in the Security & Compliance Centre to understand and respond to threats.

Advanced data governance

Advanced data governance allows you to retain important information and delete unimportant information by classifying information based on a retention or deletion policy or both. It includes intelligent/automated actions such as recommending policies; automatically applying labels to data; applying labels based on sensitive data types or queries; and use of smart import filters. It also includes the Supervision feature for reviewing employee communications for security and compliance purposes.

Advanced eDiscovery

Office 365 Advanced eDiscovery builds on the existing set of eDiscovery capabilities in Office 365. For example, you can use the Search feature in the Office 365 Security & Compliance Center to perform an initial search of all the content sources in your organization to identify and collect the data that may be relevant to a specific legal case. Then you can perform analysis on that data by applying the text analytics, machine learning, and the Relevance/predictive coding capabilities of Advanced eDiscovery. This can help your organization quickly process thousands of email messages, documents, and other kinds of data to find those items that are most likely relevant to a specific case. The reduced data set can then be exported out of Office 365 for further review.

Customer Lock Box

Office 365 Customer Lockbox feature which will help a customer to control how a Microsoft support engineer is going to access customer data during a scenario where customers have raised a support request to investigate some service issues related to customers Office 365 tenant.

Office 365 Customer Lockbox allows the customer to Approve or Reject access request made by the Microsoft Support engineers to access customer data. If customers give access by Approving the request, Microsoft Support Engineers will be able to access the data to help customers resolve issues if they deem necessary.

Other Microsoft 365 features that relate to Security and Compliance

Beyond the above Security and Compliance features in Office 365, the following are also of great use when looking to improve data security. These features are also available for free as part of the standard Office 365 education subscription.

Windows 10 BitLocker Encryption – If a device is lost or stolen make sure no one can gain access to the data by encrypting it. And by joining Windows 10 devices directly to Office 365 the bit locker recovery keys are stored automatically in Office 365 for you. That means you can’t accidentally lose access to the data on the hard drive, for example if the user forgets their password. Encryption is one of the main technology solutions that GDPR recommends.

Multi-factor Authentication – Provide an extra level of protection to Office 365 by requiring your users to provide an extra step of authentication when logging in. This can be as simple as entering a code sent in a text message or responding to a notification on a mobile phone, and means that a user’s account is still safe even if their password is guessed.