Summary of Tenant-Level Services in Microsoft 365 Security and Compliance Licensing
Microsoft 365 provides security and compliance services that apply across the entire organization, known as tenant-level services. These services help maintain a uniform security and compliance framework but can raise questions about licensing when not all users are licensed for specific services. Microsoft provides guidance on how these services can be configured to apply only to licensed users.
1. Information Protection and Governance - This suite helps manage sensitive information throughout its lifecycle.
- Microsoft Purview Information Protection: Provides sensitivity labeling and encryption tools to safeguard sensitive information across emails and documents. Labels can be applied automatically or manually to ensure proper classification and protection.
Tenant-Level Guidance: Sensitivity labels are a tenant-wide service, meaning they are available for all users, but advanced features such as automatic labeling are only available to users who are licensed for Microsoft 365 E5 or an add-on like the Microsoft 365 E5 Information Protection and Governance plan. To ensure compliance, advanced features can be restricted to specific licensed users by defining label policies that apply only to certain user groups.
- Retention and Deletion Policies: These tenant-level policies govern how data is retained or deleted across Exchange, SharePoint, OneDrive, and Teams. Retention policies are essential for meeting regulatory compliance requirements by keeping or deleting data based on custom rules.
Tenant-Level Guidance: Although retention policies can apply tenant-wide, advanced retention features (such as event-based retention and disposition review) are only available to licensed users. You can configure these policies to target only the groups or locations where licensed users reside.
2. Insider Risk Management - A suite of tools designed to manage potential risks originating from internal users.
- Insider Risk Management: This feature helps identify potential insider threats by analyzing activities that might pose a risk, such as unauthorized data transfers or unusual user behavior.
Tenant-Level Guidance: Insider Risk Management can be configured to apply only to specific groups of licensed users by limiting the scope of policies. This ensures that risk detection, investigation, and mitigation actions are only applied to users who are licensed for this service (e.g., those licensed under Microsoft 365 E5 Compliance or Security).
- Communication Compliance: This tool monitors communication channels like email and Microsoft Teams for policy violations, including harassment, data leaks, or regulatory breaches.
Tenant-Level Guidance: Communication compliance can be scoped to licensed users by configuring policies to target specific groups or departments. This ensures that monitoring and alerts are limited to the individuals covered under the appropriate licenses.
3. Compliance Solutions - These tools help organizations meet regulatory obligations and manage legal compliance effectively.
- Microsoft Purview Compliance Manager: A dashboard that tracks an organization’s compliance with industry regulations by providing scorecards and recommended actions to improve the compliance posture.
Tenant-Level Guidance: Compliance Manager is available tenant-wide, but the advanced functionality (like risk assessments and third-party regulatory assessments) can be scoped to licensed users. This ensures that only licensed users (e.g., Microsoft 365 E5 Compliance) can benefit from advanced compliance features.
- Advanced eDiscovery: Enables organizations to find, preserve, and export relevant data for legal or regulatory investigations. It supports data in multiple formats across Microsoft 365 services like SharePoint, Teams, and Exchange.
Tenant-Level Guidance: eDiscovery cases can be scoped to specific custodians or data locations associated with licensed users. This means you can ensure that only the licensed individuals' data is processed under the advanced eDiscovery capabilities.
4. Data Loss Prevention (DLP) - DLP policies are designed to prevent the sharing of sensitive information outside the organization.
- DLP Policies: These policies apply to content across Exchange Online, SharePoint, OneDrive, and Microsoft Teams to prevent sensitive information from leaving the organization or being shared with unauthorized users.
Tenant-Level Guidance: While basic DLP features are available for all users, advanced features (like exact data match or sensitive information types) are only available to licensed users (e.g., Microsoft 365 E5 or the Information Protection and Governance add-on). DLP policies can be scoped so that they apply only to the data of licensed users by configuring targeted rules that focus on specific user groups or locations.
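As an added example (not part of the original guidance), the following Security & Compliance PowerShell and Microsoft Graph PowerShell session creates a DLP policy whose Exchange and Teams locations are a single mail-enabled security group containing only the users licensed for advanced DLP, starts it in test mode, reads the scope back, and then audits that every group member actually holds the expected license. The group address, policy name and SKU part number are placeholders; the Graph connection and scopes are assumed to be available to the admin running it.

```powershell
# Added example, not from the original article: scope a DLP policy to a
# mail-enabled security group of licensed users and audit that group.
# Requires the ExchangeOnlineManagement and Microsoft.Graph modules.
# The group address, policy name and SKU name below are placeholders.

Connect-IPPSSession                      # Security & Compliance PowerShell

$scopeGroup = "dlp-licensed-users@contoso.example"   # placeholder group
$policyName = "Licensed users - credit card DLP"     # placeholder name

# 1. Policy: ExchangeLocation and TeamsLocation accept a distribution
#    group or mail-enabled security group, so only its members are covered.
#    Start in test mode so nothing is blocked before the scope is verified.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation $scopeGroup `
    -TeamsLocation    $scopeGroup `
    -Mode TestWithoutNotifications `
    -Comment "Scoped to licensed users only (licensing guidance)"

# 2. Rule: detect credit card numbers shared outside the organization.
New-DlpComplianceRule -Name "$policyName - external share" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true

# 3. Check: the locations must show the group, not "All".
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, TeamsLocation

# 4. Audit: every member of the scope group should hold the advanced SKU.
#    Get-MgSubscribedSku lists the real SkuPartNumber values in your tenant.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"
$sku   = "SPE_E5"                                      # placeholder SKU
$group = Get-MgGroup -Filter "mail eq '$scopeGroup'"
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    $licensed = Get-MgUserLicenseDetail -UserId $_.Id |
        Where-Object SkuPartNumber -eq $sku
    if (-not $licensed) { "UNLICENSED member in scope group: $($_.Id)" }
}

# 5. Only after step 3 and 4 come back clean, switch the policy on:
#    Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Step 4 is the check that matters for licensing: a scoped policy is only as accurate as the group membership behind it, so run the audit again whenever the group changes.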
5. Privileged Access Management - Provides granular control over who can access high-value systems and data, helping to reduce the risk of insider threats and administrative overreach.
- Privileged Access Management: This feature allows for just-in-time access requests and approvals, ensuring that privileged actions are closely monitored and controlled.
Tenant-Level Guidance: Although privileged access management is configured at the tenant level, it can be restricted to apply only to specific groups or roles, ensuring that only users licensed with advanced security features (such as Microsoft 365 E5) can take advantage of these controls.
6. Microsoft Defender for Identity
Microsoft Defender for Identity monitors and responds to identity-based threats by analyzing user activities and entity behaviors from your on-premises Active Directory. It helps detect credential theft, lateral movement, and privilege escalation attempts.
Tenant-Level Guidance: Defender for Identity is a tenant-wide service, meaning it analyzes activities across all users within your tenant. However, advanced identity protection features can be scoped to users licensed with Microsoft 365 E5 Security or equivalent licenses. By configuring policies, you can limit advanced protection to only licensed users.
7. Microsoft Defender for Office 365
Microsoft Defender for Office 365 provides comprehensive protection against email and collaboration-based threats, such as phishing and malware attacks. It includes features like Safe Attachments, Safe Links, and Advanced Threat Protection for emails and files shared within Microsoft Teams, SharePoint, and OneDrive.
Tenant-Level Guidance: While some baseline features may apply to all users, advanced threat protection (such as Safe Attachments and Safe Links) can be scoped to apply only to users with the appropriate licenses, such as Microsoft 365 E5 Security or Defender for Office 365 P2. By defining security policies, you can ensure that only licensed users benefit from these advanced security capabilities.
8. Microsoft Defender for Endpoint
Microsoft Defender for Endpoint provides advanced endpoint detection and response (EDR) capabilities to protect devices from threats such as malware and ransomware. It includes real-time monitoring, threat detection, and automated remediation for endpoint devices.
Tenant-Level Guidance: Defender for Endpoint operates at the tenant level, securing devices across your entire environment. However, advanced endpoint protection features, such as automated investigation and response (AIR) and vulnerability management, are available only to licensed users (e.g., Microsoft 365 E5 Security or Defender for Endpoint P2). By using device groups and policies, organizations can limit these advanced features to only the devices and users with the appropriate licenses.
9. Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps (previously Cloud App Security) is a cloud access security broker (CASB) that provides visibility into cloud apps, controls data flow, and detects threats across cloud environments.
Tenant-Level Guidance: Defender for Cloud Apps is generally a tenant-level service, as it monitors and protects all cloud applications across your organization. However, advanced features like app governance and real-time monitoring can be configured to apply only to licensed users, typically those with Microsoft 365 E5 Security or a standalone Defender for Cloud Apps license.
Conclusion
Tenant-level services in Microsoft 365, especially those related to security and compliance, can have a wide impact across your organization. However, advanced features should be scoped to apply only to licensed users to remain compliant with Microsoft licensing agreements. This can be achieved through careful configuration of policies, labels, and governance tools that target specific groups or individuals within the tenant.
By ensuring proper configuration, organizations can leverage the full power of Microsoft 365’s security and compliance tools while maintaining cost-effectiveness and ensuring that only licensed users benefit from advanced features.