Plan for Microsoft Purview compliance and risk management solutions - DoD deployments

This guidance is for IT pros who are driving deployments of Office 365 in US Federal Government entities or other entities that handle data that’s subject to government regulations and requirements, where the use of Microsoft 365 Government – DoD is appropriate to meet these requirements.

Note

If your organization has already met the Microsoft 365 Government – DoD eligibility requirements and applied for and been accepted into the program, you can skip steps 1 and 2 and go directly to step 3.

Step 1. Determine whether your organization needs Microsoft 365 Government - DoD and meets eligibility requirements

The Microsoft 365 Government - DoD environment complies with US Government requirements for cloud services.

In addition to enjoying the features and capabilities of Office 365, organizations benefit from the following features that are unique to Microsoft 365 Government – DoD:

  • Your organization’s customer content is logically segregated from customer content in the commercial Office 365 services from Microsoft.
  • Your organization’s customer content is stored within the United States.
  • Access to your organization’s customer content is restricted to screened Microsoft personnel.
  • Microsoft 365 Government - DoD complies with certifications and accreditations that are required for US public sector customers.

You can find more information about the Microsoft 365 Government - DoD offering for US Government customers at Office 365 Government plans, including eligibility requirements.

The Office 365 US Government service description describes the platform’s benefits, which are centered on meeting compliance requirements within the United States.

Tip

You might want to transfer the tables of information in the service description into an Excel workbook and add two columns: Relevant for my organization Y/N and Meets the needs of my organization Y/N. Then you can review this list with your colleagues to confirm that this service meets your organization’s needs.

Decision points:

  • Decide whether Microsoft 365 Government - DoD is appropriate for your organization.
  • Confirm that your organization meets eligibility requirements.

Note

Microsoft 365 Government - DoD is only available in the United States. Non–US Government customers can choose from a number of Office 365 Government plans.

Step 2. Apply for Microsoft 365 Government - DoD

Having decided that this service is right for your organization, start the process of applying for this service.

Step 3. Understand Microsoft 365 Government - DoD default security settings

We recommend that you take time to carefully review your admin and security settings before you modify them and consider the impact on compliance before you make any changes to the default security settings.

Decision point: Decide whether you’ll modify any of the default Microsoft 365 Government - DoD security settings, resolving to first understand the impact of any changes you might make.

Step 4. Understand which capabilities are currently unavailable or disabled by default in Microsoft 365 Government – DoD1

To meet the requirements of our government cloud customers, there are some differences between Microsoft 365 Government - DoD and enterprise plans. Refer to the following table to see which features are available. See here for the latest compliance product updates published on Microsoft 365 roadmap.

Area  Feature  DoD Status 
Data protection 
Sensitive information types  Exact data match  Available 
Named entities sensitive information types and policy authoring templates In development 
Sensitivity labeling  Unified labeling client and scanner Available 
Application of a "default label" to an unlabeled file uploaded to a SharePoint Online document library In development
Apply default label policies to ensure documents being edited In development
Automatic classification and labeling for Exchange Online, SharePoint Online, and OneDrive  Available
Automatic classification and labeling for Office apps (Word, Excel, PowerPoint, Outlook) across platforms (Web, Android, iOS, Windows, and Mac)  Available 
Automatic classification and labeling for Office clients (Mobile)  On engineering backlog 
Automatic classification and labeling for Teams, Microsoft 365 Groups, SharePoint sites  Available 
Auto-labeling policies support overwriting manual label and encrypting mail received from any organization  Available 
Automatic classification and labeling for Teams, Microsoft 365 Groups, and SharePoint sites  Available 
Auto-labeling policies support overwriting manual label and encrypting mail received from any organization Available 
Co-authoring on Microsoft Purview Information Protection encryption documents Available 
Enhanced simulations and location support for auto-labeling in SharePoint Online and OneDrive for Business Available 
Extend built-in sensitivity labels to assets in Azure with Microsoft Azure Purview In development 
Granular conditional access policies via "Sensitivity labels" for SharePoint Online sites On engineering backlog 
Mandatory labels  Available 
Manual labels  Available 
New conditions for auto-labeling in Exchange Online In development 
PDF files encrypted with sensitivity label can be search and eDiscovered On engineering backlog
Analytics Data classification analytics: Overview and Content Explorer Available
Auditing and analytics in Office apps Available
Activity explorer includes Power BI sensitivity label data Available
Activity explorer built-in filters Available
Activity explorer user experience improvements In development
Activity explorer Power BI sensitivity label data Available
Activity explorer security reader role updated Available
Content explorer includes Teams data In development
Machine learning classifiers with auto labeling on Office apps/client side Available
Encryption Microsoft Purview Message Encryption (E3)  Available
Microsoft Purview Customer Key Available
Customer Key: Data-at-rest encryption for Microsoft 365  Available
Customer Key: SharePoint Online and OneDrive for Business Available
Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle Available
Microsoft Purview Double Key Encryption  Available
Exchange Online service encryption using Microsoft Managed keys Available 
Microsoft Purview Data Loss Prevention Alerts dashboard and alerting experience Available
Data surfaced in Activity Explorer Available
Endpoint data loss prevention  Available
Files (SPO/ODB) and email  Available
Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) integration Available
On-premises scanner Available
Solution overview page  Available
Teams chat and channel conversations Available
Data Lifecycle Management & Records Management
Microsoft Purview Data Lifecycle Management (formerly Information Governance) Adaptive scopes for retention and labeling policies  Available
Apply retention label action at end of retention period On engineering backlog
Apply default retention labels for SharePoint, OneDrive for Business libraries, folders, and document sets; Exchange inboxes; and Office 365 Groups Available
Configure option to block the ability to edit metadata for records In development
Disable unlocking of records In development
Email Archiving Available
Import PST Available
Manual non-record retention labels Available
Preservation lock Available
Retention improvements for SharePoint Online and OneDrive for Business Available
Retention label deletion behavior change in SharePoint Available
Retention policies to entire organization; specific locations or users; automatically based on specific condition (for example, keywords or sensitive information); and based on an event Available
Retention policies for Teams  (chat) Available
Retention policies for Teams meeting recording Available
Retention policies for Teams private channels Available
Records management Ability to delete a record label Available
Allow record label to start "unlocked" for manual records declaration In development
Apply a record label manually Available
Apply default record labels for SharePoint, OneDrive for Business libraries, folders, and document sets; and Office 365 groups Available
Apply record policies automatically based on specific conditions (for example, keywords or sensitive information); and based on an event Available
Apply record policies automatically with trainable classifiers In development
Disable unlocking of records Available
Disposition review Available
File plan manager Available
Multi-stage disposition review Rolling out
Outlook client support for Records Management Available
Power Automate integration On engineering backlog
Proof of disposal Available
Records versioning Available
Regulatory records Available
Risk management 
Microsoft Purview Customer Lockbox Customer Lockbox Available
Microsoft Purview Communication Compliance Ability to set a retention period for a Communication Compliance policy On engineering backlog
Access alerts; notice templates; communication policy dashboard Available
Analyze Teams chat data of users with on-prem mailbox Available
Automatically monitor all Teams a user is a member of Available
Conflict of interest template Available
Create customer policies, 3 pre-configured Available
Data loss prevention policy recommendation Available
Day zero insights On engineering backlog
Detect adult content Available
Detect customer complaints In development
Detects repeat code of conduct violation over time Available
Discrimination classifier Available
Escalate for investigation for eDiscovery (Premium)  Available
Exchange and Teams support Available
Expanded Optical Character Recognition to support handwritten and printed text In development
Message details reports On engineering backlog
Modern attachments: Analyze linked content from SharePoint Online and OneDrive for Business In development
Policy health check and ability to pause policy In development
Power Automate integration On engineering backlog 
Remove a Teams message from the Teams chat or channel Available
Sensitive information types per location report Available
Support for more granular permissions Available
Supports seven languages for the threat, targeted harassment, and profanities classifiers Available
Support for Teams, Exchange, and ability to remove Teams message Available
Tagging improvements Available
Teams conversation context Available
Translate content during investigation Available
Microsoft Purview Information Barriers Information barriers Available
Admin experience: Segments and policies landing page Rolling out
Microsoft Purview Insider Risk Management Ability to export alerts Available
Activity explorer data surfaced Available
Analytics Public Preview
Case dashboard Available
Content Explorer enhancements Available
Data leaks by disgruntled users In development
Data theft by departing users Available
Data leaks by priority users  Public Preview
Enhanced support for domains In development
Escalate for investigation for eDiscovery (Premium)  Available
Export alerts enhancements In development
General data leaks Available
General security policy violations In development
Increased set of first party indicators In development
Indicators for security policy violation In development
Indicators for Microsoft Defender for Endpoint alerts In development
Indicators for Office (Teams, SharePoint sites, email messaging) Available
Indicators for Windows 10 endpoints activity Available
Intelligent support for domain settings Available
Microsoft Defender for Endpoint alerts In development
Microsoft Teams integration Public Preview
Native triggers (new signals, indicator selection, customization and Activity Explorer Rolling out
Office indicators for Teams, SharePoint sites, email messaging Available
Policy customization, policy health check and enhanced policy creation wizard Available
Policy templates for data leaks by disgruntled users Public Preview
Policy templates for data leaks by priority users Public Preview
Policy templates for general security policy violations In development
Policy templates for security policy violations by priority users, departing users, disgruntled users In development
Power Automate integration In development 
Priority user groups Public Preview
Recognizes device indicators Public Preview
Security policy violations by departing users In development
Security policy violations by disgruntled users In development
Security policy violations by priority users In development
ServiceNow template for Power Automate Public Preview 
Supports native triggers for Azure Active Directory account deletion Available
Triage and investigation improvements In development
User activity reports Public Preview
“Watch the watchers” audit trail Available
eDiscovery (Standard) Auditing  Available
Case management  Available
Compliance boundaries for OneDrive for Business  Available
Export  Available
In-place preservation  Available
Native export  Available
RMS decryption  Available
Search  Available
Microsoft Purview Compliance Portal expanded support to search and export items in SharePoint and OneDrive for Business Recycle bin  Available
eDiscovery (Premium) Advanced processing Available
Case limits enhancements In development
Collect and review encrypted content in SharePoint and/or OneDrive for Business Available
Collection of Teams conversation as transcript In development
Communications templates and issuing officer settings Rolling out
Custodian to workload mapping Available
Custodian communications Available
Dashboard Available
Data purge capabilities for Microsoft Teams In development
Deep crawling/indexing Available
Double byte character support (Chinese, Japanese, Korean) Available
Email threading Available
Enhanced import custodians wizard experience Rolling out
Export (download, export, add to another view set) Available
Filtering Available
Graph API's In development
Historical versions In development
Hold optimizations In development
Hold reports In development
Identify Teams as data sources In development
Legal hold for Teams private channels messages Available
Compliance Portal expanded support to search and export items in SharePoint and OneDrive for Business Recycle Bin  In development
Near duplicate identification Available
New predictive coding module On engineering backlog
Non-custodial data sources Available
Non-Office 365 ingestion Available
Predictive coding Available
Processed export with load file Available
Redactions Available
Review sets Available
Review data (query data, smart tags, dashboard) and annotate (redact) Available
Search Term report Available
Single item error remediation Available
Support PST export Available
Supporting linked content from OneDrive and SharePoint Online (modern attachments) Available
Support Teams reactions In development
Tagging Available
Tenant reports Available
Themes Available
Viewers Available
Audit (Standard) Audit (Standard) Available
Audit (Premium) Access to crucial events (for example, MailItemsAccessed)  Available
Audit retention dashboard Available
Audit search enhancements On engineering backlog
Increased bandwidth to management activity API  Available
Legal hold for Teams private channels messages  Available
Log retention (1 year)  Available
Longer term retention on audit logs (10 years)  Available
Mail forward and mail send events  Available
Microsoft 365 Defender portal and Compliance Portal  Available
Search term events in Exchange Online and SharePoint Online  Available
Compliance posture
Compliance Management Compliance Portal Available
Microsoft Purview Compliance Manager  Available
Alerts and notifications In development
Continuous compliance assessments Rolling out
Out-of-the-box assessments for non-Microsoft 365 assets Available
Recommended engine for bulk assessment creation In development
Double byte character support Available
Microsoft Defender for Cloud Apps Available
Ecosystem
Microsoft Purview Data Connectors  First-party data connectors: HR  Available 
First-party data connectors: HR 1.2  Available  
First-party data connectors: Physical badging  Available  
Graph APIs for eDiscovery (Premium)  In development
Graph APIs for Records Management In development
Graph APIs for Teams export data In development
Privacy
Privacy management Microsoft Priva Privacy Risk Management In development
Microsoft Priva Subject Rights Requests In development

1 Identified status is subject to change as project plans and priorities are reevaluated.

Decision point: Decide whether the compliance features meet your organization's needs.