Microsoft 365 guidance for security & compliance

For the purposes of this article, a tenant-level service is an online service that is activated in part or in full for all users in the tenant (standalone license and/or as part of a Microsoft 365 or Office 365 plan). Appropriate subscription licenses are required for customer use of online services. To see the options for licensing your users to benefit from Microsoft 365 compliance features, download the Microsoft 365 Comparison table for Enterprise and Frontline Workers Plans or the Microsoft 365 Comparison table for Small and Medium Business Plans.

For detailed plan information on subscriptions that enable users for Microsoft 365 compliance features and are currently available in European Economic Area (EEA) countries and Switzerland see the Microsoft 365 business plan comparison for EEA and Microsoft 365 Enterprise plan comparison for EEA.

Some tenant services aren't currently capable of limiting benefits to specific users. To review the terms and conditions governing the use of Microsoft products and Professional Services acquired through Microsoft Licensing programs, see the Product Terms.

Microsoft Entra ID Governance

Microsoft Entra ID Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It uses entitlement management, access reviews, privileged identity management, and terms-of-use policies to ensure that the right people have the right access to the right resources.

How do users benefit from the service?

Microsoft Entra ID Governance increases users' productivity by making it easier to request access to apps, groups, and Microsoft Teams in one access package. Users can also be configured as approvers, without involving administrators. For access reviews, users can review memberships of groups with smart recommendations to take action on regular intervals.

Which licenses provide the rights for a user to benefit from the service?

The Microsoft Entra ID Governance capabilities are currently available in Microsoft Entra ID Governance and Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2. These two products provide the rights for as many users as there are purchased seats to have the identity governance capabilities. Microsoft Entra ID Governance requires that the tenant also has an active subscription to Microsoft Entra ID P1 (formerly known as Azure Active Directory Premium P1) or Microsoft Entra ID P2 (formerly known as Azure Active Directory Premium P2) or a subscription that includes Microsoft Entra ID P1 or P2. Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2 requires that the tenant also have an active subscription to Microsoft Entra ID P2 or a subscription that includes Microsoft Entra ID P2.

How is the service provisioned/deployed?

Microsoft Entra ID Governance features are enabled at the tenant level but implemented per user. For information about Microsoft Entra ID Governance, see What is Microsoft Entra ID Governance?

How can the service be applied only to users in the tenant who are licensed for the service?

Admins should ensure that they have enough seats of Microsoft Entra ID Governance for all employees in scope of or benefiting from Microsoft Entra ID Governance features, including access packages, access reviews, lifecycle workflows and privileged identity management. For instructions on how to scope Microsoft Entra ID Governance deployments, see:

Microsoft Entra ID Protection

Microsoft Entra ID Protection is a feature of the Microsoft Entra ID P2 plan that lets you detect potential vulnerabilities affecting your organization's identities, configure automated responses to detected suspicious actions that are related to your organization's identities, and investigate suspicious incidents and take appropriate action to resolve them.

How do users benefit from the service?

SecOps analysts and security professionals benefit from having consolidated views of flagged users and risk events based on machine learning algorithms. End users benefit from the automatic protection provided through risk-based Conditional Access and the improved security provided by acting on vulnerabilities.

Which licenses provide the rights for a user to benefit from the service?

  • Microsoft 365 E5/A5/G5, Enterprise Mobility & Security A5/E5/G5, Microsoft 365 A5/E5/F5/G5 Security and Microsoft 365 F5 Security & Compliance

For details on capabilities included in the different plans available, see What is Microsoft Entra ID Protection?

How is the service provisioned/deployed?

By default, Microsoft Entra ID Protection features are enabled at the tenant level for all users within the tenant. For information about Microsoft Entra ID Protection, see What is Identity Protection?

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope Microsoft Entra ID Protection by targeting its user risk and sign-in risk policies (which set the risk level at which a password change or multifactor authentication is required) at licensed users only, rather than at all users. For instructions on how to scope Microsoft Entra ID Protection deployments, see How to configure and enable risk policies.
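The following is an added example, not code from the page or from Microsoft's documentation, showing how the scoping described above looks when done with Microsoft Graph PowerShell: two risk-based Conditional Access policies whose user scope is a single group of P2-licensed users, plus a check that the group's members actually carry the Entra ID P2 service plan. The group name "ID-Protection-Licensed", the break-glass account UPN and the policy display names are assumptions; the service plan name AAD_PREMIUM_P2 is the standard identifier for Microsoft Entra ID P2. Both policies are created in report-only state so the scope can be reviewed before enforcement.

```powershell
# Added example: scope Entra ID Protection risk policies to licensed users.
# Assumed: a group "ID-Protection-Licensed" holds the P2-licensed users and a
# break-glass account exists that must never be blocked by a risk policy.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Group.Read.All','User.Read.All'

$licensedGroup = Get-MgGroup -Filter "displayName eq 'ID-Protection-Licensed'"
$breakGlass    = Get-MgUser  -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"

# Check: every member of the scoped group should have the Entra ID P2 service
# plan (AAD_PREMIUM_P2) provisioned; anyone else is in scope but not licensed.
$unlicensed = foreach ($member in Get-MgGroupMember -GroupId $licensedGroup.Id -All) {
    $plans = (Get-MgUserLicenseDetail -UserId $member.Id).ServicePlans
    $hasP2 = $plans | Where-Object { $_.ServicePlanName -eq 'AAD_PREMIUM_P2' -and $_.ProvisioningStatus -eq 'Success' }
    if (-not $hasP2) { $member.Id }
}
if ($unlicensed) { Write-Warning "Members in scope without Entra ID P2: $($unlicensed -join ', ')" }

# Sign-in risk policy: medium or high sign-in risk -> require MFA.
$signInRiskPolicy = @{
    displayName   = 'ID Protection - sign-in risk (licensed users only)'
    state         = 'enabledForReportingButNotEnforced'   # report-only first; set to 'enabled' after review
    conditions    = @{
        signInRiskLevels = @('high', 'medium')
        applications     = @{ includeApplications = @('All') }
        users            = @{ includeGroups = @($licensedGroup.Id); excludeUsers = @($breakGlass.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRiskPolicy

# User risk policy: high user risk -> require MFA AND a password change, which
# remediates the compromised credential rather than only challenging the session.
$userRiskPolicy = @{
    displayName   = 'ID Protection - user risk (licensed users only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        userRiskLevels = @('high')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeGroups = @($licensedGroup.Id); excludeUsers = @($breakGlass.Id) }
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy
```

The license check matters because Conditional Access happily targets any group: if an unlicensed user is added to the group, the policy still applies to them, and the tenant is then out of step with the "licensed users only" requirement the section describes. Run the check again whenever group membership changes.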

Compliance Program for Microsoft Cloud

Compliance Program for Microsoft Cloud is designed to offer personalized customer support, education, and networking opportunities. By joining the program, customers can engage directly with regulators, industry peers, and Microsoft experts in the areas of security, compliance, and privacy. This program replaces the Financial Services Industry (FSI) Compliance Program created in 2013.

Who can access the Compliance Program for Microsoft Cloud?

The Compliance Program for Microsoft Cloud is available for organizations with Microsoft 365 and Office 365 licenses.

Customers who are currently enrolled in the FSI Compliance Program will need to purchase a subscription for the new Compliance Program for Microsoft Cloud. For more information, see Compliance Program for Microsoft Cloud.

How do users benefit from the service?

Enterprise organizations that look to Microsoft for help with their cloud journey benefit from this service, and in particular the roles that own that work: risk assessors, compliance officers, internal auditors, privacy officers, regulatory affairs/legal, and CISOs. The following are example scenarios of benefits that customers can receive:

  • Ongoing risk and compliance assistance for risk assessments to onboard to and use Microsoft cloud services.
  • Support of Microsoft and customer-managed controls for Microsoft cloud services.
  • Assistance with internal audits, regulators, or a board level approval of using third-party cloud services.
  • Support with ongoing technical questions related to complex risk and compliance requirements in using our cloud services.
  • Direct assistance in filling out a fixed number of customer risk and compliance questionnaires.
  • A connection to regulators and industry experts to help solve questions with their compliance journey.

How is the service provisioned/deployed?

By default, the Compliance Program for Microsoft Cloud is enabled at the tenant level for all users that benefit from the service. For more information, see Compliance Program for Microsoft Cloud.

Microsoft Defender for Business

Microsoft Defender for Business is an endpoint security solution designed for small and medium-sized businesses (up to 300 employees). Defender for Business is available as a standalone solution and is also included as part of Microsoft 365 Business Premium. With this endpoint security solution, small and medium-sized business (SMB) organization devices are better protected from ransomware, malware, phishing, and other threats.

For more information, see Microsoft Defender for Business.

Which licenses provide the rights for users to benefit from the service?

Microsoft Defender for Business is included as part of the Microsoft 365 Business Premium subscription plan.

A standalone version of Defender for Business is also available as an option for small and medium business (SMBs) with up to 300 employees. To learn more, see How to get Microsoft Defender for Business.

How do users benefit from the service?

The addition of Microsoft Defender for Business into Microsoft 365 Business Premium strengthens Business Premium’s existing productivity and security offering by adding cross-platform endpoint protection and sophisticated ransomware defenses with technologies like endpoint detection and response and automated investigation and remediation.

The standalone version of Defender for Business provides the option for small and medium businesses with up to 300 employees to get enterprise-grade endpoint security technology at an affordable price.

How is the service provisioned/deployed?

If you have Microsoft 365 Business Premium, you can access Defender for Business via the Microsoft Defender portal.

By default, Microsoft Defender for Business features are enabled at the tenant level for all users within the tenant. For information on how to set up and configure Defender for Business, see Microsoft Defender for Business documentation | Microsoft Docs.

What is the Defender for Business servers add-on for Microsoft Defender for Business?

Microsoft Defender for Business servers provides endpoint security for Windows and Linux servers for small and medium-sized businesses. It delivers the same level of protection for clients and servers within a single admin experience inside Defender for Business, so you can protect all your endpoints in one location.

For more information, see Get Microsoft Defender for Business servers | Microsoft Learn.

Note that the maximum quantity/seat cap is 60 licenses per customer for Defender for Business servers. If customers require more than 60 server licenses, please see Microsoft Defender for Servers.

Which licenses provide the rights for a user to benefit from the service?

Defender for Business servers is available as an add-on to organizations with:

  • Microsoft Defender for Business (standalone)
  • Microsoft 365 Business Premium

Customers are required to have at least one license of Microsoft 365 Business Premium or Microsoft Defender for Business to purchase and use Microsoft Defender for Business servers.

Review the Microsoft Defender for Business FAQ for more information and links to more resources.

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) solution that gives customers flexibility in how they implement its core capabilities and supports multiple deployment types. Microsoft Defender for Cloud Apps is a user-based subscription service. Each license is a per user, per month license and can be licensed as a standalone product or as part of multiple licensing plans, as listed below.

Which licenses provide the rights for a user to benefit from the service?

Microsoft Defender for Cloud Apps is available as a standalone license and is also available as part of the following plans:

  • Enterprise Mobility + Security E5
  • Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security
  • Microsoft 365 E5/A5/G5/F5 Compliance
  • Microsoft 365 F5 Security & Compliance
  • Microsoft 365 E5/F5 Information Protection and Governance

Microsoft Entra ID P1 or P2 provides the rights for a user to benefit from the Discovery capabilities that are included as part of Defender for Cloud Apps.

To benefit from the Conditional Access App Control capabilities in Defender for Cloud Apps, users must also be licensed for Microsoft Entra ID P1, which is included in Enterprise Mobility + Security F1/F3/E3/A3/G3, Enterprise Mobility + Security E5, Microsoft 365 E3/A3/G3, Microsoft 365 E5/A5/G5, and Microsoft 365 E5/A5/G5/F5 Security and Microsoft 365 F5 Security & Compliance.

To benefit from automatic client-side labeling, users must be licensed for Azure Information Protection P2, which is included in Enterprise Mobility + Security E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance, and Microsoft 365 E5/F5 Information Protection and Governance.

Note: Automatic server-side labeling requires Information Protection for Office 365 - Premium licenses (MIP_S_CLP2 or efb0351d-3b08-4503-993d-383af8de41e3). For reference, see Product names and service plan identifiers for licensing.

How is the service provisioned/deployed?

By default, app governance is enabled at the tenant level for all users within the tenant. For more information, see App governance in Microsoft 365 and Get Started with App Governance.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope Microsoft Defender for Cloud Apps deployments to licensed users by using the scoped deployment capabilities available in the service. For more information, see Scoped deployment.

What is app governance?

App governance is a security and policy management capability designed for OAuth-enabled apps registered in Microsoft Entra ID. It delivers visibility into, remediation of, and governance over how these apps and their users access, use, and share your sensitive data stored in Microsoft 365, through actionable insights and automated policy alerts and actions.

Which licenses provide the rights for a user to benefit from this capability?

As of June 1, 2023, App governance is included in Microsoft Defender for Cloud Apps and product offers that include Defender for Cloud Apps:

  • Microsoft Defender for Cloud Apps (standalone)
  • Enterprise Mobility + Security E5/A5
  • Microsoft 365 E5/A5
  • Microsoft 365 Security E5/A5/F5
  • Microsoft 365 Compliance E5/A5/F5
  • Microsoft 365 E5/A5 Information Protection and Governance
  • Microsoft 365 F5 Security + Compliance

For more information, see App governance in Microsoft 365

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an endpoint security solution that includes:

  • Risk-based vulnerability management and assessment
  • Attack surface reduction capabilities
  • Behavioral based and cloud-powered next generation protection
  • Endpoint detection and response (EDR)
  • Automatic investigation and remediation
  • Managed hunting services

For more information, see Microsoft Defender for Endpoint.

Which licenses provide the rights for users to benefit from the service?

Microsoft Defender for Endpoint Plan 1 (P1)

Microsoft Defender for Endpoint P1 delivers core endpoint protection capabilities such as next generation anti-malware, attack surface reduction rules, device control, endpoint firewall, network protection and more. For details, see Microsoft Defender for Endpoint Plan 1 and Plan 2.

Microsoft Defender for Endpoint P1 is available as a standalone user subscription license and as part of Microsoft 365 E3/A3/G3.

Microsoft Defender for Endpoint Plan 2 (P2)

Microsoft Defender for Endpoint P2 delivers comprehensive endpoint protection capabilities including all the capabilities of Microsoft Defender for Endpoint P1 with additional capabilities such as endpoint detection and response, automated investigation and remediation, threat and vulnerability management, threat intelligence, sandbox, and Microsoft threat experts. For details, see Microsoft Defender for Endpoint documentation.

Microsoft Defender for Endpoint P2 is available as a standalone license and as part of the following plans:

  • Windows 11 Enterprise E5/A5
  • Windows 10 Enterprise E5/A5
  • Microsoft 365 E5/A5/G5 (which includes Windows 10 or Windows 11 Enterprise E5)
  • Microsoft 365 E5/A5/G5/F5 Security
  • Microsoft 365 F5 Security & Compliance

Microsoft Defender for Endpoint Server

Microsoft Defender for Endpoint Server is optimized for traditional on-premises server workloads and supports both Windows and Linux servers. A separate license is required for each Operating System Environment (OSE), whether a physical server or a virtual machine.

Microsoft Defender for IoT – Enterprise IoT security

Microsoft Defender for IoT – Enterprise IoT security integrates with Microsoft Defender for Endpoint to discover, continuously monitor, and manage vulnerabilities across your enterprise IoT devices from a single experience.

Microsoft Defender for IoT – Enterprise IoT security included with Microsoft 365 E5 and Microsoft 365 E5 Security subscriptions

Microsoft Defender for IoT – Enterprise IoT security is included in Microsoft 365 E5 and Microsoft 365 E5 Security subscriptions. Customers with these subscriptions are entitled to Microsoft Defender for IoT – Enterprise IoT security coverage for up to 5 eIoT devices per eligible user license.

Microsoft Defender for IoT – Enterprise IoT security per device add-on

The Microsoft Defender for IoT – Enterprise IoT security per device add-on is available for customers who have Microsoft Defender for Endpoint P2, or a subscription that includes Microsoft Defender for Endpoint P2:

  • Microsoft 365 A5/E5
  • Microsoft 365 A5/E5/F5 Security
  • Microsoft 365 F5 Security and Compliance
  • Windows 10/11 Enterprise A5/E5.

The Microsoft Defender for IoT – Enterprise IoT security per device add-on license covers one eIoT device per license.

For more details, see Enable Enterprise IoT security in Microsoft 365 with Defender for Endpoint - Microsoft Defender for IoT | Microsoft Learn.

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management is available as a standalone user subscription license and as an add-on for Microsoft Defender for Endpoint Plan 2 customers.

Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. Using Microsoft threat intelligence, breach likelihood predictions, business context, and device assessments, Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk.

Defender Vulnerability Management standalone: Customers who do not have Defender for Endpoint Plan 2 can complement their endpoint detection and response (EDR) solution with the Defender Vulnerability Management standalone to meet their vulnerability management program needs.

Defender Vulnerability Management add-on: Microsoft Defender for Endpoint Plan 2 includes vulnerability management capabilities that can be enhanced by adding new advanced vulnerability management tools included with the Microsoft Defender Vulnerability Management add-on.

Microsoft Defender Vulnerability Management add-on to Microsoft Defender for Endpoint for servers: Provides premium vulnerability management capabilities for customers with Microsoft Defender for Endpoint for servers.

Microsoft Defender for Servers Plan 1 and Defender for Servers Plan 2 also include access to vulnerability management capabilities.

For more information, see Microsoft Defender Vulnerability Management | Microsoft Learn and Compare Microsoft Defender Vulnerability Management plans and capabilities | Microsoft Learn.

What licenses provide the rights for a user to benefit from the service?

Microsoft Defender Vulnerability Management is available as a standalone user subscription license for commercial, education, and government cloud customers.
Defender Vulnerability Management is available as an add-on to organizations with:

  • Microsoft Defender for Endpoint Plan 2 (standalone)
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/F5/G5 Security
  • Microsoft 365 F5 Security and Compliance add-on
  • Windows 11 Enterprise E5/A5/G5
  • Windows 10 Enterprise E5/A5/G5

Microsoft Defender Vulnerability Management add-on to Microsoft Defender for Endpoint for servers is available to organizations with Microsoft Defender for Endpoint for servers. For details on included capabilities, see Compare Microsoft Defender Vulnerability Management plans and capabilities | Microsoft Learn.

Microsoft Defender for Identity

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) is a cloud service that helps protect enterprise hybrid environments from multiple types of advanced targeted cyber-attacks and insider threats. Microsoft Defender for Identity is a per user subscription license.

How do users benefit from the service?

SecOps analysts and security professionals benefit from the ability of Microsoft Defender for Identity to detect and investigate advanced threats, compromised identities, and malicious insider actions. End users benefit from having their identities and the activity against their data monitored by Microsoft Defender for Identity.

Which licenses provide the rights for a user to benefit from the service?

Enterprise Mobility + Security E5/A5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security, Microsoft 365 F5 Security & Compliance, and Microsoft Defender for Identity for Users provide the rights to benefit from Microsoft Defender for Identity.

How is the service provisioned/deployed?

Microsoft Defender for Identity features are enabled at the tenant level for all users within the tenant. For information on configuring Microsoft Defender for Identity, see Create your Microsoft Defender for Identity instance.

How can the service be applied only to users in the tenant who are licensed for the service?

Some tenant services, such as Microsoft Defender for Identity, aren't currently capable of limiting benefits to specific users. To review the terms and conditions governing the use of Microsoft products and Professional Services acquired through Microsoft Licensing programs, see the Product Terms.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) helps protect organizations against sophisticated attacks such as phishing and zero-day malware. Microsoft Defender for Office 365 also provides actionable insights by correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address potential threats.

How do users benefit from the service?

Microsoft Defender for Office 365 protects users from sophisticated attacks such as phishing and zero-day malware. For the full list of services provided in Plan 1 and Plan 2, see Microsoft Defender for Office 365.

Which licenses provide the rights for a user to benefit from the service?

Microsoft Defender for Office 365 Plans 1 and 2, Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security, Microsoft 365 F5 Security & Compliance, and Microsoft 365 Business Premium provide the rights for a user to benefit from Microsoft Defender for Office 365.

This quick reference will help you understand what capabilities come with each Microsoft Defender for Office 365 subscription. When combined with your knowledge of EOP features, it can help business decision makers determine what Microsoft Defender for Office 365 is best for their needs.

Microsoft Defender for Office 365 Plan 1 vs. Plan 2 Cheat Sheet

Defender for Office 365 Plan 1
Configuration, protection, and detection capabilities:
  • Safe Attachments
  • Safe Links
  • Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
  • Anti-phishing protection in Defender for Office 365
  • Real-time detections

Defender for Office 365 Plan 2
All Defender for Office 365 Plan 1 capabilities, plus automation, investigation, remediation, and education capabilities:
  • Threat Trackers
  • Threat Explorer
  • Automated investigation and response
  • Attack simulation training

For more information, go to Office 365 Security including Microsoft Defender for Office 365 and Exchange Online Protection - Office 365 | Microsoft Docs.

How is the service provisioned/deployed?

By default, Microsoft Defender for Office 365 features are enabled at the tenant level for all users within the tenant. For information on configuring Microsoft Defender for Office 365 policies for licensed users, see Microsoft Defender for Office 365.
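The following is an added example, not code from the page or from Microsoft's documentation, showing one way to configure the Defender for Office 365 Plan 1 protections from the cheat sheet above (Safe Links and Safe Attachments) so that they apply only to a group of licensed users, using Exchange Online PowerShell. The group address "MDO-Licensed@contoso.com" and the policy and rule names are assumptions. Each policy is a pair: the policy object carries the settings, and the rule object carries the scope and priority, so the scoping lives on the rule.

```powershell
# Added example: scope Defender for Office 365 Safe Links / Safe Attachments to
# licensed users. Assumed: a mail-enabled group MDO-Licensed@contoso.com holds
# the users who carry a Defender for Office 365 license.
Connect-ExchangeOnline

$licensedGroup = 'MDO-Licensed@contoso.com'

# Safe Links: rewrite and time-of-click scan URLs in mail, Teams and Office apps;
# do not let users click through to a URL that was flagged as malicious.
New-SafeLinksPolicy -Name 'MDO-SafeLinks-Licensed' `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false

# The rule is what binds the policy to recipients; -SentToMemberOf is the scope.
New-SafeLinksRule -Name 'MDO-SafeLinks-Licensed' `
    -SafeLinksPolicy 'MDO-SafeLinks-Licensed' `
    -SentToMemberOf $licensedGroup `
    -Priority 0

# Safe Attachments: detonate attachments and block the message if malware is found.
New-SafeAttachmentPolicy -Name 'MDO-SafeAttachments-Licensed' `
    -Enable $true `
    -Action Block

New-SafeAttachmentRule -Name 'MDO-SafeAttachments-Licensed' `
    -SafeAttachmentPolicy 'MDO-SafeAttachments-Licensed' `
    -SentToMemberOf $licensedGroup `
    -Priority 0

# Check: confirm both rules are enabled and scoped to the group, not to everyone.
Get-SafeLinksRule, Get-SafeAttachmentRule |
    Select-Object Name, State, SentToMemberOf, Priority
```

With this layout, a user outside the group receives only the Exchange Online Protection baseline, which is the behaviour the licensing section describes. Note that the built-in "Built-in protection" preset in Defender for Office 365 still applies Safe Links and Safe Attachments defaults to all recipients unless they are excluded from it, so check that preset as well when the goal is a strictly licensed-only scope.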

Information Protection: Microsoft Purview Advanced Message Encryption

Microsoft Purview Advanced Message Encryption helps customers meet compliance obligations that require more flexible controls over external recipients and their access to encrypted emails. With Purview Advanced Message Encryption, admins can control sensitive emails shared outside the organization by using automatic policies that detect sensitive information types (for example, personally identifying information, or financial or health IDs) or keywords. They can enhance protection by applying custom email templates and by setting an expiry on access to encrypted emails viewed through the secure web portal. Additionally, admins can revoke access to encrypted emails that are viewed through the secure web portal at any time.

How do users benefit from the service?

Message senders benefit from the added control over sensitive emails provided by Advanced Message Encryption.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 E5/A5/F5/G5 Information Protection and Governance provide the rights for a user to benefit from Advanced Message Encryption.

How is the service provisioned/deployed?

Admins create and manage Advanced Message Encryption policies in the Exchange admin center under Mail flow > Rules. By default, these rules apply to all users in the tenant. For more information about setting up new Message Encryption capabilities, see Set up new Office 365 Message Encryption capabilities.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins should apply mail flow rules for Advanced Message Encryption only to licensed users. For more information about defining mail flow rules, see Define mail flow rules to encrypt email messages in Office 365.

Information Protection: Microsoft Purview Message Encryption

Microsoft Purview Message Encryption is a service built on Azure Rights Management (Azure RMS) that lets you send encrypted email to people inside or outside your organization, regardless of the destination email address (Gmail, Yahoo! Mail, Outlook.com, etc.).

To view encrypted messages, recipients can either get a one-time passcode, sign in with a Microsoft account, or sign in with a work or school account associated with Office 365. Recipients can also send encrypted replies. They don't need a subscription to view encrypted messages or send encrypted replies.

How do users benefit from the service?

Message senders benefit from the added control over sensitive emails provided by Office 365 Message Encryption.

Which licenses provide the rights for a user to benefit from the service?

  • Microsoft 365 F3/E3/A3/G3/E5/A5/G5 and Microsoft 365 Business Premium
  • Office 365 A1/E3/A3/G3/E5/A5/G5
  • Azure Information Protection Plan 1 also provides the rights for an organization to benefit from Office 365 Message Encryption when added to the following plans: Exchange Online Kiosk, Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F3, Microsoft 365 Business Basic, Microsoft 365 Business Standard, or Office 365 Enterprise E1

How is the service provisioned/deployed?

Admins create and manage Office 365 Message Encryption policies in the Exchange admin center under Mail flow > Rules. By default, these rules apply to all users in the tenant. For more information about setting up new Office 365 Message Encryption capabilities, see Set up new Message Encryption capabilities.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins should apply mail flow rules for Office 365 Message Encryption only to licensed users. For more information about defining mail flow rules, see Define mail flow rules to encrypt email messages.
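The following is an added example, not code from the page or from Microsoft's documentation, covering both of the Message Encryption sections above: a mail flow rule that applies Office 365 Message Encryption only to mail from licensed senders, and the Advanced Message Encryption additions (a custom template with an expiry, and revocation of a sent message). It uses Exchange Online PowerShell. The group address "OME-Licensed-Senders@contoso.com", the template and rule names, the 7-day expiry and the message ID placeholder are assumptions; the "Encrypt" rights protection template and the "U.S. Social Security Number (SSN)" sensitive information type are built-in names.

```powershell
# Added example: scope Message Encryption mail flow rules to licensed senders and
# add Advanced Message Encryption expiry and revocation. Assumed: a mail-enabled
# group OME-Licensed-Senders@contoso.com holds the users licensed for the feature.
Connect-ExchangeOnline

$licensedSenders = 'OME-Licensed-Senders@contoso.com'

# Check: Azure RMS must be enabled for the tenant before any encrypt rule works.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'Azure Rights Management is not enabled; run Set-IRMConfiguration -AzureRMSLicensingEnabled $true first.'
}
Test-IRMConfiguration -Sender 'alice@contoso.com'

# Office 365 Message Encryption: encrypt outbound mail from licensed senders that
# carries a sensitive information type. -FromMemberOf is the licensing scope;
# -SentToScope NotInOrganization limits the rule to external recipients.
New-TransportRule -Name 'OME - encrypt SSN to external (licensed senders)' `
    -FromMemberOf $licensedSenders `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }) `
    -ApplyRightsProtectionTemplate 'Encrypt'

# Advanced Message Encryption: a custom branding template whose portal access
# expires after 7 days, applied by a second rule keyed on a subject keyword.
New-OMEConfiguration -Identity 'Expire in 7 days' -ExternalMailExpiryInDays 7

New-TransportRule -Name 'AME - encrypt and expire confidential mail (licensed senders)' `
    -FromMemberOf $licensedSenders `
    -SentToScope NotInOrganization `
    -SubjectContainsWords 'Confidential' `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -ApplyRightsProtectionCustomizationTemplate 'Expire in 7 days'

# Advanced Message Encryption: revoke a message already sent through the portal.
# <message-id> is the Message-ID header of the encrypted mail (placeholder).
Get-OMEMessageStatus -SenderEmailAddress 'alice@contoso.com' -MessageId '<message-id>'
Set-OMEMessageRevocation -Revoke $true -MessageId '<message-id>'

# Check: both rules should be enabled and carry the sender-group scope.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Select-Object Name, State, FromMemberOf, SentToScope, ApplyRightsProtectionCustomizationTemplate
```

Expiry and revocation only take effect for recipients who read the message through the encrypted message portal (the one-time passcode or Microsoft account path described above); a recipient who opens the mail natively in a work or school account associated with Office 365 is not subject to the portal expiry.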

Microsoft Priva

For more information, see Microsoft Priva.

Privileged access management in Office 365

Privileged access management (PAM) provides granular access control over privileged admin tasks in Office 365. After enabling PAM, to complete elevated and privileged tasks, users will need to request just-in-time access through an approval workflow that is highly scoped and time-bound.

How do users benefit from the service?

Enabling PAM lets organizations operate with zero standing privileges. Users benefit from the added layer of defense against vulnerabilities arising from standing administrative access that provides unfettered access to their data.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 E5/A5/F5 Insider Risk Management provide the rights for a user to benefit from PAM.

How is the service provisioned/deployed?

By default, PAM features are enabled at the tenant level for all users within the tenant. For information on configuring PAM policies, see Get started with privileged access management.

How can the service be applied only to users in the tenant who are licensed for the service?

Customers can manage PAM on a per-user basis through approver group and access policies, which can be applied to licensed users.
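The following is an added example, not code from the page or from Microsoft's documentation, showing the per-user management described above from Exchange Online PowerShell: an approval policy that puts a specific privileged task behind a named approver group, a time-bound request for that task from a user, and approval of the request. PAM must already be enabled for the tenant, as the section says. The approver group "PAM-Approvers@contoso.onmicrosoft.com", the chosen task, the 4-hour duration and the request ID placeholder are assumptions, and the cmdlet parameter names follow the Exchange Online cmdlet reference as this editor recalls it.

```powershell
# Added example: per-task, per-group privileged access management in Office 365.
# Assumed: PAM is enabled for the tenant and PAM-Approvers@contoso.onmicrosoft.com
# is the mail-enabled group of approvers (who must hold a PAM-entitled license).
Connect-ExchangeOnline

$approverGroup = 'PAM-Approvers@contoso.onmicrosoft.com'

# Approval policy: creating a journal rule (a way to silently copy mail) now
# requires a manual approval from the approver group rather than standing rights.
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-JournalRule' `
    -ApprovalType Manual `
    -ApproverGroup $approverGroup

# Admin side: request just-in-time access for that task, time-bound to 4 hours.
# The task cannot run until an approver acts on the request.
New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' `
    -Reason 'Create journal rule for legal hold JH-42 (ticket placeholder)' `
    -DurationHours 4

# Approver side: list pending requests, then approve the one for this task.
Get-ElevatedAccessRequest | Where-Object { $_.RequestStatus -eq 'Pending' } |
    Select-Object RequestId, Requestor, Task, RequestStatus

# <request-id> is the RequestId returned above (placeholder).
Approve-ElevatedAccessRequest -RequestId '<request-id>' -Comment 'Approved for JH-42, 4 hours'

# Check: which tasks are gated, and by whom. Any privileged task without a policy
# is still reachable through standing admin rights, so review this list regularly.
Get-ElevatedAccessApprovalPolicy | Select-Object Task, ApprovalType, ApproverGroup
```

The security property this buys is the one the section names: the journal-rule task has no standing holder, access exists only for the approved window, and the request, approval and execution are all logged, which is what makes the "zero standing privileges" claim auditable rather than aspirational.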

Microsoft Purview Audit

For more information, see Microsoft Purview service description

Microsoft Purview Communication Compliance

For more information, see Microsoft Purview service description

Microsoft Purview Compliance Manager

Compliance Manager is a feature in the Microsoft Purview compliance portal that helps you manage your organization’s compliance requirements with greater ease and convenience. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

Compliance Manager helps simplify compliance and reduce risk by providing:

  • Prebuilt assessments for common industry and regional standards and regulations.
  • Workflow capabilities to help you efficiently complete your risk assessments through a single tool.
  • Detailed step-by-step guidance on suggested improvement actions to help you comply with the standards and regulations that are most relevant for your organization. For actions that are managed by Microsoft, you’ll see implementation details and audit results.
  • A risk-based compliance score to help you understand your compliance posture by measuring your progress in completing improvement actions.

Who can access Compliance Manager?

Compliance Manager is available to organizations with Office 365 and Microsoft 365 licenses, and to US Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) customers. Assessment availability and management capabilities depend on your licensing agreement.

What are premium templates?

Premium templates are an add-on value for Compliance Manager and help:

  • Translate complex regulatory requirements to specific controls
  • Suggest recommended improvement actions
  • Provide quantifiable measure of compliance against regulations

Compliance Manager has 300+ premium assessments that customers can use to assess their compliance with a wide range of global, regional, and industrial regulations and standards.

Any customer with a subscription that includes a Microsoft Exchange Online license may purchase Compliance Manager premium templates.

Which premium templates are available?

Here is the list of premium templates.

Which templates are included by default (free of cost)?

Some assessments are included as part of Compliance Manager and the type of customer license. See the table below and frequently asked questions for details:

License Type / Assessment Templates (included by default)1

  • Microsoft 365 or Office 365 A1/E1/F1/G1; Microsoft 365 or Office 365 A3/E3/F3/G3
    • Data Protection Baseline
  • Microsoft 365 or Office 365 A5/E5/G5; Microsoft 365 A5/E5/F5/G5 Compliance; Microsoft 365 A5/E5/F5/G5 eDiscovery and Audit; Microsoft 365 A5/E5/F5/G5 Insider Risk Management; Microsoft 365 A5/E5/F5/G5 Information Protection and Governance
    • Choice of any 3 premium templates2
    • Data Protection Baseline
    • CMMC Level 1-5 (only available for G5)
    • Custom Assessments

1 Templates that correspond to a regulation will now all be grouped together and treated as a single template. For example, CMMC - Level 1, and CMMC - Level 2 will now be counted as one template. You won't need to purchase multiple templates for the same regulation when that regulation has multiple levels or versions.
2 All users need to be licensed.

Microsoft Purview Customer Lockbox

For more information, see Microsoft Purview service description.

Microsoft Purview Data Connectors

Microsoft provides third-party data connectors that can be configured in the Microsoft Purview compliance portal. For a list of data connectors provided by Microsoft, see the Third-party data connectors table. This table also summarizes the compliance solutions that you can apply to third-party data after you import and archive data in Microsoft 365, and links to the step-by-step instructions for each connector.

How do users benefit from the service?

The primary benefit of using Data Connectors (formerly named Microsoft 365 Data Connectors) to import and archive third-party data in Microsoft 365 is that you can apply various Microsoft Purview solutions to the data after it's been imported. This helps ensure that your organization's non-Microsoft data is in compliance with the regulations and standards that affect your organization.

Which licenses provide the rights for a user to benefit from the service?

The following licenses provide the rights for a user to benefit from Data Connectors:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/F5/G5 Information Protection & Governance
  • Microsoft 365 E5/A5/G5/F5 Compliance
  • Microsoft 365 F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Insider Risk Management
  • Microsoft 365 E5/A5/F5/G5 eDiscovery and Audit
  • Office 365 E5/A5/G5

For data connectors in the Microsoft Purview compliance portal that are provided by a Microsoft partner, your organization will need a business relationship with the partner before you can deploy those connectors.

How is the service provisioned/deployed?

Connectors are configured using the Microsoft Purview compliance portal and Connector Catalog.

How can the service be applied only to users in the tenant who are licensed for the service?

Data Connectors services are a tenant-level value. Every user intended to benefit from this service must be licensed.

Microsoft Purview Data Lifecycle Management & Microsoft Purview Records Management

Microsoft Purview Data Lifecycle Management (formerly Microsoft Information Governance) and Microsoft Purview Records Management provide you with tools and capabilities to retain the content that you need to keep and delete the content that you do not need. Often organizations retain and delete content to meet compliance and data regulatory requirements. Deleting content that no longer has business value also helps you manage risk and liability.

Both Data Lifecycle Management and Records Management use retention policies, retention labels, and retention label policies to enforce retention and deletion settings. Additionally, this area includes email archiving functionality.

Licensing for retention policies

For organization-wide, location-wide, or include/exclude retention policies, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5/E3/A3/G3, Business Premium
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5/E3/A3/G3

If the retention policy location is an Exchange mailbox, then the following licenses also provide user rights:

  • Exchange Plan 2
  • Exchange Online Archiving

If the retention policy location is SharePoint or OneDrive for Business, the following licenses also provide user rights:

  • SharePoint Plan 2

If the retention policy location is Microsoft Teams chats, channels, or private channels, then the following licenses also provide user rights. The retention or deletion period must be more than 30 days for the plans that are underlined:

  • Microsoft 365 E5/G5/A5/E3/G3/A3/F3/F1, Business Basic, Business Standard, and Business Premium
  • Office 365 E5/G5/A5/E3/G3/A3/F3/E1/G1
  • Microsoft 365 F5 Compliance and Microsoft 365 F5 Security and Compliance add-on plans

If the retention policy uses an adaptive policy scope, then one of the following licenses is required to provide user rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Office 365 E5/A5/G5
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance

If the retention policy applies to Microsoft 365 Copilot interactions, the following licenses provide user rights:

  • Microsoft 365 E3/E5 + Microsoft 365 Copilot
  • Microsoft 365 E3 + Microsoft E5 Compliance + Microsoft 365 Copilot
  • Microsoft 365 E3 + Microsoft E5 Information Protection and Governance + Microsoft 365 Copilot

Licensing for retention labels

For retention label creation, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5/E3/A3/G3/F3/F1/Business Premium
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5/E3/A3/G3/F3/E1/A1/G1

The following retention label creation settings:

  • Start the retention period based on an event type
  • Trigger a disposition review at the end of the retention period
  • During the retention period mark items as a record or a regulatory record
  • After the retention period, automatically change the retention label

require these specific licenses to provide user rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Office 365 E5/A5/G5
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance

Licensing for retention label policies

Retention labels are applied to files and emails in one of three ways:

  • Publishing labels so they are available to end users for manual labeling.
  • Auto-applying them through retention label policy configuration.
  • Through other application methods such as default labels.

To publish retention labels, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5/E3/A3/G3/F3/F1/Business Premium
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5/E3/A3/G3/F3/E1/A1/G1

If the publishing location is an Exchange mailbox, then Exchange Online Plan 1 and Plan 2 licenses provide user rights.

If the publishing location is SharePoint Online or OneDrive, SharePoint Online Plan 1 and Plan 2 licenses provide user rights.

The following deployment methods for retention labels require specific licensing:

  • Auto-apply to content that contains sensitive information
  • Auto-apply to content that contains specific words, phrases, or properties
  • Apply a default retention label to a SharePoint document library, folder, or document set
  • Using an adaptive policy scope in the retention label policy

The following licenses provide user rights for those deployment methods:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5

To auto-apply retention labels using a trainable classifier, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance

Other retention label application methods

To apply a label using an Outlook rule or an Outlook default folder policy, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5/E3/A3/G3/F3/F1/Business Premium
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5/E3/A3/G3/F3/E1/A1/G1

To apply a retention label using a SharePoint Syntex model, the following licenses provide user rights. Additionally, you will need to purchase the appropriate SharePoint Syntex licenses.

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5

To use the file plan to maintain retention labels, including import and export, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5

To use adaptive policy scopes to dynamically target Microsoft Copilot for Microsoft 365 interaction retention policies to specific users and/or retain the exact version of a document shared in a Microsoft 365 Copilot interaction, the following licenses provide user rights:

  • Microsoft 365 E5 + Microsoft 365 Copilot
  • Microsoft 365 E3 + Microsoft E5 Compliance + Microsoft 365 Copilot
  • Microsoft 365 E3 + Microsoft 365 E5 Information Protection and Governance + Microsoft 365 Copilot

Email archiving

To bulk-import PST files to Exchange Online mailboxes, the following licenses provide user rights:

  • Exchange Online P2
  • Microsoft 365 E5/A5/G5/E3/A3/G3
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5/E3/A3/G3

To enable an archive mailbox and auto-expanding archive, the following licenses provide user rights:

  • Archive mailbox limited to 50 GB
    • Exchange Online Plan 1
    • Office 365 E1
  • Archive mailbox limited to 1.5 TB
    • Exchange Online Archiving
    • Exchange Online Plan 2
    • Microsoft 365 E5/A5/G5/E3/A3/G3
    • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
    • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
    • Office 365 E5/A5/G5/E3/A3/G3
    • Microsoft 365 Business Premium

Which users need a license?

Any user benefiting from the service requires a license. For more information about service terms & conditions, see Product Terms. Here are examples of users benefiting from the service:

  • Users with the following assigned roles found in the Microsoft Purview compliance portal: Disposition Management, Record Management, Retention Management, View-Only Record Management, View-Only Retention Management.

  • SharePoint site owners and members when a retention policy or retention label policy is used on the site. Site visitors do not need a license.

  • Microsoft 365 Group owners and members when a retention policy or retention label policy is used on the site, mailbox, or Teams messages.

  • For user mailboxes, the user must have the required license assigned.

  • Users, SharePoint sites, and Microsoft 365 Groups included in an adaptive policy scope.

For many features, a shared or resource mailbox does not need a license assigned. For features requiring one of the following licenses, a shared or resource mailbox does need a license assigned to provide usage rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5

Inactive mailboxes do not require a usage license.

Additionally, shared mailboxes are limited to 50 GB without the need for an Exchange add-on. To increase the size limit to 100 GB, the shared mailbox requires Exchange Online Plan 2 or Exchange Online Archiving + Exchange Online Plan 1.

Microsoft Purview Data Loss Prevention: Endpoint Data Loss Protection (DLP)

Organizations can use Microsoft Purview Data Loss Prevention (DLP) to detect activity on items determined to be sensitive and to help prevent the unintentional sharing of those items. For more information on DLP, see Learn about data loss prevention.

Endpoint data loss prevention (Endpoint DLP) extends the activity detection and protection capabilities of DLP to sensitive items that are physically stored on Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) devices.

Which licenses provide the rights for a user to benefit from the service?

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/F5/G5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection & Governance

How is the service provisioned/deployed?

For more information, see Get started with Endpoint data loss prevention - Microsoft Purview (compliance) | Microsoft Docs and Learn about data loss prevention - Microsoft Purview (compliance) | Microsoft Docs.

Using the Microsoft Purview compliance portal, Endpoint DLP policies can be scoped to users logging into onboarded devices. Policies are evaluated when a scoped user logs onto an onboarded device. Please review the Microsoft Endpoint DLP interactive guide for devices for more details.

Double Key Encryption (see the Microsoft Purview Information Protection: Double Key Encryption section below) can also be used to prevent Microsoft 365 Copilot from accessing sensitive data. The following licenses provide the rights to apply Double Key Encryption (DKE) for that purpose:

  • Microsoft 365 E5 + Microsoft 365 Copilot
  • Microsoft 365 E3 + Microsoft E5 Compliance + Microsoft 365 Copilot
  • Microsoft 365 E3 + Microsoft 365 E5 Information Protection and Governance + Microsoft 365 Copilot

Microsoft Purview Data Loss Prevention: Data Loss Prevention (DLP) for Exchange Online, SharePoint Online, and OneDrive for Business

With Microsoft Purview Data Loss Prevention for Exchange Online, SharePoint Online, and OneDrive for Business (formerly named Microsoft Office 365 Data Loss Prevention), organizations can identify, monitor, and automatically protect sensitive information across emails and files (including files stored in Microsoft Teams file repositories).

How do users benefit from the service?

Users benefit from DLP for Exchange Online, SharePoint Online, and OneDrive for Business when their emails and files are being inspected for sensitive information, as configured in the organization's DLP policy.

Which licenses provide the rights for a user to benefit from the service?

  • Microsoft 365 E5/A5/G5/E3/A3/G3, Microsoft 365 Business Premium, SharePoint Online Plan 2, OneDrive for Business (Plan 2), Exchange Online Plan 2
  • Office 365 E5/A5/G5/E3/A3/G3
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance

How is the service provisioned/deployed?

By default, Exchange Online emails, SharePoint sites, and OneDrive accounts are enabled locations (workloads) for these DLP features for all users within the tenant. For more information about using DLP policies, see Overview of data loss prevention.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), include users, and exclude users in the Microsoft Purview compliance portal.

Microsoft Purview Data Loss Prevention: Data Loss Prevention (DLP) for Teams

With DLP for Teams, organizations can block chats and channel messages that contain sensitive information, such as financial information, personally identifying information, health-related information, or other confidential information.

Which users benefit from the service?

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5

How do users benefit from the service?

Senders benefit by having sensitive information in their outgoing chat and channel messages inspected for sensitive information, as configured in the organization's DLP policy.

How is the service provisioned/deployed?

By default, Teams chat and channel messages are an enabled Location (workload) for these DLP features for all users within the tenant. To enable Data Loss Prevention for Teams, the “Microsoft Communications DLP” service must be selected under one of the above licenses in the Microsoft 365 Administration portal. For more information about using DLP policies, see Overview of data loss prevention.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Microsoft Purview compliance portal.

Microsoft Purview Data Loss Prevention: Graph APIs for Teams Data Loss Prevention (DLP) and for Teams Export

These APIs let developers build Security and Compliance apps that can “listen” to Microsoft Teams messages in near-real time or export Teams messages in 1:1/group chats or Teams channels. These APIs enable DLP and other Information Protection and Governance scenarios for both customers and ISVs. Additionally, the Microsoft Graph Patch API allows applying DLP actions to Teams messages.

How do users benefit from the service?

Data loss prevention (DLP) capabilities are widely used in Microsoft Teams, particularly as organizations have shifted to remote work. If your organization has DLP, you can now define policies that prevent people from sharing sensitive information in a Microsoft Teams channel or chat session.

Information protection and governance capabilities are widely used in Microsoft Teams, particularly as organizations have shifted to remote work. With Teams Export API, data can be exported to a third-party eDiscovery or Compliance Archiving application to ensure compliance practices are met.

Which licenses provide the rights for a user to benefit from the service?

  • Office 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/F5/G5 Compliance and Microsoft 365 F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance

How is the service provisioned/deployed?

API access is configured at the tenant level. To enable Microsoft Graph APIs for Teams DLP, the “Microsoft Communications DLP” service must be selected under one of the above licenses in the Microsoft 365 Administration portal.

How can the service be applied only to users in the tenant who are licensed for the service?

Microsoft Graph APIs for Teams DLP and Teams Export provide a tenant-level value. Every user intended to benefit from this service must be licensed. As an added value, we are adding seeded capacity per licensed user, calculated per month, and aggregated at the tenant level. For usage beyond the seeded capacity, app owners will be billed for API consumption.

For more information on the seeded capacity and consumption fees, see Graph requirements for accessing chat messages.

Microsoft Purview eDiscovery

For more information, see Microsoft Purview service description.

Microsoft Purview Information Barriers

Information Barriers are policies that an admin can configure to prevent individuals or groups from communicating with each other. This is useful if, for example, one department is handling information that shouldn't be shared with other departments, or a group needs to be prevented from communicating with outside contacts. Information barrier policies also prevent lookups and discovery. This means that if you attempt to communicate with someone you should not be communicating with, you won't find that user in the people picker.

How do users benefit from the service?

Users benefit from the advanced compliance capabilities of information barriers when they're restricted from communicating with others. Information barrier policies can be defined to prevent certain segments of users from communicating with each other, or to allow specific segments to communicate only with certain other segments. For more information on defining information barrier policies, see Define information barrier (IB) policies. When defining an IB policy (Block or Allow), users belonging to the segments listed under "Assigned Segments" require licenses. Here are two sample scenarios:

Scenario 1: IB Block Policy - Two groups (Group 1 and Group 2) cannot communicate with each other (that is, Group 1 users are restricted from communicating with Group 2 users, and Group 2 users are restricted from communicating with Group 1 users).

Examples:

New-InformationBarrierPolicy -Name "Group1-Group2" -AssignedSegment "Group1" -SegmentsBlocked "Group2"

New-InformationBarrierPolicy -Name "Group2-Group1" -AssignedSegment "Group2" -SegmentsBlocked "Group1"

Who requires a license? Users in both Group 1 and Group 2.

Scenario 2: IB Allow Policy - Three groups (Group 1, Group 2 & Group 3) are allowed to talk only with Group 4 and Group 5.

Examples:

New-InformationBarrierPolicy -Name "Group1-Group4 Group5" -AssignedSegment "Group1" -SegmentsAllowed "Group4,Group5"

New-InformationBarrierPolicy -Name "Group2-Group4 Group5" -AssignedSegment "Group2" -SegmentsAllowed "Group4,Group5"

New-InformationBarrierPolicy -Name "Group3-Group4 Group5" -AssignedSegment "Group3" -SegmentsAllowed "Group4,Group5"

Who requires a license? Users in Group 1, Group 2 & Group 3.
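An added PowerShell example for scenario 1 (this is not code from the original page or from Microsoft's documentation): it defines the two segments the block policies refer to, creates the policies in both directions, activates them, and starts policy application. It assumes the Exchange Online PowerShell module is installed, the signed-in admin holds the Compliance Administrator role, and users carry a Department attribute whose values match the constructed segment names.

```powershell
# Assumption: Exchange Online PowerShell module is installed and the admin has
# the Compliance Administrator role. Connects to Security & Compliance PowerShell.
Connect-IPPSSession

# Segments are defined by a user attribute filter. The Department values here
# are constructed for this example; adjust them to your directory attributes.
$segmentFilters = @{
    "Group1" = "Department -eq 'Group1'"
    "Group2" = "Department -eq 'Group2'"
}

foreach ($segmentName in $segmentFilters.Keys) {
    # Skip creation if the segment already exists, so the script is re-runnable.
    if (-not (Get-OrganizationSegment -Identity $segmentName -ErrorAction SilentlyContinue)) {
        New-OrganizationSegment -Name $segmentName -UserGroupFilter $segmentFilters[$segmentName]
    }
}

# Scenario 1: block communication in both directions. Policies are created
# inactive so both halves exist before anything is enforced.
New-InformationBarrierPolicy -Name "Group1-Group2" -AssignedSegment "Group1" -SegmentsBlocked "Group2" -State Inactive
New-InformationBarrierPolicy -Name "Group2-Group1" -AssignedSegment "Group2" -SegmentsBlocked "Group1" -State Inactive

# Activate both policies, then start applying them to users.
Set-InformationBarrierPolicy -Identity "Group1-Group2" -State Active
Set-InformationBarrierPolicy -Identity "Group2-Group1" -State Active
Start-InformationBarrierPoliciesApplication

# Review the resulting policies and the application status. Every user in the
# assigned segments (Group1 and Group2) must hold one of the licenses listed below.
Get-InformationBarrierPolicy | Format-Table Name, AssignedSegment, SegmentsBlocked, State
Get-InformationBarrierPoliciesApplicationStatus
```

A segment can be assigned to only one policy, so the allow policies of scenario 2 would be created for different segments, not layered on Group1 and Group2 above.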

Which licenses provide the rights for a user to benefit from the service?

  • Microsoft 365 E5/G5/A5/A3/A1
  • Office 365 E5/A5/A3/A1
  • Microsoft 365 E5/F5 Compliance
  • Microsoft 365 E5/G5/A5 Insider Risk Management
  • Microsoft 365 F5 Security + Compliance
  • Office 365 E3 + Enterprise Mobility & Security E3 + E5 Compliance
  • Office 365 E3 + Enterprise Mobility & Security E3 + Insider Risk Management
  • Office 365 Advanced Compliance add-on (no longer available for new subscriptions)

How is the service provisioned/deployed?

Admins create and manage information barrier policies by using PowerShell cmdlets in the Microsoft Purview compliance portal. Admins must be assigned the Microsoft 365 Enterprise Global Administrator, Office 365 Global Administrator, or Compliance Administrator role to create an information barrier policy. By default, these policies apply to all users in the tenant. For more information about information barriers, see Information barriers in Microsoft Teams.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Microsoft Purview compliance portal. For more information, see Information barriers in Microsoft Teams.

Microsoft Purview Information Protection: Customer Key

With Customer Key (formerly named Customer Key for Microsoft 365), you control your organization's encryption keys and configure Microsoft 365 to use them to encrypt your data at rest in Microsoft data centers. In other words, Customer Key allows you to add a layer of encryption that belongs to you, using your own keys. Customer Key provides data-at-rest encryption support for multiple Microsoft 365 workloads through Microsoft 365 Data-At-Rest Encryption Service. In addition, Customer Key provides encryption for SharePoint Online and OneDrive for Business data as well as Exchange Online mailbox level encryption.

How do users benefit from the service?

Users benefit from Customer Key by having their data at rest encrypted at the application layer using encryption keys that are provided, controlled, and managed by their own organization.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/G5/F5 Information Protection and Governance, and Office 365 E5/A5/G5 provide the rights for a user to benefit from Customer Key. To get the full benefit of Customer Key, you must also have a subscription for Azure Key Vault.

How is the service provisioned/deployed?

The Set up Customer Key article describes the steps you need to follow to create and configure the required Azure resources and then provides the steps for setting up Customer Key.

How can the service be applied only to users in the tenant who are licensed for the service?

The Microsoft 365 data-at-rest encryption service that provides multi-workload encryption support is a tenant-level service. Although some unlicensed users may technically be able to access the service, a license is required for any user that you intend to benefit from the service. For Exchange Online mailbox-level encryption, the user mailbox needs to be licensed to assign a data encryption policy.

Microsoft Purview Information Protection: Data classification analytics: Overview Content & Activity Explorer

Data classification analytics capabilities are available within the Microsoft Purview compliance portal. Overview shows the locations of digital content and the most common sensitive information types and labels present. Content Explorer provides visibility into the amount and types of sensitive data and allows users to filter by label or sensitivity type to get a detailed view of the locations where the sensitive data is stored. Activity Explorer shows activities related to sensitive data and labels, such as label downgrades or external sharing that could expose your content to risk.

Activity Explorer provides a single pane of glass for admins to get visibility into activities that are related to sensitive information being used by end users. This data includes label activities, data loss prevention (DLP) logs, auto-labeling, Endpoint DLP, and more.

Content Explorer provides admins the ability to index the sensitive documents that are stored within supported Microsoft 365 workloads and identify the sensitive information that they are storing. In addition, Content Explorer helps identify documents that are classified with sensitivity and retention labels.

How do users benefit from the service?

Information protection and compliance admins can access the service to get access to these logs and indexed data to understand where sensitive data are stored, and which activities are related to this data and performed by end users.

Which licenses provide the rights for a user to benefit from the service?

Licensed users of Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 E5/A5/G5 Information Protection & Governance and Office 365 E5 can benefit from Microsoft 365 data classification analytics.

Microsoft 365 E3/A3/G3 and Office 365 E3/A3/G3 allow users to benefit from Content Explorer data aggregation only.

How is the service provisioned/deployed?

By default, Overview Content and Activity Explorer features are enabled at the tenant level for all users within the tenant. For information on configuring data classification analytics for licensed users, see:

How can the service be applied only to users in the tenant who are licensed for the service?

This feature needs to be scoped for users who actively use the solution within Microsoft Purview compliance portal.

Microsoft Purview Information Protection: Double Key Encryption

Double Key Encryption (formerly named Double Key Encryption for Microsoft 365) lets you protect your highly sensitive data to meet specialized requirements and maintain full control of your encryption key. Double Key Encryption uses two keys to protect your data, with one key in your control and the second key stored securely by Microsoft Azure. To view the data, you must have access to both keys. Since Microsoft can access only one key, your key and also your data are unavailable to Microsoft, ensuring that you have full control over the privacy and security of your data.

How do users benefit from the service?

Users benefit from Double Key Encryption by being able to migrate their encrypted data to the cloud, which prevents third-party access as long as the key remains in control of the users. Users can protect and consume Double Key Encrypted content similar to any other sensitivity label protected content.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/F5/G5 Compliance and Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/G5 Information Protection and Governance, and EMS E5 provide the rights for a user to benefit from Double Key Encryption.

How is the service provisioned/deployed?

Double Key Encryption supports the desktop version of Microsoft Office for Windows.

How can the service be applied only to users in the tenant who are licensed for the service?

To assign encryption keys to data within an Office 365 and/or Microsoft 365 organization for licensed users, follow the Double Key Encryption deployment instructions.

Microsoft Purview Information Protection: Sensitivity labeling

Information Protection helps organizations discover, classify, label, and protect sensitive documents, emails and meetings, and groups and sites. Admins can define rules and conditions to apply labels automatically, users can apply labels manually, or a combination of the two can be used—where users are given recommendations on applying labels.

How do users benefit from the service?

Users benefit by having the ability to create, manually apply or automatically apply sensitivity labels, and consume content that has sensitivity labels applied.

Which licenses provide the rights for a user to benefit from the service?

For manual sensitivity labeling, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium/OneDrive for Business (Plan 2)
  • Enterprise Mobility + Security E3/E5
  • Office 365 E5/A5/E3/A3
  • AIP Plan 1
  • AIP Plan 2

For manual sensitivity labeling for scheduled meetings, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance
  • Microsoft E5/A5/G5/F5 Information Protection and Governance
  • Microsoft 365 F5 Security & Compliance
  • Office 365 E5/A5

For manual sensitivity labeling for Teams online meetings, the following additional licenses provide user rights:

  • Microsoft 365 E5/A5/G5 + Teams Premium
  • Microsoft 365 E5/A5/G5/F5 Compliance + Teams Premium
  • Microsoft E5/A5/F5/G5 Information Protection and Governance + Teams Premium
  • Microsoft 365 F5 Security & Compliance + Teams Premium
  • Office 365 E5/A5 + Teams Premium

For inheriting labels from input to output for Microsoft 365 Copilot, the following additional licenses provide user rights:

  • Microsoft 365 E3/E5 + Microsoft 365 Copilot

For sensitivity labels for content generated by Microsoft 365 Copilot, the following additional licenses provide user rights:

  • Microsoft 365 E5 + Microsoft 365 Copilot
  • Microsoft 365 E3 + Microsoft E5 Compliance + Microsoft 365 Copilot
  • Microsoft 365 E3 + Microsoft E5 Information Protection and Governance + Microsoft 365 Copilot

For both client and service-side automatic sensitivity labeling, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft E5/F5 Compliance
  • Microsoft F5 Security & Compliance
  • Microsoft 365 E5/A5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5

For client-side automatic sensitivity labeling only, the following licenses provide user rights:

  • Enterprise Mobility + Security E5/A5/G5
  • AIP Plan 2

To apply and view sensitivity labels in Power BI and to protect data when it's exported from Power BI to Excel, PowerPoint, or PDF, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium
  • Enterprise Mobility + Security E3/E5
  • AIP Plan 1
  • AIP Plan 2

To apply a default sensitivity label to a SharePoint document library, the following licenses provide user rights:

For applying conditional access policies via authentication context to SharePoint sites using sensitivity labels, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5 Information Protection and Governance
  • Office 365 E5/A5/G5

Note

You can also apply conditional access policies via authentication context to SharePoint sites directly with the Set-SPOSite PowerShell cmdlet; the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/F5 Compliance
  • Microsoft 365 E5 Information Protection and Governance
  • Office 365 E5/A5/G5
  • Microsoft Syntex - SharePoint Advanced Management

To learn more about these capabilities, see Conditional access policy for SharePoint sites and OneDrive - SharePoint in Microsoft 365 | Microsoft Learn.
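The Set-SPOSite path mentioned in the note above, as an added example that is not from this page or from Microsoft's documentation: it binds an existing Entra authentication context to one site and then reads the site back to confirm the binding, which is the check an admin would want before relying on the Conditional Access policy. The admin URL, site URL and context name are placeholders, and reading `ConditionalAccessPolicy` and `AuthenticationContextName` back from `Get-SPOSite` is assumed here.

```powershell
# Added example, not code from the page. Placeholders: admin URL, site URL and the
# authentication context name (the context must already exist in Microsoft Entra ID).
$AdminUrl    = "https://contoso-admin.sharepoint.com"          # placeholder
$SiteUrl     = "https://contoso.sharepoint.com/sites/Finance"  # placeholder
$ContextName = "Require compliant device"                      # placeholder

# Requires the Microsoft.Online.SharePoint.PowerShell module and SharePoint admin rights.
Connect-SPOService -Url $AdminUrl

# Bind the authentication context to the site. Any Conditional Access policy that
# targets this context in Entra ID then gates access to the site and its content.
Set-SPOSite -Identity $SiteUrl `
    -ConditionalAccessPolicy AuthenticationContext `
    -AuthenticationContextName $ContextName

# Verify the binding rather than assuming it; assumed property names on the site object.
$site = Get-SPOSite -Identity $SiteUrl
if ($site.ConditionalAccessPolicy -ne 'AuthenticationContext' -or
    $site.AuthenticationContextName -ne $ContextName) {
    throw "Authentication context '$ContextName' was not applied to $SiteUrl"
}
Write-Output "Authentication context '$ContextName' is active on $SiteUrl"

# Optional audit: list sites that still have no authentication context bound, so
# coverage gaps in the sensitivity-label or Set-SPOSite rollout are visible.
Get-SPOSite -Limit All |
    Where-Object { $_.ConditionalAccessPolicy -ne 'AuthenticationContext' } |
    Select-Object Url, ConditionalAccessPolicy
```

The audit loop enumerates every site in the tenant, so on a large tenant run it outside business hours or scope it with a filter on Url.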

For information on how a user can benefit from the AIPService PowerShell module to administer the Azure Rights Management protection service for Azure Information Protection, see Azure Information Protection.

Note

In addition to the licensing information above:

  • A standard/Plan 1 license must be assigned in addition to the premium/P2 license for users to have access to sensitivity labeling for Information Protection for Office 365 and AIP, even if the premium licenses/Plan 2 are assigned. For example, if Information Protection for Office 365 Premium is assigned to a user, that user must also have Information Protection for Office 365 Standard assigned for sensitivity labeling to be available. And if AIP P2 is assigned to a user, that user must also have AIP P1 assigned.
  • Power BI is included with Microsoft 365 E5/A5/G5; in all other plans, Power BI must be licensed separately.
  • For user benefit information regarding automatic classification based on Machine Learning, (trainable classifiers), see Information Governance and/or Records Management.
  • The Sensitivity button (MIP) isn't supported or available with Device Based Licensing for Office 365 Apps.

How is the service provisioned/deployed?

By default, information protection features are enabled at the tenant level for all users within the tenant. For information on configuring policies for licensed users, see Activating Azure Rights Management.

How can the service be applied only to users in the tenant who are licensed for the service?

Except for the Microsoft Purview information protection scanner (formerly known as the AIP scanner, now accessed through the Purview compliance portal), policies can be scoped to specific groups or users, and registry settings can be edited to prevent unlicensed users from running classification or labeling features.

For the Microsoft Purview information protection scanner feature, Microsoft does not commit to providing file classification, labeling, or protection capabilities to users who are not licensed.

For more information, see:

Microsoft Purview Insider Risk Management

For more information, see the Microsoft Purview service description.

Insider Risk Management Forensic Evidence

What is the forensic evidence add-on for Insider Risk Management?

Forensic evidence is an opt-in, capacity add-on feature in Microsoft Purview Insider Risk Management that gives security teams visual insights into potential insider data security incidents, with user privacy built in.

Which license provides the rights for a customer to benefit from the service?

Forensic evidence add-on for Insider Risk Management is available for organizations with Microsoft 365 E5/G5, Microsoft 365 E5/G5 Compliance, or Microsoft 365 E5/G5 Insider Risk Management licenses.

Customers can purchase the forensic evidence add-on in units of 100 GB per month. The purchased capacity will be metered based on forensic evidence ingestion at the tenant level for the users scoped in forensic evidence policies configured by admins.

How can customers access the service?

Customers can access the service in the Microsoft Purview compliance portal. You can learn more about forensic evidence in our technical documentation.