There are currently three separate admin consoles in Microsoft 365 for administrators to view or configure security and compliance policies, alerts, and reports.  Believe it or not, this is down from four at the peak of just-tell-me-where-to-go-to-do-this.  This doesn’t even include consoles such as Microsoft Cloud App Security (MCAS).  The direction things are heading is good, as I’ll explain in this blog, but the situation does highlight Microsoft’s relatively new culture and position of continual small updates rather than delivering fully finished products.

First to be introduced, at the end of 2015, was the Office 365 Security & Compliance Centre (SCC) which is still the most feature-rich and available at protection.office.com.

It very quickly became the central location for administrators to configure things like Office 365 ATP and eDiscovery.  SCC remains the only place some settings – like Office 365 ATP – can be configured.  In 2018, a Microsoft 365 Security & Compliance Centre was introduced at protection.microsoft.com, looking much like SCC but intending to scope not just Office 365 but Microsoft 365 (ie, include EMS management that was part of M365 but not O365 – AIP, etc).  This one was short-lived – Microsoft announced its retirement less than one year later in favour of two separate portals.

In early 2019, the Microsoft 365 Security Centre at security.microsoft.com and the Microsoft 365 Compliance Centre at compliance.microsoft.com were deployed.  The intention was to split the existing experience by how large enterprises typically structure themselves with separate security (Security Centre) and data management (Compliance Centre) teams.  Owning a single license to their services opens them up.

The fundamental direction of the Microsoft 365 Security Centre is the administration point for Microsoft Threat Protection (MTP).  MTP is the subset of all M365 E5 and ATP security products and the message from Microsoft if they’re trying to unify their end-user service management here.

Progress is slow: the main piece of configuration you can do, at time of writing, is for sensitivity labels; almost everything else redirects you to the SCC.  However, soon expect things like O365 ATP to show up.  The focus is the end-user security estate, and there is an Azure equivalent for the infrastructure estate: Azure Security Centre.  Above all this sits (or can sit) Microsoft’s SIEM – Sentinel.

The Microsoft 365 Compliance Centre focuses more on information/data controls and compliance/regulation posture.  You can create policies for Data Loss Prevention (DLP) and retention, and view the compliance score metrics.  Again, progress is slow at making this the location for compliance – many policy configurations, such as alerts, just redirect you to the SCC.

One of the design choices I find interesting is the idea of the Solutions Catalog.  This is a top-level link you visit in the Compliance Centre, and within it, you find links to features like Insider Risk Management and Records Management.  It explains them with overview, benefits, Ignite videos, and requirements – all quite nice.  When you’ve reviewed that, it’s just another click to actually open the solution, or you can go straight to it from the home page too.

To summarise:

  • Office 365 Security & Compliance (SCC)
    • The original consolidated portal and now primarily for O365 services such as O365 ATP
  • Microsoft 365 Security Centre
    • Microsoft Threat Protection services such as AIP sensitivity labels
    • A lot just redirects to SCC for now
    • Simplication: where you go to stop the bad actors getting into or damaging your environment and data… when it’s finally moved from the SCC
  • Microsoft 365 Compliance Centre – for information/data controls such as retention and DLP
    • For information/data controls such as retention and DLP
    • Simplication: where you go to control what happens with your environment and data