Digital Transformation Today

Microsoft 365 Defender and Microsoft Purview Portals: How to Access and Best Practices

Welcome back for the second post in this series on permissions in Office 365/Microsoft 365. In the previous post, I presented some best practices around Admin roles that can be used to target Microsoft 365 workloads such as Exchange Online, Microsoft Teams or SharePoint Online.

In this post, we will specifically discuss how to access the modern security and compliance portals—Microsoft 365 Defender and Microsoft Purview Compliance Portal—including AI-powered and Copilot-enhanced capabilities. We’ll also highlight the key roles used to manage permissions from a security/compliance perspective and explore how advanced features like threat detection and data governance are now integrated across the platform.

The Modern Microsoft 365 Security and Compliance Centers and How to Access

Microsoft has significantly transformed these portals since the original version of this blog, so it’s the perfect time to revisit them. The Security and Compliance Center is now fully deprecated. Microsoft has moved all workloads into modern portals for all security and compliance operations, so protection.office.com should no longer be bookmarked or used for new configurations.

Modern Security and Compliance Portals

Microsoft now provides two fully modernized portals for all security and compliance operations:

Microsoft 365 Defender Options

Microsoft 365 Defender (security.microsoft.com): This is the portal for all security operations related to email and collaboration protection in Microsoft 365.

Key capabilities:

  • Advanced anti-phishing with AI-powered analysis
  • Safe Links and Safe Attachments with real-time detonation
  • Intelligent policy recommendations powered by Copilot
  • Attack simulation training and anomaly detection
  • Threat analytics and trending insights
  • Automatic attack disruption for email, identity and endpoints
  • Real-time threat interception across the attack chain
  • Reduced dwell time and impact of breaches
  • AI-powered threat investigation and response
  • Natural language threat query support
  • Automated incident summarization
  • Microsoft Threat Intelligence integration
  • Zero-day vulnerability tracking
  • Nation-state and threat actor attribution

This solution can reduce or replace some third-party services like Mimecast or Barracuda, depending on your licensing and requirements.

Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security (MCAS)): Now integrated directly into the Defender portal.

Key capabilities:

  • Comprehensive cloud app inventory and risk assessment
  • Real-time app usage analytics
  • Unsanctioned SaaS application detection
  • App permission analysis and policy enforcement
  • Insider risk monitoring for app activity
  • Automated app quarantine for suspicious permissions
  • Session-based access policies
  • Data protection for cloud apps
  • Real-time content inspection and blocking
  • Continuous threat detection and response
  • Insider risk alerts during sessions
  • Adaptive access policies based on risk
  • AI-powered app risk analysis
  • Automated compliance recommendations

This can replace Cloud Access Security Broker (CASB) tools, such as Cisco Umbrella and Netskope.

Microsoft continues to expand advanced threat hunting, correlation-based incidents and automated investigation and response across its security and compliance ecosystem.

Microsoft Purview Compliance Portal (compliance.microsoft.com)

The Microsoft Purview Compliance Portal is the home for governance, data protection, compliance, auditing and records management.

Key capabilities:

Data Classification and Discovery (Enhanced)
  • AI-Powered Sensitive Information Discovery
    • Machine learning-based pattern detection
    • Stale/dark data identification
    • Automated classification recommendations
  • Unified Data Maps
    • Enterprise-wide data topology visualization
    • Data lineage tracking across systems
    • Cross-cloud data asset discovery
  • Advanced Classifiers
    • Pre-built industry-specific classifiers
    • Custom trainable classifiers with AI learning
    • Continuous classification updates
Sensitivity Labels (Manual, Auto and Copilot-Assisted)
  • Dynamic encryption based on recipient sensitivity
  • Restrict sharing and block downloads with audit trails
  • Auto-labeling powered by Copilot AI recommendations

Please note: Automatic labeling may require E5 or E5 Compliance licensing.

Insider Risk Management
  • AI-Powered Risk Detection
    • Advanced anomaly detection algorithms
    • Behavioral risk scoring
    • Insider threat indicators
  • Integrated Alert System
    • Cross-workload signal correlation
    • Priority alert scoring
    • Automated response recommendations
Data Lifecycle Management
  • Records Management
    • Automated retention and deletion policies
    • Record disposition workflows
    • Compliance with regulatory requirements (GDPR, HIPAA, SOC 2, etc.)
  • Retention Policies
    • Intelligent retention recommendations
    • Teams, SharePoint and Exchange lifecycle management
    • Adaptive scopes for precise policy application
eDiscovery (Standard and Premium)
  • eDiscovery Premium with AI Enhancements
    • Advanced search with relevance scoring
    • AI-powered review set analytics
    • Predictive coding models
    • Privilege and relevance model integration
    • Cross-workload data correlation
  • eDiscovery Standard
    • Content search and hold capabilities
    • Export with metadata
    • Compliance with legal discovery requirements
Compliance Templates and Assessment

Pre-configured controls for major frameworks (GDPR, NIST, ISO 27001, SOC 2, HIPAA, and more)

  • Microsoft Compliance Manager
    • Continuous regulatory assessment updates
    • AI-powered improvement action recommendations
    • Integration with Defender and Purview signals
    • Automated compliance scoring
    • Modern UI with Copilot-assisted insights
Data Governance
  • Business Process Governance
    • Process mapping and control documentation
    • Automated compliance monitoring
    • Real-time governance dashboards

Licensing Considerations

Many features that are visible in the portals may not be available without proper licensing (E5, E5 Security, E5 Compliance or add-ons):

Feature Availability by License

  • E5 / E5 Security / E5 Compliance: Full access to Defender and Purview advanced features
  • E3 + Add-ons: Subset of capabilities with targeted add-ons
  • AI-Powered Features (Copilot in Defender, advanced eDiscovery, Insider Risk): Requires E5 or premium add-ons
  • Automatic Labeling and Advanced Classification: Requires E5 Compliance or add-on licensing

Critical: Confirm your organization’s licensing before enabling advanced features, as feature availability has expanded significantly with AI-powered capabilities. My recommendation is to:

  1. Get a solid understanding of what services your Microsoft licenses currently include.
  2. Next, identify what other third-party tools you are currently paying for. You might already be paying for Defender for Office 365, but also paying for a third-party email filtering service, which would give you the opportunity to consolidate and cut costs.
  3. While these portals provide a large amount of valuable data, you need to ensure your processes include automation, notifications and investigations for sensitive actions within your tenant(s). All too often, data is compromised within a tenant, but organizations are unaware of such actions taking place until it is too late. Make sure to set up appropriate controls as preventive measures.
  4. Implement eDiscovery and Retention Best Practices
    • Activate retention policies to meet regulatory requirements
    • Use eDiscovery Premium for complex investigations (with AI-powered relevance models)
    • Enable Insider Risk Management for behavioral threat detection
  5. Leverage AI-Powered Recommendations
    • Use Copilot-assisted threat investigations in Defender
    • Enable automated compliance recommendations in Compliance Manager
    • Let AI help with sensitivity label recommendations

Best Practices to Manage Permissions

In Microsoft’s modern security and compliance ecosystem, with Microsoft Entra ID as the identity foundation alongside Microsoft 365 Defender and Microsoft Purview, permissions still function in two layers.

A role group includes a set of multiple permission types that would allow a specific user to perform all their required activities. For example, a Global Reader must be able to view audit logs, act as a Security Reader and access View Only DLP Compliance Management to perform an audit.

A role is a specific level of permissions that a user can be granted (e.g., View-Only Audit Logs, View-Only Device Management, etc.).

Role groups for compliance workloads are now managed in Microsoft Purview → Settings → Roles and Scopes, while security role groups are managed in Microsoft 365 Defender.

My recommendation is to first assign users directly into a role group. Once users are assigned to a role group, they inherit the permissions required to perform their responsibilities.

Given the extensive list of role groups, I have highlighted the most common types you may want to leverage below:

Compliance Administrator: Members can manage compliance configurations, including DLP, records management, retention policies, audit and reporting. This role is now fully managed in Microsoft Purview → Roles and Scopes and supports scoped admin assignments (site-level, label-level, etc.). Includes access to AI-powered compliance recommendations and Copilot-assisted compliance insights.

Data Investigator: Members can perform searches on mailboxes, SharePoint sites and OneDrive accounts. This role now includes access to Advanced Purview eDiscovery (Premium) signal integrations (Defender alerts, Insider Risk indicators). Enhanced search capabilities with AI-powered relevance scoring and cross-workload data correlation.

eDiscovery Manager: Members can perform searches and place holds on mailboxes, SharePoint Online sites and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case and access case data in Advanced eDiscovery.

An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:

  • View all eDiscovery cases in the organization.
  • Manage any eDiscovery case after they add themselves as a member of the case.
  • Access AI-powered review sets with advanced relevance models, predictive coding, and privilege detection.

Update: eDiscovery Premium now includes AI-assisted review workflows, cross-workload signal correlation, and automated compliance recommendations.

Global Reader: Members have read-only access to reports and alerts and can see all the configuration and settings across the security and compliance ecosystem.

Global Reader now includes unified visibility across Microsoft Defender, Purview, and Entra ID with a consolidated dashboard view. Can access:

  • Security alerts and incident summaries.
  • Compliance reports and audit logs.
  • Configuration and policy settings.
  • Copilot-generated threat insights and recommendations.

The primary difference between Global Reader and Security Reader is that a Global Reader can view all configuration settings.

Organization Management: Members can control permissions for accessing features in the Security and Compliance Center, manage device management settings, configure data protection and manage reports and preservation.

This role group now appears as “Organization Management (Legacy)” in many tenants as Microsoft transitions permissions into Purview and Defender role-based models. Users who are not global administrators must be Exchange administrators to manage devices under Basic Mobility and Security for Microsoft 365. Global admins are automatically added to this role group.

Quarantine Administrator: Members can access all Quarantine actions. For more information, see Manage quarantined messages and files as an admin in EOP.

Quarantine controls are now located in Microsoft Defender → Email and Collaboration → Review, with enhanced filtering and bulk release capabilities powered by AI categorization.

Security Administrator: Members have access to several security features of the Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health and Security and Compliance Center.

By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory.

To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see Administrator role permissions in Azure Active Directory. If you edit this role group in the Security and Compliance Center (membership or roles), those changes apply only to the Security and Compliance Center and not to any other services.

This role group includes all of the read-only permissions of the Security reader role, plus many additional administrative permissions for the same services: Azure Information Protection, Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health and Security and Compliance Center.

Note: Role group edits in Microsoft 365 Defender apply only to Defender services.

The full list of role groups can be found here.

Key Takeaways

These two posts on cloud permissions highlight the breadth of administrative options available across Microsoft’s modern security and compliance platform.

We typically see organizations leverage both sets of roles: Microsoft 365 Roles for their IT administrators who manage specific services and Microsoft 365 Security/Compliance roles for those responsible for security or legal functions. These roles are now enhanced with AI-powered and Copilot-enhanced features that make permission management and threat response more intelligent.

  • Microsoft's platform consolidation is largely complete (Defender, Purview, Entra ID)
  • AI-powered features are now integral to security and compliance operations
  • Insider Risk Management and advanced eDiscovery Premium are essential for modern organizations
  • Proper licensing and role assignment are critical to leveraging these capabilities
  • Automation and monitoring are no longer optional; they're essential for threat prevention

Scaling Permissions as Your Organization Grows

A small business will typically provide elevated rights to all Microsoft services to its IT Admins and may not need to touch the Security and Compliance Roles. However, as your company grows, more people will need to manage your Microsoft environment. To assist with this, it is best to segment your permissions by splitting service management among multiple people (and keeping your number of Global Admins to a minimum) and by having different users be responsible for Compliance work, eDiscovery requests, etc. Finally, use Copilot-assisted recommendations to optimize your permission structure.
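One way to check this segmentation against the role groups described earlier, as an added example that is not code from the original post: a PowerShell function that flags crowded privileged role groups and members who hold two role groups meant for different people. The sample rows, the threshold, the conflict pairs and the space-free role-group identifiers are assumptions; confirm the identifiers against `Get-RoleGroup` output in your tenant.

```powershell
# Added example (not from the original post): audit role-group membership.
# Rows below are constructed sample data. In a live tenant, after Connect-IPPSSession:
#   $rows = foreach ($rg in Get-RoleGroup) {
#       Get-RoleGroupMember -Identity $rg.Name | ForEach-Object {
#           [pscustomobject]@{ RoleGroup = $rg.Name; Member = $_.Name } } }
# Role-group identifiers used here are assumed; confirm them with Get-RoleGroup.
function Get-RoleGroupFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,   # objects with RoleGroup and Member
        [string[]] $Privileged = @('OrganizationManagement', 'SecurityAdministrator',
                                   'ComplianceAdministrator'),
        [int] $MaxPrivilegedMembers = 2,           # assumed local policy threshold
        [string[][]] $Conflicts = @(               # assumed pairs that should not share a member
            @('eDiscoveryManager', 'ComplianceAdministrator'),
            @('eDiscoveryManager', 'SecurityAdministrator'))
    )
    $findings = @()
    # Check 1: privileged role groups with more members than policy allows.
    foreach ($g in ($Rows | Group-Object RoleGroup)) {
        $members = @($g.Group.Member | Sort-Object -Unique)
        if ($Privileged -contains $g.Name -and $members.Count -gt $MaxPrivilegedMembers) {
            $findings += [pscustomobject]@{
                Check = 'TooManyMembers'; Subject = $g.Name; Detail = $members -join ', ' }
        }
    }
    # Check 2: one member holding both role groups of a conflicting pair.
    foreach ($m in ($Rows | Group-Object Member)) {
        $groups = @($m.Group.RoleGroup | Sort-Object -Unique)
        foreach ($pair in $Conflicts) {
            if ($groups -contains $pair[0] -and $groups -contains $pair[1]) {
                $findings += [pscustomobject]@{
                    Check = 'ConflictingGroups'; Subject = $m.Name; Detail = $pair -join ' + ' }
            }
        }
    }
    $findings
}

# Constructed sample membership: "RoleGroup,Member"
$rows = @(
    'OrganizationManagement,alice', 'OrganizationManagement,bob', 'OrganizationManagement,carol',
    'ComplianceAdministrator,dave', 'eDiscoveryManager,dave', 'eDiscoveryManager,erin',
    'GlobalReader,frank'
) | ForEach-Object {
    $rg, $member = $_ -split ','
    [pscustomobject]@{ RoleGroup = $rg; Member = $member }
}

Get-RoleGroupFinding -Rows $rows | Format-Table -AutoSize
```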

By following these best practices and leveraging the modern Microsoft security and compliance ecosystem, your organization can achieve comprehensive protection with appropriate role-based access controls.

Authors: Swati Raj and Max Herve
