How to Use Built-In Security for Microsoft 365

Robert Kiss

2/10/2026

General

Learn how to use built-in Microsoft 365 compliance and security tools to strengthen your tenant and prepare for audits.

Microsoft 365 comes with a surprisingly rich set of built-in security and compliance tools, even if you’re “just” on an E3 plan. The problem is, most admins only use a small slice of them. The portals are a bit scattered, the naming changes every few months, and honestly, it’s easy to get lost.

In this how-to guide, we’ll walk step by step through the native Microsoft 365 security and compliance capabilities: how to use them to harden your tenant, improve your security posture, and lay a solid foundation for any Microsoft 365 compliance work or an upcoming M365 security audit.

We’ll stay practical: where to click, what to look at first, and how these pieces fit together if you want to move toward automated M365 compliance checks and structured assessments such as the CIS Microsoft 365 Foundations Benchmark.

Step 1: Get into the Microsoft 365 admin center

Everything starts in the Microsoft 365 admin center. Even if you’re focused on Microsoft 365 compliance or security, this is your main doorway.

Accessing the admin center

1. Open a browser and go to office.com (or office365.com; both redirect to the Microsoft 365 home page), or go straight to https://admin.microsoft.com.
2. Sign in with your admin account.
3. On the left-hand menu (or in the app launcher), click Admin to open the Microsoft 365 admin center.

If you don’t see the Admin entry at all, your account probably doesn’t hold an admin role (you might be a regular user, or have only a limited admin role that doesn’t surface the admin center). In that case, work with a Global Administrator to get an appropriate role. For day-to-day review work, ask for a scoped role such as Global Reader, Security Reader or Security Administrator rather than Global Administrator; least privilege applies to the people running the audit as much as to everyone else.

Why the admin center matters for security

Inside the admin center, click Show all in the left navigation. This expands into a list of specialized admin centers, including:

  • Security
  • Compliance
  • Microsoft Entra ID (formerly Azure Active Directory)
  • Exchange, SharePoint, etc.

From a Microsoft 365 compliance and security perspective, these are the key reasons the admin center matters:

  • It’s where you manage identities and access (users, groups, roles) – the foundation of any M365 security assessment.
  • It’s your jumping-off point to the Microsoft Defender portal (formerly Microsoft 365 Defender) and the Microsoft Purview portal.
  • It shows service health and licensing, which determine which security and compliance features you can actually use.

Many organizations skip straight to individual portals and forget the admin center as the “map.” Don’t. When you’re preparing for an M365 security audit, being able to quickly show where each security feature is configured across your tenant makes the conversation much smoother.

Step 2: Use the Microsoft Defender portal to understand your security posture

Next, let’s move into the Microsoft Defender portal (the portal formerly branded Microsoft 365 Defender). Even with an E3 subscription, you’ll see useful information about your environment’s security score and risks.

Opening the Security / Defender portal

From the Microsoft 365 admin center:

1. Click Show all in the left menu.
2. Select Security.

This opens the Microsoft Defender portal. Depending on licensing, some advanced features will be greyed out, but you should still see:

  • Microsoft Secure Score (available on every plan)
  • Threat & vulnerability information (this is Microsoft Defender Vulnerability Management, which needs Defender for Endpoint licensing; E5 includes it, E3 on its own does not)
  • Alerts and incidents (populated by whichever Defender plans you own)

Secure Score is particularly important if you’re building toward Microsoft 365 compliance automation or just want a more systematic M365 security assessment.

Using Secure Score for practical improvements

Secure Score gives you a percentage-based metric of how well your tenant is configured according to Microsoft’s recommended security controls.

Here’s how to use it effectively:

1. Review your overall score – This becomes your baseline for internal reporting and for any future M365 security audit prep. Record the date, the score and the maximum together: Secure Score is recalculated daily, and the points available change whenever Microsoft adds or retires a recommendation, so a bare percentage from six months ago is not comparable with today’s.
2. Open improvement actions – Each recommendation tells you:

  • What to enable or change (e.g., enable MFA for all users)
  • How many points you gain by implementing it
  • Implementation details and sometimes direct links to the relevant settings

3. Prioritize quick wins – Focus first on actions that:

  • Have a high impact (lots of points)
  • Are low friction for your users (e.g., admin-only changes, logging, basic hardening)

For example, enabling modern authentication, blocking legacy authentication protocols, or requiring MFA for admins are often fast changes with a big impact on your M365 security audit readiness. Blocking legacy authentication with Conditional Access is still worth doing even though Microsoft has retired Basic authentication for most Exchange Online protocols on the service side: the policy gives you a tenant-wide, auditable control instead of a default that Microsoft controls.

Secure Score is not a CIS Microsoft 365 Foundations Benchmark assessment by itself: it only counts what Microsoft can measure, weights actions by Microsoft’s priorities, and knows nothing about compensating controls you run elsewhere. It is, however, an excellent early indicator that your configuration is at least broadly aligned with good practice.
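As an added example (this is not code from the original article or from ConfigCobra), here is the same triage done with Microsoft Graph PowerShell instead of clicking through the portal: it reads the newest Secure Score snapshot, joins each control score to its control profile, works out how many points are still available per improvement action, and lists the “quick wins” with low user impact first. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the SecurityEvents.Read.All permission; the CSV file name is my own choice.

```powershell
# Added example (not part of the original article): triage Secure Score
# improvement actions with Microsoft Graph PowerShell.
# Assumes: the Microsoft.Graph SDK is installed (Install-Module Microsoft.Graph)
# and the signed-in account can consent to SecurityEvents.Read.All.
Connect-MgGraph -Scopes 'SecurityEvents.Read.All' -NoWelcome

# Graph keeps roughly 90 daily snapshots; the newest one is the baseline.
$latest = Get-MgSecuritySecureScore -All |
    Sort-Object CreatedDateTime -Descending | Select-Object -First 1
$pct = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
'Secure Score {0}/{1} ({2}%) as of {3:u}' -f $latest.CurrentScore, $latest.MaxScore, $pct, $latest.CreatedDateTime

# Control profiles describe each improvement action: max points,
# user impact, implementation cost and remediation text.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All |
    Where-Object { -not $_.Deprecated } |
    ForEach-Object { $profiles[$_.Id] = $_ }

# Join the per-control scores in the snapshot to their profiles and
# compute the points still on the table for each action.
$gaps = foreach ($cs in $latest.ControlScores) {
    $p = $profiles[$cs.ControlName]
    if (-not $p) { continue }                  # deprecated or unknown control
    $gain = [double]$p.MaxScore - [double]$cs.Score
    if ($gain -le 0) { continue }              # already fully implemented
    [pscustomobject]@{
        Control    = $p.Title
        Category   = $cs.ControlCategory
        PointsLeft = [math]::Round($gain, 1)
        UserImpact = $p.UserImpact
        Cost       = $p.ImplementationCost
        ControlId  = $p.Id
    }
}

# Quick wins: the most points available among actions with low user impact.
$gaps | Where-Object UserImpact -eq 'Low' |
    Sort-Object PointsLeft -Descending |
    Select-Object -First 15 |
    Format-Table Control, Category, PointsLeft, Cost -AutoSize

# Keep the full list as evidence for audit prep and trend reporting.
$gaps | Sort-Object PointsLeft -Descending |
    Export-Csv -Path ".\securescore-gaps-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it on a schedule and diff the CSVs: a control that drops back into the list after you had implemented it is configuration drift, which is exactly what an auditor will ask you to explain.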

Step 3: Navigate the Microsoft 365 compliance (Purview) portal

Security is one side of the puzzle; compliance and data governance are the other. In Microsoft 365, this mostly lives in the Microsoft Purview portal (formerly the Microsoft 365 compliance center).

Opening the compliance center and switching to the new portal

From office.com or the admin center:

1. Select Compliance (sometimes labeled Microsoft Purview).
2. You may land on an older-style portal first – if you see a banner about the portal being retired, click Go to new portal.

This brings you into the newer Microsoft Purview experience, which is where most modern Microsoft 365 compliance features live.

On the main page, click View all solutions. This is where people often get surprised – there are a lot of tiles and apps here:

  • Data lifecycle management / Records management
  • Information protection & sensitivity labels
  • Audit
  • Insider risk management
  • Compliance Manager
  • Privacy (Priva)

Some capabilities require additional licensing (often E5 or add-ons), but even on E3 you can access a decent set of tools that help build your M365 compliance checklist.

Key areas to explore for audits and governance

A few core capabilities matter for most organizations:

1. Audit

  • Lets you search the unified audit log for user and admin activities across Exchange, SharePoint, Teams, Entra ID and the other workloads.
  • Critical for Microsoft 365 audit preparation and incident investigation.
  • You can show auditors concrete evidence of who did what, where, and when.
  • Check the retention window before you promise anything to an auditor: Audit (Standard), which is what E3 includes, keeps records for 180 days; Audit (Premium), included with E5, keeps them for one year by default. If you need evidence older than that, export the log on a schedule or forward it to a SIEM.

2. Records management & retention

  • Configure retention policies and retention labels to control how long data is kept or deleted.
  • Supports legal, regulatory, and internal policy requirements.
  • Practical for aligning with standards like ISO 27001 or SOC 2 that expect formal data lifecycle control.

3. Compliance Manager

  • Gives you a structured view of your compliance posture against selected standards and regulations.
  • You can choose templates that align (roughly) with frameworks like GDPR, ISO 27001, and more.
  • It breaks requirements down into controls with detailed implementation guidance and status.

Compliance Manager isn’t the same as a CIS Microsoft 365 Foundations Benchmark implementation, but in my experience it pushes you toward similar behaviors: consistent configuration, documented controls, and traceability.

This is where teams start asking about Microsoft 365 compliance automation tools – because manually tracking all of this across 100+ controls quickly gets messy.
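The Audit and Records management & retention items above are the two places auditors most often want exported evidence from. As an added example (not code from the original article or from ConfigCobra), the script below collects both with PowerShell: it pages through the unified audit log for the operations that matter most in an audit or an incident (role changes, inbox rules, mailbox forwarding and delegation), flattens the JSON payload into a CSV, then lists every retention policy with its rules and creates a baseline policy if nothing covers mail and SharePoint yet. It assumes the ExchangeOnlineManagement module is installed and that your account has an Exchange role that includes audit log search (for example View-Only Audit Logs) plus the Retention Management role group in Purview; the policy name, the 2555-day duration and the file names are my own choices, not defaults.

```powershell
# Added example (not part of the original article): gather audit evidence from
# the unified audit log and the retention policies in Purview.
# Assumes: ExchangeOnlineManagement module; an account with audit log search
# rights (e.g. View-Only Audit Logs) and the Retention Management role group.
Connect-ExchangeOnline -ShowBanner:$false   # Exchange Online: audit log search
Connect-IPPSSession                          # Security & Compliance: retention cmdlets

# --- 1. Unified audit log: who did what, when --------------------------------
# Searches return nothing if ingestion is off, so check that first.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit logging is off: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

# Operations auditors and incident responders usually ask about.
$operations = @(
    'Add member to role.', 'Remove member from role.',   # Entra ID role changes
    'New-InboxRule', 'Set-InboxRule',                    # rules that forward or hide mail
    'Set-Mailbox', 'Add-MailboxPermission'               # forwarding and delegation
)
$end = Get-Date; $start = $end.AddDays(-30)   # Audit (Standard) keeps 180 days on E3

# One call returns at most 5000 records; SessionId/SessionCommand page the rest.
$sessionId = "evidence-$(Get-Date -Format yyyyMMddHHmmss)"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $operations `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page -and @($page).Count -eq 5000)

# AuditData is a JSON blob; flatten the fields that make usable evidence.
$evidence = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $r.CreationDate
        Actor      = $r.UserIds
        Operation  = $r.Operations
        RecordType = $r.RecordType
        Target     = if ($d.ObjectId) { $d.ObjectId } else { @($d.Target.ID) -join ',' }
        ClientIP   = $d.ClientIP
        Parameters = @($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}
$evidence | Sort-Object When -Descending | Export-Csv '.\audit-evidence.csv' -NoTypeInformation
"$(@($evidence).Count) audit records exported"

# --- 2. Retention: show that a policy exists and what it does ----------------
$policies = Get-RetentionCompliancePolicy -DistributionDetail
$retention = foreach ($pol in $policies) {
    foreach ($rule in (Get-RetentionComplianceRule -Policy $pol.Name)) {
        [pscustomobject]@{
            Policy     = $pol.Name
            Enabled    = $pol.Enabled
            Exchange   = ($pol.ExchangeLocation -join ',')
            SharePoint = ($pol.SharePointLocation -join ',')
            Days       = $rule.RetentionDuration
            Action     = $rule.RetentionComplianceAction
            Status     = $pol.DistributionStatus
        }
    }
}
$retention | Format-Table -AutoSize
$retention | Export-Csv '.\retention-evidence.csv' -NoTypeInformation

# If nothing enabled covers mail and SharePoint, create a 7-year keep-then-delete
# baseline (hypothetical name; the duration is a policy decision, not a default).
if (-not ($retention | Where-Object { $_.Enabled -and $_.Exchange -and $_.SharePoint })) {
    New-RetentionCompliancePolicy -Name 'Baseline-Keep-7y' -ExchangeLocation All -SharePointLocation All | Out-Null
    New-RetentionComplianceRule -Name 'Baseline-Keep-7y-Rule' -Policy 'Baseline-Keep-7y' `
        -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete `
        -ExpirationDateOption ModificationAgeInDays | Out-Null
    'Created Baseline-Keep-7y (Exchange + SharePoint, 2555 days, KeepAndDelete)'
}
```

The audit search deliberately starts from the ingestion check: the most common reason an evidence request comes back empty is that nobody ever turned the unified audit log on, and that is itself a finding.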

Step 4: Understand identity, access, and privacy: Entra and Priva

So far we’ve covered the admin center, Defender, and Purview. Two other key components you’ll bump into are Entra (identity and access) and Priva (privacy).

Entra (formerly Azure AD) for identity and access

Within the portals you’ve already opened, you’ll often see links to Microsoft Entra. Microsoft Entra ID is the new name for Azure Active Directory; the wider Entra product family adds identity governance and related capabilities on top of it. Conditional Access needs an Entra ID P1 licence (included in E3); Privileged Identity Management and access reviews need P2 (included in E5).

Key areas relevant to an M365 security assessment:

  • User and group access – Who can access what, in which apps.
  • Conditional Access – Policies like “require MFA when outside our country” or “block legacy authentication.” Create new policies in report-only mode first and always exclude a break-glass (emergency access) group, so one mistake cannot lock every admin out.
  • Privileged Identity Management and identity governance – For tighter control over privileged roles (just-in-time activation, approval) and periodic access reviews.

From an audit perspective, Entra settings answer questions like:

  • How do you enforce strong authentication?
  • How do you manage administrative roles and least privilege?
  • How do you control external and guest access?

These are the classic questions in any Microsoft 365 security audit.
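As an added example (not code from the original article or from ConfigCobra), here are the two Conditional Access policies named above, created through Microsoft Graph PowerShell in report-only mode so you can watch the sign-in logs before enforcing anything. It assumes the Microsoft.Graph SDK, an Entra ID P1 licence, and an existing break-glass group whose display name you put in $BreakGlassGroupName; the group name, the policy names and the list of admin roles are my own assumptions. Role IDs are resolved from the directory role templates at run time rather than hard-coded.

```powershell
# Added example (not part of the original article): create the "block legacy
# authentication" and "require MFA for admins" policies in report-only mode.
# Assumes: Microsoft.Graph SDK installed; Entra ID P1; a break-glass group exists.
$BreakGlassGroupName = 'SEC-BreakGlass-Accounts'   # assumption: use your own group name
$scopes = 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All', 'Directory.Read.All'
Connect-MgGraph -Scopes $scopes -NoWelcome

# Never lock yourself out: every policy excludes the emergency-access group.
$breakGlass = Get-MgGroup -Filter "displayName eq '$BreakGlassGroupName'"
if (-not $breakGlass) { throw "Break-glass group '$BreakGlassGroupName' not found; create it first." }

# Resolve admin role template IDs by name instead of hard-coding GUIDs.
$adminRoleNames = 'Global Administrator', 'Security Administrator', 'Exchange Administrator',
                  'SharePoint Administrator', 'Conditional Access Administrator'
$adminRoleIds = @(Get-MgDirectoryRoleTemplate -All |
    Where-Object DisplayName -in $adminRoleNames | Select-Object -ExpandProperty Id)

# Policy 1: block clients that use legacy protocols and therefore cannot do MFA.
$blockLegacy = @{
    displayName = 'CA001 - Block legacy authentication (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')   # the legacy client types
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: require MFA whenever a member of a privileged directory role signs in.
$adminMfa = @{
    displayName = 'CA002 - Require MFA for admin roles (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeRoles = $adminRoleIds; excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Idempotent: skip any policy that already exists under the same name.
$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($body in $blockLegacy, $adminMfa) {
    if ($existing | Where-Object DisplayName -eq $body.displayName) {
        "Skipping, already exists: $($body.displayName)"; continue
    }
    $p = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    "Created $($p.DisplayName) [$($p.Id)] in state $($p.State)"
}
# After a week or two of clean report-only results in the sign-in logs, switch
# the state to 'enabled' with Update-MgIdentityConditionalAccessPolicy.
```

Report-only mode is the check an auditor will appreciate most: it gives you sign-in log evidence that the policy would not have blocked anyone legitimate before you turned it on.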

Priva and the Service Trust Portal for privacy and inherited controls

In the Purview area, you may also see Priva, which focuses on:

  • Identifying and managing personal data (PII)
  • Supporting privacy risk management

Depending on your licensing, Priva can help you get more visibility into who is accessing personal data and where it lives, which is increasingly important for regulations like GDPR.

Another often overlooked resource is the Microsoft Service Trust Portal:

  • It provides formal documentation about Microsoft’s own compliance, security controls, and certifications for Microsoft 365 and Azure.
  • You can access documents for frameworks like FedRAMP, ISO, SOC reports, and more.
  • These “inherited controls” are very useful during audit prep – you can show that certain physical, infrastructure, or platform controls are handled by Microsoft rather than your internal team.

This is crucial when you want to align your Microsoft 365 compliance posture with external frameworks. Instead of reinventing the wheel, you inherit what Microsoft already implements and focus on what you actually configure in your tenant. Remember that the shared-responsibility line does not move: Microsoft’s certifications cover the platform, not your tenant configuration, identities or data handling.

Step 5: Move toward automated Microsoft 365 compliance

Once you’ve explored the portals, a natural next step is to make this repeatable. Nobody wants to manually click around 50 screens before every audit or board report.

Why automation matters for CIS and multi-framework audits

If you’re aiming at something more robust – like aligning with the CIS Microsoft 365 Foundations Benchmark, SOC 2, ISO/IEC 27001, or NIST CSF – you’ll quickly find that:

  • There are dozens to hundreds of configuration points to track.
  • Settings change over time (sometimes by accident, sometimes because of new features).
  • You may have multiple admins, multiple sites, and multiple tenants making changes.

This is where automated M365 compliance assessment becomes less of a “nice to have” and more of a survival requirement.

The CIS Microsoft 365 Foundations Benchmark alone defines 129 controls. Doing a one-off m365 security audit against those is tough. Doing it quarterly or continuously without automation is, frankly, unrealistic in most organizations.

So, a reasonable path is:

1. Use Microsoft’s built-in portals (Defender, Purview, Entra) to set your baseline.
2. Decide which external frameworks really apply to you – CIS, NIS2, ISO 27001, HIPAA, PCI DSS, etc.
3. Layer specialized automation on top that can:

  • Continuously check your tenant against those benchmarks
  • Alert you to configuration drift
  • Produce audit-ready reports instead of screenshots.
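To make the three-step path concrete, here is an added example of what “continuously check” and “alert on drift” look like at the smallest useful scale. It is not code from the original article or from ConfigCobra: the script snapshots a handful of tenant settings through Microsoft Graph and Exchange Online, compares them with a baseline JSON file saved on an earlier run, reports anything that changed, and exits non-zero so a scheduled task or pipeline can raise an alert. The checks are illustrative of the kind of settings benchmarks such as CIS cover (Global Administrator count, security defaults or enforced Conditional Access, unified audit logging, modern authentication); they are not numbered CIS controls. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and read-only rights; the baseline path is a hypothetical default.

```powershell
# Added example (not part of the original article, not ConfigCobra's code):
# a minimal configuration drift check for a Microsoft 365 tenant.
# Assumes: Microsoft.Graph and ExchangeOnlineManagement modules; read-only rights.
param(
    [string]$BaselinePath = '.\m365-baseline.json',   # hypothetical default path
    [switch]$UpdateBaseline
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

function Get-TenantSnapshot {
    # Permanent Global Administrator members only; PIM-eligible assignments are not counted here.
    $gaRole     = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
    $gaMembers  = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
    $caPolicies = Get-MgIdentityConditionalAccessPolicy -All
    $secDefault = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $auditCfg   = Get-AdminAuditLogConfig
    $orgCfg     = Get-OrganizationConfig

    [ordered]@{
        GlobalAdminCount        = $gaMembers.Count
        GlobalAdminIds          = @($gaMembers.Id | Sort-Object)
        SecurityDefaultsEnabled = [bool]$secDefault.IsEnabled
        EnabledCaPolicies       = @($caPolicies | Where-Object State -eq 'enabled' |
                                    Select-Object -ExpandProperty DisplayName | Sort-Object)
        ReportOnlyCaPolicies    = @($caPolicies | Where-Object State -eq 'enabledForReportingButNotEnforced' |
                                    Select-Object -ExpandProperty DisplayName | Sort-Object)
        UnifiedAuditLogEnabled  = [bool]$auditCfg.UnifiedAuditLogIngestionEnabled
        ModernAuthEnabled       = [bool]$orgCfg.OAuth2ClientProfileEnabled
    }
}

$now = Get-TenantSnapshot

# First run (or explicit refresh): store the current state as the baseline.
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $now | ConvertTo-Json -Depth 5 | Set-Content $BaselinePath
    "Baseline written to $BaselinePath"; return
}

# Drift: any setting whose value differs from the baseline.
$base  = Get-Content $BaselinePath -Raw | ConvertFrom-Json
$drift = foreach ($key in $now.Keys) {
    $before = @($base.$key) -join ','
    $after  = @($now[$key])  -join ','
    if ($before -ne $after) {
        [pscustomobject]@{ Setting = $key; Baseline = $before; Current = $after }
    }
}

# Posture checks that hold regardless of the baseline (common benchmark recommendations).
$findings = @()
if ($now.GlobalAdminCount -lt 2 -or $now.GlobalAdminCount -gt 4) {
    $findings += "Global Administrator count is $($now.GlobalAdminCount); keep between 2 and 4"
}
if (-not $now.UnifiedAuditLogEnabled) { $findings += 'Unified audit log ingestion is disabled' }
if (-not $now.ModernAuthEnabled)      { $findings += 'Modern authentication (OAuth2) is disabled in Exchange Online' }
if (-not $now.SecurityDefaultsEnabled -and $now.EnabledCaPolicies.Count -eq 0) {
    $findings += 'Neither security defaults nor any enforced Conditional Access policy is active'
}

if ($drift)    { 'Configuration drift since baseline:'; $drift | Format-Table -AutoSize } else { 'No drift since baseline.' }
if ($findings) { 'Findings:'; $findings | ForEach-Object { " - $_" } }

# Non-zero exit lets a scheduled task or CI job alert on drift or findings.
exit ([int]((@($drift).Count + $findings.Count) -gt 0))
```

Once a script like this runs daily, the baseline file becomes the artefact you hand to auditors: it shows the intended state, and the job history shows every deviation and when it was noticed.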

Example: Automating CIS-based Microsoft 365 compliance with ConfigCobra

One practical example of this kind of automation is ConfigCobra, which is focused purely on automated cloud compliance for Microsoft 365.

It’s designed for teams that want a structured, repeatable way to:

  • Continuously assess Microsoft 365 against the CIS Microsoft 365 Foundations Benchmark (129 controls, Level 1 and Level 2 profiles).
  • Run scheduled assessments (daily, weekly, monthly) instead of ad-hoc checks.
  • Detect configuration drift when settings silently change over time.
  • Map CIS controls to multiple standards – NIS2, HIPAA, PCI DSS, ISO/IEC 27001, NIST CSF, and others.
  • Generate PDF reports with evidence and remediation guidance that are ready to hand to auditors.
  • Support collaboration via role-based access control so security, IT, and compliance teams can all work from the same view.

If you’re trying to become or stay aligned with the CIS Microsoft 365 Foundations Benchmark, a tool like this essentially turns the benchmark from a static PDF into a living, automated checklist. It doesn’t replace the Microsoft portals we walked through, but it connects the dots and keeps everything monitored.

You can explore ConfigCobra, including its Free Trial and paid plans, here: https://configcobra.com/compliance

Microsoft 365 actually gives you a solid foundation for security and compliance — but only if you know where to look and how to tie the tools together.

You start in the Microsoft 365 admin center to get your bearings. From there, use the Microsoft Defender portal to understand your Secure Score and tighten identity and access controls. Move into the Purview portal to manage audit logs, records, retention, and overall compliance posture. Round that out with Entra for identity governance, Priva for privacy, and the Service Trust Portal to leverage inherited Microsoft controls during audits.

Once that baseline is in place, the next logical step is to reduce manual effort and push toward Microsoft 365 compliance automation. That’s where an automated M365 compliance assessment approach, especially one aligned to the CIS Microsoft 365 Foundations Benchmark, can make a big difference.

If you’re currently wrestling with spreadsheets and screenshots to prepare for audits, it’s worth looking at a specialized tool like ConfigCobra that continuously checks your tenant against CIS controls, detects drift, and produces audit-ready reports: https://configcobra.com/compliance

Taking a few hours now to structure your use of these built-in tools — and then automating the repetitive checks — will pay off every time you’re asked, “How secure and compliant is our Microsoft 365 environment, really?”
