What's new in Microsoft 365 compliance

Whether it be adding new solutions to the Microsoft 365 compliance center, updating existing features based on your feedback, or rolling out fresh and updated documentation, Microsoft 365 helps you stay on top of the ever-changing compliance landscape. Take a look below to see what’s new in Microsoft 365 compliance today.

Note

Some compliance features get rolled out at different speeds to our customers. If you aren't seeing a feature yet, try adding yourself to targeted release.

Tip

Interested in what's going on in other admin centers? Check out these articles:

And visit the Microsoft 365 Roadmap to learn about Microsoft 365 features that were launched, are rolling out, are in development, have been cancelled, or previously released.

September 2021

App governance

Auditing

  • Turn auditing on or off: added a new section about how changes to the auditing status in an organization are themselves audited. Audit records are logged when auditing is turned on or turned off, and you can search the Exchange admin audit log for these records.

Communication compliance

Compliance offerings

Compliance & service assurance

  • Service assurance: quarterly review content updates for certifications and statements of applicability
    • Data-bearing device destruction
    • DDOS attacks

Data connectors

eDiscovery

  • Use the KQL editor to build search queries: public preview of a new way to create search queries in Content search, Core eDiscovery, and Advanced eDiscovery. The KQL editor provides autocompletion for supported searchable properties and conditions and displays lists of supported values for standard properties and conditions. It also provides error detection and suggestions for fixes of potential errors in search queries.

Information barriers

Insider risk management

Retention and records management

  • Multi-staged disposition review is now generally available (GA), with new auditing events. Multi-staged disposition review lets you specify up to five consecutive stages of disposition review for a retention label, and reviewers can add other users to their disposition review stage. You can also customize the email notifications and reminders.
  • Private channels for Teams retention policies is now generally available (GA).

Sensitivity labels

  • Co-authoring and AutoSave is now generally available (GA) for Windows (minimum version of 2107 from Current Channel or Monthly Enterprise Channel) and macOS (minimum version of 16.51).
  • Rolling out for Office apps that use built-in labels: The default label setting now supports existing documents as well as new documents. This change in behavior provides parity with the Azure Information Protection unified labeling client. For more information about the rollout per app and minimum versions, see the capabilities table for Word, Excel, and PowerPoint.
  • Container labels now support default sharing link settings by using PowerShell advanced settings.
  • The capabilities tables that list the minimum supported versions for built-in labeling now have versions for Current Channel, the Monthly Enterprise Channel, and the Semi-Annual Enterprise Channel.

August 2021

App governance

Communication compliance

Compliance & service assurance

  • Service assurance has been updated with quarterly review content updates for certifications and statements of applicability:
    • Architecture
    • Audit logging
    • Encryption and key management
    • Identity and access management
    • Microsoft 365 access management
    • Network security
    • Privacy
    • Resiliency and continuity
    • Risk management
    • Security development and operation
    • Security monitoring
    • Supplier management
    • Vulnerability management

Data Loss Prevention

Insider risk management

Retention and records management

Sensitivity labels

  • Enhancements to auto-labeling policies that include higher supported numbers for sites and policies, support for all OneDrive and SharePoint sites and the ability to select available SharePoint sites instead of having to enter each site by URL, and simulation improvements.
  • Auto-labeling in Office apps as a sensitivity label setting now supports Exact Data Match (EDM).
  • Default labels are now extended to Power BI (in preview).
  • Auditing events for Outlook on the web that surface in activity explorer are now fully rolled out, which means that user activity for built-in labels is now available for all Office apps across all platforms.
  • The supported capabilities tables have a new footnote for Windows to clarify that the minimum versions are for the Current Channel, and a tip to more easily compare older versions that omit leading zeros against newer versions.

July 2021

Advanced eDiscovery

App governance

  • The app governance add-on for Microsoft Cloud App Security (MCAS) has gone into public preview. App governance provides monitoring of OAuth-based apps in your M365 tenant and generates alerts for activity that might represent malware or inappropriate levels of permissions.

Compliance offerings

Compliance & service assurance

  • Service assurance (updated; quarterly review content updates for certifications and statements of applicability)
    • Cloud background checks
    • Employee transfer & termination
    • Governance
    • Human resources
    • Incident management
    • Pre-employment screening
    • Security incident management (SIM)
    • SIM – Containment, eradication, and recovery
    • SIM – Detection & analysis
    • SIM – Post-incident reporting
    • SIM – Preparation
    • Tenant isolation

Data classification

Data loss prevention

Insider risk management

Privacy management

  • Microsoft privacy management has gone into public preview. Privacy management helps your organization understand and manage the personal data in your Microsoft 365 environment, remediate potential privacy risks, and fulfill subject rights requests.

Retention and records management

  • In preview: Retention policies for Teams now support private channels as a new Teams location when you create or edit a retention policy.
  • Instructions for importing a file plan are updated to include regulatory records, and dependencies are now listed for each entry.

Sensitive information types

The following pages were added:

Sensitivity labels

June 2021

Customer Key

Data connectors

eDiscovery

Sensitivity labels

  • The sensitivity label policy wizard now supports Outlook-specific options for default label and mandatory labeling as an easier configuration than the (still supported) PowerShell advanced settings.
  • Support for dynamic markings with variables is now rolling out for Word, Excel, and PowerPoint on the web.
  • For auto-labeling policies for Exchange, if the label is configured for encryption, that encryption isn't applied. Additionally for Exchange auto-labeling policies, you can now configure exceptions and the following new conditions: subject, recipient address, or sender address matches patterns; recipient address contains words; sender domain is; recipient is a member of; sender is.
  • When you use sensitivity labels with teams, groups, and sites, you can use Set-SPOTenant with the BlockSendLabelMismatchEmail parameter to prevent the automatically generated email when the audit event Detected document sensitivity mismatch is logged. For more information, see Auditing sensitivity label activities.
  • The authentication context setting is now fully rolled out in preview for sensitivity labels. Additionally, this configuration is now supported by Microsoft Teams.
  • Files that are labeled and encrypted by a service principal name (such as Microsoft Cloud App Security) and then uploaded to SharePoint and OneDrive can now be opened in Office for the web when you've enabled sensitivity labels for Office files in SharePoint and OneDrive.
  • Co-authoring and AutoSave is no longer restricted to test tenants and now supported in production when you use version 2105: June 18 for Windows, and version 16.50+ for macOS. Note that this feature is still not supported by iOS and Android, and remains in preview.

May 2021

Data Loss Prevention

Retention and records management

  • If you release a retention policy from a SharePoint site or OneDrive account, you no longer have to wait the 30-day grace period before you can delete the site or account. A popular request by customers, this change is now complete for all tenants.
  • In preview, multi-stage disposition review: An administrator can now add up to five consecutive stages of disposition review for a retention label, and reviewers can add other users to their disposition review stage. You can also customize the email notifications and reminders.

Sensitive Information Types

Sensitivity labels

  • In preview, a new setting for authentication context is now available when you configure a sensitivity label for groups and sites. This option works in conjunction with Azure AD Conditional Access policies to enforce more stringent conditions when users access SharePoint sites that have the label applied. Make sure you read the dependencies and limitations before you configure this setting.
  • Auto-labeling policies that are configured just for Exchange now support sensitivity labels that apply encryption with Let users assign permissions for the Do Not Forward or Encrypt-Only options.
  • Mandatory labeling is now generally available for all Office apps, across all platforms.

April 2021

Advanced eDiscovery

  • Limits in Advanced eDiscovery. Organizations can now export up to 5 million items or 500 MB, whichever is smaller, in a single export of items from a review set.

Data Classification

Data connectors

Data Loss Prevention

Retention policies and retention label policies

  • The Microsoft 365 Groups location now supports applying the retention settings to just Microsoft 365 mailboxes or just the connected SharePoint sites by using the Set-RetentionCompliancePolicy PowerShell cmdlet with the Applications parameter.

Sensitivity labels

Outlook releases and updates: