Office 365 Advanced Security Management gives you insight into suspicious activity in Office 365 so you can investigate situations that are potentially problematic and, if needed, take action to address security issues. Advanced Security Management is powered by Cloud App Security. With Advanced Security Management, you can:
See how your organization's data in Office 365 is accessed and used
Control access to Office 365 data on mobile devices/apps
Define policies that trigger alerts for atypical or suspicious activities
Suspend user accounts exhibiting suspicious activity
Require users to log back in to Office 365 apps after an alert has been triggered
Important: Advanced Security Management is available in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Security Management can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans.
Advanced Security Management features a Cloud Discovery Dashboard and reports, the ability to manage app permissions, policies that you define (with starter templates), and alerts. To access these features, go to the Advanced Security Management portal.
As a global administrator or security administrator for Office 365, go to https://protection.office.com and sign in using your work or school account for Office 365. (This takes you to the Security & Compliance Center.)
In the Security & Compliance Center, choose Alerts > Manage advanced alerts.
(If Advanced Security Management is not yet enabled, you can enable it here.)
Choose Go to Advanced Security Management.
The Cloud Discovery Dashboard, also referred to as Productivity App Discovery, shows information about cloud app usage within your organization.
To get to this dashboard, in the Advanced Security Management portal, go to Discover > Cloud Discovery dashboard.
You can view usage trends, see the top cloud apps in use by your organization, and much more in this dashboard. To learn more, see Review app discovery findings in Advanced Security Management.
You can use your traffic log files from your firewalls and proxies with Advanced Security Management. The more details that are included in those log files, the better visibility you'll have into user activity. You can use log files from Barracuda, Blue Coat, Check Point, Cisco, Clavister, Dell SonicWALL, Fortinet, Juniper, McAfee, Microsoft, Palo Alto, Sophos, Squid, Websense, Zscaler, and more. See Learn about log format requirements and supported data sources.
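As an added illustration (not Microsoft's code, and not how Advanced Security Management itself processes logs), the Python below aggregates per-destination usage from Squid native-format access log lines, the kind of summary a discovery report is built on. The log lines, host names and function names are constructed for this example; entries without an authenticated user can only be attributed to a client IP, which is why more detailed logs give better visibility.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1480000000.101 230 10.0.0.5 TCP_MISS/200 48213 GET http://files.example-storage.test/report.docx alice HIER_DIRECT/203.0.113.10 application/octet-stream
1480000003.412 512 10.0.0.7 TCP_TUNNEL/200 915002 CONNECT files.example-storage.test:443 - HIER_DIRECT/203.0.113.10 -
1480000009.870 120 10.0.0.5 TCP_MISS/200 1320 GET http://chat.example-collab.test/api/poll alice HIER_DIRECT/198.51.100.4 application/json
1480000011.004 98 10.0.0.9 TCP_DENIED/403 3950 CONNECT chat.example-collab.test:443 bob HIER_NONE/- text/html
this line is truncated
"""

def destination_host(method, url):
    """CONNECT entries log host:port; other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def summarize(log_text):
    """Per-destination request count, bytes and distinct users, plus skipped lines."""
    apps = defaultdict(lambda: {"requests": 0, "bytes": 0, "users": set()})
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[4].isdigit():
            skipped += 1  # malformed or truncated line
            continue
        client, action, size, method, url, user = fields[2:8]
        host = destination_host(method, url)
        if not host or action.startswith("TCP_DENIED"):
            skipped += 1  # blocked or unparseable requests are not app usage
            continue
        entry = apps[host]
        entry["requests"] += 1
        entry["bytes"] += int(size)
        # Without proxy authentication the user field is "-": fall back to client IP.
        entry["users"].add(user if user != "-" else f"ip:{client}")
    return dict(apps), skipped

def top_apps(log_text, n=5):
    apps, _ = summarize(log_text)
    return sorted(apps, key=lambda h: apps[h]["bytes"], reverse=True)[:n]

if __name__ == "__main__":
    apps, skipped = summarize(SAMPLE_LOG)
    for host in top_apps(SAMPLE_LOG):
        print(host, apps[host]["bytes"], sorted(apps[host]["users"]))
    print("skipped lines:", skipped)
```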
Save time in defining policies by using one or more templates as a starting point. You can choose from a variety of templates, such as templates to detect general anomalies, users logging in from a risky IP address, or administrator activities from non-corporate IP addresses.
To view/use policy templates, in the Advanced Security Management portal, go to Control > Templates. See .
Alerts can be set up using two types of policies: Anomaly detection policies, which are based on automatic algorithms that detect suspicious activity; and Activity policies, which are defined for different activities that might be atypical for your organization. When you review alerts that have been triggered, you can investigate to learn more details about what was going on. Then, if the activity is still suspicious, you can take action. For example, you can notify a user about an issue, suspend a user from signing in to Office 365, or require a user to sign back in to Office 365 apps.
To learn more about alerts, see: