Compliance Examined
Engineers are always under pressure to streamline processes by their managers, by their organization and incidentally by outside pressures and malicious actors. The use of scripting via small chunks of code or larger pre-coded scripts are ways that these same engineers automate tasks. Reporting efforts are a must for relieving those pressures and Microsoft engineers have resources in the form of PowerShell modules to do this. For Microsoft’s Purview workload, a script called Configuration Analyzer for Microsoft Purview, or CAMP, which was previously known as Microsoft Compliance Configuration Analyzer, or MCCA.
What makes the script useful is that it is a one-stop shop of analysis where engineers can look at a wholistic picture of the Purview configuration, choose a regional basis for the report or trim down which portions of Purview they need to report one. Government Cloud breakdowns for DoD and GCC High are also available options. Breaking down the list, we have the following sections to analyze:
- Data Loss Prevention
- Information Protection
- Information Governance
- Records Management
- Communication Compliance
- Insider Risk Management
- Audit
- eDiscovery
Each of these areas also have sub-categories which are analyzed, for example, eDiscovery analyzes both Core eDiscovery and Advanced eDiscovery and creates separate recommendations for each sub feature of eDiscovery.
For engineers that may be new to the Compliance aspect of Microsoft 365, the guidance will be a good place to start. However, any guidance should be taken with a grain of salt as your organization may have different priorities, requirements and or standard for Compliance and taken actions recommended in this report does not guarantee compliance.
Required Permissions
The CAMP Report cmdlet requires a varied set of permissions because it does delve into quite a few areas of an organizations Microsoft 365 tenant and while it would be nice to have Global Reader permissions be enough, it is not. So make sure to refer to the table on the documentation – a full report will require the Compliance Admin or Global Admin roles. Otherwise, we lack Communication Compliance, Auditing and eDiscovery queries.
PowerShell Modules Required
Exchange Online PowerShell v3 (version 3.3.0)
Getting Started
Before we get into how to generate a report, we need to make sure to install the CAMP module and import it into our PowerShell session.
Running a Report
First install the module:
Install-Module CAMPImport the Module
Import-Module CampWe can also update the module if your version has grown stale:
Update-Module Camp
Default Run
Get-CampReport will prompt for a username, then prompt to login that user and once that completes, run its analysis resulting in an HTML file for output:
Additional Options
The Get-CAMPReport cmdlet has some additional parameters that can be chosen to either limit the scope of the analysis or target specific Geo locations. The GitHub for this module provides charts to help choose the Geo's and Solutions listed below.
Geo: Allows the selection of a region of the world in case there are region specific considerations such as Sensitive Information Types. For example, if we wish to include France, Switzerland and the UK into the scan, we add this to the Get-CampReport line:
-Geo @(5,12,14)
At the end of the script, the report regional analysis is reported:
As well as in the report itself:
Solution: Choose which part or parts of the CAMP report you wish to run. Use the list from the help page to determine which numbers to select. For example, if we only have Global Reader rights, we choose all the other options:
-Solution @(1,2,3,4,6)
Report Generation
Final report (Summary is short due to the selections):
ExchangeEnvironmentName: Allows the script to perform an analysis based on the type of Exchange environment with valid values of O365Default, O365USGovDoD and O365USGovGCCHigh.
In addition to these parameters, we also have two available switches:
NoVersionCheck: Self-explanatory as the script will not look to see if it is the latest version.
TurnDataCollectionOff: Microsoft by default collects data each time a CAMP Report is generated and adding this switch turns off data collection.
Additionally, there is a Collection parameter that is for Microsoft Internal use only.
Benefits to Administrators
This script is written by Microsoft engineers and advice provided is from the ‘horse’s mouth’ which is a desired product for organizations. The resulting HTML report can be used for high level analysis by managers and directors, while the rest of the report can be used by IT/Engineers with its descriptive information and there are different alert levels: OK, Information and Improvement. Let’s break these down with a sample report.
Take for example, in the below screenshot, Communication Compliance:
We see that there are three alerts, two for improvement and one for a followed best practice. Expanding each improvement provides the Action Item, what action needs to be taken as well as links to documentation and to Communication Compliance in the Purview Compliance portal.
The ‘OK’ is an indicator that a tenant is configured per Microsoft’s own advice for a tenant and also contains links to Microsoft Learn documentation as well as the referenced configuration in the Purview Compliance portal.
Or perhaps the report provides a Recommendation for action, shown in gray:
Breaking down the Recommendation fort Compliance Manager we are given somewhat generic advice to use the Compliance Manager in our tenant and we are also provided with relevant links to resources for a QuickStart Guide, learning about the product as well as a direct link to the Compliance Manager. The value here would be for those that are new to this product.
Feedback
Microsoft provides three to provide feedback on this PowerShell Module, with the first located at the upper right of the Report’s output HTML file:
The second is to go to the GitHub for the module and make comments, provide feedback and make requests. Make sure to do at least one of these as they could alert Microsoft to issues or provide guidance on what organizations are looking for.
Finally, Microsoft offers a feedback email address (mecahelp@microsoft.com) which can be used as well.
The Bigger Picture
The CAMP script is another useful resource from Microsoft that can assist those in charge of their tenant to get a grasp on how their configuration stacks up per Microsoft’s advice. Advice from these types of reports do need to be taken with some grains of salt as not all advice will fit and not all configurations are appropriate/necessary for every tenant. Add scripts of this sort, like CAMP and ORCA, to quarterly, bi-annual and/or annual reporting as this will help an organization keep abreast of their tenant’s posture. Make sure to keep this module up to date as it will be updated and new features will be released.
