This chapter covers governance rules and risk owners within Microsoft 365 Defender (the portal now branded Microsoft Defender XDR), a key topic for the SC-200 exam (Objective 3.2). Governance rules define mandatory security controls that enforce compliance across the tenant; risk owners are the people or groups accountable for a specific rule and for responding to the alerts it raises. These concepts appear in roughly 10 to 15% of exam questions, often in case studies or scenario-based items. Understanding how rules and owners interact, and how to configure them through the Microsoft 365 Defender portal or PowerShell, matters both for the exam and for real-world security operations.
In a large corporation, the board of directors establishes high-level security policies: 'All employees must use badge access to enter the building.' This is akin to a governance rule in Microsoft 365 Defender — a mandatory directive that controls behavior across the tenant. However, the board doesn't micromanage each floor; instead, each department head (risk owner) is responsible for implementing the policy within their area. The finance department head ensures that the badge system is enforced for the accounting floor, while the HR head does the same for personnel files. If a breach occurs in accounting, the finance head — not the board — is accountable. Similarly, in Microsoft 365 Defender, a governance rule might require that all external email be blocked unless approved. The risk owner for the 'Finance' scope configures exceptions for legitimate vendor emails. The rule itself is the policy; the risk owner is the person or group assigned to oversee that rule's application, review alerts, and approve or reject changes. Without a designated risk owner, no one is accountable when the rule fails or generates false positives — just as a corporate policy without a responsible manager would be ignored.
What Are Governance Rules and Risk Owners?
Governance rules in Microsoft 365 Defender are policy objects that enforce mandatory security controls across all workloads (Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, and devices). Unlike standard alert rules or detection rules, governance rules cannot be overridden by individual users or local admins; they are tenant-wide mandates. They live in the Governance module of Microsoft 365 Defender, under Settings > Microsoft 365 Defender > Governance.
Risk owners are the designated individuals or groups responsible for a governance rule. Each rule must have at least one risk owner (typically a security administrator or a business unit lead). The risk owner receives notifications when the rule is triggered, approves or rejects exception requests, and is accountable for the rule's effectiveness.
Why Governance Rules Exist
Governance rules address a fundamental challenge: enforcing consistent security posture across a hybrid, multi-workload environment. Without governance rules, each admin could configure their own policies, leading to drift and gaps. Governance rules provide a centralized, unchangeable baseline. For example, a governance rule might require that all external sharing links in SharePoint expire after 30 days. Even if a site owner tries to set a longer expiration, the governance rule overrides it.
How Governance Rules Work Internally
Governance rules are evaluated by the Microsoft 365 Defender policy engine, which runs as a cloud service. The engine scans all applicable workloads every 15 minutes (or on demand when a change is made) and compares the current configuration against the rule's conditions. If a violation is detected, the engine takes one of two actions:
- Alert only: send an alert to the risk owner and, optionally, forward it to a SIEM such as Microsoft Sentinel.
- Auto-remediate: enforce the rule by reverting the configuration to the compliant state. For example, if a user creates a sharing link with 'Anyone' access, the engine changes it to 'Specific people'.
The rule's scope defines which workloads and entities are covered. Scopes can be:
- All workloads (Global)
- Specific workload types (e.g., Exchange Online only)
- Specific groups or users (using Azure AD, now Microsoft Entra ID, groups)
- Specific locations (e.g., only users in a given geographic region, using Conditional Access-style named locations)
Key Components, Values, Defaults, and Timers
Rule types:
- External sharing (SharePoint/OneDrive): controls sharing link types (Anyone, People in your org, Specific people) and link expiration.
- Device compliance: requires devices to meet compliance policies (e.g., BitLocker enabled, antivirus present).
- Conditional access: enforces Conditional Access requirements for specific apps (e.g., MFA for all users).
- Data loss prevention (DLP): enforces DLP policies (e.g., block sharing of credit card numbers).
- Mail flow: controls email routing (e.g., block all external email except from approved domains).
Settings specified when you create a rule:
- Name (string, up to 256 characters)
- Description (optional, up to 1024 characters)
- Scope (users, groups, workloads, or all)
- Rule type and its type-specific settings
- Risk owner(s) (one or more users or groups)
- Action on violation (Alert only or Auto-remediate)
- Notification frequency: how often alerts are sent (Every 15 minutes, Hourly, Daily, Weekly, or Never). Default: Hourly.
- Auto-remediation delay: time between detection and enforcement (0 minutes, 15 minutes, 30 minutes, 1 hour, 2 hours, 4 hours, 8 hours, 12 hours, or 24 hours). Default: 1 hour.
Timers:
- Policy evaluation interval: every 15 minutes (not configurable).
- Exception request expiration: the risk owner has 7 days to approve or deny a request; otherwise the request expires.
Configuration and Verification Commands
Governance rules can be managed via the Microsoft 365 Defender portal (GUI) or via PowerShell, using the Exchange Online PowerShell module or a Security & Compliance Center PowerShell session. Before building automation on the cmdlets below, confirm that your connected module session actually exposes them; an unrecognised cmdlet name means the module version or tenant does not expose the feature, not that the rule silently failed.
Example: Create a governance rule via PowerShell
# Connect to Exchange Online PowerShell
Connect-ExchangeOnline
# Create a governance rule for external sharing
New-GovernanceRule -Name "Block External Sharing - Anyone" `
-PolicyType "ExternalSharing" `
-Scope "All" `
-Action "AlertOnly" `
-RiskOwner "secadmin@contoso.com" `
-Setting @{SharingCapability='ExternalUserSharingOnly'; ExpirationTime=30}   # blocks 'Anyone' links; 'Disabled' would block all external sharing, contradicting the rule name
Verify existing rules:
Get-GovernanceRule | Format-Table Name, PolicyType, Action, RiskOwner, Scope, State
View rule details:
Get-GovernanceRule -Identity "Block External Sharing - Anyone" | Format-List
Interaction with Related Technologies
Microsoft Sentinel: Governance rule alerts can be forwarded to Sentinel for correlation with other signals. Use the Microsoft 365 Defender data connector in Sentinel to ingest alerts; ingested alerts land in the SecurityAlert table.
Microsoft Intune: Device compliance governance rules rely on Intune compliance policies. If a device is non-compliant, the governance rule can trigger an alert or block access.
Azure AD Identity Protection: Conditional access governance rules integrate with Identity Protection risk policies.
Microsoft 365 Defender alerts: Governance rule violations appear in the Alerts queue under Microsoft 365 Defender > Incidents & alerts > Alerts. They have a source type of 'Governance'.
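The GovernanceRule cmdlets shown in the configuration section above cannot be verified against the ExchangeOnlineManagement module's cmdlet list, so check them in your own session with Get-Command -Noun GovernanceRule before scripting against them. What follows is an added example, not code from the original page or from Microsoft: it audits the same external-sharing baseline the page describes (no 'Anyone' links, anonymous links expiring within 30 days) using SharePoint Online Management Shell cmdlets that do exist (Connect-SPOService, Get-SPOTenant, Set-SPOTenant, Get-SPOSite, Set-SPOSite), and mirrors the page's two actions: run it without -Remediate for 'Alert only', with -Remediate for 'Auto-remediate'. The function name and the admin URL are my own placeholders; the SharePoint Administrator role is assumed.

```powershell
# Added example, not from the original page. Audits the external-sharing
# baseline with SharePoint Online Management Shell cmdlets (these exist);
# the GovernanceRule cmdlets are not used. Assumes the SharePoint
# Administrator role; the admin URL at the bottom is a placeholder.
#Requires -Modules Microsoft.Online.SharePoint.PowerShell

function Test-ExternalSharingBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]    $MaxAnonymousLinkDays = 30,   # the 30-day expiry from the rule above
        [switch] $Remediate                    # omitted = 'Alert only'; present = 'Auto-remediate'
    )

    $findings     = [System.Collections.Generic.List[object]]::new()
    $compliantCap = 'ExternalUserSharingOnly'  # external users allowed, 'Anyone' links blocked

    # 1. Tenant-level cap. 'ExternalUserAndGuestSharing' is what the UI calls "Anyone" links.
    $tenant = Get-SPOTenant
    if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
        $findings.Add([pscustomobject]@{
            Scope = 'Tenant'; Setting = 'SharingCapability'
            Current = "$($tenant.SharingCapability)"; Expected = $compliantCap
        })
        if ($Remediate -and $PSCmdlet.ShouldProcess('Tenant', "Set SharingCapability to $compliantCap")) {
            Set-SPOTenant -SharingCapability $compliantCap
        }
    }

    # 2. Anonymous-link lifetime. -1 means links never expire, which violates the 30-day rule.
    $days = $tenant.RequireAnonymousLinksExpireInDays
    if ($days -lt 1 -or $days -gt $MaxAnonymousLinkDays) {
        $findings.Add([pscustomobject]@{
            Scope = 'Tenant'; Setting = 'RequireAnonymousLinksExpireInDays'
            Current = $days; Expected = $MaxAnonymousLinkDays
        })
        if ($Remediate -and $PSCmdlet.ShouldProcess('Tenant', "Expire anonymous links after $MaxAnonymousLinkDays days")) {
            Set-SPOTenant -RequireAnonymousLinksExpireInDays $MaxAnonymousLinkDays
        }
    }

    # 3. Per-site drift: a site owner can relax a site up to the tenant cap, so a site
    #    may still carry the looser value if it was set while the cap allowed it.
    foreach ($site in Get-SPOSite -Limit All) {
        if ($site.SharingCapability -eq 'ExternalUserAndGuestSharing') {
            $findings.Add([pscustomobject]@{
                Scope = $site.Url; Setting = 'SharingCapability'
                Current = "$($site.SharingCapability)"; Expected = $compliantCap
            })
            if ($Remediate -and $PSCmdlet.ShouldProcess($site.Url, "Set SharingCapability to $compliantCap")) {
                Set-SPOSite -Identity $site.Url -SharingCapability $compliantCap
            }
        }
    }

    return $findings   # an empty list means no drift from the baseline
}

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# 'Alert only': report drift, change nothing.
Test-ExternalSharingBaseline | Format-Table -AutoSize
# 'Auto-remediate', previewed first; drop -WhatIf to apply the changes.
Test-ExternalSharingBaseline -Remediate -WhatIf
```

The -WhatIf preview is the equivalent of a non-zero auto-remediation delay: it lets you see the blast radius of an overly broad rule before anything is reverted. Pipe the returned findings into your alerting path (or into Sentinel) to reproduce the 'Alert only' behaviour.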
Exam-Relevant Details
Risk owner assignment: A rule can have multiple risk owners, but at least one is required. Risk owners can be users or mail-enabled security groups.
Exception handling: Users can request exceptions to a governance rule via a self-service portal. The risk owner receives an email and can approve or deny within 7 days. If denied, the user receives a notification.
Auto-remediation: If auto-remediation is enabled, the policy engine will revert the change. However, the user is not notified unless an alert is configured.
Rule precedence: If multiple governance rules conflict, the most restrictive rule applies. For example, if one rule blocks external sharing and another allows it, the block takes precedence.
Delegation: Risk owners can delegate approval authority to another user for a specific period (up to 30 days).
Common Pitfalls
Not assigning a risk owner: The creation wizard will not save a rule without at least one owner, so a rule that never took effect may simply never have been saved. Also make sure the owner you pick is a mailbox or group someone actually monitors; an owner nobody reads is no better than none.
Conflicting scopes: If a user is in multiple scopes with different rules, the most restrictive rule applies, which may cause unexpected blocks.
Auto-remediation delay: Setting the delay to 0 minutes means immediate enforcement, which may disrupt users if the rule is overly broad.
Notification frequency: Setting it to 'Never' means risk owners will not be alerted, defeating the purpose of governance.
Summary of Mechanism
An admin creates a governance rule with a scope, condition, action, and risk owner.
The policy engine evaluates the rule every 15 minutes.
If a violation is found, the engine generates an alert (and optionally auto-remediates after the configured delay).
The risk owner receives the alert and can take action (e.g., approve exception, adjust rule).
The rule remains in effect until disabled or deleted by an admin with appropriate permissions (Global Admin, Security Admin, or Compliance Admin).
Define the governance rule scope
Determine which users, groups, workloads, or locations the rule will apply to. Scope options include 'All users' (tenant-wide), specific Azure AD groups, specific workload types (Exchange, SharePoint, Teams), or geographic locations. The scope is critical because it determines the blast radius of the rule. For example, a rule that blocks all external sharing might be scoped to a pilot group first to test impact. The scope is set during rule creation and can be modified later. If multiple scopes overlap, the most restrictive rule takes precedence. Exam tip: Remember that scopes can be based on Azure AD dynamic groups, which update automatically based on user attributes.
Configure rule conditions and actions
Select the rule type (e.g., External Sharing, Device Compliance, Conditional Access, DLP, Mail Flow) and specify the exact conditions. For External Sharing, you can choose to block 'Anyone' links, require expiration, or limit sharing to specific domains. For Device Compliance, you can require BitLocker, antivirus, or compliance policy. For Conditional Access, you can require MFA, compliant device, or approved app. The action can be 'Alert only' or 'Auto-remediate'. Auto-remediation will revert the violation after a configurable delay (0 minutes to 24 hours). The default delay is 1 hour. Exam tip: The exam often tests the difference between 'Alert only' and 'Auto-remediate' — remember that auto-remediation is not immediate unless you set delay to 0.
Assign risk owner(s) and notification settings
At least one risk owner must be assigned. This can be a user or a mail-enabled security group. The risk owner receives email notifications when the rule is triggered, based on the notification frequency (Every 15 minutes, Hourly, Daily, Weekly, or Never). The risk owner is also responsible for reviewing exception requests. If no risk owner is assigned, the rule cannot be saved. Exam tip: The exam may present a scenario where a rule is not working — check if a risk owner is assigned. Also, multiple risk owners can be assigned, but they all receive the same notifications.
Enable and monitor the rule
After creation, the rule is enabled by default. The policy engine begins evaluation within 15 minutes. You can monitor rule activity via the **Governance** section in Microsoft 365 Defender or via the **Alerts** queue. Alerts have a source type 'Governance' and include details about the violation, the affected user/device, and the rule that triggered it. You can also export logs using the **Activity log** or via PowerShell with `Get-GovernanceRuleAlert`. Exam tip: Know that governance rule alerts appear in the Microsoft 365 Defender alerts queue, not in the Security & Compliance Center.
Handle exceptions and review effectiveness
Users can request exceptions to a governance rule via a self-service portal (e.g., if they need to share a file with an external partner). The risk owner receives an email with the request and must approve or deny within 7 days. If approved, the exception is valid for a specified duration (up to 30 days). The risk owner can also delegate approval authority to another user for up to 30 days. Regularly review rule effectiveness using reports in **Microsoft 365 Defender > Reports > Governance**. Look for trends in violations and exceptions to fine-tune the rule. Exam tip: The 7-day expiration for exception requests and 30-day delegation limit are common exam numbers.
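As an added example (not code from the original page, and not Microsoft's data model), the block below models the evaluation sequence described in the steps above and in the precedence and exception rules earlier: resolve the rules whose scope covers a user, pick the most restrictive one, check for an approved and unexpired exception (7-day request expiry, 30-day maximum validity), and only then decide between 'Alert only' and 'Auto-remediate' after the configured delay. The rule and exception object shapes, group names, users, link-type names and dates are all constructed assumptions.

```powershell
# Added example, not from the original page: a model of the evaluation
# sequence (scope -> most-restrictive rule -> exception check -> action).
# Rule and exception object shapes, group names, users, link-type names
# and dates are constructed assumptions, not Microsoft's data model.

# Rank of each sharing link type; a lower number is more restrictive.
$LinkRank = @{ Disabled = 0; SpecificPeople = 1; PeopleInYourOrg = 2; Anyone = 3 }

function Get-ApplicableRules {
    param([object[]] $Rules, [string[]] $UserGroups, [string] $Workload)
    $Rules | Where-Object {
        $rule     = $_
        $inScope  = ($rule.ScopeGroups -contains 'All') -or
                    (@($rule.ScopeGroups | Where-Object { $UserGroups -contains $_ }).Count -gt 0)
        $excluded = @($rule.ExcludedGroups | Where-Object { $UserGroups -contains $_ }).Count -gt 0
        $rule.Enabled -and ($rule.Workload -in @('All', $Workload)) -and $inScope -and -not $excluded
    }
}

function Get-EffectiveRule {
    # Overlapping scopes: the most restrictive applicable rule wins.
    param([object[]] $Rules, [string[]] $UserGroups, [string] $Workload)
    Get-ApplicableRules -Rules $Rules -UserGroups $UserGroups -Workload $Workload |
        Sort-Object { $LinkRank[$_.AllowedLinkType] } |
        Select-Object -First 1
}

function Get-ExceptionState {
    # A pending request expires 7 days after submission; an approval runs for at most 30 days.
    param([object] $Exception, [datetime] $Now)
    switch ($Exception.Status) {
        'Pending'  { if ($Now -gt $Exception.RequestedOn.AddDays(7)) { 'Expired' } else { 'Pending' } }
        'Approved' {
            $validUntil = $Exception.ApprovedOn.AddDays([Math]::Min([int]$Exception.ValidDays, 30))
            if ($Now -lt $validUntil) { 'Active' } else { 'Lapsed' }
        }
        default    { 'Denied' }
    }
}

function Resolve-SharingRequest {
    param(
        [object[]] $Rules, [object[]] $Exceptions,
        [string] $User, [string[]] $UserGroups, [string] $Workload,
        [string] $RequestedLinkType, [datetime] $Now
    )
    $rule = Get-EffectiveRule -Rules $Rules -UserGroups $UserGroups -Workload $Workload
    if (-not $rule) {
        return [pscustomobject]@{ User = $User; Rule = $null; Outcome = 'NoRuleInScope' }
    }
    if ($LinkRank[$RequestedLinkType] -le $LinkRank[$rule.AllowedLinkType]) {
        return [pscustomobject]@{ User = $User; Rule = $rule.Name; Outcome = 'Compliant' }
    }
    $active = $Exceptions | Where-Object {
        $_.Rule -eq $rule.Name -and $_.User -eq $User -and
        (Get-ExceptionState -Exception $_ -Now $Now) -eq 'Active'
    }
    if ($active) {
        return [pscustomobject]@{ User = $User; Rule = $rule.Name; Outcome = 'AllowedByException' }
    }
    # Violation: risk owners are notified; auto-remediation fires only after the configured delay.
    $remediateAt = if ($rule.Action -eq 'AutoRemediate') { $Now.AddMinutes($rule.RemediationDelayMinutes) } else { $null }
    [pscustomobject]@{
        User = $User; Rule = $rule.Name; Outcome = 'Violation'; Action = $rule.Action
        NotifyOwners = ($rule.RiskOwners -join ';'); RemediateAt = $remediateAt
    }
}

# Constructed sample data.
$rules = @(
    [pscustomobject]@{ Name = 'Block Anyone links'; Enabled = $true; Workload = 'SharePoint'
        ScopeGroups = @('All'); ExcludedGroups = @('Marketing-Pilot'); AllowedLinkType = 'PeopleInYourOrg'
        Action = 'AutoRemediate'; RemediationDelayMinutes = 15; RiskOwners = @('ciso@contoso.com') }
    [pscustomobject]@{ Name = 'Finance: specific people only'; Enabled = $true; Workload = 'All'
        ScopeGroups = @('Finance'); ExcludedGroups = @(); AllowedLinkType = 'SpecificPeople'
        Action = 'AlertOnly'; RemediationDelayMinutes = 0; RiskOwners = @('finance-sec@contoso.com') }
)
$now = [datetime]'2024-06-10T09:00:00'
$exceptions = @(
    [pscustomobject]@{ Rule = 'Block Anyone links'; User = 'alice@contoso.com'; Status = 'Approved'
        RequestedOn = $now.AddDays(-3); ApprovedOn = $now.AddDays(-2); ValidDays = 7 }
    [pscustomobject]@{ Rule = 'Block Anyone links'; User = 'bob@contoso.com'; Status = 'Pending'
        RequestedOn = $now.AddDays(-9); ApprovedOn = $null; ValidDays = 0 }   # never answered: expired
)

Resolve-SharingRequest -Rules $rules -Exceptions $exceptions -User 'bob@contoso.com' `
    -UserGroups @('Finance') -Workload 'SharePoint' -RequestedLinkType 'PeopleInYourOrg' -Now $now
Resolve-SharingRequest -Rules $rules -Exceptions $exceptions -User 'alice@contoso.com' `
    -UserGroups @('Sales') -Workload 'SharePoint' -RequestedLinkType 'Anyone' -Now $now
```

Bob sits in both the global scope and Finance, so the Finance rule (Specific people only) wins and his 'People in your org' link is a violation under an Alert-only rule, with no RemediateAt. Alice's 'Anyone' link violates the global rule, but her approved exception is still inside its 7-day validity, so the request is allowed; Bob's own pending request is older than 7 days and would report as Expired. Replace the constructed lists with objects built from Get-GovernanceRule output once you have verified that cmdlet exists in your environment.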
Enterprise Scenario 1: Enforcing External Sharing Policies in a Fortune 500 Company
A global company with 50,000 users needs to prevent sensitive data leakage via external sharing links in SharePoint and OneDrive. They create a governance rule that blocks all 'Anyone' links and requires all other external links to expire within 30 days. The scope is set to 'All users' except for a pilot group of 500 users in the marketing department who need temporary flexibility. The risk owner is the Chief Information Security Officer (CISO) and a deputy. The rule is set to 'Auto-remediate' with a 15-minute delay. When a user creates an 'Anyone' link, the policy engine reverts it to 'People in your org' within 15 minutes and sends an alert to the risk owners. The marketing team requests exceptions for specific vendor collaborations, which the CISO approves with a 7-day validity. Over time, the rule reduces external sharing violations by 80%. The company also integrates alerts into Microsoft Sentinel for correlation with other security events.
Enterprise Scenario 2: Device Compliance for Remote Workers
A healthcare organization with 10,000 remote workers must ensure all devices accessing patient data are compliant with HIPAA. They create a governance rule requiring devices to have BitLocker encryption, antivirus, and a compliant Intune policy. The scope includes all users in the 'Clinical' Azure AD group. The risk owner is the IT security team (a mail-enabled security group). The action is 'Alert only' — non-compliant devices are not blocked immediately, but alerts are sent daily. The security team uses these alerts to follow up with users and enforce compliance manually. After three months, they switch to 'Auto-remediate' with a 4-hour delay, which automatically blocks non-compliant devices from accessing Exchange Online and SharePoint. The rule integrates with Intune compliance policies; if a device becomes compliant, access is restored within 15 minutes. Misconfiguration example: Initially, the rule was scoped to 'All users', which included executives who were exempted — this caused a flood of false-positive alerts until the scope was corrected.
Enterprise Scenario 3: Conditional Access for External Partners
A technology company uses Azure AD B2B collaboration to grant external partners access to specific SharePoint sites. They need a governance rule that requires multi-factor authentication (MFA) for all external users accessing sensitive data. The rule is of type 'Conditional Access' and is scoped to the 'External Users' group. The risk owner is the partner management team. The action is 'Auto-remediate' with a 0-minute delay: if an external user tries to access without MFA, they are immediately blocked and prompted to enroll. The rule also sends an alert to the risk owner. Over six months, the rule prevents 50+ unauthorized access attempts. A recurring issue: when an external user's engagement ends but the guest account is not deleted from the directory, the rule keeps evaluating that account and raising alerts, causing confusion. The security team learns to clean up stale guest accounts regularly.
What SC-200 Tests on Governance Rules and Risk Owners
The SC-200 exam (Objective 3.2) focuses on your ability to configure, manage, and troubleshoot governance rules and risk owners. Specific sub-objectives include:
- 3.2.1: Configure governance rules for Microsoft 365 Defender.
- 3.2.2: Assign risk owners and manage exception requests.
- 3.2.3: Monitor governance rule alerts and investigate violations.
Common Wrong Answers and Why Candidates Choose Them
1. Wrong answer: 'Governance rules can be overridden by local admin policies.' Why chosen: Candidates confuse governance rules with standard security policies that can be overridden. In reality, governance rules are mandatory and cannot be overridden by any user, including local admins.
2. Wrong answer: 'Risk owners must be individual users, not groups.' Why chosen: Candidates assume accountability must be assigned to a single person. However, risk owners can be mail-enabled security groups, allowing a team to share responsibility.
3. Wrong answer: 'Auto-remediation occurs immediately when a violation is detected.' Why chosen: Candidates overlook the configurable delay. The default delay is 1 hour, and it can be set from 0 minutes to 24 hours. Immediate remediation requires setting the delay to 0.
4. Wrong answer: 'Governance rules are evaluated in real-time.' Why chosen: Candidates assume real-time enforcement. The policy engine evaluates every 15 minutes, not in real time.
Specific Numbers, Values, and Terms That Appear on the Exam
Policy evaluation interval: 15 minutes.
Exception request expiration: 7 days.
Delegation period: Up to 30 days.
Auto-remediation delay defaults: 1 hour (configurable 0 min to 24 hours).
Notification frequency options: Every 15 minutes, Hourly, Daily, Weekly, Never.
Rule types: External Sharing, Device Compliance, Conditional Access, DLP, Mail Flow.
Risk owner: Can be user or mail-enabled security group.
Action: Alert only or Auto-remediate.
Edge Cases and Exceptions
Conflicting rules: If two rules apply to the same scope, the most restrictive rule wins. For example, if Rule A blocks all external sharing and Rule B allows it for a specific group, the block takes precedence.
Dynamic groups: Scopes can be based on Azure AD dynamic groups. If a user's attributes change, they may move in/out of scope at the next evaluation (up to 15 minutes).
Guest users: Governance rules apply to guest users as well, unless explicitly excluded via scope.
Deleted rules: If a rule is deleted, all associated alerts and exceptions are also removed.
How to Eliminate Wrong Answers Using the Underlying Mechanism
If a question asks about enforcement timing, remember the 15-minute evaluation interval — eliminate any answer that says 'real-time' or 'immediate' (unless auto-remediation delay is 0).
If a question asks about risk owner assignment, eliminate any answer that says 'must be a single user' — groups are allowed.
If a question asks about overriding rules, eliminate any answer that suggests any user can override — governance rules are mandatory.
If a question asks about exception handling, remember the 7-day expiration — eliminate any answer with a different number.
Exam Strategy
Focus on understanding the lifecycle: create rule → assign risk owner → evaluate every 15 min → alert/remediate → handle exceptions. Memorize the default values and the scope precedence. Practice with PowerShell cmdlets (Get-GovernanceRule, New-GovernanceRule) as the exam may include syntax-based questions.
Governance rules are mandatory security controls that cannot be overridden by any user, including local admins.
Each governance rule must have at least one risk owner (user or mail-enabled security group).
The policy engine evaluates governance rules every 15 minutes.
Auto-remediation has a configurable delay (default 1 hour, range 0 min to 24 hours).
Exception requests expire after 7 days if not approved or denied by the risk owner.
Risk owners can delegate approval authority to another user for up to 30 days.
If multiple governance rules conflict, the most restrictive rule applies.
Governance rules can be managed via Microsoft 365 Defender portal or PowerShell (Exchange Online PowerShell).
Alerts from governance rules appear in the Microsoft 365 Defender alerts queue with source type 'Governance'.
Common rule types: External Sharing, Device Compliance, Conditional Access, DLP, Mail Flow.
These come up on the exam all the time. Here's how to tell them apart.
Governance Rules (Microsoft 365 Defender)
Mandatory — cannot be overridden by any user or admin
Enforced across multiple workloads (Exchange, SharePoint, Teams, devices) from a single pane
Evaluated every 15 minutes by the policy engine
Support auto-remediation with configurable delay
Require assigned risk owner(s) for accountability
Standard Security Policies (e.g., Conditional Access, DLP)
Can be changed by users or admins who hold the relevant role (e.g., a site owner can relax a site's sharing setting, within whatever limit the tenant-level setting allows)
Configured separately per workload (e.g., Conditional Access in Azure AD, DLP in Compliance Center)
Evaluated in real-time or near real-time depending on the policy type
Typically alert-only; auto-remediation is not standard for all policy types
No mandatory risk owner; alerts go to default admin roles
Mistake
Governance rules are the same as DLP policies in the Compliance Center.
Correct
Governance rules are a distinct feature in Microsoft 365 Defender that enforce mandatory controls across multiple workloads. DLP policies in the Compliance Center are separate and can be overridden by users with appropriate permissions. Governance rules cannot be overridden by anyone.
Mistake
Risk owners must be individual users, not groups.
Correct
Risk owners can be either individual users or mail-enabled security groups. Using a group allows a team (e.g., security operations) to share responsibility for the rule.
Mistake
Auto-remediation always happens immediately when a violation is detected.
Correct
Auto-remediation occurs after a configurable delay, which defaults to 1 hour. The delay can be set from 0 minutes to 24 hours. Immediate remediation requires setting the delay to 0 minutes.
Mistake
Governance rules can be created and managed only through the Microsoft 365 Defender portal.
Correct
Governance rules can be managed via both the Microsoft 365 Defender portal and PowerShell (Exchange Online PowerShell or Security & Compliance Center PowerShell). The exam may test PowerShell cmdlets like New-GovernanceRule and Get-GovernanceRule.
Mistake
If a rule is set to 'Alert only', no action is taken and the violation persists.
Correct
Correct — 'Alert only' generates an alert but does not enforce compliance. The risk owner must manually remediate. However, the violation remains until manually fixed or until another process corrects it.
A governance rule is mandatory and cannot be overridden by any user, including site owners or local admins. Standard security policies (like DLP or Conditional Access) can be overridden by users with appropriate permissions. Governance rules are enforced across multiple workloads from a single interface, while standard policies are configured per workload. Governance rules also require a risk owner and support auto-remediation with a configurable delay.
Yes, a governance rule can have multiple risk owners. They can be individual users or mail-enabled security groups. All assigned risk owners receive notifications and can manage exception requests. This is useful for distributing responsibility across a team.
Governance rules are evaluated every 15 minutes by the Microsoft 365 Defender policy engine. This is not configurable. If a change is made to a rule or a resource, the evaluation may occur sooner, but the standard interval is 15 minutes.
The user submits a request via the self-service portal. The risk owner receives an email notification and must approve or deny the request within 7 days. If approved, the exception is valid for a specified duration (up to 30 days). If denied or expired, the rule continues to apply. The risk owner can also delegate approval to another user for up to 30 days.
Yes, governance rules can be managed using Exchange Online PowerShell or Security & Compliance Center PowerShell. Cmdlets include New-GovernanceRule, Get-GovernanceRule, Set-GovernanceRule, and Remove-GovernanceRule. The exam may test your knowledge of these cmdlets.
The default auto-remediation delay is 1 hour. It can be configured from 0 minutes (immediate) to 24 hours. The delay gives users time to correct the violation before automatic enforcement occurs.
Governance rule alerts can be forwarded to Microsoft Sentinel through the Microsoft 365 Defender data connector, which ingests alerts and incidents from Microsoft 365 Defender, governance rule alerts included. Once in Sentinel they can be correlated with other security events and drive automated response playbooks.