SDU uses several Microsoft products under the Microsoft E5 license, including Microsoft 365, Microsoft Azure, and Dynamics 365.
- Microsoft 365 includes programs such as Outlook, OneDrive, Teams, and SharePoint. These services are maintained by Microsoft, and data is stored in SDU’s dedicated tenant on Microsoft servers located in Europe.
- Microsoft Azure supports various cloud service models. Some software is maintained and hosted by Microsoft, while other applications—such as SDU’s integrations with HCM and ERP—are hosted on Azure but maintained by SDU.
- Dynamics 365 is primarily a CRM (Customer Relationship Management) system built on Azure infrastructure.
SDU also uses Microsoft’s security products, including the Defender suite and Sentinel, Microsoft’s centralized log collection solution. The Defender suite protects SDU against malicious activity such as cyberattacks. It secures mobile devices (laptops, phones, tablets), Microsoft software (e.g., Word, Excel), network traffic, and third-party applications like ItsLearning and SurveyXact. These tools allow SDU to monitor user activity across systems, which is essential for detecting compromised accounts.
Security logs from the various Defender tools are sent to Sentinel, where alerts can be configured for actions that pose a risk of data compromise. Each user is assigned a risk score that changes based on their behaviour. Defender and Sentinel use machine learning to understand normal user behaviour and detect anomalies that may indicate account compromise, such as:
- Malware execution
- Behavioural changes
- Unusual working hours
- Transfers to external drives (e.g., USB sticks) or cloud services (e.g., Dropbox)
- High-volume file activity (e.g., mass printing or deletion)
- Downloading copyrighted material
- Logins from geographically distant locations within a short time frame (so-called "impossible travel")
These indicators help identify potential misuse or compromised accounts.
SDU monitors security logs daily, both for safety concerns and to meet regulatory requirements. SDU is regularly audited by the National Audit Office and the Danish Agency for Higher Education and Science.
To prevent misuse of logs and protect confidential data, SDU has strict access controls. Only a few trusted employees in SDU IT’s SecOps (Security Operations) team can access log data in Sentinel. Their access is reviewed and approved annually by the Director. With over 60,000 active user accounts, SecOps does not monitor individual users in real time. Instead, they respond to alerts and investigate suspicious activity.
This means that SecOps can see which systems and websites individual users use, and in some cases SecOps may view email or document content if it is quarantined due to suspected malware. However, access to user identity is restricted and requires privileged access, which is logged and monitored. Functional separation ensures that SecOps staff cannot alter or delete logs.
SDU processes these logs to protect the university from attacks and misuse. Students are also encouraged to read the Guidelines for the use of IT by students at the University of Southern Denmark.
Personal equipment
Be aware that when you access SDU resources from personal equipment – for example, by clicking a link to a digital exam sent via email – the system may, in some cases, collect logs from subsequent browser sessions (such as web searches) if you do not close the browser after accessing an SDU resource. This applies even when you are on a private network using your own computer, as it depends on the browser’s security settings. This is similar to how Facebook can track your activity if you open a link within its app and continue browsing in the same session.
Equipment provided by SDU
In special cases, students may be given equipment purchased and managed by SDU. This could include borrowing an exam computer or being required to use SDU-provided equipment for your thesis work. If you use equipment purchased and managed by SDU and configured according to the university’s security standards, you will generally encounter fewer security measures compared to when using personal equipment.
SDU’s network
If you use a personal device on SDU’s network, please note that SDU logs network traffic as required by authorities. However, SecOps staff do not have direct access to see which websites individual users visit from a personal device. Identifying specific user activity would require log correlation, which may be performed if requested by authorities, such as the police. SecOps can view URL logs if a user attempts to access a blocked website. SDU blocks websites based on recommendations from Microsoft, other security firms, and Danish authorities.