Microsoft 365 Compliance Guide: Enterprise Framework for Purview, DLP, and eDiscovery
This guide provides a thorough overview of Microsoft 365 compliance. It covers:
- Purview Compliance Manager
- Data Loss Prevention policies
- Retention labels
- eDiscovery
- Information barriers
It is designed for enterprises in healthcare, financial services, and government that need to comply with HIPAA, SOC 2, GDPR, and FedRAMP requirements.
Last updated: 2026 | Read time: 6 min
Microsoft 365 delivers its compliance tooling through Microsoft Purview. The platform includes:
- Data loss prevention
- Retention labels
- eDiscovery
- Information barriers
- Regulatory scoring via Compliance Manager
This guide details how to set up each component for HIPAA, GDPR, FINRA, FedRAMP, SOC 2, and PCI DSS requirements.
- Microsoft Purview Compliance Manager: pre-built assessments for 360+ regulations
- Compliance Manager score: 0–100% measuring your current posture against selected frameworks
- DLP policies detect sensitive information types (SITs) and enforce blocking, encryption, or notification
- eDiscovery (Premium): conversation threading, near-duplicate detection, and predictive coding
- Information barriers: restrict communication between specific departments (trading desk / research)
- EPC Group: 29 years, 11,000+ engagements, 70+ Fortune 500 clients
The Microsoft 365 Compliance Landscape in 2026
Microsoft Purview is the unified compliance platform for Microsoft 365. It replaces the older Security & Compliance Center and consolidates all compliance capabilities into a single administration experience.
The platform covers four major compliance domains:
- Data governance: Sensitivity labels, retention labels, records management
- Risk and compliance: Compliance Manager, Insider Risk Management, Communication Compliance
- Data protection: DLP policies, encryption, information barriers
- eDiscovery and audit: Content Search, eDiscovery Standard and Premium, Audit Premium
Microsoft Purview Compliance Manager
Compliance Manager is the scoring and assessment engine. It measures your Microsoft 365 environment against regulatory frameworks and provides step-by-step improvement guidance.
- Pre-built assessments for 360+ regulations: HIPAA, GDPR, SOC 2, FedRAMP, PCI DSS, and more
- Compliance score: 0–100% reflecting your current posture on the selected frameworks
- Improvement actions: specific configuration steps with point values and implementation guidance
- Shared responsibility model: Microsoft-owned controls (platform security) vs customer-owned controls (your configuration)
Data Loss Prevention (DLP)
DLP policies detect sensitive content and take automated action to protect it. They apply across Exchange Online, SharePoint, OneDrive, Teams, and endpoints.
How DLP Policies Work
DLP policies find sensitive content using Sensitive Information Types (SITs). A SIT is a detection definition rather than a bare regular expression: a primary pattern (a regex or a validation function such as a checksum), optional supporting evidence (keywords or a second pattern within a set character window), and a confidence level that rises as more evidence is present nearby. Built-in SITs identify:
- Credit card numbers
- Social Security numbers
- Health records
- More than 300 other data types
A DLP rule pairs conditions (which SITs, the minimum instance count and confidence, and whether the sharing target is inside or outside the organization) with one or more actions:
- Audit only: log the match for review without changing the user's experience. A whole policy can also run in test mode, which is the right starting point until false-positive rates are known.
- Notify the user with a policy tip, optionally allowing an override with a business justification that is itself logged.
- Block access or sharing: prevent external sharing of the item, or block the action entirely.
- Require encryption: apply a Rights Management template to outbound mail (Exchange Online only).
- Notify compliance officers: generate an incident report or alert for review.
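The policy-plus-rule structure described above, as an added PowerShell example that is not code from the original page or from EPC Group. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Compliance Administrator role, and that the policy name and the addresses admin@contoso.com and compliance@contoso.com are placeholders.

```powershell
# Added example (not from the original page). Creates a DLP policy covering
# Exchange, SharePoint, OneDrive and Teams that detects payment card numbers and
# U.S. SSNs, starts in test mode, blocks external sharing with a policy tip, and
# sends an incident report to the compliance team. All names/addresses are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.com'

$policyName = 'PCI-PII External Sharing'

# The policy defines scope (which workloads) and mode. TestWithNotifications
# shows policy tips and generates reports but blocks nothing, which is the
# right starting point until false-positive rates are understood.
$policy = @{
    Name               = $policyName
    Comment            = 'PCI DSS / HIPAA: payment card and SSN data leaving the tenant'
    ExchangeLocation   = 'All'
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
    TeamsLocation      = 'All'
    Mode               = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policy

# Conditions: built-in SIT names must match exactly. minConfidence 85 requires
# supporting evidence (keywords / checksum), so a bare 16-digit number does not fire.
$sits = @(
    @{ Name = 'Credit Card Number';                minCount = '1'; minConfidence = '85' }
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1'; minConfidence = '85' }
)

# Rule 1: content shared with anyone outside the organization is blocked,
# the owner/last modifier sees a policy tip, and an incident report is raised.
$blockRule = @{
    Name                                = "$policyName - block external sharing"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $sits
    AccessScope                         = 'NotInOrganization'
    BlockAccess                         = $true
    BlockAccessScope                    = 'All'
    NotifyUser                          = @('Owner', 'LastModifier')
    NotifyAllowOverride                 = 'WithJustification'
    NotifyPolicyTipCustomText           = 'This item contains payment card or SSN data and cannot be shared outside the organization.'
    GenerateIncidentReport              = 'compliance@contoso.com'
    IncidentReportContent               = 'All'
    ReportSeverityLevel                 = 'High'
}
New-DlpComplianceRule @blockRule

# Rule 2: the same content shared internally is only logged and flagged to the
# user (audit + notify, no block). Lower severity so triage can prioritise rule 1.
$auditRule = @{
    Name                                = "$policyName - internal audit only"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $sits
    AccessScope                         = 'InOrganization'
    NotifyUser                          = @('LastModifier')
    GenerateIncidentReport              = 'compliance@contoso.com'
    IncidentReportContent               = 'Default'
    ReportSeverityLevel                 = 'Low'
}
New-DlpComplianceRule @auditRule

# Check what was created before enforcing.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, NotifyUser, ReportSeverityLevel, Disabled

# After reviewing incident reports for a week or two, switch from test mode to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The encryption action is deliberately absent: applying a Rights Management template is an Exchange-only action and belongs in a policy scoped to Exchange alone rather than in a multi-workload policy like this one.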
Retention Labels and Records Management
Retention labels define how long content must be kept and what happens at the end of the retention period (delete, keep, or route to a disposition review). A label can additionally mark an item as a record, or as a regulatory record, which restricts what can be done to the item while the label is applied.
Retention Label Design
- Map retention labels to regulatory obligations: HIPAA (6 years), FINRA (3–6 years), SOX (7 years), SEC 17a-4 (immutable)
- Create a label taxonomy before deploying; retroactive re-labeling is expensive
- Use the file plan for formal records management: item type, disposition reviewer, regulatory citation
- Disposition review: requires a human reviewer before permanent deletion of regulated records
- Regulatory record labels cannot be removed or have their retention period shortened once applied, so pilot them on a test site before publishing
Auto-Apply Retention Labels
Auto-apply policies apply retention labels automatically based on three trigger types:
- Sensitive information types: documents containing SSNs get labeled "PII – 7 Year Retention"
- Keywords or searchable properties: a KQL query over content or metadata, for example documents in specific libraries or with specific property values
- Trainable classifiers: contracts, financial statements, HR documents, using Microsoft's pre-trained classifiers or ones trained on your own samples
Auto-apply can take up to seven days to label matching items and does not replace a retention label that is already on an item.
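The label design and auto-apply triggers described above, as an added PowerShell example that is not code from the original page or from EPC Group. It assumes the ExchangeOnlineManagement module, an account with the Compliance Administrator role, that records@contoso.com, the site URL and the label names are placeholders, and that the one-time regulatory-record switch has been run for the tenant.

```powershell
# Added example (not from the original page). Creates three retention labels
# mapped to regulatory obligations (one an SEC 17a-4 regulatory record), then two
# auto-apply policies: one keyed on the SSN sensitive information type, one on a
# KQL keyword query. All names, addresses and URLs are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.com'

# One-time tenant switch that exposes the regulatory-record option to New-ComplianceTag:
# Set-RegulatoryComplianceUI -Enabled $true

# Durations are days from item creation. KeepAndDelete retains for the period and
# then deletes, or routes to disposition review when ReviewerEmail is set.
$labels = @(
    @{ Name = 'HIPAA - 6 Year Retention';    Days = 6 * 365; Record = $false; Regulatory = $false
       Comment = '45 CFR 164.316(b)(2): documentation retained 6 years'; Reviewer = 'records@contoso.com' }
    @{ Name = 'PII - 7 Year Retention';      Days = 7 * 365; Record = $false; Regulatory = $false
       Comment = 'Personal data; 7 years per internal schedule'; Reviewer = $null }
    @{ Name = 'SEC 17a-4 Regulatory Record'; Days = 6 * 365; Record = $true;  Regulatory = $true
       Comment = 'SEC 17a-4: immutable once applied; cannot be removed or shortened'; Reviewer = $null }
)

foreach ($l in $labels) {
    $tag = @{
        Name              = $l.Name
        Comment           = $l.Comment
        RetentionAction   = 'KeepAndDelete'
        RetentionType     = 'CreationAgeInDays'
        RetentionDuration = $l.Days
        IsRecordLabel     = $l.Record
    }
    if ($l.Reviewer)   { $tag['ReviewerEmail'] = $l.Reviewer }   # human sign-off before deletion
    if ($l.Regulatory) { $tag['Regulatory']    = $true }         # irreversible: pilot on a test site first
    New-ComplianceTag @tag
}

# Auto-apply policy 1: SIT trigger. The policy sets scope; the rule binds the
# condition to the label. Labeling can take up to 7 days and never replaces a
# label that is already on an item.
$ssnPolicy = 'Auto-apply PII retention (SSN)'
New-RetentionCompliancePolicy -Name $ssnPolicy -Enabled $true `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All
New-RetentionComplianceRule -Name "$ssnPolicy - rule" -Policy $ssnPolicy `
    -ApplyComplianceTag 'PII - 7 Year Retention' `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1'; minConfidence = '85' }

# Auto-apply policy 2: keyword/property trigger expressed in KQL, scoped to one site.
$kqlPolicy = 'Auto-apply HIPAA retention (keywords)'
New-RetentionCompliancePolicy -Name $kqlPolicy -Enabled $true `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/compliance'
New-RetentionComplianceRule -Name "$kqlPolicy - rule" -Policy $kqlPolicy `
    -ApplyComplianceTag 'HIPAA - 6 Year Retention' `
    -ContentMatchQuery '"HIPAA" AND ("risk assessment" OR "security policy")'

# Verify the labels and confirm the policy actually reached its locations.
Get-ComplianceTag | Format-List Name, RetentionAction, RetentionDuration, IsRecordLabel, ReviewerEmail
Get-RetentionCompliancePolicy -Identity $ssnPolicy -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus
```

A policy whose DistributionStatus is still Pending or reports an error is not labeling anything yet; check it before reporting the retention control as implemented.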
eDiscovery
eDiscovery searches for content across Microsoft 365 in response to legal holds, investigations, or regulatory inquiries. Microsoft 365 provides three tools with escalating capability.
- Content Search: Finds content across mailboxes, sites, and Teams and can export the results. No cases, holds, or case-scoped permissions.
- eDiscovery (Standard): Adds cases, legal hold on custodian mailboxes and sites, case-scoped searches, and per-case access control.
- eDiscovery (Premium): Adds conversation threading, near-duplicate detection, predictive coding (relevance ranking), and custodian management. Required for complex litigation with high document volumes.
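The eDiscovery (Standard) workflow of case, hold, search and export, as an added PowerShell example that is not code from the original page or from EPC Group. It assumes the ExchangeOnlineManagement module, an account with the eDiscovery Manager role, and that the case name, custodians, site URL and search phrase are placeholders.

```powershell
# Added example (not from the original page). Opens a case, places custodian
# mailboxes and a site on hold, confirms the hold was distributed, runs a
# case-scoped search and stages an export. All identifiers are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.com'

$case       = 'Matter-2026-014'
$custodians = @('jdoe@contoso.com', 'asmith@contoso.com')
$site       = 'https://contoso.sharepoint.com/sites/trading'
$query      = '"Project Falcon"'   # KQL; date properties differ per workload, so keep it workload-neutral

New-ComplianceCase -Name $case -Description 'Regulatory inquiry (placeholder)'

# Hold policy = locations; hold rule = optional query. With a query only matching
# items are preserved; leave ContentMatchQuery out to hold everything in scope.
New-CaseHoldPolicy -Name "$case-hold" -Case $case -Enabled $true `
    -ExchangeLocation $custodians -SharePointLocation $site
New-CaseHoldRule -Name "$case-hold-rule" -Policy "$case-hold" -ContentMatchQuery $query

# Hold verification: a location showing Pending or an error is not protected yet,
# whatever the case overview page says.
Get-CaseHoldPolicy -Identity "$case-hold" -DistributionDetail |
    Format-List Name, Enabled, ExchangeLocation, SharePointLocation, DistributionStatus

# Case-scoped search using the same query so the collection mirrors the hold.
New-ComplianceSearch -Name "$case-search" -Case $case `
    -ExchangeLocation $custodians -SharePointLocation $site -ContentMatchQuery $query
Start-ComplianceSearch -Identity "$case-search"
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity "$case-search"
} while ($search.Status -ne 'Completed')
$search | Format-List Name, Status, Items, Size

# Stage the export: one PST per mailbox, native files for SharePoint, indexed
# items only. The package itself is downloaded with the eDiscovery Export Tool.
New-ComplianceSearchAction -SearchName "$case-search" -Export `
    -Format FxStream -ExchangeArchiveFormat PerUserPst -Scope IndexedItemsOnly
```

Unindexed (partially indexed) items are excluded by the Scope choice above; for a regulatory production, re-run the export with BothIndexedAndUnindexedItems so nothing is silently dropped.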
Information Barriers
Information barriers (IB) restrict communication and collaboration between defined groups of users, called segments. Financial-services regulators require this kind of separation; the classic example is the wall between a trading desk and the research team.
IBs are also increasingly used in healthcare, for example to separate clinical teams from billing teams.
- Restrict Teams messaging and meeting invites between designated groups
- Block SharePoint file sharing across IB-separated departments
- Prevent OneDrive sharing between restricted groups
- Each policy blocks one direction only; a two-way wall needs a policy in each direction
- A user may belong to only one segment; overlapping segments cause policy application to fail for the affected users
- Requires Microsoft 365 E5 or Compliance E5 add-on
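The trading/research wall described above, as an added PowerShell example that is not code from the original page or from EPC Group. It assumes the ExchangeOnlineManagement module, an account with the IB Compliance Management role, that the Department attribute is populated for every user, that tenant prerequisites (Teams scoped directory search, no overlapping segments) are already met, and that the segment names and the users jdoe@contoso.com and rlee@contoso.com are placeholders.

```powershell
# Added example (not from the original page). Defines two segments by the
# Entra ID Department attribute, blocks communication in both directions,
# applies the policies and checks the result for one pair of users.
# All names and addresses are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.com'

# Segments: each user must resolve to at most one segment, otherwise policy
# application fails for that user. Filters use the dynamic-group attribute syntax.
New-OrganizationSegment -Name 'Trading'  -UserGroupFilter "Department -eq 'Trading'"
New-OrganizationSegment -Name 'Research' -UserGroupFilter "Department -eq 'Research'"

# A policy blocks communication from its assigned segment to the listed segments.
# Blocking is per direction, so a second policy is needed for a true two-way wall.
New-InformationBarrierPolicy -Name 'Trading-blocks-Research' -AssignedSegment 'Trading'  -SegmentsBlocked 'Research' -State Inactive
New-InformationBarrierPolicy -Name 'Research-blocks-Trading' -AssignedSegment 'Research' -SegmentsBlocked 'Trading'  -State Inactive

# Activate both, then apply. Application runs asynchronously and can take
# 30 minutes or more in a large tenant.
Set-InformationBarrierPolicy -Identity 'Trading-blocks-Research' -State Active
Set-InformationBarrierPolicy -Identity 'Research-blocks-Trading' -State Active
Start-InformationBarrierPoliciesApplication

# Poll the most recent application job until it finishes.
do {
    Start-Sleep -Seconds 60
    $status = Get-InformationBarrierPoliciesApplicationStatus
} while ($status.Status -notin @('Completed', 'Failed'))
$status

# Verify the outcome for a concrete pair of users. This cmdlet lives in Exchange
# Online PowerShell, so a second connection is needed.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'
Get-InformationBarrierRecipientStatus -Identity 'jdoe@contoso.com' -Identity2 'rlee@contoso.com'
```

The final check is the one worth keeping in a runbook: it reports which policy, if any, blocks the pair, which is the evidence a compliance officer needs rather than a list of policies that merely exist.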
EPC Group Microsoft 365 Compliance Services
EPC Group delivers Microsoft 365 compliance as fixed-fee engagements. Every engagement produces documented controls your compliance officer can sign off on.
- Regulatory gap analysis vs your applicable frameworks (HIPAA, GDPR, FINRA, FedRAMP)
- Compliance Manager optimization: review existing score, prioritize improvement actions
- DLP policy design and deployment across all M365 workloads
- Retention framework implementation: label taxonomy, auto-apply policies, records management
- eDiscovery readiness assessment: hold verification, custodian mapping, search validation
- Information barrier configuration for financial services and healthcare
- Ongoing compliance monitoring with quarterly review cadence
Frequently Asked Questions
What is a Sensitive Information Type (SIT) and how many does Microsoft provide?
A Sensitive Information Type (SIT) is a pattern-matching engine that identifies specific data in Microsoft 365 content.
Microsoft offers over 300 pre-built Sensitive Information Types (SITs). These include:
- Credit card numbers
- Social Security numbers
- Passport numbers
- Health record identifiers
- Financial account numbers
- And many more
You can also create custom SITs for data patterns specific to your organization.
What is the difference between DLP and sensitivity labels?
Sensitivity labels classify and protect content. The label, and any encryption it applies, stays attached to the file wherever it travels. Data Loss Prevention (DLP) policies detect sensitive content and control what can be done with it. They can:
- Block sharing outside the organization.
- Require encryption of outbound mail.
- Alert compliance officers on policy violations.
- Audit access and sharing without intervening.
A sensitivity label can itself be a DLP condition, so a file labeled "Confidential" can be blocked from external sharing even when no SIT matches.
Both features work together:
- Sensitivity labels identify what the content is.
- DLP policies enforce what can be done with it.
Do we need eDiscovery Premium or will Standard work?
eDiscovery Standard is sufficient for straightforward legal holds and content exports.
Premium is necessary for several specific situations. These include:
- High document volumes
- Complex litigation that requires relevance ranking (predictive coding)
- Conversation threading across Teams and email
- Custodian management for large numbers of data subjects
Additionally, regulated industries that face frequent regulatory inquiries typically require Premium.
What does EPC Group charge for a Microsoft 365 compliance engagement?
Engagements are fixed-fee based on the number of regulatory frameworks in scope, the complexity of your data environment, and whether you need ongoing managed compliance monitoring.
A baseline compliance engagement includes a gap analysis, DLP, and a retention framework. The cost usually falls within the mid-five figure range.
For a detailed estimate, please reach out to EPC Group at:
- Phone: (888) 381-9725
- Email: contact@epcgroup.net
Start Your Microsoft 365 Compliance Engagement
EPC Group offers Microsoft 365 compliance consulting to Fortune 500 companies in various sectors. These include:
- Healthcare
- Financial services
- Federal government
- Manufacturing
To schedule a Compliance Readiness Assessment, call (888) 381-9725, email contact@epcgroup.net, or visit /contact.
Additional Frequently Asked Questions
What is Microsoft Purview Compliance Manager?
Microsoft Purview Compliance Manager is a risk-based compliance management solution within Microsoft 365 that helps organizations assess, monitor, and improve their compliance posture. It provides pre-built assessments for 360+ regulations (HIPAA, GDPR, SOC 2, FedRAMP, PCI DSS, etc.), a compliance score (0-100%) that measures your current posture, and recommended improvement actions with step-by-step implementation guidance. Compliance Manager is included in Microsoft 365 E3/E5 licenses.
How do Microsoft 365 DLP policies work?
Data Loss Prevention (DLP) policies in Microsoft 365 detect and prevent the sharing of sensitive information across Exchange, SharePoint, OneDrive, Teams, and endpoint devices. DLP policies use sensitive information types (SITs) like credit card numbers, Social Security numbers, and health records to identify sensitive content, then enforce actions like blocking sharing, requiring encryption, or notifying compliance officers. Microsoft 365 E5 or E5 Compliance add-on is required for endpoint DLP.
What is the difference between retention labels and retention policies in Microsoft 365?
Retention policies apply retention settings broadly to entire locations (all Exchange mailboxes, all SharePoint sites) and are best for baseline retention across the organization. Retention labels apply to individual items (specific emails, documents) and support more granular control including disposition review, records management, and event-based retention. Most enterprises use both: retention policies for baseline data lifecycle management and retention labels for regulatory records that require specific handling.
How does eDiscovery work in Microsoft 365?
Microsoft 365 eDiscovery enables legal teams to search, preserve, collect, and export electronically stored information (ESI) for litigation, investigations, and regulatory inquiries. Content Search finds content across mailboxes, sites, and Teams and can export results. eDiscovery (Standard) adds cases, legal hold, and case-scoped search and export. eDiscovery (Premium) adds advanced features like conversation threading, near-duplicate detection, predictive coding, and custodian management. Premium requires Microsoft 365 E5, the E5 Compliance add-on, or the E5 eDiscovery and Audit add-on.
Do we need Microsoft 365 E5 for compliance features?
Not necessarily. Microsoft 365 E3 includes basic compliance features: Purview Compliance Manager (limited assessments), basic DLP for Exchange and SharePoint, standard retention policies, and Content Search. Microsoft 365 E5 adds advanced capabilities: endpoint DLP, eDiscovery (Premium), auto-labeling, insider risk management, communication compliance, and information barriers. For regulated industries (healthcare, financial services), E5 or the E5 Compliance add-on ($12/user/month) is typically necessary to meet regulatory requirements.
