Microsoft Purview: Data Governance & Compliance Guide 2026 - EPC Group enterprise consulting

Enterprise Microsoft Purview deployment guide — 8-domain operating model covering Information Protection, DLP, retention, eDiscovery, Insider Risk, Compliance Manager, AI Hub, Data Governance.

Errin O'Connor, CEO & Chief AI Architect • January 21, 2026 • 5 min read

Tags: Microsoft Purview, Data Governance, Compliance, DLP, Sensitivity Labels, eDiscovery, Insider Risk

Microsoft Purview Data Governance: Enterprise Guide (2026)

Microsoft Purview is the unified data governance, compliance, and risk plane across Microsoft 365, Microsoft Fabric, Azure, and Microsoft Copilot. This guide is the working enterprise deployment playbook EPC Group uses for Fortune 500 governance programs — sensitivity labels, DLP, eDiscovery, audit, insider risk, AI governance, and Compliance Manager.

EPC Group has delivered Microsoft Purview implementations for Fortune 500 healthcare, financial services, government, manufacturing, and technology since the Azure Information Protection era and through the Microsoft Information Protection rebrand into Purview.

TL;DR — The 8-Domain Microsoft Purview Operating Model

| Domain | Purpose |
|---|---|
| Information Protection | Sensitivity labels and encryption |
| Data Loss Prevention | Block exfiltration of sensitive data |
| Data Lifecycle Management | Retention, deletion, records management |
| eDiscovery | Litigation, regulatory, internal investigation |
| Insider Risk Management | Employee risk signal correlation |
| Compliance Manager | Control attestation and assessment |
| AI Hub | Microsoft Copilot risk monitoring |
| Data Map and Catalog | Data discovery and classification (Purview Data Governance) |

Domain 1: Information Protection (Sensitivity Labels)

EPC Group Standard 5-Tier Taxonomy

  1. Public — public information, no restrictions
  2. General — internal but not sensitive
  3. Confidential — internal sensitive, encryption optional
  4. Highly Confidential — limited distribution, encryption required
  5. Restricted — regulated data, encryption required, Copilot blocked

Each tier has sub-labels for industry-specific scenarios (Restricted-PHI, Restricted-MNPI, Restricted-CUI, etc.).

Auto-Labeling at Scale

| Data Surface | Auto-Labeling Approach |
|---|---|
| SharePoint Online | Service-side auto-labeling policies |
| OneDrive | Service-side auto-labeling policies |
| Exchange Online | Service-side auto-labeling policies |
| Office desktop apps | Client-side auto-labeling |
| Microsoft Fabric | Auto-labeling on data sources |
| Microsoft Copilot | Label-aware grounding |
| Third-party SaaS | Microsoft Defender for Cloud Apps |

Coverage targets: 80%+ of regulated content within 90 days, 95%+ within 180 days.

Domain 2: Data Loss Prevention (DLP)

Standard DLP Policy Framework

EPC Group standard DLP policies for enterprise rollout:

  • PII protection — block external sharing of SSN, credit card, financial account numbers
  • PHI protection — block external sharing of medical record patterns (regulated tenants)
  • Credentials in code — block GitHub, ADO, internal repositories from leaking credentials
  • Confidential project keywords — block sharing of project codenames externally
  • Strategic and pre-public — block external sharing of M&A keywords, financial pre-public data
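The PII policy above hinges on two conditions: the content really contains an SSN or card number, and it is leaving the organization. The sketch below is an added example, not EPC Group's or Microsoft's code; the function names, the `contoso.example` domain, and the sample strings are assumptions constructed for illustration. It shows why a DLP match should validate candidates (Luhn checksum, unissued SSN ranges) rather than trust the pattern shape alone.

```python
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def find_pii(text):
    """Return the PII types present after validation, not just pattern shape."""
    hits = []
    if any(ssn_ok(*m.groups()) for m in SSN_RE.finditer(text)):
        hits.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append("credit_card")
            break
    return hits

def evaluate(text, recipients, internal_domains):
    """Block only when validated PII is addressed to a recipient outside the org."""
    hits = find_pii(text)
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in internal_domains]
    if hits and external:
        return "block", hits
    return ("audit" if hits else "allow"), hits

if __name__ == "__main__":
    # Constructed sample: Luhn-valid test card number sent to an external address.
    print(evaluate("Card 4111 1111 1111 1111 on file",
                   ["vendor@partner.example"], {"contoso.example"}))
```

The same message sent only to internal recipients returns `audit` instead of `block`, which mirrors the "block external sharing" wording of the policy.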

Endpoint DLP

Microsoft Purview Endpoint DLP extends to:

  • Clipboard content monitoring
  • USB device blocking for Restricted-tier data
  • Cloud upload monitoring (Dropbox, Google Drive, personal email)
  • Network share monitoring
  • Bluetooth file transfer blocking
  • Print monitoring

DLP for Microsoft Copilot

Purview DLP policies block:

  • Restricted-tier data from Copilot grounding
  • Sensitive prompts (e.g., "summarize this PII document")
  • Sensitive responses (e.g., redact SSN appearing in Copilot output)
  • Cross-tenant sharing of Copilot-generated content with sensitive sources

Domain 3: Data Lifecycle Management (DLM)

Retention Label Framework

| Retention Period | Use Case |
|---|---|
| Short-term (30/60/90 days) | Transient data, draft content |
| 7 years | HIPAA, FINRA, broker-dealer records |
| 10 years | SEC Rule 17a-4 broker-dealer records |
| Permanent | Vital records, IP, regulatory submissions |

Records Management

Microsoft Purview records management includes:

  • Declared records (immutable, deletion-protected)
  • Regulatory record categories (with retention proof)
  • Disposition review workflow (legal/compliance approval before deletion)
  • Records management audit log (separate from operational audit log)
  • Records retention attestation reports for regulators

Domain 4: eDiscovery

Tier Selection

| Tier | Use Case |
|---|---|
| Microsoft Purview eDiscovery (Standard) | Internal investigation, basic litigation |
| Microsoft Purview eDiscovery (Premium) | Complex litigation, regulatory inquiry, large data volumes |

Premium adds: custodian-based scoping, hold preservation across all M365 surfaces, native review interface, ML-assisted relevance scoring, error remediation, advanced analytics.

eDiscovery Integration

  • Microsoft Copilot prompts and responses included in eDiscovery scope
  • Microsoft Teams chat (1:1, group, channel) included
  • SharePoint, OneDrive, Exchange Online included
  • Yammer (Viva Engage) included
  • Cross-tenant collaboration included for tenants with reciprocal eDiscovery agreements

Domain 5: Insider Risk Management (IRM)

Risk Indicator Categories

  • Departure risk — employee notice, performance review, termination
  • Data exfiltration — anomalous download patterns, USB use, cloud upload
  • Policy violation — sensitivity label tampering, DLP override
  • Communication risk — confidential project leakage, harassment patterns
  • Security incident — credential compromise, suspicious sign-in patterns

Privacy Controls

Microsoft Purview Insider Risk Management is built for privacy-by-design:

  • Pseudonymization of user identity by default
  • Manager / HR investigator workflow with named-identity unmasking
  • Audit log of investigator actions
  • GDPR-aligned data minimization
  • Works council notification compliance for European tenants

Domain 6: Compliance Manager

Built-In Control Frameworks

Microsoft Compliance Manager ships with control mappings for:

  • NIST CSF, NIST SP 800-53, NIST SP 800-171, NIST AI RMF
  • ISO 27001, ISO 27017, ISO 27018, ISO 27701
  • HIPAA, HITRUST CSF
  • SOC 1, SOC 2, SOC 3
  • PCI DSS, FFIEC
  • FedRAMP Moderate / High
  • CMMC (1.0 and 2.0)
  • GDPR, CCPA, LGPD
  • ISO 42001 (AI management)
  • EU AI Act

Customer-Side Control Implementation

Compliance Manager tracks Microsoft service-side controls (Microsoft attestation) AND customer-side controls (your implementation). Standard EPC Group package includes:

  • Customer-Responsibility Matrix prepopulated for Microsoft 365, Azure, Microsoft Fabric
  • Evidence collection automation via Microsoft Sentinel and Microsoft Purview audit
  • Control attestation reports for board, audit committee, regulator submissions

Domain 7: AI Hub (Microsoft Copilot Risk Monitoring)

Day-1 Capabilities

  • Microsoft Copilot for M365 prompt and response monitoring
  • Sensitive data exposure detection (Restricted-tier exposure)
  • Anomalous prompt pattern detection
  • Compliance reporting (HIPAA, GDPR, EU AI Act)
  • Integration with Microsoft Sentinel for SOC alerting
  • User-level adoption metrics

Custom AI Risk Detections

Microsoft Sentinel + AI Hub custom rules for:

  • High-volume Restricted-tier grounding attempts
  • Off-hours / off-region Copilot usage
  • Cross-program data correlation (Information Barriers violation indicators)
  • Sensitive data exfiltration via Copilot output
  • Prompt-injection attack patterns
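Two of the custom detections listed above, high-volume Restricted-tier grounding and off-hours / off-region usage, reduce to simple windowed logic over Copilot interaction events. The following is an added example, not a Sentinel analytics rule or EPC Group's code; the event field names, thresholds, business hours, and sample events are all assumptions constructed for illustration and do not reflect a Purview or Sentinel schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (UTC); field names are hypothetical.
EVENTS = [
    {"user": "u1", "time": "2026-01-20T14:00:00", "label": "General", "region": "US"},
    {"user": "u2", "time": "2026-01-20T14:01:00", "label": "Restricted-PHI", "region": "US"},
    {"user": "u2", "time": "2026-01-20T14:03:00", "label": "Restricted-PHI", "region": "US"},
    {"user": "u2", "time": "2026-01-20T14:05:00", "label": "Restricted-PHI", "region": "US"},
    {"user": "u3", "time": "2026-01-20T02:30:00", "label": "General", "region": "US"},
    {"user": "u4", "time": "2026-01-20T15:00:00", "label": "General", "region": "DE"},
    {"user": "u5", "time": "2026-01-20T09:00:00", "label": "Restricted-CUI", "region": "US"},
    {"user": "u5", "time": "2026-01-20T09:30:00", "label": "Restricted-CUI", "region": "US"},
    {"user": "u5", "time": "2026-01-20T10:00:00", "label": "Restricted-CUI", "region": "US"},
]

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 3                    # assumed Restricted-tier attempts per window
BUSINESS_HOURS = range(7, 19)    # assumed 07:00-18:59 UTC
HOME_REGIONS = {"US"}            # assumed approved regions

def detect(events):
    """Return (user, rule, time) alerts in chronological order."""
    alerts = []
    restricted = defaultdict(list)   # user -> Restricted-tier timestamps still in window
    flagged = set()                  # users already alerted for volume
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ts.hour not in BUSINESS_HOURS or ev["region"] not in HOME_REGIONS:
            alerts.append((user, "off_hours_or_region", ev["time"]))
        if ev["label"].startswith("Restricted"):
            recent = [t for t in restricted[user] if ts - t <= WINDOW] + [ts]
            restricted[user] = recent
            if len(recent) >= THRESHOLD and user not in flagged:
                flagged.add(user)
                alerts.append((user, "high_volume_restricted_grounding", ev["time"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

User u5 touches Restricted-tier content three times but spread over an hour, so the windowed rule stays quiet; only the burst from u2 alerts.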

Domain 8: Microsoft Purview Data Governance (Data Map and Catalog)

Multi-Cloud Data Coverage

| Source | Native Connector |
|---|---|
| Microsoft 365 | Native |
| Microsoft Fabric / OneLake | Native |
| Azure Data Lake / Synapse / Cosmos DB | Native |
| AWS S3, RDS, Redshift | Native |
| Google BigQuery, Cloud SQL | Native |
| Snowflake, Databricks | Native |
| SAP HANA, Salesforce | Native |
| On-premises SQL Server, Oracle, Teradata | Self-hosted Integration Runtime |

Data Catalog

  • Asset inventory with technical metadata
  • Glossary terms with business owner attribution
  • Data lineage (source-to-consumption)
  • Sensitivity classification surfaced from Information Protection
  • Governance domain alignment (data products, data domains)

Frequently Asked Questions

How much does Microsoft Purview cost?

Microsoft Purview pricing depends on which capabilities you license:

  • Microsoft 365 E5 includes: sensitivity labels, DLP, retention, eDiscovery (Premium), Insider Risk, AI Hub
  • Microsoft 365 E3 includes: basic sensitivity labels, basic DLP, basic retention, eDiscovery (Standard)
  • Microsoft Purview Data Governance (formerly Data Map): consumption-based, typical mid-market $50K-$200K/year
  • Compliance Manager: included with E3/E5

Most enterprises run Microsoft 365 E5 + Microsoft Purview Data Governance for full coverage.

Should we use Microsoft Purview or a third-party governance tool?

Microsoft Purview is the recommended primary governance plane for Microsoft 365 anchored enterprises. Third-party tools (Collibra, Alation, Atlan) typically integrate alongside Purview rather than replace it. Common pattern: Purview for Microsoft 365 + Microsoft Fabric, third-party for non-Microsoft data sources.

Can Purview cover non-Microsoft data?

Yes. Microsoft Purview Data Governance scans AWS, GCP, Snowflake, Databricks, SAP, Salesforce, and on-premises sources. DLP and Information Protection extend to third-party SaaS via Microsoft Defender for Cloud Apps.

What's the deployment timeline?

Six to twelve months for enterprise-wide deployment. EPC Group standard sequence:

  • Months 1-2: Sensitivity label taxonomy and pilot
  • Months 2-4: DLP policy rollout
  • Months 3-5: Retention and records management
  • Months 5-8: Insider Risk and AI Hub
  • Months 6-12: Microsoft Purview Data Governance for non-M365 sources

How does this integrate with our SOC?

Microsoft Sentinel ingests Microsoft Purview signals (DLP alerts, AI Hub alerts, Insider Risk alerts) for unified SOC monitoring. Custom analytics rules and playbooks automate incident response. Integration with ServiceNow and other ITSM tools supports ticket creation.

Who delivers Microsoft Purview engagements?

EPC Group senior architects with combined Azure Information Protection, Microsoft Information Protection, and Microsoft Purview experience since 2017. Errin O'Connor is a 4-time Microsoft Press author. Senior architects bring CIPP, CISSP, and Microsoft Information Protection Specialist credentials.

Next Steps

Schedule a 30-minute Microsoft Purview discovery call at /schedule or call (888) 381-9725. Senior architects (not sales) take discovery calls.

Related reading: Microsoft Copilot Governance Framework for Regulated Industries, Microsoft 365 Security Audit Enterprise Checklist, HIPAA-Compliant Microsoft 365, and NIST AI RMF Microsoft Stack Implementation.
