Microsoft Purview: The Complete Enterprise Data Governance Guide for 2026
Microsoft Purview has become the governance backbone of the Microsoft data platform, connecting Microsoft 365, Azure, Fabric, and multi-cloud environments under a single governance framework. This guide covers everything from initial setup through enterprise-wide deployment across regulated industries.
Microsoft Purview Data Governance Guide 2026
Microsoft Purview is the data governance platform for Microsoft 365, Azure, and Microsoft Fabric. It manages sensitivity labels, DLP, compliance reporting, and the data catalog from one console. It supports HIPAA, SOC 2, FedRAMP, GDPR, and the EU AI Act. Last updated: 2026 · Read time: ~5 min
Key facts
- Purview governs data across Microsoft 365, Azure, and Microsoft Fabric from a single console — no other platform covers all three.
- The EU AI Act, HIPAA, and SEC regulations now require the kind of data lineage and classification that Purview provides. Governance is no longer optional.
- Sensitivity labels in Purview flow from source data through Fabric processing into Power BI reports.
- EPC Group's Purview implementations follow a three-tier pricing model based on organization size and compliance requirements.
- HIPAA retention requirement: 6 years minimum for covered entity records.
Why Purview is now required infrastructure
Three major regulations changed the governance landscape in 2024–2025:
- EU AI Act. Requires data lineage for AI training data. Enterprises using Copilot or Azure OpenAI in EU jurisdictions must document data provenance.
- HIPAA. Demands PHI tracking across all systems — including AI tools that surface health data.
- SEC regulations. Require data governance documentation for financial data used in reporting and AI applications.
Microsoft Purview is the only platform that governs data across Microsoft 365, Azure, and Microsoft Fabric from one console. That single-console view is what makes it the infrastructure of choice for regulated industries deploying AI.
EU AI Act compliance requirements for Purview
Enterprises using Microsoft Copilot, Azure OpenAI, or Power BI Copilot in EU jurisdictions face specific compliance requirements under the EU AI Act. Key articles that require Purview controls:
- Article 6 — AI system inventory and risk classification. Document all AI systems and their risk level.
- Article 10 — Data governance. Data used for AI must be governed, classified, and documented.
- Article 11 — Technical documentation. Maintain technical documentation for AI systems including data sources.
- Article 12 — Record-keeping. Automated logging of AI operations and decisions.
- Article 13 — Transparency. AI systems must disclose their nature and data sources to users.
- Article 14 — Human oversight. AI decisions must be subject to human review for high-risk use cases.
- Article 43 — Conformity assessment. High-risk AI systems require documented conformity assessment.
Purview governance for Microsoft Fabric
Microsoft Fabric is Microsoft's analytics and data platform. Purview governs Fabric workloads through five integrated controls:
- Sensitivity labels. Flow from source data through Fabric processing to Power BI reports. A confidential label on the source stays on the report.
- Data lineage tracking. Track every transformation across Fabric lakehouses and warehouses. Auditors see exactly how data moved from source to report.
- Data catalog discovery. Discover Fabric assets — lakehouses, warehouses, semantic models — in the Purview catalog.
- Access policies for OneLake. Control who can read which Fabric lakehouse data through Purview access policies.
- Compliance scanning. Scan Fabric workspaces for sensitive data that lacks proper classification or access controls.
HIPAA compliance with Purview
HIPAA requires specific controls for Protected Health Information (PHI). Purview covers all of them:
- Sensitivity labels for PHI identification. Auto-label medical record numbers, diagnosis codes, patient names, and other PHI patterns.
- DLP policies. Block unauthorized PHI sharing via email, Teams, or file upload. Require business justification for external PHI sharing.
- Retention policies. 6-year minimum retention for covered entity records, aligned to HIPAA requirements.
- Audit logging. Track who accessed PHI, when, and from where.
- Encryption. PHI encrypted at rest and in transit through sensitivity label encryption.
Purview pricing tiers
EPC Group's Purview implementations follow a three-tier model based on compliance scope and organization size. Exact pricing depends on your Microsoft 365 licensing, the number of data sources scanned, and the compliance frameworks in scope. EPC Group scopes each engagement in a discovery workshop before providing a fixed-fee proposal.
Frequently asked questions
What is the difference between Microsoft Purview and Azure Purview?
Azure Purview was the previous name for the data catalog and governance capabilities now called Microsoft Purview Data Governance. Microsoft rebranded and unified compliance tools (formerly called Microsoft Information Protection, Microsoft Compliance) with Azure Purview under the single Microsoft Purview brand in 2022.
Today, Microsoft Purview covers both compliance (sensitivity labels, DLP, eDiscovery) and data governance (data map, catalog, lineage).
Does Microsoft Purview work with non-Microsoft data sources?
Yes. Purview's Data Map scans Amazon S3, Google Cloud Storage, Azure SQL, Azure Data Lake, SAP, Oracle, SQL Server, and many other sources. Sensitivity labels can be applied to non-Microsoft content. DLP policies extend to endpoints regardless of the cloud service. Governance coverage is not limited to Microsoft-only environments.
How does Purview support the EU AI Act?
Purview provides data lineage (required by Article 10), audit logging (required by Article 12), and data catalog documentation (required by Article 11).
For organizations using Microsoft Copilot or Azure OpenAI in EU jurisdictions, Purview is the primary mechanism for meeting EU AI Act data governance requirements. Compliance Manager includes an EU AI Act assessment template.
What is the minimum Purview deployment for a HIPAA-covered entity?
Minimum HIPAA deployment: sensitivity labels identifying PHI, DLP policies blocking unauthorized PHI sharing, 6-year retention policies, audit logging for PHI access events, and encryption for PHI at rest and in transit.
This covers the HIPAA Security Rule technical safeguard requirements. EPC Group typically completes the HIPAA minimum deployment in 4–6 weeks.
Can Purview sensitivity labels apply automatically?
Yes. Auto-labeling uses built-in sensitive information types (SSN, credit card numbers, medical record numbers, passport numbers) and custom regex patterns to detect and label content automatically.
Auto-labeling works on SharePoint files, Exchange email, Teams messages, and OneDrive content. Client-side auto-labeling applies labels in real time as users create or edit documents in Office apps.
Ready to deploy Microsoft Purview as your governance foundation? Contact EPC Group for a Purview readiness assessment.
Frequently Asked Questions
What is Microsoft Purview?
Microsoft Purview is Microsoft's unified data governance, risk, and compliance platform. It combines the former Azure Purview (data catalog, data map) with Microsoft 365 compliance features (DLP, sensitivity labels, retention, eDiscovery, insider risk management). Purview provides a single pane of glass for governing data across Microsoft 365, Azure, on-premises, and multi-cloud environments.
How much does Microsoft Purview cost?
Microsoft Purview has both free and paid tiers. Basic features (sensitivity labels, manual classification, basic DLP) are included in Microsoft 365 E3. Advanced features (auto-classification, advanced DLP, insider risk management, compliance manager, eDiscovery Premium) require Microsoft 365 E5 or E5 Compliance add-on ($12/user/month). Azure Purview data catalog pricing is consumption-based. EPC Group helps organizations optimize Purview licensing.
How does Purview integrate with Microsoft Fabric?
Microsoft Purview provides governance for Microsoft Fabric through: sensitivity labels that flow from source data through Fabric processing to Power BI reports, data lineage tracking across Fabric lakehouses and warehouses, data catalog discovery of Fabric assets, access policies for OneLake data, and compliance scanning for sensitive data in Fabric workspaces. This integration makes Purview essential for governed analytics.
Is Microsoft Purview HIPAA compliant?
Yes, Microsoft Purview supports HIPAA compliance when properly configured. Key requirements include: sensitivity labels for PHI identification, DLP policies to prevent PHI oversharing, retention policies meeting 6-year HIPAA requirements, audit logging for access tracking, and encryption for data at rest and in transit. A Business Associate Agreement (BAA) with Microsoft is required. EPC Group implements HIPAA-compliant Purview configurations for healthcare organizations.
What is the difference between Purview and Azure Purview?
Azure Purview has been rebranded as part of the unified Microsoft Purview platform. The data catalog, data map, and data governance features from the former Azure Purview are now called Microsoft Purview Data Governance. The Microsoft 365 compliance features (DLP, sensitivity labels, retention) are called Microsoft Purview Information Protection and Microsoft Purview Compliance. All are managed through the unified Purview portal at purview.microsoft.com.