Audit-Ready: Microsoft 365 Compliance Center
Enterprise guide to the Purview compliance portal — Compliance Manager, data classification, DLP, insider risk, eDiscovery, audit, records management, and industry compliance.
Microsoft 365 Compliance Center Enterprise Guide 2026 — enterprise reference guide from EPC Group, built from 29 years of Microsoft consulting engagements at Fortune 500 scale. Covers architecture, governance, compliance, pricing benchmarks, and implementation timelines for the Microsoft ecosystem.
Key Facts
- Built from EPC Group enterprise consulting engagements at Fortune 500 scale.
- Compliance-native guidance for HIPAA, SOC 2, FedRAMP, FINRA, CMMC, and GxP environments.
- Includes pricing benchmarks, timelines, and decision-framework matrices where applicable.
- Authored by EPC Group senior architects with 10+ years Microsoft enterprise experience.
- Microsoft Solutions Partner with experience across core current designations.
- Free consultation to apply this guide to your specific environment.
What Is the Microsoft 365 Compliance Center?
Quick Answer: The Microsoft 365 Compliance Center is now known as the Microsoft Purview compliance portal. You can access it at compliance.microsoft.com. This portal serves as the central hub for:
- Managing compliance solutions
- Monitoring data privacy
- Ensuring regulatory adherence
- Managing compliance
- Data governance
- Information protection
It is essential for your Microsoft 365 environment.
It offers several key features:
- Compliance Manager for scoring against 300+ regulations
- Data classification and sensitivity labels
- Data Loss Prevention (DLP)
- Insider risk management
- Communication compliance
- eDiscovery
- Audit logging
- Retention policies
- Records management
For regulated enterprises, this portal helps configure and demonstrate compliance controls for HIPAA, SOC 2, GDPR, and FedRAMP in Microsoft 365.
Every enterprise using Microsoft 365 must meet compliance obligations. These obligations may arise from:
- Industry regulations like HIPAA for healthcare
- SOC 2 for technology
- GDPR for global operations
They can also stem from internal governance requirements.
Microsoft 365 offers extensive compliance capabilities. It includes over 10 major modules and hundreds of configuration options. Despite this, most organizations use less than 20% of their licensed features.
This guide provides the complete walkthrough of every compliance module based on EPC Group experience implementing Microsoft 365 compliance frameworks for Fortune 500 organizations in healthcare, financial services, and government. We cover what each module does, when to use it, licensing requirements, and implementation priorities.
For data governance specifically focused on Microsoft Purview's data catalog and governance capabilities, see our Microsoft Purview Data Governance guide.
Compliance Portal Modules at a Glance
The Purview compliance portal contains 10 major modules. Understanding each module's purpose and licensing helps you prioritize implementation based on your regulatory requirements.
Compliance Manager
Compliance score, assessments for 300+ regulations, improvement actions, control mapping
All M365 plans (basic); E5 for advanced assessments
Data Classification
Sensitive information types, trainable classifiers, content explorer, activity explorer
E3/E5
Information Protection
Sensitivity labels, encryption, rights management, visual markings, auto-labeling
E3 (manual); E5 (auto-labeling)
Data Loss Prevention
DLP policies across Exchange, SharePoint, Teams, endpoints; 300+ sensitive info types
E3 (basic); E5 (endpoint DLP, advanced)
Insider Risk Management
Risk detection, case management, HR integration, activity correlation, ML risk scoring
E5 or Insider Risk add-on
Communication Compliance
Teams/email monitoring, regulatory compliance, offensive language detection, reviewer workflows
E5 or Communication Compliance add-on
eDiscovery
Content search, legal holds, case management, AI-powered review, custodian management
E3 (Standard); E5 (Premium)
Audit
Unified audit log, 180-day (Standard) or 10-year (Premium) retention, high-value events
All plans (Standard); E5 (Premium)
Data Lifecycle Management
Retention policies, retention labels, auto-apply labels, disposition review
E3/E5
Records Management
Regulatory records, file plan, disposition, immutable records, event-based retention
E5 or Records Management add-on
Compliance Manager and Compliance Score
Compliance Manager is essential for every compliance program in Microsoft 365. It offers a compliance score based on data. It also aligns your settings with regulatory requirements.
- Prioritizes actions that will have the greatest impact.
- Helps you understand your compliance status.
- Guides you in improving your compliance efforts.
How the Compliance Score Works
Microsoft-Managed Actions
Controls that Microsoft handles for the M365 infrastructure — encryption at rest, physical data center security, network segmentation. These points are automatically counted toward your score. You cannot modify them, but they demonstrate the shared responsibility model.
Customer-Managed Actions
Controls that your organization must configure — enabling MFA, deploying DLP policies, configuring retention, enabling audit logging. Each action has a point value based on its impact. Completing high-value actions (like DLP deployment) yields more points than lower-value ones (like password policy).
Assessment Templates
Pre-built assessments for 300+ regulatory frameworks (HIPAA, SOC 2, GDPR, FedRAMP, ISO 27001, NIST 800-53, PCI DSS, CCPA). Each assessment maps specific M365 controls to regulatory requirements. You can run multiple assessments simultaneously to track compliance against all applicable regulations.
Improvement Actions
Prioritized list of specific steps to improve your score. Each action includes: description, implementation instructions, testing guidance, documentation templates, and point value. Actions are ranked by impact — focus on the top 10 improvement actions for the fastest compliance score increase.
EPC Group Benchmark: Organizations that do not use M365 compliance features usually score between 30% and 45%. However, with a focused 90-day compliance implementation, scores can rise to 70% to 80%. To reach scores of 90% or higher, organizations need advanced features, such as:
- Data loss prevention
- Information governance
- Advanced eDiscovery
- Data loss prevention
- Information governance
- Advanced eDiscovery
- Insider risk
- Communication compliance
- eDiscovery Premium
Moreover, having a dedicated compliance team is crucial for success.
The compliance score serves as an internal measurement tool, not a certification. Actual certifications, like SOC 2 and HIPAA, require an assessment by an independent auditor.
Data Classification
Data classification is essential for all compliance features. To protect sensitive data, you must first identify its location, type, and quantity within your M365 environment.
Sensitive Information Types
- 300+ built-in types (SSN, credit card, passport, health records)
- Custom types via regex, keyword dictionaries, exact data match
- Confidence levels (high, medium, low) reduce false positives
- Instance count thresholds — detect bulk exposure vs single occurrence
- Used by DLP, auto-labeling, insider risk, and communication compliance
Trainable Classifiers
- Machine learning models trained on content patterns
- Built-in classifiers: resumes, source code, financial statements, threats
- Custom classifiers trained on your organization-specific content
- Seed with 50-500 positive examples for accurate classification
- Combine with DLP and auto-labeling for intelligent protection
Content Explorer
- View actual documents containing sensitive information across M365
- Drill down by sensitive information type, sensitivity label, or retention label
- Shows document location, type, and matched sensitive content
- Requires Content Explorer Content Viewer role (restricted access)
- Essential for compliance audits — prove you know where sensitive data lives
Activity Explorer
- Timeline of data classification activities: labeling, DLP matches, sharing
- Filter by user, activity type, location, and date range
- Identifies trends: increasing DLP violations, declining label usage
- Export data for compliance reporting and executive dashboards
- Track adoption of sensitivity labels and classification policies
Information Protection and Sensitivity Labels
Sensitivity labels are vital for classifying and protecting content in Microsoft 365. These labels remain attached to the content, regardless of where it is stored or shared. This includes:
- SharePoint
- Downloaded to a device
- Emailed externally
- Shared in Teams
They play a key role in compliance, especially for organizations handling confidential data.
Enterprise Sensitivity Label Taxonomy
Public
Protections: No restrictions. Content can be shared freely.
Examples: Marketing materials, press releases, public documentation
General / Internal
Protections: No encryption. Header/footer marking. External sharing requires authentication.
Examples: Internal communications, meeting notes, project plans
Confidential
Protections: Encryption. Authenticated external sharing to approved domains only. No anonymous links. Watermarking on download.
Examples: Financial reports, strategy documents, client proposals, contracts
Highly Confidential
Protections: Full encryption. No external sharing. No download/print/copy. View-only access. Full audit trail. Automatic expiration.
Examples: PHI/PII, trade secrets, M&A documents, security assessments, board materials
Auto-labeling protects content that users may overlook. You can set up auto-labeling policies in the Purview compliance portal. This feature automatically applies sensitivity labels when documents include certain types of sensitive information.
Additionally, simulation mode allows you to preview which documents would receive labels before you enable enforcement.
Labels also apply to containers (SharePoint sites, Teams, M365 Groups) — setting site-level sharing restrictions, privacy settings, and conditional access policies automatically when the label is applied. This is the foundation for the three-tier sharing governance model described in our SharePoint External Sharing guide.
Data Loss Prevention (DLP)
DLP is the enforcement engine that stops sensitive data from leaving your organization through unauthorized channels. It operates across various platforms, including:
- SharePoint
- OneDrive
- Teams
- Endpoints
DLP detects and blocks policy violations in real time.
Email DLP (Exchange)
Scan outbound email for sensitive content before delivery. Block or encrypt messages containing PHI, PII, financial data, or custom sensitive types. Apply transport rules that quarantine suspicious emails for compliance review. Notify senders with policy tips explaining why their message was blocked and how to request an exception.
SharePoint and OneDrive DLP
Detect sensitive content in documents stored in SharePoint and OneDrive. Block external sharing of documents containing sensitive information. Apply sensitivity labels automatically when DLP detects regulated content. Show policy tips in SharePoint document libraries and OneDrive when users attempt to share protected content.
Teams DLP
Monitor Teams chat and channel messages for sensitive content in real time. Redact or block messages containing sensitive data — the message is replaced with a notification explaining the policy violation. Teams DLP covers 1:1 chats, group chats, and channel conversations. Particularly important for healthcare and financial services where employees may inadvertently share regulated data in chat.
Endpoint DLP
Monitor and control sensitive data on Windows and macOS devices. Detect when users copy sensitive files to USB drives, print sensitive documents, upload to unauthorized cloud storage, or copy sensitive content to clipboard. Actions include block, audit-only, or warn. Requires Microsoft 365 E5 or Endpoint DLP add-on. Essential for preventing data exfiltration via download-and-reshare.
Insider Risk and Communication Compliance
These two modules address the human element of compliance — detecting risky behavior and policy-violating communications before they result in data breaches, regulatory violations, or organizational harm.
Insider Risk Management
- Data theft by departing employees (HR connector triggers monitoring)
- Accidental data leaks (bulk file downloads, mass external sharing)
- Security policy violations (disabling MFA, bypassing DLP)
- ML-based risk scoring correlates multiple signals
- Case management with timeline, evidence, and recommended actions
- Privacy controls — user identities pseudonymized until escalation
Requires: E5 or Insider Risk Management add-on
Communication Compliance
- Regulatory language monitoring (SEC, FINRA, insider trading)
- Offensive language detection (harassment, threats, discrimination)
- Sensitive information in chats (passwords, PII, financial data)
- Built-in ML classifiers trained on millions of examples
- In-context review — surrounding messages shown, not just flagged content
- Role-based reviewer access with anonymization options
Requires: E5 or Communication Compliance add-on
eDiscovery and Audit
eDiscovery and audit are crucial for legal cases, compliance checks, and security incident responses. Every enterprise should set up these capabilities beforehand. If you wait until they are needed, you may miss important data.
eDiscovery Tiers
Content Search
All PlansBasic search across mailboxes, SharePoint, OneDrive, Teams. Export results. Available in all M365 plans. Use for simple investigations and ad-hoc searches.
eDiscovery Standard
E3/E5Adds case management, legal hold (preserves content from modification/deletion), and custodian identification. Place holds on specific mailboxes or sites. Required for litigation readiness.
eDiscovery Premium
E5Adds AI-powered review sets (predictive coding, near-duplicate detection, email threading, relevance scoring), non-M365 data processing, custodian communications, and privileged content detection. Required for complex litigation with large data volumes.
Audit Capabilities
Audit Standard
- 180-day log retention
- 100+ activity types across M365
- Search by user, activity, date, location
- Export to CSV for analysis
- Available in all M365 plans
Audit Premium
- 365-day retention (up to 10 years configurable)
- High-value events: MailItemsAccessed, SearchQuery
- Higher API throughput for large exports
- Intelligent insights for breach investigation
- Requires E5 license
Data Lifecycle Management and Records Management
Data lifecycle management ensures that content is retained for the required duration and deleted when it is no longer needed. Records management adds regulatory controls for content that must be kept as unchangeable records.
Retention Policies
Apply broad retention settings to entire locations — all Exchange mailboxes, all SharePoint sites, specific Teams channels. Retention policies run silently in the background. Content is retained for the specified period (e.g., 7 years) and optionally deleted after. Users cannot see or override retention policies. Use for baseline organizational retention: "Keep all email for 7 years" or "Delete Teams messages after 1 year."
Retention Labels
Apply retention settings to individual items — specific documents, emails, or messages. Labels can be applied manually by users, automatically by policies (based on sensitive information types or keywords), or as defaults for document libraries. Labels support records management: declaring an item as a record locks it from editing or deletion. Use for specific content requiring different retention than the baseline or content requiring regulatory records declaration.
Records Management
Advanced records capabilities for regulated industries. File plan imports from existing records management systems. Regulatory records cannot be modified, deleted, or relabeled by anyone — including administrators. Disposition reviews require designated reviewers to approve deletion at the end of retention. Event-based retention starts the retention clock when a triggering event occurs (contract termination, product end-of-life). Proof of disposal documents deletion for audit compliance.
Auto-Apply Retention Labels
Automatically apply retention labels based on content conditions: sensitive information types (apply "7-Year Financial Retention" to documents containing account numbers), keywords (apply "Legal Hold" to documents containing case numbers), trainable classifiers (apply "HR Records" to documents matching employee file patterns). Auto-apply ensures retention compliance without relying on user action — critical for organizations with thousands of employees creating content daily.
Industry Compliance: HIPAA, SOC 2, GDPR
The Purview compliance portal maps directly to industry regulatory requirements. Each regulation has a Compliance Manager assessment template that identifies the specific M365 controls needed to achieve compliance.
HIPAA Compliance
- Business Associate Agreement (BAA) signed with Microsoft
- Sensitivity labels for PHI classification with encryption
- DLP policies detecting health-related sensitive information types
- 6-year retention policies for PHI-containing content
- Conditional access: MFA + managed devices for PHI access
- Audit Premium: 10-year retention, MailItemsAccessed for breach investigation
- Insider risk monitoring for PHI data exfiltration
- eDiscovery legal holds for investigation readiness
SOC 2 Compliance
- Security: Conditional access (MFA, device compliance, location), Defender for M365
- Availability: M365 SLA documentation, service health monitoring
- Processing Integrity: DLP for data accuracy, audit logs for processing trail
- Confidentiality: Sensitivity labels with encryption, information barriers, DLP
- Privacy: Data classification, privacy management, subject rights requests
- Evidence collection: Compliance Manager assessment reports, audit log exports
- Quarterly access reviews via Entra ID for SOC 2 evidence
- Change management documentation via M365 audit trail
GDPR Compliance
- Data classification to identify personal data across M365
- Sensitivity labels for personal data protection
- DLP policies preventing unauthorized personal data sharing
- Subject rights requests (DSAR) module for data subject access, erasure, export
- Privacy management to detect personal data overexposure
- Data residency controls for EU data processing requirements
- Retention policies aligned with data minimization principle
- Breach notification readiness: Audit Premium + incident response procedures
Frequently Asked Questions
What is the Microsoft 365 Compliance Center?
The Microsoft 365 Compliance Center — now rebranded as the Microsoft Purview compliance portal (compliance.microsoft.com) — is the centralized hub for managing compliance, data governance, and information protection across Microsoft 365. It provides tools for: Compliance Manager (compliance score and assessments), data classification (sensitive information types, trainable classifiers), information protection (sensitivity labels, encryption), Data Loss Prevention (DLP policies across Exchange, SharePoint, Teams, endpoints), insider risk management (detect and investigate risky user behavior), communication compliance (monitor Teams/email for policy violations), eDiscovery (legal hold, content search, case management), audit (unified audit log, advanced audit), data lifecycle management (retention policies, retention labels), and records management (regulatory records, disposition). The portal consolidates what was previously spread across the Security & Compliance Center, Azure Information Protection, and separate admin portals into a single compliance management interface.
What is Compliance Manager and how does the compliance score work?
Compliance Manager is the assessment and scoring tool within the Purview compliance portal that measures your organization's compliance posture against regulatory frameworks. The compliance score is calculated as: (points achieved from completed improvement actions) / (total achievable points) x 100. Microsoft manages some actions automatically (infrastructure controls like encryption at rest, which Microsoft handles for M365) — these count toward your score without your intervention. Customer-managed actions are the improvement steps your organization must implement (configuring DLP policies, enabling audit logging, deploying sensitivity labels). Compliance Manager provides pre-built assessments for 300+ regulations including HIPAA, SOC 2, GDPR, FedRAMP, ISO 27001, NIST 800-53, PCI DSS, and CCPA. Each assessment maps specific M365 controls to regulatory requirements, making it clear which features to configure and which compliance gaps exist. EPC Group typically sees initial compliance scores of 30-45% for organizations that have not deliberately configured M365 compliance features.
How does Data Loss Prevention work in Microsoft 365?
Microsoft 365 DLP detects and protects sensitive information across Exchange email, SharePoint sites, OneDrive accounts, Teams messages, Power BI dashboards, and Windows/macOS endpoints. DLP policies consist of three components: 1) Conditions — what to detect (sensitive information types like SSNs, credit card numbers, health records, or custom patterns; sensitivity labels; document properties), 2) Actions — what to do when conditions are met (block sharing, encrypt, require justification, notify user via policy tip, alert compliance team, restrict to view-only), 3) Scope — where to enforce (specific users, groups, sites, or organization-wide). DLP includes 300+ built-in sensitive information types covering global regulations. You can create custom types using regex patterns, keyword dictionaries, or exact data match (EDM) for precise detection of your organization-specific data. DLP also includes endpoint DLP for Windows and macOS — monitoring clipboard, print, USB copy, and cloud upload activities. EPC Group implements DLP in test mode first, running for 2-4 weeks to identify false positives before enabling enforcement.
What is insider risk management in Microsoft 365?
Insider risk management detects potentially risky activities by users within your organization — data theft by departing employees, accidental data leaks, confidentiality violations, and security policy violations. It correlates signals from multiple sources: 1) HR connectors — employment status changes (resignation, termination) from your HR system trigger risk monitoring for the departing user, 2) DLP alerts — repeated DLP policy violations indicate potential data exfiltration, 3) Activity signals — mass file downloads, printing sensitive documents, copying to USB, emailing large attachments to personal accounts, 4) Security signals — disabling security controls, accessing sensitive sites outside normal patterns. Insider risk uses machine learning to correlate these signals and generate risk scores. High-risk users trigger cases that compliance investigators can review with a timeline of activities, risk indicators, and recommended actions. Privacy controls allow pseudonymization of user identities during investigation until escalation is approved. EPC Group configures insider risk policies aligned with the organization's data classification — monitoring is focused on Highly Confidential content, not routine activity.
How does eDiscovery work in Microsoft 365?
Microsoft 365 eDiscovery provides three tiers: 1) Content Search — basic search across Exchange mailboxes, SharePoint sites, OneDrive accounts, and Teams messages. Export results for review. Available in all M365 plans. 2) eDiscovery Standard — adds case management, legal hold (preserves content from deletion or modification), and custodian management. Place holds on specific mailboxes or sites to preserve evidence. Available with E3/E5. 3) eDiscovery Premium — adds advanced features: custodian management with communications, processing of non-M365 data sources, AI-powered review sets (predictive coding, near-duplicate detection, email threading, relevance scoring), and privileged content detection (attorney-client privilege). Available with E5. The eDiscovery workflow is: identify custodians > place legal holds > collect content via search > process and index > review with AI assistance > export for production. For litigation readiness, EPC Group recommends enabling mailbox and SharePoint audit logging, configuring retention policies to preserve data, and establishing an eDiscovery process playbook before litigation occurs.
What is the difference between retention policies and retention labels?
Retention policies and retention labels are both part of data lifecycle management but serve different purposes: Retention policies apply broad retention settings to entire locations — all Exchange mailboxes, all SharePoint sites, specific Teams channels. They run silently in the background, retaining content for a specified period (e.g., 7 years) and optionally deleting it after. Users cannot override or see retention policies. Retention labels are applied to individual items — a specific document, email, or Teams message. Labels can be applied manually by users, automatically by auto-apply policies (based on sensitive information types, keywords, or trainable classifiers), or as default labels for document libraries. Labels support records management — declaring an item as a regulatory record locks it from editing or deletion and starts a disposition review at the end of retention. Use retention policies for baseline organizational retention (keep all email for 7 years). Use retention labels for specific content that needs different retention, records declaration, or disposition review. Both can coexist — if a retention policy and retention label conflict, the longer retention period wins.
How does communication compliance work?
Communication compliance monitors Teams messages, Exchange email, and third-party communications for policy violations. Common use cases: 1) Regulatory compliance — financial services firms monitor for insider trading language, unauthorized commitments, or disclosure violations (SEC, FINRA requirements), 2) Offensive language — detect harassment, threats, discrimination, or profanity in workplace communications, 3) Sensitive information sharing — identify when employees share confidential data, passwords, or PII in Teams or email, 4) Conflict of interest — detect communications that indicate undisclosed relationships with vendors or competitors. Policies use built-in classifiers (trained on millions of examples), custom keyword dictionaries, and sensitive information types to detect violations. When a violation is detected, a reviewer examines the communication in context (surrounding messages, not just the flagged message) and takes action: resolve as false positive, notify the user, escalate to HR/legal, or document for regulatory reporting. Communication compliance has built-in privacy controls — reviewer access is role-based, and users can be anonymized during investigation. EPC Group configures communication compliance primarily for financial services and healthcare clients where regulatory monitoring is required.
What audit capabilities does Microsoft 365 provide?
Microsoft 365 provides two audit tiers: 1) Audit Standard (all M365 plans) — unified audit log capturing user and admin activities across Exchange, SharePoint, OneDrive, Teams, Entra ID, and other M365 services. Includes 180 days of log retention, search and filter by date/user/activity/location, and export to CSV. Covers 100+ activity types including file access, sharing, login, admin changes, and DLP events. 2) Audit Premium (E5) — extends to 365 days of retention (configurable up to 10 years), adds high-value audit events (MailItemsAccessed for mailbox forensics, SearchQueryInitiatedExchange/SharePoint for search activity monitoring), intelligent insights (compromised account investigation, identifying accessed data during a breach), and higher API throughput for large-scale audit data retrieval. Audit data can be exported to Azure Sentinel or third-party SIEM platforms for long-term retention, correlation with non-M365 data, and advanced threat detection. EPC Group recommends enabling Audit Premium for all organizations handling sensitive data — the MailItemsAccessed event is essential for breach impact assessment.
How do you achieve HIPAA compliance with Microsoft 365?
HIPAA compliance in Microsoft 365 requires configuring multiple Purview compliance features: 1) Business Associate Agreement (BAA) — sign the Microsoft BAA through the Microsoft 365 admin center (prerequisite for any HIPAA use of M365), 2) Sensitivity labels — create "PHI" and "Highly Confidential PHI" labels that apply encryption, block external sharing, and enable watermarking, 3) DLP policies — detect health-related sensitive information types (medical record numbers, DEA numbers, health insurance IDs) and block unauthorized sharing, 4) Retention policies — retain all PHI-related communications and documents for the HIPAA-required 6-year retention period, 5) Access controls — conditional access policies requiring MFA, managed devices, and approved apps for accessing PHI content, 6) Audit — enable Audit Premium for 10-year retention and MailItemsAccessed events for breach investigation, 7) Insider risk — monitor for PHI data exfiltration by departing employees or unauthorized bulk access. Compliance Manager provides a HIPAA assessment template that maps all required controls to specific M365 configurations. EPC Group HIPAA compliance implementations typically take 6-8 weeks for organizations already running M365 E5.
How do you use Microsoft 365 for SOC 2 compliance?
SOC 2 compliance in Microsoft 365 maps the Trust Services Criteria to M365 controls: 1) Security — Entra ID conditional access (MFA, device compliance, location restrictions), Microsoft Defender for M365 (anti-phishing, safe attachments, safe links), and privileged access management, 2) Availability — M365 SLA (99.9%), geo-redundant data centers, and admin center service health monitoring, 3) Processing integrity — DLP policies verify data accuracy before sharing, audit logs provide processing trail, and retention policies ensure data is not prematurely deleted, 4) Confidentiality — sensitivity labels encrypt confidential content, information barriers prevent unauthorized communication between departments, and DLP blocks confidential data from leaving the organization, 5) Privacy — data classification identifies personal data, privacy management detects overexposure, and subject rights requests handle DSAR (data subject access requests) for GDPR and CCPA. Compliance Manager includes SOC 2 assessment templates mapping specific improvement actions to each Trust Services Criteria. EPC Group SOC 2 implementations focus on demonstrating the operating effectiveness of M365 controls through audit evidence collection — screenshot-documented configurations, audit log exports, and DLP match reports.
Related Resources
Microsoft 365 Consulting Services
Enterprise Microsoft 365 compliance implementation, governance frameworks, and security configuration from EPC Group.
Read moreMicrosoft Purview Data Governance
Data catalog, data map, data lineage, and governance capabilities in Microsoft Purview beyond the compliance portal.
Read moreCompliance IT Consulting
Enterprise compliance consulting for HIPAA, SOC 2, GDPR, FedRAMP, and industry-specific regulatory frameworks.
Read moreNeed M365 Compliance Implementation?
EPC Group provides thorough Microsoft 365 compliance frameworks for enterprises. Our services include:
- Compliance Manager assessments
- Sensitivity label taxonomies
- DLP deployment
- Insider risk configuration
- eDiscovery readiness
Our 90-day compliance programs usually boost compliance scores from 30% to over 75%. We also help establish the controls necessary for HIPAA, SOC 2, and GDPR certification.
Microsoft 365 Compliance Center: Enterprise Guide 2026
The Microsoft 365 Compliance Center, now known as Microsoft Purview, serves as the main hub for data protection, regulatory compliance, and eDiscovery in M365. This guide includes:
- Compliance Manager
- DLP
- Sensitivity labels
- Insider risk
- eDiscovery
- Configuration steps for HIPAA, SOC 2, and GDPR
EPC Group has configured Purview for over 200 regulated enterprise tenants.
- The Compliance Center was rebranded as Microsoft Purview in 2022. The portal is at compliance.microsoft.com.
- Compliance Manager provides a score-based framework mapping your M365 controls to HIPAA, SOC 2, GDPR, and 300+ other regulations.
- DLP policies cover Exchange, SharePoint, Teams, OneDrive, and endpoint devices.
- eDiscovery Premium (E5 required) supports predictive coding and review sets for large legal matters.
- EPC Group has completed compliance configurations for HIPAA, SOC 2, FedRAMP, and CMMC environments.
What Is the Microsoft 365 Compliance Center?
The Microsoft 365 Compliance Center is the central hub for managing data protection, compliance, and legal duties in your Microsoft 365 tenant. In 2022, Microsoft renamed it to Microsoft Purview. You can access the portal at compliance.microsoft.com.
The portal brings together eight capability areas under one interface: Compliance Manager, Information Protection, Data Loss Prevention, Insider Risk Management, Communication Compliance, eDiscovery, Audit, and Data Lifecycle Management.
Compliance Manager
Compliance Manager provides your organization with a score-based view of how well your M365 configuration meets regulatory requirements. It covers over 300 frameworks, including:
- HIPAA
- SOC 2
- GDPR
- NIST 800-53
- ISO 27001
- FedRAMP
The dashboard displays your overall Compliance Score. It also lists improvement actions based on their impact. You can see the percentage of controls that are passing and failing.
Each improvement action links directly to the configuration page in the admin center.
Start with Compliance Manager before configuring individual policies. It tells you which gaps have the highest impact on your score and prioritizes your remediation work.
Information Protection and Sensitivity Labels
Sensitivity labels classify content and apply protection rules automatically. Labels travel with documents and emails — even when they leave your tenant.
A basic label taxonomy for enterprise environments includes:
- Public: No restrictions.
- Internal: Watermark applied, external sharing allowed with notification.
- Confidential: Encryption enforced, external sharing blocked by default.
- Highly Confidential: Encryption enforced, access restricted to named users or groups.
Auto-labeling policies scan content at rest and in transit. They apply labels automatically when sensitive information types — credit card numbers, SSNs, health record identifiers — are detected.
Data Loss Prevention (DLP)
DLP policies prevent sensitive data from leaving your organization through email, Teams chat, SharePoint sharing, OneDrive sync, or endpoint copy actions.
Configure DLP in three phases:
- Audit mode first: Run all new policies in simulation mode. Review policy match reports for 2–4 weeks before enforcing blocks.
- Notify, then block: Start with user notifications and policy tips. Move to blocks only after users understand the policies.
- Endpoint DLP last: Endpoint DLP requires Defender for Endpoint onboarding. Deploy after email and SharePoint policies are stable.
The most common DLP mistake is blocking everything on day one. This causes user complaints and shadow IT. Start in audit mode. Tune for false positives. Enforce incrementally.
Insider Risk Management
Insider Risk Management detects anomalous user behavior that may indicate data theft, policy violations, or security incidents. It analyzes signals from M365 activity, HR data connectors, and endpoint telemetry.
Common policy templates include:
- Data theft by departing employees: Triggered by HR termination signals plus elevated file download or copy activity.
- Data leaks: Detects sharing of sensitive content outside the organization.
- Security policy violations: Flags users repeatedly bypassing DLP controls or accessing restricted content.
Insider Risk Management requires E5 licensing. Privacy controls are built in — analysts see anonymized user IDs by default and must request de-anonymization through a role-based approval process.
eDiscovery and Legal Hold
Purview offers two eDiscovery tiers. eDiscovery Standard is included in E3. eDiscovery Premium requires E5 and adds review sets, predictive coding, and advanced analytics.
To implement a legal hold, start by creating a case in eDiscovery. You can place a hold on:
- Specific mailboxes
- SharePoint sites
- Teams channels
Content under hold is preserved, even if the user deletes it. It is important to document every hold in a legal hold register. Auditors and courts require this documentation.
eDiscovery Premium's predictive coding uses machine learning to identify relevant documents. For large matters with 100,000+ items, it reduces review time significantly compared to manual review.
Audit Log Configuration
Audit logging captures every significant user and admin action in your M365 tenant. It is the primary forensic record for security investigations and compliance audits.
Key configuration steps:
- Verify audit logging is enabled: Go to Purview → Audit → Start recording user and admin activity.
- E3 tenants retain audit logs for 90 days by default. Extend to 1 year via Audit (Standard).
- E5 tenants get Audit (Premium) with 10-year retention and MailItemsAccessed events for breach investigation.
- Configure log retention policies before an incident — you cannot recover logs that were not retained.
HIPAA Compliance Configuration in Microsoft 365
HIPAA compliance in Microsoft 365 requires configuring multiple Purview features. Complete these steps in order.
- Sign the Business Associate Agreement (BAA). Go to the Microsoft 365 admin center → Settings → Services → Microsoft Cloud Agreement. This is a prerequisite for any HIPAA use of M365.
- Create sensitivity labels for PHI. Create "PHI" and "Highly Confidential PHI" labels that apply encryption, block external sharing, and add watermarks.
- Configure DLP policies for health data. Use built-in sensitive information types: medical record numbers, DEA numbers, health insurance IDs. Set actions to block unauthorized external sharing.
- Set retention policies. Retain all PHI-related communications and documents for 6 years — the HIPAA-required minimum retention period.
- Configure Conditional Access. Require MFA, compliant devices, and approved apps for any access to PHI content.
- Enable Audit Premium. Turn on 10-year audit retention and MailItemsAccessed events. These are required for HIPAA breach investigation documentation.
- Deploy Insider Risk policies. Monitor for PHI data exfiltration by departing employees or unauthorized bulk access.
SOC 2 Compliance Configuration
SOC 2 maps the Trust Services Criteria to M365 controls. Cover these four areas.
- Security (CC6–CC9): Entra ID Conditional Access (MFA, device compliance, location restrictions), Defender for M365 (anti-phishing, safe attachments, safe links), and privileged access management.
- Availability (A1): M365 SLA documentation, Exchange Online Protection failover, and SharePoint geo-redundancy configuration.
- Confidentiality (C1–C2): Sensitivity labels on all confidential content, DLP policies blocking unauthorized external sharing, and Information Barriers between business units that must stay separate.
- Processing Integrity and Privacy (PI/P): Purview Data Map for inventory, retention policies for all data types, and Compliance Manager continuous assessment for gap tracking.
GDPR Configuration
GDPR compliance in Microsoft 365 focuses on data subject rights, consent, and data minimization. Key configurations include:
- Data Map: Use Purview Data Map to inventory where personal data lives across M365.
- Subject Access Requests: Use the DSR (Data Subject Request) workflow in Purview to respond to access, deletion, and portability requests.
- Retention and deletion: Configure retention policies that automatically delete personal data after the lawful retention period expires.
- DLP for PII: Block sharing of EU personal data types — national IDs, passport numbers, health data — using built-in sensitive information types.
EPC Group's Purview Implementation Experience
EPC Group has set up Microsoft Purview for over 200 regulated enterprise tenants. These tenants span various sectors, including healthcare, financial services, government, and professional services.
We have successfully completed compliance configurations in Microsoft 365 for:
- HIPAA
- SOC 2
- FedRAMP
- CMMC
- GDPR
Our compliance practice is led by experts with experience in regulated industries. They are specialists, not generalists, and avoid a one-size-fits-all approach.
We ensure thorough documentation of every configuration. This includes evidence artifacts that satisfy the requirements of auditors and external assessors.
Frequently Asked Questions
What is the Microsoft 365 Compliance Center called now?
In 2022, Microsoft renamed the Compliance Center to Microsoft Purview. The portal remains accessible at compliance.microsoft.com. All compliance features are now part of the Purview brand, including:
- DLP
- Insider Risk
- eDiscovery
- Audit
- Compliance Manager
Do I need E5 for full compliance capabilities?
E3 includes the following features:
- DLP
- Basic eDiscovery
- 90-day audit log retention
E5 offers additional capabilities:
- Insider Risk Management
- Communication Compliance
- eDiscovery Premium (review sets and predictive coding)
- 10-year audit retention
- Advanced auto-labeling
Regulated industries, such as healthcare, finance, and government, typically require E5 or specific E3 add-ons.
How do I start with Compliance Manager?
Visit compliance.microsoft.com and navigate to Compliance Manager. Here, you can review your Compliance Score and the list of improvement actions.
To optimize your efforts:
- Sort actions by point value and effort.
- Focus on high-impact, low-effort actions first.
Compliance Manager provides direct links to the relevant configuration pages in the admin center for each action.
What is the difference between DLP and sensitivity labels?
Sensitivity labels classify content and apply persistent protection rules — encryption, watermarks, sharing restrictions — that travel with the document.
DLP policies help monitor and control content movement. They can block emails, restrict SharePoint sharing, and prevent copying on endpoints.
These policies work together effectively:
- Labels classify content.
- DLP policies enforce controls based on labels or content types.
How long does it take to configure HIPAA compliance in Microsoft 365?
A complete HIPAA configuration typically requires 4–8 weeks for most enterprise environments. The Business Associate Agreement (BAA) is processed immediately.
Sensitivity labels and Data Loss Prevention (DLP) require 1 to 2 weeks for design, testing, and enforcement. However, permission remediation for SharePoint usually has the largest gap. This process can take 4 to 6 weeks. The overall time needed varies based on the size of the environment.
EPC Group manages these implementations from start to finish.
Can EPC Group run a Purview compliance assessment for our organization?
Yes. EPC Group's Purview assessment evaluates several key areas of your organization:
- Your current Compliance Score
- DLP policy gaps
- Sensitivity label coverage
- Audit log configuration
- Insider risk posture
The assessment generates a prioritized remediation roadmap, complete with effort estimates. Typically, engagements last 2–3 weeks.
Configure Microsoft Purview for Your Enterprise
EPC Group configures Microsoft Purview for regulated enterprise environments — HIPAA, SOC 2, GDPR, FedRAMP, and CMMC. We handle policy design, testing, deployment, and audit documentation from start to finish.