
Microsoft 365 Compliance Center - EPC Group enterprise consulting

Microsoft 365 Compliance Center

Enterprise guide to the Purview compliance portal — Compliance Manager, data classification, DLP, insider risk, eDiscovery, audit, records management, and industry compliance.

What Is the Microsoft 365 Compliance Center?

Quick Answer: The Microsoft 365 Compliance Center — now rebranded as the Microsoft Purview compliance portal at compliance.microsoft.com — is the centralized hub for managing compliance, data governance, and information protection across your entire Microsoft 365 environment. It includes Compliance Manager (compliance scoring against 300+ regulations), data classification, sensitivity labels, DLP, insider risk management, communication compliance, eDiscovery, audit logging, retention policies, and records management. For regulated enterprises, this portal is where you configure and demonstrate HIPAA, SOC 2, GDPR, and FedRAMP compliance controls for Microsoft 365.

Every enterprise running Microsoft 365 has compliance obligations — whether driven by industry regulation (HIPAA for healthcare, SOC 2 for technology, GDPR for global operations) or internal governance requirements. The challenge is that Microsoft 365 compliance capabilities are extensive — over 10 major modules with hundreds of configuration options — and most organizations use less than 20% of what they have licensed.

This guide provides the complete walkthrough of every compliance module based on EPC Group experience implementing Microsoft 365 compliance frameworks for Fortune 500 organizations in healthcare, financial services, and government. We cover what each module does, when to use it, licensing requirements, and implementation priorities.

For data governance specifically focused on Microsoft Purview's data catalog and governance capabilities, see our Microsoft Purview Data Governance guide.

Compliance Portal Modules at a Glance

The Purview compliance portal contains 10 major modules. Understanding each module's purpose and licensing helps you prioritize implementation based on your regulatory requirements.

| Module | Capabilities | Licensing |
| --- | --- | --- |
| Compliance Manager | Compliance score, assessments for 300+ regulations, improvement actions, control mapping | All M365 plans (basic); E5 for advanced assessments |
| Data Classification | Sensitive information types, trainable classifiers, content explorer, activity explorer | E3/E5 |
| Information Protection | Sensitivity labels, encryption, rights management, visual markings, auto-labeling | E3 (manual); E5 (auto-labeling) |
| Data Loss Prevention | DLP policies across Exchange, SharePoint, Teams, endpoints; 300+ sensitive info types | E3 (basic); E5 (endpoint DLP, advanced) |
| Insider Risk Management | Risk detection, case management, HR integration, activity correlation, ML risk scoring | E5 or Insider Risk add-on |
| Communication Compliance | Teams/email monitoring, regulatory compliance, offensive language detection, reviewer workflows | E5 or Communication Compliance add-on |
| eDiscovery | Content search, legal holds, case management, AI-powered review, custodian management | E3 (Standard); E5 (Premium) |
| Audit | Unified audit log, 180-day (Standard) or 10-year (Premium) retention, high-value events | All plans (Standard); E5 (Premium) |
| Data Lifecycle Management | Retention policies, retention labels, auto-apply labels, disposition review | E3/E5 |
| Records Management | Regulatory records, file plan, disposition, immutable records, event-based retention | E5 or Records Management add-on |

Compliance Manager and Compliance Score

Compliance Manager is the starting point for every compliance program in Microsoft 365. It provides a quantitative compliance score, maps your configuration to regulatory requirements, and prioritizes the improvement actions that have the most impact.

How the Compliance Score Works

Microsoft-Managed Actions

Controls that Microsoft handles for the M365 infrastructure — encryption at rest, physical data center security, network segmentation. These points are automatically counted toward your score. You cannot modify them, but they demonstrate the shared responsibility model.

Customer-Managed Actions

Controls that your organization must configure — enabling MFA, deploying DLP policies, configuring retention, enabling audit logging. Each action has a point value based on its impact. Completing high-value actions (like DLP deployment) yields more points than lower-value ones (like password policy).

Assessment Templates

Pre-built assessments for 300+ regulatory frameworks (HIPAA, SOC 2, GDPR, FedRAMP, ISO 27001, NIST 800-53, PCI DSS, CCPA). Each assessment maps specific M365 controls to regulatory requirements. You can run multiple assessments simultaneously to track compliance against all applicable regulations.

Improvement Actions

Prioritized list of specific steps to improve your score. Each action includes: description, implementation instructions, testing guidance, documentation templates, and point value. Actions are ranked by impact — focus on the top 10 improvement actions for the fastest compliance score increase.

EPC Group Benchmark: Organizations that have not deliberately configured M365 compliance features typically score 30-45%. After a focused 90-day compliance implementation, scores reach 70-80%. Achieving 90%+ requires advanced features (insider risk, communication compliance, eDiscovery Premium) and dedicated compliance team management. The compliance score is not a certification — it is an internal measurement tool. Actual certification (SOC 2, HIPAA) requires independent auditor assessment.

Data Classification

Data classification is the foundation that all other compliance features build upon. Before you can protect sensitive data, you need to know where it is, what type it is, and how much of it exists across your M365 environment.

Sensitive Information Types

  • 300+ built-in types (SSN, credit card, passport, health records)
  • Custom types via regex, keyword dictionaries, exact data match
  • Confidence levels (high, medium, low) reduce false positives
  • Instance count thresholds — detect bulk exposure vs single occurrence
  • Used by DLP, auto-labeling, insider risk, and communication compliance

Trainable Classifiers

  • Machine learning models trained on content patterns
  • Built-in classifiers: resumes, source code, financial statements, threats
  • Custom classifiers trained on your organization-specific content
  • Seed with 50-500 positive examples for accurate classification
  • Combine with DLP and auto-labeling for intelligent protection

Content Explorer

  • View actual documents containing sensitive information across M365
  • Drill down by sensitive information type, sensitivity label, or retention label
  • Shows document location, type, and matched sensitive content
  • Requires Content Explorer Content Viewer role (restricted access)
  • Essential for compliance audits — prove you know where sensitive data lives

Activity Explorer

  • Timeline of data classification activities: labeling, DLP matches, sharing
  • Filter by user, activity type, location, and date range
  • Identifies trends: increasing DLP violations, declining label usage
  • Export data for compliance reporting and executive dashboards
  • Track adoption of sensitivity labels and classification policies

Information Protection and Sensitivity Labels

Sensitivity labels are the enterprise mechanism for classifying and protecting content across Microsoft 365. Labels persist with the content — whether the document is in SharePoint, downloaded to a device, emailed externally, or shared in Teams. This is the most important compliance feature for organizations handling confidential data.

Enterprise Sensitivity Label Taxonomy

Public

Protections: No restrictions. Content can be shared freely.

Examples: Marketing materials, press releases, public documentation

General / Internal

Protections: No encryption. Header/footer marking. External sharing requires authentication.

Examples: Internal communications, meeting notes, project plans

Confidential

Protections: Encryption. Authenticated external sharing to approved domains only. No anonymous links. Watermarking on download.

Examples: Financial reports, strategy documents, client proposals, contracts

Highly Confidential

Protections: Full encryption. No external sharing. No download/print/copy. View-only access. Full audit trail. Automatic expiration.

Examples: PHI/PII, trade secrets, M&A documents, security assessments, board materials

Auto-labeling extends protection to content that users forget to classify. Configure auto-labeling policies in the Purview compliance portal to automatically apply sensitivity labels when documents contain specific sensitive information types. Simulation mode lets you preview which documents would be labeled before enabling enforcement.

Labels also apply to containers (SharePoint sites, Teams, M365 Groups) — setting site-level sharing restrictions, privacy settings, and conditional access policies automatically when the label is applied. This is the foundation for the three-tier sharing governance model described in our SharePoint External Sharing guide.

Data Loss Prevention (DLP)

DLP is the enforcement engine that prevents sensitive data from leaving your organization through unauthorized channels. It works across email, SharePoint, OneDrive, Teams, and endpoints to detect and block policy violations in real time.

Email DLP (Exchange)

Scan outbound email for sensitive content before delivery. Block or encrypt messages containing PHI, PII, financial data, or custom sensitive types. Apply transport rules that quarantine suspicious emails for compliance review. Notify senders with policy tips explaining why their message was blocked and how to request an exception.

SharePoint and OneDrive DLP

Detect sensitive content in documents stored in SharePoint and OneDrive. Block external sharing of documents containing sensitive information. Apply sensitivity labels automatically when DLP detects regulated content. Show policy tips in SharePoint document libraries and OneDrive when users attempt to share protected content.

Teams DLP

Monitor Teams chat and channel messages for sensitive content in real time. Redact or block messages containing sensitive data — the message is replaced with a notification explaining the policy violation. Teams DLP covers 1:1 chats, group chats, and channel conversations. Particularly important for healthcare and financial services where employees may inadvertently share regulated data in chat.

Endpoint DLP

Monitor and control sensitive data on Windows and macOS devices. Detect when users copy sensitive files to USB drives, print sensitive documents, upload to unauthorized cloud storage, or copy sensitive content to clipboard. Actions include block, audit-only, or warn. Requires Microsoft 365 E5 or Endpoint DLP add-on. Essential for preventing data exfiltration via download-and-reshare.

Insider Risk and Communication Compliance

These two modules address the human element of compliance — detecting risky behavior and policy-violating communications before they result in data breaches, regulatory violations, or organizational harm.

Insider Risk Management

  • Data theft by departing employees (HR connector triggers monitoring)
  • Accidental data leaks (bulk file downloads, mass external sharing)
  • Security policy violations (disabling MFA, bypassing DLP)
  • ML-based risk scoring correlates multiple signals
  • Case management with timeline, evidence, and recommended actions
  • Privacy controls — user identities pseudonymized until escalation

Requires: E5 or Insider Risk Management add-on

Communication Compliance

  • Regulatory language monitoring (SEC, FINRA, insider trading)
  • Offensive language detection (harassment, threats, discrimination)
  • Sensitive information in chats (passwords, PII, financial data)
  • Built-in ML classifiers trained on millions of examples
  • In-context review — surrounding messages shown, not just flagged content
  • Role-based reviewer access with anonymization options

Requires: E5 or Communication Compliance add-on

eDiscovery and Audit

eDiscovery and audit are the investigative and evidentiary capabilities that support legal proceedings, compliance investigations, and security incident response. Every enterprise should have these configured before they are needed — retroactive setup misses critical data.

eDiscovery Tiers

| Tier | Licensing | Capabilities |
| --- | --- | --- |
| Content Search | All plans | Basic search across mailboxes, SharePoint, OneDrive, Teams. Export results. Use for simple investigations and ad-hoc searches. |
| eDiscovery Standard | E3/E5 | Adds case management, legal hold (preserves content from modification/deletion), and custodian identification. Place holds on specific mailboxes or sites. Required for litigation readiness. |
| eDiscovery Premium | E5 | Adds AI-powered review sets (predictive coding, near-duplicate detection, email threading, relevance scoring), non-M365 data processing, custodian communications, and privileged content detection. Required for complex litigation with large data volumes. |

Audit Capabilities

Audit Standard

  • 180-day log retention
  • 100+ activity types across M365
  • Search by user, activity, date, location
  • Export to CSV for analysis
  • Available in all M365 plans

Audit Premium

  • 365-day retention (up to 10 years configurable)
  • High-value events: MailItemsAccessed, SearchQuery
  • Higher API throughput for large exports
  • Intelligent insights for breach investigation
  • Requires E5 license

Data Lifecycle Management and Records Management

Data lifecycle management ensures content is retained for the required period and deleted when no longer needed. Records management adds regulatory controls for content that must be preserved as immutable records.

Retention Policies

Apply broad retention settings to entire locations — all Exchange mailboxes, all SharePoint sites, specific Teams channels. Retention policies run silently in the background. Content is retained for the specified period (e.g., 7 years) and optionally deleted after. Users cannot see or override retention policies. Use for baseline organizational retention: "Keep all email for 7 years" or "Delete Teams messages after 1 year."

Retention Labels

Apply retention settings to individual items — specific documents, emails, or messages. Labels can be applied manually by users, automatically by policies (based on sensitive information types or keywords), or as defaults for document libraries. Labels support records management: declaring an item as a record locks it from editing or deletion. Use for specific content requiring different retention than the baseline or content requiring regulatory records declaration.

Records Management

Advanced records capabilities for regulated industries. File plan imports from existing records management systems. Regulatory records cannot be modified, deleted, or relabeled by anyone — including administrators. Disposition reviews require designated reviewers to approve deletion at the end of retention. Event-based retention starts the retention clock when a triggering event occurs (contract termination, product end-of-life). Proof of disposal documents deletion for audit compliance.

Auto-Apply Retention Labels

Automatically apply retention labels based on content conditions: sensitive information types (apply "7-Year Financial Retention" to documents containing account numbers), keywords (apply "Legal Hold" to documents containing case numbers), trainable classifiers (apply "HR Records" to documents matching employee file patterns). Auto-apply ensures retention compliance without relying on user action — critical for organizations with thousands of employees creating content daily.

Industry Compliance: HIPAA, SOC 2, GDPR

The Purview compliance portal maps directly to industry regulatory requirements. Each regulation has a Compliance Manager assessment template that identifies the specific M365 controls needed to achieve compliance.

HIPAA Compliance

  • Business Associate Agreement (BAA) signed with Microsoft
  • Sensitivity labels for PHI classification with encryption
  • DLP policies detecting health-related sensitive information types
  • 6-year retention policies for PHI-containing content
  • Conditional access: MFA + managed devices for PHI access
  • Audit Premium: 10-year retention, MailItemsAccessed for breach investigation
  • Insider risk monitoring for PHI data exfiltration
  • eDiscovery legal holds for investigation readiness

SOC 2 Compliance

  • Security: Conditional access (MFA, device compliance, location), Defender for M365
  • Availability: M365 SLA documentation, service health monitoring
  • Processing Integrity: DLP for data accuracy, audit logs for processing trail
  • Confidentiality: Sensitivity labels with encryption, information barriers, DLP
  • Privacy: Data classification, privacy management, subject rights requests
  • Evidence collection: Compliance Manager assessment reports, audit log exports
  • Quarterly access reviews via Entra ID for SOC 2 evidence
  • Change management documentation via M365 audit trail

GDPR Compliance

  • Data classification to identify personal data across M365
  • Sensitivity labels for personal data protection
  • DLP policies preventing unauthorized personal data sharing
  • Subject rights requests (DSAR) module for data subject access, erasure, export
  • Privacy management to detect personal data overexposure
  • Data residency controls for EU data processing requirements
  • Retention policies aligned with data minimization principle
  • Breach notification readiness: Audit Premium + incident response procedures

Frequently Asked Questions

What is the Microsoft 365 Compliance Center?

The Microsoft 365 Compliance Center — now rebranded as the Microsoft Purview compliance portal (compliance.microsoft.com) — is the centralized hub for managing compliance, data governance, and information protection across Microsoft 365. It provides tools for:

  • Compliance Manager (compliance score and assessments)
  • Data classification (sensitive information types, trainable classifiers)
  • Information protection (sensitivity labels, encryption)
  • Data Loss Prevention (DLP policies across Exchange, SharePoint, Teams, endpoints)
  • Insider risk management (detect and investigate risky user behavior)
  • Communication compliance (monitor Teams/email for policy violations)
  • eDiscovery (legal hold, content search, case management)
  • Audit (unified audit log, advanced audit)
  • Data lifecycle management (retention policies, retention labels)
  • Records management (regulatory records, disposition)

The portal consolidates what was previously spread across the Security & Compliance Center, Azure Information Protection, and separate admin portals into a single compliance management interface.

What is Compliance Manager and how does the compliance score work?

Compliance Manager is the assessment and scoring tool within the Purview compliance portal that measures your organization's compliance posture against regulatory frameworks. The compliance score is calculated as: (points achieved from completed improvement actions) / (total achievable points) x 100. Microsoft manages some actions automatically (infrastructure controls like encryption at rest, which Microsoft handles for M365) — these count toward your score without your intervention. Customer-managed actions are the improvement steps your organization must implement (configuring DLP policies, enabling audit logging, deploying sensitivity labels). Compliance Manager provides pre-built assessments for 300+ regulations including HIPAA, SOC 2, GDPR, FedRAMP, ISO 27001, NIST 800-53, PCI DSS, and CCPA. Each assessment maps specific M365 controls to regulatory requirements, making it clear which features to configure and which compliance gaps exist. EPC Group typically sees initial compliance scores of 30-45% for organizations that have not deliberately configured M365 compliance features.

How does Data Loss Prevention work in Microsoft 365?

Microsoft 365 DLP detects and protects sensitive information across Exchange email, SharePoint sites, OneDrive accounts, Teams messages, Power BI dashboards, and Windows/macOS endpoints. DLP policies consist of three components:

  • Conditions — what to detect (sensitive information types like SSNs, credit card numbers, health records, or custom patterns; sensitivity labels; document properties)
  • Actions — what to do when conditions are met (block sharing, encrypt, require justification, notify user via policy tip, alert compliance team, restrict to view-only)
  • Scope — where to enforce (specific users, groups, sites, or organization-wide)

DLP includes 300+ built-in sensitive information types covering global regulations. You can create custom types using regex patterns, keyword dictionaries, or exact data match (EDM) for precise detection of your organization-specific data. DLP also includes endpoint DLP for Windows and macOS — monitoring clipboard, print, USB copy, and cloud upload activities. EPC Group implements DLP in test mode first, running for 2-4 weeks to identify false positives before enabling enforcement.
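The condition / action / scope structure described in the DLP section above and in this answer, built as a test-mode policy first and switched to enforcement after the review period: an added PowerShell example, not EPC Group's or Microsoft's own script. The policy and rule names, the sensitive information type selection and the policy-tip text are assumptions; the cmdlets come from the Security & Compliance PowerShell module.

```powershell
# Added example (not from the original page): a PHI-oriented DLP policy created
# in test mode, following the condition / action / scope structure.
# Assumptions: policy and rule names, SIT selection, policy-tip text.
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)

$policyName = 'PHI - External Sharing Protection'   # assumed name

# Scope: every Exchange mailbox, SharePoint site, OneDrive account and Teams
# location. TestWithNotifications shows policy tips and records matches in
# Activity Explorer without blocking anything, so false positives surface first.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect PHI leaving the organization (HIPAA)' `
    -ExchangeLocation All -SharePointLocation All `
    -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Conditions and actions, rule 1: a handful of matches shared outside the
# organization. Notify the owner with a policy tip and raise a medium-severity
# incident report; no block, so the business workflow is not interrupted.
New-DlpComplianceRule -Name 'PHI - low volume, external' -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = 1; maxCount = 9 },
        @{ Name = 'Drug Enforcement Agency (DEA) Number'; minCount = 1; maxCount = 9 }
    ) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner,LastModifier `
    -NotifyPolicyTipCustomText 'This content appears to contain PHI. Remove it or request an exception.' `
    -ReportSeverityLevel Medium `
    -GenerateIncidentReport SiteAdmin

# Rule 2: bulk exposure (10 or more matches) is blocked outright once the policy
# is enforced; users may override with a business justification, which is logged.
New-DlpComplianceRule -Name 'PHI - bulk, external' -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = 10 },
        @{ Name = 'Drug Enforcement Agency (DEA) Number'; minCount = 10 }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner,LastModifier `
    -NotifyAllowOverride WithJustification `
    -ReportSeverityLevel High `
    -GenerateIncidentReport SiteAdmin

# After the 2-4 week test window (review matches in Activity Explorer, tune
# minCount and confidence levels), switch the same policy to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Running the last line before the test window has been reviewed is the most common way a DLP rollout ends up blocking legitimate clinical or finance workflows; keep it as a separate, deliberate step.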

What is insider risk management in Microsoft 365?

Insider risk management detects potentially risky activities by users within your organization — data theft by departing employees, accidental data leaks, confidentiality violations, and security policy violations. It correlates signals from multiple sources:

  • HR connectors — employment status changes (resignation, termination) from your HR system trigger risk monitoring for the departing user
  • DLP alerts — repeated DLP policy violations indicate potential data exfiltration
  • Activity signals — mass file downloads, printing sensitive documents, copying to USB, emailing large attachments to personal accounts
  • Security signals — disabling security controls, accessing sensitive sites outside normal patterns

Insider risk uses machine learning to correlate these signals and generate risk scores. High-risk users trigger cases that compliance investigators can review with a timeline of activities, risk indicators, and recommended actions. Privacy controls allow pseudonymization of user identities during investigation until escalation is approved. EPC Group configures insider risk policies aligned with the organization's data classification — monitoring is focused on Highly Confidential content, not routine activity.

How does eDiscovery work in Microsoft 365?

Microsoft 365 eDiscovery provides three tiers:

  • Content Search — basic search across Exchange mailboxes, SharePoint sites, OneDrive accounts, and Teams messages. Export results for review. Available in all M365 plans.
  • eDiscovery Standard — adds case management, legal hold (preserves content from deletion or modification), and custodian management. Place holds on specific mailboxes or sites to preserve evidence. Available with E3/E5.
  • eDiscovery Premium — adds advanced features: custodian management with communications, processing of non-M365 data sources, AI-powered review sets (predictive coding, near-duplicate detection, email threading, relevance scoring), and privileged content detection (attorney-client privilege). Available with E5.

The eDiscovery workflow is: identify custodians > place legal holds > collect content via search > process and index > review with AI assistance > export for production. For litigation readiness, EPC Group recommends enabling mailbox and SharePoint audit logging, configuring retention policies to preserve data, and establishing an eDiscovery process playbook before litigation occurs.

What is the difference between retention policies and retention labels?

Retention policies and retention labels are both part of data lifecycle management but serve different purposes: Retention policies apply broad retention settings to entire locations — all Exchange mailboxes, all SharePoint sites, specific Teams channels. They run silently in the background, retaining content for a specified period (e.g., 7 years) and optionally deleting it after. Users cannot override or see retention policies. Retention labels are applied to individual items — a specific document, email, or Teams message. Labels can be applied manually by users, automatically by auto-apply policies (based on sensitive information types, keywords, or trainable classifiers), or as default labels for document libraries. Labels support records management — declaring an item as a regulatory record locks it from editing or deletion and starts a disposition review at the end of retention. Use retention policies for baseline organizational retention (keep all email for 7 years). Use retention labels for specific content that needs different retention, records declaration, or disposition review. Both can coexist — if a retention policy and retention label conflict, the longer retention period wins.
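The three mechanisms described in the Data Lifecycle Management section above and contrasted in this answer (a location-wide retention policy, an item-level record label, and an auto-apply policy that attaches the label), as an added PowerShell example that is not EPC Group's or Microsoft's own script. Policy and label names, the 7-year period, the reviewer address and the sensitive information types used as triggers are assumptions; the cmdlets come from the Security & Compliance PowerShell module.

```powershell
# Added example (not from the original page): retention policy vs retention label
# vs auto-apply, built with Security & Compliance PowerShell.
# Assumptions: names, the 7-year duration, reviewer mailbox, trigger SITs.
Connect-IPPSSession

# 1) Retention POLICY: baseline "keep all email for 7 years", applied to every
#    Exchange mailbox and invisible to users. Durations are given in days
#    (7 x 365 = 2555); the display hint only affects how the portal shows it.
New-RetentionCompliancePolicy -Name 'Baseline - Email 7 Years' `
    -Comment 'Organizational baseline retention for Exchange' `
    -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Keep 7 years, then delete' `
    -Policy 'Baseline - Email 7 Years' `
    -RetentionDuration 2555 -RetentionDurationDisplayHint Years `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays

# 2) Retention LABEL declared as a regulatory record: once applied, the item
#    cannot be edited, deleted or relabeled (administrators included), and at the
#    end of the period a disposition reviewer must approve deletion.
#    The tenant must allow regulatory record labels first (one-time, irreversible):
Set-RegulatoryComplianceUI -Enabled $true
New-ComplianceTag -Name '7-Year Financial Retention' `
    -Comment 'Regulatory record: financial statements and account documents' `
    -RetentionAction KeepAndDelete -RetentionDuration 2555 `
    -RetentionType CreationAgeInDays `
    -IsRecordLabel $true -Regulatory $true `
    -ReviewerEmail 'records-review@contoso.example'   # assumed reviewer mailbox

# 3) AUTO-APPLY the label wherever account numbers appear, so retention does not
#    depend on users remembering to label. An auto-apply policy is a retention
#    policy whose rule carries -ApplyComplianceTag instead of its own duration.
New-RetentionCompliancePolicy -Name 'Auto-apply - Financial Records' `
    -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Account numbers -> 7-Year Financial Retention' `
    -Policy 'Auto-apply - Financial Records' `
    -ApplyComplianceTag '7-Year Financial Retention' `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'ABA Routing Number'; minCount = 1 },
        @{ Name = 'Credit Card Number'; minCount = 1 }
    )

# Verify what was created before trusting it in an audit.
Get-RetentionCompliancePolicy | Select-Object Name, Enabled, Mode
Get-ComplianceTag '7-Year Financial Retention' | Select-Object Name, IsRecordLabel, Regulatory, RetentionDuration
```

Where the baseline policy and the record label both cover a document, the label's 7-year record retention and the policy's 7-year retention are reconciled per the precedence described in this answer, so the item is never deleted before the longer period has elapsed.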

How does communication compliance work?

Communication compliance monitors Teams messages, Exchange email, and third-party communications for policy violations. Common use cases:

  • Regulatory compliance — financial services firms monitor for insider trading language, unauthorized commitments, or disclosure violations (SEC, FINRA requirements)
  • Offensive language — detect harassment, threats, discrimination, or profanity in workplace communications
  • Sensitive information sharing — identify when employees share confidential data, passwords, or PII in Teams or email
  • Conflict of interest — detect communications that indicate undisclosed relationships with vendors or competitors

Policies use built-in classifiers (trained on millions of examples), custom keyword dictionaries, and sensitive information types to detect violations. When a violation is detected, a reviewer examines the communication in context (surrounding messages, not just the flagged message) and takes action: resolve as false positive, notify the user, escalate to HR/legal, or document for regulatory reporting. Communication compliance has built-in privacy controls — reviewer access is role-based, and users can be anonymized during investigation. EPC Group configures communication compliance primarily for financial services and healthcare clients where regulatory monitoring is required.

What audit capabilities does Microsoft 365 provide?

Microsoft 365 provides two audit tiers:

  • Audit Standard (all M365 plans) — unified audit log capturing user and admin activities across Exchange, SharePoint, OneDrive, Teams, Entra ID, and other M365 services. Includes 180 days of log retention, search and filter by date/user/activity/location, and export to CSV. Covers 100+ activity types including file access, sharing, login, admin changes, and DLP events.
  • Audit Premium (E5) — extends to 365 days of retention (configurable up to 10 years), adds high-value audit events (MailItemsAccessed for mailbox forensics, SearchQueryInitiatedExchange/SharePoint for search activity monitoring), intelligent insights (compromised account investigation, identifying accessed data during a breach), and higher API throughput for large-scale audit data retrieval.

Audit data can be exported to Azure Sentinel or third-party SIEM platforms for long-term retention, correlation with non-M365 data, and advanced threat detection. EPC Group recommends enabling Audit Premium for all organizations handling sensitive data — the MailItemsAccessed event is essential for breach impact assessment.
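The breach impact assessment this answer and the Audit Capabilities section describe, carried out on MailItemsAccessed records for one mailbox: an added PowerShell example, not EPC Group's or Microsoft's own script. The UPN, the 30-day window and the session name are assumptions; the cmdlet and the AuditData fields used are those of Exchange Online PowerShell and the unified audit log.

```powershell
# Added example (not from the original page): pull MailItemsAccessed records for a
# mailbox suspected of compromise and summarize what was read, from where, and how.
# Requires Exchange Online PowerShell and Audit Premium for the user.
# Assumptions: the UPN, the 30-day window, the session name.
Connect-ExchangeOnline

$mailbox = 'alice@contoso.example'          # assumed UPN of the mailbox under investigation
$start   = (Get-Date).AddDays(-30)
$end     = Get-Date

# Page through the unified audit log. -UserIds matches the account that performed
# the access; for delegate or app access the owner appears as MailboxOwnerUPN
# inside AuditData, so widen the search (e.g. -FreeText) if delegates are in scope.
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $mailbox -Operations MailItemsAccessed `
        -SessionId 'mailitems-triage' -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while (@($page).Count -eq 5000)

# AuditData is a JSON blob. Flatten to one row per folder touched, keeping the
# fields that answer "which IP, which client, sync or bind, how many items".
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $props = @{}
    foreach ($p in $d.OperationProperties) { $props[$p.Name] = $p.Value }
    foreach ($f in $d.Folders) {
        $ids = @()
        if ($f.PSObject.Properties['FolderItems']) { $ids = @($f.FolderItems.InternetMessageId) }
        [pscustomobject]@{
            Time       = [datetime]$d.CreationTime
            IP         = $d.ClientIPAddress
            Client     = $d.ClientInfoString
            AccessType = $props['MailAccessType']   # Sync = whole folder pulled down; Bind = individual items
            Throttled  = $props['IsThrottled']      # 'True': >1000 binds in 24h, so the item list is incomplete
            Folder     = $f.Path
            Items      = $ids.Count
            MessageIds = $ids
        }
    }
}

# Access grouped by source IP and type, with first/last seen. Unfamiliar IPs with
# Sync access are the strongest sign that a whole folder left with the attacker.
$rows | Group-Object IP, AccessType |
    Select-Object Count, Name,
        @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
        @{ n = 'LastSeen';  e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Throttled records mean the log under-counts; the report must say so.
$throttled = @($rows | Where-Object Throttled -eq 'True').Count
if ($throttled) { Write-Warning "$throttled folder entries were throttled; item-level scope is incomplete." }

# Every message id touched is the disclosure scope handed to legal and compliance.
$rows | ForEach-Object { $_.MessageIds } | Where-Object { $_ } | Sort-Object -Unique |
    Out-File .\mailitems-touched-message-ids.txt
```

Sync records list the folder but not individual items, so for a Sync access the disclosure scope is the entire folder at that point in time, not only the message ids written to the file.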

How do you achieve HIPAA compliance with Microsoft 365?

HIPAA compliance in Microsoft 365 requires configuring multiple Purview compliance features:

  • Business Associate Agreement (BAA) — sign the Microsoft BAA through the Microsoft 365 admin center (prerequisite for any HIPAA use of M365)
  • Sensitivity labels — create "PHI" and "Highly Confidential PHI" labels that apply encryption, block external sharing, and enable watermarking
  • DLP policies — detect health-related sensitive information types (medical record numbers, DEA numbers, health insurance IDs) and block unauthorized sharing
  • Retention policies — retain all PHI-related communications and documents for the HIPAA-required 6-year retention period
  • Access controls — conditional access policies requiring MFA, managed devices, and approved apps for accessing PHI content
  • Audit — enable Audit Premium for 10-year retention and MailItemsAccessed events for breach investigation
  • Insider risk — monitor for PHI data exfiltration by departing employees or unauthorized bulk access

Compliance Manager provides a HIPAA assessment template that maps all required controls to specific M365 configurations. EPC Group HIPAA compliance implementations typically take 6-8 weeks for organizations already running M365 E5.

How do you use Microsoft 365 for SOC 2 compliance?

SOC 2 compliance in Microsoft 365 maps the Trust Services Criteria to M365 controls:

  • Security — Entra ID conditional access (MFA, device compliance, location restrictions), Microsoft Defender for M365 (anti-phishing, safe attachments, safe links), and privileged access management
  • Availability — M365 SLA (99.9%), geo-redundant data centers, and admin center service health monitoring
  • Processing integrity — DLP policies verify data accuracy before sharing, audit logs provide a processing trail, and retention policies ensure data is not prematurely deleted
  • Confidentiality — sensitivity labels encrypt confidential content, information barriers prevent unauthorized communication between departments, and DLP blocks confidential data from leaving the organization
  • Privacy — data classification identifies personal data, privacy management detects overexposure, and subject rights requests handle DSARs (data subject access requests) for GDPR and CCPA

Compliance Manager includes SOC 2 assessment templates mapping specific improvement actions to each Trust Services Criterion. EPC Group SOC 2 implementations focus on demonstrating the operating effectiveness of M365 controls through audit evidence collection — screenshot-documented configurations, audit log exports, and DLP match reports.

Related Resources

Microsoft 365 Consulting Services

Enterprise Microsoft 365 compliance implementation, governance frameworks, and security configuration from EPC Group.


Microsoft Purview Data Governance

Data catalog, data map, data lineage, and governance capabilities in Microsoft Purview beyond the compliance portal.


Compliance IT Consulting

Enterprise compliance consulting for HIPAA, SOC 2, GDPR, FedRAMP, and industry-specific regulatory frameworks.


Need M365 Compliance Implementation?

EPC Group implements comprehensive Microsoft 365 compliance frameworks for enterprises — from Compliance Manager assessments and sensitivity label taxonomies to DLP deployment, insider risk configuration, and eDiscovery readiness. Our 90-day compliance programs typically increase compliance scores from 30% to 75%+ while establishing the controls needed for HIPAA, SOC 2, and GDPR certification.
