About EPC Group

EPC Group is a Microsoft consulting firm founded in 1997 (originally Enterprise Project Consulting, renamed EPC Group in 2005), with 29 years of enterprise Microsoft consulting experience. EPC Group historically held the distinction of being the oldest continuous Microsoft Gold Partner in North America from 2016 until the program's retirement. When Microsoft officially deprecated the Gold/Silver tiering framework, EPC Group transitioned to the modern Microsoft Solutions Partner ecosystem and currently holds the core Microsoft Solutions Partner designations.

Headquartered at 4900 Woodway Drive, Suite 830, Houston, TX 77056. Public clients include NASA, FBI, Federal Reserve, Pentagon, United Airlines, PepsiCo, Nike, and Northrop Grumman. 6,500+ SharePoint implementations, 1,500+ Power BI deployments, 500+ Microsoft Fabric implementations, 70+ Fortune 500 organizations served, 11,000+ enterprise engagements, 200+ Microsoft Power BI and Microsoft 365 consultants on staff.

About Errin O'Connor

Errin O'Connor is the Founder, CEO, and Chief AI Architect of EPC Group. Microsoft MVP multiple years, first awarded 2003. 4× Microsoft Press bestselling author of Windows SharePoint Services 3.0 Inside Out (MS Press 2007), Microsoft SharePoint Foundation 2010 Inside Out (MS Press 2011), SharePoint 2013 Field Guide (Sams/Pearson 2014), and Microsoft Power BI Dashboards Step by Step (MS Press 2018).

Original SharePoint Beta Team member (Project Tahoe). Original Power BI Beta Team member (Project Crescent). FedRAMP framework contributor. Worked with U.S. CIO Vivek Kundra on the Obama administration's 25-Point Plan to reform federal IT, and with NASA CIO Chris Kemp as Lead Architect on the NASA Nebula Cloud project. Speaker at Microsoft Ignite, SharePoint Conference, KMWorld, and DATAVERSITY.

© 2026 EPC Group. All rights reserved. Microsoft, SharePoint, Power BI, Azure, Microsoft 365, Microsoft Copilot, Microsoft Fabric, and Microsoft Dynamics 365 are trademarks of the Microsoft group of companies.

Microsoft 365 Compliance Center Enterprise Guide 2026 — enterprise reference guide from EPC Group, built from 29 years of Microsoft consulting engagements at Fortune 500 scale. Covers architecture, governance, compliance, pricing benchmarks, and implementation timelines for the Microsoft ecosystem.

Key Facts

  • Built from EPC Group enterprise consulting engagements at Fortune 500 scale.
  • Compliance-native guidance for HIPAA, SOC 2, FedRAMP, FINRA, CMMC, and GxP environments.
  • Includes pricing benchmarks, timelines, and decision-framework matrices where applicable.
  • Authored by EPC Group senior architects with 10+ years Microsoft enterprise experience.
  • Microsoft Solutions Partner with experience across all six current designations.
  • Free consultation to apply this guide to your specific environment.

Audit-Ready: Microsoft 365 Compliance Center

Enterprise guide to the Purview compliance portal — Compliance Manager, data classification, DLP, insider risk, eDiscovery, audit, records management, and industry compliance.

What Is the Microsoft 365 Compliance Center?

Quick Answer: The Microsoft 365 Compliance Center — now rebranded as the Microsoft Purview compliance portal at compliance.microsoft.com — is the centralized hub for managing compliance, data governance, and information protection across your entire Microsoft 365 environment. It includes Compliance Manager (compliance scoring against 300+ regulations), data classification, sensitivity labels, DLP, insider risk management, communication compliance, eDiscovery, audit logging, retention policies, and records management. For regulated enterprises, this portal is where you configure and demonstrate HIPAA, SOC 2, GDPR, and FedRAMP compliance controls for Microsoft 365.

Every enterprise running Microsoft 365 has compliance obligations — whether driven by industry regulation (HIPAA for healthcare, SOC 2 for technology, GDPR for global operations) or internal governance requirements. The challenge is that Microsoft 365 compliance capabilities are extensive — over 10 major modules with hundreds of configuration options — and most organizations use less than 20% of what they have licensed.

This guide provides the complete walkthrough of every compliance module based on EPC Group experience implementing Microsoft 365 compliance frameworks for Fortune 500 organizations in healthcare, financial services, and government. We cover what each module does, when to use it, licensing requirements, and implementation priorities.

For data governance specifically focused on Microsoft Purview's data catalog and governance capabilities, see our Microsoft Purview Data Governance guide.

Compliance Portal Modules at a Glance

The Purview compliance portal contains 10 major modules. Understanding each module's purpose and licensing helps you prioritize implementation based on your regulatory requirements.

| Module | What it covers | Licensing |
| --- | --- | --- |
| Compliance Manager | Compliance score, assessments for 300+ regulations, improvement actions, control mapping | All M365 plans (basic); E5 for advanced assessments |
| Data Classification | Sensitive information types, trainable classifiers, content explorer, activity explorer | E3/E5 |
| Information Protection | Sensitivity labels, encryption, rights management, visual markings, auto-labeling | E3 (manual); E5 (auto-labeling) |
| Data Loss Prevention | DLP policies across Exchange, SharePoint, Teams, endpoints; 300+ sensitive info types | E3 (basic); E5 (endpoint DLP, advanced) |
| Insider Risk Management | Risk detection, case management, HR integration, activity correlation, ML risk scoring | E5 or Insider Risk add-on |
| Communication Compliance | Teams/email monitoring, regulatory compliance, offensive language detection, reviewer workflows | E5 or Communication Compliance add-on |
| eDiscovery | Content search, legal holds, case management, AI-powered review, custodian management | E3 (Standard); E5 (Premium) |
| Audit | Unified audit log, 180-day (Standard) or 10-year (Premium) retention, high-value events | All plans (Standard); E5 (Premium) |
| Data Lifecycle Management | Retention policies, retention labels, auto-apply labels, disposition review | E3/E5 |
| Records Management | Regulatory records, file plan, disposition, immutable records, event-based retention | E5 or Records Management add-on |

Compliance Manager and Compliance Score

Compliance Manager is the starting point for every compliance program in Microsoft 365. It provides a quantitative compliance score, maps your configuration to regulatory requirements, and prioritizes the improvement actions that have the most impact.

How the Compliance Score Works

Microsoft-Managed Actions

Controls that Microsoft handles for the M365 infrastructure — encryption at rest, physical data center security, network segmentation. These points are automatically counted toward your score. You cannot modify them, but they demonstrate the shared responsibility model.

Customer-Managed Actions

Controls that your organization must configure — enabling MFA, deploying DLP policies, configuring retention, enabling audit logging. Each action has a point value based on its impact. Completing high-value actions (like DLP deployment) yields more points than lower-value ones (like password policy).

Assessment Templates

Pre-built assessments for 300+ regulatory frameworks (HIPAA, SOC 2, GDPR, FedRAMP, ISO 27001, NIST 800-53, PCI DSS, CCPA). Each assessment maps specific M365 controls to regulatory requirements. You can run multiple assessments simultaneously to track compliance against all applicable regulations.

Improvement Actions

Prioritized list of specific steps to improve your score. Each action includes: description, implementation instructions, testing guidance, documentation templates, and point value. Actions are ranked by impact — focus on the top 10 improvement actions for the fastest compliance score increase.

EPC Group Benchmark: Organizations that have not deliberately configured M365 compliance features typically score 30-45%. After a focused 90-day compliance implementation, scores reach 70-80%. Achieving 90%+ requires advanced features (insider risk, communication compliance, eDiscovery Premium) and dedicated compliance team management. The compliance score is not a certification — it is an internal measurement tool. Actual certification (SOC 2, HIPAA) requires independent auditor assessment.

Data Classification

Data classification is the foundation that all other compliance features build upon. Before you can protect sensitive data, you need to know where it is, what type it is, and how much of it exists across your M365 environment.

Sensitive Information Types

  • 300+ built-in types (SSN, credit card, passport, health records)
  • Custom types via regex, keyword dictionaries, exact data match
  • Confidence levels (high, medium, low) reduce false positives
  • Instance count thresholds — detect bulk exposure vs single occurrence
  • Used by DLP, auto-labeling, insider risk, and communication compliance

Trainable Classifiers

  • Machine learning models trained on content patterns
  • Built-in classifiers: resumes, source code, financial statements, threats
  • Custom classifiers trained on your organization-specific content
  • Seed with 50-500 positive examples for accurate classification
  • Combine with DLP and auto-labeling for intelligent protection

Content Explorer

  • View actual documents containing sensitive information across M365
  • Drill down by sensitive information type, sensitivity label, or retention label
  • Shows document location, type, and matched sensitive content
  • Requires Content Explorer Content Viewer role (restricted access)
  • Essential for compliance audits — prove you know where sensitive data lives

Activity Explorer

  • Timeline of data classification activities: labeling, DLP matches, sharing
  • Filter by user, activity type, location, and date range
  • Identifies trends: increasing DLP violations, declining label usage
  • Export data for compliance reporting and executive dashboards
  • Track adoption of sensitivity labels and classification policies

Information Protection and Sensitivity Labels

Sensitivity labels are the enterprise mechanism for classifying and protecting content across Microsoft 365. Labels persist with the content — whether the document is in SharePoint, downloaded to a device, emailed externally, or shared in Teams. This is the most important compliance feature for organizations handling confidential data.

Enterprise Sensitivity Label Taxonomy

Public

Protections: No restrictions. Content can be shared freely.

Examples: Marketing materials, press releases, public documentation

General / Internal

Protections: No encryption. Header/footer marking. External sharing requires authentication.

Examples: Internal communications, meeting notes, project plans

Confidential

Protections: Encryption. Authenticated external sharing to approved domains only. No anonymous links. Watermarking on download.

Examples: Financial reports, strategy documents, client proposals, contracts

Highly Confidential

Protections: Full encryption. No external sharing. No download/print/copy. View-only access. Full audit trail. Automatic expiration.

Examples: PHI/PII, trade secrets, M&A documents, security assessments, board materials

Auto-labeling extends protection to content that users forget to classify. Configure auto-labeling policies in the Purview compliance portal to automatically apply sensitivity labels when documents contain specific sensitive information types. Simulation mode lets you preview which documents would be labeled before enabling enforcement.

Labels also apply to containers (SharePoint sites, Teams, M365 Groups) — setting site-level sharing restrictions, privacy settings, and conditional access policies automatically when the label is applied. This is the foundation for the three-tier sharing governance model described in our SharePoint External Sharing guide.

Data Loss Prevention (DLP)

DLP is the enforcement engine that prevents sensitive data from leaving your organization through unauthorized channels. It works across email, SharePoint, OneDrive, Teams, and endpoints to detect and block policy violations in real time.

Email DLP (Exchange)

Scan outbound email for sensitive content before delivery. Block or encrypt messages containing PHI, PII, financial data, or custom sensitive types. Apply transport rules that quarantine suspicious emails for compliance review. Notify senders with policy tips explaining why their message was blocked and how to request an exception.

SharePoint and OneDrive DLP

Detect sensitive content in documents stored in SharePoint and OneDrive. Block external sharing of documents containing sensitive information. Apply sensitivity labels automatically when DLP detects regulated content. Show policy tips in SharePoint document libraries and OneDrive when users attempt to share protected content.

Teams DLP

Monitor Teams chat and channel messages for sensitive content in real time. Redact or block messages containing sensitive data — the message is replaced with a notification explaining the policy violation. Teams DLP covers 1:1 chats, group chats, and channel conversations. Particularly important for healthcare and financial services where employees may inadvertently share regulated data in chat.

Endpoint DLP

Monitor and control sensitive data on Windows and macOS devices. Detect when users copy sensitive files to USB drives, print sensitive documents, upload to unauthorized cloud storage, or copy sensitive content to clipboard. Actions include block, audit-only, or warn. Requires Microsoft 365 E5 or Endpoint DLP add-on. Essential for preventing data exfiltration via download-and-reshare.

Insider Risk and Communication Compliance

These two modules address the human element of compliance — detecting risky behavior and policy-violating communications before they result in data breaches, regulatory violations, or organizational harm.

Insider Risk Management

  • Data theft by departing employees (HR connector triggers monitoring)
  • Accidental data leaks (bulk file downloads, mass external sharing)
  • Security policy violations (disabling MFA, bypassing DLP)
  • ML-based risk scoring correlates multiple signals
  • Case management with timeline, evidence, and recommended actions
  • Privacy controls — user identities pseudonymized until escalation

Requires: E5 or Insider Risk Management add-on

Communication Compliance

  • Regulatory language monitoring (SEC, FINRA, insider trading)
  • Offensive language detection (harassment, threats, discrimination)
  • Sensitive information in chats (passwords, PII, financial data)
  • Built-in ML classifiers trained on millions of examples
  • In-context review — surrounding messages shown, not just flagged content
  • Role-based reviewer access with anonymization options

Requires: E5 or Communication Compliance add-on

eDiscovery and Audit

eDiscovery and audit are the investigative and evidentiary capabilities that support legal proceedings, compliance investigations, and security incident response. Every enterprise should have these configured before they are needed — retroactive setup misses critical data.

eDiscovery Tiers

| Tier | Plan | Capabilities |
| --- | --- | --- |
| Content Search | All plans | Basic search across mailboxes, SharePoint, OneDrive, Teams. Export results. Available in all M365 plans. Use for simple investigations and ad-hoc searches. |
| eDiscovery Standard | E3/E5 | Adds case management, legal hold (preserves content from modification/deletion), and custodian identification. Place holds on specific mailboxes or sites. Required for litigation readiness. |
| eDiscovery Premium | E5 | Adds AI-powered review sets (predictive coding, near-duplicate detection, email threading, relevance scoring), non-M365 data processing, custodian communications, and privileged content detection. Required for complex litigation with large data volumes. |

Audit Capabilities

Audit Standard

  • 180-day log retention
  • 100+ activity types across M365
  • Search by user, activity, date, location
  • Export to CSV for analysis
  • Available in all M365 plans

Audit Premium

  • 365-day retention (up to 10 years configurable)
  • High-value events: MailItemsAccessed, SearchQuery
  • Higher API throughput for large exports
  • Intelligent insights for breach investigation
  • Requires E5 license

Data Lifecycle Management and Records Management

Data lifecycle management ensures content is retained for the required period and deleted when no longer needed. Records management adds regulatory controls for content that must be preserved as immutable records.

Retention Policies

Apply broad retention settings to entire locations — all Exchange mailboxes, all SharePoint sites, specific Teams channels. Retention policies run silently in the background. Content is retained for the specified period (e.g., 7 years) and optionally deleted after. Users cannot see or override retention policies. Use for baseline organizational retention: "Keep all email for 7 years" or "Delete Teams messages after 1 year."

Retention Labels

Apply retention settings to individual items — specific documents, emails, or messages. Labels can be applied manually by users, automatically by policies (based on sensitive information types or keywords), or as defaults for document libraries. Labels support records management: declaring an item as a record locks it from editing or deletion. Use for specific content requiring different retention than the baseline or content requiring regulatory records declaration.

Records Management

Advanced records capabilities for regulated industries. File plan imports from existing records management systems. Regulatory records cannot be modified, deleted, or relabeled by anyone — including administrators. Disposition reviews require designated reviewers to approve deletion at the end of retention. Event-based retention starts the retention clock when a triggering event occurs (contract termination, product end-of-life). Proof of disposal documents deletion for audit compliance.

Auto-Apply Retention Labels

Automatically apply retention labels based on content conditions: sensitive information types (apply "7-Year Financial Retention" to documents containing account numbers), keywords (apply "Legal Hold" to documents containing case numbers), trainable classifiers (apply "HR Records" to documents matching employee file patterns). Auto-apply ensures retention compliance without relying on user action — critical for organizations with thousands of employees creating content daily.

Industry Compliance: HIPAA, SOC 2, GDPR

The Purview compliance portal maps directly to industry regulatory requirements. Each regulation has a Compliance Manager assessment template that identifies the specific M365 controls needed to achieve compliance.

HIPAA Compliance

  • Business Associate Agreement (BAA) signed with Microsoft
  • Sensitivity labels for PHI classification with encryption
  • DLP policies detecting health-related sensitive information types
  • 6-year retention policies for PHI-containing content
  • Conditional access: MFA + managed devices for PHI access
  • Audit Premium: 10-year retention, MailItemsAccessed for breach investigation
  • Insider risk monitoring for PHI data exfiltration
  • eDiscovery legal holds for investigation readiness

SOC 2 Compliance

  • Security: Conditional access (MFA, device compliance, location), Defender for M365
  • Availability: M365 SLA documentation, service health monitoring
  • Processing Integrity: DLP for data accuracy, audit logs for processing trail
  • Confidentiality: Sensitivity labels with encryption, information barriers, DLP
  • Privacy: Data classification, privacy management, subject rights requests
  • Evidence collection: Compliance Manager assessment reports, audit log exports
  • Quarterly access reviews via Entra ID for SOC 2 evidence
  • Change management documentation via M365 audit trail

GDPR Compliance

  • Data classification to identify personal data across M365
  • Sensitivity labels for personal data protection
  • DLP policies preventing unauthorized personal data sharing
  • Subject rights requests (DSAR) module for data subject access, erasure, export
  • Privacy management to detect personal data overexposure
  • Data residency controls for EU data processing requirements
  • Retention policies aligned with data minimization principle
  • Breach notification readiness: Audit Premium + incident response procedures

Frequently Asked Questions

What is the Microsoft 365 Compliance Center?

The Microsoft 365 Compliance Center — now rebranded as the Microsoft Purview compliance portal (compliance.microsoft.com) — is the centralized hub for managing compliance, data governance, and information protection across Microsoft 365. It provides tools for: Compliance Manager (compliance score and assessments), data classification (sensitive information types, trainable classifiers), information protection (sensitivity labels, encryption), Data Loss Prevention (DLP policies across Exchange, SharePoint, Teams, endpoints), insider risk management (detect and investigate risky user behavior), communication compliance (monitor Teams/email for policy violations), eDiscovery (legal hold, content search, case management), audit (unified audit log, advanced audit), data lifecycle management (retention policies, retention labels), and records management (regulatory records, disposition). The portal consolidates what was previously spread across the Security & Compliance Center, Azure Information Protection, and separate admin portals into a single compliance management interface.

What is Compliance Manager and how does the compliance score work?

Compliance Manager is the assessment and scoring tool within the Purview compliance portal that measures your organization's compliance posture against regulatory frameworks. The compliance score is calculated as: (points achieved from completed improvement actions) / (total achievable points) x 100. Microsoft manages some actions automatically (infrastructure controls like encryption at rest, which Microsoft handles for M365) — these count toward your score without your intervention. Customer-managed actions are the improvement steps your organization must implement (configuring DLP policies, enabling audit logging, deploying sensitivity labels). Compliance Manager provides pre-built assessments for 300+ regulations including HIPAA, SOC 2, GDPR, FedRAMP, ISO 27001, NIST 800-53, PCI DSS, and CCPA. Each assessment maps specific M365 controls to regulatory requirements, making it clear which features to configure and which compliance gaps exist. EPC Group typically sees initial compliance scores of 30-45% for organizations that have not deliberately configured M365 compliance features.

How does Data Loss Prevention work in Microsoft 365?

Microsoft 365 DLP detects and protects sensitive information across Exchange email, SharePoint sites, OneDrive accounts, Teams messages, Power BI dashboards, and Windows/macOS endpoints. DLP policies consist of three components: 1) Conditions — what to detect (sensitive information types like SSNs, credit card numbers, health records, or custom patterns; sensitivity labels; document properties), 2) Actions — what to do when conditions are met (block sharing, encrypt, require justification, notify user via policy tip, alert compliance team, restrict to view-only), 3) Scope — where to enforce (specific users, groups, sites, or organization-wide). DLP includes 300+ built-in sensitive information types covering global regulations. You can create custom types using regex patterns, keyword dictionaries, or exact data match (EDM) for precise detection of your organization-specific data. DLP also includes endpoint DLP for Windows and macOS — monitoring clipboard, print, USB copy, and cloud upload activities. EPC Group implements DLP in test mode first, running for 2-4 weeks to identify false positives before enabling enforcement.
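The test-mode-first DLP rollout described in the DLP section and in this answer, as an added Security & Compliance PowerShell example (not EPC Group's code or a Microsoft sample): it assumes the ExchangeOnlineManagement module, a Compliance Administrator account, and the placeholder policy name and UPN shown.

```powershell
# Added example: stage a DLP policy in test mode with policy tips, then enforce it after review.
# Assumes: ExchangeOnlineManagement module installed; compliance-admin@contoso.example is a
# placeholder UPN; 'PII-External-Sharing' is an example policy name.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'compliance-admin@contoso.example'

$policyName = 'PII-External-Sharing'

# 1. Policy scoped to the workloads the guide lists. TestWithNotifications shows users the
#    policy tip and records matches, but blocks nothing, so false positives surface safely.
$policy = @{
    Name               = $policyName
    Comment            = 'Detect US SSN and credit card numbers shared outside the organization'
    ExchangeLocation   = 'All'
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
    TeamsLocation      = 'All'
    Mode               = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policy

# 2. Rule = conditions + actions. Conditions: built-in sensitive information types (one or more
#    matches) and an external access scope. Actions: block external access, policy tip to the
#    owner/last modifier, incident report to site admins with full match details.
$sensitiveTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
    @{ Name = 'Credit Card Number';                minCount = '1' }
)
$rule = @{
    Name                                = "$policyName-Block-External"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $sensitiveTypes
    AccessScope                         = 'NotInOrganization'
    BlockAccess                         = $true
    NotifyUser                          = @('Owner', 'LastModifier')
    NotifyPolicyTipCustomText           = 'This item appears to contain SSN or card data. Remove it or request an exception.'
    GenerateIncidentReport              = 'SiteAdmin'
    IncidentReportContent               = 'All'
    ReportSeverityLevel                 = 'High'
}
New-DlpComplianceRule @rule

# 3. After the 2-4 week test window, review matches (Activity Explorer / DLP reports), tune the
#    rule, then switch the policy to enforcement. Left commented so the script stays in test mode.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

While the policy is in test mode, `Get-DlpCompliancePolicy -Identity $policyName` confirms the Mode before you flip it to Enable.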

What is insider risk management in Microsoft 365?

Insider risk management detects potentially risky activities by users within your organization — data theft by departing employees, accidental data leaks, confidentiality violations, and security policy violations. It correlates signals from multiple sources: 1) HR connectors — employment status changes (resignation, termination) from your HR system trigger risk monitoring for the departing user, 2) DLP alerts — repeated DLP policy violations indicate potential data exfiltration, 3) Activity signals — mass file downloads, printing sensitive documents, copying to USB, emailing large attachments to personal accounts, 4) Security signals — disabling security controls, accessing sensitive sites outside normal patterns. Insider risk uses machine learning to correlate these signals and generate risk scores. High-risk users trigger cases that compliance investigators can review with a timeline of activities, risk indicators, and recommended actions. Privacy controls allow pseudonymization of user identities during investigation until escalation is approved. EPC Group configures insider risk policies aligned with the organization's data classification — monitoring is focused on Highly Confidential content, not routine activity.

How does eDiscovery work in Microsoft 365?

Microsoft 365 eDiscovery provides three tiers: 1) Content Search — basic search across Exchange mailboxes, SharePoint sites, OneDrive accounts, and Teams messages. Export results for review. Available in all M365 plans. 2) eDiscovery Standard — adds case management, legal hold (preserves content from deletion or modification), and custodian management. Place holds on specific mailboxes or sites to preserve evidence. Available with E3/E5. 3) eDiscovery Premium — adds advanced features: custodian management with communications, processing of non-M365 data sources, AI-powered review sets (predictive coding, near-duplicate detection, email threading, relevance scoring), and privileged content detection (attorney-client privilege). Available with E5. The eDiscovery workflow is: identify custodians > place legal holds > collect content via search > process and index > review with AI assistance > export for production. For litigation readiness, EPC Group recommends enabling mailbox and SharePoint audit logging, configuring retention policies to preserve data, and establishing an eDiscovery process playbook before litigation occurs.

What is the difference between retention policies and retention labels?

Retention policies and retention labels are both part of data lifecycle management but serve different purposes: Retention policies apply broad retention settings to entire locations — all Exchange mailboxes, all SharePoint sites, specific Teams channels. They run silently in the background, retaining content for a specified period (e.g., 7 years) and optionally deleting it after. Users cannot override or see retention policies. Retention labels are applied to individual items — a specific document, email, or Teams message. Labels can be applied manually by users, automatically by auto-apply policies (based on sensitive information types, keywords, or trainable classifiers), or as default labels for document libraries. Labels support records management — declaring an item as a regulatory record locks it from editing or deletion and starts a disposition review at the end of retention. Use retention policies for baseline organizational retention (keep all email for 7 years). Use retention labels for specific content that needs different retention, records declaration, or disposition review. Both can coexist — if a retention policy and retention label conflict, the longer retention period wins.
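Both halves of this answer, the location-wide baseline policy and the item-level record label with auto-apply, as an added Security & Compliance PowerShell example (not EPC Group's code or a Microsoft sample): it assumes the ExchangeOnlineManagement module, a Compliance Administrator account, the placeholder UPN, and the policy and label names shown.

```powershell
# Added example: baseline retention policy vs. an auto-applied regulatory record label.
# Assumes: ExchangeOnlineManagement module; compliance-admin@contoso.example is a placeholder UPN;
# policy/label names are chosen for this example. 2555 days = 7 x 365.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'compliance-admin@contoso.example'

# --- Retention policy: "Keep all email for 7 years". Location-wide, silent, not user-overridable.
$baseline = 'Baseline-Email-7yr'
New-RetentionCompliancePolicy -Name $baseline -Comment 'Organization-wide email retention baseline' `
    -ExchangeLocation All -Enabled $true
$baselineRule = @{
    Name                      = "$baseline-Rule"
    Policy                    = $baseline
    RetentionDuration         = 2555                # 7 years in days
    RetentionComplianceAction = 'KeepAndDelete'     # retain, then delete once the period expires
    ExpirationDateOption      = 'CreationAgeInDays' # clock starts when the item is created
}
New-RetentionComplianceRule @baselineRule

# --- Retention label: "7-Year Financial Retention" declared as a regulatory record.
# A regulatory record cannot be edited, deleted or relabeled by anyone, including admins.
# (Assumption: regulatory record labels must first be enabled for the tenant via
#  Set-RegulatoryComplianceUI -Enabled $true.)
$label = '7-Year Financial Retention'
$tag = @{
    Name              = $label
    Comment           = 'Regulatory record: financial documents retained 7 years after last modification'
    RetentionAction   = 'KeepAndDelete'
    RetentionDuration = 2555
    RetentionType     = 'ModificationAgeInDays'     # clock starts at last modification, not creation
    Regulatory        = $true
}
New-ComplianceTag @tag

# --- Auto-apply: label SharePoint/OneDrive items that contain banking identifiers, so retention
# does not depend on users remembering to classify. Built-in sensitive information types are used.
$autoPolicy = 'AutoApply-Financial-Records'
New-RetentionCompliancePolicy -Name $autoPolicy -SharePointLocation All -OneDriveLocation All -Enabled $true
$autoRule = @{
    Name                                = "$autoPolicy-Rule"
    Policy                              = $autoPolicy
    ApplyComplianceTag                  = $label
    ContentContainsSensitiveInformation = @(
        @{ Name = 'ABA Routing Number';       minCount = '1' },
        @{ Name = 'U.S. Bank Account Number'; minCount = '1' }
    )
}
New-RetentionComplianceRule @autoRule
```

An email that falls under both the baseline policy and a longer label keeps the longer period, as the answer above states, so the label never shortens retention.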

How does communication compliance work?

Communication compliance monitors Teams messages, Exchange email, and third-party communications for policy violations. Common use cases: 1) Regulatory compliance — financial services firms monitor for insider trading language, unauthorized commitments, or disclosure violations (SEC, FINRA requirements), 2) Offensive language — detect harassment, threats, discrimination, or profanity in workplace communications, 3) Sensitive information sharing — identify when employees share confidential data, passwords, or PII in Teams or email, 4) Conflict of interest — detect communications that indicate undisclosed relationships with vendors or competitors. Policies use built-in classifiers (trained on millions of examples), custom keyword dictionaries, and sensitive information types to detect violations. When a violation is detected, a reviewer examines the communication in context (surrounding messages, not just the flagged message) and takes action: resolve as false positive, notify the user, escalate to HR/legal, or document for regulatory reporting. Communication compliance has built-in privacy controls — reviewer access is role-based, and users can be anonymized during investigation. EPC Group configures communication compliance primarily for financial services and healthcare clients where regulatory monitoring is required.

What audit capabilities does Microsoft 365 provide?

Microsoft 365 provides two audit tiers: 1) Audit Standard (all M365 plans) — unified audit log capturing user and admin activities across Exchange, SharePoint, OneDrive, Teams, Entra ID, and other M365 services. Includes 180 days of log retention, search and filter by date/user/activity/location, and export to CSV. Covers 100+ activity types including file access, sharing, login, admin changes, and DLP events. 2) Audit Premium (E5) — extends to 365 days of retention (configurable up to 10 years), adds high-value audit events (MailItemsAccessed for mailbox forensics, SearchQueryInitiatedExchange/SharePoint for search activity monitoring), intelligent insights (compromised account investigation, identifying accessed data during a breach), and higher API throughput for large-scale audit data retrieval. Audit data can be exported to Azure Sentinel or third-party SIEM platforms for long-term retention, correlation with non-M365 data, and advanced threat detection. EPC Group recommends enabling Audit Premium for all organizations handling sensitive data — the MailItemsAccessed event is essential for breach impact assessment.
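A breach-impact pull of MailItemsAccessed events for one account, as an added Security & Compliance PowerShell example (not EPC Group's code or a Microsoft sample): it assumes Audit Premium is enabled, the ExchangeOnlineManagement module, a placeholder investigator and victim UPN, and the AuditData field names noted in the comments.

```powershell
# Added example: collect MailItemsAccessed events for a suspected-compromise window and
# summarise them by client IP and access type (Bind = individual messages opened,
# Sync = whole folder synced). Assumes Audit Premium; UPNs below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'compliance-admin@contoso.example'

$user  = 'victim@contoso.example'
$start = (Get-Date).AddDays(-30)
$end   = Get-Date
# ReturnLargeSet pages 5,000 records per call under one SessionId (50,000 per session max);
# repeat the call with the same SessionId until it returns nothing.
$sessionId = "MailItemsAccessed-$user-$(Get-Date -Format 'yyyyMMddHHmmss')"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user `
        -Operations MailItemsAccessed -SessionId $sessionId -SessionCommand ReturnLargeSet `
        -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# AuditData is a JSON string per record. Field names used here (ClientIPAddress, ClientInfoString,
# OperationProperties[MailAccessType|IsThrottled], Folders[].Path, Folders[].FolderItems) are
# assumed from the MailItemsAccessed schema; missing fields simply yield empty values.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $d.CreationTime
        ClientIP   = $d.ClientIPAddress
        Client     = $d.ClientInfoString
        AccessType = ($d.OperationProperties | Where-Object Name -eq 'MailAccessType').Value
        Throttled  = ($d.OperationProperties | Where-Object Name -eq 'IsThrottled').Value
        Folders    = (($d.Folders | ForEach-Object { $_.Path }) -join ';')
        Messages   = (($d.Folders | ForEach-Object { $_.FolderItems.Count }) | Measure-Object -Sum).Sum
    }
}

# Which IPs/clients touched the mailbox, how, and how many messages. Any Throttled = True row
# means Exchange stopped logging individual binds for that window, so counts are a lower bound.
$events | Group-Object ClientIP, AccessType |
    Select-Object @{ n = 'ClientIP, AccessType'; e = { $_.Name } }, Count,
                  @{ n = 'Messages'; e = { ($_.Group | Measure-Object Messages -Sum).Sum } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

$throttledWindows = ($events | Where-Object Throttled -eq 'True').Count
Write-Host "Throttled windows (under-counted access): $throttledWindows"

# Keep the expanded events as evidence alongside the raw export.
$events | Export-Csv -Path ".\MailItemsAccessed-$user.csv" -NoTypeInformation
```

Pair the IP list with sign-in logs for the same window to separate the user's own clients from unfamiliar ones before drawing conclusions about what was read.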

How do you achieve HIPAA compliance with Microsoft 365?

HIPAA compliance in Microsoft 365 requires configuring multiple Purview compliance features: 1) Business Associate Agreement (BAA) — sign the Microsoft BAA through the Microsoft 365 admin center (prerequisite for any HIPAA use of M365), 2) Sensitivity labels — create "PHI" and "Highly Confidential PHI" labels that apply encryption, block external sharing, and enable watermarking, 3) DLP policies — detect health-related sensitive information types (medical record numbers, DEA numbers, health insurance IDs) and block unauthorized sharing, 4) Retention policies — retain all PHI-related communications and documents for the HIPAA-required 6-year retention period, 5) Access controls — conditional access policies requiring MFA, managed devices, and approved apps for accessing PHI content, 6) Audit — enable Audit Premium for 10-year retention and MailItemsAccessed events for breach investigation, 7) Insider risk — monitor for PHI data exfiltration by departing employees or unauthorized bulk access. Compliance Manager provides a HIPAA assessment template that maps all required controls to specific M365 configurations. EPC Group HIPAA compliance implementations typically take 6-8 weeks for organizations already running M365 E5.

How do you use Microsoft 365 for SOC 2 compliance?

SOC 2 compliance in Microsoft 365 maps the Trust Services Criteria to M365 controls: 1) Security — Entra ID conditional access (MFA, device compliance, location restrictions), Microsoft Defender for M365 (anti-phishing, safe attachments, safe links), and privileged access management, 2) Availability — M365 SLA (99.9%), geo-redundant data centers, and admin center service health monitoring, 3) Processing integrity — DLP policies verify data accuracy before sharing, audit logs provide processing trail, and retention policies ensure data is not prematurely deleted, 4) Confidentiality — sensitivity labels encrypt confidential content, information barriers prevent unauthorized communication between departments, and DLP blocks confidential data from leaving the organization, 5) Privacy — data classification identifies personal data, privacy management detects overexposure, and subject rights requests handle DSAR (data subject access requests) for GDPR and CCPA. Compliance Manager includes SOC 2 assessment templates mapping specific improvement actions to each Trust Services Criteria. EPC Group SOC 2 implementations focus on demonstrating the operating effectiveness of M365 controls through audit evidence collection — screenshot-documented configurations, audit log exports, and DLP match reports.

Related Resources

Microsoft 365 Consulting Services

Enterprise Microsoft 365 compliance implementation, governance frameworks, and security configuration from EPC Group.


Microsoft Purview Data Governance

Data catalog, data map, data lineage, and governance capabilities in Microsoft Purview beyond the compliance portal.


Compliance IT Consulting

Enterprise compliance consulting for HIPAA, SOC 2, GDPR, FedRAMP, and industry-specific regulatory frameworks.


Need M365 Compliance Implementation?

EPC Group implements comprehensive Microsoft 365 compliance frameworks for enterprises — from Compliance Manager assessments and sensitivity label taxonomies to DLP deployment, insider risk configuration, and eDiscovery readiness. Our 90-day compliance programs typically increase compliance scores from 30% to 75%+ while establishing the controls needed for HIPAA, SOC 2, and GDPR certification.

Get Compliance Assessment (888) 381-9725

Microsoft 365 Compliance Center: Enterprise Guide 2026

The Microsoft 365 Compliance Center — now Microsoft Purview — is the central hub for data protection, regulatory compliance, and eDiscovery in M365. This guide covers Compliance Manager, DLP, sensitivity labels, insider risk, eDiscovery, and configuration steps for HIPAA, SOC 2, and GDPR. EPC Group has configured Purview for 200+ regulated enterprise tenants.

  • The Compliance Center was rebranded as Microsoft Purview in 2022. The portal is at compliance.microsoft.com.
  • Compliance Manager provides a score-based framework mapping your M365 controls to HIPAA, SOC 2, GDPR, and 300+ other regulations.
  • DLP policies cover Exchange, SharePoint, Teams, OneDrive, and endpoint devices.
  • eDiscovery Premium (E5 required) supports predictive coding and review sets for large legal matters.
  • EPC Group has completed compliance configurations for HIPAA, SOC 2, FedRAMP, and CMMC environments.

What Is the Microsoft 365 Compliance Center?

The Microsoft 365 Compliance Center is the unified portal for managing data protection, compliance, and legal obligations across your Microsoft 365 tenant. Microsoft rebranded it as Microsoft Purview in 2022. The portal address remains compliance.microsoft.com.

The portal brings together eight capability areas under one interface: Compliance Manager, Information Protection, Data Loss Prevention, Insider Risk Management, Communication Compliance, eDiscovery, Audit, and Data Lifecycle Management.

Compliance Manager

Compliance Manager gives your organization a score-based view of how well your M365 configuration meets regulatory requirements. It covers 300+ frameworks, including HIPAA, SOC 2, GDPR, NIST 800-53, ISO 27001, and FedRAMP.

The dashboard shows your overall Compliance Score, improvement actions sorted by impact, and the percentage of controls currently passing versus failing. Each improvement action links directly to the configuration page in the admin center.

Start with Compliance Manager before configuring individual policies. It tells you which gaps have the highest impact on your score and prioritizes your remediation work.

Information Protection and Sensitivity Labels

Sensitivity labels classify content and apply protection rules automatically. Labels travel with documents and emails — even when they leave your tenant.

A basic label taxonomy for enterprise environments includes:

  • Public: No restrictions.
  • Internal: Watermark applied, external sharing allowed with notification.
  • Confidential: Encryption enforced, external sharing blocked by default.
  • Highly Confidential: Encryption enforced, access restricted to named users or groups.

Auto-labeling policies scan content at rest and in transit. They apply labels automatically when sensitive information types — credit card numbers, SSNs, health record identifiers — are detected.

Data Loss Prevention (DLP)

DLP policies prevent sensitive data from leaving your organization through email, Teams chat, SharePoint sharing, OneDrive sync, or endpoint copy actions.

Configure DLP in three phases:

  1. Audit mode first: Run all new policies in simulation mode. Review policy match reports for 2–4 weeks before enforcing blocks.
  2. Notify, then block: Start with user notifications and policy tips. Move to blocks only after users understand the policies.
  3. Endpoint DLP last: Endpoint DLP requires Defender for Endpoint onboarding. Deploy after email and SharePoint policies are stable.

The most common DLP mistake is blocking everything on day one. This causes user complaints and shadow IT. Start in audit mode. Tune for false positives. Enforce incrementally.
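The three phases above as a Security & Compliance PowerShell script (ExchangeOnlineManagement module). This is an added example, not EPC Group's or Microsoft's own code; the policy name, the sensitive information types, and the admin account are placeholders, and the two Set-DlpCompliancePolicy promotions are meant to be run weeks apart, not in one sitting.

```powershell
# Added example: phased DLP rollout (audit -> notify -> block) in Security & Compliance PowerShell.
# Assumptions: the admin UPN, policy name and policy-tip text are placeholders.
Connect-IPPSSession -UserPrincipalName compliance-admin@contoso.example

$policyName = 'Financial PII - External Sharing'

# Phase 1: create the policy in simulation mode. TestWithoutNotifications records matches
# in the DLP reports without showing users anything, so false positives can be tuned first.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithoutNotifications `
    -Comment 'Phase 1: audit only. Review match reports for 2-4 weeks before enforcing.'

# The rule carries the conditions and actions. BlockAccess is configured now but stays
# inert while the policy is in a Test mode, so promotion later is a one-line change.
New-DlpComplianceRule -Name "$policyName - rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number'; minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item contains financial PII and cannot be shared outside the company.' `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# Phase 2 (after 2-4 weeks of tuning): still no blocks, but users now see policy tips
# and notifications, so they learn the policy before enforcement starts.
Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications

# Phase 3 (after users understand the policy): enforce. Blocks now apply and nothing
# else about the rule has to change.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Evidence for the change record: the current mode of every DLP policy in the tenant.
Get-DlpCompliancePolicy | Select-Object Name, Mode, Enabled
```

Endpoint DLP (phase 3 in the article's list) is added later by including -EndpointDlpLocation in the policy once Defender for Endpoint onboarding is complete; it is left out here deliberately.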

Insider Risk Management

Insider Risk Management detects anomalous user behavior that may indicate data theft, policy violations, or security incidents. It analyzes signals from M365 activity, HR data connectors, and endpoint telemetry.

Common policy templates include:

  • Data theft by departing employees: Triggered by HR termination signals plus elevated file download or copy activity.
  • Data leaks: Detects sharing of sensitive content outside the organization.
  • Security policy violations: Flags users repeatedly bypassing DLP controls or accessing restricted content.

Insider Risk Management requires E5 licensing. Privacy controls are built in — analysts see anonymized user IDs by default and must request de-anonymization through a role-based approval process.

eDiscovery and Legal Hold

Purview offers two eDiscovery tiers. eDiscovery Standard is included in E3. eDiscovery Premium requires E5 and adds review sets, predictive coding, and advanced analytics.

For legal hold, create a case in eDiscovery and place a hold on specific mailboxes, SharePoint sites, or Teams channels. Content under hold is preserved even if the user deletes it. Document every hold in a legal hold register — auditors and courts require this documentation.

eDiscovery Premium's predictive coding uses machine learning to identify relevant documents. For large matters with 100,000+ items, it reduces review time significantly compared to manual review.

Audit Log Configuration

Audit logging captures every significant user and admin action in your M365 tenant. It is the primary forensic record for security investigations and compliance audits.

Key configuration steps:

  • Verify audit logging is enabled: Go to Purview → Audit → Start recording user and admin activity.
  • E3 tenants retain audit logs for 90 days by default. Extend to 1 year via Audit (Standard).
  • E5 tenants get Audit (Premium) with 10-year retention and MailItemsAccessed events for breach investigation.
  • Configure log retention policies before an incident — you cannot recover logs that were not retained.
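The audit tier description earlier on this page and the configuration steps above both single out MailItemsAccessed as the event that matters for breach impact assessment. The following added example (not code from the original article) turns on unified audit log ingestion and then pulls MailItemsAccessed events for an account suspected of compromise; the admin and suspect accounts and the 14-day window are placeholders, and the event itself is only recorded for mailboxes covered by Audit (Premium).

```powershell
# Added example: enable the unified audit log, then summarise MailItemsAccessed events for
# one account to scope which mailboxes and items were touched during an incident window.
# Assumptions: UPNs and the time window are placeholders.
Connect-ExchangeOnline -UserPrincipalName secops-admin@contoso.example

# Step 1: confirm ingestion is on (same effect as "Start recording user and admin activity").
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Step 2: page through the log. A fixed SessionId with ReturnLargeSet lets one search
# return up to 50,000 results in 5,000-record pages; loop until a page comes back empty.
$suspect   = 'j.doe@contoso.example'
$start     = (Get-Date).AddDays(-14)
$end       = Get-Date
$sessionId = "MailItemsAccessed-$suspect-$(Get-Date -Format yyyyMMddHHmm)"
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations MailItemsAccessed -UserIds $suspect `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page)

# Step 3: AuditData is a JSON string; expand the fields needed for impact assessment.
$accesses = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $accessType = ($d.OperationProperties | Where-Object Name -eq 'MailAccessType').Value
    $throttled  = ($d.OperationProperties | Where-Object Name -eq 'IsThrottled').Value
    foreach ($folder in $d.Folders) {
        [pscustomobject]@{
            Time       = $d.CreationTime
            Mailbox    = $d.MailboxOwnerUPN
            Folder     = $folder.Path
            Items      = @($folder.FolderItems).Count
            AccessType = $accessType   # Bind = individual items listed; Sync = whole folder pulled
            Throttled  = $throttled    # True = more items were accessed than the log recorded
            ClientIP   = $d.ClientIPAddress
            Client     = $d.ClientInfoString
        }
    }
}

# Sync accesses and throttled events mean the full set of touched items is NOT in the log:
# the breach report must treat the whole folder (or mailbox) as potentially exposed.
$accesses | Where-Object { $_.AccessType -eq 'Sync' -or $_.Throttled -eq 'True' } |
    Group-Object Mailbox, Folder | Select-Object Name, Count

# Keep the expanded records as evidence alongside the raw export.
$accesses | Export-Csv -Path ".\mailitemsaccessed-$suspect.csv" -NoTypeInformation
```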

HIPAA Compliance Configuration in Microsoft 365

HIPAA compliance in Microsoft 365 requires configuring multiple Purview features. Complete these steps in order.

  1. Sign the Business Associate Agreement (BAA). Go to the Microsoft 365 admin center → Settings → Services → Microsoft Cloud Agreement. This is a prerequisite for any HIPAA use of M365.
  2. Create sensitivity labels for PHI. Create "PHI" and "Highly Confidential PHI" labels that apply encryption, block external sharing, and add watermarks.
  3. Configure DLP policies for health data. Use built-in sensitive information types: medical record numbers, DEA numbers, health insurance IDs. Set actions to block unauthorized external sharing.
  4. Set retention policies. Retain all PHI-related communications and documents for 6 years — the HIPAA-required minimum retention period.
  5. Configure Conditional Access. Require MFA, compliant devices, and approved apps for any access to PHI content.
  6. Enable Audit Premium. Turn on 10-year audit retention and MailItemsAccessed events. These are required for HIPAA breach investigation documentation.
  7. Deploy Insider Risk policies. Monitor for PHI data exfiltration by departing employees or unauthorized bulk access.
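Steps 3 and 6 are covered by the DLP and audit scripts elsewhere on this page; step 4 is the one most often configured incorrectly, because the portal's "years" option is stored as days and Teams messages need their own policy. The following added example (not EPC Group's or Microsoft's own code) creates the 6-year retention policies and then checks them; policy names and the admin account are placeholders.

```powershell
# Added example: HIPAA step 4 (6-year retention) in Security & Compliance PowerShell.
# Assumptions: names and the admin UPN are placeholders; RetentionDuration takes days or Unlimited.
Connect-IPPSSession -UserPrincipalName compliance-admin@contoso.example

$sixYears = 6 * 365   # 2190 days, the same value the Purview portal uses for "6 years"

# Exchange, SharePoint and OneDrive can share one policy. Teams chat and channel messages
# cannot be combined with those locations, so a second policy is required for Teams.
New-RetentionCompliancePolicy -Name 'HIPAA PHI Retention - Workloads' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Comment 'Retain PHI-related content for the HIPAA minimum of 6 years.'

New-RetentionCompliancePolicy -Name 'HIPAA PHI Retention - Teams' `
    -TeamsChatLocation All -TeamsChannelLocation All `
    -Comment 'Retain PHI-related Teams messages for 6 years.'

# RetentionComplianceAction Keep retains content and never deletes it when the period ends.
# KeepAndDelete would purge content at day 2191, which only belongs here after legal sign-off.
# ModificationAgeInDays counts from the last change, the safer basis for records that are
# still being updated. Teams retention is always based on the message's creation date,
# so that parameter is omitted for the Teams rule.
New-RetentionComplianceRule -Name 'HIPAA PHI Retention - Workloads - rule' `
    -Policy 'HIPAA PHI Retention - Workloads' `
    -RetentionDuration $sixYears -RetentionComplianceAction Keep `
    -ExpirationDateOption ModificationAgeInDays

New-RetentionComplianceRule -Name 'HIPAA PHI Retention - Teams - rule' `
    -Policy 'HIPAA PHI Retention - Teams' `
    -RetentionDuration $sixYears -RetentionComplianceAction Keep

# Verification for the audit evidence file: each PHI rule must keep content for at least 2190 days.
foreach ($policy in 'HIPAA PHI Retention - Workloads', 'HIPAA PHI Retention - Teams') {
    Get-RetentionComplianceRule -Policy $policy |
        Select-Object Name, RetentionDuration, RetentionComplianceAction,
            @{ n = 'MeetsHipaaMinimum'
               e = { [string]$_.RetentionDuration -eq 'Unlimited' -or [int]$_.RetentionDuration -ge 2190 } }
}
```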

SOC 2 Compliance Configuration

SOC 2 maps the Trust Services Criteria to M365 controls. Cover these four areas.

  1. Security (CC6–CC9): Entra ID Conditional Access (MFA, device compliance, location restrictions), Defender for M365 (anti-phishing, safe attachments, safe links), and privileged access management.
  2. Availability (A1): M365 SLA documentation, Exchange Online Protection failover, and SharePoint geo-redundancy configuration.
  3. Confidentiality (C1–C2): Sensitivity labels on all confidential content, DLP policies blocking unauthorized external sharing, and Information Barriers between business units that must stay separate.
  4. Processing Integrity and Privacy (PI/P): Purview Data Map for inventory, retention policies for all data types, and Compliance Manager continuous assessment for gap tracking.

GDPR Configuration

GDPR compliance in Microsoft 365 focuses on data subject rights, consent, and data minimization. Key configurations include:

  • Data Map: Use Purview Data Map to inventory where personal data lives across M365.
  • Subject Access Requests: Use the DSR (Data Subject Request) workflow in Purview to respond to access, deletion, and portability requests.
  • Retention and deletion: Configure retention policies that automatically delete personal data after the lawful retention period expires.
  • DLP for PII: Block sharing of EU personal data types — national IDs, passport numbers, health data — using built-in sensitive information types.

EPC Group's Purview Implementation Experience

EPC Group has configured Microsoft Purview for 200+ regulated enterprise tenants across healthcare, financial services, government, and professional services. We have completed HIPAA, SOC 2, FedRAMP, CMMC, and GDPR compliance configurations in Microsoft 365.

Our compliance practice is led by architects who have worked directly with regulated industries — not generalists applying a template. We document every configuration with evidence artifacts suitable for auditors and external assessors.

Frequently Asked Questions

What is the Microsoft 365 Compliance Center called now?

Microsoft renamed the Compliance Center to Microsoft Purview in 2022. The portal is still at compliance.microsoft.com. All compliance features — DLP, Insider Risk, eDiscovery, Audit, Compliance Manager — are now branded under the Purview umbrella.

Do I need E5 for full compliance capabilities?

E3 includes DLP, basic eDiscovery, and 90-day audit log retention. E5 adds Insider Risk Management, Communication Compliance, eDiscovery Premium (review sets and predictive coding), 10-year audit retention, and advanced auto-labeling. Regulated industries — healthcare, finance, government — typically need E5 or specific E3 add-ons.

How do I start with Compliance Manager?

Go to compliance.microsoft.com → Compliance Manager. Review your Compliance Score and the improvement actions list. Sort actions by point value and effort. Start with high-impact, low-effort actions. Compliance Manager links each action directly to the relevant configuration page in the admin center.

What is the difference between DLP and sensitivity labels?

Sensitivity labels classify content and apply persistent protection rules — encryption, watermarks, sharing restrictions — that travel with the document.

DLP policies monitor and control how content moves — blocking emails, restricting SharePoint sharing, preventing endpoint copy actions. They work together: labels classify content, and DLP policies enforce controls based on label or content type.

How long does it take to configure HIPAA compliance in Microsoft 365?

A complete HIPAA configuration takes 4–8 weeks for most enterprise environments. The BAA is immediate. Sensitivity labels and DLP take 1–2 weeks to design, test, and enforce. Permission remediation for SharePoint (often the largest gap) takes 4–6 weeks depending on environment size. EPC Group completes these implementations end-to-end.

Can EPC Group run a Purview compliance assessment for our organization?

Yes. EPC Group's Purview assessment covers your current Compliance Score, DLP policy gaps, sensitivity label coverage, audit log configuration, and insider risk posture. The assessment produces a prioritized remediation roadmap with effort estimates. Engagements typically take 2–3 weeks.

Configure Microsoft Purview for Your Enterprise

EPC Group configures Microsoft Purview for regulated enterprise environments — HIPAA, SOC 2, GDPR, FedRAMP, and CMMC. We handle policy design, testing, deployment, and audit documentation from start to finish.

Call (888) 381-9725 or request a 30-minute discovery call.