
Microsoft Purview Compliance Guide

Enterprise Data Governance, Classification, and Protection for Regulated Industries

Microsoft Purview Compliance Guide: Enterprise Data Governance & Protection for 2025-2026

By EPC Group Compliance Team | Updated February 2026 | 30 min read

Data governance is no longer a back-office concern. With regulatory enforcement actions increasing 43 percent year over year and the average cost of a data breach reaching $4.88 million in 2024, enterprises in healthcare, financial services, and government cannot afford gaps in their data protection posture. Microsoft Purview is Microsoft's unified platform for data governance, risk management, and compliance, consolidating sensitivity labels, data loss prevention, retention management, insider risk detection, eDiscovery, and compliance scoring into a single portal that spans Microsoft 365, Azure, on-premises, and multi-cloud environments.

This guide distills the Microsoft Purview compliance methodology that EPC Group deploys in Fortune 500 engagements where a single data handling violation can trigger HIPAA penalties up to $2.1 million per violation category, GDPR fines reaching four percent of annual global revenue, SOC 2 audit failures that jeopardize client contracts, or FedRAMP authorization revocations that shut down government business lines. These are production-tested configurations drawn from hundreds of enterprise implementations across 10,000+ user environments where purview data governance is a business-critical requirement.

Whether you are deploying Microsoft Purview for the first time or hardening an existing implementation ahead of a compliance audit, this guide covers every critical capability: data governance strategy, sensitivity labels, DLP policies, retention management, Compliance Manager, insider risk management, eDiscovery, information barriers, and data classification.

What Is Microsoft Purview and Why Enterprises Need It

Microsoft Purview is the rebranded and expanded evolution of Microsoft 365 Compliance, Azure Purview, and Microsoft Information Protection. It provides a unified governance plane across three domains: data security (sensitivity labels, DLP, insider risk), data governance (data catalog, data map, data lineage), and risk and compliance (Compliance Manager, eDiscovery, audit, communication compliance). For enterprises operating in regulated industries, Purview is not optional tooling. It is the enforcement layer that translates regulatory obligations into technical controls applied consistently across every data touchpoint.

The platform spans Microsoft 365 workloads (Exchange, SharePoint, OneDrive, Teams, Power BI), Azure services (Azure SQL, Azure Storage, Azure Synapse), on-premises file shares and SQL Server databases, and multi-cloud environments including AWS S3 and Google Cloud Storage. This cross-platform scope is critical for organizations whose regulated data does not stay neatly inside a single cloud boundary. A patient record created in an on-premises electronic health record system, shared via SharePoint, discussed in a Teams channel, visualized in a Power BI dashboard, and archived in Azure Blob Storage must maintain consistent classification and protection at every stage. Purview makes that possible through persistent sensitivity labels that travel with the content.

EPC Group has deployed Microsoft Purview across healthcare systems handling millions of patient records, financial institutions processing billions in daily transactions, and federal agencies operating under FedRAMP High authorization boundaries. The platform scales to enterprise requirements when configured correctly, but a misconfigured Purview deployment creates a dangerous illusion of compliance without actual protection. That distinction is where expert consulting makes the difference.

Sensitivity Labels: The Foundation of Data Classification

Sensitivity labels are the cornerstone of Microsoft Purview compliance. Every enterprise Purview deployment begins with a label taxonomy that maps your data classification policy to enforceable technical controls. A well-designed taxonomy typically includes five tiers: Public (unrestricted), Internal (company-only), Confidential (restricted access), Highly Confidential (encrypted with strict access controls), and Regulated (industry-specific protections for PHI, PCI, or classified data). Sub-labels provide granularity: Highly Confidential - PHI for healthcare, Highly Confidential - Financial for banking data, Regulated - ITAR for defense-related content.

Each label carries a protection payload. At the Public tier, no protection is applied. At Internal, content marking adds headers and footers identifying the content as company property. Confidential labels add encryption that restricts access to authenticated internal users and prevents forwarding of email. Highly Confidential labels enforce Azure Rights Management encryption with specific user or group permissions, disable printing and screen capture, apply watermarks, and set content expiration dates. Regulated labels combine the strictest encryption with audit logging of every access event, enabling organizations to demonstrate to HIPAA, GDPR, or FedRAMP auditors exactly who accessed regulated content, when, and what actions they performed.

Auto-labeling is where Purview delivers measurable ROI. Rather than depending on every employee to manually classify every document and email, auto-labeling policies use over 300 built-in sensitive information types and custom trainable classifiers to detect regulated content and apply the appropriate label automatically. In a 12,000-seat healthcare deployment, EPC Group configured auto-labeling that detected PHI patterns (medical record numbers, health plan beneficiary numbers, ICD-10 codes) across 2.4 million documents, automatically applying the Highly Confidential - PHI label with encryption. Within 60 days, 91 percent of health data was classified and protected without a single end-user action required.
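The taxonomy and protection payload described above, expressed in Security & Compliance PowerShell. This is an added example, not EPC Group's deployment script; it assumes the ExchangeOnlineManagement module, a Compliance Administrator account, and placeholder tenant domain, group addresses and label names.

```powershell
# Added example, not EPC Group's script. Assumes ExchangeOnlineManagement and a
# Compliance Administrator account; the domain, groups and label names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "compliance-admin@contoso.example"

# Tier 4 parent label. ContentType limits it to files and email (not containers).
New-Label -Name "HighlyConfidential" -DisplayName "Highly Confidential" `
    -Tooltip "Restricted to named groups. Encrypted; no printing or forwarding." `
    -ContentType "File, Email"

# Rights string format: "<principal>:<usage rights>;<principal>:<usage rights>".
# PRINT, EXTRACT (copy / screen capture) and FORWARD are deliberately absent for
# the care team; only the compliance group receives OWNER.
$phiRights = "phi-care-team@contoso.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,REPLY,REPLYALL,OBJMODEL;" +
             "compliance-officers@contoso.example:OWNER"

# Sub-label "Highly Confidential - PHI": Azure RMS encryption with the rights above,
# a visible watermark and header, offline access capped at 7 days, and content
# that expires 365 days after protection is applied.
New-Label -Name "HC-PHI" -DisplayName "Highly Confidential - PHI" -ParentId "HighlyConfidential" `
    -Tooltip "Protected health information (HIPAA). Every access is logged." `
    -ContentType "File, Email" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $phiRights `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever "365" `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "PHI - HIPAA Regulated" `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "Highly Confidential - PHI"

# Publish to everyone. Labeling is mandatory and any downgrade or removal requires
# a justification; both settings produce audit-log events reviewers can query.
New-LabelPolicy -Name "Enterprise-Classification" -Labels "HighlyConfidential", "HC-PHI" `
    -ExchangeLocation All `
    -AdvancedSettings @{ mandatory = "true"; requiredowngradejustification = "true" }

# Auto-labeling: apply HC-PHI when PHI identifiers are detected with high confidence.
# Start in simulation so matches are reviewed before any encryption is applied.
New-AutoSensitivityLabelPolicy -Name "AutoLabel-PHI" -ApplySensitivityLabel "HC-PHI" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Name "AutoLabel-PHI-Rule" -Policy "AutoLabel-PHI" `
    -Workload Exchange, SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Drug Enforcement Agency (DEA) Number"; minCount = "1"; confidencelevel = "High" },
        @{ Name = "U.S. Social Security Number (SSN)";    minCount = "1"; confidencelevel = "High" }
    )
```

Switch the auto-labeling policy to Enable only after the simulation results show an acceptable false-positive rate, because applied encryption is visible to end users immediately.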

Data Loss Prevention Policies for Regulated Enterprises

While sensitivity labels classify and encrypt data at rest, DLP policies control how data moves. Microsoft Purview DLP operates across Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams (chat and channel messages), Power BI, and Windows and macOS endpoints. This multi-workload coverage ensures that a confidential document cannot be emailed externally, uploaded to a personal cloud drive, copied to a USB device, or printed at a remote location if the policy prohibits those actions.

Effective DLP in regulated environments requires a layered policy architecture. The first layer detects high-confidence sensitive information types (exact data match against known regulated records) and enforces hard blocks with no override. The second layer detects medium-confidence patterns (regex-based sensitive information types with corroborating context) and blocks with business justification override. The third layer detects low-confidence indicators and warns users with policy tips explaining why the content was flagged and what actions are restricted. This graduated approach achieves protection without paralyzing business operations with false positive blocks.

Endpoint DLP extends protection beyond cloud workloads to the device level. On Windows and macOS endpoints enrolled in Microsoft Defender for Endpoint, Purview monitors clipboard operations, USB device access, network share uploads, print operations, and upload to restricted cloud services. For a financial services client handling SEC-regulated trading data, EPC Group deployed endpoint DLP that blocked USB transfers of any content labeled Confidential or above, monitored print operations for documents containing account numbers, and generated alerts when traders attempted to upload client portfolios to unapproved cloud storage services. This closed the endpoint gap that cloud-only DLP cannot address.
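The three-layer cloud policy plus the endpoint layer from this section, as an added example (not EPC Group's script). It assumes the ExchangeOnlineManagement module, a Compliance Administrator account, an existing sensitivity label named "HC-PHI", and a custom exact-data-match sensitive information type with the placeholder name "Contoso-PatientRegistry-EDM" already uploaded.

```powershell
# Added example, not EPC Group's script. Assumes ExchangeOnlineManagement, a Compliance
# Administrator account, a label "HC-PHI", and an EDM type "Contoso-PatientRegistry-EDM"
# (placeholder name) that has already been created and hydrated.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "compliance-admin@contoso.example"

# One policy across cloud workloads and endpoints, started in simulation with policy
# tips so false positives can be tuned before anything is blocked.
New-DlpCompliancePolicy -Name "PHI-Graduated" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Layer 1: exact data match against registered patient records -> hard block, no override.
New-DlpComplianceRule -Name "PHI-L1-EDM-Block" -Policy "PHI-Graduated" -Priority 0 `
    -ContentContainsSensitiveInformation @{ Name = "Contoso-PatientRegistry-EDM"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "Blocked: this item matches a registered patient record and cannot leave the organization." `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All `
    -ReportSeverityLevel High

# Layer 2: pattern match with corroborating context -> block, override with justification.
New-DlpComplianceRule -Name "PHI-L2-Pattern-Override" -Policy "PHI-Graduated" -Priority 1 `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Drug Enforcement Agency (DEA) Number"; minCount = "1"; confidencelevel = "High" },
        @{ Name = "U.S. Social Security Number (SSN)";    minCount = "2"; confidencelevel = "High" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyAllowOverride WithJustification `
    -NotifyPolicyTipCustomText "This item appears to contain PHI. External sharing requires a business justification, which is recorded." `
    -ReportSeverityLevel Medium

# Layer 3: low-confidence indicators -> policy tip only, logged for tuning.
New-DlpComplianceRule -Name "PHI-L3-Warn" -Policy "PHI-Graduated" -Priority 2 `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1"; confidencelevel = "Low" } `
    -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item may contain regulated health data. Check the recipient list before sending." `
    -ReportSeverityLevel Low

# Endpoint layer: block USB, clipboard and cloud-upload egress of HC-PHI-labeled content,
# audit printing. The grouped label condition and the EndpointDlpRestrictions setting
# names (RemovableMedia, CopyPaste, CloudEgress, Print) are assumptions from the cmdlet
# documentation; verify them in your tenant.
New-DlpComplianceRule -Name "PHI-Endpoint" -Policy "PHI-Graduated" -Priority 3 `
    -ContentContainsSensitiveInformation @{
        operator = "And"
        groups   = @(@{ name = "Labeled"; operator = "Or"
                        labels = @(@{ name = "HC-PHI"; type = "Sensitivity" }) })
    } `
    -EndpointDlpRestrictions @(
        @{ Setting = "RemovableMedia"; Value = "Block" },
        @{ Setting = "CopyPaste";      Value = "Block" },
        @{ Setting = "CloudEgress";    Value = "Block" },
        @{ Setting = "Print";          Value = "Audit" })

# After roughly two weeks of simulation and tuning, switch the policy to enforce:
# Set-DlpCompliancePolicy -Identity "PHI-Graduated" -Mode Enable
```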

Retention Policies and Records Management

Retention policies in Microsoft Purview govern the lifecycle of content from creation through disposition. Every regulated industry has specific retention obligations: HIPAA requires retention of medical records for a minimum of 6 years from the date of creation or last effective date, SEC Rule 17a-4 mandates retention of financial communications for 3 to 6 years depending on document type, GDPR requires retention no longer than necessary for the stated purpose, and federal records schedules under NARA can mandate retention periods extending to 75 years for certain government records. Purview retention policies enforce these obligations automatically, eliminating the risk of premature deletion or indefinite retention that violates data minimization principles.

Purview supports two complementary retention mechanisms. Retention policies apply broad rules to entire workloads or locations (retain all Exchange mailbox content for 7 years, retain all SharePoint sites in the Finance department for 10 years). Retention labels apply granular rules to individual items and support advanced scenarios including disposition review (requiring human approval before content is deleted), regulatory record declaration (locking content as an immutable record that cannot be edited or deleted even by administrators), and event-based retention (starting the retention clock when a triggering event occurs, such as contract expiration or employee termination).

Adaptive scopes, introduced in Microsoft Purview, dynamically target retention policies based on user attributes (department, job title, location), site properties (sensitivity, template), or mailbox attributes (litigation hold status, role-based access). This eliminates the manual maintenance burden of static scope definitions. When a new employee joins the Finance department, adaptive scopes automatically include their mailbox and OneDrive in the financial records retention policy without administrator intervention.
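The two retention mechanisms and an adaptive scope from this section, as an added example (not EPC Group's script). It assumes the ExchangeOnlineManagement module, a Compliance Administrator account, users carrying a Department attribute in the directory, and placeholder names and addresses; the FilterConditions shape and the Applications values are assumptions from the cmdlet documentation.

```powershell
# Added example, not EPC Group's script. Assumes ExchangeOnlineManagement and a Compliance
# Administrator account; names and addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "compliance-admin@contoso.example"

# Broad rule: retain all Exchange mailbox content for 7 years from creation, then delete.
# Purview measures retention in days; 2555 = 7 x 365 (leap days are not added).
New-RetentionCompliancePolicy -Name "Exchange-7y" -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name "Exchange-7y-Rule" -Policy "Exchange-7y" `
    -RetentionDuration 2555 -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# Adaptive scope: every user whose Department attribute equals "Finance". A new hire in
# Finance is picked up on the next scope evaluation with no change to the policy.
# (FilterConditions shape as documented for New-AdaptiveScope; verify in your tenant.)
New-AdaptiveScope -Name "Finance-Users" -LocationType User `
    -FilterConditions @{
        Conjunction = "And"
        Conditions  = @(@{ Name = "Department"; Operator = "Equals"; Value = "Finance" })
    }

# Granular 10-year policy bound to the adaptive scope (mailbox and OneDrive).
# The Applications value format is taken from the cmdlet documentation; treat as an assumption.
New-RetentionCompliancePolicy -Name "Finance-10y" -AdaptiveScopeLocation "Finance-Users" `
    -Applications "User:Exchange,User:OneDriveForBusiness" -Enabled $true
New-RetentionComplianceRule -Name "Finance-10y-Rule" -Policy "Finance-10y" `
    -RetentionDuration 3650 -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# Retention label for declared records: the item becomes a record (no edits or deletion
# by users) and goes to a disposition reviewer before deletion. Declaring a regulatory
# record instead (-Regulatory $true) locks it even against administrators and cannot be
# undone, so that switch belongs after the label has been piloted, not in the first pass.
New-ComplianceTag -Name "Financial Record" `
    -RetentionAction KeepAndDelete -RetentionType CreationAgeInDays -RetentionDuration 3650 `
    -IsRecordLabel $true `
    -ReviewerEmail "records-management@contoso.example" `
    -Comment "SEC 17a-4 / FINRA financial record; disposition review required."

# Confirm the adaptive scope resolved before relying on it for enforcement.
Get-AdaptiveScope -Identity "Finance-Users" | Format-List Name, LocationType, FilterConditions
```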

Compliance Manager: Measuring and Proving Compliance Posture

Microsoft Purview Compliance Manager transforms regulatory compliance from a periodic audit exercise into a continuous measurement discipline. It provides pre-built assessment templates for over 360 regulatory frameworks including HIPAA, SOC 2 Type II, GDPR, ISO 27001, NIST 800-53, NIST CSF, CMMC Level 2, FedRAMP Moderate and High, PCI DSS, and industry-specific regulations. Each assessment decomposes the regulatory framework into individual controls, maps those controls to specific Microsoft 365 and Azure configurations, and categorizes them as Microsoft-managed (inherited actions that Microsoft implements at the platform level) or customer-managed (improvement actions that your organization must configure and document).

The compliance score is a weighted percentage reflecting the completion status of customer-managed improvement actions. When EPC Group begins a Microsoft 365 consulting engagement with a new enterprise client, the Compliance Manager score typically ranges between 25 and 45 percent, indicating significant gaps in data protection, identity management, and audit configurations. Over a 90-day engagement, we systematically address improvement actions, prioritized by point value and regulatory risk, to bring scores above 80 percent. Each completed action generates documented evidence that auditors can review during HIPAA risk assessments, SOC 2 examinations, or GDPR supervisory authority inquiries.

Multi-cloud assessment is a capability that distinguishes Purview Compliance Manager from standalone GRC tools. Organizations operating in Azure, AWS, and Google Cloud can extend assessments to evaluate controls across all three platforms from a single dashboard. For a government contractor operating under both FedRAMP and CMMC, EPC Group configured Compliance Manager to assess 247 controls spanning Microsoft 365, Azure Government, and an AWS GovCloud workload, providing the contracting officer with a single compliance report covering the entire authorization boundary.

Insider Risk Management: Detecting Threats from Within

External threat actors receive the majority of security budget and attention, but insider threats account for 60 percent of data breaches according to the 2024 Verizon Data Breach Investigations Report. Microsoft Purview Insider Risk Management addresses this gap by correlating behavioral signals across M365 workloads, endpoints, HR systems, and physical access logs to identify patterns that indicate potential data theft, policy violations, or security sabotage.

The platform operates on policy templates targeting specific risk scenarios. Data theft by departing users triggers investigations when an employee who has submitted a resignation (fed via HR connector) begins downloading unusual volumes of files, forwarding emails to personal accounts, or accessing SharePoint sites outside their normal pattern. Data leaks policies detect sharing of sensitivity-labeled content with unauthorized external recipients. Security policy violations identify users disabling security software, accessing blocked websites, or using unauthorized cloud storage. Sequence-based detection correlates multiple low-severity signals, none of which would trigger an investigation on its own (renaming files, accessing unfamiliar repositories, then uploading to external services), into a single high-severity composite alert.

Privacy protection is architected into the system. Pseudonymization replaces user identities with anonymous identifiers during initial alert triage, preventing bias in investigation decisions. Only when accumulated evidence warrants escalation can authorized investigators reveal the user's real identity, and every identity revelation is logged in an immutable audit trail. This design meets GDPR data protection impact assessment requirements and employee privacy expectations while enabling legitimate security investigations. EPC Group has configured insider risk programs for financial institutions where a single departing employee exfiltrating client data could trigger SEC enforcement actions and class-action litigation.

eDiscovery and Legal Hold: Litigation Readiness at Enterprise Scale

Microsoft Purview eDiscovery (Premium) provides end-to-end electronic discovery capabilities required by enterprises facing litigation, regulatory investigations, or internal compliance reviews. The workflow spans six phases: identification of relevant data custodians and sources, preservation via legal hold, collection from specific repositories with keyword and date filtering, processing to extract text and metadata from collected items, review using AI-powered analytics, and production in industry-standard export formats for external counsel.

Legal hold is the most operationally critical capability. When litigation is reasonably anticipated, organizations have a duty to preserve potentially relevant electronically stored information. Purview legal hold ensures that mailbox items, Teams messages, SharePoint documents, and OneDrive files are preserved even if users or automated retention policies attempt to delete them. Hold notifications are tracked with acknowledgment requirements and escalation for non-responsive custodians. In a pharmaceutical litigation engagement, EPC Group placed 340 custodians on legal hold within 8 hours of receiving the preservation notice, securing 14 terabytes of potentially relevant data across Exchange, SharePoint, and Teams.

Review set analytics dramatically reduce legal costs. Near-duplicate detection groups substantially similar documents so reviewers examine the pivot document and quickly disposition the entire cluster. Email threading reconstructs conversation chains so reviewers see the complete thread context rather than individual messages. Themes clustering identifies topics across large document sets without keyword pre-definition. Relevance scoring and predictive coding use machine learning trained on reviewer decisions to prioritize the most likely relevant documents. These capabilities typically reduce the document review population by 40 to 70 percent, translating directly into six-figure savings in external counsel review costs for large-scale matters.
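The legal hold step of the workflow above, as an added example (not EPC Group's script). It assumes the ExchangeOnlineManagement module, an eDiscovery Manager account, and constructed placeholder custodian addresses, site URL and matter name.

```powershell
# Added example, not EPC Group's script. Assumes ExchangeOnlineManagement and an eDiscovery
# Manager account; custodians, site URL and matter name are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "ediscovery-admin@contoso.example"

# Constructed custodian list, as counsel would supply it with the preservation notice.
$custodians = @(
    "jdoe@contoso.example",
    "asmith@contoso.example",
    "rlee@contoso.example"
)
# Custodians' OneDrive sites are SharePoint locations too; add their URLs here when known.
$siteUrls = @("https://contoso.sharepoint.com/sites/ProjectAtlas")

# One case per matter; holds, searches and exports are all scoped to it.
$case = New-ComplianceCase -Name "Matter-2026-0417" `
    -Description "Preservation notice received 2026-04-17 (placeholder date)"

# A hold policy names the locations; a hold rule makes it effective. With no
# ContentMatchQuery the rule holds everything in those locations. Held items survive
# user deletion and retention-policy expiry until the hold is released.
$hold = New-CaseHoldPolicy -Name "$($case.Name) Hold" -Case $case.Name `
    -ExchangeLocation $custodians -SharePointLocation $siteUrls -Enabled $true
New-CaseHoldRule -Name "$($case.Name) Hold Rule" -Policy $hold.Name

# Verify distribution before treating the hold as in force and sending acknowledgment
# notices: a location that failed to bind is not preserved, whatever the policy says.
Get-CaseHoldPolicy -Identity $hold.Name -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation
```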

Information Barriers: Enforcing Ethical Walls and Regulatory Segmentation

Information barriers in Microsoft Purview create policy-enforced communication boundaries between user segments within the same Microsoft 365 tenant. When activated, barriers prevent designated groups from initiating Teams chats, joining each other's Teams meetings, sharing SharePoint sites, sending emails, or discovering each other in the global address list. These are not advisory controls. They are hard technical blocks that cannot be overridden by end users.

Financial services organizations are the most common adopters of information barriers due to regulatory requirements separating investment banking from equity research (Chinese wall regulations), proprietary trading desks from advisory groups, and merger teams working on competing transactions. In legal organizations, barriers separate teams representing adverse parties in litigation. In government and defense, barriers enforce compartmentalized access based on security clearance levels and need-to-know designations. Educational institutions use barriers to isolate student records data from staff who lack FERPA-authorized access.

Configuration requires careful planning of user segments based on Azure AD attributes (department, custom attribute, group membership) and defining block or allow policies between segments. EPC Group's implementation methodology begins with a regulatory mapping exercise that identifies which communication paths must be blocked, which must be allowed, and which require monitoring without blocking. We then configure segments and policies in a staged rollout, validating barrier enforcement in a pilot group before enterprise-wide deployment to prevent unintended collaboration disruptions.
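The segment-and-policy configuration and pilot validation described above, as an added example (not EPC Group's script). It assumes the ExchangeOnlineManagement module, a Compliance Administrator account, users carrying a Department attribute in Entra ID, placeholder segment names and addresses, and that the application-status values are "Completed" and "Failed" (an assumption to verify).

```powershell
# Added example, not EPC Group's script. Assumes ExchangeOnlineManagement, a Compliance
# Administrator account and a populated Department attribute; names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "compliance-admin@contoso.example"

# Segments are built from directory attributes. Membership must be unambiguous: a user
# matching two segments that block each other causes policy application to fail, so
# filters are checked against the directory before anything is activated.
New-OrganizationSegment -Name "InvestmentBanking" -UserGroupFilter "Department -eq 'Investment Banking'"
New-OrganizationSegment -Name "EquityResearch"    -UserGroupFilter "Department -eq 'Equity Research'"

# Block policies are defined in both directions and created Inactive so the definitions
# can be reviewed before any communication path is cut off.
New-InformationBarrierPolicy -Name "IB-to-Research-Block" `
    -AssignedSegment "InvestmentBanking" -SegmentsBlocked "EquityResearch" -State Inactive
New-InformationBarrierPolicy -Name "Research-to-IB-Block" `
    -AssignedSegment "EquityResearch" -SegmentsBlocked "InvestmentBanking" -State Inactive

# Activate, then apply. Application runs asynchronously across the tenant.
Set-InformationBarrierPolicy -Identity "IB-to-Research-Block" -State Active
Set-InformationBarrierPolicy -Identity "Research-to-IB-Block" -State Active
Start-InformationBarrierPoliciesApplication

# Poll until application finishes. Status names are an assumption; check the first run.
do {
    Start-Sleep -Seconds 60
    $status = Get-InformationBarrierPoliciesApplicationStatus | Select-Object -First 1
} while ($status.Status -notin @("Completed", "Failed"))
$status | Format-List

# Pilot validation: confirm one user from each segment is reported as blocked from the
# other before announcing the rollout to the business.
Get-InformationBarrierRecipientStatus `
    -Identity "banker@contoso.example" -Identity2 "analyst@contoso.example" | Format-List
```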

Data Classification: Achieving Visibility Across the Enterprise

Data classification in Microsoft Purview provides the visibility foundation on which all other governance controls depend. If you cannot see what sensitive data exists, where it resides, and how it moves, you cannot protect it. Purview's data classification capabilities include over 300 built-in sensitive information types covering common patterns across 40+ countries, custom sensitive information types using regex, keyword dictionaries, and exact data match for organization-specific identifiers, and trainable classifiers that use machine learning to detect complex content categories like contracts, financial statements, resumes, source code, and medical records.

Content explorer provides a searchable inventory of all content across your Microsoft 365 tenant that matches sensitive information types or trainable classifiers. Security teams can browse specific data types (for example, all documents containing credit card numbers across SharePoint and OneDrive) to understand exposure and verify that protection policies are functioning correctly. Activity explorer shows how labeled and sensitive content is being accessed, shared, downgraded, or deleted, providing the behavioral intelligence needed to tune DLP policies and identify users who need additional training or oversight.

For organizations pursuing enterprise data governance, the data map capability extends classification beyond Microsoft 365 into Azure data services (Azure SQL, Synapse, Data Lake Storage, Cosmos DB), on-premises SQL Server and file shares, and multi-cloud sources including AWS S3, Amazon RDS, and Google Cloud Storage. This unified data map provides a single pane of glass for understanding where regulated data exists across your entire technology estate, not just your Microsoft environment. EPC Group has configured data maps spanning 200+ data sources for enterprises that needed a complete data inventory ahead of GDPR data protection impact assessments or HIPAA security risk analyses.

HIPAA, GDPR, SOC 2, and FedRAMP Compliance with Microsoft Purview

HIPAA Compliance Configuration

Healthcare organizations must configure Purview to meet the HIPAA Security Rule's administrative, physical, and technical safeguards. Execute Microsoft's Business Associate Agreement covering all M365 services. Deploy sensitivity labels with a Highly Confidential - PHI tier that enforces Azure RMS encryption, disables forwarding and printing, and logs every access event. Configure auto-labeling policies using HIPAA-specific sensitive information types (medical record numbers, health plan beneficiary numbers, DEA numbers, ICD-10 and CPT codes) to automatically detect and protect health data. Deploy DLP policies that hard-block external sharing of PHI-labeled content across Exchange, SharePoint, Teams, and endpoints. Enable audit logging with 365-day retention for demonstrating the audit trail requirement during OCR investigations.

GDPR Data Protection

GDPR compliance in Purview centers on data subject rights, lawful processing documentation, and data minimization. Use Purview's Data Subject Request workflow to process access, rectification, and erasure requests across all M365 workloads within the 30-day regulatory deadline. Content Search identifies all instances of a data subject's personal data across mailboxes, SharePoint sites, OneDrive accounts, and Teams conversations. Retention policies enforce data minimization by automatically deleting content when the retention period expires, supporting the storage limitation principle (Article 5(1)(e)). Sensitivity labels with encryption protect personal data in transit and at rest, satisfying the integrity and confidentiality principle (Article 5(1)(f)). Records of processing activities are maintained through audit logging and Compliance Manager documentation.

SOC 2 Type II Controls

SOC 2 examinations evaluate trust service criteria across security, availability, processing integrity, confidentiality, and privacy. In Purview, security maps to sensitivity labels, DLP policies, and Conditional Access configurations. Confidentiality maps to encryption policies and information barriers that prevent unauthorized disclosure. Privacy maps to data subject request workflows and retention policies that enforce data minimization. Processing integrity maps to audit logging that demonstrates data handling accuracy and completeness. Availability maps to retention policies that ensure business-critical content remains accessible during required retention periods. Compliance Manager provides a SOC 2 assessment template that tracks all five criteria with evidence collection workflows.

FedRAMP Authorization

Government agencies and contractors operating under FedRAMP must configure Purview within Microsoft 365 Government (GCC High or DoD) environments. FedRAMP High baselines require over 400 security controls derived from NIST 800-53. Purview contributes to access control (AC) through sensitivity labels and information barriers, audit and accountability (AU) through unified audit logging with extended retention, identification and authentication (IA) through integration with Entra ID Conditional Access, media protection (MP) through endpoint DLP blocking USB transfers of classified content, and system and information integrity (SI) through DLP policies that detect and block unauthorized data flows. EPC Group has configured Purview for federal contractors operating in authorization boundaries spanning GCC High and commercial tenants, requiring careful segmentation of Purview policies between controlled unclassified information (CUI) and standard business data.

7-Step Microsoft Purview Implementation Methodology

The following implementation methodology represents the approach EPC Group applies in enterprise Purview deployments. Each step builds on the previous, creating a layered governance posture that addresses data assessment, classification, protection, retention, risk management, legal readiness, and compliance validation.

Step 1: Assess Current Data Landscape and Regulatory Requirements

Conduct a comprehensive inventory of data across Microsoft 365, Azure, on-premises file shares, and third-party cloud services. Identify regulated data types including PHI, PII, PCI, financial records, and intellectual property. Map applicable regulatory frameworks (HIPAA, GDPR, SOC 2, FedRAMP, CMMC) to specific data repositories and business processes. Document current classification practices, existing DLP rules, and retention schedules. This assessment establishes the baseline for all subsequent Purview configuration.

Step 2: Design Sensitivity Label Taxonomy and Protection Policies

Create a sensitivity label hierarchy aligned to your data classification policy. A typical enterprise taxonomy includes Public, Internal, Confidential, Highly Confidential, and Regulated tiers with sub-labels for specific use cases (e.g., Highly Confidential - PHI, Highly Confidential - Financial, Regulated - ITAR). Configure encryption, content marking (headers, footers, watermarks), and access restrictions for each label. Define auto-labeling policies using sensitive information types and trainable classifiers to automatically detect and label regulated content. Publish labels to all users and configure default labels for SharePoint document libraries.

Step 3: Deploy Data Loss Prevention Policies Across All Workloads

Create DLP policies in Microsoft Purview that detect sensitive information types across Exchange Online, SharePoint, OneDrive, Teams, Power BI, and endpoints. Configure graduated enforcement: notify users with policy tips for low-confidence detections, block-with-override for medium-confidence detections, and hard block for high-confidence detections of regulated data. Enable DLP for endpoint devices to monitor clipboard, USB, print, and network share activities. Run policies in simulation mode for two weeks before enforcement to tune false positive rates below 5 percent.

Step 4: Configure Retention Policies and Records Management

Implement retention policies that align with regulatory requirements: 7 years for financial records (SEC, FINRA), 6 years for HIPAA-related content, 10 years for government contracts, and organization-specific retention schedules for other content categories. Deploy retention labels with disposition review for records that require human approval before deletion. Configure adaptive retention scopes that automatically apply policies based on user attributes, site properties, or content metadata. Enable records management for content that must be declared as immutable records with locked retention periods.

Step 5: Activate Insider Risk Management and Communication Compliance

Enable insider risk management policies for data theft by departing users, data leaks, security policy violations, and sequence-based anomaly detection. Connect HR data sources to correlate employment events (resignation, performance improvement plans) with data access patterns. Configure communication compliance policies to detect regulatory violations, harassment, threats, and unauthorized sharing of confidential information in Teams, Exchange, and Viva Engage. Enable pseudonymization to protect employee privacy during initial triage while providing investigator access to real identities when warranted by evidence.

Step 6: Establish eDiscovery Workflows and Legal Hold Procedures

Configure eDiscovery (Premium) with custodian management, legal hold templates, and collection workflows. Define standard operating procedures for litigation hold notifications, data preservation obligations, and chain-of-custody documentation. Create review set templates with analytics configurations for near-duplicate detection, email threading, and relevance scoring. Train legal and compliance teams on the eDiscovery workflow from hold placement through export. Document response time SLAs for legal hold implementation (typically under 24 hours for new litigation matters).

Step 7: Validate Compliance Posture with Compliance Manager and Continuous Monitoring

Run Compliance Manager assessments against all applicable regulatory frameworks (HIPAA, GDPR, SOC 2, FedRAMP, ISO 27001). Complete improvement actions, assign control owners, upload evidence documentation, and track compliance score progression. Configure alerts in the Purview portal for DLP policy violations, sensitivity label downgrades, unusual data access patterns, and insider risk triggers. Integrate Purview audit logs with Microsoft Sentinel or your SIEM solution for centralized security monitoring. Establish quarterly compliance review cadences with stakeholders to address score regressions and new regulatory requirements.
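The continuous-monitoring part of the final step, pulling label downgrades and DLP rule matches from the unified audit log so they can be forwarded to Sentinel or another SIEM. This is an added example, not EPC Group's script; it assumes the ExchangeOnlineManagement module, an account holding the Audit Logs role, and that the record types, operations and AuditData field names used below match the unified audit schema (verify against a live event).

```powershell
# Added example, not EPC Group's script. Assumes ExchangeOnlineManagement and an account
# with the Audit Logs role. Record types, operation names and the AuditData field names
# (SensitivityLabelEventData.*, UserId, ObjectId) are assumptions from the audit schema.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "compliance-admin@contoso.example"

$end   = Get-Date
$start = $end.AddDays(-7)

# 1) Label downgrades and removals over the last week. Each event carries the old and
#    new label IDs, which is what a reviewer needs to tell a downgrade from a re-label.
$labelEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SensitivityLabelAction `
    -Operations SensitivityLabelUpdated, SensitivityLabelRemoved `
    -ResultSize 5000

$labelChanges = foreach ($e in $labelEvents) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $e.CreationDate
        User      = $d.UserId
        Operation = $d.Operation
        Item      = $d.ObjectId
        OldLabel  = $d.SensitivityLabelEventData.OldSensitivityLabelId
        NewLabel  = $d.SensitivityLabelEventData.SensitivityLabelId
    }
}

# 2) DLP rule matches in Exchange and SharePoint, grouped by user. RecordType takes one
#    value per call, so the two workloads are queried separately and merged.
$dlpEvents = foreach ($rt in "ComplianceDLPExchange", "ComplianceDLPSharePoint") {
    Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType $rt -Operations DlpRuleMatch -ResultSize 5000
}
$dlpByUser = $dlpEvents |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object UserId | Sort-Object Count -Descending |
    Select-Object @{ n = "User"; e = { $_.Name } }, Count

# Output for the weekly review; in production, write both to the SIEM instead.
$labelChanges | Sort-Object Time | Format-Table -AutoSize
$dlpByUser    | Select-Object -First 10 | Format-Table -AutoSize
```

A single call returns at most 5000 records; tenants with higher volumes page through results with -SessionId and -SessionCommand ReturnLargeSet.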

Why Enterprises Choose EPC Group for Microsoft Purview

EPC Group brings 28+ years of enterprise Microsoft consulting experience to every Purview engagement. As a Microsoft Gold Partner, we have deployed Microsoft Purview across organizations ranging from 500-seat mid-market firms to 50,000-seat global enterprises in healthcare, financial services, government, and defense. Our engagements are led by Errin O'Connor, Chief AI Architect and Microsoft Press bestselling author of four books covering Power BI, SharePoint, Azure, and large-scale migrations.

Our differentiation is regulatory depth. General IT consultancies can configure Purview settings. EPC Group configures Purview to pass audits. We understand the specific control requirements of HIPAA risk assessments, SOC 2 Type II examinations, GDPR Data Protection Authority inquiries, and FedRAMP authorization packages because we have supported clients through those exact compliance events. When your Compliance Manager score needs to demonstrate 80+ percent coverage before a SOC 2 auditor arrives in 45 days, or when OCR requests documentation of your PHI safeguards after a breach notification, that regulatory depth is the difference between passing and failing.

  • Microsoft Gold Partner with deep Purview and compliance expertise
  • 28+ years of enterprise consulting across regulated industries
  • Author of 4 Microsoft Press bestsellers on enterprise Microsoft technologies
  • Proven deployments in healthcare (HIPAA), finance (SOC 2), government (FedRAMP)
  • End-to-end implementation from assessment through audit support
  • Integration with broader Microsoft 365 and Azure security architecture

Frequently Asked Questions: Microsoft Purview Compliance

What is Microsoft Purview and how does it differ from the old Microsoft 365 Compliance Center?

Microsoft Purview is the unified data governance and compliance platform that consolidates the former Microsoft 365 Compliance Center, Azure Purview, and Microsoft Information Protection into a single brand. It provides a centralized portal for managing sensitivity labels, DLP policies, retention policies, Compliance Manager assessments, insider risk management, eDiscovery, information barriers, and data classification across Microsoft 365, Azure, on-premises, and multi-cloud environments. The rebranding reflects Microsoft's expansion of these capabilities beyond Microsoft 365 into a cross-platform governance solution.

How do Microsoft Purview sensitivity labels protect data in regulated industries?

Sensitivity labels classify and protect content by applying persistent metadata, encryption, watermarks, headers, and footers based on data sensitivity. In healthcare, a Highly Confidential - PHI label encrypts documents containing protected health information and restricts forwarding and printing. In financial services, a Confidential - Financial label prevents unauthorized external sharing of trading data or client portfolios. Labels travel with the content across email, SharePoint, OneDrive, Teams, Power BI, and even third-party applications, ensuring protection persists regardless of where the data moves. Auto-labeling policies use trainable classifiers and sensitive information types to detect and label content automatically without relying on end users.

What DLP policies should enterprises configure in Microsoft Purview?

Enterprises should configure DLP policies targeting regulated data across all M365 workloads including Exchange Online, SharePoint, OneDrive, Teams chat and channels, Power BI, and endpoints. Critical policies include: detection of Social Security numbers, credit card numbers, and bank account numbers for financial data protection; detection of medical record numbers, health plan beneficiary numbers, and DEA numbers for HIPAA compliance; detection of EU national identification numbers and passport numbers for GDPR compliance; and custom policies for proprietary business data like source code, merger documents, or board communications. Each policy should include user notifications (policy tips), incident reports to security teams, and graduated enforcement from warn to block-with-override to hard block based on data sensitivity.
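The graduated enforcement described above (warn, block with override, hard block), written out in Security & Compliance PowerShell as an added example that is not EPC Group's or Microsoft's own script. The policy and rule names are assumptions; the sensitive information type names are Microsoft's built-in display names, and the policy is created in test mode so it can be tuned before enforcement.

```powershell
# Added example (not EPC Group's or Microsoft's own script). Requires the
# ExchangeOnlineManagement module and a Compliance Administrator role.
# Policy and rule names below are assumed; adjust them to your tenant.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell

$policyName = "Financial Data Protection"

# 1. Scope the policy to the M365 workloads the text lists. TestWithNotifications
#    shows policy tips and generates reports without blocking anything yet.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All `
    -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications `
    -Comment "SSN / credit card / bank account detection, graduated enforcement"

# Built-in sensitive information types, referenced by display name (OR semantics).
$financialSits = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
    @{ Name = "Credit Card Number";                minCount = "1" },
    @{ Name = "U.S. Bank Account Number";          minCount = "1" }
)

# 2. Tier 1 - warn: internal sharing only shows a policy tip to the owner and
#    sends a low-severity incident report; access is not blocked.
New-DlpComplianceRule -Name "$policyName - Warn (internal)" -Policy $policyName `
    -ContentContainsSensitiveInformation $financialSits `
    -AccessScope InOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This content contains regulated financial data." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, Detections `
    -ReportSeverityLevel Low

# 3. Tier 2 - block with override: external sharing is blocked, but the owner
#    may override with a business justification, which is captured in the report.
New-DlpComplianceRule -Name "$policyName - Block with override (external)" -Policy $policyName `
    -ContentContainsSensitiveInformation $financialSits `
    -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyUser Owner `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel Medium

# 4. Tier 3 - hard block: bulk exposure (10+ matches of any type) shared
#    externally is blocked with no override. Priority 0 evaluates it first.
$bulkSits = $financialSits | ForEach-Object { @{ Name = $_.Name; minCount = "10" } }
New-DlpComplianceRule -Name "$policyName - Hard block (bulk external)" -Policy $policyName `
    -ContentContainsSensitiveInformation $bulkSits `
    -AccessScope NotInOrganization -BlockAccess $true `
    -NotifyUser Owner -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High `
    -Priority 0
```

Once the incident reports show an acceptable false-positive rate, switch the policy to enforcement with `Set-DlpCompliancePolicy -Identity $policyName -Mode Enable`.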

How does Microsoft Purview Compliance Manager help with HIPAA and SOC 2 audits?

Compliance Manager provides pre-built assessment templates for over 360 regulatory frameworks including HIPAA, SOC 2 Type II, GDPR, ISO 27001, NIST 800-53, and CMMC. Each assessment maps controls to specific Microsoft 365 configurations and separates Microsoft-managed controls (inherited actions) from customer-managed controls (improvement actions). For HIPAA, Compliance Manager tracks safeguards like encryption, access controls, audit logging, and breach notification procedures. For SOC 2, it maps trust service criteria across security, availability, processing integrity, confidentiality, and privacy to M365 settings. Organizations can assign owners to each improvement action, upload evidence documentation, track completion progress, and generate audit-ready compliance reports with a single compliance score that trends over time.

What is Microsoft Purview Insider Risk Management and when should enterprises deploy it?

Insider Risk Management detects, investigates, and acts on potentially risky activities by users within the organization. It correlates signals from Microsoft 365, Microsoft Defender for Endpoint, HR connectors (for resignation and termination events), and third-party sources to identify patterns such as data exfiltration ahead of a planned departure, unusual file downloads, printing of classified documents, multi-step sequences of reconnaissance, collection, and exfiltration, and policy violations involving sensitive content. Enterprises should deploy it when handling regulated data (PHI, PCI, financial records), when operating in industries with high insider threat risk (financial services, defense, pharmaceuticals), or when compliance frameworks require insider threat programs. Privacy controls including pseudonymization ensure investigations protect employee dignity while enabling security teams to act on genuine threats.

How does Microsoft Purview eDiscovery work for litigation and compliance investigations?

Microsoft Purview eDiscovery (Premium) provides end-to-end electronic discovery across all M365 workloads. The workflow includes: placing custodians and non-custodial data sources on legal hold to preserve mailbox content, Teams messages, SharePoint documents, and OneDrive files even if users delete them; collecting data from specific custodians, date ranges, and keyword criteria; processing collected data to extract text, metadata, and remove duplicates; reviewing content in intelligent review sets with near-duplicate detection, email threading, themes clustering, relevance scoring, and predictive coding powered by machine learning; and exporting data in industry-standard formats for external legal review. Premium eDiscovery significantly reduces the volume of documents requiring manual attorney review, cutting legal costs by 40 to 70 percent in large-scale litigation.

What are Microsoft Purview information barriers and which organizations need them?

Information barriers are policies that prevent specific groups of users from communicating or collaborating with each other in Microsoft Teams, SharePoint, and OneDrive. They enforce ethical walls required by regulations in financial services (preventing investment banking from communicating with equity research), legal organizations (separating teams working for opposing clients), government agencies (maintaining security clearance boundaries), and educational institutions (isolating student data from unauthorized staff). When configured, information barriers block Teams chat initiation, Teams meeting invitations, SharePoint site sharing, and OneDrive file sharing between restricted segments while allowing normal collaboration within permitted groups.

How should enterprises approach Microsoft Purview data classification at scale?

Enterprise data classification in Purview should follow a layered strategy. First, deploy built-in sensitive information types (over 300 available) to detect common patterns like SSNs, credit card numbers, and passport numbers across M365 content. Second, create custom sensitive information types for organization-specific data like internal project codes, patient identifiers, or account numbers. Third, train custom trainable classifiers using machine learning on samples of your regulated content such as financial statements, contracts, medical records, or source code. Fourth, implement auto-labeling policies that combine sensitive information types and trainable classifiers to automatically apply sensitivity labels without user intervention. Fifth, use content explorer and activity explorer in the Purview portal to monitor classification coverage, identify gaps, and track how labeled content is being accessed and shared across the organization. This approach typically achieves 85 to 95 percent classification coverage within 90 days of deployment.
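Steps 1, 4 and 5 of the layered strategy above, as an added example in Security & Compliance PowerShell that is not EPC Group's or Microsoft's own script: built-in sensitive information types feed an auto-labeling policy that starts in simulation mode. The label name, policy name and match thresholds are assumptions; the label is assumed to exist already.

```powershell
# Added example (not EPC Group's or Microsoft's own script). Assumes the
# ExchangeOnlineManagement module, a Compliance Administrator role, and an
# existing sensitivity label named "Highly Confidential - PHI" (assumed name).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell

$label  = "Highly Confidential - PHI"
$policy = "Auto-label PHI"

# Step 1: built-in sensitive information types; any one match qualifies.
# Thresholds are assumptions: a single SSN is noisy at enterprise scale, so
# require two, while a DEA number or ICD-10 code is specific enough alone.
$phiTypes = @(
    @{ Name = "U.S. Social Security Number (SSN)";                      minCount = "2" },
    @{ Name = "Drug Enforcement Agency (DEA) Number";                   minCount = "1" },
    @{ Name = "International Classification of Diseases (ICD-10-CM)";   minCount = "1" }
)

# Step 4: create the policy in simulation mode. No labels are applied until
# the mode is switched to Enable, so matches can be reviewed first.
New-AutoSensitivityLabelPolicy -Name $policy `
    -ApplySensitivityLabel $label `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -Mode TestWithoutNotifications `
    -Comment "HIPAA PHI auto-labeling; review simulation before enabling"

# Auto-labeling rules are workload-specific, so create one per workload.
foreach ($workload in @("SharePoint", "OneDriveForBusiness", "Exchange")) {
    New-AutoSensitivityLabelRule -Name "$policy - $workload" -Policy $policy `
        -ContentContainsSensitiveInformation $phiTypes `
        -Workload $workload
}

# Step 5: verify what was created. Simulation results (which items would have
# been labeled) are reviewed in the Purview portal before enforcement.
Get-AutoSensitivityLabelPolicy -Identity $policy |
    Format-List Name, Mode, ApplySensitivityLabel, SharePointLocation, OneDriveLocation
Get-AutoSensitivityLabelRule -Policy $policy | Format-Table Name, Workload

# After the simulation review, promote the policy to enforcement:
# Set-AutoSensitivityLabelPolicy -Identity $policy -Mode Enable
```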

Implement Microsoft Purview with Confidence

EPC Group's compliance consultants have deployed Microsoft Purview across Fortune 500 organizations in healthcare, financial services, and government. Schedule a data governance assessment to identify gaps, implement sensitivity labels and DLP policies, and achieve audit readiness for HIPAA, GDPR, SOC 2, and FedRAMP.

Call us at (888) 381-9725 or schedule a consultation below.

Schedule a Compliance Assessment
Data Governance Services

Related Resources

Data Governance Consulting Services

End-to-end data governance strategy, implementation, and managed services for enterprises with complex regulatory requirements.

Microsoft 365 Consulting Services

Enterprise M365 deployment, security hardening, and compliance configuration for organizations with 500 to 50,000+ users.

Enterprise Case Studies

Real-world Purview implementations in healthcare, finance, and government with measurable compliance outcomes.

Contact EPC Group

Speak with a Microsoft Purview specialist about your data governance assessment and compliance needs.