Microsoft Purview Compliance Guide: Enterprise Data Governance & Protection for 2026

Microsoft Purview is the rebranded and expanded version of Microsoft 365 Compliance, Azure Purview, and Microsoft Information Protection. It offers a unified governance framework across three key areas:

• Data Security: sensitivity labels, DLP, insider risk
• Data Governance: data catalog, data map, data lineage
• Risk and Compliance: Compliance Manager, eDiscovery, audit, communication compliance

For enterprises in regulated industries, Purview is essential. It serves as the enforcement layer that turns regulatory requirements into technical controls, applied consistently across all data touchpoints.

The platform supports a range of Microsoft 365 workloads. These include:

• Exchange
• SharePoint
• OneDrive
• Teams
• Power BI

It also offers Azure services such as:

• Azure SQL
• Azure Storage
• Azure Synapse

Furthermore, the platform supports on-premises file shares, SQL Server databases, and multi-cloud environments like:

• AWS S3
• Google Cloud Storage

This broad scope is vital for organizations that manage regulated data on various platforms. For instance, a patient record created in an on-premises electronic health record system may include:

• Personal identification information
• Medical history and treatment details
• Billing and insurance data

• Shared via SharePoint
• Discussed in a Teams channel
• Visualized in a Power BI dashboard
• Archived in Azure Blob Storage

Throughout this process, it is crucial to maintain consistent classification and protection. Purview achieves this with persistent sensitivity labels that travel with the content.

EPC Group has successfully implemented Microsoft Purview in various sectors. This includes:

• Healthcare systems managing millions of patient records
• Financial institutions processing billions in daily transactions
• Federal agencies operating under FedRAMP High authorization boundaries

The platform can scale to meet enterprise needs when set up correctly. However, a misconfigured Purview deployment can create a false sense of compliance without real protection.

Expert consulting is essential in this situation. It helps ensure proper configuration and effective use of the platform.

Sensitivity labels are essential to Microsoft Purview compliance. Each enterprise Purview deployment starts with a label taxonomy. This taxonomy connects your data classification policy to enforceable technical controls.

A well-structured taxonomy usually includes five tiers:

• Public (unrestricted)
• Internal (company-only)
• Confidential (restricted access)
• Highly Confidential (encrypted with strict access controls)
• Regulated (industry-specific protections for PHI, PCI, or classified data)

Sub-labels add detail, such as:

• Highly Confidential - PHI for healthcare
• Highly Confidential - Financial for banking data
• Regulated - ITAR for defense-related content

Each label includes a protection payload. The Public tier applies no protection. The Internal tier adds headers and footers that mark the content as company property.

Confidential labels offer encryption that restricts access to verified internal users. They also prevent email forwarding.

Highly Confidential labels use Azure Rights Management encryption. This encryption includes specific permissions for users or groups.

Additionally, these labels:

• Disable printing and screen capture
• Apply watermarks
• Set content expiration dates

Regulated labels use strong encryption and audit logging for each access event. This helps organizations demonstrate compliance with HIPAA, GDPR, or FedRAMP.

• Identify who accessed regulated content
• Record when it was accessed
• Track what actions were taken

Auto-labeling is a key area where Purview delivers measurable ROI. It eliminates the need for employees to classify documents and emails manually. Instead, auto-labeling policies use over 300 built-in sensitive information types.

Additionally, they employ custom trainable classifiers to:

• Detect regulated content
• Apply the correct label automatically

In a 12,000-seat healthcare deployment, EPC Group configured auto-labeling to detect PHI patterns. This included:

• Medical record numbers
• Health plan beneficiary numbers
• ICD-10 codes

This process scanned 2.4 million documents. It automatically applied the Highly Confidential - PHI label and encryption. Within 60 days, 91 percent of health data was classified and protected. This was done without requiring any action from end users.

Sensitivity labels classify and encrypt data at rest. In contrast, DLP policies manage how data moves. Microsoft Purview DLP works across several platforms, including:

• Exchange Online
• SharePoint Online
• OneDrive for Business
• Microsoft Teams (chat and channel messages)
• Power BI
• Windows and macOS endpoints

This broad coverage prevents a confidential document from being:

• emailed externally
• uploaded to a personal cloud drive
• copied to a USB device
• printed at a remote location

These actions are restricted if the policy prohibits them.

Effective DLP in regulated environments needs a layered policy architecture. Each layer plays a specific role in protecting sensitive information.

• First layer: Detects high-confidence sensitive information types through exact data matches against known regulated records. It enforces hard blocks with no override.
• Second layer: Detects medium-confidence patterns using regex-based sensitive information types with corroborating context. It blocks access but allows business justification overrides.
• Third layer: Detects low-confidence indicators and warns users. It provides policy tips explaining why the content was flagged and what actions are restricted.

This graduated approach protects sensitive data without disrupting business operations due to false positive blocks.

Endpoint DLP provides protection beyond cloud workloads to the device level. On Windows and macOS endpoints enrolled in Microsoft Defender for Endpoint, Purview monitors:

• Clipboard operations
• USB device access
• Network share uploads
• Print operations
• Uploads to restricted cloud services

For a financial services client handling SEC-regulated trading data, EPC Group deployed endpoint DLP. This solution:

• Blocked USB transfers of any content labeled Confidential or above
• Monitored print operations for documents containing account numbers
• Generated alerts when traders attempted to upload client portfolios to unapproved cloud storage services

This approach closed the endpoint gap that cloud-only DLP cannot address.

Retention policies in Microsoft Purview manage the lifecycle of content from creation to disposal. Each regulated industry has specific retention requirements:

• HIPAA: Requires retention of medical records for at least 6 years from the creation date or last effective date.
• SEC Rule 17a-4: Mandates retention of financial communications for 3 to 6 years, depending on the document type.
• GDPR: Requires retention only as long as necessary for the stated purpose.
• NARA: Federal records schedules can mandate retention periods of up to 75 years for certain government records.

Purview retention policies enforce these obligations automatically. This helps prevent premature deletion or indefinite retention, ensuring compliance with data minimization principles.

Purview offers two key retention mechanisms that work together. Retention policies set broad rules for entire workloads or locations. For example:

• Retain all Exchange mailbox content for 7 years.
• Retain all SharePoint sites in the Finance department for 10 years.

Retention labels provide more specific rules for individual items. They support advanced scenarios, including:

• Disposition review, which requires human approval before deleting content.
• Regulatory record declaration, locking content as an unchangeable record that cannot be edited or deleted, even by administrators.
• Event-based retention, which starts the retention period when a triggering event occurs, such as contract expiration or employee termination.

Adaptive scopes, introduced in Microsoft Purview, target retention policies based on various user and site attributes. These include:

• User attributes: department, job title, location
• Site properties: sensitivity, template
• Mailbox attributes: litigation hold status, role-based access

This feature minimizes the need for manual updates to static scope definitions. For instance, when a new employee joins the Finance department:

• Adaptive scopes automatically add their mailbox.
• Adaptive scopes also add their OneDrive.
• These updates occur without requiring administrator action.

Microsoft Purview Compliance Manager changes how organizations handle regulatory compliance. It shifts the focus from periodic audits to continuous measurement.

The tool offers pre-built assessment templates for over 360 regulatory frameworks, including:

• HIPAA
• SOC 2 Type II
• GDPR
• ISO 27001
• NIST 800-53
• NIST CSF
• CMMC Level 2
• FedRAMP Moderate and High
• PCI DSS
• Industry-specific regulations

Each assessment divides the regulatory framework into specific controls. These controls are linked to particular Microsoft 365 and Azure configurations. They fall into two categories:

• Microsoft-managed: Actions implemented at the platform level.
• Customer-managed: Actions your organization must configure and document.

The compliance score is a weighted percentage reflecting the completion status of customer-managed improvement actions. When EPC Group begins a Microsoft 365 consulting engagement with a new enterprise client, the Compliance Manager score typically ranges between 25 and 45 percent, indicating significant gaps in data protection, identity management, and audit configurations. Over a 90-day engagement, we systematically address improvement actions, prioritized by point value and regulatory risk, to bring scores above 80 percent. Each completed action generates documented evidence that auditors can review during HIPAA risk assessments, SOC 2 examinations, or GDPR supervisory authority inquiries.

Multi-cloud assessment sets Purview Compliance Manager apart from standalone GRC tools. Organizations using Azure, AWS, and Google Cloud can evaluate controls across all three platforms from one dashboard.

For a government contractor under both FedRAMP and CMMC, EPC Group configured Compliance Manager to:

• Assess 247 controls
• Cover Microsoft 365
• Include Azure Government
• Evaluate an AWS GovCloud workload

This setup provided the contracting officer with a single compliance report for the entire authorization boundary.

External threat actors get most of the security budget and focus. However, insider threats are responsible for 60 percent of data breaches. This is shown in the 2024 Verizon Data Breach Investigations Report.

Microsoft Purview Insider Risk Management helps close this gap. It does this by:

• Correlating behavioral signals from M365 workloads
• Analyzing data from endpoints
• Integrating information from HR systems
• Reviewing physical access logs

These actions help identify patterns that may indicate data theft, policy violations, or security sabotage.

The platform uses policy templates to manage specific risk scenarios. One example is data theft by departing users, which can lead to investigations.

This situation arises when an employee resigns, as noted by the HR connector. Signs of potential data theft include:

• Downloading large amounts of files
• Forwarding emails to personal accounts
• Accessing SharePoint sites in unusual ways

• Data leak policies detect sharing of sensitivity-labeled content with unauthorized external recipients.
• Security policy violations identify users who disable security software, access blocked websites, or use unauthorized cloud storage.
• Sequence-based detection links multiple low-severity signals, such as renaming files, accessing unfamiliar repositories, and uploading to external services, into a high-severity alert that would not trigger an investigation on its own.

Privacy protection is built into the system. Pseudonymization replaces user identities with anonymous identifiers during initial alert triage. This process helps prevent bias in investigation decisions.

Authorized investigators can only disclose a user's real identity if they have sufficient evidence to escalate the issue. Each disclosure is recorded in a permanent audit trail. This approach:

• Meets GDPR data protection impact assessment requirements
• Respects employee privacy expectations
• Aids legitimate security investigations

• EPC Group has configured insider risk programs for financial institutions.
• A single departing employee exfiltrating client data could trigger SEC enforcement actions.
• Such actions may also lead to class-action litigation.

Microsoft Purview eDiscovery (Premium) offers complete electronic discovery tools for enterprises dealing with litigation, regulatory investigations, or internal compliance reviews. The workflow includes six key phases:

• Identification: Find relevant data custodians and sources.
• Preservation: Apply legal hold to protect data.
• Collection: Gather data from specific repositories using keyword and date filters.
• Processing: Extract text and metadata from collected items.
• Review: Utilize AI-powered analytics for analysis.
• Production: Export in industry-standard formats for external counsel.

Legal hold is a crucial capability for organizations. When litigation is likely, they must preserve relevant electronically stored information. Purview legal hold ensures that:

• Mailbox items
• Teams messages
• SharePoint documents
• OneDrive files

These items remain intact, even if users or automated retention policies attempt to delete them. Hold notifications include acknowledgment requirements and escalation for custodians who do not respond.

In a pharmaceutical litigation case, EPC Group:

• Placed 340 custodians on legal hold within 8 hours of receiving the preservation notice.
• Secured 14 terabytes of potentially relevant data across Exchange, SharePoint, and Teams.

Review set analytics can significantly lower legal costs. They include several key features:

• Near-duplicate detection: This groups similar documents, allowing reviewers to focus on a pivot document and quickly assess the entire cluster.
• Email threading: This reconstructs conversation chains, giving reviewers the full context of discussions instead of just individual messages.
• Themes clustering: This identifies topics across large document sets without needing predefined keywords.
• Relevance scoring and predictive coding: These use machine learning based on reviewer decisions to prioritize the most relevant documents.

These features can reduce the document review population by 40 to 70 percent. This decrease can lead to substantial savings in external counsel review costs.

For large-scale matters, these savings often reach six figures.

Information barriers in Microsoft Purview establish strict communication limits between user groups in the same Microsoft 365 tenant. When these barriers are activated, they stop specific groups from:

• Starting Teams chats
• Joining each other's Teams meetings
• Sharing SharePoint sites
• Sending emails
• Finding each other in the global address list

These controls are not advisory. They are firm technical blocks that end users cannot bypass.

Financial services organizations often adopt information barriers due to regulatory needs. These regulations separate:

• Investment banking from equity research (Chinese wall regulations)
• Proprietary trading desks from advisory groups
• Merger teams working on competing transactions

In legal organizations, teams that represent opposing parties in litigation encounter barriers that limit their interaction. In government and defense, access is restricted by security clearance levels and need-to-know designations. Educational institutions also create barriers to safeguard student records from staff who do not have FERPA-authorized access.

Configuration requires careful planning of user segments. This is based on Azure AD attributes like department, custom attributes, and group membership.

It also involves defining policies to either block or allow access between these segments.

EPC Group's implementation methodology includes a regulatory mapping exercise. This exercise identifies:

• Which communication paths must be blocked
• Which paths must be allowed
• Which paths require monitoring without blocking

Next, we configure segments and policies in a staged rollout. We validate barrier enforcement in a pilot group before deploying enterprise-wide to prevent unintended collaboration disruptions.

Data classification in Microsoft Purview is crucial for effective governance. It offers the visibility required to manage sensitive data. You cannot protect sensitive data without understanding:

• What sensitive data exists
• Where it is stored
• How it moves

Purview offers robust data classification features, including:

• Over 300 built-in sensitive information types covering common patterns across 40+ countries.
• Custom sensitive information types using regex, keyword dictionaries, and exact data match for organization-specific identifiers.
• Trainable classifiers that use machine learning to detect complex content categories like contracts, financial statements, resumes, source code, and medical records.

Content Explorer provides a searchable inventory of all content in your Microsoft 365 tenant. It identifies content that matches sensitive information types or trainable classifiers. Security teams can easily browse specific data types, including:

• Credit card numbers
• Social Security numbers
• Health information

• All documents containing credit card numbers across SharePoint and OneDrive

This helps organizations understand their exposure and verify that protection policies are effective. Activity Explorer displays how labeled and sensitive content is:

• Accessed
• Shared
• Downgraded
• Deleted

This information offers the behavioral insights needed to adjust DLP policies. It also helps identify users who may need extra training or oversight.

For organizations pursuing enterprise data governance, the data map capability extends classification beyond Microsoft 365 into Azure data services (Azure SQL, Synapse, Data Lake Storage, Cosmos DB), on-premises SQL Server and file shares, and multi-cloud sources including AWS S3, Amazon RDS, and Google Cloud Storage. This unified data map provides a single pane of glass for understanding where regulated data exists across your entire technology estate, not just your Microsoft environment. EPC Group has configured data maps spanning 200+ data sources for enterprises that needed a complete data inventory ahead of GDPR data protection impact assessments or HIPAA security risk analyses.

HIPAA Compliance Configuration

Healthcare organizations need to set up Purview to meet the HIPAA Security Rule's safeguards. These safeguards include:

• Administrative measures
• Physical measures
• Technical measures

Additionally, organizations must sign Microsoft's Business Associate Agreement for all M365 services.

• Deploy sensitivity labels with a Highly Confidential - PHI tier. This enforces Azure RMS encryption, disables forwarding and printing, and logs every access event.
• Configure auto-labeling policies using HIPAA-specific sensitive information types. These include medical record numbers, health plan beneficiary numbers, DEA numbers, ICD-10, and CPT codes to automatically detect and protect health data.
• Deploy DLP policies to hard-block external sharing of PHI-labeled content across Exchange, SharePoint, Teams, and endpoints.
• Enable audit logging with a 365-day retention period. This helps demonstrate the audit trail requirement during OCR investigations.

GDPR Data Protection

GDPR compliance in Purview emphasizes three key areas: data subject rights, lawful processing documentation, and data minimization.

Utilize Purview's Data Subject Request workflow to manage:

• Access requests
• Rectification requests
• Erasure requests

This can be done across all M365 workloads within the 30-day regulatory deadline.

• Content Search identifies all instances of a data subject's personal data across mailboxes, SharePoint sites, OneDrive accounts, and Teams conversations.
• Retention policies enforce data minimization by automatically deleting content when the retention period expires, supporting the storage limitation principle (Article 5(1)(e)).
• Sensitivity labels with encryption protect personal data in transit and at rest, satisfying the integrity and confidentiality principle (Article 5(1)(f)).
• Records of processing activities are maintained through audit logging and Compliance Manager documentation.

SOC 2 Type II Controls

SOC 2 examinations assess trust service criteria in five key areas: security, availability, processing integrity, confidentiality, and privacy.

• Security: This includes sensitivity labels, DLP policies, and Conditional Access configurations.
• Confidentiality: This involves encryption policies and information barriers to prevent unauthorized disclosure.
• Privacy: This relates to data subject request workflows and retention policies that enforce data minimization.
• Processing Integrity: This is demonstrated through audit logging that shows data handling accuracy and completeness.
• Availability: This is ensured by retention policies that keep business-critical content accessible during required retention periods.

Compliance Manager offers a SOC 2 assessment template that tracks all five criteria with evidence collection workflows.

FedRAMP Authorization

Government agencies and contractors operating under FedRAMP must configure Purview within Microsoft 365 Government (GCC High or DoD) environments. FedRAMP High baselines require over 400 security controls derived from NIST 800-53. Purview contributes to access control (AC) through sensitivity labels and information barriers, audit and accountability (AU) through unified audit logging with extended retention, identification and authentication (IA) through integration with Entra ID Conditional Access, media protection (MP) through endpoint DLP blocking USB transfers of classified content, and system and information integrity (SI) through DLP policies that detect and block unauthorized data flows. EPC Group has configured Purview for federal contractors operating in authorization boundaries spanning GCC High and commercial tenants, requiring careful segmentation of Purview policies between controlled unclassified information (CUI) and standard business data.

EPC Group has 29 years of experience in enterprise Microsoft consulting. As a Microsoft Gold Partner, we have successfully implemented Microsoft Purview in many organizations. Our clients include:

• 500-seat mid-market firms
• 50,000-seat global enterprises

We serve various sectors, ensuring tailored solutions for each client's needs.

• Healthcare
• Financial services
• Government
• Defense

Our projects are led by Errin O'Connor, Chief AI Architect. He is a Microsoft Press bestselling author of four books. These books cover:

• Power BI
• SharePoint
• Azure
• Large-scale migrations

Our key strength is regulatory depth. While general IT consultancies can set up Purview, EPC Group configures it to ensure compliance with audits. We understand the specific control requirements for:

• Data governance
• Risk management
• Compliance frameworks

• Data protection regulations
• Industry standards
• Audit readiness

• HIPAA risk assessments
• SOC 2 Type II examinations
• GDPR Data Protection Authority inquiries
• FedRAMP-aligned consulting expertise work packages

We assist clients in managing crucial compliance events. Your Compliance Manager score needs to show over 80 percent coverage before a SOC 2 auditor arrives in 45 days.

Moreover, when the OCR requests documentation of your PHI safeguards after a breach notification, our regulatory expertise can be essential for success.

• Microsoft Gold Partner with deep Purview and compliance expertise
• 29 years of enterprise consulting across regulated industries
• Author of 4 Microsoft Press bestsellers on enterprise Microsoft technologies
• Proven deployments in healthcare (HIPAA), finance (SOC 2), government (FedRAMP)
• End-to-end implementation from assessment through audit support
• Integration with broader Microsoft 365 and Azure security architecture