Microsoft Purview Compliance Guide: Enterprise Data Governance & Protection for 2026

Microsoft Purview is the rebranded and expanded version of Microsoft 365 Compliance, Azure Purview, and Microsoft Information Protection. It offers a unified governance framework across three key areas:

• Data Security: sensitivity labels, DLP, insider risk
• Data Governance: data catalog, data map, data lineage
• Risk and Compliance: Compliance Manager, eDiscovery, audit, communication compliance

For enterprises in regulated industries, Purview is essential. It serves as the enforcement layer that turns regulatory requirements into technical controls, applied consistently across all data touchpoints.

The platform covers various Microsoft 365 workloads, including Exchange, SharePoint, OneDrive, Teams, and Power BI. It also includes Azure services like Azure SQL, Azure Storage, and Azure Synapse. Additionally, it supports on-premises file shares, SQL Server databases, and multi-cloud environments such as AWS S3 and Google Cloud Storage.

This broad scope is essential for organizations that handle regulated data across different platforms. For example, a patient record created in an on-premises electronic health record system may be:

• Shared via SharePoint
• Discussed in a Teams channel
• Visualized in a Power BI dashboard
• Archived in Azure Blob Storage

Throughout this process, it is crucial to maintain consistent classification and protection. Purview achieves this with persistent sensitivity labels that travel with the content.

EPC Group has deployed Microsoft Purview across healthcare systems handling millions of patient records, financial institutions processing billions in daily transactions, and federal agencies operating under FedRAMP High authorization boundaries. The platform scales to enterprise requirements when configured correctly, but a misconfigured Purview deployment creates a dangerous illusion of compliance without actual protection. That distinction is where expert consulting makes the difference.

Sensitivity labels are essential to Microsoft Purview compliance. Each enterprise Purview deployment starts with a label taxonomy. This taxonomy connects your data classification policy to enforceable technical controls.

A well-structured taxonomy usually includes five tiers:

• Public (unrestricted)
• Internal (company-only)
• Confidential (restricted access)
• Highly Confidential (encrypted with strict access controls)
• Regulated (industry-specific protections for PHI, PCI, or classified data)

Sub-labels add detail, such as:

• Highly Confidential - PHI for healthcare
• Highly Confidential - Financial for banking data
• Regulated - ITAR for defense-related content

Each label includes a protection payload. The Public tier applies no protection. The Internal tier adds headers and footers that mark the content as company property.

Confidential labels provide encryption that limits access to authenticated internal users and prevents email forwarding. Highly Confidential labels enforce Azure Rights Management encryption with specific user or group permissions. They also disable printing and screen capture, apply watermarks, and set content expiration dates.

Regulated labels combine strict encryption with audit logging for every access event. This allows organizations to show HIPAA, GDPR, or FedRAMP auditors who accessed regulated content, when it was accessed, and what actions were taken.

Auto-labeling is where Purview delivers measurable ROI. Instead of relying on every employee to manually classify documents and emails, auto-labeling policies utilize over 300 built-in sensitive information types. They also use custom trainable classifiers to detect regulated content and apply the correct label automatically.

In a 12,000-seat healthcare deployment, EPC Group configured auto-labeling to detect PHI patterns. This included:

• Medical record numbers
• Health plan beneficiary numbers
• ICD-10 codes

This process scanned 2.4 million documents and automatically applied the Highly Confidential - PHI label with encryption. Within 60 days, 91 percent of health data was classified and protected without requiring any action from end users.

While sensitivity labels classify and encrypt data at rest, DLP policies control how data moves. Microsoft Purview DLP operates across Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams (chat and channel messages), Power BI, and Windows and macOS endpoints. This multi-workload coverage ensures that a confidential document cannot be emailed externally, uploaded to a personal cloud drive, copied to a USB device, or printed at a remote location if the policy prohibits those actions.

Effective DLP in regulated environments needs a layered policy architecture. Each layer plays a specific role in protecting sensitive information.

• First layer: Detects high-confidence sensitive information types through exact data matches against known regulated records. It enforces hard blocks with no override.
• Second layer: Detects medium-confidence patterns using regex-based sensitive information types with corroborating context. It blocks access but allows business justification overrides.
• Third layer: Detects low-confidence indicators and warns users. It provides policy tips explaining why the content was flagged and what actions are restricted.

This graduated approach protects sensitive data without disrupting business operations due to false positive blocks.

Endpoint DLP provides protection beyond cloud workloads to the device level. On Windows and macOS endpoints enrolled in Microsoft Defender for Endpoint, Purview monitors:

• Clipboard operations
• USB device access
• Network share uploads
• Print operations
• Uploads to restricted cloud services

For a financial services client handling SEC-regulated trading data, EPC Group deployed endpoint DLP. This solution:

• Blocked USB transfers of any content labeled Confidential or above
• Monitored print operations for documents containing account numbers
• Generated alerts when traders attempted to upload client portfolios to unapproved cloud storage services

This approach closed the endpoint gap that cloud-only DLP cannot address.

Retention policies in Microsoft Purview manage the lifecycle of content from creation to disposal. Each regulated industry has specific retention requirements:

• HIPAA: Requires retention of medical records for at least 6 years from the creation date or last effective date.
• SEC Rule 17a-4: Mandates retention of financial communications for 3 to 6 years, depending on the document type.
• GDPR: Requires retention only as long as necessary for the stated purpose.
• NARA: Federal records schedules can mandate retention periods of up to 75 years for certain government records.

Purview retention policies enforce these obligations automatically. This helps prevent premature deletion or indefinite retention, ensuring compliance with data minimization principles.

Purview offers two key retention mechanisms that work together. Retention policies set broad rules for entire workloads or locations. For example:

• Retain all Exchange mailbox content for 7 years.
• Retain all SharePoint sites in the Finance department for 10 years.

Retention labels provide more specific rules for individual items. They support advanced scenarios, including:

• Disposition review, which requires human approval before deleting content.
• Regulatory record declaration, locking content as an unchangeable record that cannot be edited or deleted, even by administrators.
• Event-based retention, which starts the retention period when a triggering event occurs, such as contract expiration or employee termination.

Adaptive scopes, introduced in Microsoft Purview, dynamically target retention policies based on user attributes (department, job title, location), site properties (sensitivity, template), or mailbox attributes (litigation hold status, role-based access). This eliminates the manual maintenance burden of static scope definitions. When a new employee joins the Finance department, adaptive scopes automatically include their mailbox and OneDrive in the financial records retention policy without administrator intervention.

Microsoft Purview Compliance Manager changes how organizations handle regulatory compliance. It shifts the focus from periodic audits to continuous measurement.

The tool offers pre-built assessment templates for over 360 regulatory frameworks, including:

• HIPAA
• SOC 2 Type II
• GDPR
• ISO 27001
• NIST 800-53
• NIST CSF
• CMMC Level 2
• FedRAMP Moderate and High
• PCI DSS
• Industry-specific regulations

Each assessment breaks down the regulatory framework into individual controls. It maps these controls to specific Microsoft 365 and Azure configurations. The controls are categorized as either Microsoft-managed (actions implemented at the platform level) or customer-managed (actions your organization must configure and document).

The compliance score is a weighted percentage reflecting the completion status of customer-managed improvement actions. When EPC Group begins a Microsoft 365 consulting engagement with a new enterprise client, the Compliance Manager score typically ranges between 25 and 45 percent, indicating significant gaps in data protection, identity management, and audit configurations. Over a 90-day engagement, we systematically address improvement actions, prioritized by point value and regulatory risk, to bring scores above 80 percent. Each completed action generates documented evidence that auditors can review during HIPAA risk assessments, SOC 2 examinations, or GDPR supervisory authority inquiries.

Multi-cloud assessment is a capability that distinguishes Purview Compliance Manager from standalone GRC tools. Organizations operating in Azure, AWS, and Google Cloud can extend assessments to evaluate controls across all three platforms from a single dashboard. For a government contractor operating under both FedRAMP and CMMC, EPC Group configured Compliance Manager to assess 247 controls spanning Microsoft 365, Azure Government, and an AWS GovCloud workload, providing the contracting officer with a single compliance report covering the entire authorization boundary.

External threat actors receive the majority of security budget and attention, but insider threats account for 60 percent of data breaches according to the 2024 Verizon Data Breach Investigations Report. Microsoft Purview Insider Risk Management addresses this gap by correlating behavioral signals across M365 workloads, endpoints, HR systems, and physical access logs to identify patterns that indicate potential data theft, policy violations, or security sabotage.

The platform uses policy templates to address specific risk scenarios. For example, data theft by departing users can trigger investigations. This occurs when an employee who has resigned, as reported by the HR connector, starts downloading large amounts of files, forwarding emails to personal accounts, or accessing SharePoint sites in unusual ways.

• Data leak policies detect sharing of sensitivity-labeled content with unauthorized external recipients.
• Security policy violations identify users who disable security software, access blocked websites, or use unauthorized cloud storage.
• Sequence-based detection links multiple low-severity signals, such as renaming files, accessing unfamiliar repositories, and uploading to external services, into a high-severity alert that would not trigger an investigation on its own.

Privacy protection is built into the system. Pseudonymization replaces user identities with anonymous identifiers during initial alert triage. This process helps prevent bias in investigation decisions.

Authorized investigators can only reveal the user's real identity when there is enough evidence to warrant escalation. Each identity revelation is logged in an immutable audit trail. This design meets GDPR data protection impact assessment requirements and employee privacy expectations while allowing legitimate security investigations.

• EPC Group has configured insider risk programs for financial institutions.
• A single departing employee exfiltrating client data could trigger SEC enforcement actions.
• Such actions may also lead to class-action litigation.

Microsoft Purview eDiscovery (Premium) provides end-to-end electronic discovery capabilities required by enterprises facing litigation, regulatory investigations, or internal compliance reviews. The workflow spans six phases: identification of relevant data custodians and sources, preservation via legal hold, collection from specific repositories with keyword and date filtering, processing to extract text and metadata from collected items, review using AI-powered analytics, and production in industry-standard export formats for external counsel.

Legal hold is a crucial capability for organizations. When litigation is likely, they must preserve relevant electronically stored information. Purview legal hold ensures that:

• Mailbox items
• Teams messages
• SharePoint documents
• OneDrive files

These items are preserved even if users or automated retention policies try to delete them. Hold notifications are tracked with acknowledgment requirements and escalation for non-responsive custodians. In a pharmaceutical litigation case, EPC Group placed 340 custodians on legal hold within 8 hours of receiving the preservation notice. This secured 14 terabytes of potentially relevant data across Exchange, SharePoint, and Teams.

Review set analytics can significantly lower legal costs. They include several key features:

• Near-duplicate detection: This groups similar documents, allowing reviewers to focus on a pivot document and quickly assess the entire cluster.
• Email threading: This reconstructs conversation chains, giving reviewers the full context of discussions instead of just individual messages.
• Themes clustering: This identifies topics across large document sets without needing predefined keywords.
• Relevance scoring and predictive coding: These use machine learning based on reviewer decisions to prioritize the most relevant documents.

These features can reduce the document review population by 40 to 70 percent. This reduction often leads to six-figure savings in external counsel review costs for large-scale matters.

Information barriers in Microsoft Purview establish strict communication limits between user groups in the same Microsoft 365 tenant. When these barriers are activated, they stop specific groups from:

• Starting Teams chats
• Joining each other's Teams meetings
• Sharing SharePoint sites
• Sending emails
• Finding each other in the global address list

These controls are not advisory. They are firm technical blocks that end users cannot bypass.

Financial services organizations often adopt information barriers due to regulatory needs. These regulations separate:

• Investment banking from equity research (Chinese wall regulations)
• Proprietary trading desks from advisory groups
• Merger teams working on competing transactions

In legal organizations, barriers keep teams representing opposing parties in litigation apart. In government and defense, barriers ensure access is based on security clearance levels and need-to-know designations. Educational institutions use barriers to protect student records data from staff without FERPA-authorized access.

Configuration requires careful planning of user segments based on Azure AD attributes (department, custom attribute, group membership) and defining block or allow policies between segments. EPC Group's implementation methodology begins with a regulatory mapping exercise that identifies which communication paths must be blocked, which must be allowed, and which require monitoring without blocking. We then configure segments and policies in a staged rollout, validating barrier enforcement in a pilot group before enterprise-wide deployment to prevent unintended collaboration disruptions.

Data classification in Microsoft Purview is essential for effective governance. It provides the visibility needed to manage sensitive data. Without knowing what sensitive data exists, where it is stored, and how it moves, you cannot protect it.

Purview offers robust data classification features, including:

• Over 300 built-in sensitive information types covering common patterns across 40+ countries.
• Custom sensitive information types using regex, keyword dictionaries, and exact data match for organization-specific identifiers.
• Trainable classifiers that use machine learning to detect complex content categories like contracts, financial statements, resumes, source code, and medical records.

Content explorer provides a searchable inventory of all content across your Microsoft 365 tenant that matches sensitive information types or trainable classifiers. Security teams can browse specific data types (for example, all documents containing credit card numbers across SharePoint and OneDrive) to understand exposure and verify that protection policies are functioning correctly. Activity explorer shows how labeled and sensitive content is being accessed, shared, downgraded, or deleted, providing the behavioral intelligence needed to tune DLP policies and identify users who need additional training or oversight.

For organizations pursuing enterprise data governance, the data map capability extends classification beyond Microsoft 365 into Azure data services (Azure SQL, Synapse, Data Lake Storage, Cosmos DB), on-premises SQL Server and file shares, and multi-cloud sources including AWS S3, Amazon RDS, and Google Cloud Storage. This unified data map provides a single pane of glass for understanding where regulated data exists across your entire technology estate, not just your Microsoft environment. EPC Group has configured data maps spanning 200+ data sources for enterprises that needed a complete data inventory ahead of GDPR data protection impact assessments or HIPAA security risk analyses.

HIPAA Compliance Configuration

Healthcare organizations must configure Purview to comply with the HIPAA Security Rule's safeguards. This includes administrative, physical, and technical measures. Organizations should also execute Microsoft's Business Associate Agreement for all M365 services.

• Deploy sensitivity labels with a Highly Confidential - PHI tier. This enforces Azure RMS encryption, disables forwarding and printing, and logs every access event.
• Configure auto-labeling policies using HIPAA-specific sensitive information types. These include medical record numbers, health plan beneficiary numbers, DEA numbers, ICD-10, and CPT codes to automatically detect and protect health data.
• Deploy DLP policies to hard-block external sharing of PHI-labeled content across Exchange, SharePoint, Teams, and endpoints.
• Enable audit logging with a 365-day retention period. This helps demonstrate the audit trail requirement during OCR investigations.

GDPR Data Protection

GDPR compliance in Purview focuses on data subject rights, lawful processing documentation, and data minimization. Use Purview's Data Subject Request workflow to handle access, rectification, and erasure requests across all M365 workloads within the 30-day regulatory deadline.

• Content Search identifies all instances of a data subject's personal data across mailboxes, SharePoint sites, OneDrive accounts, and Teams conversations.
• Retention policies enforce data minimization by automatically deleting content when the retention period expires, supporting the storage limitation principle (Article 5(1)(e)).
• Sensitivity labels with encryption protect personal data in transit and at rest, satisfying the integrity and confidentiality principle (Article 5(1)(f)).
• Records of processing activities are maintained through audit logging and Compliance Manager documentation.

SOC 2 Type II Controls

SOC 2 examinations assess trust service criteria in five key areas: security, availability, processing integrity, confidentiality, and privacy.

• Security: This includes sensitivity labels, DLP policies, and Conditional Access configurations.
• Confidentiality: This involves encryption policies and information barriers to prevent unauthorized disclosure.
• Privacy: This relates to data subject request workflows and retention policies that enforce data minimization.
• Processing Integrity: This is demonstrated through audit logging that shows data handling accuracy and completeness.
• Availability: This is ensured by retention policies that keep business-critical content accessible during required retention periods.

Compliance Manager offers a SOC 2 assessment template that tracks all five criteria with evidence collection workflows.

FedRAMP Authorization

Government agencies and contractors operating under FedRAMP must configure Purview within Microsoft 365 Government (GCC High or DoD) environments. FedRAMP High baselines require over 400 security controls derived from NIST 800-53. Purview contributes to access control (AC) through sensitivity labels and information barriers, audit and accountability (AU) through unified audit logging with extended retention, identification and authentication (IA) through integration with Entra ID Conditional Access, media protection (MP) through endpoint DLP blocking USB transfers of classified content, and system and information integrity (SI) through DLP policies that detect and block unauthorized data flows. EPC Group has configured Purview for federal contractors operating in authorization boundaries spanning GCC High and commercial tenants, requiring careful segmentation of Purview policies between controlled unclassified information (CUI) and standard business data.

EPC Group brings 29 years of enterprise Microsoft consulting experience to every Purview engagement. As a Microsoft Gold Partner, we have deployed Microsoft Purview across organizations ranging from 500-seat mid-market firms to 50,000-seat global enterprises in healthcare, financial services, government, and defense. Our engagements are led by Errin O'Connor, Chief AI Architect and Microsoft Press bestselling author of four books covering Power BI, SharePoint, Azure, and large-scale migrations.

Our key strength is regulatory depth. While general IT consultancies can set up Purview, EPC Group configures it to ensure compliance with audits. We know the specific control requirements for:

• HIPAA risk assessments
• SOC 2 Type II examinations
• GDPR Data Protection Authority inquiries
• FedRAMP-aligned consulting expertise work packages

We have guided clients through these compliance events. When your Compliance Manager score needs to show 80+ percent coverage before a SOC 2 auditor arrives in 45 days, or when OCR requests documentation of your PHI safeguards after a breach notification, our regulatory depth can make the difference between passing and failing.

• Microsoft Gold Partner with deep Purview and compliance expertise
• 29 years of enterprise consulting across regulated industries
• Author of 4 Microsoft Press bestsellers on enterprise Microsoft technologies
• Proven deployments in healthcare (HIPAA), finance (SOC 2), government (FedRAMP)
• End-to-end implementation from assessment through audit support
• Integration with broader Microsoft 365 and Azure security architecture