
The complete 2026 guide to information protection, DLP, insider risk management, eDiscovery, records management, data catalog, and implementation roadmap for regulated industries.
What is Microsoft Purview and what does it do?
Microsoft Purview is a unified data governance, compliance, and risk management platform that helps enterprises discover, classify, protect, and govern data across their entire digital estate. It combines Purview Compliance (sensitivity labels, DLP, insider risk management, eDiscovery, records management, audit) with Purview Governance (data map, data catalog, lineage, data quality) into a single platform. Purview protects data in Microsoft 365, Azure, AWS, GCP, on-premises databases, and SaaS applications — providing a single pane of glass for enterprise data governance. EPC Group implements Purview as the foundation of enterprise data governance programs for HIPAA, SOC 2, GDPR, FedRAMP, and PCI-DSS regulated organizations.
Every enterprise has the same problem: data is scattered across dozens of systems — SharePoint, OneDrive, Exchange, Teams, Azure SQL, AWS S3, on-premises file shares, SaaS applications — and nobody knows where the sensitive data is, who has access, or whether it is adequately protected. Microsoft Purview solves this by providing integrated tools to discover data wherever it lives, classify it by sensitivity and business context, protect it with encryption and access controls, and govern it with retention policies and lifecycle management.
The 2026 landscape adds urgency: AI tools like Microsoft Copilot access everything a user can access. Without proper classification and DLP policies, Copilot can surface sensitive data — Social Security numbers, patient records, financial statements — in AI-generated responses. Purview is the critical control layer that makes AI safe for enterprise deployment. Organizations that deploy Copilot without Purview governance are accepting unquantified risk.
EPC Group has deployed Purview for enterprises ranging from 2,000 to 150,000 users across healthcare, financial services, government, and education. Our Microsoft 365 consulting practice treats Purview as a non-negotiable component of every M365 deployment — not an optional compliance add-on.
Two sides of the same coin. Compliance protects data within Microsoft 365. Governance discovers and catalogs data across your entire multi-cloud estate.
Purview Compliance: formerly Microsoft 365 Compliance Center
Purview Governance: formerly Azure Purview
Six integrated capabilities that protect regulated data across Microsoft 365, endpoints, and AI — working together as a unified defense system.
Classify and protect data with sensitivity labels, encryption, and access controls that travel with the content.
Prevent sensitive data from leaving the organization through email, Teams, endpoints, or AI.
Detect and investigate insider threats using behavioral analytics and cumulative risk scoring.
Monitor communications for regulatory violations, code of conduct breaches, and inappropriate content.
Preserve, collect, review, and export content for legal matters with AI-assisted relevance scoring.
Automate retention, deletion, and records management to meet regulatory requirements.
Purview Audit captures every user and admin action across Microsoft 365 — who accessed what, when, and from where. For regulated industries, the audit log is your primary evidence for demonstrating compliance controls to auditors, regulators, and legal counsel.
EPC Group configures Advanced Audit with custom retention policies aligned to regulatory requirements — 7-year retention for financial services (SEC/FINRA), 6-year for healthcare (HIPAA), and 10-year for government (NARA). We also establish audit search saved queries so compliance teams can run recurring investigations without IT assistance.
Extend data governance beyond Microsoft 365 — discover, classify, and catalog data across Azure, AWS, GCP, on-premises databases, and SaaS applications.
Automated scanning and registration of data sources across Azure, AWS, GCP, and on-premises.
Business-friendly search interface where data consumers find, understand, and request access to data.
Executive dashboards showing classification coverage, sensitivity distribution, and governance health.
The Data Map and Catalog transform data governance from a Microsoft 365 compliance exercise into an enterprise-wide program. Organizations with data in Azure SQL, AWS S3, Snowflake, Oracle, and SAP can catalog everything in a single Purview instance — giving data consumers one place to search for and request access to data assets regardless of where they are stored. This is the foundation of a Data Governance Center of Excellence.
A structured approach from assessment through ongoing governance. EPC Group compresses this timeline with fixed-fee accelerators for organizations with clear requirements.
Weeks 1-4
Understand your data landscape, regulatory requirements, and current governance maturity before configuring anything.
Weeks 5-8
Deploy sensitivity labels, auto-labeling, and encryption as the foundation of your data governance program.
Weeks 9-12
Layer DLP policies and insider risk detection on top of information protection to prevent data loss.
Weeks 13-16
Configure legal, records, and audit capabilities to complete the compliance program.
Weeks 17-20
Extend governance beyond M365 by cataloging and classifying data across your entire data estate.
Weeks 21+
Continuous improvement — tune policies, expand coverage, measure governance maturity, and adapt to new threats.
Microsoft Copilot, Azure AI, and third-party AI tools access data based on user permissions. If your data is not classified, labeled, and protected by Purview, AI will surface sensitive information in generated responses — Social Security numbers in sales proposals, patient records in meeting summaries, financial projections in casual Teams chats.
Purview is the prerequisite for safe AI deployment. Sensitivity labels tell Copilot what it cannot touch. DLP policies block AI from generating regulated content. Insider Risk Management detects when employees use AI tools inappropriately. Audit captures every AI interaction for compliance evidence. Without these controls, you are deploying AI with no guardrails.
For detailed guidance on configuring Purview specifically for AI governance — including Copilot DLP policies, AI Hub configuration, and AI audit trails — see our companion guide:
Microsoft Purview for AI Governance & Compliance
HIPAA
SOC 2 / SEC / FINRA
FedRAMP / CMMC
FERPA
Microsoft Purview is a unified data governance, compliance, and risk management platform that helps organizations discover, classify, protect, and govern data across their entire digital estate. It combines two core capabilities: 1) Purview Compliance — information protection with sensitivity labels, DLP policies, insider risk management, communication compliance, eDiscovery, data lifecycle management, records management, and audit. 2) Purview Governance — data map, data catalog, data estate insights, and data sharing for multi-cloud and on-premises environments. Purview replaced the separate Microsoft Information Protection (MIP), Microsoft Compliance Center, and Azure Purview products under a single brand. It protects data in Microsoft 365, Azure, AWS, GCP, on-premises databases, and SaaS applications — providing a single pane of glass for enterprise data governance.
Purview Compliance (formerly Microsoft 365 Compliance) focuses on protecting and governing data within Microsoft 365 — it includes sensitivity labels, DLP, insider risk management, communication compliance, eDiscovery, audit, records management, and data lifecycle management. Licensed through M365 E3/E5. Purview Governance (formerly Azure Purview) focuses on discovering and cataloging data across your entire data estate — it includes data map, data catalog, data estate insights, data sharing, and data quality. Licensed through Azure consumption or capacity units. Most enterprises need both: Compliance to protect regulated data in M365, and Governance to catalog and discover data across multi-cloud and on-premises sources. EPC Group implements both as an integrated data governance program.
Purview Information Protection uses sensitivity labels to classify and protect data across 5 layers: 1) Visual markings — headers, footers, and watermarks applied to documents and emails indicating classification level. 2) Encryption — Azure Rights Management encryption that travels with the document, controlling who can open, edit, copy, print, and forward content. 3) Access control — label-based restrictions preventing unauthorized users from accessing content regardless of where it is stored or shared. 4) Auto-labeling — machine learning classifiers and sensitive information types that automatically apply labels to content matching defined patterns (SSN, credit cards, PHI). 5) Container labels — site-level and group-level labels applied to SharePoint sites, Teams channels, and Microsoft 365 Groups that enforce privacy, guest access, and sharing policies. Labels persist across the data lifecycle — a Confidential label applied in Word follows the document through email, SharePoint, OneDrive, Teams, and third-party applications.
Enterprise DLP configuration in Purview should cover 6 policy categories: 1) Regulatory data — detect and protect PII (SSN, passport numbers), PHI (medical record numbers, diagnosis codes), and financial data (credit card numbers, bank accounts) across Exchange, SharePoint, OneDrive, Teams, and endpoints. 2) Intellectual property — custom classifiers trained on proprietary data (source code, product designs, trade secrets). 3) Copilot DLP — policies that prevent AI from surfacing or generating regulated data in responses. 4) Endpoint DLP — extend protection to Windows and macOS devices including copy to USB, print, upload to cloud storage, and clipboard monitoring. 5) Power BI DLP — detect sensitive data in Power BI datasets and reports. 6) Adaptive protection — DLP policies that automatically increase restrictions for users flagged by Insider Risk Management. Start with built-in templates for your industry (HIPAA, PCI-DSS, GDPR, GLBA) and customize from there.
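To show how pattern-based detection of regulated data (SSNs, credit card numbers) can separate real hits from look-alike numbers, here is an added example that is not Purview's classifier or EPC Group's code. The regexes, keyword lists, 300-character context window and the high/low confidence labels are illustrative assumptions, and the sample strings are constructed.

```python
import re

# Illustrative patterns only; these are not Purview's built-in definitions.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
KEYWORDS = {
    "credit_card": ("visa", "mastercard", "card number", "cvv", "expires"),
    "ssn": ("ssn", "social security", "taxpayer"),
}
WINDOW = 300  # characters of context searched for supporting keywords (assumed)


def luhn_ok(digits):
    """Luhn checksum: rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def has_keyword(text, start, end, kind):
    """Supporting evidence: a related keyword near the match raises confidence."""
    ctx = text[max(0, start - WINDOW): end + WINDOW].lower()
    return any(k in ctx for k in KEYWORDS[kind])


def scan(text):
    """Return (type, masked_value, confidence) tuples; never the raw value."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue            # order numbers, tracking ids and similar
        conf = "high" if has_keyword(text, m.start(), m.end(), "credit_card") else "low"
        findings.append(("credit_card", "*" * (len(digits) - 4) + digits[-4:], conf))
    for m in SSN_RE.finditer(text):
        conf = "high" if has_keyword(text, m.start(), m.end(), "ssn") else "low"
        findings.append(("ssn", "***-**-" + m.group()[-4:], conf))
    return findings


if __name__ == "__main__":
    for line in ("Visa card number 4111 1111 1111 1111 expires 09/27",  # constructed
                 "Order ref 4111 1111 1111 1112",                       # constructed
                 "Employee SSN: 123-45-6789"):                          # constructed
        print(line[:20], "->", scan(line))
```

Low-confidence findings are the natural candidates for simulation-mode review before a policy is switched to blocking.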
Purview Insider Risk Management uses behavioral analytics and machine learning to detect 5 categories of insider threats: 1) Data theft by departing employees — monitors for bulk downloads, USB transfers, email forwarding spikes, and cloud upload patterns during the 90-day exit window. 2) Data leaks — detects when users share sensitive content externally through email, Teams, SharePoint sharing, or third-party cloud storage. 3) Security policy violations — identifies users attempting to bypass security controls, access unauthorized resources, or install prohibited applications. 4) Patient data misuse (healthcare) — monitors for unauthorized PHI access patterns that may indicate snooping or data theft. 5) Risky AI usage — detects unusual Copilot query patterns, bulk data extraction via AI, and attempts to manipulate AI guardrails. The system assigns risk scores based on cumulative indicators — a single action rarely triggers an alert, but patterns of behavior (downloading files + forwarding emails + printing documents in the same week) escalate the risk score for investigation.
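The cumulative scoring idea described above, where one action stays below the alert line but several indicators in the same week cross it, can be sketched as follows. This is an added example, not Purview's scoring model or EPC Group's code; the indicator names, weights, 7-day window, threshold of 70 and the event records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed weights and threshold for illustration; not Purview's actual model.
WEIGHTS = {"bulk_download": 30, "email_forward_external": 25,
           "print_sensitive": 20, "usb_copy": 35}
WINDOW = timedelta(days=7)
THRESHOLD = 70

# Constructed sample events: (ISO timestamp, user, indicator)
EVENTS = [
    ("2026-03-02T09:10", "alice", "bulk_download"),          # single action
    ("2026-03-03T14:00", "bob", "bulk_download"),            # three indicators
    ("2026-03-04T16:30", "bob", "email_forward_external"),   # inside one week
    ("2026-03-06T11:45", "bob", "print_sensitive"),
    ("2026-03-01T08:00", "carol", "bulk_download"),          # same three indicators
    ("2026-03-12T08:00", "carol", "email_forward_external"), # spread over 19 days
    ("2026-03-20T08:00", "carol", "print_sensitive"),
]


def score_users(events):
    """Return {user: (peak_score, indicators_at_peak)} over any 7-day window."""
    by_user = defaultdict(list)
    for ts, user, kind in events:
        by_user[user].append((datetime.fromisoformat(ts), kind))
    result = {}
    for user, evs in by_user.items():
        evs.sort()
        peak, peak_kinds, start = 0, set(), 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most 7 days.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            score = sum(WEIGHTS.get(kind, 0) for _, kind in window)
            if score > peak:
                peak, peak_kinds = score, {kind for _, kind in window}
        result[user] = (peak, sorted(peak_kinds))
    return result


def alerts(events):
    """Users whose peak windowed score reaches the investigation threshold."""
    return sorted(u for u, (score, _) in score_users(events).items()
                  if score >= THRESHOLD)


if __name__ == "__main__":
    print(score_users(EVENTS))
    print("alert:", alerts(EVENTS))
```

In this constructed data only bob is flagged: carol performs the same three actions, but never within one window, which is the trade-off a window length setting controls.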
Purview eDiscovery provides 3 tiers: 1) Content Search — basic search across Exchange, SharePoint, OneDrive, and Teams for up to 10 content sources. Included in E3. 2) eDiscovery Standard — adds case management, legal hold, and export capabilities. Create cases, place custodians on hold to preserve data, search across all content sources, and export results for legal review. Included in E3. 3) eDiscovery Premium — adds custodian management, advanced processing (OCR, thread deduplication, near-duplicate detection), review sets with analytics, and predictive coding (AI-assisted relevance scoring). Premium supports 25 million items per review set and provides privilege detection, theme clustering, and conversation threading. Required for complex litigation. Licensed with E5 or E5 Compliance add-on. EPC Group configures eDiscovery workflows with proper role-based access so legal teams can conduct investigations without IT involvement.
The Purview Data Map automatically scans and registers data sources across your entire estate: Azure (SQL, Blob, ADLS, Synapse, Cosmos DB), AWS (S3, RDS, Redshift), GCP (BigQuery, Cloud Storage), on-premises (SQL Server, Oracle, SAP, Teradata), and SaaS (Power BI, Salesforce). For each source, the Data Map captures: schema and column metadata, data classification (PII, PHI, financial data detected automatically), lineage (how data flows between systems), and glossary terms (business definitions mapped to technical assets). The Data Catalog provides a searchable business-friendly interface where data consumers can find, understand, and request access to data assets. Users search by keyword, classification, glossary term, or data owner — without needing to know which database or table contains the information. This eliminates the single biggest barrier to enterprise data adoption: nobody knows where the data is.
Purview compliance capabilities are split across license tiers: M365 E3 ($36/user/month) — manual sensitivity labels, basic DLP (Exchange, SharePoint, OneDrive), Content Search, eDiscovery Standard, basic audit (180-day retention), manual retention labels and policies. M365 E5 ($57/user/month) — adds auto-labeling (client-side and service-side), advanced DLP (endpoint DLP, adaptive protection, Teams DLP), Insider Risk Management, Communication Compliance, eDiscovery Premium, Advanced Audit (1-year retention), Information Barriers, and Privileged Access Management. Standalone add-ons: E5 Compliance ($12/user/month) adds all E5 compliance features to E3. E5 Information Protection & Governance ($12/user/month) adds auto-labeling and advanced data lifecycle. For regulated industries, EPC Group recommends E5 or E3 + E5 Compliance because auto-labeling, Insider Risk Management, and Advanced Audit are non-negotiable for demonstrating compliance.
A full Purview implementation for an enterprise of 5,000-50,000 users typically takes 16-24 weeks across 5 phases: Phase 1 (Weeks 1-4) — Discovery and planning: data classification assessment, label taxonomy design, DLP policy design, licensing review. Phase 2 (Weeks 5-8) — Information Protection: sensitivity label deployment, auto-labeling configuration, encryption policies, container labels. Phase 3 (Weeks 9-12) — DLP and Compliance: DLP policy deployment in simulation mode, Communication Compliance, Insider Risk Management configuration. Phase 4 (Weeks 13-16) — Advanced capabilities: eDiscovery workflows, records management, data lifecycle management, audit configuration. Phase 5 (Weeks 17-20) — Governance: Purview Data Map configuration, data catalog setup, data estate scanning, glossary and lineage mapping. Ongoing (Weeks 21+) — optimization, policy tuning, user training, and governance program management. EPC Group offers fixed-fee accelerators that compress this timeline to 12-16 weeks for organizations with clear requirements.
Purview provides 8 HIPAA-specific capabilities: 1) PHI classification — 14 built-in sensitive information types for healthcare data including medical record numbers, DEA numbers, and health insurance IDs. 2) HIPAA sensitivity labels — Confidential-PHI labels that enforce encryption and access restrictions on all protected health information. 3) Healthcare DLP policies — built-in HIPAA template policies for Exchange, SharePoint, OneDrive, Teams, and endpoints. 4) Minimum necessary enforcement — DLP and access controls ensure only authorized personnel access PHI relevant to their role. 5) Breach notification support — eDiscovery and Content Search enable rapid identification of affected records when a breach occurs. 6) Audit trail — Advanced Audit captures who accessed, modified, or shared PHI with 1-year retention for compliance evidence. 7) BAA coverage — Microsoft signs Business Associate Agreements covering Purview compliance services. 8) Patient data snooping detection — Insider Risk Management monitors for unauthorized PHI access patterns common in healthcare organizations.
EPC Group deploys Purview for enterprises across healthcare, financial services, government, and education. From information protection and DLP to data catalog and AI governance — we implement the complete Purview platform as an integrated data governance program.