MS-102, Chapter 13 of 104, Objective 3.3

Compliance Administration

This chapter covers Microsoft 365 compliance administration, focusing on how to configure and manage compliance solutions in Microsoft Purview. As an MS-102 candidate, you must understand retention policies, data classification, eDiscovery, audit logging, and compliance score—topics that collectively represent approximately 15-20% of exam questions in domain 'Security Threats' objective 3.3. This chapter provides the deep technical knowledge required to design and troubleshoot compliance controls in enterprise environments.

Updated May 31, 2026

Compliance as a Bank Vault with Audit Trails

Imagine a bank vault that not only stores valuables but also enforces strict rules about who can access which safe deposit boxes, when, and under what conditions. The vault has multiple doors: the first requires a valid employee badge, the second requires a manager override for certain boxes, and the third logs every single entry attempt, successful or not. Inside, each box has a label specifying its retention period—after which the box self-destructs unless renewed. The bank also has a separate room where compliance officers can run reports on all access logs, identify boxes that are overdue for review, and apply legal holds on boxes involved in litigation. This vault is Microsoft Purview Compliance Portal. The employee badge is Azure AD authentication; the manager override is role-based access control (RBAC); the self-destruct timer is retention labels; the logging is unified audit log; and the compliance officer tools are eDiscovery, Content Search, and Data Loss Prevention policies. Just as the bank cannot let anyone wander into the vault without permission, your Microsoft 365 tenant cannot allow data to be stored without governance—compliance administration ensures that data is classified, retained, protected, and discoverable according to regulatory requirements.

How It Actually Works

What is Compliance Administration in Microsoft 365?

Compliance administration in Microsoft 365 encompasses the tools and policies that help organizations meet legal, regulatory, and internal standards for data governance. The central hub is the Microsoft Purview compliance portal (https://compliance.microsoft.com). Key capabilities include:

Information Protection: Sensitivity labels, data classification, and data loss prevention (DLP).

Records Management: Retention labels, retention policies, and disposition review.

eDiscovery: Content search, eDiscovery (Standard and Premium) for legal holds and export.

Audit: Unified audit log (Standard and Premium) for tracking user and admin activities.

Compliance Manager: Compliance score, assessments, and improvement actions.

Communication Compliance: Detect inappropriate messages in Teams, Exchange, and Yammer.

Insider Risk Management: Identify risky user activities based on indicators.

Why Compliance Administration Exists

Organizations must comply with regulations like GDPR, HIPAA, SOX, and FedRAMP. Microsoft 365 provides built-in controls to simplify compliance. The exam tests your ability to configure these controls correctly, understand their dependencies, and troubleshoot issues. For example, a retention policy applied to SharePoint sites will not work if the site is not indexed, or a DLP rule may not trigger if the sensitivity label is not published.

How It Works Internally

Retention Policies and Labels:

Retention policies are applied at the location level (Exchange, SharePoint, OneDrive, Teams, Yammer). They use a timestamp (creation date, last modified date, or a custom date) to calculate retention periods. When a policy is assigned, the Compliance service stamps items with a retention tag. The Managed Folder Assistant (for Exchange) or the retention timer (for SharePoint) evaluates items periodically. The default retention timer runs every 7 days in Exchange, but processing can be forced with the Start-ManagedFolderAssistant cmdlet. For SharePoint, the retention timer runs every 24 hours.

Retention labels are published to users via label policies, and users manually apply them to items. Labels can also be auto-applied based on sensitive information types, trainable classifiers, or content queries. Labels can trigger a disposition review when the retention period expires.

Data Classification:

Data classification uses content explorer and activity explorer to show where sensitive data resides. It relies on sensitive information types (SITs) like credit card numbers, passport IDs, or custom patterns. Trainable classifiers use machine learning to identify content (e.g., contracts, resumes).
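How a pattern-based SIT such as a credit card number decides whether text matches, as an added example (not from the original chapter and not Microsoft's classifier): a simplified model that combines a digit pattern, a Luhn checksum, and nearby keywords. The function names, keyword list, 300-character proximity window, and sample strings are assumptions constructed for illustration.

```powershell
# Simplified model of a pattern + checksum + keyword SIT (added example).
function Test-Luhn {
    param([string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $n = [int]($Digits.Substring($i, 1))
        if ($double) {
            $n *= 2
            if ($n -gt 9) { $n -= 9 }
        }
        $sum += $n
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-CreditCardMatch {
    param(
        [string]$Text,
        # Assumed supporting keywords; a real SIT ships its own keyword lists.
        [string[]]$Keyword = @('credit card', 'card number', 'visa', 'mastercard', 'cvv', 'expiry'),
        [int]$Proximity = 300   # assumed character window around the match
    )
    # 16 digits, optionally separated by single spaces or hyphens.
    $pattern = '(?<!\d)(?:\d[ -]?){15}\d(?!\d)'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        # A pattern hit that fails the checksum is not reported at all,
        # which is why made-up test numbers often never trigger a DLP rule.
        if (-not (Test-Luhn $digits)) { continue }

        $from = [Math]::Max(0, $m.Index - $Proximity)
        $to = [Math]::Min($Text.Length, $m.Index + $m.Length + $Proximity)
        $context = $Text.Substring($from, $to - $from)
        $hasKeyword = $false
        foreach ($k in $Keyword) {
            if ($context.IndexOf($k, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $hasKeyword = $true
                break
            }
        }
        [pscustomobject]@{
            Masked     = ('*' * 12) + $digits.Substring(12)
            Confidence = $(if ($hasKeyword) { 'High' } else { 'Low' })
            Index      = $m.Index
        }
    }
}

# Constructed sample content (well-known test numbers, not real cards).
$samples = @(
    'Payment by credit card 4111 1111 1111 1111, expiry 12/29'  # valid checksum, keyword nearby
    'Order reference 4111 1111 1111 1112 shipped'               # pattern hit, checksum fails
    'Ticket id 5555555555554444'                                # valid checksum, no keyword
)
foreach ($s in $samples) {
    $hits = @(Find-CreditCardMatch -Text $s)
    [pscustomobject]@{
        Text       = $s
        Matches    = $hits.Count
        Confidence = ($hits.Confidence -join ',')
    }
}
```

When a DLP rule does not fire on test content, the same three questions apply to the real SIT: does the pattern match, does any checksum pass, and is the supporting evidence close enough to reach the confidence level the rule requires.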

eDiscovery:

eDiscovery (Standard) uses content searches across all workloads. Results are stored in a search result set and can be exported. eDiscovery (Premium) adds advanced features like predictive coding, review sets, and legal hold notifications. eDiscovery requires specific role groups: eDiscovery Manager and eDiscovery Administrator.

Audit Logging:

By default, audit logging is enabled for all tenants. Audit records are retained for 90 days (Standard) or 1 year (Premium, additional license required). The audit log records operations like mailbox access, file downloads, and admin actions. You can search the audit log in the compliance portal or with the Search-UnifiedAuditLog cmdlet.

Compliance Manager:

Compliance Manager is a dashboard that calculates a compliance score based on improvement actions. Each action has a point value and is mapped to a control (e.g., GDPR Article 5). You can assign actions to users, upload evidence, and track progress.

Key Components, Values, Defaults, and Timers

Retention Policy Defaults: Items are retained based on the policy's retention period (e.g., 7 years). If deletion is also configured, items are deleted after retention period ends.

Retention Label Defaults: Labels can be used for records management (mark as record or regulatory record). Regulatory records are immutable and cannot be deleted even by administrators.

Audit Log Retention: Standard: 90 days; Premium: 1 year (requires E5 or add-on).

eDiscovery Case Limits: Standard: up to 10 GB of search results per case; Premium: up to 1 TB.

Compliance Score: Each improvement action has a maximum point value (e.g., 10 points). The score is calculated as (achieved points / total possible points) * 100.

Configuration and Verification Commands

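To create a retention policy via PowerShell, create the policy for the location and then add a rule that carries the retention settings (the retention action and duration are parameters of the rule, not of the policy):

New-RetentionCompliancePolicy -Name "HR Retention" -SharePointLocation "https://contoso.sharepoint.com/sites/hr"
New-RetentionComplianceRule -Name "HR Retention Rule" -Policy "HR Retention" -RetentionComplianceAction Keep -RetentionDuration 365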

To search the audit log:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Operations "FileDownloaded"

To list DLP rules whose mode is Enable (rule matches themselves are recorded in the audit log):

Get-DlpComplianceRule | Where-Object {$_.Mode -eq 'Enable'}

How It Interacts with Related Technologies

Compliance administration integrates with Azure AD for identity and role assignments. For example, to manage eDiscovery cases, a user must be in the eDiscovery Manager role group. Sensitivity labels are published to users via label policies and can be auto-applied using DLP policies. DLP policies can detect sensitive data and trigger actions like blocking access or sending email notifications. Communication compliance policies rely on audit logs to detect inappropriate messages.

Common Pitfalls

Applying a retention policy to a SharePoint site that is not indexed will not work.

A DLP policy that uses a custom sensitive info type will not trigger if the type is not properly configured.

eDiscovery search may return stale results if the index is not up to date (can be fixed by re-indexing the site).

Audit log search may fail if the user does not have the Audit Log role.

Exam-Specific Details

The MS-102 exam expects you to know:

The difference between retention policies (applied automatically to locations) and retention labels (applied manually or auto-applied).

The default retention period for audit logs (90 days for Standard, 1 year for Premium).

That eDiscovery (Premium) includes predictive coding and review sets, while eDiscovery (Standard) does not.

That Compliance Manager scores are based on improvement actions, not just policies.

That communication compliance requires a license (E5 or add-on).

Walk-Through

1. Enable Audit Logging

Before any compliance actions can be tracked, audit logging must be enabled. In Microsoft 365, audit logging is enabled by default for all tenants. However, you should verify this by navigating to the Purview compliance portal > Audit > Audit log. If it is disabled, you can enable it via PowerShell: `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true`. Once enabled, user and admin actions are recorded in the unified audit log. The audit log records the operation (e.g., FileDownloaded), user, timestamp, client IP, and details. By default, audit records are retained for 90 days. To extend retention to 1 year, you need Audit (Premium) licenses.

2. Create a Retention Policy

Retention policies are used to retain or delete data across locations. In the Purview compliance portal, go to Data Lifecycle Management > Retention Policies. Click 'New retention policy'. Provide a name and description. Choose the locations: Exchange email, SharePoint sites, OneDrive accounts, Teams channel messages, Teams chats, Yammer messages, or Skype for Business. You can also exclude specific users or sites. Then choose the retention period: either a fixed number of days/years, or indefinite (keep forever). Optionally, configure disposition review. The policy is then assigned to the Managed Folder Assistant (Exchange) or the SharePoint timer job. The policy will apply to all existing and future items in the selected locations. Verify with `Get-RetentionCompliancePolicy -Name "Policy Name"`.

3. Publish a Retention Label

Retention labels allow users to manually classify items. In Purview > Data Lifecycle Management > Retention Labels, create a new label. Define the label name, description, and retention settings (keep, delete, or both). Optionally mark as a record (regulatory or standard). Then publish the label via a label policy. Go to Label Policies > Publish labels. Select the label(s) and choose the locations (Exchange, SharePoint, OneDrive). Assign the policy to specific users or groups. Users will then see the label in Outlook, SharePoint, and OneDrive. To auto-apply labels, create an auto-apply policy based on sensitive info types or trainable classifiers. Verify with `Get-ComplianceTag -Identity "Label Name"` (retention labels are compliance tags in PowerShell; `Get-Label` returns sensitivity labels).

4. Create a DLP Policy

Data Loss Prevention policies protect sensitive information from being shared. In Purview > Data Loss Prevention > Policies, click 'Create policy'. Choose a template (e.g., Financial data) or custom. Define the sensitive info types to detect (e.g., credit card numbers, SSN). Specify the locations: Exchange, SharePoint, OneDrive, Teams, and devices. Configure actions: block access, display a tip, send an email notification, or allow override. Test first in simulation mode. Once enabled, DLP rules are evaluated in real-time. For example, if a user tries to share a document containing credit card numbers externally, the rule can block the share and send an alert. Verify with `Get-DlpComplianceRule` and check the audit log for DLP rule matches.

5. Run an eDiscovery Search

eDiscovery allows you to search for content across Exchange, SharePoint, OneDrive, and Teams. In Purview > eDiscovery > Standard, create a new case. Then create a search within the case. Define the search query: keywords, conditions (date range, sender/author, file type). Choose the locations to search: all mailboxes, all sites, or specific ones. Run the search. Results are stored in the case. You can preview results, export them (download a CSV with metadata and a PST/PDF of items), or place a hold on items. eDiscovery (Premium) adds advanced features like predictive coding and review sets. To use eDiscovery, you must be a member of the eDiscovery Manager role group. From PowerShell, run the search with `Start-ComplianceSearch -Identity "Search Name"` and check its status and results with `Get-ComplianceSearch -Identity "Search Name"`.

What This Looks Like on the Job

Enterprise Scenario 1: GDPR Compliance for a Multinational Corporation

A global company must comply with GDPR, which requires data retention limits (e.g., delete HR data after 7 years) and the ability to respond to data subject requests (DSRs) within 30 days. The compliance team uses Microsoft 365 to:

Create retention policies for Exchange (email) and SharePoint (documents) with a 7-year retention period and automatic deletion after that.

Publish retention labels for HR records that mark them as records (immutable).

Use eDiscovery (Premium) to search for a specific user's data across all workloads and export it in a machine-readable format (e.g., PST) for DSR fulfillment.

Configure audit logging to track all access to personal data.

Use Compliance Manager to track GDPR improvement actions and maintain a score of 80+.

Challenges: The company has 50,000 users and 500 SharePoint sites. Retention policies must be scoped correctly to avoid retaining data longer than necessary. They use PowerShell scripts to bulk-assign retention policies. The audit log generates millions of records per day; they use Audit (Premium) to retain logs for 1 year and run custom queries via Search-UnifiedAuditLog.

Enterprise Scenario 2: Legal Hold for Litigation

A company is facing a lawsuit and must preserve all relevant electronic documents. The legal team uses eDiscovery to:

Create an eDiscovery (Standard) case named "Litigation 2024".

Place a hold on all mailboxes of custodians (key employees) and their SharePoint sites.

Use content search to find documents containing specific keywords (e.g., "contract").

Export results for review.

Use eDiscovery (Premium) for advanced analytics: predictive coding to reduce review volume, and review sets to tag documents.

Common misconfigurations: Not placing a hold before starting the search. If a hold is not applied, items may be deleted by retention policies. Another is failing to include Teams chats (which are stored in Exchange mailboxes). The admin must ensure that the hold is applied to all relevant locations.

Enterprise Scenario 3: Insider Risk Detection

A company wants to detect employees exfiltrating sensitive data via email or USB. They use:

Communication compliance policies to detect inappropriate messages (e.g., harassment).

Insider risk management policies to detect unusual file downloads (e.g., downloading thousands of files from SharePoint).

DLP policies to block sharing of credit card numbers via email.

These policies rely on audit logs and user activity. The admin must assign the correct roles (Insider Risk Management Admin) and configure indicators (e.g., file download threshold). Performance: Real-time detection requires constant log ingestion. Misconfigurations: Not enabling the audit log or not assigning the correct role group.
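The file-download threshold indicator described above can be approximated directly from unified audit log records. This added example (not part of the original chapter, and not how Insider Risk Management is implemented) counts FileDownloaded events per user in a sliding time window; the function name, threshold, window, and sample records are assumptions.

```powershell
# Added example: flag users with a burst of FileDownloaded events.
function Get-BulkDownloadUser {
    [CmdletBinding()]
    param(
        # Objects shaped like Search-UnifiedAuditLog output (AuditData is a JSON string).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Record,
        [int]$Threshold = 3,        # assumed; kept small so the sample triggers
        [int]$WindowMinutes = 10    # assumed
    )
    begin { $downloads = [System.Collections.Generic.List[object]]::new() }
    process {
        foreach ($r in $Record) {
            $d = $r.AuditData | ConvertFrom-Json
            if ($d.Operation -ne 'FileDownloaded') { continue }
            $downloads.Add([pscustomobject]@{
                UserId   = $d.UserId
                Time     = [datetime]$d.CreationTime
                ClientIP = $d.ClientIP
            })
        }
    }
    end {
        foreach ($g in ($downloads | Group-Object UserId)) {
            $sorted = @($g.Group | Sort-Object Time)
            $best = 0; $bestStart = 0; $start = 0
            # Sliding window: largest number of downloads within $WindowMinutes.
            for ($end = 0; $end -lt $sorted.Count; $end++) {
                while (($sorted[$end].Time - $sorted[$start].Time).TotalMinutes -gt $WindowMinutes) {
                    $start++
                }
                $count = $end - $start + 1
                if ($count -gt $best) { $best = $count; $bestStart = $start }
            }
            if ($best -ge $Threshold) {
                $win = @($sorted[$bestStart..($bestStart + $best - 1)])
                [pscustomobject]@{
                    UserId      = $g.Name
                    Downloads   = $best
                    WindowStart = $win[0].Time
                    WindowEnd   = $win[-1].Time
                    ClientIPs   = (($win.ClientIP | Sort-Object -Unique) -join ',')
                }
            }
        }
    }
}

# Constructed sample records (not real tenant data): user, operation, UTC time, client IP.
$rows = @(
    'alice@contoso.com,FileDownloaded,2024-05-01T09:00:05,203.0.113.10'
    'alice@contoso.com,FileDownloaded,2024-05-01T09:01:10,203.0.113.10'
    'alice@contoso.com,FileDownloaded,2024-05-01T09:02:30,203.0.113.10'
    'alice@contoso.com,FileDownloaded,2024-05-01T09:04:00,203.0.113.10'
    'alice@contoso.com,FileDownloaded,2024-05-01T13:30:00,203.0.113.10'
    'bob@contoso.com,FileDownloaded,2024-05-01T09:15:00,198.51.100.7'
    'bob@contoso.com,FileDownloaded,2024-05-01T11:20:00,198.51.100.7'
    'bob@contoso.com,FileAccessed,2024-05-01T11:21:00,198.51.100.7'
)
$sample = foreach ($row in $rows) {
    $user, $op, $time, $ip = $row -split ','
    $json = @{ UserId = $user; Operation = $op; CreationTime = $time; ClientIP = $ip } |
        ConvertTo-Json -Compress
    [pscustomobject]@{ AuditData = $json }
}

$sample | Get-BulkDownloadUser -Threshold 3 -WindowMinutes 10

# Against a tenant, pipe live records instead of $sample, for example:
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#     -Operations FileDownloaded -ResultSize 5000 | Get-BulkDownloadUser -Threshold 500
```

Search-UnifiedAuditLog returns at most 5,000 records per call, so a tenant that logs millions of records per day needs narrow time slices or paged sessions before the counts are meaningful.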

How MS-102 Actually Tests This

What the MS-102 Exam Tests on Compliance Administration

The exam objective 3.3 covers compliance administration. Specifically, you must be able to:

Configure retention policies and labels (including auto-apply).

Manage eDiscovery cases and holds.

Analyze audit logs.

Configure DLP policies.

Use Compliance Manager.

Common Wrong Answers and Why Candidates Choose Them

1. Wrong: "Retention policies can be applied to individual items." Reality: Retention policies are applied to locations (mailboxes, sites). Only retention labels can be applied to individual items. Candidates confuse the two.

2. Wrong: "Audit logs are retained for 1 year by default." Reality: Default is 90 days; 1 year requires Audit (Premium) license. Candidates often think the default is longer.

3. Wrong: "eDiscovery (Standard) includes predictive coding." Reality: Predictive coding is only in eDiscovery (Premium). Candidates may think all eDiscovery features are the same.

4. Wrong: "DLP policies can only be applied to Exchange." Reality: DLP policies can be applied to Exchange, SharePoint, OneDrive, Teams, and devices (Microsoft 365 E5).

5. Wrong: "Compliance Manager score is based on the number of policies you have." Reality: Score is based on improvement actions completed, not number of policies.

Specific Numbers and Terms That Appear on the Exam

Default audit log retention: 90 days (Standard), 1 year (Premium).

Maximum eDiscovery Standard search results: 10 GB; Premium: 1 TB.

Retention policy timer: 7 days for Exchange, 24 hours for SharePoint.

DLP policy modes: Test, Test with notifications, Enable.

Sensitivity labels can be auto-applied using trainable classifiers or sensitive info types.

Edge Cases and Exceptions

A retention policy with both keep and delete actions: items are kept for the retention period, then deleted. If the item is modified, the retention period restarts based on the last modified date.

If a retention label is set as a regulatory record, even administrators cannot delete it.

eDiscovery hold overrides retention policies: items on hold are preserved even if retention policy would delete them.

DLP policy for Teams: works only for messages containing sensitive info; does not apply to files shared in Teams (those are in SharePoint).

How to Eliminate Wrong Answers Using the Underlying Mechanism

Understand that retention policies are location-based, while retention labels are item-based. If a question asks about applying a retention setting to a specific document, the answer is a label, not a policy.

Audit log retention: if a question mentions 'default' without license, it's 90 days.

eDiscovery features: if a question mentions 'predictive coding' or 'review sets', it's Premium.

DLP scope: if a question mentions 'block sharing in Teams', remember that DLP for Teams only covers messages, not files.

Compliance Manager: if a question asks about improving score, the answer is 'complete improvement actions' not 'create more policies'.

Key Takeaways

Retention policies apply to locations; retention labels apply to items.

Audit log default retention is 90 days; extend to 1 year with Audit (Premium).

eDiscovery (Standard) supports search and export; Premium adds predictive coding and review sets.

DLP policies can be applied to Exchange, SharePoint, OneDrive, Teams, and devices (E5).

Compliance Manager score is based on completed improvement actions, not policy count.

eDiscovery holds override retention policies to preserve data for legal cases.

Sensitivity labels can be auto-applied using trainable classifiers or sensitive info types.

Retention label as regulatory record is immutable and cannot be deleted by anyone.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Retention Policy

Applied automatically to entire locations (mailboxes, sites, etc.)

Cannot be applied to individual items by users

No manual user interaction required

Supports only one retention setting per location

Used for broad data lifecycle management

Retention Label

Applied manually by users or auto-applied via policies

Can be applied to individual items (documents, emails)

Requires user training or auto-classification rules

Multiple labels can coexist in a location

Used for granular classification and records management

Watch Out for These

Mistake: Retention policies can be applied to individual emails or documents.

Correct: Retention policies are applied to entire locations (mailbox, site) only. To apply retention to individual items, you must use retention labels (published via label policies).

Mistake: Audit logs are retained for 1 year by default.

Correct: The default retention for audit logs is 90 days. To retain logs for 1 year, you need Audit (Premium) licenses (E5 or add-on).

Mistake: eDiscovery (Standard) includes predictive coding and review sets.

Correct: Predictive coding and review sets are features of eDiscovery (Premium). eDiscovery (Standard) only supports content search and export.

Mistake: DLP policies in Teams cover files shared in chat.

Correct: DLP for Teams covers messages only. Files shared in Teams are stored in SharePoint and OneDrive, and DLP policies must be applied to those locations separately.

Mistake: Compliance Manager score increases automatically when you create policies.

Correct: The score increases only when you complete improvement actions (e.g., implement a policy, upload evidence). Simply creating a policy does not change the score.

Frequently Asked Questions

What is the difference between a retention policy and a retention label in Microsoft 365?

A retention policy is applied automatically to entire locations (e.g., all mailboxes in Exchange) and cannot be applied to individual items by users. A retention label is applied manually by users or automatically via auto-apply policies, and it can be applied to individual items (documents, emails). For example, you might use a retention policy to delete all emails older than 7 years in a mailbox, and a retention label to mark specific contracts as records that must be kept for 10 years.

How long are audit logs retained by default in Microsoft 365?

By default, audit logs are retained for 90 days. To retain logs for 1 year, you need Audit (Premium) licenses, which are included in Microsoft 365 E5 or available as an add-on. You can change the retention period in the Purview compliance portal under Audit > Audit retention policies.

What are the key features of eDiscovery (Premium) compared to Standard?

eDiscovery (Standard) allows you to search for content, place holds, and export results. eDiscovery (Premium) adds advanced features: predictive coding (machine learning to reduce review volume), review sets (with tagging and analytics), legal hold notifications, and processing of large data sets (up to 1 TB). For the exam, remember that predictive coding is a Premium-only feature.

How do I configure a DLP policy to block sharing of credit card numbers in Teams?

DLP for Teams covers messages only, not files. In the Purview compliance portal, create a DLP policy and select the Teams location. Choose the sensitive info type 'Credit Card Number'. Configure the action: 'Block people from sharing and restrict access' or 'Send notification'. Note that files shared in Teams are stored in SharePoint and OneDrive, so you must also apply DLP policies to those locations if you want to block file sharing.

What is Compliance Manager and how is the score calculated?

Compliance Manager is a dashboard in Microsoft Purview that helps you track your compliance posture. The score is calculated based on improvement actions (e.g., enabling multi-factor authentication, configuring retention policies). Each action has a point value. The score is the percentage of achieved points out of total possible points. Simply creating a policy does not increase the score; you must complete the action and upload evidence if required.

Can a retention label be used to delete items after a specific period?

Yes, a retention label can be configured to delete items after a retention period. When you create a label, you can choose 'Delete items automatically after a period' or 'Keep and delete' (keep for a period, then delete). You can also mark the label as a record to prevent deletion before the period ends. Regulatory records are immutable and cannot be deleted even by administrators.

How do I place a legal hold on a user's mailbox for eDiscovery?

In the Purview compliance portal, go to eDiscovery (Standard) > Cases > Create a case. Inside the case, go to 'Holds' and create a new hold. Select the locations (mailboxes, SharePoint sites, etc.). Specify the query (e.g., all content) and enable the hold. Once enabled, items in those locations are preserved even if retention policies would delete them. You can also use PowerShell: `New-CaseHoldRule -Name "Hold Rule" -Policy "Hold Policy" -ContentMatchQuery *`.
