MS-102 | Chapter 103 of 104 | Objective 3.3

Regulatory Compliance in Microsoft Purview

This chapter covers regulatory compliance in Microsoft Purview, a critical domain for the MS-102 exam. You will learn how to implement Information Protection, Data Loss Prevention (DLP), Records Management, Audit, and eDiscovery to meet regulatory requirements like GDPR, HIPAA, and SOX. Approximately 15-20% of MS-102 exam questions touch on compliance topics, making this a high-yield area. The chapter provides deep technical explanations, step-by-step workflows, and exam-focused insights to help you master objective 3.3.

25 min read
Intermediate
Updated May 31, 2026

Compliance as a Bank Vault

Imagine you are the security manager of a large bank. The bank has multiple vaults, each with its own access rules. Some vaults contain customer account records, others contain loan documents, and some hold internal audit reports. You must ensure that only authorized employees can access specific vaults, and you must keep a detailed log of every access attempt—successful or not—for regulatory auditors. Additionally, you need to automatically classify documents as they are placed into vaults based on their content (e.g., any document containing a social security number goes into the high-security vault). You also have to set retention policies: certain documents must be kept for exactly 7 years, then securely shredded. If a document contains sensitive information like a credit card number, you must automatically encrypt it. Microsoft Purview is this entire vault management system for Microsoft 365. Information Protection is the automatic classification and labeling of documents (like sorting documents into the right vault folders). Data Loss Prevention (DLP) is the guard at the vault door who checks if an employee is allowed to take a document out of the vault and if so, under what conditions (e.g., they can read but not print). Records Management is the retention and disposal schedule—like a timer that automatically shreds documents after the required period. Audit is the security camera that records every action. eDiscovery is the tool that allows auditors to quickly search all vaults for specific documents without opening every box. This analogy directly mirrors how Purview components work together to manage compliance across Exchange, SharePoint, OneDrive, Teams, and endpoints.

How It Actually Works

What is Regulatory Compliance in Microsoft Purview?

Regulatory compliance in Microsoft Purview refers to the suite of tools and services that help organizations meet legal, regulatory, and organizational standards for data protection, retention, and discovery. The core components, all managed from the Microsoft Purview portal (formerly the Microsoft 365 compliance center) or from Security & Compliance PowerShell, are:

- Microsoft Purview Information Protection (formerly Microsoft Information Protection, MIP): sensitive information types, sensitivity labels, and labeling policies.
- Data Loss Prevention (DLP): policies that detect and prevent accidental or intentional sharing of sensitive data.
- Records Management: retention labels, retention policies, and disposition review.
- Audit (Standard and Premium): logging of user and admin activities.
- eDiscovery (Standard and Premium): search, hold, and export of content for legal investigations.

These components work together to enforce data governance across Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and endpoints.

How Purview Compliance Works Internally

Sensitive Information Types (SITs) are the foundation. Microsoft ships more than 300 built-in SITs (e.g., Credit Card Number, U.S. Social Security Number). Each SIT is defined by one or more patterns: a primary element (a regular expression, a keyword list, or a validation function), optional supporting elements that must appear within a proximity window (300 characters by default), and a confidence level per pattern. Validation differs by type: the Credit Card Number SIT runs the Luhn checksum over the digit string, while the U.S. SSN SIT uses no checksum (SSNs have none) but a format-validation function that rejects invalid area numbers such as 000 and 666, plus nearby keywords such as "SSN" or "social security" to reach high confidence. Custom SITs are authored in the Purview portal or written as an XML rule package and uploaded with PowerShell.

Sensitivity labels are the primary classification tool. They are published to users through a label policy (manual or default labeling) or auto-applied based on SIT detection, either client-side in Office apps or service-side for content at rest in SharePoint and OneDrive and for mail in transit through Exchange. Labels can enforce encryption (Azure Rights Management, the protection service of Azure Information Protection), visual markings (header/footer/watermark), and container settings for sites and teams. When a label is applied, it stamps the item with metadata (the label GUID is written into the file and is readable by DLP and search) and optionally encrypts it with Azure RMS: the content is encrypted with a per-document symmetric (AES) key, and that key is protected by the tenant's asymmetric (RSA) root key, which is Microsoft-managed by default or customer-managed via BYOK in Azure Key Vault.

DLP policies are evaluated per workload. For Exchange Online, the policy is enforced in the transport pipeline during message submission: a transport agent inspects the subject, body, and attachments before delivery. For SharePoint and OneDrive, content is evaluated when a file is uploaded or modified (as part of indexing), not only when it is shared; a match can restrict access for external users, for everyone except the owner, or block sharing, and a policy tip appears in the document library. Teams chat and channel messages are inspected in near real time and a matching message is withheld from recipients. Endpoint DLP runs on onboarded Windows and macOS devices and audits or blocks actions such as copying to USB, printing, or uploading to an unsanctioned cloud domain. Rule actions can block access, notify users (policy tips and email), generate incident reports and alerts, and allow business-justification overrides.

Retention is enforced by the service, not by a timer stored in the item. When a retention label or policy applies, the expiration date is calculated from the trigger you choose (creation date, last modified date, date labeled, or an event) plus the retention period. During the retention period users can still delete items from their own view, but a copy is preserved (in the Recoverable Items folder for Exchange, in the Preservation Hold library for SharePoint and OneDrive) until the period ends. After expiry a background job deletes the item (it can take up to seven days to act) or, if the label requires it, routes the item to disposition review.

Audit logging captures events from Exchange, SharePoint, OneDrive, Teams, Microsoft Entra ID (formerly Azure AD), and other workloads into the Unified Audit Log (UAL), which is searched from the Purview portal or with the Search-UnifiedAuditLog cmdlet. Audit (Standard) records are retained for 180 days (raised from 90 days in late 2023; older exam material still quotes 90). Audit (Premium) retains records for one year by default and lets you create audit retention policies; the 10-Year Audit Log Retention add-on extends that to ten years.

eDiscovery uses content search to query mailboxes, SharePoint sites, OneDrive locations, and Teams. An eDiscovery hold belongs to a case and preserves content in place: deleted or edited items are kept in Recoverable Items or the Preservation Hold library and version cleanup is suspended. (A Litigation Hold is a different, mailbox-level Exchange setting that is not tied to a case.) eDiscovery (Premium) adds custodian management, review sets, and machine learning features such as relevance scoring and predictive coding.

Key Components, Values, Defaults, and Timers

Sensitive Information Types: More than 300 built-in. Confidence levels: Low (65), Medium (75), High (85).

Sensitivity Labels: Can encrypt using Azure RMS with permissions you assign in the label, or let users choose at apply time (Do Not Forward or Encrypt-Only in Outlook; custom permissions in Office apps). There is no preset default template; each label carries its own rights definition.

DLP Policy Priority: Policies and rules each carry a numeric priority starting at 0 (0 is highest; the first one created gets 0). All matching rules are evaluated and the most restrictive action wins, unless a matched rule is configured to stop processing more rules.

Retention Period: Specified in days, months, or years, or unlimited (retain forever). The creation wizard pre-fills 7 years.

Audit Retention: Standard 180 days (90 days before late 2023); Premium 1 year; up to 10 years with the 10-Year Audit Log Retention add-on.

eDiscovery Hold: Holds remain in force until released. Maximum of 10,000 case holds per organization; a single hold covers up to 1,000 mailboxes and 100 sites.

Auto-labeling policies: Service-side auto-labeling can label up to 1 million files per day across the tenant. Policies start in simulation mode; each rule's SIT condition carries an instance count (default 1 to any), and there is no minimum number of sensitive items a policy must find before it runs.

Configuration and Verification Commands

Custom SITs are defined in an XML rule package and uploaded with New-DlpSensitiveInformationTypeRulePackage (New-DlpSensitiveInformationType, which the original draft used, creates document-fingerprint SITs and does not take a regex). The following, run from a Connect-IPPSSession session, uploads a rule package that detects employee IDs such as EMP-12345 at confidence 85 when a keyword appears within 300 characters; the byte encoding handed to -FileData must match the XML declaration:

$packId, $entityId = [guid]::NewGuid().Guid, [guid]::NewGuid().Guid   # fresh GUIDs for pack and entity
$rulePack = @"
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$packId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$([guid]::NewGuid().Guid)"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso</PublisherName>
        <Name>Contoso Employee ID Pack</Name>
        <Description>Custom SIT for employee IDs</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_EmployeeId"/>
        <Match idRef="Keyword_EmployeeId"/>   <!-- supporting keyword within 300 chars -->
      </Pattern>
    </Entity>
    <Regex id="Regex_EmployeeId">EMP-\d{5}</Regex>
    <Keyword id="Keyword_EmployeeId"><Group matchStyle="word"><Term>employee id</Term><Term>emp id</Term></Group></Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Employee ID</Name>
        <Description default="true" langcode="en-us">Detects Contoso employee IDs</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.Text.Encoding]::UTF8.GetBytes($rulePack))
Get-DlpSensitiveInformationType -Identity "Employee ID"   # verify the new SIT is visible to DLP and labeling

To create a DLP policy in test mode, add a rule that blocks external sharing of credit card numbers, then switch to enforcement (the condition parameter is -ContentContainsSensitiveInformation; there is no -SensitiveInformationNames):

New-DlpCompliancePolicy -Name "PII Policy" -Comment "Blocks PII sharing" -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All -Mode TestWithNotifications
New-DlpComplianceRule -Name "Block Credit Card" -Policy "PII Policy" -ContentContainsSensitiveInformation @(@{Name="Credit Card Number"; minCount="1"; confidencelevel="85"}) -AccessScope NotInOrganization -BlockAccess $true -NotifyUser LastModifier,Owner -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High
Set-DlpCompliancePolicy -Identity "PII Policy" -Mode Enable   # enforce only after reviewing matches from test mode
Get-DlpComplianceRule -Policy "PII Policy" | Format-List Name,Priority,BlockAccess,AccessScope   # verify

To search audit logs:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Operations "MailboxLogin", "FileAccessed" -ResultSize 1000

Interaction with Related Technologies

Purview compliance integrates with:

- Microsoft Entra ID (formerly Azure AD): user identity and group membership for policy scoping, including adaptive scopes.
- Microsoft Defender XDR (formerly Microsoft 365 Defender) and Defender for Cloud Apps: DLP alerts surface in the Defender portal, and Cloud Apps file policies can apply sensitivity labels and enforce DLP conditions on connected SaaS apps.
- Information Rights Management (IRM): sensitivity labels apply Azure RMS encryption.
- Microsoft Teams: DLP policies can be applied to Teams chat and channel messages (requires E5 or E5 Compliance licensing).
- Endpoint DLP: extends DLP to onboarded Windows 10/11 and macOS devices through the Defender for Endpoint sensor; it is not delivered by Microsoft 365 Apps for Enterprise.

Exam-Relevant Details

The MS-102 exam specifically tests:

The difference between retention labels and retention policies.

How auto-labeling works with sensitive information types.

The default retention period for audit logs.

The concept of "double key encryption" for sensitivity labels.

The use of eDiscovery holds and how they differ from retention policies.

The ability to apply DLP to Teams chat (requires E5 or E5 Compliance licensing).

Walk-Through

1

Identify Sensitive Data Types

Start by determining what data your organization needs to protect. In the Purview portal, under Data classification (Classifiers > Sensitive info types), browse the built-in types (e.g., Credit Card Number, U.S. Social Security Number). For custom needs, create your own SIT in the portal or with PowerShell. Define a pattern with a primary element (regex, keyword list, or function), optional supporting elements, and a confidence level. For example, to detect employee IDs like 'EMP-12345', use the regex `EMP-\d{5}` as the primary element, add supporting keywords such as 'employee id', and set the pattern's confidence to 85. Test the SIT against sample text in the portal before relying on it. This step is crucial because SITs are the foundation for auto-labeling, DLP, and auto-apply retention.

2

Create and Publish Sensitivity Labels

In the Purview portal under Information protection > Labels, create labels with encryption, content marking, and (optionally) client-side auto-labeling conditions. For instance, create a label called 'Confidential - Financial' that encrypts documents for the finance group and applies the header 'CONFIDENTIAL'. Publish the label to users via a label policy. Separately, a service-side auto-labeling policy scans SharePoint, OneDrive, and Exchange for SITs and applies the label with no user action. It starts in simulation mode so you can review matches before turning it on; once enabled it labels new and modified files and works through existing files over time rather than in a single pass, and it is capped at 1 million files per day across the tenant.
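The same step in Security & Compliance PowerShell, as an added example that is not code from the original page: it creates the encrypting, header-marking label, publishes it, and then creates a service-side auto-labeling policy in simulation mode that targets high-confidence credit card matches. The groups Finance@contoso.com and FinanceAdmins@contoso.com, the policy names, and the tenant are assumptions.

```powershell
# Added example: sensitivity label + label policy + service-side auto-labeling.
# Finance@contoso.com / FinanceAdmins@contoso.com and all names are assumptions.
Connect-IPPSSession

# 1. Label with Azure RMS encryption and a header marking.
#    Rights string format: principal:RIGHT,RIGHT;principal:RIGHT (OWNER = full control).
New-Label -Name "Confidential-Financial" -DisplayName "Confidential - Financial" `
    -Tooltip "Financial records: encrypted, header applied" `
    -ContentType "File, Email" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "Finance@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD;FinanceAdmins@contoso.com:OWNER" `
    -EncryptionOfflineAccessDays 7 `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "CONFIDENTIAL" `
    -ApplyContentMarkingHeaderFontSize 10

# 2. Publish the label so it appears in Office apps and Outlook.
New-LabelPolicy -Name "Finance label policy" -Labels "Confidential-Financial" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All

# 3. Service-side auto-labeling in simulation mode: nothing is labeled until Mode=Enable.
New-AutoSensitivityLabelPolicy -Name "Auto-label credit cards" `
    -ApplySensitivityLabel "Confidential-Financial" `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Name "Credit card high confidence" -Policy "Auto-label credit cards" `
    -ContentContainsSensitiveInformation @(@{Name="Credit Card Number"; minCount="1"; confidencelevel="85"})

# 4. Verify, review simulation results in the portal, then enforce.
Get-AutoSensitivityLabelPolicy -Identity "Auto-label credit cards" | Format-List Name,Mode,ApplySensitivityLabel
Set-AutoSensitivityLabelPolicy -Identity "Auto-label credit cards" -Mode Enable
```

Leave the policy in TestWithoutNotifications until the simulation report shows the expected files and no obvious false positives; switching Mode to Enable is what actually writes labels (and therefore encryption) onto content, and encryption applied by mistake is far harder to unwind than a missed label.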

3

Configure DLP Policies

DLP policies are created in the Purview portal under Data loss prevention. Define the policy scope (Exchange, SharePoint, OneDrive, Teams, devices) and set rules. For example, a rule might block sharing of credit card numbers with people outside the organization. When a rule matches, the user gets a policy tip (in Outlook, Office apps, and Teams) and the configured action runs. Rules are evaluated in priority order (0 is highest); every matching rule is processed and the most restrictive action wins, unless a matched rule is configured to stop processing more rules. Run new policies in test mode (with or without policy tips) and review the DLP reports before switching to enforcement.
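An added example, not code from the original page, showing how rule priority, "stop processing", overrides and exceptions combine in one policy: a high-volume external share is hard-blocked and halts further evaluation, while a low-volume share is blocked but can be overridden with a justification and skips password-protected files (which DLP cannot inspect). The policy and rule names and the alert mailbox dlp-alerts@contoso.com are assumptions.

```powershell
# Added example: two prioritized DLP rules in one policy, test mode first.
# Names and dlp-alerts@contoso.com are assumptions.
Connect-IPPSSession

# Policy starts in test mode with policy tips so users see the tip before anything is blocked.
New-DlpCompliancePolicy -Name "Financial data policy" -Comment "Credit cards shared externally" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule priority 0 (highest): 10+ high-confidence matches going outside the org ->
# block for everyone, no override, high-severity alert, and stop evaluating further rules.
New-DlpComplianceRule -Name "High volume external" -Policy "Financial data policy" -Priority 0 `
    -ContentContainsSensitiveInformation @(@{Name="Credit Card Number"; minCount="10"; confidencelevel="85"}) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier,Owner -NotifyPolicyTipCustomText "External sharing of card data is blocked." `
    -GenerateIncidentReport "dlp-alerts@contoso.com" -IncidentReportContent All -ReportSeverityLevel High `
    -StopPolicyProcessing $true

# Rule priority 1: 1-9 matches -> block, but allow override with a business justification;
# password-protected files are excluded because their content cannot be scanned.
New-DlpComplianceRule -Name "Low volume external" -Policy "Financial data policy" -Priority 1 `
    -ContentContainsSensitiveInformation @(@{Name="Credit Card Number"; minCount="1"; maxCount="9"; confidencelevel="85"}) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyAllowOverride WithJustification `
    -NotifyUser LastModifier,Owner `
    -ExceptIfDocumentIsPasswordProtected $true `
    -GenerateIncidentReport "dlp-alerts@contoso.com" -ReportSeverityLevel Medium

# Review the effective order: lower Priority number is evaluated first; all matches are
# processed and the most restrictive action wins unless a matched rule stops processing.
Get-DlpComplianceRule -Policy "Financial data policy" |
    Sort-Object Priority |
    Format-Table Name,Priority,BlockAccess,NotifyAllowOverride,StopPolicyProcessing

# Enforce only after the DLP activity reports from test mode look right.
Set-DlpCompliancePolicy -Identity "Financial data policy" -Mode Enable
```

Note that a password-protected attachment is exactly the kind of file an insider uses to get data past DLP; the exception above keeps the low-volume rule quiet about them, so pair it with a separate rule that flags unscannable attachments (the DocumentIsPasswordProtected condition) rather than silently letting them through.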

4

Set Up Retention Labels and Policies

In the Purview portal go to Records management > File plan (or Data lifecycle management > Labels). Create retention labels that specify how long to keep content (e.g., 7 years) and what happens after (delete, keep, or disposition review). Publish labels via a retention label policy so users can apply them, or auto-apply them based on SITs, keywords, or trainable classifiers. Retention policies, by contrast, apply to whole locations (e.g., all SharePoint sites) with no user action. When an item is covered by both, the principles of retention decide the outcome: retention wins over deletion, the longest retention period wins, an explicitly applied label wins over an implicit policy, and among competing deletions the shortest period wins.
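The retention step as an added PowerShell example (not code from the original page): a 7-year label with disposition review, published for manual use and auto-applied on credit card matches, alongside a 3-year location-level policy so the interaction between the two is concrete. The reviewer address records@contoso.com, the policy names, and the 3-year baseline are assumptions.

```powershell
# Added example: retention label (publish + auto-apply) next to a location-level policy.
# records@contoso.com and all names are assumptions.
Connect-IPPSSession

# 1. Label: keep 7 years (2555 days) from last modification, then disposition review.
New-ComplianceTag -Name "Financial Record" -Comment "SOX: keep 7 years" `
    -RetentionAction KeepAndDelete -RetentionDuration 2555 -RetentionType ModificationAgeInDays `
    -ReviewerEmail "records@contoso.com"

# 2. Publish the label so users can apply it in Outlook, SharePoint and OneDrive.
New-RetentionCompliancePolicy -Name "Publish financial label" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Publish Financial Record" -Policy "Publish financial label" `
    -PublishComplianceTag "Financial Record"

# 3. Auto-apply the same label wherever a credit card number is detected.
New-RetentionCompliancePolicy -Name "Auto-apply financial label" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Auto-apply on card numbers" -Policy "Auto-apply financial label" `
    -ApplyComplianceTag "Financial Record" `
    -ContentContainsSensitiveInformation @(@{Name="Credit Card Number"; minCount="1"; confidencelevel="85"})

# 4. Location-level policy with no label: keep all SharePoint content 3 years (1095 days)
#    from creation, then delete. An item that also carries the 7-year label is kept 7 years:
#    retention wins over deletion, and the longest retention period wins.
New-RetentionCompliancePolicy -Name "SharePoint baseline 3y" -SharePointLocation All
New-RetentionComplianceRule -Name "SharePoint baseline 3y rule" -Policy "SharePoint baseline 3y" `
    -RetentionDuration 1095 -RetentionComplianceAction KeepAndDelete -ExpirationDateOption CreationAgeInDays

# Verify the label settings and that the policies have actually been distributed.
Get-ComplianceTag -Identity "Financial Record" |
    Format-List Name,RetentionAction,RetentionDuration,RetentionType,ReviewerEmail
Get-RetentionCompliancePolicy -DistributionDetail | Format-Table Name,Enabled,DistributionStatus
```

DistributionStatus is the field to watch: a policy that shows Pending or Error is not protecting anything yet, and this is the usual reason a "7-year" item turns out to be deletable during an audit.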

5

Enable and Search Audit Logs

Ensure audit logging is enabled (it is on by default for all Microsoft 365 tenants, not only E5; verify with Get-AdminAuditLogConfig). In the Purview portal under Audit, search for specific activities such as 'FileDeleted' or 'MailboxLogin'. For retention beyond 180 days you need Audit (Premium) or the 10-year add-on. Export results as CSV for further analysis, and use PowerShell (`Search-UnifiedAuditLog`) to automate searches; the cmdlet returns at most 5,000 records per call, so page through larger result sets with a session ID. Audit logs are critical for compliance reporting and forensic investigations.
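An added example, not code from the original page, of the audit search a practitioner actually runs: check the ingestion switch, page through Search-UnifiedAuditLog with a session ID so results past the 5,000-record limit are not silently dropped, deduplicate, flatten the AuditData JSON into columns, and export. The 30-day window, the operations list, and the output path are assumptions.

```powershell
# Added example: paged, deduplicated unified audit log search exported to CSV.
# Window, operation list and output path are assumptions.
Connect-ExchangeOnline   # Search-UnifiedAuditLog lives in Exchange Online PowerShell

# Auditing is on by default; this is the switch to verify (and restore) it.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$start     = (Get-Date).AddDays(-30)
$end       = Get-Date
$sessionId = "purview-review-" + [guid]::NewGuid().Guid   # must be unique per paging session
$ops       = "SharingInvitationCreated", "AnonymousLinkCreated", "MailItemsAccessed", "FileDeleted"
$all       = New-Object System.Collections.Generic.List[object]

# ReturnLargeSet pages 5,000 records per call and returns nothing once the set is exhausted.
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $all.AddRange([object[]]$page) }
} while ($page)

# Large-set paging can repeat records; Identity is unique per audit record.
$unique = $all | Sort-Object Identity -Unique

# AuditData is a JSON string; parsing it exposes the workload-specific fields.
$rows = foreach ($r in $unique) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        Workload  = $d.Workload
        ClientIP  = $d.ClientIP
        Object    = $d.ObjectId
        Target    = $d.TargetUserOrGroupName   # populated for sharing events only
    }
}
$rows | Sort-Object Time | Export-Csv -Path "C:\audit\purview-last30d.csv" -NoTypeInformation
"Exported $($rows.Count) records between $start and $end"
```

Keep the raw AuditData alongside the flattened columns if the export is for an investigation; the flattened view is convenient for triage, but the JSON is the record that auditors and legal will ask for.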

6

Create eDiscovery Cases and Holds

In the Purview portal under eDiscovery, create a case for a legal or HR investigation. Add custodians and place holds on their mailboxes, SharePoint sites, and OneDrive accounts. Holds preserve content in place until released; users can still delete from their own view, but the content is retained and remains searchable. Use content search within the case to find relevant data. For large cases, use eDiscovery (Premium) with review sets and machine learning to cull documents. Export search results as PST or native files. eDiscovery holds are separate from retention policies and can coexist.
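The eDiscovery step in Security & Compliance PowerShell, as an added example that is not code from the original page: create a case, hold one custodian's mailbox and OneDrive with a query-scoped hold, run a search inside the case, start an export, and confirm the hold was actually distributed. The case name HR-2026-017, the custodian jdoe@contoso.com, the OneDrive URL, and the search terms are assumptions.

```powershell
# Added example: eDiscovery (Standard) case, query-scoped hold, search, export, verification.
# Case name, custodian, OneDrive URL and search terms are assumptions.
Connect-IPPSSession

$case     = "HR-2026-017"
$mailbox  = "jdoe@contoso.com"
$oneDrive = "https://contoso-my.sharepoint.com/personal/jdoe_contoso_com"

New-ComplianceCase -Name $case -Description "Internal investigation, HR matter"

# Hold: preserves matching content in place (Recoverable Items / Preservation Hold library)
# even where a retention policy would otherwise delete it. The query narrows the hold;
# omit the rule's -ContentMatchQuery to hold everything in the locations.
New-CaseHoldPolicy -Name "$case hold" -Case $case -Enabled $true `
    -ExchangeLocation $mailbox -SharePointLocation $oneDrive
New-CaseHoldRule -Name "$case hold rule" -Policy "$case hold" `
    -ContentMatchQuery '"Project Falcon" OR severance'

# Search within the case (KQL), then poll until it completes.
New-ComplianceSearch -Name "$case search" -Case $case `
    -ExchangeLocation $mailbox -SharePointLocation $oneDrive `
    -ContentMatchQuery '("Project Falcon" OR severance) AND sent>=2026-01-01'
Start-ComplianceSearch -Identity "$case search"
do {
    Start-Sleep -Seconds 15
    $s = Get-ComplianceSearch -Identity "$case search"
} while ($s.Status -ne "Completed")
"Search found $($s.Items) items, $($s.Size) bytes"

# Export: one PST per mailbox, native files for SharePoint; download via the portal's export tool.
New-ComplianceSearchAction -SearchName "$case search" -Export -Format FxStream -ExchangeArchiveFormat PerUserPst

# A hold protects nothing until it is distributed; check before relying on it.
Get-CaseHoldPolicy -Identity "$case hold" -DistributionDetail | Format-List Name,Enabled,DistributionStatus
```

The order matters: create the hold before the search, so that anything the custodian deletes between learning of the investigation and the search completing is still preserved.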

What This Looks Like on the Job

Enterprise Scenario 1: Financial Services Compliance

A large bank must comply with SOX (Sarbanes-Oxley) and PCI DSS. They use Purview to automatically classify any document containing credit card numbers or financial statements. They create custom SITs for account numbers. Sensitivity labels enforce encryption on all documents containing PII. DLP policies block any email containing credit card numbers from being sent outside the organization. Retention labels keep financial records for 7 years, then automatically delete them. Audit logs are retained for 1 year (Premium) to meet regulatory requirements. eDiscovery cases are used for internal investigations. The bank deploys Endpoint DLP on all employee laptops to prevent sensitive data from being copied to USB drives. Common issues include false positives from DLP policies (e.g., blocking legitimate card-processing mail in the payments team) and the time auto-labeling takes to work through very large SharePoint tenants. They mitigate by running policies in test mode first and scoping them to specific sites and groups.

Enterprise Scenario 2: Healthcare Provider

A hospital must comply with HIPAA. They use Purview to protect electronic protected health information (ePHI). Built-in SITs for medical terms and patient IDs are used. Sensitivity labels mark all medical records as 'Highly Confidential' with encryption. DLP policies prevent sharing of patient data in Teams chats and emails. Retention policies keep medical records for 6 years (state requirement). Audit logs track access to patient records. eDiscovery holds are placed on terminated employees' mailboxes. The hospital also uses communication compliance to detect inappropriate patient data sharing. Challenges include managing retention across different state laws and ensuring that auto-labeling does not miss newly created documents. They use adaptive scoping to apply policies only to departments handling ePHI.

Enterprise Scenario 3: Multinational Corporation

A global company must comply with GDPR and local data residency laws. They use Purview to classify personal data across regions. Sensitivity labels include geographic scoping (e.g., 'EU Personal Data'). DLP policies block cross-border transfers of EU residents' personal data. Retention policies support GDPR's storage-limitation and erasure obligations by capping retention at 5 years, a limit the company chose rather than one GDPR prescribes. Audit logs are searched regularly when handling data subject access requests (DSARs). eDiscovery cases are used to locate a data subject's content and respond within GDPR's one-month window. The company uses double key encryption for highly sensitive data. Performance considerations include the high volume of audit log events (millions per day) and the need to index large amounts of data for eDiscovery. They use audit log retention policies to control how long each record type is kept and narrow eDiscovery searches by date range and location.

How MS-102 Actually Tests This

What MS-102 Tests on This Topic

The MS-102 exam objective 3.3 focuses on implementing and managing regulatory compliance solutions using Microsoft Purview. Key sub-objectives include:

Configure and manage sensitivity labels and policies.

Implement DLP policies and respond to DLP alerts.

Manage retention labels and policies.

Configure audit and eDiscovery.

Common Wrong Answers and Why Candidates Choose Them

1.

Confusing retention labels with retention policies: Many candidates think retention labels are the same as retention policies. Wrong. Labels are applied to individual items (manually or auto-applied) and travel with the item. Policies are applied at the location level (e.g., all SharePoint sites) and do not move with content. The exam tests this distinction.

2.

Assuming DLP policies apply to all workloads by default: Candidates often choose an answer that says DLP works for Teams chat without additional licensing. Actually, DLP for Teams requires Microsoft Teams DLP licensing (E5 or add-on). The exam may present a scenario where DLP is not blocking Teams messages, and the correct answer is to enable Teams DLP licensing.

3.

Mixing up Audit Standard and Premium retention: Standard is 180 days (it was 90 days until late 2023, and older study material still says 90); Premium is 1 year, extendable to 10 years with the add-on. If a question asks how long audit logs are retained for E3 tenants, the current answer is 180 days; treat 90 days as the legacy value and read the answer choices for which one the question is built around.

4.

Believing eDiscovery holds and retention policies are redundant: Candidates think if a retention policy exists, an eDiscovery hold is unnecessary. Wrong. eDiscovery holds are litigation-specific and preserve content even if a retention policy would delete it. They are independent.

Specific Numbers and Terms Appearing on the Exam

Default retention for audit logs: 180 days (Standard; 90 days before late 2023).

Maximum retention for Premium Audit: 1 year (or 10 years with add-on).

Auto-labeling scan limit: 1 million items per day.

DLP policy priority: numeric, starting at 0, and 0 is highest.

Sensitivity label encryption: uses Azure RMS.

eDiscovery hold maximum: 10,000 per organization.

Edge Cases and Exceptions

Double key encryption: Requires a separate key management solution. The exam may ask when to use it (e.g., when the organization wants to control the key separate from Microsoft).

Retention for Teams: Retention policies apply to private messages (1:1 chat) and channel messages. But retention labels cannot be applied to Teams messages directly—only to files shared in Teams.

DLP for on-premises: DLP can be extended to on-premises file shares and SharePoint Server via the Microsoft Purview Information Protection scanner (not Defender for Cloud Apps, which governs SaaS apps).

How to Eliminate Wrong Answers

If a question asks about preventing users from sending credit card numbers via email, the answer must involve a DLP policy scoped to Exchange Online.

If a question asks about preserving content for a lawsuit, the answer is eDiscovery hold, not a retention policy.

If a question asks about automatic classification based on content, the answer is auto-labeling with sensitive information types.

Always check the licensing: E3 vs E5 affects audit retention and Teams DLP.

Key Takeaways

Microsoft Purview integrates Information Protection, DLP, Records Management, Audit, and eDiscovery for end-to-end compliance.

Sensitive Information Types (SITs) are pattern definitions (regex, keywords, validation functions, checksums) with confidence levels (65, 75, 85).

Sensitivity labels can enforce encryption via Azure RMS and can be auto-applied using auto-labeling policies.

DLP rules are evaluated in priority order (0 is highest; the most restrictive action wins unless a matched rule stops processing), and policies can run in test mode before enforcement.

Retention labels are item-level; retention policies are location-level. When both apply, retention beats deletion and the longest retention period wins.

Standard Audit retains logs for 180 days; Premium Audit retains for 1 year (up to 10 with the add-on).

eDiscovery holds preserve content indefinitely for legal cases and are separate from retention policies.

DLP for Teams requires E5 or E5 Compliance licensing.

Auto-labeling policies can scan up to 1 million items per day per tenant.

Double key encryption allows organizations to control their own encryption key separate from Microsoft.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Retention Labels

Applied to individual items (documents, emails).

Travel with the item if moved.

Can be auto-applied based on SITs.

Support disposal review.

Can be used for records management.

Retention Policies

Applied to locations (mailboxes, sites).

Do not travel with items.

Cannot be auto-applied based on content.

Do not support disposal review.

Used for organization-wide retention.

Audit Standard

180-day retention (90 days before late 2023).

Logs all basic events.

Included with E3.

Default Management Activity API bandwidth.

Search in the portal and with Search-UnifiedAuditLog.

Audit Premium

1-year retention (up to 10 years with add-on).

Logs high-value events (e.g., mailbox access).

Requires E5 or add-on.

Higher Management Activity API bandwidth.

Advanced search and export.

DLP for Exchange

Inspects email messages and attachments.

Enforced during transport.

Policy tips in Outlook.

No additional licensing.

Supports incident reports.

DLP for Teams

Inspects chat and channel messages.

Enforced in real-time.

Policy tips in Teams.

Requires E5 or E5 Compliance licensing.

Supports end-user notifications.

Watch Out for These

Mistake

Retention labels and retention policies are the same thing.

Correct

Retention labels are applied to individual items (manually or automatically) and travel with the item. Retention policies are applied to locations (e.g., all mailboxes) and do not move with content. When both apply, the principles of retention decide: retention wins over deletion, the longest retention wins, and an explicit label beats an implicit policy.

Mistake

DLP policies automatically apply to Teams chat without extra licensing.

Correct

DLP for Teams chat and channel messages requires E5 or E5 Compliance licensing. DLP for Exchange, SharePoint, and OneDrive is included from E3 upward.

Mistake

Audit (Standard) logs are still retained for 90 days.

Correct

Since late 2023 Audit (Standard) retains records for 180 days (90 days was the earlier limit). Audit (Premium) extends to 1 year, and the 10-Year Audit Log Retention add-on allows up to 10 years.

Mistake

eDiscovery holds are unnecessary if you have retention policies.

Correct

eDiscovery holds are litigation-specific and prevent content from being deleted even if a retention policy would delete it. They are independent and can coexist.

Mistake

Sensitivity labels can only be applied manually by users.

Correct

Sensitivity labels can be auto-applied based on sensitive information types or by default label policies. Auto-labeling scans content and applies labels automatically.


Frequently Asked Questions

What is the difference between a retention label and a retention policy?

A retention label is applied to individual items (documents, emails) and travels with the item if moved or copied. A retention policy is applied to a location (e.g., all mailboxes in an organization) and does not move with items. Labels can be auto-applied based on sensitive information types, keywords, or trainable classifiers, while policies cover everything in the location. If both apply, the principles of retention decide: retention wins over deletion, the longest retention period wins, and an explicitly applied label takes precedence over an implicit policy.

How long are audit logs retained in Microsoft 365?

Audit (Standard) logs are retained for 180 days (90 days before late 2023). With Audit (Premium) (E5 or add-on), retention is extended to 1 year, and audit retention policies let you set different periods per record type or user. The 10-Year Audit Log Retention add-on allows records to be kept for up to 10 years.

Can I apply DLP policies to Microsoft Teams chat?

Yes, but it requires E5 or E5 Compliance licensing. DLP for Exchange, SharePoint, and OneDrive is available from E3. For Teams, select the "Teams chat and channel messages" location when scoping the policy. The policy can detect sensitive information in chat and channel messages and block the message or notify users.

What is the difference between eDiscovery hold and retention policy?

An eDiscovery hold is used to preserve content for legal investigations. It prevents deletion and version cleanup for specific custodians or content. A retention policy is used for general compliance (e.g., keep emails for 7 years). Holds are indefinite until released, while policies have a fixed duration. They can coexist: a hold will override a policy's deletion action.

How do I create a custom sensitive information type?

You can create custom SITs using the Compliance Center or PowerShell. Define a pattern with a regular expression, optional keywords, and a confidence level (65-85). For example, to detect employee IDs like 'EMP-12345', use regex `EMP-\d{5}`. You can also use proximity and checksum validation. The custom SIT can then be used in auto-labeling and DLP policies.

What is double key encryption in Microsoft Purview?

Double key encryption (DKE) is a feature that allows organizations to use their own encryption key stored in a separate key management system (e.g., on-premises HSM). Microsoft cannot access the key. This is used for highly sensitive data where regulatory compliance requires the organization to maintain sole control over encryption keys. DKE is configured via sensitivity labels.

How do I respond to a DLP alert?

DLP alerts appear in the Purview portal under Data loss prevention > Alerts (and in the Microsoft Defender portal). You can view the incident, see the policy and rule that triggered it, and the matched content. Actions include setting the alert's status, marking it a false positive, or escalating for investigation. You can also configure automated responses in the rule, such as sending incident reports to a compliance mailbox with a chosen severity.
