This chapter covers Microsoft 365 compliance capabilities that help organizations meet regulatory requirements, protect sensitive data, and respond to legal investigations. For the MS-900 exam, compliance questions typically account for 10-15% of the total, focusing on the purpose and high-level capabilities of each tool rather than deep configuration. You must understand the differences between Microsoft Purview solutions, including Data Loss Prevention, sensitivity labels, eDiscovery, and Compliance Manager, and know which tool applies to which scenario.
Think of Microsoft 365 compliance as a team of building inspectors working for a large office complex. The complex (your tenant) has many floors, rooms, and occupants (users and their data). The inspectors enforce building codes (regulatory requirements) and safety rules (company policies). They use blueprints (sensitivity labels) to mark which rooms are for public use, which are confidential, and which are top-secret. They install cameras and log books (audit logs and activity reports) at every door to record who enters and when. They have a fire suppression system (Data Loss Prevention) that automatically triggers sprinklers if sensitive documents try to leave the building via unauthorized exits (email, USB, cloud upload). They also have a quarantine room (eDiscovery holds) where they can freeze all documents related to a lawsuit, preventing anyone from altering or deleting them. Just as inspectors need to know the exact location of every fire extinguisher and exit, compliance administrators must know where sensitive data lives, how it flows, and who accesses it. The inspectors don't prevent all accidents, but they ensure the building meets code and can prove compliance after an incident.
What is Microsoft 365 Compliance?
Microsoft 365 compliance refers to the set of tools and services within Microsoft Purview that help organizations govern their data, protect sensitive information, and meet regulatory obligations. The exam focuses on understanding the purpose of each solution, not detailed configuration steps. The key areas are: Data Loss Prevention (DLP), sensitivity labels and label policies, eDiscovery, Compliance Manager, and records management.
Data Loss Prevention (DLP)
DLP detects and prevents accidental or intentional sharing of sensitive information. It works by scanning content for sensitive data types (e.g., credit card numbers, Social Security numbers, passport numbers) and applying rules to block or warn when such data is shared via email, Teams, SharePoint, or OneDrive. DLP policies are created in the Microsoft Purview compliance portal and can be scoped to specific locations, users, or groups. Key components:
- Sensitive info types: Built-in (over 200) and custom types defined via pattern matching.
- Actions: Block, warn, or allow with justification.
- Conditions: Content contains, context (e.g., shared externally), or amount of sensitive data.
- Policy tips: Notifications in Outlook or Teams that educate users about policy violations.
Sensitivity Labels
Sensitivity labels allow you to classify and protect data based on its sensitivity level. Labels are applied manually by users or automatically via auto-labeling policies. They persist with the document, even when it leaves Microsoft 365 (e.g., saved to desktop or emailed). Labels can enforce encryption, visual markings (headers/footers/watermarks), and access restrictions. For exam purposes, remember that sensitivity labels are the primary tool for data classification and protection, while DLP focuses on preventing data exfiltration.
eDiscovery
Microsoft Purview eDiscovery provides tools to identify, preserve, collect, and export data relevant to legal or internal investigations. Two tiers exist:
- eDiscovery (Standard): Case management, content search, and legal holds.
- eDiscovery (Premium): Everything in Standard plus custodian management, review sets, and analytics (near-duplicate detection, email threading, and machine-learning relevance scoring).
Key features:
- Content search: Search across Exchange, SharePoint, OneDrive, Teams, and more.
- Legal hold: Preserve content in place, preventing deletion or modification.
- Review sets (Premium): Copy search results into a static working set so they can be tagged, analyzed, and reviewed without the underlying content changing.
Compliance Manager
Compliance Manager helps organizations assess their compliance posture against regulatory frameworks (e.g., GDPR, HIPAA, ISO 27001). It provides:
- Assessments: Pre-built templates for regulations.
- Actions: Improvement actions with implementation status.
- Score: Compliance score (0-100%) based on completed actions.
The exam expects you to know that Compliance Manager is a tool for tracking and reporting compliance activities, not for enforcement.
Records Management
Records management allows organizations to manage data retention and disposal through retention labels and policies. Retention labels can be applied automatically or manually and enforce retention or deletion after a specified period. Records management also supports disposition reviews and event-based retention.
Interaction Between Tools
Sensitivity labels classify data; DLP rules can use the presence of a label as a condition (for example, block external sharing of anything labeled Highly Confidential) in addition to matching sensitive info types.
eDiscovery can place a hold on content that also carries retention labels or policies; the hold takes precedence, so held content is preserved even after its retention period would otherwise have deleted it.
Compliance Manager tracks the implementation of DLP, sensitivity labels, and other controls.
Default Values and Limits
Maximum DLP policy rules per tenant: 500
Maximum sensitivity labels per tenant: 500
Maximum retention labels per tenant: 1,000
eDiscovery (Standard) search results limit: 150 GB per export
Compliance Manager free tier includes assessments for Microsoft 365, Azure, and Dynamics 365.
Service limits change over time; confirm any of these values against Microsoft's current documentation before using them in production planning.
Configuration and Verification
While the exam does not require command-line configuration, you should know how to access these tools:
Microsoft Purview compliance portal: https://compliance.microsoft.com (this address now redirects to the newer Microsoft Purview portal; the solutions are the same).
PowerShell module: ExchangeOnlineManagement. Connect-IPPSSession opens a Security & Compliance PowerShell session, which is where the DLP, sensitivity label, retention, and eDiscovery cmdlets live; Connect-ExchangeOnline gives you the mailbox cmdlets, not these.
Example cmdlet to create a DLP rule. The policy named in -Policy must already exist (New-DlpCompliancePolicy creates it); this rule blocks access to any item containing at least one credit card number:

```powershell
# Requires an active Connect-IPPSSession; "My DLP Policy" must already exist.
New-DlpComplianceRule -Name "Block Credit Card Numbers" `
    -Policy "My DLP Policy" `
    -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="1"} `
    -BlockAccess $true
```

Identify Sensitive Data Types
The first step in implementing DLP is to identify what constitutes sensitive data for your organization. Microsoft provides over 200 built-in sensitive info types (SITs) such as credit card numbers, SWIFT codes, and passport numbers. You can also create custom SITs using regex or keyword lists. This step is critical because DLP rules rely on SITs to trigger actions. In the exam, know that SITs are defined in the Microsoft Purview compliance portal under Data Classification > Sensitive info types.
Create a DLP Policy
A DLP policy is a container for rules. You specify locations (Exchange, SharePoint, OneDrive, Teams chat/channel messages, and devices) and conditions. For example, a policy might block emails containing 5 or more credit card numbers sent to external recipients. The policy can also include policy tips to warn users. In the exam, remember that DLP policies are scoped to specific locations and can be applied to all users or specific groups.
Apply Sensitivity Labels
Sensitivity labels are created and published via label policies. Users apply labels manually in Office apps, or auto-labeling can be configured to scan files and apply labels based on conditions (e.g., if a document contains a passport number). Labels can enforce encryption, which restricts access to authorized users only. For the exam, know that labels are stored in the file's metadata and travel with it, even outside Microsoft 365.
Set Up Retention Policies
Retention policies preserve data for a specified period and then delete it automatically. They apply at the container level (e.g., an entire SharePoint site or mailbox); retention labels can be applied to individual items. When content is placed under an eDiscovery legal hold, it is preserved even after its retention period would have deleted it; the hold takes precedence over the retention policy. The exam tests that retention policies are used for compliance, not for backup.
Initiate eDiscovery Case
When litigation or investigation arises, an eDiscovery manager creates a case in the Purview portal. They can place legal holds on custodians or content locations, search for relevant data using keywords and conditions, and add results to a review set. In Premium, analytics tools help identify duplicates and relevant documents. The exam expects you to know the difference between Standard and Premium eDiscovery.
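The five steps above, and the DLP components listed under Data Loss Prevention earlier, run end to end from Security & Compliance PowerShell. This is an added example, not code from the study guide or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Compliance Administrator role, and that every name, address, and URL (contoso.com, the finance site, the policy, label, and case names, the sample card-number text) is a placeholder constructed for the example.

```powershell
# Added example, not code from the study guide: the five steps above run
# end to end from Security & Compliance PowerShell.
# Assumptions: the ExchangeOnlineManagement module is installed, the signed-in
# account holds the Compliance Administrator role, and every name, address and
# URL below (contoso.com, site URLs, policy/label/case names) is a placeholder.
Connect-IPPSSession -UserPrincipalName complianceadmin@contoso.com

# --- Step 1: identify sensitive info types -----------------------------------
# Find the exact built-in SIT name the rule will reference, then prove it fires
# on a constructed sample before you build policy on it (4111 1111 1111 1111 is
# a well-known test card number; the sentence is made up for this example).
Get-DlpSensitiveInformationType | Where-Object Name -like 'Credit Card*' | Select-Object Name, Publisher
Test-DataClassification -TextToClassify 'Card 4111 1111 1111 1111 expires 12/29' -ClassificationNames 'Credit Card Number'

# --- Step 2: DLP policy (container) plus one rule -----------------------------
# Start in test mode with notifications: users see policy tips, nothing is
# blocked, and the reports show whether the threshold is right before enforcing.
New-DlpCompliancePolicy -Name 'PCI - Card numbers' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications
New-DlpComplianceRule -Name 'Block 5+ card numbers sent externally' -Policy 'PCI - Card numbers' `
    -ContentContainsSensitiveInformation @{Name = 'Credit Card Number'; minCount = '5'} `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains payment card numbers and cannot be shared externally.' `
    -GenerateIncidentReport 'compliance@contoso.com' -IncidentReportContent All
# When the false-positive rate is acceptable, switch to enforcement:
# Set-DlpCompliancePolicy -Identity 'PCI - Card numbers' -Mode Enable

# --- Step 3: sensitivity label with encryption, then publish it --------------
# The rights string grants the finance group view/edit/print; everyone else is
# locked out of the file wherever it travels. -Tooltip is mandatory.
New-Label -Name 'Highly-Confidential' -DisplayName 'Highly Confidential' `
    -Tooltip 'Restricted to named groups; the file stays encrypted outside Microsoft 365' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions 'finance@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,OBJMODEL' `
    -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText 'Highly Confidential'
New-LabelPolicy -Name 'All users - sensitivity labels' -Labels 'Highly-Confidential' -ExchangeLocation All

# --- Step 4: retention at container level and at item level ------------------
# Container: everything in the finance site is kept 7 years from creation, then deleted.
New-RetentionCompliancePolicy -Name 'Finance site - 7 years' `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/finance'
New-RetentionComplianceRule -Name 'Finance 7y' -Policy 'Finance site - 7 years' `
    -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete -ExpirationDateOption CreationAgeInDays
# Item: a retention label that declares the item a record (immutable) for 10 years.
New-ComplianceTag -Name 'Contract - 10 years' -RetentionAction KeepAndDelete `
    -RetentionDuration 3650 -RetentionType CreationAgeInDays -IsRecordLabel $true

# --- Step 5: eDiscovery case, hold and search ---------------------------------
New-ComplianceCase -Name 'Contoso v. Fabrikam'
# Hold first, search second: items on hold are preserved even if the retention
# rule above would otherwise delete them (hold takes precedence over retention).
New-CaseHoldPolicy -Name 'Contoso v. Fabrikam hold' -Case 'Contoso v. Fabrikam' `
    -ExchangeLocation 'cfo@contoso.com' -SharePointLocation 'https://contoso.sharepoint.com/sites/finance'
New-CaseHoldRule -Name 'Contoso v. Fabrikam hold rule' -Policy 'Contoso v. Fabrikam hold' `
    -ContentMatchQuery '"financial statement" OR audit'
New-ComplianceSearch -Name 'Fabrikam - financial statements' -Case 'Contoso v. Fabrikam' `
    -ExchangeLocation 'cfo@contoso.com' -SharePointLocation 'https://contoso.sharepoint.com/sites/finance' `
    -ContentMatchQuery '"financial statement" OR audit'
Start-ComplianceSearch -Identity 'Fabrikam - financial statements'

# --- Verify ------------------------------------------------------------------
Get-DlpCompliancePolicy -Identity 'PCI - Card numbers' | Select-Object Name, Mode, DistributionStatus
Get-Label -Identity 'Highly-Confidential' | Select-Object DisplayName, EncryptionEnabled
Get-CaseHoldPolicy -Case 'Contoso v. Fabrikam' | Select-Object Name, Enabled
# Poll until Status is Completed, then check Items and Size before exporting.
Get-ComplianceSearch -Identity 'Fabrikam - financial statements' | Select-Object Status, Items, Size
```

Two design points worth noticing: the DLP policy is created in TestWithNotifications mode and only promoted to Enable after the reports have been reviewed, which is the direct answer to the false-positive problem the scenarios below describe; and the case hold is created before the search, because the search only finds content that still exists, while the hold guarantees it keeps existing.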
Enterprise Scenario 1: Healthcare Organization (HIPAA Compliance)
A hospital uses DLP to prevent patient data (e.g., medical record numbers, diagnosis codes) from being emailed outside the organization. They configure a DLP policy that blocks any email containing 3 or more instances of a custom SIT for patient IDs. The policy also sends a policy tip to the sender and notifies the compliance team. They also apply a 'Protected Health Information' sensitivity label to all patient records, which encrypts the document and restricts access to clinical staff only. In production, they monitor the DLP reports weekly to identify false positives and adjust thresholds. A common misconfiguration is setting the minimum count too low (e.g., 1), causing excessive blocks and user frustration.
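The piece of Scenario 1 that the built-in sensitive info types cannot cover is the hospital's own patient-ID format, which needs a custom SIT. The following is an added example, not code from the study guide or from any real hospital: it defines the custom SIT as a rule-package XML document, uploads it, confirms it fires on a constructed sample, and then builds the scenario's 3-instance rule on top of it. The MRN- plus eight digits format, the keywords, the contoso.com addresses, and every policy name are assumptions made up for the example.

```powershell
# Added example for Scenario 1 (not from the study guide): define the custom
# patient-ID sensitive info type as a rule package, upload it, test it, and
# build the 3-instance DLP rule on it. 'MRN-' followed by eight digits is a
# made-up format for this fictional hospital; all names/addresses are placeholders.
Connect-IPPSSession -UserPrincipalName complianceadmin@contoso.com

# Every RulePack, Publisher and Entity needs a stable GUID; keep these, because
# later versions of the package must reuse them to update rather than duplicate.
$packId = [guid]::NewGuid(); $publisherId = [guid]::NewGuid(); $entityId = [guid]::NewGuid()

$rulePack = @"
<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$packId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso Hospital</PublisherName>
        <Name>Contoso Patient ID</Name>
        <Description>Detects Contoso medical record numbers</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- The ID counts only when a supporting keyword appears within 300
         characters. That proximity evidence is what keeps false positives down;
         a bare 'MRN-' pattern on its own never reaches confidence 85. -->
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_contoso_mrn"/>
        <Match idRef="Keyword_contoso_patient"/>
      </Pattern>
    </Entity>
    <Regex id="Regex_contoso_mrn">\bMRN-\d{8}\b</Regex>
    <Keyword id="Keyword_contoso_patient">
      <Group matchStyle="word">
        <Term>patient</Term>
        <Term>medical record</Term>
        <Term>diagnosis</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso Patient ID</Name>
        <Description default="true" langcode="en-us">Contoso medical record number (MRN- plus 8 digits)</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# Upload the package; the byte encoding must match the XML declaration above.
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.Text.Encoding]::UTF8.GetBytes($rulePack))

# Confirm the SIT exists and fires on a constructed sample. The second string
# has no supporting keyword and should not be reported at confidence 85.
Get-DlpSensitiveInformationType -Identity 'Contoso Patient ID' | Select-Object Name, Publisher
Test-DataClassification -TextToClassify 'Patient MRN-20240117 admitted with chest pain' -ClassificationNames 'Contoso Patient ID'
Test-DataClassification -TextToClassify 'Ref MRN-20240117' -ClassificationNames 'Contoso Patient ID'

# The scenario's rule: 3 or more patient IDs leaving the organization are
# blocked, the sender gets a policy tip, and the compliance team is notified.
# Test mode first; a minCount of 1 here is the over-blocking misconfiguration
# the scenario warns about.
New-DlpCompliancePolicy -Name 'HIPAA - Patient identifiers' -ExchangeLocation All -Mode TestWithNotifications
New-DlpComplianceRule -Name 'Block 3+ patient IDs to external recipients' -Policy 'HIPAA - Patient identifiers' `
    -ContentContainsSensitiveInformation @{Name = 'Contoso Patient ID'; minCount = '3'; minConfidence = '85'} `
    -AccessScope NotInOrganization -BlockAccess $true `
    -NotifyUser Owner -NotifyPolicyTipCustomText 'Patient identifiers cannot be sent outside Contoso Hospital.' `
    -GenerateIncidentReport 'compliance@contoso.com' -IncidentReportContent All
```

Bumping the package version and re-uploading with Set-DlpSensitiveInformationTypeRulePackage is how the hospital would tune the regex or keywords after reviewing the weekly DLP reports; the GUIDs must stay the same across versions or the rules that reference the SIT break.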
Enterprise Scenario 2: Financial Services (SOX Compliance)
A bank uses Compliance Manager to track their compliance with SOX. They assign improvement actions to IT and legal teams, and the compliance score is reported to the board quarterly. They also use eDiscovery Premium to respond to SEC requests, placing holds on relevant mailboxes and SharePoint sites. During a typical investigation, they search for keywords like 'financial statement' and 'audit' across 500 mailboxes and 200 sites, preserving 2 TB of data. The review set allows legal teams to tag and review documents efficiently. A common pitfall is leaving unified audit logging disabled: content search still finds the documents, but investigators lose the audit trail of who accessed, changed, or deleted them, which is often the evidence the request is really about.
Scenario 3: Multinational Corporation (GDPR Compliance)
A global company uses sensitivity labels to classify data as 'Public', 'Internal', 'Confidential', and 'Highly Confidential'. They configure auto-labeling to apply 'Confidential' to any document containing a European customer's personal data. DLP policies block sharing of 'Highly Confidential' documents outside the organization. They also use retention policies to delete personal data after 5 years to comply with data minimization. In production, they handle 10,000 documents per day and use the activity explorer to audit label usage. A common issue is label policies not covering all users due to exclusion rules, leading to unlabeled data.
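The three automated pieces of Scenario 3, as an added example that is not code from the study guide or from any real deployment: an auto-labeling policy that applies Confidential when EU identifiers are found, a DLP rule keyed on the Highly Confidential label rather than on a data pattern, and a check of label-policy scope for the exclusion gap the scenario warns about. It assumes the 'Confidential' and 'Highly Confidential' labels already exist (created with New-Label), the ExchangeOnlineManagement module is installed, and all names and addresses are placeholders. The nested hashtable syntax used to reference a label inside -ContentContainsSensitiveInformation is the documented form as I recall it; check it against the New-DlpComplianceRule reference for your tenant before relying on it.

```powershell
# Added example for Scenario 3 (not from the study guide): auto-label EU
# personal data, block external sharing by label, and audit label-policy scope.
# Assumptions: 'Confidential' and 'Highly Confidential' labels already exist,
# ExchangeOnlineManagement is installed, all names/addresses are placeholders.
Connect-IPPSSession -UserPrincipalName complianceadmin@contoso.com

# 1. Auto-labeling: the policy sets scope and which label to apply; the rule
#    sets what to match. Simulation first; review matches before enforcing.
New-AutoSensitivityLabelPolicy -Name 'Auto - EU personal data' -ApplySensitivityLabel 'Confidential' `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Name 'EU identifiers' -Policy 'Auto - EU personal data' `
    -ContentContainsSensitiveInformation @(
        @{Name = 'EU Debit Card Number'; minCount = '1'},
        @{Name = 'EU Passport Number'; minCount = '1'},
        @{Name = 'EU National Identification Number'; minCount = '1'}) `
    -Workload SharePoint, OneDriveForBusiness, Exchange
# Promote once the simulation results look right:
# Set-AutoSensitivityLabelPolicy -Identity 'Auto - EU personal data' -Mode Enable

# 2. DLP keyed on the label instead of on a pattern: anything already marked
#    'Highly Confidential' is blocked from leaving the organization, whatever
#    it contains. (Verify this condition syntax against the cmdlet reference.)
New-DlpCompliancePolicy -Name 'Label-based external block' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Mode Enable
$labelCondition = @(@{operator = 'And'; groups = @(@{operator = 'Or'; name = 'Default';
    labels = @(@{name = 'Highly Confidential'; type = 'Sensitivity'})})})
New-DlpComplianceRule -Name 'Block Highly Confidential externally' -Policy 'Label-based external block' `
    -ContentContainsSensitiveInformation $labelCondition -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All -NotifyUser Owner

# 3. Scope audit for the exclusion gap: a label policy published to All but
#    carrying exceptions leaves the excepted users unable to label anything,
#    so their documents never get Confidential and the DLP rule above never fires.
Get-LabelPolicy | Select-Object Name, ExchangeLocation, ExchangeLocationException, ModernGroupLocationException
Get-LabelPolicy | Where-Object { $_.ExchangeLocationException.Count -gt 0 } |
    ForEach-Object { "Policy '$($_.Name)' excludes: $($_.ExchangeLocationException -join ', ')" }
```

The order matters for the gap in step 3: the DLP rule only ever sees a label that a user or the auto-labeling policy put there, so an excluded user's unlabeled file sails past a label-based rule. Pairing the label-based rule with a pattern-based one (as in the earlier DLP examples) closes that hole for data the classifiers can recognize.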
What MS-900 Tests on Compliance (Objective 3.2)
MS-900 focuses on the purpose and high-level capabilities of Microsoft Purview solutions. You will NOT be asked to configure DLP rules or write PowerShell commands. Instead, expect scenario-based questions that ask which tool to use for a specific compliance need.
Common Wrong Answers and Why
Using Azure Information Protection (AIP) instead of sensitivity labels: AIP was the older, separate product. Its labels were migrated into Microsoft Purview sensitivity labels, and labeling is now built into the Microsoft 365 apps (the AIP unified labeling add-in for Office has been retired). The exam uses 'sensitivity labels' exclusively.
Confusing DLP with sensitivity labels: DLP prevents data exfiltration; sensitivity labels classify and protect data. A common trap: 'Which tool prevents sensitive data from being emailed?' Answer: DLP, not sensitivity labels.
Choosing eDiscovery Standard when Premium is required: Premium includes advanced analytics and review sets. If the question mentions 'machine learning' or 'review set', the answer is Premium.
Selecting Compliance Manager for enforcement: Compliance Manager only tracks and reports; it does not enforce policies. Enforcement is done via DLP, labels, or retention policies.
Specific Numbers and Terms to Memorize
Maximum DLP rules: 500 per tenant.
Maximum sensitivity labels: 500 per tenant.
eDiscovery Standard vs Premium: Premium includes analytics and review sets.
Compliance Manager score range: 0-100%.
Retention labels: up to 1,000 per tenant.
Edge Cases
When a retention policy conflicts with a legal hold, the legal hold takes precedence.
DLP can be applied to Teams chat and channel messages (not just email).
Sensitivity labels support automatic classification for files in SharePoint and OneDrive.
Compliance Manager includes free assessments for Microsoft 365, Azure, and Dynamics 365.
How to Eliminate Wrong Answers
If the question asks about 'preventing data loss', eliminate any answer mentioning 'classification' or 'labeling' unless it's combined with DLP.
If the question asks about 'responding to a lawsuit', eliminate Compliance Manager and DLP; the correct answer is eDiscovery.
If the question asks about 'assessing compliance posture', the answer is Compliance Manager.
DLP uses sensitive info types to detect and block unauthorized sharing of sensitive data.
Sensitivity labels classify data and can enforce encryption; they travel with the file.
eDiscovery Standard provides search and hold; Premium adds analytics and review sets.
Compliance Manager tracks compliance posture and provides a score from 0-100%.
Retention policies preserve data for a set period and then delete it automatically.
Legal holds from eDiscovery override retention policies.
Maximum DLP rules per tenant: 500; maximum sensitivity labels: 500.
These come up on the exam all the time. Here's how to tell them apart.
Data Loss Prevention (DLP)
Focuses on preventing data exfiltration via email, Teams, and cloud apps.
Uses sensitive info types (SITs) to detect specific data patterns.
Can block, warn, or allow sharing of sensitive data.
Applies at the transport or storage layer.
Does not classify or, by itself, encrypt data; it monitors and restricts sharing. The one exception is that an Exchange DLP rule can apply message encryption to outgoing email as an action.
Sensitivity Labels
Focuses on classifying and protecting data at rest and in transit.
Uses labels to mark sensitivity level (e.g., Confidential, Internal).
Can enforce encryption and access restrictions.
Persists with the document, even outside Microsoft 365.
Does not actively block sharing; encryption controls access.
Mistake
Sensitivity labels only work within Microsoft 365.
Correct
Sensitivity labels are stored in the file's metadata and persist when the file is saved to a local drive or shared outside Microsoft 365; no separate client is required for the label to travel with the file. Whether the label is displayed and enforced depends on the app that opens it: Microsoft 365 apps understand labels natively, and a file the label has encrypted stays encrypted wherever it goes, so a user without rights cannot open it anywhere.
Mistake
DLP can block all sensitive data exfiltration.
Correct
DLP cannot prevent a user from photographing the screen or retyping data by hand, and it only covers the locations you put in scope (email, Teams, SharePoint, OneDrive, and so on). Endpoint DLP extends coverage to managed Windows and macOS devices (copy to USB, print, clipboard, browser upload), but each of those is a channel you must explicitly scope, not a blanket guarantee.
Mistake
Compliance Manager enforces compliance policies.
Correct
Compliance Manager is a reporting and tracking tool only. It does not enforce any policies; enforcement is done through DLP, retention policies, and sensitivity labels.
Mistake
eDiscovery Standard includes advanced analytics.
Correct
eDiscovery Standard provides basic search and hold. Advanced analytics (e.g., machine learning, review sets) are only in eDiscovery Premium.
Mistake
Retention policies back up your data.
Correct
Retention policies preserve data for compliance purposes, not for backup. They do not protect against accidental deletion or corruption; they only ensure data is not permanently deleted before the retention period ends.
DLP (Data Loss Prevention) prevents sensitive data from being shared inappropriately by monitoring channels like email, Teams, and SharePoint. It uses sensitive info types to detect patterns (e.g., credit card numbers) and can block or warn users. Sensitivity labels classify data (e.g., Confidential, Public) and can enforce encryption, but they do not actively block sharing. Labels are applied manually or automatically and persist with the file. For the exam, remember: DLP is for prevention, labels are for classification and protection.
Use Microsoft Purview eDiscovery. eDiscovery (Standard) allows you to place legal holds on mailboxes, SharePoint sites, and other locations to preserve content from deletion or modification. For advanced analytics and review sets, use eDiscovery (Premium). The exam expects you to know that eDiscovery is the correct tool for litigation and investigation scenarios.
Compliance Manager provides pre-built assessments for regulations like GDPR, HIPAA, and ISO 27001. It tracks improvement actions, assigns tasks, and calculates a compliance score (0-100%). It does not enforce policies; it only reports on implementation status. For the exam, understand that Compliance Manager is a tracking and reporting tool, not an enforcement tool.
A retention policy applies to containers like SharePoint sites or Exchange mailboxes, preserving all content for a specified period and then deleting it. A retention label applies to individual items (documents, emails) and can also trigger disposition reviews. Both are used for compliance, not backup. The exam may ask which to use for item-level retention (answer: retention label).
Yes, DLP policies can be scoped to Microsoft Teams chat and channel messages. This allows detection and blocking of sensitive data shared in Teams conversations. The exam includes this as a possible scenario.
The maximum number of sensitivity labels per tenant is 500. This limit is important for large organizations planning label hierarchies. The exam may test this value.
The compliance score ranges from 0 to 100%. It is calculated based on the completion of improvement actions. The exam may ask about this range.