This chapter covers Microsoft 365 governance policies and controls, a critical area for the MS-900 exam (Domain 3.2). Governance in Microsoft 365 refers to the policies, processes, and tools that manage access, data protection, and compliance across the tenant. Expect approximately 10-15% of exam questions to touch on governance policies, including Conditional Access, Data Loss Prevention (DLP), retention policies, and compliance controls. Understanding these mechanisms is essential for demonstrating how organizations can enforce security and regulatory requirements within Microsoft 365.
Imagine you are the building manager of a large corporate office tower. The building has multiple floors, each with different security needs: the ground floor lobby is open to the public, the second floor has meeting rooms, floors 3-10 contain open-plan workspaces, and the top floor houses the executive suite and sensitive data center. To enforce security, you implement a governance system: a centralized checklist that every person entering the building must follow. This checklist is not just a list of rules—it is a dynamic set of policies that control access based on identity, time, and purpose. For example, a visitor must sign in at the lobby, receive a badge that expires at 5 PM, and be escorted to their specific floor. An employee, on the other hand, swipes their ID card to enter any floor between 7 AM and 7 PM, but the data center requires an additional fingerprint scan. The building's security team regularly reviews logs and updates the checklist—adding new rules when a floor becomes restricted or removing access for terminated employees. This checklist is Microsoft 365's governance policies and controls: a centralized, policy-driven framework that defines who can access what, under what conditions, and how compliance is enforced and audited. Just as the building manager uses the checklist to protect the building, Microsoft 365 uses policies to protect data and resources.
What Are Governance Policies and Controls in Microsoft 365?
Governance policies and controls in Microsoft 365 are a set of tools and services that help organizations manage their data, users, and devices in a compliant and secure manner. These policies are defined centrally and applied across Microsoft 365 services, including Exchange Online, SharePoint Online, OneDrive for Business, Teams, and more. The primary goal is to ensure that access to resources is appropriate, data is protected from leakage or unauthorized sharing, and the organization meets regulatory obligations.
Key Components
Conditional Access Policies – These are the primary mechanism for controlling access based on conditions such as user identity, device health, location, and application sensitivity. Conditional Access policies are enforced by Azure Active Directory (Azure AD) and can require multi-factor authentication (MFA), restrict access from untrusted networks, or block access from devices that are not compliant.
Data Loss Prevention (DLP) Policies – DLP policies prevent sensitive information from being shared or leaked. They can detect and block the sharing of credit card numbers, social security numbers, or custom patterns. DLP policies work across Exchange, SharePoint, OneDrive, Teams, and endpoints.
Retention Policies and Labels – Retention policies allow organizations to keep or delete data after a specified period. They are used for compliance with legal requirements or internal data governance. Retention labels can be applied manually or automatically based on conditions.
Information Protection Policies – This includes sensitivity labels and encryption policies. Sensitivity labels classify data and enforce protections such as encryption, visual markings, and access restrictions.
Compliance Manager – A tool that provides assessments, templates, and actions to help organizations meet compliance standards like GDPR, HIPAA, and ISO 27001.
How Conditional Access Works Internally
Conditional Access policies are evaluated at the time of authentication. The flow is:
User attempts to access a resource (e.g., SharePoint Online).
Azure AD evaluates the policy based on conditions: user, group, location, device platform, application, and risk level.
If conditions are met, the policy applies controls such as requiring MFA, blocking access, or requiring device compliance.
The result is enforced by Azure AD, and the user is either granted access (possibly after satisfying additional controls) or denied.
Key defaults:
Conditional Access policies are evaluated after primary authentication (password) but before access to the resource.
Policies can be set to "Report-only" mode to test without impacting users.
Azure AD Premium P1 or P2 is required for Conditional Access.
DLP Policy Mechanics
DLP policies consist of:
- Rules that define conditions (e.g., content contains a sensitive info type) and actions (e.g., block sharing, notify user, or allow but log).
- Sensitive information types – Microsoft provides built-in types (e.g., credit card number, U.S. Social Security number) and allows custom types via regex or function.
- Policy tips – Users see a warning when they try to share sensitive data, with options to override if justified.
DLP processing:
Content is scanned in transit (email) or at rest (SharePoint, OneDrive).
For email, DLP is evaluated during send; for SharePoint, it is evaluated when a file is uploaded or modified.
Matches are logged in the DLP reports and can trigger incident reports.
Retention Policies and Labels
Retention policies work on a container level (e.g., a SharePoint site or Exchange mailbox) while retention labels work on individual items. Retention policies are defined with:
- Retention period – number of days, months, or years.
- Action at end of period – delete, keep, or both.
- Start of retention – based on content creation date, last modified date, or label assignment date.
When a retention policy is applied, items are preserved in a secure location (e.g., Preservation Hold library in SharePoint) until the retention period ends. If an item is deleted before the end of retention, it is moved to the Preservation Hold library.
Key default values:
Maximum retention period: 5 years for some policies, indefinite for others.
Retention labels can be applied automatically using trainable classifiers or sensitive info types.
Information Protection and Sensitivity Labels
Sensitivity labels are published to users via a label policy. When a user applies a label to a document or email, the label can enforce:
Encryption (via Azure Information Protection).
Visual markings (header, footer, watermark).
Access restrictions (e.g., only certain users can view).
Labels can be applied automatically based on content inspection (e.g., if document contains credit card numbers) or user action. Labels are stored in the file's metadata and travel with the file even outside Microsoft 365.
Compliance Manager
Compliance Manager provides:
- Assessments – based on regulations (e.g., GDPR, NIST 800-53).
- Actions – steps to improve compliance, each with implementation status, test status, and evidence.
- Score – a compliance score from 0 to 100% based on completed actions.
Interaction Between Components
Governance policies often work together. For example:
A Conditional Access policy may require MFA for users accessing sensitive data.
A DLP policy may block sharing of credit card numbers.
A retention policy may keep all communications in a legal hold for 7 years.
Sensitivity labels can be used to classify data, and DLP policies can enforce rules on labeled data.
Configuration and Verification Commands
While most governance policies are configured via the Microsoft 365 admin centers (e.g., Microsoft Purview compliance portal, Azure AD admin center), some tasks can be performed via PowerShell.
Example: Connect to Azure AD and view Conditional Access policies
Connect-AzureAD
Get-AzureADMSConditionalAccessPolicy
Example: Connect to Security & Compliance Center for DLP policies
Connect-IPPSSession
Get-DlpCompliancePolicy
Example: View retention policies
Connect-IPPSSession
Get-RetentionCompliancePolicy
Key Defaults and Limits
Conditional Access policies can be applied to up to 250 groups.
DLP policies support up to 100 sensitive info types per policy.
Retention policies cannot be deleted if they are still in effect; they must be disabled first.
Sensitivity labels can be published to up to 500,000 users.
Common Exam Traps
Trap: Confusing retention policies with retention labels. Retention policies apply at the container level (e.g., entire site), while labels apply to individual items.
Trap: Thinking DLP only works for email. DLP also covers SharePoint, OneDrive, Teams, and endpoints.
Trap: Assuming Conditional Access requires Azure AD P2. It requires P1; P2 adds risk-based policies.
Trap: Believing that retention policies prevent deletion. They preserve deleted items but do not prevent deletion; they allow recovery.
Define Governance Requirements
Begin by identifying the organization's compliance and security needs. This includes regulatory requirements (e.g., GDPR, HIPAA), internal data classification policies, and access control rules. Document the types of sensitive data, retention periods, and conditions under which access should be restricted. This step sets the scope for all subsequent policy creation. Involve stakeholders from legal, HR, and IT to ensure all requirements are captured.
Create Sensitivity Labels
In the Microsoft Purview compliance portal, define sensitivity labels that classify data based on sensitivity (e.g., Public, Internal, Confidential, Highly Confidential). Each label can enforce encryption, visual markings, and access restrictions. Configure auto-labeling rules based on sensitive info types or trainable classifiers. Publish labels via label policies to specific users or groups. This step is foundational for information protection.
Configure DLP Policies
Create DLP policies in the Microsoft Purview compliance portal. Define rules that detect sensitive information types (e.g., credit card numbers, passport numbers). Specify actions such as blocking sharing, notifying users, or allowing override with justification. Test the policy in simulation mode first. Assign the policy to locations (Exchange, SharePoint, OneDrive, Teams). Monitor DLP reports for false positives.
Set Up Retention Policies
Define retention policies in the Microsoft Purview compliance portal. Choose a scope (e.g., entire organization, specific locations) and set retention periods (e.g., 7 years for financial records). Specify whether to delete, keep, or both at the end of the period. Apply the policy. For item-level retention, create retention labels and publish them. Use adaptive scopes to target specific users or groups dynamically.
Implement Conditional Access Policies
In the Azure AD admin center, create Conditional Access policies. Assign to users, groups, or workload identities. Define conditions: sign-in risk, device platform, location, client apps. Set access controls: require MFA, require compliant device, block access. Enable policy in report-only mode initially to test impact. After validation, enable the policy. Monitor sign-in logs to ensure policies are working as intended.
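The following script is an added example (not code from the original page or from Microsoft's documentation) that carries steps 2 to 5 of the procedure above into PowerShell and then runs the same Get-* verification cmdlets shown earlier, so the DLP mechanics, retention mechanics and report-only Conditional Access behaviour described in the preceding sections can be seen in one place. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in account holds Compliance Administrator and Conditional Access Administrator roles; every policy name prefixed EX- is a constructed placeholder.

```powershell
# Added example: constructed policy names (EX-*), not from the original page.
# Everything is created in test / report-only mode first, as the procedure
# recommends, so nothing blocks a user until an administrator enables it.

Connect-IPPSSession                                   # Purview compliance cmdlets
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

# Step 2: a sensitivity label published to all mailbox users. Encryption and
# markings are label settings (EncryptionEnabled, ApplyContentMarkingHeader*).
New-Label -Name 'EX-Confidential' -DisplayName 'Confidential (example)' `
    -Tooltip 'Constructed example label' | Out-Null
New-LabelPolicy -Name 'EX-Confidential-Policy' -Labels 'EX-Confidential' `
    -ExchangeLocation All | Out-Null

# Step 3: DLP policy in simulation mode WITH policy tips. The rule fires only
# when credit card numbers are shared outside the organization, blocks the
# share, lets the owner override with a logged justification, and raises an
# incident report on each match.
$dlp = New-DlpCompliancePolicy -Name 'EX-PCI-CreditCard' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications -Comment 'Constructed example policy'

New-DlpComplianceRule -Name 'EX-PCI-CreditCard-External' -Policy $dlp.Name `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyUser Owner -NotifyAllowOverride WithJustification `
    -NotifyPolicyTipCustomText 'This item contains card numbers and cannot be shared externally.' `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High | Out-Null

# Step 4: container-level retention. Keep for 7 years (2555 days) from the
# creation date, then delete. Users can still delete; deleted items are held
# in the Preservation Hold library until the period ends.
$ret = New-RetentionCompliancePolicy -Name 'EX-Retain-7y-Financial' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Enabled $true

New-RetentionComplianceRule -Name 'EX-Retain-7y-Financial-Rule' -Policy $ret.Name `
    -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays | Out-Null

# Step 5: Conditional Access requiring MFA for all users on all cloud apps,
# in report-only mode: sign-in logs record what WOULD have happened without
# enforcing. Add break-glass accounts to excludeUsers before setting
# state = 'enabled'.
$ca = @{
    displayName   = 'EX-RequireMFA-AllUsers (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $ca | Out-Null

# Verification: confirm each object exists and is still in its test state.
Get-DlpCompliancePolicy -Identity 'EX-PCI-CreditCard' | Select-Object Name, Mode
Get-RetentionCompliancePolicy -Identity 'EX-Retain-7y-Financial' -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like 'EX-*' | Select-Object DisplayName, State
```

Once the DLP reports and the Conditional Access sign-in logs show no unexpected matches, the same objects are promoted with Set-DlpCompliancePolicy -Mode Enable and Update-MgIdentityConditionalAccessPolicy with state 'enabled'.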
Enterprise Scenario 1: Financial Institution with Regulatory Compliance
A large bank must comply with GDPR and PCI DSS. They use sensitivity labels to classify all documents containing customer financial data as "Highly Confidential". DLP policies block sharing of credit card numbers outside the organization, with a policy tip allowing override with justification (audited). Retention policies keep all customer communications for 7 years. Conditional Access policies require MFA for all users accessing financial systems and block access from untrusted IP addresses. The compliance team uses Compliance Manager to track their GDPR assessment score, currently at 85%, with actions to improve. Misconfiguration: Initially, they set retention policies to delete after 7 years but forgot to exclude legal hold items, causing deletion of documents under litigation hold. They fixed this by using retention labels for legal hold.
Enterprise Scenario 2: Healthcare Provider with Mobile Workforce
A hospital uses Microsoft 365 for email and Teams. They need to protect patient health information (PHI) under HIPAA. They deploy sensitivity labels that automatically encrypt emails containing PHI. DLP policies detect and block sharing of medical record numbers. Conditional Access policies require device compliance for mobile devices accessing Exchange Online. They also use retention policies to keep medical records for 6 years. Common issue: Users complain that DLP blocks legitimate sharing of patient data with other healthcare providers. They create a custom DLP rule that allows sharing with specific domains (e.g., @otherhospital.com) with justification. They also enable DLP simulation mode first to fine-tune.
Enterprise Scenario 3: Multinational Corporation with Data Residency Requirements
A global company must store data in specific geographic regions. They use Conditional Access policies to restrict SharePoint access based on IP location (e.g., block from outside EU for EU tenant). They also use retention policies to automatically delete data older than 10 years unless under legal hold. Sensitivity labels enforce encryption that prevents access from non-corporate devices. Challenge: They have multiple tenants for different regions, requiring separate policy sets. They use multi-geo capabilities in Microsoft 365 to manage data residency per user. Misconfiguration: They set a retention policy to keep data for 5 years but later needed to extend to 7 years; they learned that retention policies can be extended but not shortened if items are already marked for deletion.
What MS-900 Tests on This Topic (Objective 3.2)
The exam focuses on understanding the purpose and capabilities of governance policies, not deep configuration. Key areas:
- Conditional Access: Know that it requires Azure AD P1, can require MFA, and can block access based on location or device. Understand the difference between Conditional Access and Azure AD Identity Protection (which adds risk).
- DLP: Know that DLP policies can prevent sharing of sensitive data across Exchange, SharePoint, OneDrive, and Teams. Understand policy tips and override capabilities.
- Retention Policies: Know that retention policies preserve data for a specified period, can delete or keep, and apply at the container level. Understand that retention labels apply to individual items.
- Sensitivity Labels: Know that they classify and protect data, can enforce encryption, and travel with the file.
- Compliance Manager: Know it provides a compliance score and assessments for regulations.
Common Wrong Answers
Confusing Conditional Access with Azure AD Identity Protection: Candidates choose Identity Protection as requiring MFA. Reality: Conditional Access enforces MFA; Identity Protection provides risk signals.
Thinking DLP only works for email: Many choose that DLP only covers Exchange. Reality: It covers multiple workloads.
Believing retention policies prevent deletion: Candidates think retention policies block users from deleting files. Reality: They preserve deleted items in a hidden location.
Assuming sensitivity labels require Azure Information Protection: Reality: Sensitivity labels are built into Microsoft 365 and do not require AIP (though AIP can integrate).
Specific Numbers and Terms
Conditional Access requires Azure AD Premium P1 (not P2).
DLP policies can include up to 100 sensitive info types per policy.
Retention policies can be set for a minimum of 1 day and maximum of 5 years (or indefinite).
Compliance Manager provides a score from 0 to 100%.
Edge Cases
Retention policies cannot be deleted while in effect; must be disabled first.
DLP policies can be set to "Test" mode with policy tips.
Conditional Access policies can be applied to workload identities (service principals) in Azure AD P2.
How to Eliminate Wrong Answers
If a question mentions "requires MFA based on location", the answer is Conditional Access.
If a question mentions "prevents sharing of credit card numbers", the answer is DLP.
If a question mentions "keeps data for 7 years after creation", the answer is retention policy.
If a question mentions "classifies documents and encrypts", the answer is sensitivity labels.
Conditional Access requires Azure AD Premium P1 and can enforce MFA, block access, and require compliant devices.
DLP policies protect sensitive data across Exchange, SharePoint, OneDrive, and Teams by detecting and blocking sharing of sensitive info types.
Retention policies preserve or delete data after a specified period; they do not block deletion but preserve deleted items.
Sensitivity labels classify data and enforce encryption and visual markings; they travel with the file.
Compliance Manager provides a compliance score (0-100%) and assessments for regulations like GDPR and HIPAA.
Retention policies apply at the container level; retention labels apply to individual items.
Conditional Access policies can be tested in report-only mode before enforcement.
DLP policies support policy tips to warn users before sharing sensitive data.
These come up on the exam all the time. Here's how to tell them apart.
Conditional Access
Enforces access controls based on conditions like location, device, and app.
Requires Azure AD Premium P1 or P2.
Can require MFA, block access, or require compliant device.
Evaluated at authentication time.
Does not use risk signals by default (unless integrated with Identity Protection).
Azure AD Identity Protection
Detects sign-in risks and user risks using machine learning.
Requires Azure AD Premium P2.
Can automatically remediate risks (e.g., force password reset).
Generates risk events and risk levels.
Can be used as a condition in Conditional Access policies.
Retention Policy
Applies at the container level (e.g., entire SharePoint site, Exchange mailbox).
Cannot be applied manually by users.
Preserves and/or deletes data after a specified period.
Supports both keep and delete actions.
Can be applied to all content in a location automatically.
Retention Label
Applies to individual items (e.g., a specific document, email).
Can be applied manually by users or automatically via rules.
Preserves and/or deletes the labeled item.
Supports additional actions like marking as a record.
Can be used for disposition reviews.
DLP Policy
Prevents accidental sharing of sensitive data.
Works by scanning content for sensitive info types.
Can block, notify, or allow override.
Applies to data in transit and at rest.
Does not classify data for persistent protection.
Sensitivity Label
Classifies data and enforces protection (encryption, markings).
Can be applied manually or automatically based on content.
Protection travels with the file (persistent).
Does not block sharing by itself; DLP can enforce on labeled content.
Used for information protection and compliance.
Mistake
Conditional Access policies require Azure AD Premium P2.
Correct
Conditional Access requires Azure AD Premium P1. P2 adds Identity Protection and risk-based policies.
Mistake
Data Loss Prevention (DLP) only works for Exchange Online email.
Correct
DLP policies work across Exchange Online, SharePoint Online, OneDrive for Business, Teams chat and channels, and can also extend to endpoints via Microsoft 365 DLP.
Mistake
Retention policies block users from deleting files.
Correct
Retention policies do not block deletion. When a user deletes an item, it is preserved in a hidden location (e.g., Preservation Hold library) until the retention period ends.
Mistake
Sensitivity labels require Azure Information Protection (AIP) subscription.
Correct
Sensitivity labels are built into Microsoft 365 E3/E5 and do not require a separate AIP subscription. AIP provides additional features like the unified labeling client but is not mandatory.
Mistake
Compliance Manager automatically enforces compliance.
Correct
Compliance Manager provides assessments and recommendations but does not enforce policies. It tracks actions and scores, but implementation must be done separately.
A retention policy applies to a container (e.g., a SharePoint site or Exchange mailbox) and automatically retains or deletes all content within that container. A retention label applies to individual items (e.g., a specific document or email) and can be assigned manually by users or automatically based on conditions. Retention labels also allow marking items as records.
No, Conditional Access requires Azure AD Premium P1. Azure AD Premium P2 adds Identity Protection features, which can provide risk-based conditions for Conditional Access policies, but the core Conditional Access functionality is available with P1.
Yes, DLP policies can be applied to Teams chat and channel messages. They can detect sensitive info types and block messages containing them, with policy tips notifying the user.
The file is not permanently deleted. It is moved to a hidden preservation location (e.g., the Preservation Hold library in SharePoint) and retained until the retention period ends. The user sees the file as deleted, but admins can recover it.
Sensitivity labels can enforce encryption using Azure Information Protection, which allows the labeled file to be encrypted. The encryption persists even when the file is shared outside the organization, and access can be controlled by the label's settings (e.g., only specific users can open).
The compliance score is a percentage (0-100%) that represents how many improvement actions have been completed out of the total required for a specific assessment (e.g., GDPR). It is calculated based on actions implemented, tested, and with evidence submitted.
Yes, multiple retention policies can apply to the same content. In such cases, the longest retention period is applied. If one policy says delete after 3 years and another says keep for 5 years, the content is kept for 5 years.