This chapter covers compliance concepts in Microsoft 365, focusing on how organizations can manage regulatory requirements using Microsoft Purview. Compliance is a key area of the SC-900 exam: the underlying concepts (shared responsibility, governance, risk and compliance) sit in Domain 1 (Describe the concepts of security, compliance, and identity), and the capabilities of Microsoft Purview form a domain of their own, weighted at roughly 20–25% of the exam. You will learn about the shared responsibility model, the Purview compliance portal, compliance score, data lifecycle management, and information protection. Understanding these concepts is critical for demonstrating how Microsoft 365 helps organizations meet legal and regulatory obligations while maintaining data governance.
Imagine a large corporation with a compliance department that must ensure all employee records are stored securely and only accessible to authorized personnel. The department has a giant filing cabinet with multiple locks. Each lock represents a different compliance control: one lock for data encryption (so only those with the key can read files), another for access logging (every time a drawer is opened, it's recorded), and a third for retention policies (files are automatically shredded after a set number of years). The compliance officer doesn't create the records—that's HR and Finance—but the officer sets the rules for how records must be handled. If HR wants to store a new employee file, they must follow the compliance officer's rules: encrypt the file, log who accesses it, and set a destruction date. The officer periodically audits the cabinet to ensure everyone is following the rules. If someone leaves a drawer unlocked, the officer flags it and forces a correction. In this analogy, the compliance officer is like Microsoft Purview Compliance Manager, the filing cabinet is your organization's data estate, and the locks are the compliance controls (e.g., encryption, retention, auditing). The officer doesn't manage the data itself but ensures that the processes around data meet regulatory requirements. Just as the officer uses a checklist of controls (like ISO 27001 or GDPR), Compliance Manager uses built-in assessments and control templates to evaluate your compliance posture and provide recommendations.
What Are Compliance Concepts and Why Do They Exist?
Compliance concepts refer to the set of practices, technologies, and policies that ensure an organization adheres to external laws, regulations, and internal standards when handling data. In the context of Microsoft 365, compliance is about managing data in a way that meets legal requirements such as GDPR, HIPAA, or ISO 27001, while also enabling business operations. The exam expects you to understand the shared responsibility model: Microsoft is responsible for the security of the cloud (physical infrastructure, platform), while the customer is responsible for security in the cloud (data, identities, configurations). Compliance is primarily a customer responsibility because the customer owns the data and decides how it is classified, retained, and protected.
The Microsoft Purview Compliance Portal
The central tool for compliance in Microsoft 365 is the Microsoft Purview compliance portal (formerly Microsoft 365 compliance center). It provides a unified view of your compliance posture across data lifecycle management, information protection, insider risk management, and auditing. The portal includes:
Compliance Manager: A dashboard that gives a compliance score based on the improvement actions you complete. It ships with the Microsoft Data Protection Baseline assessment and offers templates for regulations like GDPR, NIST 800-53, and FedRAMP (many regulatory templates are premium assessments licensed separately).
Data Lifecycle Management: Tools for retaining and deleting data based on policies (e.g., retention labels, retention policies).
Information Protection: Features like sensitivity labels, data loss prevention (DLP), and encryption to protect data at rest and in transit.
Audit (Standard and Premium): Logs of user and admin activities for investigation and compliance reporting.
eDiscovery: Tools for searching and exporting content for legal cases.
Compliance Score and Compliance Manager
Compliance Manager works by assessing your tenant against the controls defined in a regulatory standard. Each control maps to one or more improvement actions, and each action carries a point value determined by its type rather than a flat cap: a mandatory preventative action is worth 27 points, a discretionary preventative action 9, a mandatory detective or corrective action 3, and a discretionary detective or corrective action 1. Points are awarded once an action is implemented and tested (Microsoft-managed actions are credited automatically). The compliance score is calculated as:
Score = (Total achieved points / Total possible points) * 100
Controls can be:
Microsoft-managed: Implemented by Microsoft (e.g., physical security of datacenters). These are automatically marked as completed.
Customer-managed: Implemented by the customer (e.g., enabling MFA, configuring retention policies). The customer must take action to implement these controls.
Shared: A combination (e.g., Microsoft provides encryption at rest, customer manages keys).
You can assign actions to specific users, track progress, and generate reports for auditors. The exam may test that Compliance Manager does not automatically enforce controls—it only provides recommendations and tracking.
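To see why "prioritize high-impact controls" is about action type and not control count, here is an added example (not code from the page or from Microsoft) that reproduces the published Compliance Manager weighting over a constructed list of improvement actions. The action names, owners and statuses are made up for illustration; only the 27/9/3/1 weights and the rule that Microsoft-managed actions are credited automatically come from how Compliance Manager scores.

```powershell
# Added example: Compliance Manager's scoring model applied to hypothetical actions.
# Weights: mandatory/discretionary x preventative/detective/corrective = 27/9/3/1.

function Get-ActionPoints {
    param([string]$Type, [bool]$Mandatory)
    switch ($Type) {
        'Preventative' { if ($Mandatory) { 27 } else { 9 } }
        'Detective'    { if ($Mandatory) { 3 }  else { 1 } }
        'Corrective'   { if ($Mandatory) { 3 }  else { 1 } }
        default        { throw "Unknown action type: $Type" }
    }
}

function Get-ComplianceScore {
    param([object[]]$Actions)
    $achieved = 0; $possible = 0
    foreach ($a in $Actions) {
        $pts = Get-ActionPoints -Type $a.Type -Mandatory $a.Mandatory
        $possible += $pts
        # Microsoft-managed actions are credited automatically; customer-managed
        # actions only count once they are implemented AND tested (status Passed).
        if ($a.Owner -eq 'Microsoft' -or $a.Status -eq 'Passed') { $achieved += $pts }
    }
    [pscustomobject]@{
        Achieved = $achieved
        Possible = $possible
        Score    = [math]::Round(100 * $achieved / $possible, 1)   # 0-100, as in the portal
    }
}

# Constructed sample actions (hypothetical names and statuses).
$actions = @(
    [pscustomobject]@{ Name='Require MFA for admins';     Type='Preventative'; Mandatory=$true;  Owner='Customer';  Status='Passed' }
    [pscustomobject]@{ Name='Publish retention label';    Type='Preventative'; Mandatory=$true;  Owner='Customer';  Status='NotImplemented' }
    [pscustomobject]@{ Name='Enable DLP policy tips';     Type='Preventative'; Mandatory=$false; Owner='Customer';  Status='Passed' }
    [pscustomobject]@{ Name='Review audit logs weekly';   Type='Detective';    Mandatory=$true;  Owner='Customer';  Status='NotImplemented' }
    [pscustomobject]@{ Name='Datacenter physical access'; Type='Preventative'; Mandatory=$true;  Owner='Microsoft'; Status='Passed' }
)

$before = Get-ComplianceScore $actions          # 63/93 achieved -> 67.7%

# Closing the missing mandatory preventative action adds 27 points; closing the
# missing mandatory detective action would add only 3. Fix the preventative one first.
$actions[1].Status = 'Passed'
$after = Get-ComplianceScore $actions           # 90/93 achieved -> 96.8%

"Score before: $($before.Score)%  after: $($after.Score)%"
```

Run it in any PowerShell 5.1 or 7 session; it needs no connection to a tenant. Swap the sample list for an export of your own improvement actions to see which open items move the score most.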
Data Lifecycle Management
Data lifecycle management governs how data is created, stored, used, archived, and deleted. In Microsoft 365, this is achieved through:
Retention Policies: Apply at the location level (Exchange, SharePoint, OneDrive, Teams) to retain or delete content after a specified period. The default retention period for deleted items in Exchange (the Recoverable Items folder) is 14 days and can be raised to 30 days. In SharePoint and OneDrive, deleted items remain in the recycle bins for 93 days in total. Content covered by a retention policy or label is preserved beyond these windows, in the Preservation Hold library (SharePoint/OneDrive) or Recoverable Items (Exchange), until the retention period ends.
Retention Labels: Apply to individual items (e.g., a document or email) to enforce retention or deletion rules. Labels are published via a label policy so users can apply them manually, or applied automatically by an auto-apply policy based on conditions (e.g., sensitive info types, keywords, trainable classifiers).
Records Management: Uses retention labels that mark content as a record, which blocks modification and deletion. A regulatory record is stricter still: the label cannot be removed and its retention period cannot be shortened, even by an administrator. Separately, any retention label's period can be event-based, triggered by a specific event such as employee termination or contract expiry.
Important exam trap: Retention policies are for locations (containers), retention labels are for items. Also, retention labels and sensitivity labels are separate concepts (one governs lifecycle, the other classification and protection), and a single item can carry one of each.
Information Protection and Sensitivity Labels
Sensitivity labels are the primary mechanism for classifying and protecting data in Microsoft 365. They can be applied to:
Documents (Word, Excel, PowerPoint, PDF)
Emails
Containers (Teams, SharePoint sites, Microsoft 365 Groups)
When a sensitivity label is applied, it can enforce:
Encryption: Using the Azure Rights Management service (part of Azure Information Protection) so that only authorized users can open the content, wherever the file travels.
Visual markings: Headers, footers, or watermarks.
Access control: Usage rights that prevent forwarding, printing, copying, or editing.
Labels are defined in the Microsoft Purview compliance portal under Information Protection. They can be published to users via label policies. The exam expects you to know that sensitivity labels can be applied automatically using conditions (e.g., credit card number pattern) or manually by users.
Data Loss Prevention (DLP)
DLP policies prevent accidental sharing of sensitive information. They work by scanning content in Exchange, SharePoint, OneDrive, Teams, and endpoints for sensitive data types (e.g., credit card numbers, social security numbers). When a match occurs, the policy can:
Block sharing and notify the user.
Block sharing and allow override with justification.
Log the event for review.
Show a policy tip to the user.
DLP policies are created in the Purview compliance portal and can be scoped to specific locations or users. The exam may test that DLP does not encrypt data: it blocks or warns on sharing. (An Exchange DLP rule can apply Office 365 Message Encryption as an action, but for exam purposes encryption is the job of sensitivity labels.)
Auditing and eDiscovery
Audit logging is essential for compliance. Microsoft 365 offers two tiers:
Audit (Standard): Enabled by default; retains audit records of user and admin activities for 180 days (the limit was 90 days before October 2023, and older exam material still cites 90 days).
Audit (Premium): Requires E5 (or an equivalent add-on) licensing; extends default retention to 1 year, with up to 10 years available through the 10-Year Audit Log Retention add-on, adds additional events and intelligent insights for investigations, supports custom audit retention policies, and provides higher-bandwidth access to the Office 365 Management Activity API for ingestion.
eDiscovery tools allow you to search for content across Exchange, SharePoint, OneDrive, and Teams. There are three tiers:
Content Search: Basic search and export of content.
eDiscovery (Standard): Adds cases, holds, and export.
eDiscovery (Premium): Adds advanced analytics, machine learning, and review sets.
Insider Risk Management
This feature helps detect, investigate, and act on insider risks like data theft or policy violations. It uses templates (e.g., Data theft by departing users, Leaks of sensitive data) and correlates signals from Microsoft 365 logs, HR systems, and other sources. It requires Microsoft 365 E5 or an equivalent compliance add-on license.
Communication Compliance
Communication compliance helps organizations detect offensive language, harassment, or inappropriate sharing in emails and Teams messages. It uses customizable policies and machine learning classifiers. It also requires E5 or an equivalent compliance add-on license.
Shared Responsibility Model in Compliance
For compliance, Microsoft provides:
Physical security: Datacenter access controls, surveillance.
Infrastructure security: Network, hypervisor, storage security.
Platform compliance: Certifications and attestations (e.g., SOC 2, ISO 27001).
The customer is responsible for:
Data classification: Applying sensitivity labels.
User access: Managing permissions and MFA.
Data retention: Configuring retention policies.
Incident response: Investigating and reporting breaches.
Key Terms to Know for the Exam
Control: A specific requirement in a regulation (e.g., "Encrypt data at rest").
Assessment: A group of controls for a specific regulation (e.g., GDPR assessment).
Compliance Score: Numerical representation of compliance posture (0-100).
Sensitivity Label: Classification label with protection actions.
Retention Label: Label for managing retention and deletion.
DLP Policy: Rules to prevent data loss.
Audit Log: Record of activities.
eDiscovery: Search and export for legal purposes.
How These Concepts Interact
A typical workflow: An organization uses sensitivity labels to classify documents as "Confidential." A DLP policy blocks sharing of any document carrying the "Confidential" label outside the organization. Retention labels automatically delete documents after 7 years. Audit logs capture all activities, and Compliance Manager tracks the implementation of these controls to provide a compliance score. If an insider attempts to exfiltrate data, Insider Risk Management flags the behavior. This integrated approach helps organizations maintain compliance with far less manual overhead.
Define Compliance Requirements
Identify the regulations and standards applicable to your organization, such as GDPR, HIPAA, or ISO 27001. This step involves understanding the specific controls required by each regulation. In Microsoft Purview Compliance Manager, you select the built-in assessments that match your requirements. Each assessment contains a set of controls that must be implemented. For example, the GDPR assessment includes controls like 'Data Protection by Design and Default' and 'Right to Erasure'. You must determine which controls are customer-managed and which are Microsoft-managed. This step sets the baseline for your compliance score.
Implement Customer-Managed Controls
Take action on the controls that are your responsibility. For example, enable multi-factor authentication (MFA) to satisfy an access control requirement. In Compliance Manager, you mark controls as 'Implemented' and provide evidence (e.g., a screenshot of MFA settings). The score updates as you implement controls. Common actions include creating retention policies, publishing sensitivity labels, configuring DLP policies, and enabling audit logging. Each action is tracked as a 'task' in Compliance Manager. You can assign tasks to specific users and set deadlines.
Automate with Policies and Labels
Use retention labels, sensitivity labels, and DLP policies to automate compliance. For instance, create a sensitivity label that automatically encrypts documents containing credit card numbers. Publish the label via a label policy so it appears in users' Office apps. Set up a retention label that deletes emails after 3 years. Use auto-labeling to apply labels based on sensitive data types. This step reduces manual effort and ensures consistent enforcement. In the exam, remember that auto-labeling uses conditions like 'contains credit card number' and applies the label automatically.
Monitor and Audit Activity
Confirm that Audit (Standard) logging is on (it is enabled by default) so user and admin activities are captured. For deeper visibility, upgrade to Audit (Premium). Use the audit log search in the Purview portal to investigate specific events. Set up alert policies to notify you of suspicious activities (e.g., mass download of files). Regularly review the audit logs for compliance violations. In the exam, know that Audit (Standard) retains logs for 180 days (older material says 90 days), while Audit (Premium) retains for 1 year (or 10 years with the add-on license). eDiscovery tools allow you to preserve and export data for legal cases.
Review and Improve Compliance Score
Regularly check Compliance Manager to see your compliance score. The score is the ratio of achieved points to possible points across the improvement actions in your assessments, not a count of controls. For example, if the actions in scope are worth 1,000 points in total and the actions you have implemented (plus the Microsoft-managed ones credited automatically) are worth 500, your score is 500/1000 = 50%. Review the 'Improvement actions' tab to see which actions need attention. Prioritize high-impact actions: mandatory preventative actions carry the most points. Generate compliance reports for auditors. The exam may test that the compliance score is a snapshot and does not guarantee actual compliance; it is a tool for tracking progress.
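The five steps above (and the retention, sensitivity label, DLP and audit sections earlier in the chapter) are what an administrator actually types into Security & Compliance PowerShell. The script below is an added example, not code from the page or from Microsoft's documentation: it creates one location-scoped retention policy, one item-level record label, one encrypting sensitivity label with manual publishing and auto-labeling, one DLP policy, and then checks the audit log. All names prefixed "Contoso-", the 7-year and credit-card choices, and the admin address are assumptions; the cmdlets and parameters are real ones from the ExchangeOnlineManagement module.

```powershell
# Added example (assumed names/values). Requires the ExchangeOnlineManagement module
# and a Compliance Administrator role. Run once; re-running will fail on duplicate names.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   -UserPrincipalName admin@contoso.com   # Purview compliance cmdlets
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com  # audit cmdlets

# 1. Retention POLICY: location-wide. Retain everything 7 years (2555 days) after last
#    modification, then delete. Applies to all mailboxes, sites and OneDrives.
New-RetentionCompliancePolicy -Name 'Contoso-7yr-Baseline' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Contoso-7yr-Baseline-Rule' -Policy 'Contoso-7yr-Baseline' `
    -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# 2. Retention LABEL: item-level. Declares the item a record (users cannot delete it)
#    and is published so users can apply it to specific contracts.
New-ComplianceTag -Name 'Contoso-Contract-7yr' -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 -RetentionType ModificationAgeInDays -IsRecordLabel $true `
    -Comment 'Contracts: record, 7 years from last modification'
New-RetentionCompliancePolicy -Name 'Contoso-Publish-Contract-Label' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Contoso-Publish-Contract-Label-Rule' `
    -Policy 'Contoso-Publish-Contract-Label' -PublishComplianceTag 'Contoso-Contract-7yr'

# 3. SENSITIVITY label: encrypt (Azure RMS) so only authenticated tenant users can open
#    the file, add a header marking, publish it to all users, then auto-apply it to
#    content containing a credit card number (test mode first, no user notifications).
New-Label -Name 'Contoso-Confidential' -DisplayName 'Confidential' -Tooltip 'Internal only' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions 'AuthenticatedUsers:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT' `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText 'CONFIDENTIAL'
New-LabelPolicy -Name 'Contoso-Confidential-Policy' -Labels 'Contoso-Confidential' -ExchangeLocation All
New-AutoSensitivityLabelPolicy -Name 'Contoso-AutoLabel-CC' -ApplySensitivityLabel 'Contoso-Confidential' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Name 'Contoso-AutoLabel-CC-Rule' -Policy 'Contoso-AutoLabel-CC' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -Workload Exchange, SharePoint, OneDriveForBusiness

# 4. DLP: block sharing of credit card data with people outside the organization,
#    show a policy tip, and allow override only with a business justification.
New-DlpCompliancePolicy -Name 'Contoso-DLP-CreditCard' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All -Mode Enable
New-DlpComplianceRule -Name 'Contoso-DLP-CreditCard-External' -Policy 'Contoso-DLP-CreditCard' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization -BlockAccess $true `
    -NotifyUser Owner -NotifyAllowOverride WithJustification `
    -NotifyPolicyTipCustomText 'Sharing card numbers externally is blocked; override requires a justification.'

# 5. AUDIT: confirm unified audit logging is on (default), then look for mass downloads
#    in the last 7 days (the check an alert policy would automate).
(Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled     # expect True
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations FileDownloaded -ResultSize 5000 |
    Group-Object UserIds | Where-Object Count -gt 100 |
    Select-Object Name, Count                                 # users with >100 downloads
```

Two design choices worth noting: the auto-labeling policy starts in TestWithoutNotifications so you can review matches before labels (and therefore encryption) land on real documents, and the DLP rule uses WithJustification rather than a hard block so a legitimate finance workflow is not broken on day one. Retention policies and labels can take up to 7 days to propagate, so do not expect the label to appear in Office apps immediately.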
Enterprise Scenario 1: Financial Institution Complying with SOX
A large bank must comply with the Sarbanes-Oxley Act (SOX), which requires strict controls over financial records. The bank uses Microsoft Purview Compliance Manager with the SOX assessment. They implement customer-managed controls like:
Enabling Audit (Premium) so that access to financial records in mailboxes and SharePoint sites is logged with 1-year retention.
Applying retention labels to financial documents to retain for 7 years.
Using DLP policies to block sharing of financial reports outside the organization.
Configuring sensitivity labels to encrypt sensitive financial data.
In production, the bank has 50,000 users and millions of documents. They use auto-labeling to classify documents based on patterns like account numbers. The compliance score starts at 30 and improves to 85 after implementing controls. A common gap is assuming every mailbox is audited: mailbox auditing is on by default but can be disabled per mailbox, so the team verifies it and confirms unified audit log ingestion is enabled. The bank's compliance team runs monthly reports from Compliance Manager to present to auditors. Performance considerations include the number and complexity of DLP rules (Purview enforces tenant-wide limits on policies and rules, so consolidate rather than sprawl) and retention label processing latency (up to 7 days for full propagation).
Enterprise Scenario 2: Healthcare Organization under HIPAA
A hospital network must comply with HIPAA, which requires protection of electronic protected health information (ePHI). They use Microsoft 365 E5 licenses to access Compliance Manager with the HIPAA assessment. Key implementations:
Sensitivity labels for ePHI (e.g., 'PHI-Confidential') that encrypt emails and documents.
DLP policies that block sharing of ePHI via email or Teams.
Insider Risk Management policies to detect unusual access to patient records.
Retention policies to retain medical records for 6 years (HIPAA requires 6 years for its required documentation; state law may require longer).
In production, the hospital has 10,000 employees. They configure auto-labeling for ePHI using health-related sensitive info types. A common pitfall is not covering all locations: some doctors work on devices rather than in the browser, so they onboard those devices to Endpoint DLP, which extends the same policies to local file actions. The compliance score is used to track progress toward HIPAA compliance. They also use Communication Compliance to detect inappropriate language in patient communications. Performance: DLP policies can cause delays in email delivery if many rules are evaluated; they optimize by scoping policies to specific groups.
Scenario 3: Global Company Adhering to GDPR
A multinational tech company must comply with GDPR, which requires data protection for EU citizens. They use Microsoft Purview Compliance Manager with the GDPR assessment. They implement:
Data Lifecycle Management: Retention labels for personal data that automatically delete after 30 days unless a legal hold is applied.
Data Subject Requests (DSR) tool in the Purview portal to handle deletion or export requests.
Sensitivity labels for 'Personal Data' that restrict access to authorized users.
Audit logging to track all access to personal data.
In production, the company has 100,000 users across 50 countries. They use automated labeling to classify personal data based on conditions like 'EU passport number'. A common issue is that DSRs can be time-consuming if data is scattered across SharePoint, Exchange, and Teams. They use eDiscovery to search and export data. The compliance score helps them demonstrate due diligence to regulators. Misconfiguration: not verifying where tenant data is stored. Data residency follows the tenant's sign-up region, and the Advanced Data Residency add-on extends residency commitments to additional workloads.
What SC-900 Tests on Compliance Concepts
The SC-900 skills outline covers compliance in two places: Domain 1 includes the shared responsibility model and governance, risk and compliance concepts, and the domain 'Describe the capabilities of Microsoft compliance solutions' covers Microsoft Purview. Between them, the sub-objectives include:
Describe the shared responsibility model for compliance.
Describe data lifecycle management and retention policies.
Describe information protection and sensitivity labels.
Describe DLP and auditing.
Describe Compliance Manager and compliance score.
Questions are typically scenario-based, asking you to choose the correct tool or policy for a given requirement. Expect 4-6 questions on this topic.
Common Wrong Answers and Why Candidates Choose Them
Retention Policy vs. Retention Label: Candidates often confuse these. A retention policy applies to a location (e.g., all mailboxes in Exchange), while a retention label applies to individual items. The exam will describe a scenario where you need to retain a specific document for 5 years. The wrong answer is 'create a retention policy' because that would affect all items in the location. The correct answer is 'create a retention label and publish it'.
Compliance Manager vs. Secure Score: Secure Score is for security (vulnerabilities, configurations), while Compliance Score is for regulatory compliance. The exam might ask which tool helps with GDPR compliance. Wrong answer: Secure Score. Correct: Compliance Manager.
Sensitivity Label vs. Retention Label: Sensitivity labels protect data (encrypt, restrict access), retention labels manage lifecycle (keep or delete). A scenario asking to 'prevent unauthorized access' should use a sensitivity label, not a retention label.
DLP vs. Retention: DLP blocks sharing of sensitive data; retention keeps data for a period. If the requirement is 'prevent accidental sharing of credit card numbers', the answer is DLP, not retention.
Specific Numbers and Terms That Appear on the Exam
Audit (Standard) retention: 180 days (older exam material and questions may still say 90 days).
Audit (Premium) retention: 1 year (up to 10 years with the 10-Year Audit Log Retention add-on).
Default retention for deleted items in Exchange: 14 days.
Compliance Score range: 0-100.
Improvement action point values: 27 (mandatory preventative), 9 (discretionary preventative), 3 (mandatory detective or corrective), 1 (discretionary detective or corrective).
Sensitivity labels can be applied manually or automatically.
Retention policies can be configured to retain or delete content.
eDiscovery: Standard and Premium tiers.
Edge Cases and Exceptions
If a retention label is configured to retain for 3 years and then delete, a user can still delete the document from their view, but a copy is preserved (in the Preservation Hold library for SharePoint/OneDrive, or Recoverable Items for Exchange) until the 3 years expire. Only a label that marks the item as a record (or regulatory record) blocks the deletion itself.
If both a retention policy and a retention label apply to the same item, the principles of retention decide: retention wins over deletion, then the longest retention period wins; for deletion, an explicit retention label wins over an implicit retention policy, then the shortest deletion period wins.
DLP policies can be overridden by users with justification, unless configured to block without override.
Compliance Manager does not automatically enforce controls; it only tracks implementation.
How to Eliminate Wrong Answers
Read the scenario carefully: Identify whether the requirement is about protection (sensitivity), retention (lifecycle), or blocking (DLP).
If the scenario mentions a specific regulation (e.g., GDPR), think Compliance Manager.
If it mentions 'classify and protect', think sensitivity labels.
If it mentions 'keep for 7 years', think retention labels or policies.
If it mentions 'monitor user activities', think audit or insider risk management.
Compliance Manager provides a compliance score (0-100) based on implemented controls; it does not enforce controls.
Retention policies apply to locations; retention labels apply to individual items.
Sensitivity labels classify and protect data (encryption, access control); retention labels manage lifecycle.
DLP policies block or warn on sharing of sensitive data; they do not encrypt (the Exchange-only 'encrypt email' DLP action is the exception, but exam questions about encryption point to sensitivity labels).
Audit (Standard) is enabled by default with 180-day retention (90 days in older material); Audit (Premium) requires E5 and extends to 1 year.
The shared responsibility model: Microsoft secures the cloud; customer secures data and configurations.
eDiscovery Standard allows holds and export; eDiscovery Premium adds analytics and machine learning.
Insider Risk Management and Communication Compliance require E5 licensing.
Auto-labeling applies sensitivity labels automatically based on conditions (e.g., credit card pattern).
Records management uses retention labels to mark content as a record, preventing modification or deletion.
These come up on the exam all the time. Here's how to tell them apart.
Retention Policy
Applies to a location (e.g., all Exchange mailboxes, all SharePoint sites).
Cannot be applied manually by users.
Used for broad, organization-wide retention or deletion rules.
Supports adaptive scopes (e.g., specific departments).
Cannot be used for records management.
Retention Label
Applies to individual items (e.g., a specific document or email).
Users can apply manually or automatically via auto-labeling.
Used for granular, item-level retention or deletion.
Supports event-based retention (e.g., employee termination).
Can be used to declare records (regulatory or non-regulatory).
Sensitivity Label
Protects data (encryption, access control, visual markings).
Applies classification (e.g., Confidential, Public).
Can be applied automatically based on sensitive info types.
Integrates with Azure Information Protection.
Does not manage data lifecycle (retention/deletion).
Retention Label
Manages data lifecycle (retain or delete after a period).
Does not provide encryption or access control.
Can be applied automatically based on conditions or events.
Integrates with records management.
Does not classify data for protection.
Mistake
Compliance Manager automatically enforces compliance controls.
Correct
Compliance Manager only provides recommendations and tracks implementation. It does not automatically apply settings; you must manually configure policies (e.g., retention, DLP) based on the recommendations.
Mistake
Retention policies and retention labels are the same.
Correct
Retention policies apply to entire locations (e.g., all mailboxes), while retention labels apply to individual items (e.g., a specific email). Labels are more granular and can be applied automatically based on conditions.
Mistake
Sensitivity labels only classify data without protecting it.
Correct
Sensitivity labels can enforce encryption, access control, and visual markings. They both classify and protect data.
Mistake
DLP policies can encrypt sensitive data when shared.
Correct
DLP policies block or warn on sharing; they do not encrypt (apart from the Exchange-only email encryption action). Encryption is done by sensitivity labels, which use the Azure Rights Management service from Azure Information Protection.
Mistake
Audit (Standard) logging is disabled by default.
Correct
Audit (Standard) logging is enabled by default for all Microsoft 365 organizations. You do not need to enable it manually.
A retention policy applies to entire locations (e.g., all mailboxes in Exchange, all sites in SharePoint) and cannot be applied manually by users. A retention label applies to individual items (e.g., a specific email or document) and can be assigned manually by users or automatically via auto-labeling. Use retention policies for broad, organization-wide rules and retention labels for granular, item-level control. For example, if you need to retain all emails for 3 years, use a retention policy. If you need to retain a specific contract for 7 years, use a retention label.
The compliance score is calculated as (Total achieved points / Total possible points) * 100. Each control in an assessment has a maximum point value (up to 10 points). Achieved points are earned when you implement a control (e.g., enabling MFA). The score is a snapshot of your compliance posture and helps track progress. It does not guarantee actual compliance; it's a tool for managing improvement actions.
Yes. Sensitivity labels can enforce encryption using the Azure Rights Management service (part of Azure Information Protection). When applied, the content is encrypted so that only authorized users can read it. You can configure who has access (e.g., specific users or groups) and what actions they can take (e.g., view only, no forwarding). Encryption is applied at the file level and travels with the document.
Audit (Standard) logging retains audit records for 180 days by default (90 days before October 2023; older study material still says 90). This is enabled for all Microsoft 365 organizations. For longer retention, you need Audit (Premium), which extends retention to 1 year (and up to 10 years for certain logs with the 10-Year Audit Log Retention add-on). Audit (Premium) is available with E5 or add-on licenses.
DLP policies scan content in Exchange, SharePoint, OneDrive, Teams, and endpoints for sensitive data types (e.g., credit card numbers, social security numbers). When a match is found, the policy can block sharing, show a policy tip, or log the event. DLP does not encrypt data; it only prevents unauthorized sharing. Policies can be scoped to specific locations, users, or groups.
eDiscovery Standard allows you to search for content, place holds, and export results. eDiscovery Premium (requires E5) adds advanced features like machine learning-based predictive coding, text analytics, and review sets for large-scale legal cases. Premium also supports culling (reducing the dataset) and tagging for relevance.
Microsoft is responsible for the security of the cloud (physical datacenters, network, hypervisor) and provides certifications (e.g., ISO 27001, SOC 2). The customer is responsible for security in the cloud: managing data classification, user access, retention policies, DLP, and incident response. Compliance Manager helps customers track their responsibilities.