SC-900 | Chapter 82 of 103 | Objective 4.1

Microsoft Purview Compliance Portal

This chapter covers the Microsoft Purview Compliance Portal, a key component of Microsoft's compliance solutions and a frequent topic on the SC-900 exam. You will learn about its core features, including Microsoft Purview Compliance Manager, Information Protection, Data Lifecycle Management, and Insider Risk Management. Approximately 15-20% of SC-900 exam questions touch on compliance solutions, with Purview features being a significant portion. Mastering this chapter is essential for understanding how organizations manage data governance, risk, and compliance in Microsoft 365.

25 min read
Intermediate
Updated May 31, 2026

Purview as Corporate Compliance Hub

Imagine a multinational corporation with offices in 50 countries, each subject to different regulations like GDPR, HIPAA, and SOX. The company hires a central compliance officer who sets up a single, locked room called the "Compliance Hub." This room has several specialized desks: one for labeling sensitive documents (like marking files "Confidential" or "Internal Only"), another for monitoring emails for policy violations, another for managing data retention schedules, and a final desk for generating audit reports. Each desk has its own set of rules, but they all report to the same officer. Employees across the company must follow the rules set by this hub; if an employee tries to send a customer's personal data outside the company, the email monitoring desk intercepts it and either blocks it or encrypts it based on the officer's policies. The officer can also set up automatic alerts when certain actions occur, like a manager accessing HR files after hours. The key point is that all compliance activities are centralized, providing a single pane of glass for the officer to see the entire compliance posture, enforce policies consistently, and produce evidence for auditors. Without this hub, each office would manage compliance independently, leading to gaps, inconsistencies, and audit failures.

How It Actually Works

What is Microsoft Purview Compliance Portal?

The Microsoft Purview compliance portal (formerly the Microsoft 365 compliance center) is the unified web interface for managing data compliance, information protection, data lifecycle, and insider risk across Microsoft 365. It is the central place for configuring and monitoring compliance policies for Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and other workloads. The classic portal at https://compliance.microsoft.com has been folded into the Microsoft Purview portal at https://purview.microsoft.com (the old URL redirects there). Either way, managing settings requires an appropriate role such as Compliance Administrator or Compliance Data Administrator, and everything the portal does can also be scripted with Security & Compliance PowerShell (Connect-IPPSSession), which is how most organizations make their configuration repeatable.

The Purview Compliance Portal is part of the broader Microsoft Purview suite, which also includes Microsoft Purview Data Map and Microsoft Purview Data Estate Insights (for on-premises and multi-cloud data governance). However, for the SC-900 exam, focus is on the compliance portal's capabilities related to Microsoft 365 workloads.

How It Works Internally

The compliance portal is a management layer above the Microsoft 365 workloads. When an admin creates a policy (for example, a DLP policy that blocks sharing of credit card numbers), the policy definition is stored centrally and synchronized to each workload the policy is scoped to, where it is evaluated against content in transit and at rest: Exchange Online evaluates messages in the transport pipeline, SharePoint and OneDrive evaluate files when they are created or changed, Teams evaluates messages as they are sent, and Endpoint DLP relies on the Defender for Endpoint agent on devices. If content matches (say, an email containing a Social Security Number addressed to an external recipient), the configured action runs: block, notify, encrypt, or block with override. Matches surface as alerts, in activity explorer, and in the portal's reports. Distribution is not instantaneous; allow time for a new or changed policy to reach every workload before concluding that it does not work.

Key Components

Microsoft Purview Compliance Manager: A risk assessment tool whose dashboard shows a compliance score (0-100%) built from assessments based on pre-built templates for regulations and standards such as GDPR, ISO 27001, and NIST SP 800-53. Each assessment breaks a regulation into controls and improvement actions. The score is the points earned for completed actions divided by the points available, with actions weighted by type (a mandatory preventative action is worth far more than a discretionary detective one). Technical actions that Microsoft can verify are tested automatically; the rest you mark as implemented and tested yourself, attaching evidence. Custom assessments cover requirements that have no template.

Information Protection: Includes Sensitivity Labels and Data Loss Prevention (DLP). Sensitivity Labels are metadata tags that classify data (e.g., Confidential, Highly Confidential) and can enforce encryption, watermarking, and access restrictions. DLP policies detect and protect sensitive information like credit card numbers, health records, or custom defined types.

Data Lifecycle Management: Manages retention and deletion of data through retention policies and retention labels. Retention policies apply to whole containers (mailboxes, sites, OneDrive accounts, Teams), while retention labels apply to individual items. Either can retain only, delete only, or retain for a period and then delete; only retention labels support disposition review, in which a designated reviewer decides what happens at the end of the period. Records management builds on retention labels: declaring an item a record restricts what can be edited or deleted, and a regulatory record cannot be changed at all.

Insider Risk Management: Analyzes user activity signals (e.g., downloading large amounts of files, accessing sensitive data after hours) to detect potential insider threats. Uses predefined policy templates like Data theft by departing users or General data leaks. Alerts are generated based on risk scores, and analysts can investigate cases with built-in forensic evidence (e.g., file activity logs).

eDiscovery: Lets legal teams search for content across Exchange, SharePoint, OneDrive, Teams, and other workloads and place holds on data for litigation. eDiscovery (Standard), formerly Core eDiscovery, covers case management, holds, search, and export; eDiscovery (Premium), formerly Advanced eDiscovery, adds custodian management, review sets, and machine learning-assisted review.

Audit: Provides unified audit log search across Microsoft 365. Admins can search for specific activities (e.g., user sign-in, file deletion, policy change) and export results. Audit (Standard) retains records for 180 days (the default was 90 days until Microsoft raised it in 2024, and older study material still says 90). Audit (Premium) retains Exchange, SharePoint, and Entra ID audit records for 1 year by default, captures additional high-value events, and can be extended to 10 years with the 10-Year Audit Log Retention add-on license.

Communication Compliance: Monitors communications (email, Teams chats) for inappropriate language, harassment, or policy violations using machine learning classifiers. Creates cases for review.

Compliance Score: The headline metric in Compliance Manager, calculated as the points earned for completed improvement actions divided by the total points available across your assessments. Points depend on an action's type rather than on the regulation: mandatory preventative actions are worth 27 points, discretionary preventative 9, mandatory detective or corrective 3, and discretionary detective or corrective 1. A mandatory preventative action such as requiring multifactor authentication therefore moves the score far more than a discretionary reporting control.

Configuration and Verification

To configure a DLP policy:

1. Navigate to Data Loss Prevention > Policies > Create policy.
2. Choose a template (e.g., Financial data) or start from a custom policy.
3. Select locations: Exchange, SharePoint, OneDrive, Teams chat and channel messages (and Devices if you use Endpoint DLP).
4. Define rules: conditions (e.g., content contains SSN) and actions (e.g., block with override).
5. Run the policy in test mode first (with or without policy tips), review the matches, then turn it on.

To view DLP alerts: Go to Alerts > DLP alerts. To check Compliance Score: Compliance Manager > Overview.

Interaction with Related Technologies

Purview integrates with Microsoft Entra ID (formerly Azure Active Directory) for identity and access control, and with Microsoft Defender XDR (formerly Microsoft 365 Defender) for security signals such as suspicious user activity. Sensitivity labeling is built into Microsoft 365 Apps; the separate Azure Information Protection (AIP) unified labeling client was retired in 2024, and its scanner lives on as the Microsoft Purview Information Protection scanner, which discovers, labels, and applies DLP policies to files on on-premises file shares and SharePoint Server. Exchange Server has its own DLP rules, and Purview retention policies apply only to cloud workloads.

Common Exam Values and Defaults

Audit (Standard) log retention: 180 days (older material says 90 days, the pre-2024 default).

Audit (Premium) retention: 1 year by default; 10 years with the 10-Year Audit Log Retention add-on license.

Compliance Manager templates: Over 300 pre-built assessments.

Sensitivity label encryption: Supports AES 256-bit.

DLP rule evaluation: Content is scanned by the data classification service against sensitive info types. Microsoft ships hundreds of built-in types (the exact count grows over time and is not exam material), and you can add custom types, exact data match, and trainable classifiers.

Insider Risk Management scoring: Each indicator in a policy has a threshold (you can accept Microsoft's recommended thresholds or set your own); activity above threshold raises the user's risk score, and alerts are rated low, medium, or high severity from that score. There is no single global alert threshold.

Exam Traps

A common trap: Confusing the Purview compliance portal with the Azure portal or the Microsoft Defender portal (Microsoft Defender XDR, formerly Microsoft 365 Defender). The compliance portal is specifically for compliance, not security (though some overlap exists). Another trap: Thinking Compliance Score is a security score (it's not; it's a compliance posture score). Also, candidates often mistake retention policies for backup (retention doesn't back up; it prevents deletion or ensures deletion after a period).

Walk-Through

Step 1. Access the Purview Compliance Portal

Navigate to https://purview.microsoft.com (the classic https://compliance.microsoft.com address redirects there) and sign in with an account that holds the Compliance Administrator role or an equivalent. The role can be assigned in the Microsoft Entra admin center, the Microsoft 365 admin center, or from the Purview portal's role groups; use a dedicated admin account protected by MFA rather than a daily-use identity. The portal home page shows cards for Compliance Manager, Information Protection, DLP, and the other solutions. This is the entry point for all compliance activities.

Step 2. Create a Sensitivity Label

Go to Information Protection > Labels > Create a label. Provide a name (e.g., 'Confidential'), a description, and the label's settings: encryption (assign permissions now, or let users assign them when they apply the label), content marking (watermark, header, footer), and auto-labeling conditions for Office apps (sensitive info types or trainable classifiers; a keyword such as 'Project X' needs a custom sensitive info type). Users only see the label once it is published through a label policy, and auto-labeling for content already at rest in SharePoint, OneDrive, or Exchange is a separate auto-labeling policy that can run in simulation first. Once applied, the label and its protection travel with the item: an encrypted document attached to an email stays encrypted wherever the email goes.
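The same label, label policy, and auto-labeling policy built with Security & Compliance PowerShell. This is an added example, not code from the original page or from Microsoft's documentation; the tenant domain contoso.com, the admin account, the rights string, and the use of the built-in SSN sensitive info type as the auto-labeling condition (the page's 'Project X' keyword would need a custom sensitive info type) are assumptions.

```powershell
# Added example (not from the original page). Assumptions: admin@contoso.com holds
# Compliance Administrator; contoso.com is the tenant domain; the SSN sensitive info
# type stands in for the page's 'Project X' keyword condition.
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. Create the label. Encryption grants every contoso.com user view/edit/reply rights
#    and nothing to anyone else; offline access expires after 7 days so a revoked user
#    loses access quickly. Watermark and header are visual markings only.
New-Label -Name 'Confidential' -DisplayName 'Confidential' `
    -Tooltip 'Internal business data; do not share outside Contoso' `
    -ContentType 'File, Email' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions 'contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL' `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText 'Confidential' `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText 'Confidential - Contoso internal'

# 2. Publish it. Users see the label in Office and Outlook; removing or lowering it
#    requires a justification, which is logged and visible in activity explorer.
New-LabelPolicy -Name 'Confidential label policy' -Labels 'Confidential' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -AdvancedSettings @{ RequireDowngradeJustification = 'true' }

# 3. Auto-labeling for content at rest and in transit, started in simulation mode so
#    the matches can be reviewed before any label is applied for real.
New-AutoSensitivityLabelPolicy -Name 'Auto-label SSN as Confidential' `
    -ApplySensitivityLabel 'Confidential' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Name 'SSN present' -Policy 'Auto-label SSN as Confidential' `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1'; minConfidence = '85' } `
    -Workload Exchange, SharePoint, OneDriveForBusiness

# 4. Verify what was created. Labels and policies take time to reach clients, so check
#    the objects here before testing from Word or Outlook.
Get-Label -Identity 'Confidential' | Format-List Name, EncryptionEnabled, ApplyWaterMarkingEnabled, ContentType
Get-LabelPolicy -Identity 'Confidential label policy' | Format-List Name, Labels
Get-AutoSensitivityLabelPolicy -Identity 'Auto-label SSN as Confidential' | Format-List Name, Mode
```

After the simulation has run, switch the auto-labeling policy on with Set-AutoSensitivityLabelPolicy -Identity 'Auto-label SSN as Confidential' -Mode Enable. Keep the manual label policy and the auto-labeling policy separate in your head: the first makes the label available to people, the second applies it without them.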

Step 3. Configure a DLP Policy

In Data Loss Prevention > Policies > Create policy, select a template (e.g., 'U.S. Personally Identifiable Information (PII) Data') or a custom policy. Choose locations: Exchange, SharePoint, OneDrive, Teams (and Devices for Endpoint DLP). Define rules: conditions (e.g., content contains SSN, shared with people outside the organization) and actions (e.g., block access, notify the user, allow override with justification). Start the policy in test mode (with or without policy tips) so that matches are reported but nothing is blocked, review the matches in activity explorer and on the DLP alerts page, tune the sensitive info types, instance counts, and confidence levels, and only then turn the policy on. A policy forgotten in test mode protects nothing.
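The DLP procedure above (and the shorter version in Configuration and Verification) as a Security & Compliance PowerShell script. This is an added example, not code from the original page; admin@contoso.com, the policy and rule names, and the policy tip text are placeholders. The check at the end is the one a practitioner wants: a policy left in a test mode reports matches but never blocks.

```powershell
# Added example (not from the original page). Assumptions: admin@contoso.com holds
# Compliance Administrator; names and policy tip text are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. The policy, scoped explicitly to four locations (nothing is 'all services' by default)
#    and started in test mode: matches are recorded and users see policy tips, but
#    nothing is blocked yet.
New-DlpCompliancePolicy -Name 'US PII - external sharing' `
    -Comment 'Block SSN and payment card numbers leaving the tenant' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 2. The rule. Conditions: one or more SSNs or card numbers at high confidence, shared
#    with someone outside the organization. Actions: block, notify the owner and last
#    modifier, allow an override only with a written justification (which is logged),
#    and send a high-severity incident report to the site admin.
New-DlpComplianceRule -Name 'Block external share of SSN or card numbers' `
    -Policy 'US PII - external sharing' `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1'; minConfidence = '85' },
        @{ Name = 'Credit Card Number';                minCount = '1'; minConfidence = '85' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyAllowOverride WithJustification `
    -NotifyPolicyTipCustomText 'This item contains US PII and cannot be shared outside Contoso.' `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, Detections, Severity `
    -ReportSeverityLevel High

# 3. After reviewing the matches produced in test mode, switch to enforcement.
Set-DlpCompliancePolicy -Identity 'US PII - external sharing' -Mode Enable

# 4. Checks. (a) No policy silently left in a test mode, which reports but never blocks.
Get-DlpCompliancePolicy | Where-Object { $_.Mode -like 'Test*' } |
    Select-Object Name, Mode, WhenChanged
# (b) The policy has actually reached every workload; 'Pending' means keep waiting.
Get-DlpCompliancePolicy -Identity 'US PII - external sharing' -DistributionDetail |
    Format-List Name, Mode, DistributionStatus
```

Two design notes. The two sensitive info types are passed as one array, which the rule treats as an OR; add minCount 10 or a second rule with -BlockAccess $false for a low-volume tier if one SSN in an internal spreadsheet should only warn. And -AccessScope NotInOrganization is what makes this a data-leak rule rather than a discovery rule: without it, the block would fire on files shared only inside the tenant.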

Step 4. Set Up a Retention Policy

Go to Data Lifecycle Management > Microsoft 365 > Retention policies > New retention policy. Name it and choose locations (e.g., Exchange mailboxes, SharePoint sites). Define the retention period (e.g., 7 years), what the period is counted from (when created or when last modified), and the action at the end: retain then delete, retain only, or delete only. Disposition review is not available here; it belongs to retention labels. The policy applies automatically to all content in the selected locations, and it is evaluated under the principle of retention: retention always wins over deletion, the longest retention period wins, and a hold (eDiscovery or litigation) keeps content even after a delete action is due.
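The retention step as a Security & Compliance PowerShell script, extended to show the retention policy and retention label side by side (the distinction the Easy to Mix Up section draws) and the hold check that explains why a delete action sometimes appears to do nothing. This is an added example, not code from the original page; admin@contoso.com, cfo@contoso.com, records-mgmt@contoso.com, and the choice of the ICD-10 sensitive info type as the auto-apply condition are assumptions.

```powershell
# Added example (not from the original page). Assumptions: admin@contoso.com holds
# Compliance Administrator; cfo@contoso.com and records-mgmt@contoso.com are placeholders;
# the ICD-10 sensitive info type stands in for whatever identifies a patient record.
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. Retention POLICY: container level. Every item in every mailbox, site, and OneDrive
#    is kept for 7 years from last modification and then deleted. No user action, no
#    per-item choice, no disposition review.
New-RetentionCompliancePolicy -Name 'Retain 7 years - all mailboxes and sites' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'Keep 7 years then delete' `
    -Policy 'Retain 7 years - all mailboxes and sites' `
    -RetentionDuration 2555 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# 2. Retention LABEL: item level. Declares the item a record (edits and deletion blocked)
#    and ends with a disposition review instead of an automatic delete.
New-ComplianceTag -Name 'Patient record' `
    -Comment 'State law: keep 6 years after last modification, then review' `
    -RetentionAction KeepAndDelete -RetentionDuration 2190 -RetentionType ModificationAgeInDays `
    -IsRecordLabel $true `
    -ReviewerEmail 'records-mgmt@contoso.com'

# 3. A label does nothing until it is published (users can apply it) or auto-applied
#    (the service applies it where the condition matches). Both use a retention policy
#    object as the carrier.
New-RetentionCompliancePolicy -Name 'Publish Patient record' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'Publish Patient record rule' -Policy 'Publish Patient record' `
    -PublishComplianceTag 'Patient record'

New-RetentionCompliancePolicy -Name 'Auto-apply Patient record' `
    -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'Auto-apply Patient record rule' -Policy 'Auto-apply Patient record' `
    -ApplyComplianceTag 'Patient record' `
    -ContentContainsSensitiveInformation @{ Name = 'International Classification of Diseases (ICD-10-CM)'; minCount = '1' }

# 4. Verify distribution; a policy is not live until DistributionStatus is Success.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, DistributionStatus, Workload

# 5. Why a delete action can appear to do nothing: a hold on the mailbox wins. Entries in
#    InPlaceHolds prefixed 'mbx' are retention policies; plain GUIDs and 'UniH' entries
#    are eDiscovery holds. Content stays in Recoverable Items until every hold is gone.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
Get-Mailbox -Identity cfo@contoso.com |
    Format-List LitigationHoldEnabled, LitigationHoldDuration, InPlaceHolds
```

Note the two 'retain then delete' settings express the same action (KeepAndDelete) at different scopes: the policy in step 1 will keep the patient record for at least 7 years even though its label says 6, because the longest retention period wins, and the record label's disposition review still has to approve deletion before anything is actually removed.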

Step 5. Use Compliance Manager to Assess Compliance

In Compliance Manager > Overview, view your compliance score. Select a template (e.g., GDPR) to see all controls. For each control, you can implement improvement actions (e.g., enable MFA) and mark them as implemented. The score updates accordingly. You can also create custom assessments for your own regulations. Compliance Manager provides evidence storage for audit readiness.

What This Looks Like on the Job

Scenario 1: Healthcare Organization Subject to HIPAA

A hospital uses Microsoft 365 for email and document storage. They need to protect patient health information (PHI) and comply with HIPAA. They configure:

- Sensitivity labels: a 'PHI' label with encryption and watermarking, auto-applied to documents containing specific medical terms (a keyword-based custom sensitive info type) or matching built-in medical types such as ICD-10 codes.
- DLP policy: blocks sharing of PHI externally unless it is encrypted, and logs every attempt.
- Retention policy: retains patient records for 6 years per state law, then deletes them.

In production they run policies in test mode first to avoid blocking legitimate workflows. Common issue: overly broad DLP rules cause false positives and need tuning of sensitive info types, instance counts, and confidence levels. They track HIPAA controls in Compliance Manager and reach a score of 85%.

Scenario 2: Financial Services Firm Under SOX

A bank must comply with Sarbanes-Oxley (SOX) for financial reporting. They use:

- eDiscovery: to place legal holds on executives' mailboxes during audits.
- Audit (Premium): to retain audit logs for 1 year, as their regulator requires.
- Insider Risk Management: to detect departing employees downloading large financial datasets before they leave.

They deploy a custom assessment in Compliance Manager for SOX. Scale: audit log volume grows with user count and activity, but Audit (Premium) changes which events are captured and how long they are kept, not ingestion capacity; searches over a year of logs for 10,000 users should be scoped by date range, user, and operation rather than run wide open. Misconfiguration: they set a retention policy to delete mailbox content after 7 years and worried it would purge mailboxes under legal hold; it does not, because holds take precedence and the content stays in Recoverable Items until the hold is released.

Scenario 3: Multinational Corporation Under GDPR

A global company needs to comply with GDPR for EU residents' data. They:

- Use Data Lifecycle Management to automatically delete personal data after 30 days unless a legal hold applies.
- Configure Communication Compliance to monitor for inappropriate handling of personal data in emails.
- Use Compliance Manager's GDPR template to track improvements.

Scale: 50,000 users across 20 countries. They create an 'EU Personal Data' sensitivity label that auto-applies when EU-specific sensitive info types (EU passport, national identification, and tax identification numbers) are detected; labeling is driven by content, not by where the data is stored. Common pitfall: retention labels were never published or auto-applied to the document libraries holding personal data, so nothing was deleted as intended. They resolve it with an auto-apply retention label policy keyed to the same sensitive info types.

What Goes Wrong When Misconfigured

- DLP left in test mode never blocks anything; if an admin forgets to turn the policy on, data keeps leaking while the reports look healthy.
- A retention policy set to delete only, with no retain period, removes data that eDiscovery may later need.
- Insider Risk Management indicator thresholds set too low flood analysts with low-value alerts.
- Compliance Manager improvement actions left unimplemented keep the score low and leave no evidence for auditors.

How SC-900 Actually Tests This

What SC-900 Tests

- Objective 4.1: Describe the capabilities of the Microsoft Purview compliance portal. You need to know the main features: Compliance Manager, Information Protection (sensitivity labels, DLP), Data Lifecycle Management (retention policies, retention labels), Insider Risk Management, eDiscovery, Audit, and Communication Compliance.
- The exam expects you to differentiate between these features and their use cases.
- No deep configuration steps; just conceptual understanding and when to use each feature.

Common Wrong Answers and Why

1. Confusing Compliance Manager with Secure Score: Secure Score is for security posture; Compliance Score is for regulatory compliance. Candidates often pick Secure Score when asked about compliance assessments.
2. Thinking DLP policies apply to all locations by default: they don't; you must select locations (Exchange, SharePoint, OneDrive, Teams, Devices, and so on). A typical trap question asks where DLP can be applied, and options include 'All Microsoft 365 services' (wrong) versus specific services.
3. Believing retention policies back up data: they don't; they only prevent deletion or schedule deletion. Backup is a separate product (for example Microsoft 365 Backup or a third-party backup service).
4. Assuming Insider Risk Management monitors all users automatically: it requires a policy built from a template and scoped to users or groups, with specific indicators (e.g., file downloads) enabled.
5. Mixing up retention labels and retention policies: labels apply to individual items; policies apply to containers (site, mailbox). The exam may ask which to use for a specific scenario.

Specific Numbers and Terms

- Audit (Standard) log retention: 180 days (90 days before 2024).
- Audit (Premium) retention: 1 year by default; extendable to 10 years with the add-on license.
- Compliance Manager score range: 0-100%.
- Built-in sensitive info types for DLP: hundreds (the exact count is not tested).
- Insider Risk Management: per-indicator thresholds (recommended or custom); alerts rated low, medium, or high severity.

Edge Cases and Exceptions

- Retention always takes precedence over user deletion. If a user deletes a document under retention, a copy is kept in the site's Preservation Hold library; a deleted email is kept in the mailbox's Recoverable Items folder.
- Sensitivity labels can be auto-applied using sensitive info types, trainable classifiers (machine learning), or exact data match.
- Communication Compliance supports pre-built classifiers such as Threat, Harassment, Profanity, and Discrimination (the older 'Offensive Language' classifier has been retired in favor of these).

How to Eliminate Wrong Answers

- If a question asks about 'compliance score', eliminate any answer mentioning security vulnerabilities.
- For 'data retention', eliminate options that mention backup or archiving unless the question is specifically about retention.
- For 'preventing data leaks', look for DLP or sensitivity labels, not eDiscovery.
- For 'auditing user activity', look for Audit or Insider Risk Management, not Compliance Manager.

Key Takeaways

The Microsoft Purview compliance portal is the central hub for data compliance in Microsoft 365, accessible at https://purview.microsoft.com (the classic https://compliance.microsoft.com URL redirects there).

Compliance Manager provides a compliance score (0-100%) based on built-in regulatory templates (GDPR, ISO 27001, etc.) and improvement actions.

Data Loss Prevention (DLP) policies detect and protect sensitive information using sensitive info types (hundreds built in, plus custom types) across Exchange, SharePoint, OneDrive, Teams, and devices; each policy is scoped to the locations you select.

Retention policies apply to containers (mailbox, site) and retain or delete data after a specified period; retention labels apply to individual items.

Audit (Standard) retains logs for 180 days; Audit (Premium) retains for 1 year by default and up to 10 years with the add-on license.

Insider Risk Management requires a configured policy with selected users and indicators to detect risky activities.

Sensitivity labels can encrypt (AES 256-bit), watermark, and auto-apply to files and emails, persisting with the data.

Communication Compliance monitors communications for policy violations using machine learning classifiers.

eDiscovery allows legal holds and content search across Microsoft 365 for litigation.

Retention always takes precedence over user deletion; deleted items under retention are kept in the Preservation Hold library (SharePoint and OneDrive) or the Recoverable Items folder (Exchange).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Retention Policy

Applies to containers (mailbox, site, OneDrive account).

Cannot be applied manually by users.

Automatically retains or deletes all content in the container.

No disposition review and no record declaration; the end-of-period action runs automatically.

Best for broad, organization-wide retention requirements.

Retention Label

Applies to individual items (documents, emails).

Users can apply manually, or auto-apply via conditions.

Retains or deletes only the labeled items.

Supports records management (immutable declaration).

Best for granular, item-level retention or classification.

Data Loss Prevention (DLP)

Detects and protects sensitive information (e.g., SSN, credit card).

Actions: Block, notify, encrypt, allow override.

Evaluates content in transit (email) and at rest (SharePoint).

Uses sensitive info types (built-in or custom).

Does not persist with the data after protection.

Sensitivity Labels

Classifies data with metadata (e.g., Confidential).

Actions: Encryption, watermark, header/footer, access restrictions.

Persists with the data wherever it goes (email, file).

Can be auto-applied based on content or context.

Enables persistent protection and tracking.

Watch Out for These

Mistake

Compliance Manager in Purview is the same as Microsoft Secure Score in the Microsoft Defender portal.

Correct

Compliance Manager measures regulatory compliance (e.g., GDPR, ISO 27001) with a compliance score (0-100%). Secure Score measures security posture (e.g., identity, device, and app configuration). They are separate tools in different portals: Compliance Manager lives in the Purview portal, Secure Score in the Microsoft Defender portal.

Mistake

Data Loss Prevention (DLP) policies automatically apply to all Microsoft 365 services once created.

Correct

DLP policies require explicit selection of locations (Exchange Online, SharePoint Online, OneDrive, Teams chat/channel). They do not apply to all services by default. You must choose where the policy is enforced.

Mistake

Retention policies in Microsoft 365 create backups of data.

Correct

Retention policies do not back up data. They ensure data is retained for a specified period (preventing deletion) and optionally deleted after that period. Backup is a separate product (e.g., Microsoft 365 Backup or a third-party backup service).

Mistake

Insider Risk Management automatically monitors all user activities without configuration.

Correct

Insider Risk Management requires you to create a policy based on a template (e.g., Data theft by departing users). You must select users and indicators (e.g., downloading files, accessing sensitive data). It does not monitor all users by default.

Mistake

Sensitivity labels only apply to documents in SharePoint and OneDrive.

Correct

Sensitivity labels can be applied to documents and emails. They travel with the data across Microsoft 365, including attachments in Exchange Online and containers like Teams sites. They also support auto-labeling for files and emails.


Frequently Asked Questions

What is the difference between Microsoft Purview Compliance Portal and Microsoft 365 Defender?

The Microsoft Purview compliance portal focuses on data governance, compliance, and risk management (e.g., DLP, retention, insider risk). Microsoft Defender XDR (formerly Microsoft 365 Defender), managed from the Microsoft Defender portal, is a security suite for threat protection (e.g., anti-malware, anti-phishing, incident response). They serve different purposes: compliance versus security. On SC-900, remember that Purview is for compliance; Defender is for security.

How do I calculate the compliance score in Compliance Manager?

The compliance score is the points earned for completed improvement actions divided by the total points available for the assessments you have added, expressed as a percentage. Points depend on action type, not on how many actions there are: mandatory preventative actions are worth 27 points, discretionary preventative 9, mandatory detective or corrective 3, and discretionary detective or corrective 1. Completing 8 of 10 actions therefore gives 80% only if the completed ones hold 80% of the points; two mandatory preventative actions alone can outweigh the other eight. The score updates as actions are marked implemented and tested (automatically for actions Microsoft can verify, otherwise by you).

Can DLP policies block content in Teams chats?

Yes, DLP policies can be applied to Microsoft Teams chat and channel messages. When creating a DLP policy, you can select 'Teams chat and channel messages' as a location. The policy will evaluate messages in real-time for sensitive information and can block or notify users. This is a common exam scenario.

What happens to a document under a retention policy when a user deletes it?

If a retention policy is set to retain data, deleting the document does not permanently remove it. The document is moved to the Preservation Hold library in SharePoint or the Recoverable Items folder in Exchange, where it remains for the retention period. Only after the retention period ends (and no other holds apply) can it be permanently deleted.

How do I create a custom sensitive info type for DLP?

In the Purview compliance portal, go to Data classification > Classifiers > Sensitive info types > Create sensitive info type. You define one or more patterns, each with a primary element (a regular expression, keyword list, or dictionary), optional supporting elements that must appear within a character proximity, and a confidence level. For example, to detect employee IDs like 'EMP-12345', use the regex EMP-\d{5} (with \b word boundaries so that it does not match inside longer strings) as the primary element, and add supporting keywords such as 'employee id' to a higher-confidence pattern so that an ID sitting next to the keyword scores higher than an ID on its own. For large fixed lists of values, exact data match (EDM) lets you upload a database of the actual values instead.
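The same custom sensitive info type defined as a rule package and uploaded with Security & Compliance PowerShell, then exercised against constructed text. This is an added example, not code from the original page or from Microsoft's documentation; the GUIDs were generated for this example, admin@contoso.com is a placeholder, and the keyword list and confidence levels are choices, not defaults.

```powershell
# Added example (not from the original page). The GUIDs are example values generated for
# this script (replace them with your own from New-Guid); admin@contoso.com is a placeholder.
$rulePack = @'
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="5b3e7d6e-4a7f-4a5a-9a0c-1c2d3e4f5a6b">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso Compliance</PublisherName>
        <Name>Contoso custom sensitive info types</Name>
        <Description>Employee identifiers</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- High confidence (85): the ID plus a supporting keyword within 300 characters.
         Medium confidence (65): the ID pattern on its own. DLP rules can then require
         minConfidence 85 for blocking and use 65 for audit-only detection. -->
    <Entity id="7c8d9e0f-1a2b-4c3d-8e4f-5a6b7c8d9e0f" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_employee_id"/>
        <Match idRef="Keyword_employee_id"/>
      </Pattern>
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_employee_id"/>
      </Pattern>
    </Entity>
    <!-- Word boundaries stop 'TEMP-123456' or 'EMP-123456' from matching -->
    <Regex id="Regex_employee_id">\bEMP-\d{5}\b</Regex>
    <Keyword id="Keyword_employee_id">
      <Group matchStyle="word">
        <Term>employee id</Term>
        <Term>employee number</Term>
        <Term>staff id</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="7c8d9e0f-1a2b-4c3d-8e4f-5a6b7c8d9e0f">
        <Name default="true" langcode="en-us">Employee ID</Name>
        <Description default="true" langcode="en-us">Contoso employee identifier EMP-nnnnn</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
'@

Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Upload the rule package (the cmdlet takes the raw bytes of the XML file).
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.Text.Encoding]::UTF8.GetBytes($rulePack))

# Confirm the type exists and exercise it against constructed sample text:
# the first call should report a match at confidence 85 (ID plus keyword nearby),
# the second at 65 (ID alone), the third nothing (boundary blocks the longer token).
Get-DlpSensitiveInformationType -Identity 'Employee ID' | Format-List Name, Publisher, RecommendedConfidence
Test-DataClassification -TextToClassify 'Please update employee id EMP-12345 in payroll' -ClassificationNames 'Employee ID'
Test-DataClassification -TextToClassify 'Ref EMP-12345' -ClassificationNames 'Employee ID'
Test-DataClassification -TextToClassify 'Ticket TEMP-123456 closed' -ClassificationNames 'Employee ID'
```

Test-DataClassification is the cheap way to tune a type before it drives a blocking rule: iterate on the regex, keywords, and proximity here rather than by waiting for false positives to show up in DLP alerts. Once the type is in the tenant, reference it by name in -ContentContainsSensitiveInformation exactly as you would a built-in type.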

What is the difference between a retention label and a sensitivity label?

A retention label controls how long data is kept and what happens at the end of the period (retain, delete, or both). A sensitivity label controls classification and protection (encryption, watermarking). They can be used together: a document can have both a sensitivity label (Confidential) and a retention label (Retain 7 years).

Can I use Purview Compliance Portal to manage on-premises Exchange?

Only partly, and not through the compliance portal's own policies. Purview retention policies and DLP policies for Exchange apply to Exchange Online mailboxes only; Exchange Server has its own DLP built on mail flow (transport) rules, and a hybrid configuration does not push Purview policies to on-premises mailboxes. What does reach on-premises data is the Microsoft Purview Information Protection scanner, which runs on a Windows server to discover, label, and apply DLP policies to files on on-premises file shares and SharePoint Server document libraries.
