This chapter covers Microsoft Purview, Microsoft's comprehensive set of solutions for data governance, protection, and compliance. For the SC-900 exam, approximately 10-15% of questions relate to compliance solutions, and Purview is central to that objective (4.1). You will learn about Purview's key components—Data Classification, Data Loss Prevention (DLP), Records Management, Retention Policies, Audit, and Compliance Manager—and how they work together to help organizations understand, protect, and govern their data. Mastering this chapter is essential for answering scenario-based questions about compliance controls in Microsoft 365.
Imagine a large corporate headquarters building with a central security control tower. This tower has multiple floors: one floor monitors all incoming and outgoing mail (Exchange Online), another floor oversees every document stored in filing cabinets (SharePoint), a third floor watches conversations in meeting rooms (Teams), and a fourth floor tracks data moving through the building's network (Endpoint). Each floor has its own specialized guards, but they all report to the central control room. The control room has a master log where every event is recorded (Audit Log), a set of rules for how sensitive information must be handled (Data Classification), and a policy board that decides what actions to take when a rule is broken (Data Loss Prevention). If a guard sees a document labeled 'Confidential' being taken out of the building without authorization, they alert the control room, which can automatically lock the door (Block), send an alert, and require the employee to take training. The control room also has a retention schedule: documents are kept for a specific time then shredded (Retention Policies), and some documents are marked as records that cannot be altered (Records Management). The entire operation is governed by a compliance manager who reviews the rules and reports to regulators (Compliance Manager). Microsoft Purview is this integrated control tower for your Microsoft 365 data, providing unified visibility, classification, protection, and governance across all your data estate.
What is Microsoft Purview?
Microsoft Purview is a family of data governance, protection, and compliance solutions that help organizations understand, manage, and protect their data across on-premises, hybrid, and multicloud environments. It was formerly known as Microsoft 365 Compliance Center and Azure Purview, which were merged into a single brand. Purview provides a unified view of data assets, enables data classification, enforces data loss prevention policies, manages records and retention, and simplifies compliance reporting.
Why Purview Exists
Organizations face increasing regulatory requirements (GDPR, HIPAA, CCPA, etc.) and need to protect sensitive data from accidental or malicious exposure. Purview addresses these challenges by offering:
Data Visibility: Know where sensitive data resides across Microsoft 365 services (Exchange, SharePoint, OneDrive, Teams) and beyond.
Data Protection: Prevent unauthorized sharing or leakage of sensitive information.
Data Governance: Manage data lifecycle through retention and deletion policies.
Compliance Management: Assess compliance posture and generate reports for auditors.
Key Components of Microsoft Purview
#### 1. Data Classification
Data Classification is the process of identifying and labeling sensitive data. Purview uses three layers:
Sensitive Information Types (SITs): Predefined or custom patterns that detect sensitive data like credit card numbers, Social Security numbers, or passport numbers. There are over 200 built-in SITs. Each SIT has a confidence level (high, medium, low) based on the proximity of supporting evidence.
Trainable Classifiers: Machine learning models that can classify content based on context, not just patterns. You can use pre-trained classifiers (e.g., for resumes, source code) or train your own using sample documents.
Sensitivity Labels: Labels like 'Confidential', 'General', or 'Highly Confidential' that can be applied manually or automatically. Labels can enforce protection actions such as encryption, watermarking, or access restrictions.
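The pattern, checksum and proximity logic behind a pattern-based SIT, as an added example (a simplified model, not Microsoft's implementation or code from this guide). The window size, keyword list and the rule that maps supporting evidence to high/medium/low are assumptions chosen for illustration.

```python
import re

# Simplified model of a pattern-based SIT. The window size, keyword list and
# tier rules below are assumptions for illustration, not Purview's definitions.
PROXIMITY = 300  # characters inspected on each side of a candidate match
KEYWORDS = ("credit card", "card number", "visa", "mastercard", "cvv", "expiry")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")  # 16 digits, optional separators
EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}\b")   # MM/YY

def luhn_ok(digits):
    """Luhn checksum: filters out most arbitrary 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return (last four digits, confidence) for every card-like match."""
    findings = []
    lowered = text.lower()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue  # primary element failed: no match at any confidence
        lo, hi = max(0, m.start() - PROXIMITY), m.end() + PROXIMITY
        window = lowered[lo:hi]  # supporting evidence only counts nearby
        keyword = any(k in window for k in KEYWORDS)
        expiry = EXPIRY_RE.search(window) is not None
        if keyword and expiry:
            level = "high"
        elif keyword:
            level = "medium"
        else:
            level = "low"
        findings.append((digits[-4:], level))  # never echo the full number
    return findings

# Constructed sample content using well-known test card numbers.
SAMPLES = {
    "payment_email": "Please charge my credit card 4111 1111 1111 1111, expiry 09/27.",
    "card_on_file": "Visa on file: 4111111111111111",
    "shipping_note": "Tracking reference 5500000000000004 shipped Tuesday.",
    "order_id": "Credit card statement for order 1234 5678 9012 3456",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
```

The `order_id` sample produces no finding despite the nearby keyword because the checksum fails, and `shipping_note` stays at low confidence because nothing near the number supports it. Those are the two levers tuned when a policy produces false positives.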
#### 2. Data Loss Prevention (DLP)
DLP policies detect and prevent accidental or intentional sharing of sensitive information. DLP works across Exchange Online, SharePoint, OneDrive, Teams, and endpoints (Windows 10/11). Key elements:
Rules: Conditions (e.g., content contains a SIT, user is external) and actions (e.g., block, notify, allow override).
Actions: Block access, send notification, allow with justification, or block with override.
DLP for Teams: Monitors messages and documents shared in Teams chats and channels.
Endpoint DLP: Extends DLP to files on Windows devices, even when not connected to the internet.
#### 3. Records Management
Records Management helps organizations manage legal or regulatory obligations by designating certain content as records. A record is a document that cannot be altered or deleted—it is immutable. Key concepts:
Retention Labels: Labels that apply retention and/or deletion actions. A label can be set to 'retain forever', 'delete after X days', or 'retain then delete'.
Record Labeling: When a retention label is marked as 'regulatory record' or 'record', the content becomes immutable. Users cannot edit or delete it.
Disposition Review: Before a retention period expires, a manager can review and approve deletion.
#### 4. Retention Policies and Retention Labels
Retention policies are applied at the location level (e.g., all SharePoint sites) and can retain or delete content. Retention labels are applied at the item level (e.g., a specific document). Both can be configured with:
Retention period: Number of days, months, or years. Maximum is 3650 days (10 years) for most policies.
Retention action: Retain content, delete content, or retain then delete.
Start of retention period: When content was created, last modified, or labeled.
#### 5. Audit (Standard and Premium)
Audit logging records user and admin activities across Microsoft 365. There are two tiers:
Standard Audit: Enabled by default for all organizations with eligible licenses. Records up to 90 days of audit logs.
Premium Audit: Requires E5/A5/G5 licenses. Extends retention to 1 year (or up to 10 years with add-on), provides high-value events like when a mailbox was accessed by a non-owner, and enables programmatic access via Graph API.
#### 6. Compliance Manager
Compliance Manager is a dashboard that provides a compliance score based on Microsoft's assessments of controls aligned with regulations (e.g., GDPR, NIST 800-53). It offers:
Assessments: Pre-built templates for over 40 regulations. You can create custom assessments.
Controls: Each control has Microsoft-managed actions and customer-managed actions. You track implementation status.
Compliance Score: A percentage (0-100%) indicating how well you meet the requirements. Actions have points that contribute to the score.
How Purview Interacts with Related Technologies
Purview integrates with:
Microsoft 365 sensitivity labels (from Azure Information Protection) – labels are used in DLP and retention.
Microsoft Defender for Cloud Apps – for cloud app discovery and DLP across third-party SaaS apps.
Microsoft Entra ID (Azure AD) – for user identity and access control.
Microsoft Graph API – for programmatic access to audit logs and classification.
Configuration and Verification
To configure a DLP policy:
Go to Microsoft Purview compliance portal > Data loss prevention > Policies.
Create a policy, choose locations (Exchange, SharePoint, etc.), and define rules.
Test with 'Test mode' before enforcement.
To verify DLP policy matches, use:
Activity Explorer: Shows all DLP rule matches and actions taken.
DLP Alerts: Configure alerts in the policy for high-severity matches.
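To view audit logs:
```powershell
# Run in Exchange Online PowerShell; returns DLP rule matches from the last 7 days.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations "DLPRuleMatch"
```
To view retention labels:
```powershell
# Run in Security & Compliance PowerShell. This cmdlet lists retention policies
# and their mode; retention labels themselves are listed with Get-ComplianceTag.
Get-RetentionCompliancePolicy | Format-Table Name, Mode
```
Exam-Relevant Details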
Sensitivity labels are used for classification and protection; they can be applied automatically based on conditions.
DLP rules can include conditions like: content contains SIT, user is external, or user is a member of a group.
Retention labels are applied manually or automatically; retention policies are applied to locations.
Compliance Manager scores are based on actions taken; not all actions are mandatory.
Premium Audit requires E5 license and provides 1-year retention.
Maximum retention period for most policies is 3650 days (10 years).
Identify Sensitive Data with Classification
First, you run a data classification scan using Microsoft Purview Data Map or Microsoft 365 compliance center. You can use built-in sensitive information types (SITs) like credit card numbers or train a classifier for custom content. The scan identifies files and emails containing sensitive data across Exchange, SharePoint, OneDrive, and Teams. Results appear in Content Explorer and Activity Explorer. You can then apply sensitivity labels automatically based on classification results or manually.
Define DLP Policy Rules
In the Purview compliance portal, navigate to Data loss prevention > Policies. Click 'Create policy' and select a template (e.g., Financial data) or start from scratch. Choose locations: Exchange, SharePoint, OneDrive, Teams, and/or Devices. Define rules: a rule has conditions (e.g., content contains SIT 'Credit Card Number' and user is external) and actions (e.g., block access and notify user). You can set the rule to test mode or enforce it immediately. Each rule can have priority; higher priority rules are evaluated first.
Apply Retention Labels to Content
Retention labels are created in the Records Management section. You define the retention period (e.g., 7 years) and what happens at the end (delete or nothing). Labels can be published so users can apply them manually, or configured for auto-application based on conditions like SITs or keywords. When a label is applied, the content is retained for the specified period. If the label is marked as a 'record', the content becomes immutable—users cannot edit or delete it.
Monitor DLP Matches via Activity Explorer
After DLP policies are enforced, you monitor policy matches in Activity Explorer. It shows each match with details: rule name, location, user, action taken (block, allow override, etc.). You can filter by date, severity, or location. This helps identify false positives or policy violations. You can also set up alerts for specific rules to receive email notifications when a match occurs.
Review Compliance Score in Compliance Manager
Compliance Manager provides a dashboard with your overall compliance score. You select assessments (e.g., GDPR, NIST) and track the implementation of customer-managed actions. Each action contributes points. You can assign actions to people, upload evidence, and record test results. The score updates as you complete actions. The dashboard also shows Microsoft-managed actions that are already in place.
Enterprise Scenario 1: Healthcare Organization Protecting Patient Data
A hospital uses Microsoft 365 E5 and must comply with HIPAA. They configure Purview to automatically detect Protected Health Information (PHI) like Social Security numbers and medical record numbers. They use built-in SITs and create custom ones for patient IDs. DLP policies block sharing of PHI with external users via email and Teams. A retention label 'Patient Record - 7 Years' is auto-applied to documents containing PHI, ensuring they are retained for 7 years then deleted. Compliance Manager is used to track HIPAA controls, and the compliance officer reviews the score weekly. Common issues: false positives from non-PHI data like employee IDs; they fine-tune SITs by adjusting confidence levels.
Enterprise Scenario 2: Financial Services Firm Enforcing Data Governance
A bank uses Purview to manage regulatory requirements from FINRA and SEC. They classify all financial reports as 'Highly Confidential' using trainable classifiers. DLP policies block sharing of these reports with personal email addresses. Retention labels are applied to trade confirmations (retain 6 years) and customer records (retain 10 years). They use Premium Audit to track who accesses sensitive documents and retain logs for 1 year. The compliance team runs disposition reviews quarterly to approve deletion of expired records. Performance considerations: scanning large SharePoint farms can take days; they use incremental scans and limit locations to critical sites.
Scenario 3: Multinational Company Managing Cross-Border Data
A global company with offices in EU and US must comply with GDPR and CCPA. They use Purview to map data residency—data classification shows where personal data resides. DLP policies prevent transfer of personal data from EU to non-EU regions by blocking external sharing to countries not in the EU. Retention labels for HR records vary by country (e.g., 5 years in Germany, 3 years in US). Compliance Manager assessments are run separately for GDPR and CCPA. Common misconfiguration: forgetting to enable DLP for Teams, leading to data leaks via chat.
SC-900 Exam Focus on Microsoft Purview
The SC-900 exam objective 4.1 (Describe the compliance management capabilities in Microsoft 365) specifically tests your understanding of Purview components. Key areas:
Data Classification: Know the difference between sensitive information types (SITs) and trainable classifiers. SITs are pattern-based; trainable classifiers use AI. The exam may ask which to use for detecting resumes (trainable classifier).
DLP: Understand that DLP policies can be applied to Exchange, SharePoint, OneDrive, Teams, and endpoints. Common wrong answer: 'DLP only applies to email.' (Incorrect—it applies to multiple workloads.)
Retention vs. Records: Retention policies keep content for a set period; records are immutable. Trap: 'A retention label always makes content a record.' (False—only if the label is configured as a record label.)
Compliance Manager: Know that the compliance score is based on implemented actions, not just Microsoft's controls. Wrong answer: 'Compliance Manager automatically enforces compliance.' (It only tracks; you must implement actions.)
Audit: Premium Audit provides 1-year retention (not 90 days). The exam may ask which license is needed for Premium Audit (E5).
Default values: Maximum retention period for policies is 3650 days (10 years). Standard Audit retention is 90 days.
Edge cases: DLP for Teams only applies to messages and documents shared in Teams, not to private chats unless explicitly included.
Elimination strategy: If a question asks about 'detecting sensitive data', look for options mentioning SITs or trainable classifiers, not DLP (DLP uses classification but doesn't detect).
Microsoft Purview integrates data classification, DLP, retention, records management, audit, and compliance manager into one solution.
Sensitive Information Types (SITs) are pattern-based; trainable classifiers use AI to detect content based on context.
DLP policies can block, notify, or allow override when sensitive data is shared; they apply to Exchange, SharePoint, OneDrive, Teams, and endpoints.
Retention labels can be applied manually or automatically; only record labels enforce immutability.
Compliance Manager provides a compliance score (0-100%) based on implemented actions; it does not enforce controls.
Standard Audit retains logs for 90 days; Premium Audit (E5) retains for 1 year.
Maximum retention period for policies is 3650 days (10 years).
Purview requires appropriate licensing: E3 for basic features, E5 for advanced like Premium Audit and trainable classifiers.
These come up on the exam all the time. Here's how to tell them apart.
Sensitive Information Types (SITs)
Pattern-based detection using regular expressions
Over 200 built-in types (e.g., credit card, SSN)
Requires exact pattern match; confidence level based on proximity
Cannot learn from examples; must be predefined
Best for structured data like IDs and account numbers
Trainable Classifiers
AI/machine learning based on context
Pre-trained classifiers for resumes, source code, etc.
Can be trained with sample documents (50-500 positive samples)
Learns from examples; adapts to variations
Best for unstructured content like contracts or HR documents
Mistake
Microsoft Purview is just a new name for the Microsoft 365 compliance center.
Correct
Purview combines the former Microsoft 365 Compliance Center and Azure Purview (data governance for on-prem and multicloud) into a unified brand. It includes capabilities for data map, catalog, and scanning beyond M365.
Mistake
DLP policies can only be applied to email.
Correct
DLP policies can be applied to Exchange Online, SharePoint, OneDrive, Teams chats and channels, and Windows endpoints. They cover multiple workloads.
Mistake
Applying a retention label automatically makes the content a record.
Correct
Only retention labels configured as 'record' or 'regulatory record' enforce immutability. Regular retention labels simply retain or delete content without making it a record.
Mistake
Compliance Manager automatically enforces compliance controls.
Correct
Compliance Manager is a dashboard that tracks your compliance posture. It does not automatically enforce controls; you must implement customer-managed actions and upload evidence.
Mistake
Standard Audit logs are retained for 1 year.
Correct
Standard Audit retains logs for 90 days. Premium Audit (E5 license) retains logs for 1 year, extendable to 10 years with an add-on.
A retention policy is applied to a location (e.g., all SharePoint sites or all Exchange mailboxes) and retains or deletes content automatically. A retention label is applied to individual items (e.g., a specific document or email) and can also enforce actions. Labels can be published for manual application or auto-applied based on conditions. Policies are broader; labels are granular.
Go to Data Classification > Classifiers > Sensitive info types > Create. You define a pattern using regular expressions, keywords, and a confidence level. You can also use a dictionary file. Custom SITs are useful for detecting internal project codes or employee IDs. They can be used in DLP policies and auto-labeling.
Yes. DLP for Teams covers messages and documents shared in Teams chats and channels. You must enable Teams as a location in the DLP policy. Note that DLP for Teams does not cover private messages unless you specifically include 'Chat' location (available in some configurations).
Premium Audit requires an E5, A5, or G5 license. It provides 1-year retention of audit logs, high-value events (e.g., mailbox access by non-owner), and programmatic access via Graph API. Standard Audit is included with E3.
The score is calculated based on the percentage of implemented actions (both Microsoft-managed and customer-managed) for each control in an assessment. Each action has a point value. The total points earned divided by total possible points gives the score. The score does not reflect actual security posture, only implementation status.
A pre-trained trainable classifier for 'Resume' can detect resumes even if they don't contain specific keywords. You can also train your own classifier by uploading 50-500 positive samples (e.g., contracts) and 100-500 negative samples. The classifier learns patterns and can be used in auto-labeling or DLP.
Yes, with Azure Purview Data Map (now part of Microsoft Purview). You can register on-premises SQL Server, file servers, and other data sources using self-hosted integration runtime. This extends classification and scanning beyond Microsoft 365.