Saturday, May 2, 2026

Microsoft 365 Security & Compliance (Purview) Complete Guide

Sensitivity Labels · DLP · Retention · eDiscovery · Audit · Insider Risk · Zero Trust · Conditional Access · Scenarios · Cheat Sheet


Table of Contents

  1. Core Concepts — Basics
  2. Information Protection & Sensitivity Labels
  3. Data Loss Prevention (DLP)
  4. Data Lifecycle Management & Retention
  5. eDiscovery, Audit & Insider Risk
  6. Identity Protection & Zero Trust
  7. Scenario-Based Questions
  8. Cheat Sheet — Quick Reference

1. Core Concepts — Basics

What is Microsoft Purview and what does it cover?

Microsoft Purview is the unified data governance, risk, and compliance platform in Microsoft 365 — rebranded from Microsoft 365 Compliance Centre in 2022, consolidating Microsoft Information Protection (MIP) and Azure Purview under one brand.

Core capability areas:

Capability Description
Information Protection Sensitivity labels, encryption, rights management
Data Loss Prevention Detect and prevent oversharing of sensitive information
Data Lifecycle Management Retention policies, retention labels, records management
eDiscovery Search, preserve, and export content for legal investigations
Audit Comprehensive activity logging across M365 services
Compliance Manager Assess compliance posture against regulations (GDPR, ISO 27001, HIPAA)
Insider Risk Management Detect risky user behaviour before data leaks occur
Communication Compliance Monitor communications for policy violations

What are the key Microsoft 365 compliance licence tiers?

Feature E3 E5
Audit log retention 180 days (raised from 90 in 2023) 1 year (+10yr add-on)
eDiscovery Standard Premium (Advanced)
Insider Risk Management No Yes
Communication Compliance No Yes
Endpoint DLP No Yes
Auto-labelling (client-side and service-side) No Yes
Customer Lockbox No Yes
MailItemsAccessed audit Yes (moved into Audit Standard in Microsoft's 2023 logging expansion) Yes

Warning: Always clarify licence tier before designing a compliance solution. Insider Risk, Communication Compliance, and Advanced eDiscovery require E5 or the E5 Compliance add-on.


What is the Microsoft Purview compliance portal?

The Microsoft Purview portal (purview.microsoft.com; the older compliance.microsoft.com address redirects there) is the central management interface.

Key features:

  • Content Explorer: shows WHERE sensitive content lives (which sites, mailboxes, folders)
  • Activity Explorer: shows WHAT is happening to labelled content (label applied, removed, file shared externally)
  • Compliance Manager: compliance score dashboard with improvement actions per regulation
  • Solutions: access to all compliance tools — Information Protection, DLP, Records Management, eDiscovery, Audit

Tip: Content Explorer and Activity Explorer are powerful diagnostic tools: the "where" and the "what" of your data estate.


2. Information Protection & Sensitivity Labels

What are Sensitivity Labels and how do they work?

Sensitivity Labels are metadata tags applied to emails, documents, meetings, and Microsoft 365 containers (Teams, SharePoint sites, M365 Groups) that define how content should be protected.

Typical label taxonomy:
Public              → no restrictions — safe for external sharing
General             → internal use, no encryption
Confidential
  ├── All Employees   → internal only, no encryption
  └── Specific People → encrypted, only named recipients open
Highly Confidential
  └── Restricted     → encrypted, watermarked, no forwarding/copy/print

What a label can enforce:
→ Encryption (Azure Rights Management usage rights): who can open the item, and whether they can edit, copy/extract, print, forward or reply
→ Content marking: header ("CONFIDENTIAL"), footer, watermark
→ Container settings (Teams/SPO sites):
   Privacy: Public or Private (enforced)
   External sharing: blocked
   Unmanaged device access: browser-only or blocked
→ Auto-labelling: apply when sensitive info types detected

Label persistence:
→ Travels with the file wherever it goes
→ Emailed externally, stored in Dropbox, opened on personal device
→ Encryption follows the document — not the location

What is the difference between manual, recommended, and auto-labelling?

  1. Manual labelling: user selects from Sensitivity button in Office apps/Outlook/Teams. Relies on user judgment.

  2. Recommended labelling: client detects sensitive content → pops up recommendation. User can accept or dismiss.

  3. Mandatory labelling: user must select a label before saving or sending — forces deliberate classification.

  4. Auto-labelling (client-side): automatically applies a label when sensitive content is detected while the user works. No user prompt. Works in Office apps; needs the E5 / E5 Compliance (or AIP P2) licence.

  5. Auto-labelling policies (service-side): scan content at rest in SharePoint and OneDrive, and email in transit in Exchange (existing mailbox items are not scanned). Labels are applied by a background service, which catches existing files without user interaction. Runs in simulation mode first so you can check matches before turning it on. Requires E5 / E5 Compliance.

Tip: Service-side auto-labelling policies are the most powerful: they scan ALL existing SharePoint and OneDrive content and label it centrally. The answer to "how do you label millions of existing documents."


What is Azure Rights Management (Azure RMS) and how does it underpin sensitivity labels?

Azure Rights Management is the cloud-based encryption and access control service that enforces sensitivity label protection. (Its usual abbreviation is Azure RMS; "ARM" normally means Azure Resource Manager.)

How it works:
1. User applies "Confidential – Specific People" label to a document
2. The client encrypts the content with a per-document symmetric key (AES-256 in current clients)
3. A publishing licence is embedded in the document: the content key, wrapped with the tenant's RSA key, plus the usage rights (who can access + what they can do)
4. When a recipient opens the document, their identity is verified via Entra ID and Azure RMS issues them a use licence containing the content key and their rights
5. If authorised: the document decrypts in memory and the app enforces the rights
   If not authorised: no use licence is issued, so the document stays encrypted and cannot open

Usage rights Azure RMS can enforce (each granted independently):
VIEW (open/read)        → can read only
EDIT                    → can modify and save the content
COPY / EXTRACT          → can copy content to the clipboard (one right, two names)
PRINT                   → can print
FORWARD                 → can forward (email)
REPLY / REPLY ALL       → can reply (email)
EXPORT                  → can save to an unprotected format (remove protection)
OWNER                   → full control, including changing the rights

Super Users:
→ A designated group that can decrypt ANY Azure RMS-protected content in the tenant
→ Used by eDiscovery administrators, compliance officers and data recovery processes
→ Must be explicitly enabled and populated: the feature is off by default, and every use is logged

3. Data Loss Prevention (DLP)

What is Data Loss Prevention (DLP) in Microsoft Purview?

DLP policies detect and prevent sharing of sensitive information across Microsoft 365. They monitor content, match against sensitive information types or labels, and take protective actions.

DLP policy structure:

1. Locations (where policy applies):
   → Exchange (email)
   → SharePoint Online
   → OneDrive for Business
   → Microsoft Teams chat and channel messages
   → Endpoint devices (Windows/macOS via MDE)
   → Power Platform
   → Microsoft Defender for Cloud Apps

2. Conditions (what triggers the policy):
   → Content contains: SITs (Credit Card, SSN, NHS No., IBAN)
   → Content is labelled: Highly Confidential
   → Being shared: externally / with specific domains
   → Instance count: ≥ 3 credit card numbers

3. Actions (what happens):
   → Block the action (prevent send/share)
   → Block with override (user overrides with justification)
   → Restrict access (accessible to owner only)
   → Show policy tip to user
   → Alert admin / send incident report
   → Quarantine the email
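The policy structure above, built in Security & Compliance PowerShell. This is an added example, not code from the original page: the policy and rule names, the three-credit-card threshold and the incident-report mailbox are assumptions, and it starts in test mode so nothing is blocked until you have reviewed the matches.

```powershell
# Added example (not from the original page): a DLP policy covering Exchange, SharePoint,
# OneDrive and Teams that blocks external sharing of 3+ credit card numbers, allows an
# override with justification, and sends incident reports. Names and addresses are assumed.
# Requires the ExchangeOnlineManagement module and a Compliance Administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # assumed tenant admin

$policyName = "PCI - Credit Card External Sharing"

# 1. Locations. TestWithNotifications = policy tips are shown, but nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Blocks external sharing of 3+ credit card numbers (added example)" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Conditions: the built-in "Credit Card Number" SIT, at least 3 instances at high
#    confidence, and the item is shared with someone outside the organisation.
$creditCards = @{ Name = "Credit Card Number"; minCount = "3"; minConfidence = "85" }

# 3. Actions: block (user may override with a justification), policy tip, incident report.
New-DlpComplianceRule -Name "CC >=3 shared externally" -Policy $policyName `
    -ContentContainsSensitiveInformation $creditCards `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains payment card data and cannot be shared externally." `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport "secops@contoso.com" `
    -IncidentReportContent Title, DocumentAuthor, Detections, Severity, RulesMatched `
    -ReportSeverityLevel High

# Verify what was created, then switch to enforcement once false positives are understood.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, Disabled, AccessScope, BlockAccess, NotifyAllowOverride, ReportSeverityLevel
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leave the policy in test mode for a couple of weeks and review the DLP alerts and Activity Explorer before enabling; a block-with-override rule that fires on invoices and expense reports generates override fatigue long before it stops a real leak.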

What are Sensitive Information Types (SITs)?

SITs are pattern definitions used to detect sensitive data in content — the "what to look for" in DLP and auto-labelling policies.

Type Description
Built-in SITs 300+ pre-defined (Credit Card, SSN, NHS No., IBAN, Passport No.) — use regex + keyword proximity + checksum
Custom SITs Organisation-specific patterns (employee IDs, project codes) — regex + keyword lists + confidence levels
Trainable classifiers AI/ML models trained on document types ("Legal Contract", "HR Document", "Source Code")
Named entities ML-based detection of personal names, addresses, medical terms — context-aware

Custom SIT example — Employee ID:
Pattern: EMP-[0-9]{6}   (e.g., EMP-123456)
Supporting keywords: "employee", "staff ID", "badge number"
Confidence levels:
  High:   pattern match + keyword within 200 chars
  Medium: pattern match alone

Custom SIT use in DLP:
→ Condition: content contains "Employee ID" custom SIT
→ Action: block external sharing, alert HR compliance team
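The Employee ID SIT above as a rule package, uploaded and then tested against sample text. This is an added example, not from the original page: the GUIDs are generated at run time, the publisher name and the confidence values (85 for high, 65 for medium) are assumptions, and the sample strings passed to Test-DataClassification are constructed.

```powershell
# Added example (not from the original page): author and upload the "Employee ID" custom SIT
# as a Purview rule package, then check both confidence levels with Test-DataClassification.
# Publisher name, confidence numbers and sample text are assumptions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # assumed tenant admin

$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()

# patternsProximity="200": for the 85 (high) pattern a keyword must sit within 200 characters
# of the regex match; the 65 (medium) pattern is the regex on its own.
$rulePackXml = @"
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0" />
    <Publisher id="$publisherId" />
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso Security</PublisherName>
        <Name>Contoso Custom SITs</Name>
        <Description>Employee ID custom sensitive information type</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="200" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_EmployeeId" />
        <Match idRef="Keywords_EmployeeId" />
      </Pattern>
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_EmployeeId" />
      </Pattern>
    </Entity>
    <Regex id="Regex_EmployeeId">\bEMP-[0-9]{6}\b</Regex>
    <Keyword id="Keywords_EmployeeId">
      <Group matchStyle="word">
        <Term caseSensitive="false">employee</Term>
        <Term caseSensitive="false">staff ID</Term>
        <Term caseSensitive="false">badge number</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Employee ID</Name>
        <Description default="true" langcode="en-us">Contoso employee identifier EMP-nnnnnn</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# Upload: the cmdlet takes the raw bytes of the XML. To change it later, bump <Version>
# and use Set-DlpSensitiveInformationTypeRulePackage.
$bytes = [System.Text.Encoding]::UTF8.GetBytes($rulePackXml)
New-DlpSensitiveInformationTypeRulePackage -FileData $bytes
Get-DlpSensitiveInformationType -Identity "Employee ID" | Format-List Name, Publisher, RecommendedConfidence

# Constructed samples: the first should classify at 85 (keyword nearby), the second at 65.
(Test-DataClassification -TextToClassify "Badge number for the new starter: EMP-123456" -ClassificationNames "Employee ID").ClassificationResults
(Test-DataClassification -TextToClassify "Ref EMP-654321, see attached" -ClassificationNames "Employee ID").ClassificationResults
```

The word boundaries in the regex matter: without them "TEMP-1234567" would match, which is exactly the sort of false positive that makes users override DLP prompts without reading them.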

What is Endpoint DLP?

Endpoint DLP extends Purview DLP policies to Windows 10/11 and macOS devices enrolled in Microsoft Defender for Endpoint (MDE).

Activities monitored and controlled:

  1. Copy to USB/removable media: block or audit
  2. Copy to network share: prevent unauthorised locations
  3. Upload to cloud services: block personal Dropbox, Google Drive, personal OneDrive
  4. Print: block or audit printing of sensitive files
  5. Clipboard copy: block copying content from sensitive documents
  6. Unallowed apps: prevent opening sensitive files in unauthorised apps

Warning: Endpoint DLP requires devices onboarded to Microsoft Defender for Endpoint. Devices not in MDE are unprotected — a common deployment gap.
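Because the gap described in the warning is silent (a device that is not onboarded simply generates no Endpoint DLP events), a local check is worth having. The function below is an added example, not from the original page: the registry path and the "Sense" service name are Microsoft's, while the device list file used in the fleet-wide call is an assumption.

```powershell
# Added example (not from the original page): confirm a Windows device is actually onboarded to
# Defender for Endpoint, which Endpoint DLP depends on. Registry path and service name are
# Microsoft's; the devices.txt list in the Invoke-Command call is an assumption.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param()
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SenseServiceState = 'Missing'
        OnboardingState   = 'Unknown'
        OrgId             = $null
        Onboarded         = $false
    }
    # "Sense" is the MDE sensor service; absent or stopped means no telemetry and no Endpoint DLP.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseServiceState = $svc.Status.ToString() }

    # OnboardingState becomes 1 once the onboarding package has been applied successfully;
    # OrgId tells you WHICH tenant the device reports to (a common surprise after mergers).
    if (Test-Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey
        $result.OnboardingState = $props.OnboardingState
        $result.OrgId           = $props.OrgId
    }
    $result.Onboarded = ($result.OnboardingState -eq 1 -and $result.SenseServiceState -eq 'Running')
    [pscustomobject]$result
}

# Local check, then the fleet: anything with Onboarded = False is a DLP coverage gap.
Test-MdeOnboarding
# Invoke-Command -ComputerName (Get-Content .\devices.txt) -ScriptBlock ${function:Test-MdeOnboarding} |
#     Where-Object { -not $_.Onboarded } |
#     Format-Table ComputerName, SenseServiceState, OnboardingState, OrgId
```

Compare the OrgId value with your tenant's MDE organisation ID; a device onboarded to a lab or a predecessor tenant reports "Running" and "1" yet never shows up in your Purview DLP alerts.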


4. Data Lifecycle Management & Retention

What are retention policies vs retention labels?

Retention policy: applied to a location (all SharePoint sites, all Exchange). Blunt instrument — retains or deletes everything in that location.

Retention label: applied to individual items. Provides item-level lifecycle management. Can declare items as records.

Retention policy (location-level):
→ Applied to: All SharePoint, All Exchange, All Teams
→ Setting: Retain 3 years, then delete
→ Effect: EVERYTHING in those locations retained for 3 years
→ Users can still delete their copy, but a retained copy is kept (SharePoint/OneDrive: Preservation Hold library; Exchange: Recoverable Items) until the period ends

Retention label (item-level):
→ Applied to: specific documents, emails, or library items
→ Setting: "Contract" label → Retain 7 years, then disposition review
→ Effect: only labelled items have 7-year retention
→ Can declare records (immutable)

Priority rules:
1. Retain wins over delete
2. Longer retention wins over shorter
3. Explicit retention label wins over implicit retention policy
4. Shortest deletion period wins (once all retention has ended and only delete actions remain)

Example:
Retention policy: delete after 3 years
Retention label on item: retain for 7 years
→ RESULT: item kept for 7 years (label wins, longer wins)

Tip: The priority rule is a guaranteed question. "Preserve wins over delete, longer wins over shorter, label wins over policy."
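The priority example above set up for real: a location-wide policy that retains for 3 years then deletes, and a "Contract" retention label that retains for 7 years and ends in a disposition review. This is an added example, not code from the original page; the policy and label names and the reviewer mailbox are assumptions.

```powershell
# Added example (not from the original page): a 3-year location-level retention policy alongside
# a 7-year "Contract" retention label, published to SharePoint and OneDrive. Names and the
# reviewer address are assumptions. Durations are in days (1095 = 3y, 2555 = 7y).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # assumed tenant admin

# Location-level policy: retain everything for 3 years from creation, then delete.
# (A "Delete"-only action would not retain at all; KeepAndDelete is what "retain 3y then delete" means.)
New-RetentionCompliancePolicy -Name "Default 3y retain then delete" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "Retain 3y then delete" -Policy "Default 3y retain then delete" `
    -RetentionDuration 1095 -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# Item-level label: retain 7 years from creation, then a reviewer decides (disposition review).
# Add -IsRecordLabel $true to lock labelled items while retained; -Regulatory $true makes a
# regulatory record and only works after Set-RegulatoryComplianceUI -Enabled $true has been run.
New-ComplianceTag -Name "Contract" -Comment "Contracts: retain 7y, then disposition review" `
    -RetentionAction KeepAndDelete -RetentionDuration 2555 -RetentionType CreationAgeInDays `
    -ReviewerEmail "records@contoso.com"

# Publish the label so users (and auto-apply policies) can apply it in SharePoint/OneDrive.
New-RetentionCompliancePolicy -Name "Publish Contract label" `
    -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "Publish Contract" -Policy "Publish Contract label" `
    -PublishComplianceTag "Contract"

# Check: a document labelled "Contract" on a site covered by the 3-year policy is kept 7 years
# (retain wins, longer wins, label wins). Distribution can take up to a day; confirm before relying on it.
Get-RetentionCompliancePolicy -DistributionDetail | Format-Table Name, Enabled, DistributionStatus
Get-ComplianceTag -Identity "Contract" |
    Format-List Name, RetentionAction, RetentionDuration, RetentionType, ReviewerEmail
```

Note that neither the policy nor the plain "Contract" label stops a user deleting the visible copy; the retained copy lives in the Preservation Hold library. If the business needs deletion blocked, that is what -IsRecordLabel is for.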


What is Records Management and what is a regulatory record?

Record Type Description
Record Locked from editing/deletion during retention. Label CAN be removed by site owner. Most common.
Regulatory record Strictest — label cannot be removed, content cannot be edited or deleted by ANYONE (including Global Admins) during retention period. Requires admin opt-in.
Disposition review At end of retention period — reviewers must approve deletion or extend before auto-deletion. Full audit trail.
File plan Structured classification system mapping business functions to retention labels. Exportable for regulatory review.

Critical: Regulatory records are irreversible. Once declared, no one — including Global Admins — can delete the content until the retention period expires. Test thoroughly before enabling in production.


What is Preservation Lock?

Preservation Lock locks a retention policy so it cannot be turned off or weakened — even by Global Admins. It is permanent and irreversible.

What Preservation Lock prevents:
→ Cannot decrease the retention duration
→ Cannot disable the policy
→ Cannot remove locations

What is still allowed:
→ Can ADD more locations
→ Can EXTEND the retention period (only strengthening)

Use cases:
→ SEC Rule 17a-4(f) — financial services record immutability
→ FINRA, CFTC regulations
→ Any regulation requiring "policies cannot be circumvented by insiders"

Enable via Security & Compliance PowerShell (not available in the portal):
Set-RetentionCompliancePolicy -Identity "SEC Records Policy" `
  -RestrictiveRetention $true

Critical: Preservation Lock is permanent. If you lock a policy with incorrect settings, you cannot fix it. Always test retention policies thoroughly before locking.
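Given that the lock cannot be undone, the Set-RetentionCompliancePolicy call above deserves a pre-flight wrapper. The function below is an added example, not from the original page: it dumps the policy and its rules, refuses to lock a disabled, still-distributing, already-locked or delete-only policy, and uses ShouldProcess so the irreversible step needs an explicit confirmation. The policy name is an assumption.

```powershell
# Added example (not from the original page): a guarded wrapper around the PowerShell-only
# Preservation Lock. Policy name is an assumption. Run after Connect-IPPSSession.
function Invoke-PreservationLock {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$PolicyName)

    $policy = Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail -ErrorAction Stop
    $rules  = Get-RetentionComplianceRule -Policy $PolicyName

    # Show exactly what is about to become immutable: locations and every rule's duration/action.
    $policy | Format-List Name, Enabled, RestrictiveRetention, DistributionStatus,
                          ExchangeLocation, SharePointLocation, OneDriveLocation
    $rules  | Format-Table Name, RetentionDuration, ExpirationDateOption, RetentionComplianceAction

    if ($policy.RestrictiveRetention) { throw "'$PolicyName' is already locked; nothing to do." }
    if (-not $policy.Enabled)         { throw "'$PolicyName' is disabled; enable and validate it first." }
    if ($rules | Where-Object RetentionComplianceAction -eq 'Delete') {
        # The lock exists to guarantee retention; a delete-only rule has nothing worth locking.
        throw "'$PolicyName' contains a delete-only rule; lock only policies that retain."
    }
    if ($policy.DistributionStatus -ne 'Success') {
        throw "'$PolicyName' has not finished distributing ($($policy.DistributionStatus)); wait and retry."
    }

    if ($PSCmdlet.ShouldProcess($PolicyName, 'Apply Preservation Lock (PERMANENT, cannot be undone)')) {
        Set-RetentionCompliancePolicy -Identity $PolicyName -RestrictiveRetention $true
        Get-RetentionCompliancePolicy -Identity $PolicyName | Select-Object Name, RestrictiveRetention
    }
}

# Dry run first; the real call prompts for confirmation because ConfirmImpact is High.
Invoke-PreservationLock -PolicyName "SEC Records Policy" -WhatIf
# Invoke-PreservationLock -PolicyName "SEC Records Policy"
```

Keep the Format-List output with the change record: once locked, the printed settings are the only version of the policy you will ever have.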


5. eDiscovery, Audit & Insider Risk

What are the three levels of eDiscovery in Microsoft Purview?

Level Licence Key Features
Content Search Included (no eDiscovery add-on needed) Search across Exchange/SPO/OneDrive/Teams. Export. No case management, no holds.
eDiscovery (Standard) E3 Case-based. Add custodians, place holds, search within case, export.
eDiscovery (Premium) E5 Custodian management, legal hold notifications, review sets, predictive coding, redaction, chain-of-custody audit.

eDiscovery Standard workflow:
1. Create case: "Smith v Contoso 2025"
2. Add custodians: relevant employees
3. Place holds: preserve Exchange/SPO/OneDrive for custodians
4. Search: keyword + date + sender/recipient filters
5. Review: preview content, identify relevant items
6. Export: PST (email) or file format for legal review

Hold types:
Query-based hold: only items matching search query preserved
Full hold:        ALL custodian content preserved
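The six-step Standard workflow and the two hold types above, run end to end from Security & Compliance PowerShell. This is an added example, not code from the original page: the case name, custodian, OneDrive URL and the KQL queries are assumptions.

```powershell
# Added example (not from the original page): eDiscovery (Standard) workflow in PowerShell.
# Case name, custodian, OneDrive URL and queries are assumptions. Needs an eDiscovery Manager role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # assumed tenant admin

$case      = "Smith v Contoso 2025"
$custodian = "jsmith@contoso.com"
$oneDrive  = "https://contoso-my.sharepoint.com/personal/jsmith_contoso_com"

# 1. Create the case.
New-ComplianceCase -Name $case -Description "Added example case"

# 2-3. Custodian hold. With -ContentMatchQuery this is a query-based hold (only matching items
#      are preserved); omit the rule's query for a full hold of everything in the locations.
New-CaseHoldPolicy -Name "$case - hold" -Case $case `
    -ExchangeLocation $custodian -SharePointLocation $oneDrive -Enabled $true
New-CaseHoldRule -Name "$case - hold rule" -Policy "$case - hold" `
    -ContentMatchQuery '"Project Falcon" AND sent>=2024-06-01'

# 4. Search within the case (KQL), start it, and wait for the estimate to finish.
New-ComplianceSearch -Name "$case - search 1" -Case $case `
    -ExchangeLocation $custodian -SharePointLocation $oneDrive `
    -ContentMatchQuery '"Project Falcon" AND (from:jsmith@contoso.com OR to:jsmith@contoso.com)'
Start-ComplianceSearch -Identity "$case - search 1"
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity "$case - search 1"
} while ($search.Status -ne 'Completed')

# 5. Review the hit estimate per location before exporting anything.
$search | Format-List Name, Status, Items, Size, SuccessResults

# 6. Export: one PST per mailbox, individual files for SharePoint/OneDrive.
New-ComplianceSearchAction -SearchName "$case - search 1" -Export -Format FxStream `
    -ExchangeArchiveFormat PerUserPst -SharePointArchiveFormat IndividualMessage
Get-ComplianceSearchAction -Identity "$case - search 1_Export" | Format-List Name, Status, Results

# Releasing the hold later is a case-team decision, not an admin shortcut:
# Set-CaseHoldPolicy -Identity "$case - hold" -Enabled $false
```

Place the hold before the search, not after: the search itself preserves nothing, and a custodian who is tipped off can empty Recoverable Items in the gap.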

eDiscovery Premium additions:
→ Legal hold notifications: formal notice to custodians via email workflow
→ Review sets: collect evidence, apply tags/annotations/redactions
→ Predictive coding: AI scores relevance — prioritise review
→ Export formats: native, PST, PDF with Bates numbering

What is Microsoft Purview Audit?

Purview Audit captures a comprehensive log of user and admin activities across Microsoft 365.

Audit tiers:
Standard (E3): 180-day retention (raised from 90 days in 2023), standard activities
Premium (E5):  1-year default (10-year add-on), plus additional high-value events and higher API bandwidth

Key activities captured:
SharePoint: FileAccessed, FileDownloaded, FileSharingInvitationCreated,
            SitePermissionsModified, SensitivityLabelApplied
Exchange:   MailItemsAccessed (Premium-only until Microsoft's 2023 logging
            expansion, now in Standard too), Send, SendAs, SendOnBehalf,
            MoveToDeletedItems, SoftDelete, HardDelete, New-InboxRule
Teams:      MeetingParticipantDetail, ChatCreated, MessageSent
Admin:      "Add user.", "Reset user password.", "Add member to role.", Conditional Access policy changes

Search via portal:
Purview → Audit → New search
→ Filter: User, Activity type, Date range, Workload
→ Export to CSV for analysis

PowerShell (Exchange Online module; run Connect-ExchangeOnline first):
# Dates are interpreted as UTC. ResultSize 5000 is the per-call maximum; use -SessionId
# with -SessionCommand ReturnLargeSet to page through larger result sets.
Search-UnifiedAuditLog `
  -StartDate "2025-01-01" -EndDate "2025-01-31" `
  -Operations "FileAccessed" `
  -UserIds "user@contoso.com" `
  -ResultSize 5000

Tip: MailItemsAccessed shows which emails a compromised account READ, not just what it sent. Critical for breach investigations. It was the key E5 audit differentiator until Microsoft moved it (with other high-value mailbox events) into Audit (Standard) in 2023; what E5 still buys is the 1-year retention and the higher API bandwidth for bulk export.
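The single Search-UnifiedAuditLog call above stops at 5,000 records and leaves the interesting fields inside the AuditData JSON. The function below is an added example, not from the original page, that pages through a session and flattens the JSON; it is written for the departing-employee triage in the scenarios section as well, and the UPN, date range and CSV path are assumptions.

```powershell
# Added example (not from the original page): page through the unified audit log with
# -SessionId/-SessionCommand (5,000 per call, 50,000 per session) and flatten AuditData so
# ClientIP, object and user agent are first-class columns. UPN, dates and output path are assumed.
# Run after Connect-ExchangeOnline.
function Get-UalEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string[]]$UserIds,
        [string[]]$Operations
    )
    $sessionId = "ual-$([guid]::NewGuid())"
    $all = New-Object System.Collections.Generic.List[object]
    do {
        $params = @{
            StartDate = $StartDate; EndDate = $EndDate
            SessionId = $sessionId; SessionCommand = 'ReturnLargeSet'
            ResultSize = 5000; Formatted = $true
        }
        if ($UserIds)    { $params.UserIds    = $UserIds }
        if ($Operations) { $params.Operations = $Operations }
        $page = @(Search-UnifiedAuditLog @params)
        if ($page.Count) { $all.AddRange($page) }
    } while ($page.Count -eq 5000)   # a short (or empty) page means the session is exhausted

    # Flatten the AuditData JSON into the columns analysts actually pivot on.
    foreach ($rec in $all) {
        $d = $rec.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time       = $rec.CreationDate
            User       = $rec.UserIds
            Operation  = $rec.Operations
            Workload   = $d.Workload
            ClientIP   = $d.ClientIP
            Object     = if ($d.ObjectId) { $d.ObjectId } else { $d.Subject }
            UserAgent  = $d.UserAgent
            RecordType = $rec.RecordType
        }
    }
}

# Departing-employee triage: downloads, full OneDrive sync and mailbox reads over the notice period.
$events = Get-UalEvents -StartDate '2025-01-01' -EndDate '2025-03-01' `
    -UserIds 'employee@contoso.com' `
    -Operations FileDownloaded, FileSyncDownloadedFull, Send, MailItemsAccessed
$events | Export-Csv .\employee-ual.csv -NoTypeInformation

# Spikes by day and by source IP are the usual first signals; a new IP plus a download spike
# on the same day is worth a closer look before anyone talks to the employee.
$events | Group-Object { $_.Time.ToString('yyyy-MM-dd') } | Sort-Object Name | Format-Table Name, Count
$events | Group-Object ClientIP | Sort-Object Count -Descending | Select-Object -First 10
```

Export the raw CSV first and pivot afterwards: the session that produced it cannot be replayed, and a 180-day Standard retention window closes on its own schedule, not yours.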


What is Insider Risk Management?

Insider Risk Management (IRM) uses Microsoft 365 signals to detect risky user behaviour patterns before they result in data leaks.

Built-in policy templates:

Template Detects
Data theft by departing employee Mass downloads, USB copies, sharing spikes in 90 days before/after last day
General data leaks Unusual uploads to personal cloud, email to personal accounts, USB copies
Data leaks by priority users Enhanced monitoring for executives, employees with elevated access
Security policy violations Repeated disabling of security software, bypassing controls
Patient data misuse Inappropriate access to patient records (Healthcare)

Warning: IRM requires HR and Legal involvement. Only compliance investigators see alerts — not regular managers. Involve your Data Protection Officer before deployment.


What is Communication Compliance?

Communication Compliance monitors internal and external communications for policy violations.

Policy types:
Offensive language / harassment  → detect threats, discrimination in Teams/email/Viva Engage (formerly Yammer)
Financial regulatory compliance  → detect potential SEC/FINRA violations
Confidential info disclosure     → detect inappropriate sharing of business secrets
Conflict of interest             → detect undisclosed conflicts
Custom policies                  → keyword lists, SITs, trainable classifiers

Workflow:
Policy configured → communications captured and analysed
  → ML model scores each communication
  → High-confidence matches → alert for reviewer
  → Reviewer: Resolve / Escalate / Tag / Notify user
  → Full audit trail of all review actions

Requirements:
→ E5 or Communication Compliance add-on
→ Reviewers need Communication Compliance Analyst role
→ Privacy notice to users required in most jurisdictions (legal review)

6. Identity Protection & Zero Trust

What is Microsoft Defender for Office 365?

MDO protects against advanced email threats bypassing basic spam/malware filters.

Feature How It Works
Safe Attachments Opens attachments in a virtual sandbox (detonation) before delivery. Malicious → blocked. Adds 1-5 min delay.
Safe Links Replaces URLs with Microsoft-proxied links. Re-evaluates at time-of-click for malicious content.
Anti-phishing ML detects impersonation attacks, domain lookalikes, spear phishing, BEC.
Attack Simulation Training Send simulated phishing emails. Track who clicked. Auto-enrol clickers in security training.
Threat Explorer Investigate email threats — malicious emails received, delivery actions, users targeted.

Tip: Safe Attachments = sandboxing on delivery. Safe Links = time-of-click re-evaluation. The two are constantly confused, so keep the distinction straight.


What is Zero Trust and how does Microsoft implement it?

Zero Trust assumes breach and requires every access request to be explicitly authorised regardless of network location.

Three Zero Trust principles:

  1. Verify explicitly: authenticate and authorise based on all available signals — identity, location, device health, data classification, anomalies
  2. Use least privilege access: just-in-time, just-enough access; risk-based adaptive policies
  3. Assume breach: minimise blast radius, segment access, verify encryption, use analytics
Microsoft Zero Trust pillars:
Identity        → Entra ID, MFA, Conditional Access, PIM
Endpoints       → Intune, Defender for Endpoint, compliance policies
Applications    → Defender for Cloud Apps, app governance
Data            → Purview sensitivity labels, DLP, encryption
Infrastructure  → Defender for Cloud, RBAC, Azure Policy
Network         → Network segmentation, Defender for Identity, Azure Firewall

Zero Trust access evaluation example:
User accesses SharePoint:
1. Is identity verified? (MFA complete) → Yes
2. Is device compliant? (Intune managed, patches current) → Yes
3. Is location allowed? (not blocked by Conditional Access) → Yes
4. Does the resource demand more? (a site with a sensitivity label can require a Conditional Access authentication context, e.g. fresh MFA or a compliant device only) → Satisfied
All checks passed → access granted with minimum permissions

What is Conditional Access?

Conditional Access is the Entra ID policy engine that evaluates signals and enforces access decisions — the "if/then" engine of Zero Trust.

# Conditional Access policy structure:
WHEN (Assignments):
  Users: All users / Specific groups / Guest users
  Apps:  All cloud apps / Specific apps (SharePoint, Teams)
  Conditions:
    Sign-in risk:    Low / Medium / High (Identity Protection)
    Device platform: Windows / iOS / Android
    Location:        Trusted IP ranges / Named locations / Countries
    Client apps:     Browser / Mobile apps / Legacy auth clients
    Device state:    Compliant / Hybrid joined / Unmanaged

THEN (Access controls):
  Block access
  OR Grant with conditions:
    Require MFA
    Require device compliance (Intune)
    Require Microsoft Entra hybrid joined device
    Require approved client app
  Session controls:
    Sign-in frequency (re-auth every X hours)
    Persistent browser: No (close browser = sign out)
    App-enforced restrictions (browser-only on SharePoint)

Key policies to implement:
1. Require MFA for all users (exclude break-glass accounts)
2. Block legacy authentication (highest-impact single policy)
3. Require compliant device for Office 365 apps
4. Allow SharePoint from personal devices — browser only
5. Block access from high-risk sign-in locations
6. Require MFA for admin roles always

Tip: Blocking legacy authentication is the highest-impact single security action. Legacy auth (POP, IMAP, SMTP AUTH, basic auth) cannot support MFA, which makes it the primary vector for password spray and credential stuffing. Exchange Online switched Basic auth off for most protocols in 2022, but SMTP AUTH and per-tenant exceptions remain, so the Conditional Access block still matters; filter the sign-in logs on "Client app" to see what would break before you enforce it.
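The first two of the key policies above, created with the Microsoft Graph PowerShell SDK in report-only mode. This is an added example, not from the original page: the policy names and the break-glass exclusion group name are assumptions, and an "All users" policy should never be created without that exclusion in place.

```powershell
# Added example (not from the original page): "Block legacy authentication" and "Require MFA for
# all users" via Microsoft Graph PowerShell, both report-only until sign-in logs show the impact.
# Policy names and the CA-Exclude-BreakGlass group are assumptions.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Exclusion group for the emergency-access accounts. Refuse to continue without it.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'" | Select-Object -First 1
if (-not $breakGlass) { throw "Create the break-glass exclusion group before creating All-users policies." }

# Policy 2: block clients that cannot do MFA (Exchange ActiveSync and "other clients" = legacy auth).
$blockLegacy = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 1: require MFA for all users on all cloud apps.
$requireMfa = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Check what exists and which policies are still report-only.
Get-MgIdentityConditionalAccessPolicy | Sort-Object DisplayName |
    Format-Table DisplayName, State, @{ n = 'Block'; e = { 'block' -in $_.GrantControls.BuiltInControls } }
```

Report-only mode writes a "report-only" result into each sign-in log entry, so the legacy-auth impact (service accounts on IMAP, multifunction printers on SMTP AUTH) is visible in the "Conditional Access" tab of the sign-in logs before anyone is locked out.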


What is Privileged Identity Management (PIM)?

PIM provides just-in-time (JIT) privileged access — users hold elevated roles only when needed, for limited time, with approval and audit trail.

PIM role assignment types:
Eligible: user CAN activate the role but is not permanently assigned
Active:   role is live — user has elevated permissions now
Permanent active: always active (break-glass accounts only)

Activation flow:
User requests activation → provides justification → selects duration
  → Approval required from designated approver(s)
  → MFA required at activation
  → Role active for requested duration (max configurable)
  → After duration: role auto-deactivates

Without PIM:
Global Admin → permanently assigned → compromised account
= attacker has Global Admin permanently

With PIM:
Global Admin eligible → user activates for 2 hours when needed
→ Justification: "Creating new app registration for Project X"
→ Approval: IT Security manager approves
→ After 2 hours: role expires automatically
→ Compromised account: attacker has NO elevated access

Key roles to manage in PIM:
Global Administrator, SharePoint Administrator, Exchange Administrator,
Teams Administrator, Security Administrator, Compliance Administrator

Tip: PIM is one of the most impactful Microsoft 365 security controls. Nobody should have permanent standing Global Admin access — always a key recommendation in any security assessment.
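The "without PIM / with PIM" contrast above, done with the Microsoft Graph PowerShell SDK: list standing Global Administrator assignments, make one admin eligible instead, remove their permanent assignment, and show the self-activation request a user submits for a 2-hour window. This is an added example, not from the original page; the user principal name, the one-year eligibility expiry and the justification strings are assumptions.

```powershell
# Added example (not from the original page): replace a standing Global Administrator assignment
# with a PIM eligible assignment and show a 2-hour self-activation. UPN, expiry and justifications
# are assumptions. Needs Privileged Role Administrator (or Global Admin) to run.
Import-Module Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$gaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# 1. Who holds STANDING Global Admin? assignmentType 'Assigned' = permanent/active, not a PIM activation.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "roleDefinitionId eq '$($gaRole.Id)'" -ExpandProperty Principal |
    Where-Object AssignmentType -eq 'Assigned' |
    Select-Object @{ n = 'Principal'; e = { $_.Principal.AdditionalProperties.userPrincipalName } },
                  AssignmentType, StartDateTime, EndDateTime | Format-Table

$user = Get-MgUser -UserId "admin-jane@contoso.com"
$now  = (Get-Date).ToUniversalTime().ToString("o")

# 2. Make the user ELIGIBLE, with an expiry so the eligibility itself gets re-reviewed.
$eligible = @{
    action           = "adminAssign"
    justification    = "Replace standing GA with PIM eligibility (added example)"
    roleDefinitionId = $gaRole.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = $now
        expiration    = @{ type = "afterDateTime"; endDateTime = (Get-Date).AddYears(1).ToUniversalTime().ToString("o") }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# 3. Only after eligibility is confirmed: remove the permanent active assignment.
$remove = @{
    action = "adminRemove"; roleDefinitionId = $gaRole.Id; directoryScopeId = "/"; principalId = $user.Id
    justification = "Standing GA removed; user is now PIM-eligible"
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $remove

# 4. What the user runs to activate for 2 hours. The role settings decide whether MFA and
#    approval are demanded; the request then sits in "PendingApproval" until an approver acts.
$activate = @{
    action           = "selfActivate"
    justification    = "Creating new app registration for Project X"
    roleDefinitionId = $gaRole.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{ startDateTime = $now; expiration = @{ type = "afterDuration"; duration = "PT2H" } }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate
```

Run step 1 on its own first and keep the output: the list of standing Global Admins is the finding, and the break-glass accounts should be the only names left on it when you are done.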


7. Scenario-Based Questions

Scenario: Design a data protection strategy for a financial services firm under GDPR.

  1. Sensitivity label taxonomy: Public / Internal / Confidential (All Staff) / Confidential (Finance) / Highly Confidential (PII). Highly Confidential enforces encryption, no external sharing, watermarking.

  2. Auto-labelling policies: scan all SharePoint and OneDrive content (and Exchange mail in transit) and auto-apply the "Highly Confidential (PII)" label when EU GDPR SITs are detected (EU national IDs, credit cards, IBAN, health info). Run in simulation mode first and review the matches.

  3. DLP policies:

    • Block external sharing of content containing personal data SITs
    • Prevent emailing EU personal data to non-approved domains
    • Endpoint DLP: block USB copy of PII-containing files
  4. Retention policies:

    • 6-year financial records retention (regulatory requirement)
    • Separate 3-year personal data retention (GDPR data minimisation)
    • Disposition review at end of period — human review before deletion
  5. Audit: Audit (Premium) with 1-year log retention. Alerts for mass file downloads and unusual external sharing.

  6. Conditional Access: MFA enforced for all, compliant device required, block legacy auth, browser-only for financial apps on personal devices.

  7. Compliance Manager: track GDPR assessment score, document evidence of controls, work through improvement actions.


Scenario: Suspected data exfiltration by a departing employee. How do you investigate?

  1. Insider Risk Management: check IRM "departing employee" alerts for the user. Review risk timeline showing download spikes, USB activity, cloud upload patterns.

  2. Audit log search (Operations takes an array; ResultSize caps at 5000 per call, so page with -SessionId/-SessionCommand for a long notice period):

    Search-UnifiedAuditLog -StartDate "2025-01-01" -EndDate "2025-03-01" `
      -UserIds "employee@contoso.com" `
      -Operations FileDownloaded, FileSyncDownloadedFull, Send, MailItemsAccessed `
      -ResultSize 5000
    

    Look for: volume/timing of downloads, mass sync, emails to personal accounts, and new source IPs or user agents in the AuditData JSON.

  3. eDiscovery case: create Standard/Premium case. Place hold on employee's Exchange mailbox and OneDrive to preserve evidence immediately.

  4. Content search: search for company IP (product names, internal codenames) in the employee's outbound email to personal addresses.

  5. Endpoint DLP: review DLP incident reports for USB copy activity from the employee's device.

  6. Legal hold notification: if proceeding legally, issue formal hold via eDiscovery Premium custodian management.

  7. Preserve before offboarding: put the mailbox on an eDiscovery or litigation hold (or make sure a retention policy covers it) BEFORE the account is deleted, so the mailbox becomes an inactive mailbox instead of being purged. The same hold or retention policy keeps the OneDrive content beyond the default post-deletion retention window. Do NOT delete the account immediately.


Scenario: A user cannot delete a document they created. Why and how do you resolve it?

Diagnose in order:

  1. Retention label: open the document in SharePoint → View properties → check for an applied retention label. Only a label that marks the item as a record (or regulatory record) blocks deletion; an ordinary "retain" label lets the user delete and keeps a copy in the Preservation Hold library.
  2. Retention policy and eDiscovery hold: check whether a policy or a case hold covers the site. Neither blocks the user's delete (SharePoint keeps a copy in the Preservation Hold library, Exchange in Recoverable Items), so if the delete is genuinely refused the cause is elsewhere.
  3. File lock: the document may be checked out or open for co-authoring by another user; SharePoint refuses to delete a locked file.
  4. SharePoint permissions: the user may lack Delete Items on the library (Read or a custom permission level). A sensitivity label does not control deletion, so check the item's permissions, not the label.

Resolution:

  • Record label: a site owner or records manager can unlock or remove a non-regulatory record label (the action is audited). Regulatory records: cannot be removed until the retention period expires.
  • Retention policy / hold: the visible copy can go; the retained copy stays until the policy expires or the eDiscovery case manager releases the hold. An admin cannot bypass the hold.
  • File lock: have the other user check in or close the file, or let a site owner discard the checkout.
  • Permissions: grant Contribute (or a custom level that includes Delete Items) on the library if the business owner agrees.

Scenario: Implement comprehensive email security for a 1,000-person organisation.

  1. Block legacy authentication (highest-impact single action): Conditional Access → block POP, IMAP, SMTP AUTH, basic auth for all users.

  2. Enforce MFA: Conditional Access → require MFA for all users, all cloud apps. Use Authenticator app (not SMS for sensitive roles).

  3. Enable Defender for Office 365 Plan 2:

    • Safe Attachments: all internal + external email
    • Safe Links: email + Teams + Office apps
    • Anti-phishing: impersonation protection for all executives
  4. Configure email authentication (DNS):

    SPF:   v=spf1 include:spf.protection.outlook.com -all
    DKIM:  Add DKIM signatures via Exchange Admin Centre
    DMARC: v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com
    

    DMARC p=reject stops spoofing of your domain at receivers that honour DMARC. Start at p=none, use the rua aggregate reports to find legitimate third-party senders and add them to SPF/DKIM, then move to p=quarantine and finally p=reject; jumping straight to reject breaks mail from any sender you have not yet authorised.

  5. DLP on email: detect and block exfiltration of sensitive data (credit cards, PII, financial data) via email.

  6. Attack Simulation Training: quarterly phishing simulations. Auto-enrol clickers in security awareness training.

  7. Mailbox audit: mailbox auditing is on by default and MailItemsAccessed has been recorded under Audit (Standard) since 2023. Verify with Get-MailboxAuditBypassAssociation that no sensitive mailboxes (executives, finance, HR) are set to bypass, and keep Audit (Premium) for the 1-year retention a breach investigation needs.

  8. PIM for admin roles: no standing Exchange Admin or Global Admin. Activate via PIM with approval + justification.
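A check for step 4 of the plan above, plus the DKIM enablement it refers to. This is an added example, not from the original page: it reads the SPF, DKIM CNAME and DMARC records for a domain (the domain name is an assumption) using the Windows DnsClient cmdlet, then turns on DKIM signing in Exchange Online once the selectors resolve.

```powershell
# Added example (not from the original page): verify the DNS side of email authentication and
# enable DKIM signing in Exchange Online. Domain name is an assumption. Resolve-DnsName is the
# Windows DnsClient cmdlet; the DKIM cmdlets need the ExchangeOnlineManagement module.
function Test-EmailAuthDns {
    param([Parameter(Mandatory)][string]$Domain)
    $spf   = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
              Where-Object { ($_.Strings -join '') -like 'v=spf1*' }).Strings -join ''
    $dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
              Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' }).Strings -join ''
    # Microsoft 365 DKIM uses two CNAME selectors pointing at the tenant's onmicrosoft.com domain.
    $dkim  = foreach ($s in 'selector1', 'selector2') {
        (Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost
    }
    $dmarcPolicy = if ($dmarc -match '(?:^|;)\s*p=(\w+)') { $Matches[1] } else { 'missing' }
    [pscustomobject]@{
        Domain       = $Domain
        SPF          = $spf
        SPFHardFail  = $spf -like '*-all'          # "~all" soft fail lets spoofed mail land in spam, not bounce
        DKIMCnames   = ($dkim -join ', ')           # empty = selectors not published, DKIM cannot be enabled
        DMARCPolicy  = $dmarcPolicy                 # none -> quarantine -> reject, ramped on rua data
        DMARCReports = [bool]($dmarc -match 'rua=') # without rua you are flying blind during the ramp
    }
}
Test-EmailAuthDns -Domain "contoso.com"

# Enable DKIM signing once both CNAMEs resolve (Exchange admin role required).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
if (-not (Get-DkimSigningConfig -Identity "contoso.com" -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName "contoso.com" -Enabled $true
} else {
    Set-DkimSigningConfig -Identity "contoso.com" -Enabled $true
}
Get-DkimSigningConfig -Identity "contoso.com" | Format-List Domain, Enabled, Selector1CNAME, Selector2CNAME
```

If New-DkimSigningConfig reports that the CNAMEs are missing, the Selector1CNAME and Selector2CNAME values it prints are exactly the records to publish; re-run the DNS check after propagation and enable again.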


Scenario: How do you assess and improve your organisation's compliance posture?

  1. Compliance Manager: navigate to Purview → Compliance Manager. Review compliance score across regulations (GDPR, ISO 27001, NIST, HIPAA). Score is expressed as a percentage of controls implemented.

  2. Improvement actions: Compliance Manager lists specific improvement actions — each with description, implementation guidance, points value, and test status. Prioritise high-point, high-impact actions.

  3. Assessments: create regulation-specific assessments. Map Microsoft-managed controls (what Microsoft does) and customer-managed controls (what you must do).

  4. Evidence collection: for each customer-managed control, upload evidence (policies, screenshots, certificates). Compliance Manager stores evidence for audit.

  5. Regulatory templates: Compliance Manager includes 300+ pre-built templates for global regulations. Use the template for your specific regulation(s).

  6. Action tracking: assign improvement actions to team members with due dates. Track completion status. Compliance Manager integrates with Microsoft Secure Score.


8. Cheat Sheet — Quick Reference

Sensitivity Label Hierarchy

Public → General → Confidential → Highly Confidential

Each level adds more protection:
Public:            No restrictions
General:           Internal only, no encryption
Confidential:      May include encryption, content marking
Highly Confidential: Encryption required, no external sharing, watermark

Declaring an item an immutable record is a RETENTION label function, not a sensitivity level; an item normally carries one sensitivity label and one retention label.

Container label (Teams/SharePoint site):
→ Privacy enforcement (Public/Private)
→ External sharing restriction
→ Unmanaged device restriction
→ Documents inside do NOT inherit the container label; set a default sensitivity label on the document library if you want new files labelled automatically

DLP Policy Quick Reference

Locations:
Exchange (email)         SharePoint         OneDrive
Teams chat/channel       Endpoint devices   Power Platform

Conditions:
Contains SIT             Labelled as        Shared externally
Instance count ≥ N       Recipient domain   File extension

Actions (least to most restrictive):
Policy tip only          Notify + allow     Override with justification
Block with override      Block completely   Quarantine + alert admin

Priority of DLP policies and rules:
Priority 0 = highest; policies and their rules are evaluated in priority order
When an item matches several rules, the most restrictive action is enforced (block beats block-with-override beats notify),
unless a matching rule has "Stop processing more rules" enabled, in which case lower-priority rules are skipped

Retention Priority Rules

Rule 1: Retain wins over delete
  Retention policy says delete after 3 years
  Retention label says retain for 7 years
  → Content retained for 7 years (retain wins)

Rule 2: Longer retention wins over shorter
  Policy 1: retain 3 years
  Policy 2: retain 5 years
  → Content retained for 5 years (longer wins)

Rule 3: Explicit label wins over implicit policy
  Retention policy applies to entire SharePoint site
  Retention label applies to specific document
  → Label settings apply to that document (explicit wins)

Hold priority:
eDiscovery hold > Retention label > Retention policy
(Holds always win — preserve for legal proceedings)

eDiscovery Levels

Content Search (Free):
→ Search across all M365 locations
→ Export results
→ No holds, no case management

eDiscovery Standard (E3):
→ Case management
→ Custodian holds (preserve content)
→ Case-scoped searches and exports

eDiscovery Premium (E5):
→ All Standard features
→ Legal hold notifications to custodians
→ Review sets with tags, annotations, redactions
→ Predictive coding (AI relevance scoring)
→ Chain-of-custody audit trail
→ Multiple export formats with bates numbering

Conditional Access Key Policies

Policy 1 — Require MFA for all users:
  Users: All   Apps: All cloud apps
  Grant: Require MFA
  Exclude: Break-glass accounts, service accounts

Policy 2 — Block legacy authentication (HIGHEST IMPACT):
  Users: All   Apps: All cloud apps
  Conditions: Client apps = Exchange ActiveSync + Other clients
  Grant: Block access

Policy 3 — Require compliant device:
  Users: All   Apps: Office 365
  Grant: Require device compliance (Intune)

Policy 4 — Browser-only for personal devices:
  Users: All   Apps: SharePoint / OneDrive
  Conditions: Device state = Unregistered
  Session: App-enforced restrictions (browser only, no download)

Policy 5 — Admin MFA always:
  Users: All admin roles
  Apps: All cloud apps
  Grant: Require MFA + Require compliant device

PIM Quick Reference

Role states:
Eligible  → can activate, not currently active
Active    → currently has the elevated permissions
Permanent → always active (break-glass accounts only)

Activation settings (configurable per role):
Max duration:          30 minutes to 24 hours
Require justification: Yes (always recommended)
Require approval:      Yes for Global Admin, Security Admin
Require MFA:           Yes always
Notification:          Email to approvers + admin

Recommended roles to manage in PIM:
Global Administrator      Security Administrator
SharePoint Administrator  Exchange Administrator
Teams Administrator       Compliance Administrator
Billing Administrator     User Administrator

Compliance Score Components

Microsoft Purview Compliance Manager score:
Total score = Points achieved / Total points possible × 100

Point categories:
Microsoft-managed controls: scored from Microsoft's own control testing (what Microsoft does for you)
Customer-managed controls:  the part you move by configuring and evidencing controls (what you must configure)
The split between the two depends on the assessment; it is not a fixed ratio.

Priority improvement actions (high points):
→ Enable MFA for all users
→ Enable audit log recording
→ Configure sensitivity labels
→ Enable DLP policies
→ Configure retention policies
→ Enable Safe Attachments and Safe Links
→ Block legacy authentication
→ Enable PIM for privileged roles
→ Configure DMARC, SPF, DKIM
→ Enable Endpoint DLP

Top 10 Tips

  1. Retention priority: preserve beats delete, longer beats shorter, label beats policy. The most tested retention rule there is; know it by heart.

  2. Regulatory records are truly irreversible — once declared, no one including Global Admins can delete the content until retention expires. Always emphasise this for risk-aware recommendations.

  3. Block legacy authentication first — the highest single-impact security action. Legacy auth cannot support MFA and is the primary credential stuffing vector. Always recommend this before anything else.

  4. MailItemsAccessed is the forensic differentiator: it shows which emails a compromised account READ, not just what it sent. Since 2023 it is recorded under Audit (Standard); what E5 adds is the 1-year retention that lets you look back far enough in a breach investigation.

  5. Service-side auto-labelling covers existing content; client-side only works on content users open. Service-side scans ALL existing SharePoint/OneDrive content in the background (and Exchange mail in transit). The answer to labelling millions of existing documents.

  6. PIM = no standing admin access — eligible assignments + JIT activation = minimal blast radius if accounts are compromised. Always recommend PIM over permanent admin roles.

  7. eDiscovery holds trump retention policies — a legal hold preserves content regardless of any retention policy configured to delete. Know this interaction for any litigation scenario.

  8. Preservation Lock is irreversible — only enable after thorough testing. Once locked, you cannot weaken the policy even as Global Admin. Regulatory requirement (SEC Rule 17a-4) is the primary use case.

  9. Endpoint DLP requires MDE onboarding — devices not in Microsoft Defender for Endpoint are not protected. Always check device onboarding coverage when designing Endpoint DLP.

  10. Compliance Manager score is actionable — it's not just a vanity metric. Each improvement action has specific guidance, evidence requirements, and point value. Walk through Compliance Manager to show you know how to systematically improve posture.


