February 23, 2026 | 24 min read | Microsoft 365 Consulting

Microsoft 365 Compliance Guide: Enterprise Framework for Purview, DLP, and eDiscovery

A comprehensive Microsoft 365 compliance guide covering Purview Compliance Manager, Data Loss Prevention policies, retention labels, eDiscovery, and information barriers. Built for enterprises in healthcare, financial services, and government that must meet HIPAA, SOC 2, GDPR, and FedRAMP requirements.

The Microsoft 365 Compliance Landscape in 2026

Microsoft 365 is no longer just a productivity suite—it is the platform where your organization's most sensitive data lives: emails containing patient health information, Teams chats discussing M&A activity, SharePoint documents with financial reports, and OneDrive files with personally identifiable information. Without proper compliance controls, every one of these interactions is a potential regulatory violation and litigation risk.

Microsoft has consolidated its compliance tools under the Microsoft Purview brand, creating a unified compliance and data governance platform. At EPC Group, we have implemented Microsoft 365 compliance frameworks for healthcare organizations managing HIPAA, financial institutions meeting SOC 2, and government agencies achieving FedRAMP compliance. The framework in this guide is what we use with our Microsoft 365 consulting clients.

Microsoft Purview Compliance Manager

Purview Compliance Manager is the central hub for managing your organization's compliance posture across Microsoft 365. It provides a compliance score, pre-built regulatory assessments, and actionable improvement recommendations.

Setting Up Compliance Manager

  • Access Compliance Manager: Navigate to compliance.microsoft.com and select Compliance Manager. Requires Compliance Administrator, Global Administrator, or Compliance Data Administrator role.
  • Review your compliance score: The baseline score reflects Microsoft-managed controls (infrastructure-level protections) already in place. Your starting score is typically 30-40% before any customer actions.
  • Add regulatory assessments: Add assessments for your applicable regulations: HIPAA for healthcare, SOC 2 for SaaS providers, GDPR for EU data processing, PCI DSS for payment card data, and FedRAMP for government contracts. Each assessment adds specific improvement actions.
  • Assign improvement actions: Each assessment contains improvement actions assigned to your organization. Assign these to specific team members (IT security, legal, HR) with due dates. Track completion status through the Compliance Manager dashboard.

Compliance Score Optimization

The compliance score is calculated based on the points value of completed improvement actions relative to total possible points. Focus on high-impact actions first.

| Action Category | Typical Points | Implementation Effort | Priority |
|---|---|---|---|
| Multi-Factor Authentication | 27 points | Medium | Critical |
| DLP Policies | 18-25 points | High | Critical |
| Retention Policies | 15-20 points | Medium | High |
| Sensitivity Labels | 12-18 points | High | High |
| Information Barriers | 8-12 points | High | Medium |
| Audit Log Retention | 6-10 points | Low | Medium |

Data Loss Prevention (DLP) Policies

DLP policies are the first line of defense against accidental or intentional data leakage in Microsoft 365. They monitor content across Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and Windows endpoints for sensitive information types and enforce protective actions.

Designing DLP Policies by Regulation

The most effective approach is to design DLP policies around your regulatory requirements, not around individual data types. This ensures comprehensive coverage and simplifies policy management.

  • HIPAA DLP Policy: Detect Protected Health Information (PHI) including patient names + medical record numbers, diagnoses, medications, insurance IDs. Locations: Exchange, SharePoint, OneDrive, Teams, Endpoints. Actions: Block external sharing, require encryption for emails, notify compliance officer, log all incidents. EPC Group implements this for healthcare clients as part of our HIPAA compliance framework.
  • PCI DSS DLP Policy: Detect credit card numbers (Visa, Mastercard, Amex patterns), CVV codes, and cardholder data. Locations: All Microsoft 365 locations. Actions: Block sharing, encrypt, notify security team. Consider endpoint DLP to prevent copying to USB drives.
  • GDPR DLP Policy: Detect EU personal data: national ID numbers, passport numbers, IBAN codes, and personal data of EU residents. Locations: Exchange, SharePoint, Teams. Actions: Notify data protection officer, require justification for external sharing, log for DPIA reporting.
  • Financial Data DLP Policy: Detect banking information, financial statements, and material non-public information. Locations: Exchange, Teams (especially relevant for information barriers). Actions: Block external sharing, require manager approval, audit trail for SOC 2.

DLP Policy Best Practices

  • Start in test mode: Deploy all DLP policies in "test with notifications" mode for 2-4 weeks before enforcement. Review false positive rates and tune detection rules. This prevents disrupting legitimate business processes.
  • Use custom sensitive information types: Standard SITs cover common patterns, but every organization has unique data formats (employee IDs, account numbers, proprietary formats). Create custom SITs using exact data match (EDM) for the highest accuracy.
  • Implement policy tips: Enable policy tips that educate users in real-time when they are about to share sensitive content. Policy tips reduce violations by 60-70% by catching accidental sharing before it happens.
  • Leverage trainable classifiers: For unstructured sensitive content that pattern matching cannot detect (legal privilege, financial projections), use Microsoft 365 trainable classifiers trained on your organization's actual content.
  • Configure escalation workflows: Route DLP alerts to the appropriate compliance team using severity levels: Low (email notification), Medium (Teams alert + incident), High (immediate compliance officer notification + automatic block).
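
The HIPAA policy from the list above, deployed the way the best practices describe (test mode first, severity-tiered rules), as an added Security & Compliance PowerShell example that is not part of the original article. The policy and rule names, the compliance-officer address and the contoso.com tenant are assumptions; the sensitive information type names are Microsoft's built-in ones.

```powershell
# Added example, not from the original article: a HIPAA-style DLP policy built
# with Security & Compliance PowerShell (Connect-IPPSSession from the
# ExchangeOnlineManagement module). The SIT names are Microsoft built-ins;
# the policy and rule names and the compliance-officer address are assumptions.
Connect-IPPSSession

$policyName = 'HIPAA - PHI Protection'
$officer    = 'compliance-officer@contoso.com'   # assumed recipient for incident reports

# Scope: the article's Exchange, SharePoint, OneDrive and Teams locations.
# Endpoint coverage is added separately with -EndpointDlpLocation on E5 tenants.
# TestWithNotifications = users see policy tips, nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect PHI; block external sharing after the 2-4 week test period' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types that approximate PHI identifiers.
# minCount 1 fires on a single match; raise it if false positives are high.
$phiTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
    @{ Name = 'International Classification of Diseases (ICD-10-CM)'; minCount = '1' },
    @{ Name = 'Drug Enforcement Agency (DEA) Number'; minCount = '1' }
)

# High-severity rule: PHI shared with people outside the organization is blocked,
# the owner sees a policy tip, and an incident report goes to the officer.
New-DlpComplianceRule -Name 'PHI shared externally - block' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $phiTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item appears to contain PHI and cannot be shared outside the organization.' `
    -GenerateIncidentReport $officer `
    -IncidentReportContent DocumentAuthor, DocumentLastModifier, Service, Title, Detections `
    -ReportSeverityLevel High

# Low-severity rule: PHI that stays internal is logged only, matching the
# "Low = email notification" tier of the escalation workflow.
New-DlpComplianceRule -Name 'PHI internal - audit only' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $phiTypes `
    -AccessScope InOrganization `
    -GenerateIncidentReport $officer `
    -IncidentReportContent Detections, Service, Title `
    -ReportSeverityLevel Low

# Review the result; after tuning, move the policy to enforcement with:
#   Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Workload
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, ReportSeverityLevel, BlockAccess
```

Run it against a test tenant first; Connect-IPPSSession prompts for an account holding the Compliance Administrator role.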

Retention Policies and Labels

Data retention is a compliance requirement in virtually every regulated industry. Microsoft 365 retention policies and labels ensure that data is retained for the required period, disposed of when no longer needed, and protected from deletion during legal holds.

Retention Policy Architecture

Retention Policies (Broad)

Apply to entire locations: all Exchange mailboxes, all SharePoint sites, all Teams channels. Best for baseline retention (retain everything for 7 years, then delete). Simple to manage at scale. Cannot apply disposition review.

Retention Labels (Granular)

Apply to individual items: specific emails, documents, Teams messages. Support records management, disposition review, and event-based retention. Can be auto-applied using conditions, trainable classifiers, or SITs. Required for regulatory records.

Industry Retention Requirements

| Regulation | Data Type | Retention Period | Recommended Approach |
|---|---|---|---|
| HIPAA | Medical records | 6-10 years (state-dependent) | Retention label with disposition review |
| SOX | Financial records | 7 years | Retention policy + label for key records |
| GDPR | Personal data | As long as necessary (purpose limitation) | Retention label with auto-deletion after purpose fulfilled |
| SEC Rule 17a-4 | Broker-dealer communications | 3-6 years | Retention label with regulatory record lock |
| FedRAMP | System audit logs | 1-3 years (per control family) | Retention policy with extended audit log retention |

Auto-Apply Retention Labels

Manual labeling is unreliable at scale. Use auto-apply policies to automatically apply retention labels based on sensitive information types (documents containing SSNs get labeled "PII - 7 Year Retention"), keywords or searchable properties (documents in specific libraries), and trainable classifiers (contracts, financial statements, HR documents). Auto-apply reduces compliance gaps from user non-compliance and ensures consistent retention across the entire organization.
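
The broad baseline policy, the granular record label and the auto-apply rule described in this section, as an added Security & Compliance PowerShell example that is not from the original article. The policy and label names, the reviewer address and the 7-year period (2555 days) are assumptions.

```powershell
# Added example, not from the original article: the broad-policy plus granular-label
# design from this section, in Security & Compliance PowerShell. The names, the
# reviewer address and the 7-year period (2555 days) are assumptions.
Connect-IPPSSession

# 1. Broad baseline policy: every mailbox, site, OneDrive and M365 Group.
New-RetentionCompliancePolicy -Name 'Baseline - Retain 7 Years' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ModernGroupLocation All

# The rule carries the actual retention setting: keep 7 years from last
# modification, then delete. No disposition review is possible at this tier.
New-RetentionComplianceRule -Name 'Baseline - Retain 7 Years Rule' `
    -Policy 'Baseline - Retain 7 Years' `
    -RetentionComplianceAction KeepAndDelete `
    -RetentionDuration 2555 `
    -ExpirationDateOption ModificationAgeInDays

# 2. Granular label: a record label (item cannot be edited or deleted while
#    retained) that ends in disposition review instead of silent deletion.
#    For the SEC 17a-4 "regulatory record lock" add -Regulatory $true after
#    running Set-RegulatoryComplianceUI -Enabled $true; regulatory labels
#    cannot be removed once applied, so test with a plain record label first.
New-ComplianceTag -Name 'PII - 7 Year Retention' `
    -Comment 'Records containing personal data; reviewed before disposal' `
    -IsRecordLabel $true `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType ModificationAgeInDays `
    -ReviewerEmail 'records-manager@contoso.com'

# 3. Auto-apply the label wherever a built-in SIT matches, so retention does
#    not depend on users labelling items by hand.
New-RetentionCompliancePolicy -Name 'Auto-apply PII Label' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All

New-RetentionComplianceRule -Name 'Auto-apply PII Label Rule' `
    -Policy 'Auto-apply PII Label' `
    -ApplyComplianceTag 'PII - 7 Year Retention' `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }

# Verify: label settings and both policies.
Get-ComplianceTag -Identity 'PII - 7 Year Retention' |
    Format-List Name, IsRecordLabel, RetentionAction, RetentionDuration, RetentionType, ReviewerEmail
Get-RetentionCompliancePolicy | Select-Object Name, Enabled, Workload
```

Auto-apply policies can take up to seven days to label existing content, so verify coverage with content explorer before relying on them for a regulatory deadline.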

eDiscovery: Legal Hold and Investigation

eDiscovery in Microsoft 365 enables legal teams to identify, preserve, collect, and produce electronically stored information for litigation, regulatory investigations, and internal inquiries. Microsoft offers three tiers of eDiscovery capability.

eDiscovery Tiers Comparison

| Feature | Content Search | eDiscovery (Standard) | eDiscovery (Premium) |
|---|---|---|---|
| License Required | E3 | E3 | E5 / E5 eDiscovery add-on |
| Search Locations | All M365 content | All M365 content | All M365 + non-M365 sources |
| Legal Hold | No | Yes (case-based) | Yes (custodian-based) |
| Custodian Management | No | No | Yes |
| Near-Duplicate Detection | No | No | Yes |
| Predictive Coding | No | No | Yes (AI-assisted review) |
| Conversation Threading | No | No | Yes (Teams, email) |

eDiscovery Best Practices

  • Implement preservation holds proactively: Do not wait for litigation to establish hold procedures. Create a legal hold workflow that can be activated within 24 hours of a hold notice. Include Teams data, OneDrive files, Exchange mailboxes, and SharePoint content.
  • Use custodian management (Premium): Identify key custodians, map their data sources (primary mailbox, OneDrive, Teams channels they are in, SharePoint sites), and place holds at the custodian level rather than searching broadly.
  • Leverage predictive coding: For large matters with millions of documents, use eDiscovery Premium predictive coding (relevance scoring) to prioritize review. This reduces review volume by 60-80% compared to linear review.
  • Document the process: Maintain detailed records of search queries, hold notifications, collection procedures, and chain of custody. Courts require defensible processes, not just results.
  • Train legal teams on self-service: Enable legal team members to run their own searches and hold operations without IT involvement for every request. This reduces response time and frees IT resources.
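
The proactive hold workflow from the first practice above, written as a Security & Compliance PowerShell runbook that can be executed as soon as a hold notice arrives. This is an added example, not from the original article; the case name, custodians and site URLs are constructed placeholders.

```powershell
# Added example, not from the original article: an eDiscovery (Standard)
# legal-hold runbook in Security & Compliance PowerShell. Case name,
# custodians and URLs below are constructed placeholders.
Connect-IPPSSession

$caseName   = 'Matter 2026-004 - Contract Dispute'          # assumed case name
$custodians = @('jdoe@contoso.com', 'asmith@contoso.com')   # assumed custodians
$sites      = @(
    'https://contoso.sharepoint.com/sites/ProjectAtlas',           # assumed team site
    'https://contoso-my.sharepoint.com/personal/jdoe_contoso_com'  # assumed OneDrive
)

# 1. The case that owns the hold and, later, the searches and exports.
New-ComplianceCase -Name $caseName -Description 'Hold notice received 2026-02-20 (assumed)'

# 2. Hold policy over the custodians' mailboxes (Teams 1:1 and group chats are
#    stored there; add a team's group mailbox to cover channel messages) plus
#    the SharePoint and OneDrive locations.
New-CaseHoldPolicy -Name "$caseName - Hold" `
    -Case $caseName `
    -ExchangeLocation $custodians `
    -SharePointLocation $sites `
    -Enabled $true

# 3. Hold rule. Without -ContentMatchQuery every item in those locations is
#    preserved; add a KQL query (date range, keywords) only if the notice
#    permits narrowing the scope.
New-CaseHoldRule -Name "$caseName - Hold Rule" -Policy "$caseName - Hold"

# 4. Evidence for the defensibility file: who was placed on hold, where, when.
Get-CaseHoldPolicy -Case $caseName -DistributionDetail |
    Select-Object Name, Enabled, WhenCreated, ExchangeLocation, SharePointLocation, DistributionStatus
```

Save the output of step 4 with the hold notice itself; the distribution status shows whether the hold has actually propagated to each location.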

Information Barriers

Information barriers in Microsoft 365 prevent specific groups of users from communicating with each other through Teams, SharePoint, and OneDrive. This is essential for financial institutions that must maintain ethical walls between investment banking and research departments, and for organizations managing conflicts of interest.

  • Segment definition: Define user segments based on Azure AD attributes (department, company, custom attributes). Segments represent groups that should be separated, such as "Investment Banking" and "Equity Research."
  • Policy types: Create "block" policies that prevent two segments from communicating, or "allow" policies that permit communication only with specified segments. Block policies are most common for regulatory compliance.
  • Affected applications: Information barriers apply to Teams (chat, channels, meetings), SharePoint (site access), and OneDrive (file sharing). Users in blocked segments cannot find each other in the Teams people picker or share files with each other.
  • Implementation considerations: Information barriers require careful planning. Audit existing cross-department Teams and SharePoint access before enabling barriers. Communicate changes to affected users. Test in a pilot group before organization-wide deployment.
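
The segment and block-policy model described above, as an added Security & Compliance PowerShell example that is not in the original article. The two department values are assumptions and must match the Department attribute on the user objects; the policies are created inactive so the pilot review the last bullet calls for can happen first.

```powershell
# Added example, not from the original article: information barrier segments
# and block policies in Security & Compliance PowerShell. Department values
# are assumptions and must match the Department attribute of the users.
Connect-IPPSSession

# 1. Segments from a user attribute. Every user to be separated must fall into
#    exactly one segment; users in no segment are unaffected.
New-OrganizationSegment -Name 'Investment Banking' -UserGroupFilter "Department -eq 'Investment Banking'"
New-OrganizationSegment -Name 'Equity Research'    -UserGroupFilter "Department -eq 'Equity Research'"

# 2. Block policies are directional, so define both directions. Created
#    Inactive so they can be reviewed before taking effect.
New-InformationBarrierPolicy -Name 'IB - Banking blocked from Research' `
    -AssignedSegment 'Investment Banking' `
    -SegmentsBlocked 'Equity Research' `
    -State Inactive
New-InformationBarrierPolicy -Name 'IB - Research blocked from Banking' `
    -AssignedSegment 'Equity Research' `
    -SegmentsBlocked 'Investment Banking' `
    -State Inactive

# 3. Pilot check before activation: confirm the segment filters and policies.
Get-OrganizationSegment | Select-Object Name, UserGroupFilter
Get-InformationBarrierPolicy | Select-Object Name, AssignedSegment, SegmentsBlocked, State

# 4. Activate and apply. Application runs asynchronously across the tenant;
#    poll the status until it reports completion.
Get-InformationBarrierPolicy | Where-Object { $_.Name -like 'IB - *' } |
    ForEach-Object { Set-InformationBarrierPolicy -Identity $_.Identity -State Active }
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus
```

Existing Teams and SharePoint memberships that span the two segments are not silently fixed by activation; audit them first, as the bullet above recommends, or users will lose access without warning.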

Compliance for Regulated Industries

Each regulated industry has specific compliance requirements that map to Microsoft 365 features. Here is how EPC Group approaches compliance configuration for key industries.

Healthcare (HIPAA)

  • Execute a Microsoft Business Associate Agreement (BAA) before storing PHI in Microsoft 365
  • Implement DLP policies for all 18 HIPAA identifiers (name, DOB, SSN, medical record number, etc.)
  • Enable sensitivity labels: "PHI - Confidential" with encryption and access restrictions
  • Configure audit log retention for 7+ years (HIPAA minimum 6 years)
  • Implement conditional access policies requiring MFA and compliant devices for PHI access

Financial Services (SOC 2 / SEC)

  • Configure information barriers between conflicted departments (investment banking, research, trading)
  • Implement communication compliance policies to monitor for insider trading language
  • Enable retention labels with regulatory record lock for SEC Rule 17a-4 compliance
  • Deploy DLP policies for financial data (account numbers, trade confirmations, client PII)
  • Configure privileged access management for administrator actions on compliance data

Government (FedRAMP)

  • Use Microsoft 365 GCC or GCC High environments for government data (not commercial M365)
  • Implement NIST 800-53 control families using Compliance Manager assessments
  • Configure continuous monitoring with Microsoft Defender for Cloud Apps
  • Enable advanced audit logging with 1-year retention (10-year for high-impact systems)
  • Implement data loss prevention for Controlled Unclassified Information (CUI) markings

Building Your Compliance Roadmap

Do not attempt to implement all compliance features simultaneously. A phased approach ensures proper configuration and user adoption and reduces the risk of business disruption.

  • Phase 1 (Weeks 1-4) - Foundation: Multi-factor authentication, Compliance Manager assessment, baseline retention policies, audit log configuration
  • Phase 2 (Weeks 5-8) - Protection: DLP policies (test mode), sensitivity labels, conditional access policies, device compliance requirements
  • Phase 3 (Weeks 9-12) - Governance: DLP enforcement, auto-apply retention labels, eDiscovery procedures, AI governance integration for Copilot compliance
  • Phase 4 (Ongoing) - Optimization: Information barriers, insider risk management, communication compliance, continuous Compliance Manager score improvement

Partner with EPC Group for Microsoft 365 Compliance

EPC Group brings 25+ years of Microsoft ecosystem expertise and deep compliance knowledge to every Microsoft 365 compliance engagement. Our team includes certified compliance administrators, information protection specialists, and industry-specific regulatory experts who understand the technical implementation and the regulatory context.

Our Microsoft 365 compliance engagements include: regulatory gap analysis, Compliance Manager optimization, DLP policy design and deployment, retention framework implementation, eDiscovery readiness assessment, information barrier configuration, and ongoing compliance monitoring with quarterly reviews.


Frequently Asked Questions

What is Microsoft Purview Compliance Manager?

Microsoft Purview Compliance Manager is a risk-based compliance management solution within Microsoft 365 that helps organizations assess, monitor, and improve their compliance posture. It provides pre-built assessments for 360+ regulations (HIPAA, GDPR, SOC 2, FedRAMP, PCI DSS, etc.), a compliance score (0-100%) that measures your current posture, and recommended improvement actions with step-by-step implementation guidance. Compliance Manager is included in Microsoft 365 E3/E5 licenses.

How do Microsoft 365 DLP policies work?

Data Loss Prevention (DLP) policies in Microsoft 365 detect and prevent the sharing of sensitive information across Exchange, SharePoint, OneDrive, Teams, and endpoint devices. DLP policies use sensitive information types (SITs) like credit card numbers, Social Security numbers, and health records to identify sensitive content, then enforce actions like blocking sharing, requiring encryption, or notifying compliance officers. Microsoft 365 E5 or E5 Compliance add-on is required for endpoint DLP.

What is the difference between retention labels and retention policies in Microsoft 365?

Retention policies apply retention settings broadly to entire locations (all Exchange mailboxes, all SharePoint sites) and are best for baseline retention across the organization. Retention labels apply to individual items (specific emails, documents) and support more granular control including disposition review, records management, and event-based retention. Most enterprises use both: retention policies for baseline data lifecycle management and retention labels for regulatory records that require specific handling.

How does eDiscovery work in Microsoft 365?

Microsoft 365 eDiscovery enables legal teams to search, preserve, collect, and export electronically stored information (ESI) for litigation, investigations, and regulatory inquiries. Content Search finds content across mailboxes, sites, and Teams. eDiscovery (Standard) adds legal hold, case management, and export. eDiscovery (Premium) adds advanced features like conversation threading, near-duplicate detection, predictive coding, and custodian management. Premium requires Microsoft 365 E5 or E5 eDiscovery add-on.

Do we need Microsoft 365 E5 for compliance features?

Not necessarily. Microsoft 365 E3 includes basic compliance features: Purview Compliance Manager (limited assessments), basic DLP for Exchange and SharePoint, standard retention policies, and Content Search. Microsoft 365 E5 adds advanced capabilities: endpoint DLP, advanced eDiscovery, auto-labeling, insider risk management, communication compliance, and information barriers. For regulated industries (healthcare, financial services), E5 or the E5 Compliance add-on ($12/user/month) is typically necessary to meet regulatory requirements.