Compliance Reporting
Compliance Manager
Purview portal → Compliance Manager
Compliance Manager provides a compliance score and actionable improvement recommendations mapped to regulatory frameworks.
Key features
- Compliance score: Percentage of controls implemented across assessed frameworks
- Improvement actions: Specific tasks with step-by-step instructions
- Assessments: Pre-built assessments for NIST 800-53, ISO 27001, Australian Privacy Act, SOC 2, PCI DSS, and more
Initial setup
- Navigate to Compliance Manager → Assessments
- The Microsoft 365 Data Protection Baseline assessment is pre-created — review it first
- Add additional assessments relevant to your compliance obligations:
  - NIST 800-171 (for US government contractors)
  - ISO/IEC 27001:2022
  - Australian Privacy Act 1988
  - IRAP (for Australian government)
- Assign improvement actions to owners
- Set target completion dates
Reading the compliance score
| Score range | Interpretation |
|---|---|
| 0–30% | Significant gaps — prioritise immediately |
| 30–60% | Moderate compliance — work through improvement actions |
| 60–80% | Good baseline — address remaining gaps |
| 80–100% | Strong posture — maintain and monitor |
Info
The score reflects Microsoft-managed controls (things Microsoft handles in the platform) plus your actions. You won't start at 0% — Microsoft controls typically account for 30–50% of the score.
Content Search
Purview portal → Content search
Search across Exchange, SharePoint, OneDrive, and Teams for compliance investigations.
Basic content search
- New search
- Configure locations: All Exchange mailboxes, All SharePoint sites, All OneDrive accounts
- Add keywords or conditions (date range, sender, file type)
- Run the search
- Preview results or Export to PST / flat files
```powershell
# Connect to Security & Compliance PowerShell
Connect-IPPSSession -UserPrincipalName admin@domain.com

# Create and run a content search
New-ComplianceSearch -Name "Investigation - User X Data" `
    -ExchangeLocation user@domain.com `
    -ContentMatchQuery "FROM:user@domain.com AND (AccountNumber OR password)" `
    -AllowNotFoundExchangeLocationsEnabled $true

Start-ComplianceSearch -Identity "Investigation - User X Data"

# The search runs asynchronously: Items and Size are final only once Status is Completed
Get-ComplianceSearch -Identity "Investigation - User X Data" | Select-Object Status, Items, Size
```
eDiscovery
For legal hold and formal investigations:
Purview portal → eDiscovery → Standard (or Premium)
Standard eDiscovery workflow
- Create a case
- Add custodians and place on hold
- Run content searches within the case
- Review and export results
Placing a mailbox on eDiscovery hold

```powershell
Connect-IPPSSession -UserPrincipalName admin@domain.com

# Create a case hold (the case named in -Case must already exist)
New-CaseHoldPolicy -Name "Legal Hold - Case 2025-001" `
    -Case "Case 2025-001" `
    -ExchangeLocation user@domain.com `
    -Enabled $true

# Attach a rule to the policy; the query decides which content is held
New-CaseHoldRule -Name "Hold Rule" `
    -Policy "Legal Hold - Case 2025-001" `
    -ContentMatchQuery "" # Empty = hold all content
```
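The Standard eDiscovery workflow and the hold steps above as one script, added here as an example and not part of the original page: it creates the case if it is missing, applies the hold, shows the hold's distribution state, then runs a case-scoped search and waits for it to complete before reading the counts. The case name, custodian, search name, 15-second polling interval and 30-minute timeout are assumed values.

```powershell
# Added example, not from the original page. All names and timings below are placeholders.
$caseName   = 'Case 2025-001'
$custodian  = 'user@domain.com'
$holdName   = "Legal Hold - $caseName"
$searchName = "$caseName - Custodian Search"

Connect-IPPSSession -UserPrincipalName admin@domain.com

# 1. Create the case only if it does not exist yet; the hold policy needs it.
if (-not (Get-ComplianceCase | Where-Object Name -eq $caseName)) {
    New-ComplianceCase -Name $caseName | Out-Null
}

# 2. Place the custodian mailbox on hold (empty query = hold all content, as on the page).
New-CaseHoldPolicy -Name $holdName -Case $caseName `
    -ExchangeLocation $custodian -Enabled $true | Out-Null
New-CaseHoldRule -Name "$holdName Rule" -Policy $holdName -ContentMatchQuery '' | Out-Null

# 3. Review the distribution state; until it reports success the hold
#    may not yet be applied to the mailbox.
Get-CaseHoldPolicy -Identity $holdName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus

# 4. Run a search inside the case so its results stay scoped to the case.
New-ComplianceSearch -Name $searchName -Case $caseName `
    -ExchangeLocation $custodian `
    -ContentMatchQuery 'FROM:user@domain.com AND (AccountNumber OR password)' | Out-Null
Start-ComplianceSearch -Identity $searchName

# 5. Searches run asynchronously: poll until Completed or the timeout expires.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} until ($search.Status -eq 'Completed' -or (Get-Date) -gt $deadline)

if ($search.Status -ne 'Completed') {
    throw "Search '$searchName' is still '$($search.Status)' after 30 minutes."
}

# Counts are only meaningful once the search has completed.
$search | Select-Object Name, Status, Items, Size
```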
Data Lifecycle Management
Purview portal → Data lifecycle management
Retention policies
Apply blanket retention to all content in a location:
| Policy | Locations | Retention |
|---|---|---|
| Exchange retention | All mailboxes | Retain for 7 years, then do nothing |
| Teams messages | All Teams channels | Retain for 3 years |
| SharePoint default | All sites | Retain for 5 years |
Purview portal → Data lifecycle management → Retention policies → New retention policy
| Setting | Value |
|---|---|
| Name | Exchange — 7 Year Retention |
| Locations | Exchange (all mailboxes), Exchange public folders |
| Retain items | 7 years |
| At end of retention period | Do nothing (or delete) |
Retention labels
For record-level retention (applied to specific items):
Purview portal → Data lifecycle management → Retention labels → Create
Example labels:
| Label | Retention | Record type |
|---|---|---|
| Financial Record — 7 Years | 7 years, delete after | Regulatory record |
| HR Record — 7 Years | 7 years, delete after | Regulatory record |
| Transient — 1 Year | 1 year, delete after | Not a record |
Insider Risk Management (Requires E5 Compliance)
Purview portal → Insider risk management
Detects anomalous user activity that may indicate insider threats (data exfiltration, policy violations).
Enable prerequisites
- Enable audit logging (see Audit Logs)
- Enable HR connector or use triggered departures (optional)
- Enable Microsoft 365 diagnostic data in the tenant
Create a policy
| Template | Use case |
|---|---|
| Data theft by departing users | Detects large downloads/exfiltration near offboarding |
| Data leaks | Detects unusual sharing of sensitive content |
| Security policy violations | Detects disabling of security tools |
| Risky browser usage | Visits to high-risk or blocked sites |