Microsoft Purview Portal
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Microsoft Purview Compliance Management: Navigating the Microsoft Purview Portal
In the modern digital landscape, data is no longer confined to a single server room or a handful of local spreadsheets. It lives in the cloud, on mobile devices, within collaborative chat apps, and across third-party platforms. For organizations, this "data sprawl" creates a massive challenge: how do you keep track of sensitive information while ensuring you meet the ever-growing list of legal and regulatory requirements? This is where Microsoft Purview comes into play.
The Microsoft Purview portal serves as the centralized command center for an organization's entire data governance, risk management, and compliance strategy. It is designed to bring together tools that were previously scattered across different interfaces, providing a unified view of your data estate. Whether you are a compliance officer trying to meet GDPR requirements, an IT admin setting up data loss prevention policies, or a legal professional managing a discovery process, the Purview portal is your primary workspace. Understanding how to navigate and utilize this portal is not just a technical skill; it is a fundamental requirement for protecting your organization's reputation and operational integrity.
Understanding the Unified Portal Experience
The Microsoft Purview portal represents a significant shift in how Microsoft approaches data management. Previously, administrators had to jump between the Microsoft 365 Compliance Center and Azure Purview to manage different aspects of their data. The unified portal integrates these experiences, allowing you to manage "data at rest" (like databases and file shares) and "data in motion" (like emails and Teams chats) from one location.
When you first log in to the portal, you are greeted by a dashboard that provides a high-level overview of your organization's compliance posture. This isn't just a static display; it is an interactive interface that highlights urgent issues, such as active data loss prevention (DLP) alerts or pending improvement actions in your compliance score. The navigation is divided into logical sections, making it easier to find specific tools based on the task at hand.
Callout: The Evolution of Purview
It is helpful to understand that Microsoft Purview is the rebranding and integration of two major product lines. What used to be "Azure Purview" handles data governance and discovery across multi-cloud and on-premises environments. What used to be "Microsoft 365 Compliance" handles information protection, risk management, and regulatory compliance within the Microsoft 365 ecosystem. By merging these into the Purview portal, Microsoft provides a "single pane of glass" for your entire data estate.
The Home Page and Solution Catalog
The Home page of the Purview portal is customizable. You can pin "cards" that show the most relevant information for your role. For instance, a security analyst might want to see the "Recent Alerts" card, while a compliance manager might prioritize the "Compliance Manager" card.
If you don't see a specific tool on the left-hand navigation bar, you can find it in the Solution Catalog. The catalog categorizes tools into four main areas:
- Information Protection & Governance: Tools for labeling data and managing its lifecycle.
- Privacy & Risk Management: Tools for identifying internal threats and managing privacy requests.
- Discovery & Response: Tools for legal investigations and auditing.
- Data Management: Tools for mapping and cataloging data across various platforms.
Core Pillars of Microsoft Purview
To master the portal, you need to understand the primary functions it performs. Let's break down the most critical components that you will interact with daily.
1. Compliance Manager and Compliance Score
The Compliance Manager is perhaps the most important tool for high-level oversight. It translates complex regulatory requirements (like HIPAA, ISO 27001, or GDPR) into practical, actionable steps. Instead of reading a 200-page legal document, you can look at the "Improvement Actions" list in the portal.
Each action you take—such as turning on Multi-Factor Authentication (MFA) or setting up a retention policy—contributes points to your Compliance Score. This score gives you a quantifiable way to measure progress. It is important to remember that the score is a reflection of your configuration and process, not a guarantee of legal immunity.
Note: Microsoft automatically manages some "Microsoft actions" for you. These are security controls that Microsoft implements on their end as the cloud provider. Your focus should remain on the "Customer actions," which are the configurations you are responsible for within your own tenant.
2. Information Protection (Sensitivity Labels)
Information Protection is about knowing what data you have and ensuring it stays safe. The core mechanism here is the Sensitivity Label. These labels are tags that you apply to documents or emails. They can be applied manually by users or automatically based on the content of the file (such as detecting a credit card number).
When a label is applied, it can trigger specific protections. For example, a label named "Highly Confidential" might encrypt a document so that only people within your organization can open it, even if the file is accidentally shared with an external party.
3. Data Loss Prevention (DLP)
While labels help classify data, DLP policies act as the enforcement arm. A DLP policy monitors data in transit and in use. You can configure a policy to look for specific types of sensitive information, like Social Security numbers or passport details.
If a user tries to send an email containing ten credit card numbers to an external recipient, the DLP policy can intervene. It can block the email entirely, show a "Policy Tip" to the user explaining why the action is risky, or simply log the event for an administrator to review later.
Technical Implementation: Using PowerShell with Purview
While most tasks can be completed in the graphical user interface (GUI), advanced administrators often use PowerShell to automate repetitive tasks or manage settings at scale. To interact with Microsoft Purview via code, you use the Exchange Online PowerShell module or the Security & Compliance PowerShell module.
Below is an example of how you might use PowerShell to view all your existing sensitivity labels. This is useful for generating reports or checking the status of labels across a large organization.
# First, connect to the Security & Compliance PowerShell module
# You will need the correct permissions (Compliance Admin or Global Admin)
Connect-IPPSSession -UserPrincipalName [email protected]
# Retrieve a list of all sensitivity labels configured in the Purview portal
$labels = Get-Label
# Display the name, visibility, and whether the label is active
$labels | Select-Object Name, ContentType, State | Format-Table -AutoSize
# Example: Check the details of a specific label named "Internal Use Only"
Get-Label -Identity "Internal Use Only" | Select-Object -ExpandProperty Settings
Explanation of the code:
Connect-IPPSSession: This command establishes a secure connection to the Purview back-end.Get-Label: This cmdlet fetches the configuration for all sensitivity labels defined in your tenant.Select-Object: This is used to filter the output so you only see the most relevant columns, like the name and state (Enabled/Disabled).Format-Table: This makes the output readable in the console.
Tip: If you are managing thousands of labels or complex DLP rules, using PowerShell is much faster than clicking through the portal. It also allows you to export configurations to a CSV file for auditing purposes.
Step-by-Step: Setting Up Your First Compliance Policy
Setting up a policy in the Purview portal follows a consistent workflow. Let's walk through the process of creating a simple Data Loss Prevention (DLP) policy to protect financial data.
Step 1: Access the DLP Solution
Navigate to the Microsoft Purview portal. On the left navigation bar, select Data Loss Prevention and then click on Policies.
Step 2: Start the Policy Wizard
Click + Create policy. You will be presented with several templates. Microsoft provides pre-built templates for various industries (Financial, Medical, Privacy). For this example, select Financial and then choose U.S. Financial Data. This template automatically looks for credit card numbers, bank account numbers, and ABA routing numbers.
Step 3: Choose Locations
Decide where the policy should be applied. You can choose to monitor:
- Exchange email
- SharePoint sites
- OneDrive accounts
- Teams chat and channel messages
- Devices (Endpoint DLP)
For a basic start, it is often best to select Exchange and OneDrive to see how the policy behaves in the most common communication channels.
Step 4: Define Policy Settings
You will be asked if you want to use the default settings or create custom rules. Stick with the defaults for your first policy. The default settings usually trigger an action if "low volume" (1-9 instances) or "high volume" (10 or more instances) of sensitive data is detected.
Step 5: Configure Actions and Notifications
Choose what happens when a match occurs.
- User Notifications: Turn this on. It displays a "Policy Tip" to the user, which is a great way to educate employees in real-time.
- Incident Reports: Set this to send an email to your compliance team whenever a high-volume violation occurs.
Step 6: Test the Policy
This is the most critical step. You are given the option to "Test it out first," "Turn it on right away," or "Keep it off." Always choose Test it out first. This allows the policy to run in the background and generate alerts without actually blocking any user actions. You can review the results for a week or two to ensure you aren't getting too many "false positives" before you move the policy to full enforcement.
Managing Permissions in the Portal
Not everyone in your IT department should have full access to the Microsoft Purview portal. Because this portal contains sensitive information (like the results of legal investigations or internal risk alerts), you must follow the principle of "least privilege."
Microsoft Purview uses Role-Based Access Control (RBAC). There are several built-in role groups designed for specific job functions:
| Role Group | Primary Responsibility |
|---|---|
| Compliance Administrator | Has full access to the portal and can manage all policies and settings. |
| Compliance Data Investigator | Can perform searches and review data but cannot change policies. |
| eDiscovery Manager | Can create and manage eDiscovery cases for legal holds and exports. |
| Information Protection Admin | Specifically focuses on sensitivity labels and classification. |
| Records Manager | Manages retention schedules and document disposal. |
Warning: Be careful with the "Global Administrator" role. While a Global Admin can access everything, it is better to assign the "Compliance Administrator" role to those who need it. This limits the "blast radius" if an account is ever compromised.
Data Governance: The Data Map and Catalog
While the compliance side of Purview focuses on "thou shalt not" (policies and restrictions), the governance side focuses on "how do I find this?". This is primarily handled through the Data Map and the Data Catalog.
The Data Map
The Data Map is the foundation. It automatically discovers data across your organization. You can connect it to Azure SQL databases, Amazon S3 buckets, on-premises file shares, and even Power BI. Once connected, Purview scans the metadata (data about the data) to understand what is stored there.
The Data Catalog
The Data Catalog is the user-facing side of governance. It allows data scientists, analysts, and business users to search for data using friendly terms. Instead of asking an IT person, "Where is the customer sales database?", a user can search the catalog. The catalog shows who owns the data, how sensitive it is (based on labels), and where it came from (lineage).
Callout: Data Lineage
One of the most powerful features of the Data Catalog is "Lineage." This provides a visual map showing how data has moved through your system. For example, it might show that data started in an on-premises SQL server, was moved to an Azure Data Lake via an ETL process, and finally ended up in a Power BI report. If the data in the report looks wrong, lineage helps you trace it back to the source.
Best Practices for Purview Management
Successfully managing the Microsoft Purview portal requires more than just knowing where the buttons are. It requires a strategic approach.
Start with a Pilot Program
Do not try to turn on every feature at once. Start with one solution, such as Information Protection. Create a small set of labels and test them with a specific department (like HR or Finance) before rolling them out to the entire company. This allows you to refine your labels and policies based on real-world feedback.
Involve Stakeholders Early
Compliance is not just an IT problem. It involves Legal, HR, and Department Heads. Before creating a retention policy that deletes emails after five years, check with your legal department to ensure that meets your industry's regulations. If you create a policy that blocks all external sharing, you might accidentally stop the Sales team from doing their jobs.
Review Your Compliance Score Regularly
The Compliance Score is a living metric. New regulations are added, and your environment changes. Make it a habit to review the "Improvement Actions" at least once a month. This keeps your organization's security and compliance posture from stagnating.
Use "Policy Tips" for Education
Most data leaks are accidental, not malicious. When you set up DLP, use Policy Tips. These are small banners that appear in Outlook or Teams when a user does something risky. Educating a user in the moment is far more effective than sending them to a mandatory training session once a year.
Common Pitfalls and How to Avoid Them
Even experienced administrators can run into trouble with Microsoft Purview. Here are some common mistakes to watch out for.
1. Over-Labeling
A common mistake is creating too many sensitivity labels. If you give users 20 different labels to choose from (e.g., "Internal," "Private," "Secret," "Super Secret," "Departmental Only"), they will get confused. Confused users often pick the wrong label or find ways to bypass the system entirely. Stick to 5 or fewer top-level labels.
2. Ignoring False Positives
If your DLP policies are too aggressive, they will flag legitimate business activity as a "violation." This is known as a false positive. If users are constantly blocked from doing their work, they will complain to leadership, and you may be forced to turn the policies off. Always monitor your alerts and tune your policies to reduce noise.
3. Neglecting the "Audit" Log
The Purview portal has a powerful Audit tool that logs almost every action taken in your Microsoft 365 environment. Many organizations only look at these logs after a problem occurs. Best practice is to regularly review audit logs or, better yet, export them to a SIEM (Security Information and Event Management) tool like Microsoft Sentinel for automated analysis.
4. Licensing Misunderstandings
Microsoft Purview features are tiered based on your licensing (E3 vs. E5). For example, "Manual" sensitivity labeling is available in E3, but "Automatic" labeling usually requires E5. Before you plan a complex rollout, ensure your organization has the correct licenses for the features you intend to use.
Comparison: E3 vs. E5 Compliance Capabilities
Feature Microsoft 365 E3 Microsoft 365 E5 Manual Sensitivity Labels Yes Yes Automatic Sensitivity Labels No Yes Basic eDiscovery Yes Yes Advanced eDiscovery (Premium) No Yes Basic Audit (90 days) Yes Yes Advanced Audit (1 year+) No Yes Insider Risk Management No Yes
Advanced Feature: Insider Risk Management
One of the more sophisticated tools within the Purview portal is Insider Risk Management. While DLP focuses on the data, Insider Risk focuses on the user's behavior. It uses machine learning to identify patterns that might indicate a security risk, such as a user downloading a massive amount of data from SharePoint right before they resign.
This tool is highly sensitive because it involves monitoring employee activity. Microsoft builds "Privacy by Design" into this solution. For example, by default, the names of the users being flagged are pseudonymized. An investigator might see "User A" triggered an alert, but they won't know it's "John Doe" unless they have the specific permissions to reveal the identity for a formal investigation.
Quick Reference: Navigating the Purview Portal
To help you find your way around, here is a quick guide to where the most common tasks are located:
- To create a retention policy: Go to Data Lifecycle Management > Microsoft 365 > Retention Policies.
- To find where a specific file is stored in Azure: Go to the Data Catalog and use the search bar.
- To respond to a legal request for emails: Go to eDiscovery > Standard or Premium and create a "Case."
- To see if your organization is meeting GDPR requirements: Go to Compliance Manager and filter your assessments by "GDPR."
- To see which users are sharing the most sensitive data: Go to Data Loss Prevention > Activity explorer.
Conclusion and Key Takeaways
The Microsoft Purview portal is a comprehensive ecosystem designed to handle the complexities of modern data management. It moves away from the idea of "security as a wall" and toward "security as a layer" that follows the data wherever it goes. By centralizing governance, protection, and compliance, it allows organizations to be more agile while still maintaining strict control over their most valuable assets.
Success in the portal requires a blend of technical configuration, strategic planning, and ongoing maintenance. As regulations change and your data grows, your approach to Purview must evolve as well.
Key Takeaways:
- Unified Command Center: The Purview portal integrates data governance (formerly Azure Purview) and compliance (formerly Microsoft 365 Compliance) into a single interface for managing your entire data estate.
- Quantifiable Progress: Use the Compliance Manager and Compliance Score to translate regulatory requirements into actionable technical steps and track your progress over time.
- Classification is Key: Sensitivity labels are the foundation of data protection. They allow you to classify data and apply encryption or restrictions that stay with the file regardless of where it is stored.
- Test Before Enforcing: Always run DLP and other compliance policies in "Test Mode" first. This prevents business disruption and allows you to tune the policies for accuracy.
- Principle of Least Privilege: Use Purview’s specific RBAC roles (like eDiscovery Manager or Records Manager) to ensure staff only have access to the data and tools necessary for their specific job.
- Education through Policy Tips: Use the built-in notification features to educate users about data risks in real-time, reducing the likelihood of accidental data leaks.
- Automation via PowerShell: For large-scale environments, use PowerShell to manage labels and policies efficiently, allowing for better auditing and consistency.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons