11.5 Purview Playbook for Compliance, Data, and Risk
Key Takeaways
- Microsoft Purview is the SC-900 product family for compliance and data governance; it absorbed Microsoft Information Protection (MIP).
- Compliance Manager and compliance score handle assessment and improvement actions, not threat hunting; do not confuse compliance score with the Defender for Cloud secure score.
- Sensitivity labels classify and can encrypt; DLP prevents leakage; retention and records management control lifecycle; eDiscovery and audit support investigation.
- The Service Trust Portal (compliance resources) and Microsoft Priva (privacy) sit inside the compliance solutions boundary alongside Purview.
Choose Purview When the Asset Is Data or Compliance Evidence
Microsoft Purview is the SC-900 product family for compliance and data governance. If a scenario mentions data classification, sensitivity labels, data loss prevention (DLP), retention policies, retention labels, records management, eDiscovery, audit, insider risk management, content explorer, activity explorer, or Compliance Manager, start with Purview. The word "security" in a scenario does not always mean Defender; protecting sensitive information and proving compliance are Purview responsibilities.
Note the rebrand: Microsoft Information Protection (MIP) is now Microsoft Purview Information Protection, the classification and labeling layer of the suite.
The compliance domain also includes the Microsoft Service Trust Portal and Microsoft Priva. The Service Trust Portal hosts Microsoft's compliance resources, audit reports, and privacy principles. Microsoft Priva delivers privacy risk management and subject-rights-request capabilities. Neither is interchangeable with Sentinel or Entra — they sit firmly in the compliance and privacy lane.
| Requirement | Capability to recognize | Why it fits |
|---|---|---|
| Assess compliance posture and improvement actions | Compliance Manager and compliance score | The task is compliance assessment. |
| Identify and classify sensitive information | Data classification, content explorer, activity explorer | The task is understanding data. |
| Mark content as confidential and optionally encrypt it | Sensitivity labels and label policies | The task is information protection. |
| Prevent sensitive data from leaving approved channels | Data loss prevention (DLP) | The task is data-protection policy. |
| Keep or delete content according to rules | Retention policies, retention labels, records management | The task is lifecycle management. |
| Find information for legal or investigation needs | eDiscovery and audit | The task is compliance investigation. |
| Identify risky insider activity | Insider risk management | The task is organizational risk review. |
Purview Elimination Rules
A four-line lane check resolves most ambiguous compliance items:
- If the scenario says classify, label, retain, discover, audit, or manage records, think Purview.
- If it says sign in, access, role, or governance of identities, think Entra.
- If it says incident, hunting, workbook, connector, or playbook, think Sentinel.
- If it says endpoint, email, cloud app, cloud workload, vulnerability, or threat intelligence, think Defender.
The Score Trap and the Label/DLP/Retention Trio
Compliance Manager is a frequent distractor because the phrase "compliance score" can sound like a security score. For SC-900, compliance score is tied to Compliance Manager and its improvement actions, which measure progress against regulatory and standards-based controls. Secure score and cloud posture recommendations belong to Defender for Cloud. Do not swap them: one measures progress against compliance controls, the other measures cloud security posture. In final review, write the score's name next to its domain before answering.
Sensitivity labels, DLP, and retention often appear together but are distinct concepts. Sensitivity labels classify content and can drive protection actions such as encryption and visual marking. DLP policies prevent sensitive data from being shared or transmitted in ways that violate policy. Retention controls answer a lifecycle question: how long content must be kept and when it can be deleted. Mixing them up is a top SC-900 compliance error.
A strong final-review habit is to translate every compliance prompt into a verb. Classify maps to data classification. Label maps to sensitivity labels. Prevent leakage maps to DLP. Keep records maps to retention or records management. Search for legal evidence maps to eDiscovery. Review activity maps to audit. Assess posture maps to Compliance Manager. Manage privacy and subject rights maps to Priva. Once the verb is clear, the Purview capability is usually obvious, and the security or identity distractors fall away because they answer a different verb entirely.
Information Protection, Data Lifecycle, and Risk Inside Purview
Purview is best understood as three jobs working together. The first is information protection: discover and classify data with sensitive information types and trainable classifiers, then apply sensitivity labels that can mark documents, enforce encryption, and restrict access regardless of where the file travels. The second is data loss prevention, which uses those classifications to stop sensitive content from being shared through email, Teams, endpoints, or cloud apps in violation of policy.
The third is data lifecycle and records management, which uses retention labels and policies to keep content for a required period and dispose of it on schedule, and records management to declare immutable records for regulatory retention.
| Purview job | Core capabilities | Question it answers |
|---|---|---|
| Information protection | Data classification, sensitivity labels, encryption | What is this data and how is it protected? |
| Data loss prevention | DLP policies across Microsoft 365 and endpoints | How do we stop it from leaking? |
| Data lifecycle / records | Retention labels, retention policies, records management | How long do we keep or delete it? |
| Discover and investigate | eDiscovery, audit (Standard and Premium) | How do we find and prove activity? |
| Risk and privacy | Insider risk management, Communication Compliance, Priva | Who is acting riskily and how do we manage privacy? |
Compliance Posture and Trust Resources
The assessment and trust side rounds out the domain. Compliance Manager measures your posture against regulations and standards, expressing progress as a compliance score built from improvement actions you complete and controls Microsoft manages. The Service Trust Portal publishes Microsoft's own audit reports, certifications, and data-protection documentation so customers can evaluate Microsoft's compliance — it is a resource library, not a configuration tool. Microsoft Priva focuses on privacy: identifying personal data risk and automating data subject requests under regulations such as the GDPR.
Insider risk management and Communication Compliance detect risky internal activity and policy-violating communications respectively.
The exam habit that ties this together is domain discipline. Every capability above answers a compliance or data-governance question, never a SIEM, identity-access, or threat-protection question. When a four-option list pairs a Purview capability against a Defender or Sentinel option, ask whether the scenario is fundamentally about data, evidence, or obligation (Purview) or about threats, operations, or access (Defender, Sentinel, Entra). Naming the domain first, then the capability, is what keeps the compliance-solutions domain — roughly 25 to 30 percent of SC-900 — from turning into guesswork.
A company wants to measure compliance posture and track recommended improvement actions against regulatory controls. Which capability should you choose?
A policy must prevent sensitive information from being emailed or copied outside approved channels. Which Microsoft Purview capability is the best match?
A scenario mentions a "compliance score" and improvement actions. A learner is tempted to pick Defender for Cloud secure score. Why is that wrong?