Reviewed by Jonathan West · Updated Jun 23, 2026

Microsoft Purview for Business: The Complete Compliance Guide

How small businesses use Microsoft Purview to protect sensitive data, meet compliance requirements, and lock down Microsoft 365.

Reviewed by Jonathan West · Updated Jun 23, 2026

Microsoft Purview is Microsoft's unified platform for data governance, compliance, and security. It brings together tools that were once scattered across separate admin centers — eDiscovery, data loss prevention, information protection, insider risk management, and communication compliance — into one place.

If your business runs on Microsoft 365, Purview is already partly active in your environment. Most small businesses never configure it. That's a problem. Unprotected email, unclassified documents, and missing retention policies create real legal and financial risk.

This guide explains what Microsoft Purview does, which tools matter most for small businesses, and how to start using it without a dedicated IT team.


What Microsoft Purview Is

Microsoft Purview is a compliance and data governance platform built into Microsoft 365. Microsoft launched it in 2022 by merging the older Microsoft 365 Compliance Center with Azure Purview (a data catalog tool). The result is a single admin experience covering both cloud security and data governance.

Purview is not one product. It is a suite of tools organized under one roof. Each tool solves a specific compliance or data protection problem. You pick what your business needs and configure it through the Microsoft Purview Compliance Portal.

The compliance portal replaces what was called the Microsoft 365 Compliance Center. If you used the old compliance center, you are already familiar with the interface. The URL changed; the underlying tools got new names and expanded capabilities.

  • Information Protection — classify and label sensitive documents
  • Data Loss Prevention (DLP) — block accidental sharing of PII, credit card numbers, health data
  • eDiscovery — search mailboxes and files for legal holds or investigations
  • Communication Compliance — flag policy violations in Teams and email
  • Insider Risk Management — detect unusual file access or data exfiltration behavior
  • Retention Policies — keep or delete records automatically based on rules
  • Microsoft Purview Message Encryption — encrypt outbound emails to external recipients
The Microsoft Purview Compliance Portal is your single dashboard for all of these tools. Access it at compliance.microsoft.com.

Worried that sensitive client data is sitting unprotected inside Microsoft 365 — but not sure where to start with Purview? Book a free compliance audit and we will configure your core DLP, sensitivity labels, and retention policies in a single week.

Book a Free Compliance Audit

The Key Tools Inside Microsoft Purview

Microsoft Purview Information Protection lets you apply sensitivity labels to files and emails. A label like 'Confidential — Client Data' can automatically encrypt the file, add a watermark, and prevent forwarding. Labels travel with the document, even if someone copies it to a USB drive.

Data Loss Prevention policies scan content in real time. When an employee tries to email a file containing Social Security numbers or credit card data, DLP can block the message, warn the user, or alert an admin. You define the rules. Microsoft ships hundreds of pre-built templates for HIPAA, GDPR, PCI-DSS, and other frameworks.

Microsoft Purview Message Encryption (formerly Office 365 Message Encryption) protects emails sent to external recipients. The recipient gets a secure link to read the message without needing a Microsoft account. This matters for attorneys, accountants, and healthcare providers who regularly send sensitive documents by email.

eDiscovery allows legal or HR teams to search across Exchange, SharePoint, Teams, and OneDrive for specific communications or files. If your company faces litigation, eDiscovery is how you produce documents without manually searching every inbox.

Retention policies automate record-keeping. You can require that contracts are kept for seven years, or that employee messages are deleted after 90 days. Automation removes human error from compliance workflows.

  • Sensitivity labels — protect files regardless of where they travel
  • DLP policies — 100+ built-in templates for major compliance frameworks
  • Message Encryption — secure email to external parties, no account required
  • eDiscovery — legal hold and content search across all M365 workloads
  • Retention policies — automated record lifecycle management
Purview DLP templates cover HIPAA, GDPR, PCI-DSS, and dozens of US state privacy laws out of the box. You do not need to write rules from scratch.

Real Use Cases for Small Businesses

Small businesses handle sensitive data every day — client contracts, employee records, financial statements, health information. Most of that data sits unprotected in shared drives and inboxes. Purview changes that without requiring enterprise IT staff.

A law firm with 12 employees can use sensitivity labels to mark client files as 'Attorney-Client Privileged.' Purview blocks anyone outside the firm from opening those files, even if they receive them accidentally. If the firm sends a contract to a client, Message Encryption ensures only that client can read it.

A medical practice can deploy HIPAA DLP policies in under an hour using Microsoft's built-in templates. Any email containing a patient name plus a diagnosis or prescription gets flagged before it leaves the building. Retention policies automatically archive patient communications for the required six years.

  • Prevent accidental sharing of client PII via email or OneDrive links
  • Encrypt financial documents before sending to clients or vendors
  • Audit who accessed a sensitive file and when
  • Meet HIPAA retention requirements without manual filing
  • Satisfy GDPR data subject access requests using eDiscovery search
  • Detect when an employee downloads an unusual volume of files before resigning
Case study: A 20-person accounting firm configured Purview DLP in one afternoon. In the first week, it blocked three accidental emails containing client Social Security numbers.

Purview Pricing: What's Included and What Costs Extra

Microsoft Purview is not sold as a standalone subscription. Its features come bundled with Microsoft 365 plans. The higher the plan tier, the more Purview features you unlock.

Microsoft 365 Business Premium ($22/user/month) includes core Purview features: Information Protection, basic DLP, Message Encryption, and retention policies. This plan covers most small business compliance needs.

Microsoft 365 E3 ($36/user/month) adds eDiscovery, advanced retention, and communication compliance. Microsoft 365 E5 ($57/user/month) or the Microsoft Purview compliance add-on ($12/user/month on top of E3) unlocks insider risk management, advanced eDiscovery, and premium DLP features.

For most small businesses under 100 employees, Business Premium is enough. If you face regulatory audits, hold government contracts, or work in healthcare or financial services, evaluate whether E3 or the compliance add-on is worth the step-up.

  • Business Premium ($22/user/mo) — core DLP, labels, encryption, retention
  • E3 ($36/user/mo) — adds eDiscovery, communication compliance
  • E5 ($57/user/mo) — adds insider risk, advanced eDiscovery, premium DLP
  • Purview compliance add-on (~$12/user/mo on E3) — gets you most E5 compliance features at a lower base cost
Already on Microsoft 365 Business Premium? You have more Purview tools available than you realize. Start with the Compliance Portal before buying any add-ons.

How to Get Started With Microsoft Purview

Start at compliance.microsoft.com. Sign in with your Microsoft 365 admin account. The Compliance Portal dashboard shows your Microsoft Compliance Score — a number that tells you how well your current configuration matches recommended controls for your industry.

Step one is to enable sensitivity labels. Go to Information Protection > Labels. Create a label hierarchy like Public, Internal, Confidential, and Highly Confidential. Publish those labels to your users. Outlook and Word will show a label picker in the toolbar.

Step two is to activate a DLP policy. Go to Data Loss Prevention > Policies > Create Policy. Pick a regulatory template (for example, HIPAA or US PII). Walk through the wizard. Set the policy to 'audit only' mode first so you can see what would be flagged before turning on enforcement.

Step three is to configure retention policies for email and SharePoint. Go to Data Lifecycle Management > Retention Policies. Apply a policy that retains Exchange email for seven years. This single policy eliminates a major compliance gap for most small businesses.

Run these three steps in order. Most small businesses can complete the initial configuration in a single afternoon without external help.

  • Step 1: Create and publish sensitivity labels in Information Protection
  • Step 2: Activate a DLP policy in audit mode, then switch to enforce
  • Step 3: Set retention policies for email and SharePoint
  • Step 4: Configure Message Encryption rules for outbound external emails
  • Step 5: Review Compliance Score and address top recommendations
Always start DLP policies in 'test' or 'audit' mode. Running enforcement immediately on a new policy can block legitimate business emails and frustrate users.

Microsoft Purview vs Proofpoint vs Mimecast

Microsoft Purview is not the only option for email security and compliance. Proofpoint and Mimecast are two well-established alternatives that specialize in email protection. Here is how they compare for small businesses already using Microsoft 365.

Purview wins on integration and total cost if you are already on M365 Business Premium or higher. Proofpoint and Mimecast charge separately — typically $3–$8 per user per month for baseline plans — on top of your existing Microsoft licensing. For a 25-person team, that adds $900–$2,400 per year.

However, Proofpoint and Mimecast offer more advanced threat intelligence, sandboxing, and email archiving at their premium tiers. If your business faces targeted phishing attacks or needs immutable legal-grade email archiving with full chain of custody, those platforms are worth the extra cost.

For most small businesses, Microsoft Purview covers 80% of email compliance needs at no additional cost. Proofpoint and Mimecast make sense when you need advanced threat protection or legal archiving.

Frequently Asked Questions

  • Yes. Microsoft rebranded and expanded the Microsoft 365 Compliance Center as part of the Microsoft Purview launch in 2022. The URL changed to compliance.microsoft.com and several features were renamed, but if you used the old Compliance Center, you are working inside Purview today.
  • No. Core Purview features come bundled with Microsoft 365 Business Premium, E3, and E5. You only pay extra for advanced features like insider risk management or premium eDiscovery, which require the Microsoft Purview compliance add-on (around $12/user/month) or an E5 license.
  • Microsoft Purview Message Encryption lets you send encrypted emails to external recipients — clients, vendors, or partners — who do not have Microsoft accounts. The recipient gets a link to open the message in a secure viewer. It replaces older OME (Office Message Encryption) branding but works the same way.
  • Yes, for core features. The Compliance Portal has setup wizards for DLP policies, sensitivity labels, and retention policies. Microsoft's Compliance Score dashboard gives you a prioritized to-do list. Most small businesses can configure the basics in a few hours. Complex scenarios — like custom sensitive information types or insider risk rules — may benefit from outside help.

Need Help Configuring Microsoft Purview?

Layer3 Labs helps small businesses set up Microsoft Purview, configure DLP policies, and automate compliance workflows — without the enterprise IT budget. We can have your core Purview controls live in a single week.

Get a Free Compliance Audit