Tenant Security and Compliance
Microsoft Purview Introduction
Microsoft Purview is the unified compliance and data-governance platform for Microsoft 365 (M365). It integrates:
- Data Loss Prevention (DLP)
- Sensitivity Labels
- Information Protection
- eDiscovery
- Audit
Data Loss Prevention (DLP)
DLP Policy Example: Prevent Credit Card Number Leakage
# Connect to Security & Compliance PowerShell (the Microsoft Purview compliance
# portal back end; cmdlet comes from the ExchangeOnlineManagement module)
Connect-IPPSSession -UserPrincipalName admin@contoso.com
# Create the policy first: a DLP rule must reference a policy that already exists.
# Scope it to Exchange, SharePoint and OneDrive, and start in TestWithNotifications
# (users see policy tips, nothing is blocked) so match volume can be reviewed.
New-DlpCompliancePolicy -Name "Financial Data Protection" `
-ExchangeLocation All `
-SharePointLocation All `
-OneDriveLocation All `
-Mode TestWithNotifications
# Add the rule that carries the detection logic and the action:
# block access when at least one credit card number is detected and
# notify the content owner by email and policy tip.
# (NotifyUserType NotSet would configure no notification at all.)
New-DlpComplianceRule -Name "Block Credit Card" `
-Policy "Financial Data Protection" `
-ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="1"} `
-BlockAccess $true `
-NotifyUser Owner `
-NotifyUserType Email_PolicyTip
# Switch to enforcement once the test-mode results look right
Set-DlpCompliancePolicy -Identity "Financial Data Protection" -Mode Enable
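Before a blocking rule is enforced it is worth confirming that the built-in "Credit Card Number" sensitive information type actually fires on the content you expect, and that it does not fire on look-alike numbers. The following is an added example, not code from the original page; it assumes an existing Connect-IPPSSession session and the policy and rule names used above. The sample strings are constructed: 4111111111111111 is the well-known Visa test number (it passes the Luhn check), and the second number fails Luhn and should not match.

```powershell
# Constructed positive sample: a Luhn-valid number with surrounding keywords,
# which raises the sensitive information type's confidence level.
$sample = "Please charge my Visa card 4111 1111 1111 1111, expiry 11/26."
$result = Test-DataClassification -TextToClassify $sample -ClassificationNames "Credit Card Number"
# ClassificationResults carries one entry per matched type (name, count, confidence)
$result.ClassificationResults | Format-List

# Constructed negative sample: 16 digits that fail the Luhn checksum.
# Expect no "Credit Card Number" match here.
$negative = "Order reference 1234 5678 9012 3456 shipped today."
(Test-DataClassification -TextToClassify $negative -ClassificationNames "Credit Card Number").ClassificationResults | Format-List

# Review what was actually provisioned: scope and mode of the policy,
# and detection plus action on the rule.
Get-DlpCompliancePolicy -Identity "Financial Data Protection" |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy "Financial Data Protection" |
    Format-List Name, BlockAccess, NotifyUser, NotifyUserType, ContentContainsSensitiveInformation

# Only after the test-mode match volume has been reviewed, enforce the policy
Set-DlpCompliancePolicy -Identity "Financial Data Protection" -Mode Enable
```

Test-DataClassification evaluates the tenant's sensitive information types against the supplied text without creating any policy, so it is safe to run repeatedly while tuning minCount or adding custom types.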
Sensitivity Labels
Create Labels
# Create parent label. A parent that has sub-labels acts only as a container
# in the client picker; users select one of its sub-labels, so the protection
# settings belong on the sub-label.
New-Label -DisplayName "Confidential" `
-Name "Confidential" `
-Tooltip "Confidential information" `
-Comment "For internal use only"
# Create sub-label with template-based encryption.
# ParentId accepts the parent's name, distinguished name or GUID.
# <RMS_TEMPLATE_ID> must be the ID of an existing protection template
# (Get-AipServiceTemplate / Get-RMSTemplate) in the tenant.
New-Label -DisplayName "Confidential - Finance" `
-Name "Confidential-Finance" `
-ParentId "Confidential" `
-EncryptionEnabled $true `
-EncryptionProtectionType Template `
-EncryptionTemplateId "<RMS_TEMPLATE_ID>"
# Publish both labels to all Exchange and SharePoint users.
# Labels are not visible to users until a label policy publishes them.
New-LabelPolicy -Name "Confidential Policy" `
-Labels "Confidential", "Confidential-Finance" `
-ExchangeLocation All `
-SharePointLocation All
Conditional Access
Enforce MFA Example
Policy Name: Require MFA for All Users
Conditions:
- Users: All users
- Cloud apps: All cloud apps
- Locations: Any location
Access Controls:
- Grant access
- Require: Multi-factor authentication
State: Report-only (testing) → On (enabled)
Best Practice
Test Conditional Access policies in "Report-only" mode first to ensure users won't be accidentally locked out, and exclude at least one emergency-access (break-glass) account from every policy so that a misconfigured policy cannot lock all administrators out of the tenant.
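The policy above, created with the Microsoft Graph PowerShell SDK in report-only mode, followed by the check a practitioner wants before switching it on: what the policy would have done to recent sign-ins. This is an added example, not code from the original page. It assumes the Microsoft.Graph module is installed, that the signed-in admin holds the Policy.Read.All, Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All scopes, and that <BREAK_GLASS_ACCOUNT_OBJECT_ID> is replaced with the object ID of the tenant's emergency-access account.

```powershell
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","AuditLog.Read.All"

# Assumption: object ID of the emergency-access account to exclude
$breakGlassId = "<BREAK_GLASS_ACCOUNT_OBJECT_ID>"

# Same policy as in the text: all users, all cloud apps, any location, grant with MFA.
# State enabledForReportingButNotEnforced is the Graph name for "Report-only":
# the policy is evaluated and logged on every sign-in but never enforced.
$policyBody = @{
    displayName = "Require MFA for All Users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# After the policy has run in report-only mode for a while, summarise its outcome
# from the sign-in log. Each sign-in lists every evaluated policy with a Result:
#   reportOnlyInterrupted : user would have been prompted for MFA
#   reportOnlyFailure     : sign-in would have been blocked (investigate these)
#   reportOnlySuccess     : requirement already satisfied
#   reportOnlyNotApplied  : policy conditions did not match
Get-MgAuditLogSignIn -Top 500 |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.Id -eq $policy.Id } |
    Group-Object Result |
    Select-Object Name, Count

# Move from Report-only to On once the reportOnlyFailure cases are understood
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State "enabled"
```

The excludeUsers entry is what keeps the break-glass account usable if the MFA method itself fails; the summary step is the report-only review the Best Practice above refers to, done from the sign-in log instead of the portal's Insights and reporting workbook.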
Next Steps
- Exchange Online: Mail compliance settings
- Intune/Entra: Device compliance policies