Microsoft Purview is Microsoft’s data governance and compliance suite inside Microsoft 365 — the rebranded, expanded successor to what used to be called the Microsoft 365 Compliance Centre. It is how you classify, protect, retain and audit your organisation’s data, and it is the layer that decides what Copilot is allowed to see.
For a Melbourne SME, the practical question is not “what is Purview” but “which bits do I already pay for, and what should I switch on first?” This post answers both, without the marketing gloss.
What Microsoft Purview actually is
Purview is an umbrella brand. Under it sit a set of tools that used to be scattered across separate portals. They are now grouped at purview.microsoft.com and broadly cover two jobs: knowing where your sensitive data is, and controlling what happens to it.
The capabilities that matter to most small and mid-sized businesses are:
- Sensitivity labels — tags like Confidential or Internal that travel with a file or email and can enforce encryption and access rules.
- Data Loss Prevention (DLP) — rules that stop sensitive data, such as credit card or Tax File Numbers, from leaving the organisation by email, Teams or to USB.
- Retention policies and labels — rules that keep records for a set period and delete them when they expire, which is how you meet records-keeping obligations without hoarding everything forever.
- eDiscovery — the ability to search across mailboxes, SharePoint and Teams to find content for a legal matter, dispute or regulator request.
- Audit — a searchable log of who did what: who opened a file, who deleted a mailbox item, who changed a permission.
- Insider risk management — analytics that flag risky behaviour, such as a departing employee mass-downloading client files.
- Communication compliance — monitoring of internal messaging for harassment, code-of-conduct breaches or regulated-industry conduct rules.
You will not use all of these on day one, and you should not try to. The point is that Purview is where data governance lives once you decide to take it seriously.
What you get with Business Premium, and what needs E5
This is where most decisions get made, because the licensing split is real and it is easy to overspend or assume you have features you do not.
Microsoft 365 Business Premium — the plan most Melbourne SMEs land on — includes a genuinely useful slice of Purview. You get manual sensitivity labels, basic DLP for Exchange, SharePoint, OneDrive and Teams, basic retention policies, standard audit logging, and basic eDiscovery (search and export). For a business under 300 seats, that is enough to make a real difference.
The advanced tier sits behind Microsoft 365 E5, the E5 Compliance add-on, or standalone Purview add-ons. That is where you find automatic labelling, DLP that extends to endpoints and browsers, communication compliance, insider risk management, eDiscovery (Premium) with legal hold and review sets, and longer audit retention.
| Capability | Business Premium | E5 / E5 Compliance |
|---|---|---|
| Sensitivity labels (manual) | Yes | Yes |
| Automatic labelling | No | Yes |
| DLP for Exchange, SharePoint, OneDrive, Teams | Yes (basic) | Yes |
| Endpoint DLP (USB, browser, copy) | No | Yes |
| Retention policies and labels | Yes (basic) | Yes (auto-apply, event-based) |
| eDiscovery | Standard (search and export) | Premium (legal hold, review sets) |
| Audit | Standard | Long-term retention |
| Insider risk management | No | Yes |
| Communication compliance | No | Yes |
The honest advice: do not buy E5 because the feature list looks impressive. Buy it when you have a specific obligation — a regulator, an insurer, a contract — that needs automatic labelling, endpoint DLP or insider risk. Most SMEs get years of value out of the Business Premium tier first. If you are weighing up the plans, our guide to what is included with Microsoft 365 support in Melbourne sets out where the lines fall.
What to do first: labels and DLP
If you take one thing from this post, take this. Start with sensitivity labels and DLP. They give you the most protection for the least effort, and everything else builds on them.
Sensitivity labels
A sensitivity label is a tag a user applies to a document or email. A typical SME set is three or four labels: Public, Internal, Confidential, and perhaps Highly Confidential. The label can be cosmetic (a footer marking) or it can enforce real controls — encryption, a watermark, blocking external sharing.
Start cosmetic, get people used to choosing a label, then add enforcement to the top one or two. A label that encrypts Confidential files means a document forwarded to the wrong address is unreadable to the recipient. That single control has saved more SMEs than any firewall rule.
Data Loss Prevention
DLP inspects content against patterns and conditions you set, then acts. The patterns Australian businesses care about are built in or easy to define: Tax File Numbers, Medicare numbers, credit card numbers, ABNs, driver licence details. A starter DLP policy might warn a user — or block outright — when they try to email a spreadsheet containing more than a handful of TFNs to an external address.
Begin every DLP rule in audit-only mode. Let it run for a fortnight, see what it would have flagged, and tune out the false positives before you switch to blocking. Turn DLP straight to block on day one and you will have the finance team locked out of legitimate work by Tuesday. DLP sits naturally alongside the rest of your cyber security services stack — it is the data-layer complement to identity controls like conditional access.
Retention, eDiscovery and audit: the records side
The governance half of Purview is about keeping the right things for the right length of time, and being able to find them.
Retention answers a question every business eventually faces: how long do we keep this? Some records have legal minimums — employee records under the Fair Work Act, financial records under the Corporations Act, health records under state health-records legislation. Retention policies enforce those minimums automatically and, just as importantly, delete data once the obligation lapses so you are not holding a decade of client files that are now pure liability.
eDiscovery earns its keep the day you receive a subpoena, a Fair Work claim or an OAIC enquiry. Instead of an engineer manually trawling mailboxes, you run a content search across Exchange, SharePoint and Teams and export exactly what is in scope. Standard eDiscovery in Business Premium handles most SME needs.
Audit is the quiet hero. When something goes wrong — a deleted file, a mailbox rule someone did not set, a permissions change — the audit log tells you who and when. It is also frequently the first thing a cyber insurer or incident responder asks for. If you are thinking about coverage, audit logging is part of what makes a claim defensible; our cyber insurance guide for Australian SMEs covers the broader picture.
Governance before AI: Purview and Copilot
This is the use case pushing Purview up the priority list for 2026. Microsoft 365 Copilot answers questions using your organisation’s data — every file, email and chat the asking user already has permission to see. That is the catch. Copilot does not break permissions; it surfaces what loose permissions already expose.
If your SharePoint has a “Company” site everyone can read, and someone parked the payroll spreadsheet there three years ago, Copilot will happily summarise salaries when an employee asks. The file was always accessible — nobody ever browsed to it. Copilot removes that friction.
This is why governance comes before AI, not after. Sensitivity labels let you mark and encrypt the data Copilot should never reuse. DLP and retention reduce the volume of stale, mislabelled data sitting in shared locations. Auditing tells you what Copilot has been asked. Switching on Copilot without doing this first is how a tidy-looking rollout becomes a quiet data-exposure incident.
The same logic applies to the Privacy Act 1988. Under the Australian Privacy Principles, you are obliged to take reasonable steps to protect personal information and to not keep it longer than needed. Reforms now working through Parliament are tightening those expectations, including around automated decision-making and data minimisation. Purview’s labelling, DLP and retention are precisely the “reasonable steps” the Office of the Australian Information Commissioner (OAIC) expects you to be able to demonstrate.
A Hawthorn scenario
A professional services firm in Hawthorn we work with wanted to roll out Copilot across forty staff. Before flicking it on, we ran a labelling and permissions review. We found three SharePoint sites with broad read access holding client financials and a folder of scanned passports from an old onboarding process. We applied Confidential labels with encryption to the sensitive sites, tightened the permissions, set a DLP rule on TFNs and Medicare numbers, and added a retention policy that purged the passport scans that should have been deleted years earlier. Copilot went live two weeks later — on data that was actually governed. The firm now has something concrete to show their professional indemnity insurer.
That sequence — govern, then enable — is the whole game. TechAssist has run Microsoft 365 for Melbourne SMEs since 2014, with thirteen Australian-employed engineers and a 24/7 NOC in Tecoma, and the Purview-before-Copilot review has become one of the more common pieces of work we do.
Frequently asked questions
Is Microsoft Purview a separate product I have to buy?
No. Purview is the brand for governance and compliance tools built into Microsoft 365. A meaningful set is already included with Business Premium. You only pay extra — through E5 or the E5 Compliance add-on — for advanced features such as automatic labelling, endpoint DLP and insider risk management.
What is the difference between sensitivity labels and retention labels?
Sensitivity labels control protection — encryption, access and markings on a file. Retention labels control lifecycle — how long an item is kept and when it is deleted. They solve different problems and you typically use both: sensitivity to protect, retention to keep or dispose.
Do I need Purview before turning on Copilot?
You should. Copilot surfaces anything the asking user can already access, so existing over-permissioned data becomes far easier to stumble across. Sorting out labels, permissions and DLP first stops Copilot turning a hidden exposure into an obvious one.
Does Purview help with the Privacy Act?
It helps you demonstrate compliance. The Australian Privacy Principles require reasonable steps to protect personal information and to not retain it beyond need. Purview’s DLP, sensitivity labels and retention policies are practical, auditable controls that show the OAIC you have taken those steps.
Where to start
Do not boil the ocean. Pick three or four sensitivity labels, switch on a couple of DLP rules in audit mode, and set retention on your one or two most regulated record types. That alone puts you ahead of most SMEs and gives you a defensible governance baseline — and the foundation you need before any AI tool touches your data.
If you would like a hand scoping a Purview rollout, sorting your Microsoft 365 licensing, or running a governance review before you enable Copilot, get in touch with TechAssist. We will tell you plainly what you already have, what is worth turning on, and what you can safely leave alone.
