On this page

Microsoft Purview is Microsoft’s umbrella name for the data security, governance and compliance tooling built into Microsoft 365 — sensitivity labels, data loss prevention (DLP), retention, eDiscovery, audit and insider-risk controls, managed from a single portal. If you run Microsoft 365, you already own part of it: Business Premium and E3 include the everyday controls, while the premium tooling sits in E5. This guide explains what Purview actually does day to day, which licence includes what (checked against Microsoft’s own documentation, as at July 2026), when an SME genuinely needs it — and where it fits Hong Kong obligations such as the PDPO and SFC record-keeping.
Key point
Purview is less a product you buy than a set of controls you switch on. Most Hong Kong SMEs get the best return from configuring what Business Premium or E3 already includes — labels, DLP and retention — properly, before spending anything on E5.
What is Microsoft Purview?
As at July 2026, Microsoft describes Purview as “a comprehensive set of solutions that helps your organization govern, protect, and manage data in the era of AI, wherever your data lives.” In practice it is three families of tools under one name and one portal:
- Data security — Information Protection (sensitivity labels), Data Loss Prevention, Insider Risk Management, information barriers and related controls.
- Data compliance — Audit, eDiscovery, Data Lifecycle Management (retention), Records Management, Communication Compliance and Compliance Manager.
- Data governance — Data Map and Unified Catalog, for cataloguing databases and analytics estates in Azure and beyond.
The name dates from Microsoft folding Azure Purview and the Microsoft 365 compliance tools into one family; the tooling now lives in the unified Microsoft Purview portal rather than the old compliance centre. One source of confusion is worth clearing up early: the data governance pillar is aimed at organisations running data platforms and warehouses. Unless that is you, the Purview you will actually touch is the security and compliance side — and that is what the rest of this guide covers.
What Purview actually does day to day
Sensitivity labels (Information Protection)
Labels — Public, Internal, Confidential — that travel with a document or email and can enforce encryption and access restrictions wherever the file goes, including outside your tenant. Manual labelling is included from Business Premium up; automatic labelling, where Purview applies labels based on what it finds in the content, needs E5.
Data loss prevention (DLP)
Policies that recognise sensitive content — HKID numbers, credit-card numbers, client identifiers — and warn or block when someone tries to email it out or over-share it from SharePoint or OneDrive. DLP for email and files is included from Business Premium up. Extending it to Teams chat, or to the devices themselves (blocking USB copies, printing and uploads at the endpoint), is E5 territory.
Retention and deletion (Data Lifecycle Management)
Retention policies keep content for as long as you need it and delete it when you no longer should have it — both halves matter. Basic retention policies and manually applied retention labels are included in Business Premium and E3. Records management — regulatory records, event-based retention, disposition reviews — and auto-applied retention labels are E5 features.
eDiscovery and legal hold
When a dispute, investigation or regulatory request lands, eDiscovery finds and preserves the relevant email, files and Teams messages. Business Premium supports litigation hold on mailboxes; the case-based eDiscovery (Standard) workflow — cases, holds, search and export — starts at E3; eDiscovery (Premium) adds custodian management, review sets and analytics at E5.
Audit
The unified audit log records user and admin activity across the tenant and is enabled by default on all plans. Standard audit retains records for 180 days; Audit (Premium), an E5 feature, keeps records for the key workloads for a year by default and up to ten years with an add-on licence. That retention window is often the difference between being able to answer “who accessed this mailbox in March” and not.
Insider Risk Management and Communication Compliance
E5-tier tools that flag risky behaviour — a resigning employee bulk-downloading client files — and scan communications for policy violations. Genuinely useful in regulated firms with something to lose; overkill for most SMEs.
Compliance Manager
Assessment templates and a risk-based compliance score for standards and regulations. Available in some form across Microsoft 365 plans including Business Premium; the depth of assessments depends on your licence.
Which Microsoft 365 licences include what
The licensing question matters more than the feature list, because much of Purview is already paid for. As at July 2026, per Microsoft’s Purview service description:
| Purview capability | Business Premium | Microsoft 365 E3 | Microsoft 365 E5 |
|---|---|---|---|
| Sensitivity labels (manual) | Yes | Yes | Yes |
| Automatic sensitivity labelling | — | — | Yes |
| DLP for email and files | Yes | Yes | Yes |
| DLP for Teams chat and endpoints | — | — | Yes |
| Retention policies and manual retention labels | Yes | Yes | Yes |
| Records management, auto-applied retention | — | — | Yes |
| Litigation hold | Yes | Yes | Yes |
| eDiscovery (Standard) — cases and holds | — | Yes | Yes |
| eDiscovery (Premium) | — | — | Yes |
| Audit (Standard) — 180-day log | Yes | Yes | Yes |
| Audit (Premium) — 1-year, 10 with add-on | — | — | Yes |
| Insider Risk Management, Communication Compliance | — | — | Yes |
Two practical notes. First, licensing is per-user, so the standard pattern is E5-tier compliance for the few users who need it and Business Premium or E3 for everyone else. Second, Microsoft also sells the E5 compliance stack as Purview Suite add-ons — including a version that bolts onto Business Premium (capped, like all Business plans, at 300 seats) — so you can buy the premium tooling without relicensing the whole tenant. For prices and the wider plan decision, see our guide to Business Premium vs E3 vs E5.
Getting your Microsoft 365 security and compliance right?
Configuration, hardening and sensible policy — sized for SMEs
When an SME actually needs Purview — and when it is overkill
Signals that it is time to configure Purview properly:
- Client security questionnaires or cyber-insurance renewals ask how you classify data and prevent leaks — labels and DLP are the expected answers.
- You hold personal data at volume — HR records, customer databases, patient or member lists — and could not currently say where it all sits.
- You operate in a regulated sector — fund management, insurance, legal — where record-keeping and supervision expectations are explicit.
- Staff turnover worries you. A common data-loss event is not a hacker; it is a departing employee and a client list.
- Data crosses the border. If information moves between Hong Kong, the Mainland and a global HQ, you need to know what is moving and control it.
And the overkill cases: buying E5 across a 20-person firm for insider-risk tooling nobody will operate; a seven-level label taxonomy no one applies; automatic labelling before manual labelling has bedded in. Purview rewards restraint — a handful of controls used consistently beats a full deployment used badly.
The Hong Kong angle: PDPO, SFC and cross-border data
- PDPO. Purview’s discovery, labels and DLP map naturally onto the Personal Data (Privacy) Ordinance’s data-security and use-limitation principles — you can only protect personal data you have found and classified. Relevant to compliance, not a substitute for it: no tool makes you PDPO-compliant by itself.
- SFC-licensed firms. Fund managers are expected to keep proper records, and the SFC’s external electronic data storage circular attaches conditions when regulatory records live in the cloud — which, for most managers, means Microsoft 365. Purview’s retention and audit tooling is directly relevant to evidencing that; see our guide to SFC cybersecurity requirements.
- China operations. The Mainland’s PIPL imposes strict consent, minimisation and cross-border transfer rules. Classification and DLP help you locate regulated personal information and control where it flows — the groundwork for any transfer assessment. Our China and Hong Kong data-laws guide covers the wider picture.
Rolling it out without boiling the ocean
- Start with what you already own. Inventory your licences before buying anything — most tenants have unused Purview entitlements.
- Keep the label taxonomy small. Three or four labels people understand beat a compliance-grade hierarchy they ignore.
- Run DLP in monitor mode first. See what would have been blocked for a few weeks, tune the policies, then enforce. Going straight to blocking generates helpdesk noise and workarounds.
- Set retention deliberately. Decide what to keep and for how long per workload — email, SharePoint, Teams — rather than accepting defaults you have never read.
- Only then price the E5 question, per user group rather than tenant-wide.
Microsoft Purview FAQs
Is Microsoft Purview included in Microsoft 365?
Partly, and that is the point. Business Premium and E3 include manual sensitivity labels, DLP for email and files, retention policies and the standard audit log. The premium tier — automatic labelling, Teams and endpoint DLP, eDiscovery Premium, extended audit, Insider Risk Management — requires E5 or a Purview add-on. There is no separate “Purview licence” to buy for the Microsoft 365 features (as at July 2026).
Do I need E5 to use Microsoft Purview?
No. The controls that deliver most of the everyday value — labels, DLP, retention, litigation hold, audit — are in Business Premium and E3. E5 matters when you need automation at scale, case-based legal discovery, year-plus audit retention or insider-risk monitoring — and it can be bought for a subset of users or via add-ons rather than tenant-wide.
What is the difference between Microsoft Purview and Microsoft Defender?
Defender is Microsoft’s threat-protection family — it defends against attackers, malware and phishing. Purview governs the data itself — classifying it, controlling where it goes, retaining it and evidencing who touched it. A well-run tenant needs both, which is why we assess them together in a Microsoft 365 security review.
Does Microsoft Purview make us PDPO compliant?
No tool does. The PDPO’s principles are obligations on your organisation, not settings in a portal. What Purview provides is the practical machinery — finding personal data, restricting its use and securing it — that makes those obligations achievable and demonstrable.
How PTS helps
PTS configures Microsoft Purview as part of securing and running Microsoft 365 for businesses across Hong Kong, Mainland China and Singapore — from the first label taxonomy and DLP policy through to retention designed around SFC and cross-border requirements, delivered and supported under our managed IT service. If you need help or advice on this topic, get in touch with us here.
PTS Consulting provides managed IT support, structured cabling, audiovisual design and installation, and IT consultancy services for businesses across Hong Kong, Mainland China and Singapore.
Tags:
Relevant service
Cybersecurity Services
ISO 27001-aligned defence — monitoring, hardening, training and incident response.