Deploy three critical Microsoft Purview compliance solutions: Communication Compliance to monitor emails, Teams, and third-party chats for policy violations; Audit (Standard & Premium) to track user and admin activities for forensic investigations; and Data Lifecycle Management to automate retention and deletion of content across Microsoft 365.
This lab covers three critical Microsoft Purview compliance solutions. Communication Compliance monitors emails, Microsoft Teams messages, and third-party chat platforms for policy violations such as offensive language, insider trading signals, and regulatory non-compliance. Audit (Standard & Premium) tracks user and admin activities across Microsoft 365 services, providing forensic-grade logs with up to 10 years of retention for regulatory investigations. Data Lifecycle Management automates retention and deletion of content through retention policies, retention labels, adaptive scopes, and disposition reviews, ensuring organisations keep data as long as required and delete it when no longer needed.
A financial services firm subject to SEC and FINRA regulations must monitor all broker-dealer communications for compliance violations, including insider trading language, market manipulation signals, and unsuitable investment recommendations. The firm is required to retain all business records, including emails, Teams chats, and trade confirmations, for a minimum of 7 years under SEC Rule 17a-4. During regulatory examinations, the compliance team must produce comprehensive audit trails demonstrating who accessed what data, when, and from where. Without these controls, the firm faces multi-million-dollar fines, suspension of broker-dealer licences, and reputational damage.
Regulatory fines for communication compliance failures are severe: FINRA issued over $100 million in fines in a single year for supervisory failures related to off-channel communications. SEC Rule 17a-4 mandates immutable retention of broker-dealer records; violations can result in licence revocation. GDPR's right to erasure (Article 17) requires organisations to delete personal data when no longer needed, creating tension with retention mandates that only a well-designed lifecycle management strategy can resolve. Audit logs are the foundation of every forensic investigation and regulatory examination; without comprehensive, tamper-proof audit data, organisations cannot demonstrate compliance or investigate incidents. Together, these three solutions form the backbone of an enterprise compliance programme.
Prerequisites: the ExchangeOnlineManagement module installed, and a Connect-IPPSSession session.

Start by accessing the Microsoft Purview compliance portal and establishing a PowerShell session. You will use both the portal and PowerShell throughout this lab.

```powershell
# Install the Exchange Online Management module (if not already installed)
# WHAT: Installs the PowerShell module required for Security & Compliance cmdlets
# -Force: Overwrites any existing version; -AllowClobber: Resolves command name conflicts
Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber

# Connect to Security & Compliance PowerShell
# WHY: Establishes a remote session using modern authentication (supports MFA)
# NOTE: Use Connect-IPPSSession, NOT the deprecated Connect-SecurityComplianceCenter
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Verify connection by listing available compliance cmdlets
# WHAT: Searches for cmdlets containing "Compliance" in the temporary module
# WHY: Confirms the session is active and cmdlets are loaded. If empty, reconnect.
# OUTPUT: List of available compliance commands (New-DlpCompliancePolicy, etc.)
Get-Command -Module tmp_* | Where-Object { $_.Name -like "*Compliance*" } |
    Select-Object Name | Sort-Object Name | Format-Table -AutoSize

# Verify your admin account has the required compliance roles
# WHAT: Lists your role assignments filtered to Compliance, Audit, and Records roles
# WHY: Without proper roles, you won't be able to create policies or access audit data
# OUTPUT: Role name and assignee - confirm you have Compliance Administrator or equivalent
# CONCERN: If no results appear, ask a Global Admin to assign the required roles
Get-ManagementRoleAssignment -RoleAssignee admin@contoso.com |
    Where-Object { $_.Role -like "*Compliance*" -or $_.Role -like "*Audit*" -or $_.Role -like "*Records*" } |
    Format-Table Role, RoleAssignee -AutoSize
```

Use Connect-IPPSSession rather than the deprecated Connect-SecurityComplianceCenter cmdlet. The IPPS session supports modern authentication and multi-factor authentication (MFA) out of the box.

Microsoft Purview Audit provides two tiers: Audit (Standard) with 180-day log retention, and Audit (Premium) with up to 10 years of retention, high-value event logging, and higher API bandwidth. Enable and configure both for comprehensive forensic coverage.
```powershell
# Verify unified audit log is enabled in the tenant
# WHAT: Checks whether M365 audit log ingestion is turned on
# OUTPUT: UnifiedAuditLogIngestionEnabled = True means audit is active
# CONCERN: If False, no user or admin activities are being recorded
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Enable unified audit logging if not already active
# WHY: Audit logs are the foundation of security investigations, compliance
#      evidence, and insider risk detection. Without them, you have no visibility.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Create an Audit Premium retention policy - 7 years for all activities
# WHAT: Extends audit log retention from the default 180 days to 7 years
# WHY: SEC Rule 17a-4 requires financial firms to retain records for 7 years.
#      Standard audit retains only 180 days - insufficient for regulatory compliance.
# -RecordTypes @("All"): Covers ALL audit event types (Exchange, SharePoint, Teams, etc.)
# -Priority 1: Highest priority - overrides the default 180-day retention
# REQUIRES: Microsoft 365 E5 or E5 Compliance licence for affected users
New-UnifiedAuditLogRetentionPolicy -Name "Audit-7Year-AllActivities" `
    -Description "Retain all audit records for 7 years. SEC 17a-4" `
    -RetentionDuration "SevenYears" `
    -RecordTypes @("All") `
    -Priority 1

# Create a targeted retention policy for Exchange events - 10 years
# WHAT: Retains Exchange-specific audit events for 10 years
# WHY: Email is the primary communication channel in financial services;
#      10-year retention covers extended regulatory and litigation requirements
# -RecordTypes: ExchangeAdmin (admin changes), ExchangeItem (mailbox access),
#               ExchangeItemGroup (bulk operations)
New-UnifiedAuditLogRetentionPolicy -Name "Audit-10Year-Exchange" `
    -Description "Retain Exchange audit records for 10 years" `
    -RetentionDuration "TenYears" `
    -RecordTypes @("ExchangeAdmin","ExchangeItem","ExchangeItemGroup") `
    -Priority 2

# Verify all retention policies are configured correctly
# OUTPUT: Policy name, retention duration, and priority order
# EXPECT: Two policies with 7-year and 10-year durations
Get-UnifiedAuditLogRetentionPolicy | Format-Table Name, RetentionDuration, Priority
```

Search audit logs to investigate user activities, admin changes, and security events. Use the portal for interactive searches and PowerShell for automated or large-scale queries.
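The following is an added example, not part of the original lab: the mass-download check (more than 50 downloads by one user within an hour) written as a PowerShell function over Search-UnifiedAuditLog output rather than as a hunting query, so it can run as a scheduled job where Advanced Hunting is not available. The function name, the sample users, file names and IP addresses are constructed; the record shape (CreationDate, UserIds, Operations, AuditData JSON) is what Search-UnifiedAuditLog returns.

```powershell
# Added example (not the lab's own code): detect bursts of file downloads per user
# from unified audit log records. Sample records below are constructed test data.

function Find-MassDownload {
    [CmdletBinding()]
    param(
        # Records as returned by Search-UnifiedAuditLog (or the constructed sample below)
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Record,
        # Downloads per window above which a user is reported
        [int] $Threshold = 50,
        # Window size in minutes; 60 gives the same one-hour buckets as bin(Timestamp, 1h)
        [int] $WindowMinutes = 60
    )
    begin {
        $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks
        $events = [System.Collections.Generic.List[object]]::new()
    }
    process {
        foreach ($r in $Record) {
            # AuditData is a JSON string; parse it and keep only download events
            $d = $r.AuditData | ConvertFrom-Json
            if ($d.Operation -ne 'FileDownloaded') { continue }
            $time = [datetime]$d.CreationTime
            $events.Add([PSCustomObject]@{
                User   = $d.UserId
                Time   = $time
                # Floor the timestamp to the start of its window (integer tick arithmetic)
                Window = [datetime]::new($time.Ticks - ($time.Ticks % $windowTicks))
                IP     = $d.ClientIP
                File   = $d.ObjectId
            })
        }
    }
    end {
        $events |
            Group-Object User, Window |
            ForEach-Object {
                [PSCustomObject]@{
                    User          = $_.Group[0].User
                    WindowStart   = $_.Group[0].Window
                    DownloadCount = $_.Count
                    # Several source IPs in one window is worth a second look
                    DistinctIPs   = (@($_.Group.IP | Sort-Object -Unique) -join ', ')
                    SampleFile    = $_.Group[0].File
                }
            } |
            Where-Object { $_.DownloadCount -gt $Threshold } |
            Sort-Object DownloadCount -Descending
    }
}

# Constructed sample data in the shape Search-UnifiedAuditLog returns
function New-SampleDownloadRecord {
    param([string] $User, [datetime] $Time, [string] $Ip, [int] $N)
    $audit = @{
        CreationTime = $Time.ToString('yyyy-MM-ddTHH:mm:ss')
        Operation    = 'FileDownloaded'
        UserId       = $User
        ClientIP     = $Ip
        ObjectId     = "https://contoso.sharepoint.com/sites/Finance/Shared%20Documents/report-$N.xlsx"
    } | ConvertTo-Json -Compress
    [PSCustomObject]@{ CreationDate = $Time; UserIds = $User; Operations = 'FileDownloaded'; AuditData = $audit }
}

$start  = [datetime]'2024-03-04T09:00:00'
$sample = @(
    # 60 downloads in 45 minutes by one user (crosses the threshold)
    foreach ($i in 1..60) { New-SampleDownloadRecord -User 'sample-user1@contoso.com' -Time $start.AddSeconds(45 * $i) -Ip '203.0.113.7' -N $i }
    # 3 downloads spread over half an hour by another user (normal activity)
    foreach ($i in 1..3)  { New-SampleDownloadRecord -User 'sample-user2@contoso.com' -Time $start.AddMinutes(10 * $i) -Ip '198.51.100.9' -N $i }
)

# Offline run against the constructed sample: reports sample-user1 only
$sample | Find-MassDownload -Threshold 50 | Format-Table -AutoSize

# Live use after Connect-IPPSSession (page with -SessionCommand for more than 5,000 records):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations FileDownloaded -ResultSize 5000 | Find-MassDownload -Threshold 50
```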
```kusto
// Find all file downloads by a specific user in the last 30 days
// WHAT: Tracks every file download by a specific user across cloud apps
// WHY: Detects potential data exfiltration - departing employees or insiders
//      often download large volumes of files before leaving the organisation
// OUTPUT: Timestamp, user name, action type, file name, and source IP address
// CONCERN: Review IPAddress for unusual locations (personal VPN, foreign IPs)
CloudAppEvents
| where Timestamp > ago(30d)
| where AccountObjectId == "user-object-id"
| where ActionType == "FileDownloaded"
| project Timestamp, AccountDisplayName, ActionType, ObjectName, IPAddress

// Detect mass file downloads (potential data exfiltration)
// WHAT: Identifies users who downloaded more than 50 files in a single hour
// WHY: Mass downloads are the #1 indicator of data theft - normal users
//      rarely download 50+ files in one hour. Flag for immediate investigation.
// THRESHOLD: >50 downloads/hour is suspicious; adjust based on your baseline
// OUTPUT: User name, time window, and download count (sorted by highest first)
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == "FileDownloaded"
| summarize DownloadCount = count() by AccountDisplayName, bin(Timestamp, 1h)
| where DownloadCount > 50
| order by DownloadCount desc

// Track admin role changes in Azure AD / Entra ID
// WHAT: Detects when admin roles are added or removed from user accounts
// WHY: Unauthorised role assignment is a key persistence technique - attackers
//      grant themselves Global Admin to maintain access. Internal governance
//      also requires tracking all privilege changes.
// OUTPUT: Timestamp, who made the change, what role was added/removed
// CONCERN: Any unexpected role additions outside change management should be investigated
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType in ("Add member to role.", "Remove member from role.")
| project Timestamp, AccountDisplayName, ActionType, ObjectName
```

```powershell
# Search for all file access events in the last 7 days
# WHAT: Queries the unified audit log for file-related activities across M365
# -Operations: Filters to file access, download, and preview events only
# WHY: Monitors who is accessing documents - critical for insider risk detection
#      and regulatory compliance investigations
# OUTPUT: Date, user (UPN), and operation type for each file access event
# USE: Run daily to establish baseline file access patterns for your organisation
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) `
    -Operations "FileAccessed","FileDownloaded","FilePreviewed" `
    -ResultSize 100 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize

# Search for admin role assignments in Azure AD / Entra ID
# WHAT: Finds all events where a user was added to an admin role in the last 30 days
# WHY: Unauthorised role assignments are a high-severity security event
# -RecordType AzureActiveDirectory: Limits to Entra ID / Azure AD events
# Pipeline: Parses the JSON AuditData to extract the target user and assigned role
# OUTPUT: Date, who made the change, target user, and the role assigned
# CONCERN: Any role assignment outside of change management processes needs investigation
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) `
    -EndDate (Get-Date) `
    -RecordType AzureActiveDirectory `
    -Operations "Add member to role." `
    -ResultSize 50 |
    ForEach-Object {
        $auditData = $_.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            Date   = $_.CreationDate
            User   = $_.UserIds
            Target = $auditData.ObjectId
            Role   = $auditData.ModifiedProperties |
                         Where-Object { $_.Name -eq "Role.DisplayName" } |
                         Select-Object -ExpandProperty NewValue
        }
    } | Format-Table -AutoSize

# Export large result sets with paging for comprehensive audit reports
# WHAT: Uses session-based paging to retrieve ALL SharePoint file operation audit records
# WHY: Single calls return max 5,000 records. Paging ensures you capture every event
#      for complete audit coverage (required for regulatory compliance reporting).
# -SessionCommand ReturnLargeSet: Enables server-side paging across multiple batches
# -SessionId: Must be consistent across all calls in the same paging session
# OUTPUT: CSV file containing all SharePoint file operations over the last 90 days
# NOTE: This loop continues until no more records are returned
$results = @()
$sessionId = [Guid]::NewGuid().ToString()
do {
    $batch = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) `
        -EndDate (Get-Date) `
        -RecordType SharePointFileOperation `
        -SessionId $sessionId `
        -SessionCommand ReturnLargeSet `
        -ResultSize 5000
    $results += $batch
} while ($batch.Count -gt 0)
$results | Export-Csv -Path "AuditLog-90Days.csv" -NoTypeInformation
Write-Host "Exported $($results.Count) audit records"
```

Use the -SessionCommand ReturnLargeSet parameter with a consistent -SessionId to page through large result sets. Without paging, Search-UnifiedAuditLog returns a maximum of 5,000 records per call.

Communication Compliance policies monitor emails, Teams messages, and third-party chat platforms for content that violates organisational policies. Start with pre-built templates, then create custom policies for your specific requirements.
```powershell
# Create a supervisory review policy for broker-dealer communications
# WHAT: Deploys a Communication Compliance policy to monitor regulated users
# WHY: FINRA Rule 3110 mandates supervisory review of broker-dealer communications
#      to detect market manipulation, insider trading, and unsuitable recommendations
# -Reviewers: Compliance officers who will triage flagged communications
New-SupervisoryReviewPolicyV2 -Name "CC-RegulatoryCompliance-BrokerDealers" `
    -Reviewers "compliance-reviewer1@contoso.com","compliance-reviewer2@contoso.com" `
    -Comment "Monitor broker-dealer communications for regulatory compliance"

# Create the supervisory review rule for the policy
# WHAT: Defines which communications to monitor and at what sampling rate
# -SamplingRate 100: Reviews 100% of matching messages (required for regulatory compliance)
# -Condition: Captures messages sent to or from the broker-dealers distribution group
# WHY: 100% sampling ensures no regulated communication is missed during audits
New-SupervisoryReviewRule -Name "CC-RegCompliance-Rule" `
    -Policy "CC-RegulatoryCompliance-BrokerDealers" `
    -SamplingRate 100 `
    -Condition "(SentTo -eq 'broker-dealers@contoso.com') -or (From -eq 'broker-dealers@contoso.com')"

# Create a policy for inappropriate content using trainable classifiers
# WHAT: Monitors all employee communications for threatening, harassing, or
#       discriminatory content using Microsoft's built-in AI classifiers
# WHY: Protects the organisation from workplace harassment liability and
#      creates a safer communication environment
New-SupervisoryReviewPolicyV2 -Name "CC-InappropriateContent-AllEmployees" `
    -Reviewers "hr-compliance@contoso.com" `
    -Comment "Detect threatening, harassing, or discriminatory content"

# Verify all Communication Compliance policies are created and active
# OUTPUT: Policy name, enabled status, and description
Get-SupervisoryReviewPolicyV2 | Format-Table Name, IsEnabled, Comment
```

Financial services firms are subject to SEC Rule 17a-4 (record retention), FINRA Rule 3110 (supervisory review), and FINRA Rule 3120 (supervisory control system). Configure Communication Compliance to address these specific requirements.
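Before loading a keyword list into a dictionary, it helps to see what it actually matches. The following added example (not part of the original lab) runs the lab's insider-trading keyword list against constructed sample messages with word-boundary, case-insensitive matching, and tallies hits per keyword so noisy terms stand out. The function names, senders and message text are made up, and the regex matching only approximates the service's own ContentContainsWords evaluation.

```powershell
# Added example (not the lab's own code): dry-run keyword matching over sample
# messages to estimate hit rates and spot false positives before going live.

$keywords = @(
    "guaranteed returns", "can't lose money", "sure thing",
    "inside information", "don't tell compliance", "delete this message",
    "material non-public", "MNPI", "front-running", "cherry-picking",
    "buy before the announcement", "off the books", "this stock is about to explode"
)

function Test-KeywordHits {
    param(
        [Parameter(Mandatory)] [string[]] $Keyword,
        # Objects with Sender, Subject and Body properties
        [Parameter(Mandatory)] [object[]] $Message
    )
    # One case-insensitive regex per keyword, anchored on word boundaries, so that
    # "MNPI" does not fire inside "omnipresent" and multi-word terms match as phrases
    $patterns = foreach ($k in $Keyword) {
        [PSCustomObject]@{
            Keyword = $k
            Regex   = [regex]::new('\b' + [regex]::Escape($k) + '\b', 'IgnoreCase')
        }
    }
    foreach ($m in $Message) {
        $text = "$($m.Subject) $($m.Body)"
        $hits = @($patterns | Where-Object { $_.Regex.IsMatch($text) } | ForEach-Object Keyword)
        [PSCustomObject]@{
            Sender   = $m.Sender
            Subject  = $m.Subject
            HitCount = $hits.Count
            Keywords = ($hits -join '; ')
        }
    }
}

# Constructed sample messages: one clear violation, one innocent use of a term,
# and one compliance-training reminder that legitimately mentions MNPI
$sampleMessages = @(
    [PSCustomObject]@{ Sender = 'sample-broker@contoso.com'; Subject = 'ACME'
                       Body = "Have some inside information on ACME. Buy before the announcement and don't tell compliance." }
    [PSCustomObject]@{ Sender = 'sample-user2@contoso.com'; Subject = 'Lunch'
                       Body = 'The new place is a sure thing, its reviews are omnipresent.' }
    [PSCustomObject]@{ Sender = 'training@contoso.com'; Subject = 'Reminder'
                       Body = 'Annual MNPI training is due Friday.' }
)

$results = Test-KeywordHits -Keyword $keywords -Message $sampleMessages
$results | Format-Table -AutoSize

# Per-keyword hit counts across the sample: terms that fire only on innocent
# messages ("sure thing" here) are candidates for removal or tighter phrasing
$results | ForEach-Object { $_.Keywords -split '; ' } | Where-Object { $_ } |
    Group-Object | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```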
```powershell
# Create keyword dictionary for insider trading signals
# WHAT: Defines a list of terms that indicate potential regulatory violations
# WHY: Financial regulators require firms to detect and investigate communications
#      containing language suggestive of insider trading or market manipulation
# Terms include: solicitation of non-public info, evidence destruction, front-running
$keywords = @(
    "guaranteed returns", "can't lose money", "sure thing",
    "inside information", "don't tell compliance", "delete this message",
    "material non-public", "MNPI", "front-running", "cherry-picking",
    "buy before the announcement", "off the books", "this stock is about to explode"
)

# Create a custom sensitive information type using the keyword dictionary
# WHAT: Converts the keyword array into a DLP-compatible keyword dictionary
# WHY: This SIT can be used in both Communication Compliance and DLP policies
#      to detect insider trading language across email, Teams, and SharePoint
# -FileData: Comma-separated keywords as bytes; Unicode (UTF-16) is the encoding
#            used in Microsoft's documented examples for this cmdlet
# OUTPUT: A reusable keyword dictionary SIT named "Financial-Insider-Trading-Keywords"
$keywordString = $keywords -join ","
New-DlpKeywordDictionary -Name "Financial-Insider-Trading-Keywords" `
    -Description "Keywords indicating potential insider trading or market manipulation" `
    -FileData ([System.Text.Encoding]::Unicode.GetBytes($keywordString))

# Create the FINRA 3110 supervisory review policy
# WHAT: Creates a Communication Compliance policy specifically for FINRA Rule 3110
# WHY: FINRA 3110 requires broker-dealers to have a supervisory system that reviews
#      communications for compliance violations. This policy provides that system.
# -Reviewers: Senior compliance staff who have authority to escalate violations
New-SupervisoryReviewPolicyV2 -Name "CC-FINRA3110-SupervisoryReview" `
    -Reviewers "chief-compliance-officer@contoso.com","sr-compliance-analyst@contoso.com" `
    -Comment "FINRA Rule 3110 supervisory review of broker-dealer communications"

# Create a rule with keyword conditions for the FINRA policy
# WHAT: Flags communications containing any of the insider trading keywords
# -SamplingRate 100: Monitors 100% of matching messages (no statistical sampling)
# WHY: Regulatory compliance requires demonstrating comprehensive surveillance;
#      sampling is insufficient for SEC/FINRA supervisory obligations
New-SupervisoryReviewRule -Name "FINRA3110-KeywordDetection" `
    -Policy "CC-FINRA3110-SupervisoryReview" `
    -SamplingRate 100 `
    -Condition "(ContentContainsWords -eq 'guaranteed returns,inside information,material non-public,front-running,cherry-picking,MNPI')"

# Verify the FINRA policy is active and correctly configured
# OUTPUT: Policy name, whether it's enabled, assigned reviewers, and description
# CONCERN: If IsEnabled is False, the policy was created but is not monitoring yet
Get-SupervisoryReviewPolicyV2 -Identity "CC-FINRA3110-SupervisoryReview" |
    Format-List Name, IsEnabled, Reviewers, Comment
```

When Communication Compliance policies flag content, reviewers must triage, investigate, and take remediation actions. Establish a consistent workflow for alert review.
```powershell
# List all Communication Compliance policies and their status
# WHAT: Shows every supervisory review policy with its enabled state and reviewers
# OUTPUT: Policy name, IsEnabled (True/False), and assigned reviewer email addresses
# WHY: Confirms all policies are active and properly staffed with reviewers
Get-SupervisoryReviewPolicyV2 |
    Format-Table Name, IsEnabled, @{N="Reviewers";E={$_.Reviewers -join ", "}}

# Get policy report summary for the last 30 days
# WHAT: Retrieves Communication Compliance activity metrics grouped by policy
# OUTPUT: Policy name and the number of flagged communications
# USE: Track alert volume trends - sudden spikes may indicate a real compliance issue;
#      gradual increases may mean the policy needs tuning to reduce false positives
Get-SupervisoryReviewReport -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Group-Object PolicyName |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Export flagged items for offline review and documentation
# WHAT: Exports all CC alert data from the past 7 days to CSV
# OUTPUT: Date, policy that triggered, message subject, sender, assigned reviewer,
#         and the action taken (Resolved, Escalated, Pending)
# WHY: Provides auditable evidence of supervisory review for FINRA examinations
Get-SupervisoryReviewReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object Date, PolicyName, MessageSubject, Sender, Reviewer, ReviewAction |
    Export-Csv -Path "CC-AlertReport-7Days.csv" -NoTypeInformation
```

Retention policies automate the retention and deletion of content across Microsoft 365. Create organisation-wide policies for baseline retention and location-specific policies for targeted compliance requirements.
```powershell
# Create organisation-wide retention policy (3 years retain, then delete)
# WHAT: Applies a baseline retention policy across the mailbox and file workloads
# WHY: Ensures no business content is deleted before 3 years - the minimum
#      retention period for most regulatory and legal hold requirements
# LOCATIONS: Covers Exchange, SharePoint, OneDrive, and M365 Groups
# NOTE: This is a BASELINE; location-specific policies with longer retention override this
# NOTE: Teams chats and channel messages cannot share a policy with other locations,
#       so they get their own baseline policy below
New-RetentionCompliancePolicy -Name "Retention-OrgWide-3Years" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ModernGroupLocation All `
    -Comment "Organisation-wide 3-year retention baseline"

# Create the retention rule - 3 years from creation date, then auto-delete
# -RetentionDuration 1095: 3 years in days (365 x 3)
# -RetentionComplianceAction KeepAndDelete: Retains content for the period, then permanently
#   deletes it. (Delete on its own only schedules deletion; it does not stop users deleting earlier.)
# -ExpirationDateOption CreationAgeInDays: Retention clock starts from when the item was created
New-RetentionComplianceRule -Name "Retention-OrgWide-3Years-Rule" `
    -Policy "Retention-OrgWide-3Years" `
    -RetentionDuration 1095 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays

# Create the matching 3-year baseline for Teams messages (separate policy required)
New-RetentionCompliancePolicy -Name "Retention-OrgWide-3Years-Teams" `
    -TeamsChannelLocation All `
    -TeamsChatLocation All `
    -Comment "Organisation-wide 3-year retention baseline for Teams messages"
New-RetentionComplianceRule -Name "Retention-OrgWide-3Years-Teams-Rule" `
    -Policy "Retention-OrgWide-3Years-Teams" `
    -RetentionDuration 1095 `
    -RetentionComplianceAction KeepAndDelete

# Create finance-specific retention policy (7 years retain, no auto-delete)
# WHAT: Extends retention to 7 years for the Finance department only
# WHY: SEC Rule 17a-4 requires financial records to be retained for 7 years;
#      this policy overrides the 3-year baseline for finance content
# -ExchangeLocation: Targets only the finance group mailbox
# -SharePointLocation: Targets only the Finance SharePoint site
New-RetentionCompliancePolicy -Name "Retention-Finance-7Years" `
    -ExchangeLocation "finance-group@contoso.com" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/Finance" `
    -Comment "7-year retention for financial records. SEC 17a-4"

# Create the retention rule - 7 years from last modification, retain only (no auto-delete)
# -RetentionDuration 2555: 7 years in days (365 x 7)
# -RetentionComplianceAction Keep: Retains content but does NOT auto-delete when period expires
# -ExpirationDateOption ModificationAgeInDays: Clock starts from last modification date
# WHY: "Keep" without delete lets admins manually review and decide on deletion
New-RetentionComplianceRule -Name "Retention-Finance-7Years-Rule" `
    -Policy "Retention-Finance-7Years" `
    -RetentionDuration 2555 `
    -RetentionComplianceAction Keep `
    -ExpirationDateOption ModificationAgeInDays

# Verify all retention policies are configured correctly
# OUTPUT: Policy names, enabled status, mode, and covered locations
Get-RetentionCompliancePolicy | Format-Table Name, Enabled, Mode, ExchangeLocation
# OUTPUT: Rule names, retention duration in days, and action (Keep/KeepAndDelete/Delete)
Get-RetentionComplianceRule | Format-Table Name, RetentionDuration, RetentionComplianceAction
```

Retention labels provide item-level retention control. Unlike retention policies (which apply broadly), labels are applied to individual items, either manually by users or automatically based on conditions. Labels can also declare items as records, making them immutable.
This step creates three labels: "Business Record. 7 Years", "Regulatory Record. 10 Years", and "Delete After 1 Year".

```powershell
# Create retention label: Business Record (7 years, with disposition review)
# WHAT: Creates a retention label that users can manually apply to declare business records
# -RetentionAction KeepAndDelete: Retains content for the duration, then deletes it once the
#   disposition reviewer approves (a reviewer only applies to Delete/KeepAndDelete actions)
# -RetentionDuration 2555: 7 years in days
# -RetentionType TaggedAgeInDays: Retention starts when the label is APPLIED (not created)
# -ReviewerEmail: Designated reviewer for disposition review when retention expires
# -IsRecordLabel $true: Marks items as RECORDS - prevents editing and deletion
# WHY: Records cannot be modified or deleted by users until the retention period expires,
#      providing legal defensibility for regulatory compliance
New-ComplianceTag -Name "Business Record. 7 Years" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType TaggedAgeInDays `
    -ReviewerEmail "records-manager@contoso.com" `
    -IsRecordLabel $true `
    -Comment "7-year business record with disposition review"

# Create retention label: Regulatory Record (10 years, IMMUTABLE)
# WHAT: Creates an immutable regulatory record label - the strongest record type
# -Regulatory: Makes this a REGULATORY record - once applied, NOBODY can remove the label,
#   delete the item, or modify its content until the 10-year retention period expires
# WARNING: This is irreversible. Test thoroughly before deploying in production.
# NOTE: The compliance portal only shows the regulatory option after
#       Set-RegulatoryComplianceUI -Enabled $true; PowerShell does not need that switch
# WHY: SEC Rule 17a-4 and MiFID II require certain records to be stored in
#      non-rewritable, non-erasable (WORM) format
New-ComplianceTag -Name "Regulatory Record. 10 Years" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 3650 `
    -RetentionType TaggedAgeInDays `
    -ReviewerEmail "chief-compliance-officer@contoso.com" `
    -IsRecordLabel $true `
    -Regulatory `
    -Comment "10-year regulatory record. immutable"

# Create retention label: Auto-delete after 1 year (not a record)
# WHAT: Creates a non-record label that auto-deletes content after 1 year
# -RetentionAction Delete: Permanently removes content when retention expires
# -RetentionType CreationAgeInDays: Retention starts from the item's creation date
# USE: Apply to transient content like meeting notes or draft documents
New-ComplianceTag -Name "Delete After 1 Year" `
    -RetentionAction Delete `
    -RetentionDuration 365 `
    -RetentionType CreationAgeInDays `
    -Comment "Auto-delete after 1 year"

# Publish labels to users via a label policy
# WHAT: Makes the retention labels available for manual application in Office apps
# -PublishComplianceTag: Lists the labels to publish to users
# NOTE: Published labels appear in SharePoint, OneDrive, and Exchange within 7 days
New-RetentionCompliancePolicy -Name "LabelPolicy-BusinessRecords" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ModernGroupLocation All `
    -PublishComplianceTag "Business Record. 7 Years","Regulatory Record. 10 Years","Delete After 1 Year"

# Create an auto-apply label policy for financial content
# WHAT: Automatically applies the "Business Record. 7 Years" label to content
#       containing U.S. Financial Data (credit cards, bank accounts, etc.)
# WHY: Auto-labeling ensures records are declared without relying on user action
# NOTE: An auto-apply policy carries no -PublishComplianceTag; the label is set by the rule
New-RetentionCompliancePolicy -Name "AutoLabel-FinancialRecords" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -Comment "Auto-apply the 7-year business record label to U.S. financial data"

# Define the auto-apply rule with SIT condition
# -ContentContainsSensitiveInformation: Triggers when U.S. Financial Data is detected
#   at high confidence with at least 1 instance
# -ApplyComplianceTag: The label the rule applies to matching items
New-RetentionComplianceRule -Name "AutoLabel-FinancialRecords-Rule" `
    -Policy "AutoLabel-FinancialRecords" `
    -ContentContainsSensitiveInformation @{
        Name = "U.S. Financial Data";
        minCount = 1;
        confidencelevel = "High"
    } `
    -ApplyComplianceTag "Business Record. 7 Years"

# Verify all retention labels are created correctly
# OUTPUT: Label name, action (KeepAndDelete/Delete), duration in days, and record status
Get-ComplianceTag | Format-Table Name, RetentionAction, RetentionDuration, IsRecordLabel
```

Adaptive scopes dynamically target retention policies based on user, group, or site attributes in Azure AD / Entra ID. Instead of manually adding users to a policy, adaptive scopes automatically include or exclude them based on properties like department, country, or job title.
This step creates AdaptiveScope-Finance-Users for Exchange and OneDrive, AdaptiveScope-Finance-Sites for SharePoint, and the Retention-AdaptiveScope-Finance policy that uses both.

```powershell
# Create an adaptive scope targeting Finance department users in the US
# WHAT: Defines a dynamic user group based on Azure AD / Entra ID attributes
# -LocationType User: Targets individual user mailboxes and OneDrive accounts
# -RawQuery: Filters to users where Department=Finance AND Country=United States
# WHY: Adaptive scopes re-evaluate every 24 hours - new Finance hires are
#      automatically included without manual policy updates
New-AdaptiveScope -Name "AdaptiveScope-Finance-Users" `
    -LocationType User `
    -RawQuery "(Department -eq 'Finance') -and (Country -eq 'United States')" `
    -Comment "Dynamic scope for Finance department users in the US"

# Create an adaptive scope targeting Finance SharePoint sites
# WHAT: Dynamically targets SharePoint sites whose name contains "Finance"
# -LocationType Site: Applies to SharePoint Online site collections
# WHY: New Finance sites are automatically covered without updating policies manually
New-AdaptiveScope -Name "AdaptiveScope-Finance-Sites" `
    -LocationType Site `
    -RawQuery "(SiteName -like '*Finance*')" `
    -Comment "Dynamic scope for Finance SharePoint sites"

# Create a retention policy using the adaptive scopes
# WHAT: Applies 7-year retention to all content within the adaptive scope
# WHY: Combines dynamic user and site targeting with the 7-year SEC requirement
# NOTE: When an employee transfers out of Finance, they're automatically removed
#       from this policy's scope at the next 24-hour evaluation cycle
New-RetentionCompliancePolicy -Name "Retention-AdaptiveScope-Finance" `
    -AdaptiveScopeLocation "AdaptiveScope-Finance-Users","AdaptiveScope-Finance-Sites" `
    -Comment "7-year retention for Finance using adaptive scopes"

# Create the retention rule for the adaptive scope policy
# -RetentionDuration 2555: 7 years in days
# -RetentionComplianceAction Keep: Retain without auto-deleting
# -ExpirationDateOption ModificationAgeInDays: Clock starts from last modification
New-RetentionComplianceRule -Name "Retention-AdaptiveScope-Finance-Rule" `
    -Policy "Retention-AdaptiveScope-Finance" `
    -RetentionDuration 2555 `
    -RetentionComplianceAction Keep `
    -ExpirationDateOption ModificationAgeInDays

# Verify adaptive scopes were created with the correct queries
# OUTPUT: Scope name, location type (User/Site), and the raw query used for targeting
Get-AdaptiveScope | Format-Table Name, LocationType, RawQuery
```

Disposition reviews require a human reviewer to approve the deletion of content when a retention period expires. This is critical for regulated records where premature deletion could result in compliance violations.
Disposition review was configured through the -ReviewerEmail on the "Business Record. 7 Years" and "Regulatory Record. 10 Years" labels created earlier.

```powershell
# Verify which retention labels have disposition review configured
# WHAT: Lists labels that require human approval before content is deleted
# WHERE-OBJECT: Keeps labels with at least one reviewer email assigned
#   (testing the value itself is more reliable than -ne $null on a collection property)
# OUTPUT: Label name, retention duration, reviewer email, and record status
# WHY: Confirms disposition reviewers are assigned - unassigned labels will
#      leave content in limbo when retention expires
Get-ComplianceTag | Where-Object { $_.ReviewerEmail } |
    Format-Table Name, RetentionDuration, ReviewerEmail, IsRecordLabel

# Check detailed configuration of a specific label with disposition
# OUTPUT: Full property list including retention action, duration, type,
#         reviewer email, and whether it's a record label
Get-ComplianceTag -Identity "Business Record. 7 Years" |
    Format-List Name, RetentionAction, RetentionDuration, RetentionType, ReviewerEmail, IsRecordLabel

# Monitor audit log for disposition actions taken by reviewers
# WHAT: Searches for disposition-related events in the last 30 days
# -Operations: DispositionReviewCompleted (review finished),
#   DispositionApproved (deletion approved), DispositionExtended (retention extended)
# WHY: Provides auditable evidence that disposition reviews are being performed
#      and records the decision made for each item
# OUTPUT: Date, reviewer who made the decision, and the action taken
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) `
    -EndDate (Get-Date) `
    -Operations "DispositionReviewCompleted","DispositionApproved","DispositionExtended" `
    -ResultSize 100 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize
```

Use Microsoft Purview's built-in monitoring tools to track compliance posture across Communication Compliance, Audit, and Data Lifecycle Management.
```powershell
# COMPREHENSIVE COMPLIANCE STATUS REPORT
# WHAT: Generates a multi-section report covering all compliance solutions deployed

# Report Section 1: All retention policies and their current status
# OUTPUT: Policy name, enabled state, mode (Enable/Test), and scoped locations
# WHY: Confirms all retention policies are active and covering the intended locations
Get-RetentionCompliancePolicy |
    Select-Object Name, Enabled, Mode, ExchangeLocation, SharePointLocation, TeamsChannelLocation |
    Format-Table -AutoSize

# Report Section 2: All retention labels and their properties
# OUTPUT: Label name, action (Keep/Delete), duration in days, record status, regulatory flag
# WHY: Provides a complete inventory of all retention labels for audit documentation
Get-ComplianceTag |
    Select-Object Name, RetentionAction, RetentionDuration, IsRecordLabel, @{N="Regulatory";E={$_.Regulatory}} |
    Format-Table -AutoSize

# Report Section 3: Communication Compliance policies and reviewers
# OUTPUT: Policy name, enabled status, and assigned reviewers
# WHY: Demonstrates supervisory review coverage for regulatory examinations
Get-SupervisoryReviewPolicyV2 |
    Select-Object Name, IsEnabled, @{N="Reviewers";E={$_.Reviewers -join ", "}} |
    Format-Table -AutoSize

# Report Section 4: Audit retention policies
# OUTPUT: Policy name, retention duration (180 days to 10 years), and priority
# WHY: Proves audit log retention meets regulatory requirements (e.g., 7-year SEC 17a-4)
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RetentionDuration, Priority, RecordTypes |
    Format-Table -AutoSize

# Report Section 5: Most frequent audit operations in the last 7 days
# WHAT: Groups audit events by operation type and shows the top 20
# WHY: Identifies the most common activities - useful for baseline analysis
# OUTPUT: Operation name and count (e.g., FileAccessed: 12,345)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) `
    -ResultSize 5000 |
    Group-Object Operations |
    Sort-Object Count -Descending |
    Select-Object -First 20 Name, Count |
    Format-Table -AutoSize

# Generate a summary report object and export to CSV
# WHAT: Creates a single-row summary with key compliance metrics
# OUTPUT: Date, total counts of retention policies, labels, CC policies, and audit policies
# USE: Share this summary in monthly compliance review meetings
$report = [PSCustomObject]@{
    Date              = Get-Date -Format "yyyy-MM-dd"
    RetentionPolicies = (Get-RetentionCompliancePolicy | Measure-Object).Count
    RetentionLabels   = (Get-ComplianceTag | Measure-Object).Count
    CCPolicies        = (Get-SupervisoryReviewPolicyV2 | Measure-Object).Count
    AuditRetention    = (Get-UnifiedAuditLogRetentionPolicy | Measure-Object).Count
}
$report | Export-Csv -Path "ComplianceStatusReport.csv" -NoTypeInformation
$report | Format-List
```

Review your deployment across all three compliance solutions and plan ongoing operations.
| Resource | Description |
|---|---|
| Communication compliance overview | Monitor communications for policy violations across email, Teams, and third-party platforms |
| Create communication compliance policies | Step-by-step guide to creating and managing Communication Compliance policies |
| Audit solutions in Microsoft Purview | Overview of Audit (Standard) and Audit (Premium) capabilities |
| Audit (Premium) | High-value events, long-term retention, and higher API bandwidth for forensic investigations |
| Data lifecycle management | Automate retention and deletion of content across Microsoft 365 |
| Retention policies and retention labels | Comprehensive reference for retention policies, labels, and records management |
| Regulatory records | Immutable record management for SEC 17a-4 and similar regulations |
| Disposition of content | Configure and manage disposition reviews for retained records |