Implement legally defensible records management with regulatory records and event-based retention, enforce Chinese walls between conflicting business divisions with Information Barriers, and assess your compliance posture against 300+ regulatory templates with Compliance Manager.
This lab covers three advanced Microsoft Purview solutions that enforce regulatory obligations across your organisation. Records Management lets you declare, retain, and dispose of business records with legally defensible processes, including immutable regulatory records that cannot be modified or deleted before their retention period expires. Information Barriers prevent communication and collaboration between conflicting groups, such as investment banking and equity research, enforcing the ethical walls required by financial regulations. Compliance Manager helps you assess and improve your compliance posture with over 300 built-in regulatory assessment templates covering frameworks such as ISO 27001, SOC 2, GDPR, and HIPAA.
A global investment bank with 25,000 employees needs to comply with multiple regulatory frameworks simultaneously: SEC Rule 17a-4, MiFID II, and GDPR. They must maintain Chinese walls between their Investment Banking and Equity Research divisions to prevent insider trading. Trading communications and deal records must be declared as regulatory records that cannot be modified or deleted for seven years. The Chief Compliance Officer must demonstrate to auditors that the organisation’s compliance posture exceeds an 85% compliance score across all applicable regulatory frameworks, with clear evidence of improvement actions assigned and completed.
Regulatory penalties for non-compliance can be devastating. GDPR fines reach up to €20 million or 4% of global revenue, and SEC enforcement actions regularly exceed $100 million. Without records management, organisations cannot prove legally defensible retention or disposal of business records, leaving them exposed during litigation and regulatory investigations. Information Barriers are legally mandated in financial services to prevent conflicts of interest; failure to enforce ethical walls can result in criminal charges for insider trading. Compliance Manager provides the continuous assessment framework that auditors and regulators expect, transforming compliance from a point-in-time exercise into an ongoing, measurable programme.
Begin by exploring the Records Management solution in the Microsoft Purview compliance portal. Review the file plan to understand how retention labels and record declarations are organised.
```powershell
# Connect to Security & Compliance PowerShell
# WHY: Required session for all Records Management and retention label cmdlets
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# List all existing retention labels in the tenant
# WHAT: Shows every retention label with its retention settings and record status
# OUTPUT: Name, RetentionDuration (days), RetentionAction (Keep/Delete),
#         IsRecordLabel (True/False), Regulatory (True = immutable regulatory record)
# WHY: Review existing labels before creating new ones to avoid duplicates
Get-ComplianceTag | Format-Table Name, RetentionDuration, RetentionAction, IsRecordLabel, Regulatory

# Check if any retention labels are currently published to users via policies
# WHAT: Lists all retention compliance policies and the labels they publish
# OUTPUT: Policy name, enabled status, mode, and published label names
# WHY: Labels must be published before users can apply them in Office apps
# NOTE: Get-RetentionComplianceRule is given the policy by name through -Policy;
#       it does not take a policy object from the pipeline
Get-RetentionCompliancePolicy | Format-Table Name, Enabled, Mode, @{
    N = 'Labels'
    E = { (Get-RetentionComplianceRule -Policy $_.Name).PublishComplianceTag -join ', ' }
}

# View existing event types for event-based retention
# WHAT: Lists all defined retention event types (e.g., Employee Departure, Contract Expiration)
# OUTPUT: Event type name, who created it, and when
# WHY: Event types must exist before creating event-based retention labels
Get-ComplianceRetentionEventType | Format-Table Name, CreatedBy, CreatedDateTime
```

Create file plan descriptors that categorise your retention labels by business function, category, and regulatory citation. Then create record labels: both standard records (users can unlock) and regulatory records (immutable; nobody can unlock them).
Labels created in this step: RM-DealDocumentation-7Y and RM-TradingRecords-7Y-Regulatory.

```powershell
# Create a standard record label with file plan descriptors
# WHAT: Creates a 7-year record label for deal documentation with metadata
# -RetentionDuration 2555: 7 years in days (365 x 7)
# -RetentionAction KeepAndDelete: Retain for 7 years, then trigger disposition review
# -RetentionType CreationAgeInDays: Retention clock starts from item creation date
# -ReviewerEmail: Compliance team receives disposition notifications when retention expires
# -IsRecordLabel $true: Items labeled become RECORDS (locked from editing/deletion)
# -Regulatory $false: Standard record - admins can unlock if needed (unlike regulatory records)
# -FilePlanProperty: JSON string of Key/Value descriptors for audit and governance documentation;
#   Department, Category, Citation, and ReferenceId provide classification context
$filePlan = @{
    Settings = @(
        @{ Key = "FilePlanPropertyDepartment";  Value = "Investment Banking" },
        @{ Key = "FilePlanPropertyCategory";    Value = "Deal Documentation" },
        @{ Key = "FilePlanPropertyCitation";    Value = "SEC Rule 17a-4" },
        @{ Key = "FilePlanPropertyReferenceId"; Value = "RM-DD-001" }
    )
} | ConvertTo-Json -Depth 3

New-ComplianceTag -Name "RM-DealDocumentation-7Y" `
    -Comment "Retain deal documentation for 7 years; standard record" `
    -RetentionDuration 2555 `
    -RetentionAction KeepAndDelete `
    -RetentionType CreationAgeInDays `
    -ReviewerEmail "compliance-team@contoso.com" `
    -IsRecordLabel $true `
    -Regulatory $false `
    -FilePlanProperty $filePlan

# Create a regulatory record label (IMMUTABLE - cannot be unlocked by anyone)
# WHAT: Creates a 7-year immutable regulatory record for trading communications
# -Regulatory $true: CRITICAL - once applied, NO ONE (not even Global Admin) can:
#   - Remove the label
#   - Delete the item
#   - Modify the content
#   until the 7-year retention period expires
# WHY: SEC Rule 17a-4 requires WORM (Write Once Read Many) storage for trading records
# NOTE: Regulatory record labels are hidden until the tenant opts in once with
#       Set-RegulatoryComplianceUI -Enabled $true
# WARNING: Test with standard records first. Regulatory records are PERMANENT and IRREVERSIBLE.
New-ComplianceTag -Name "RM-TradingRecords-7Y-Regulatory" `
    -Comment "Trading records; 7-year regulatory record; immutable" `
    -RetentionDuration 2555 `
    -RetentionAction KeepAndDelete `
    -RetentionType CreationAgeInDays `
    -ReviewerEmail "compliance-team@contoso.com" `
    -IsRecordLabel $true `
    -Regulatory $true

# Publish both record labels via a retention label policy
# WHAT: Makes the labels available for manual application across all M365 locations
# NOTE: Labels become visible to users within 7 days of publishing
New-RetentionCompliancePolicy -Name "RM-InvestmentBanking-Policy" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ModernGroupLocation All

# Attach the record labels to the policy
New-RetentionComplianceRule -Name "RM-IB-PublishLabels" `
    -Policy "RM-InvestmentBanking-Policy" `
    -PublishComplianceTag "RM-DealDocumentation-7Y","RM-TradingRecords-7Y-Regulatory"
```

Apply regulatory record labels to critical business documents to enforce immutability. Once declared as a regulatory record, the item cannot be modified, deleted, or relabelled by anyone until the retention period expires.
```powershell
# Connect to SharePoint Online using PnP PowerShell
# WHY: PnP module provides granular access to SharePoint items for label application
# NOTE: Current PnP.PowerShell releases require a registered Entra app (-ClientId) with -Interactive
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/TradingDesk" -Interactive

# Apply regulatory record label to all documents in the Trading Communications library
# WHAT: Iterates through every document and applies the immutable regulatory record label
# WHY: Bulk application ensures comprehensive record declaration across the entire library
# WARNING: Once applied, these documents become PERMANENTLY read-only for 7 years
$items = Get-PnPListItem -List "Trading Communications" -Fields "FileLeafRef"
foreach ($item in $items) {
    # Apply the regulatory record label to each document
    Set-PnPListItem -List "Trading Communications" `
        -Identity $item.Id `
        -Label "RM-TradingRecords-7Y-Regulatory"
    Write-Host "Labelled: $($item.FieldValues.FileLeafRef)" -ForegroundColor Green
}

# Verify record status by checking the compliance tag on each document
# WHAT: Reads the applied retention label and application timestamp for each file
# OUTPUT: File name, applied label name, and the date/time the label was applied
# USE: Provides evidence for auditors that records were properly declared
# EXPECT: All files should show the regulatory record label with a recent timestamp
Get-PnPListItem -List "Trading Communications" -Fields "FileLeafRef","_ComplianceTag","_ComplianceTagWrittenTime" |
    Select-Object @{N='File';E={$_.FieldValues.FileLeafRef}},
                  @{N='Label';E={$_.FieldValues._ComplianceTag}},
                  @{N='Applied';E={$_.FieldValues._ComplianceTagWrittenTime}} |
    Format-Table -AutoSize
```

Event-based retention starts the retention clock when a specific business event occurs, such as an employee leaving the company, a contract expiring, or a product reaching end of life, rather than from the date the content was created or modified.
Event types created in this step: Employee Departure and Contract Expiration. Label created: RM-EmployeeRecords-5Y-EventBased.

```powershell
# Create event types for business events that trigger retention
# WHAT: Defines named event types used to start the retention clock on labeled content
# WHY: Event-based retention ensures records are kept for a fixed period AFTER a business
#      event occurs (e.g., keep employee records for 5 years after they leave)

# Employee Departure event - triggers retention when an employee leaves
New-ComplianceRetentionEventType -Name "Employee Departure" `
    -Comment "Triggers retention for employee-related records when an employee leaves"

# Contract Expiration event - triggers retention when a contract ends
New-ComplianceRetentionEventType -Name "Contract Expiration" `
    -Comment "Triggers retention for contract-related records when a contract expires"

# Create a retention label triggered by the Employee Departure event
# WHAT: 5-year retention label that starts counting when the departure event fires
# -RetentionType EventAgeInDays: Retention starts from the EVENT date, not creation date
# -EventType: Links this label to the "Employee Departure" event type
# -IsRecordLabel $true: Items are locked as records once labeled
# -Regulatory $false: Standard record - admins can unlock if needed
New-ComplianceTag -Name "RM-EmployeeRecords-5Y-EventBased" `
    -Comment "Retain employee records for 5 years after departure" `
    -RetentionDuration 1825 `
    -RetentionAction KeepAndDelete `
    -RetentionType EventAgeInDays `
    -EventType "Employee Departure" `
    -IsRecordLabel $true `
    -Regulatory $false

# Trigger a retention event when an employee departs
# WHAT: Fires the "Employee Departure" event, starting the 5-year retention clock
#       for all items tagged with the corresponding label AND matching Asset ID
# -SharePointAssetIdQuery: Matches items where ComplianceAssetId = EMP-004521
# -EventDateTime: The actual departure date (used to calculate retention expiry)
# WHY: This is typically automated via Power Automate or HR system integration
New-ComplianceRetentionEvent -Name "John Smith Departure" `
    -EventType "Employee Departure" `
    -SharePointAssetIdQuery "ComplianceAssetId:EMP-004521" `
    -EventDateTime "2026-03-07T00:00:00Z" `
    -Comment "Employee EMP-004521 departed on 2026-03-07"

# Verify the event was created and is being processed
# OUTPUT: Event name, type, date, and processing status (InProgress/Completed)
# EXPECT: Status should transition to "Completed" once all matching items are processed
Get-ComplianceRetentionEvent | Format-Table Name, EventType, EventDateTime, Status
```

When records reach the end of their retention period, disposition review allows designated reviewers to approve or extend retention before items are permanently deleted. Multi-stage disposition adds multiple approval layers for high-value records.
In the portal, open the label RM-TradingRecords-7Y-Regulatory and click Disposition settings. The three reviewer stages are:

- records-manager@contoso.com (Records Management team)
- legal-team@contoso.com (Legal department)
- cco@contoso.com (Chief Compliance Officer, final approval)

```powershell
# Update a label to add multi-stage disposition reviewers
# WHAT: Configures three-stage approval for record destruction
# -MultiStageReviewProperty: JSON listing the stages in order; each stage must approve
#   before the next stage is notified. (-ReviewerEmail on its own defines a single stage,
#   so listing three addresses there would let any one of them approve alone.)
#   Stage 1: Records Manager (initial review)
#   Stage 2: Legal team (legal compliance check)
#   Stage 3: Chief Compliance Officer (final sign-off)
# WHY: Multi-stage disposition ensures no records are destroyed without
#      cross-functional approval - critical for regulated industries
$stages = @{
    MultiStageReviewSettings = @(
        @{ StageName = "Records Manager review"; Reviewers = @("records-manager@contoso.com") },
        @{ StageName = "Legal review";           Reviewers = @("legal-team@contoso.com") },
        @{ StageName = "CCO sign-off";           Reviewers = @("cco@contoso.com") }
    )
} | ConvertTo-Json -Depth 3

Set-ComplianceTag -Identity "RM-TradingRecords-7Y-Regulatory" `
    -MultiStageReviewProperty $stages

# Check which labels have disposition reviewers assigned
# OUTPUT: Label name, retention duration, reviewer emails, and record status
# WHY: Validates that all record labels requiring review have reviewers assigned
Get-ComplianceTag |
    Where-Object { $_.ReviewerEmail } |
    Format-Table Name, RetentionDuration, ReviewerEmail, IsRecordLabel

# Export disposition audit log for compliance evidence
# WHAT: Retrieves all disposition decisions from the last 90 days
# -Operations: Captures both completed reviews and approved disposals
# OUTPUT: CSV file documenting every disposition decision for auditors
# WHY: Proof of disposal is legally required - auditors need evidence that
#      records were reviewed and approved before deletion
Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-90) `
    -EndDate (Get-Date) `
    -Operations "DispositionReviewCompleted","DispositionApproved" `
    -ResultSize 5000 |
    Export-Csv -Path "DispositionAudit-90Days.csv" -NoTypeInformation
```

Information Barriers (IB) enforce ethical walls by preventing communication and collaboration between specific groups of users. Before creating policies, you must understand the prerequisites and architecture of segments and policies.
Prerequisite: the Department attribute (or another segmenting attribute) is populated for all users.

Define user segments based on Azure AD attributes. Each segment represents a group of users who share an attribute value, typically the Department attribute. Every user in your organisation should belong to exactly one segment. The segments used in this lab are:

- Investment Banking (Department = Investment Banking)
- Equity Research (Department = Equity Research)
- Compliance (Department = Compliance)
- Legal (Department = Legal)
- General Staff (Department = General, for all other employees)

```powershell
# Connect to Security & Compliance PowerShell
# WHY: Required for creating Information Barrier segments and policies
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Create user segments based on Azure AD Department attribute
# WHAT: Defines user groups for Information Barrier enforcement
# -UserGroupFilter: Matches users whose Department attribute equals the specified value
# WHY: Segments are the building blocks of Information Barriers - policies reference
#      these segments to define which groups can or cannot communicate
# PREREQUISITE: The Department attribute must be populated for ALL users in Entra ID

# Investment Banking segment - must be isolated from Equity Research
New-OrganizationSegment -Name "Investment Banking" `
    -UserGroupFilter "Department -eq 'Investment Banking'"

# Equity Research segment - must be isolated from Investment Banking
New-OrganizationSegment -Name "Equity Research" `
    -UserGroupFilter "Department -eq 'Equity Research'"

# Compliance segment - can communicate with ALL segments (shared service)
New-OrganizationSegment -Name "Compliance" `
    -UserGroupFilter "Department -eq 'Compliance'"

# Legal segment - can communicate with ALL segments (shared service)
New-OrganizationSegment -Name "Legal" `
    -UserGroupFilter "Department -eq 'Legal'"

# General Staff segment - all other employees
New-OrganizationSegment -Name "General Staff" `
    -UserGroupFilter "Department -eq 'General'"

# Verify all segments were created successfully
# OUTPUT: Segment name, filter query, and who created it
# CONCERN: Every user should fall into exactly ONE segment. To find users without a
#          Department set (the retired AzureAD module's Get-AzureADUser did the same job):
#   Get-MgUser -All -Property UserPrincipalName,Department | Where-Object { -not $_.Department }
Get-OrganizationSegment | Format-Table Name, UserGroupFilter, CreatedBy
```

Create policies that block communication between conflicting segments (e.g., Investment Banking and Equity Research) and allow communication with shared services segments (e.g., Compliance and Legal). Then apply the policies to enforce the barriers.
Policies created in this step: IB-Block-IB-ER, IB-Block-ER-IB, IB-Allow-Compliance-All, and IB-Allow-Legal-All.

```powershell
# Block policy: Investment Banking CANNOT communicate with Equity Research
# WHAT: Creates an ethical wall preventing IB users from messaging ER users
# WHY: Financial regulations (MiFID II, SEC) require Chinese walls between
#      deal-making and research divisions to prevent insider trading
# -SegmentsBlocked: The target segment that the assigned segment cannot reach
# -State Active: Policy is immediately enforceable (pending application)
# NOTE: A segment can be assigned to only one policy, and a policy uses either
#       -SegmentsBlocked or -SegmentsAllowed, not both
New-InformationBarrierPolicy -Name "IB-Block-IB-ER" `
    -AssignedSegment "Investment Banking" `
    -SegmentsBlocked "Equity Research" `
    -State Active

# Reciprocal block: Equity Research CANNOT communicate with Investment Banking
# WHY: IB policies are NOT bidirectional by default. Without this reciprocal policy,
#      ER users could still initiate contact with IB users. Always create BOTH sides.
New-InformationBarrierPolicy -Name "IB-Block-ER-IB" `
    -AssignedSegment "Equity Research" `
    -SegmentsBlocked "Investment Banking" `
    -State Active

# Allow policy: Compliance can communicate with ALL segments
# WHAT: Explicitly allows Compliance users to communicate across all barriers
# WHY: Compliance and Legal are "shared service" departments that must reach
#      all divisions to perform their oversight and investigation functions
# -SegmentsAllowed: List of all segments this group can communicate with
New-InformationBarrierPolicy -Name "IB-Allow-Compliance-All" `
    -AssignedSegment "Compliance" `
    -SegmentsAllowed "Investment Banking","Equity Research","Legal","General Staff" `
    -State Active

# Allow policy: Legal can communicate with ALL segments
New-InformationBarrierPolicy -Name "IB-Allow-Legal-All" `
    -AssignedSegment "Legal" `
    -SegmentsAllowed "Investment Banking","Equity Research","Compliance","General Staff" `
    -State Active

# CRITICAL: Apply all policies to begin enforcement
# WHAT: Triggers the actual enforcement of all Active policies across M365
# WHY: Policies are NOT enforced until this command is run. Creating policies
#      only defines them; this command activates barrier enforcement.
# NOTE: Application can take 30-60 minutes to propagate across all services
Start-InformationBarrierPoliciesApplication

# Check the application status - monitor until Status = "Completed"
# OUTPUT: Identity, Status (NotStarted/InProgress/Completed), and timestamp
# CONCERN: If Status stays at "Failed", check for segment conflicts or missing attributes
Get-InformationBarrierPoliciesApplicationStatus |
    Format-Table Identity, Status, LastModifiedTime
```

After policies are applied, validate that barriers are enforced across Microsoft Teams, SharePoint Online, and OneDrive for Business. Test both blocked and allowed communication patterns.
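The two design rules the policy block insists on (every user in exactly one segment; block policies in both directions) can be checked before Start-InformationBarrierPoliciesApplication is run, which is cheaper than waiting an hour for a propagation that silently leaves a gap. The script below is an added example, not part of the lab: it runs offline against constructed sample data that deliberately contains one user with no Department and one missing reciprocal policy, and the two functions accept the real output of Get-MgUser, Get-OrganizationSegment and Get-InformationBarrierPolicy in place of the samples.

```powershell
# Added example: offline consistency checks for an Information Barrier design.
# All users, segments and policies below are CONSTRUCTED sample data.

function Test-SegmentCoverage {
    # Every user must land in exactly one segment; zero or several segments is a finding.
    param([object[]]$Users, [object[]]$Segments)
    # Segments in this lab use "Department -eq '<value>'" filters; map segment -> value.
    $segDept = @{}
    foreach ($s in $Segments) {
        if ($s.UserGroupFilter -match "Department -eq '([^']*)'") { $segDept[$s.Name] = $Matches[1] }
    }
    foreach ($u in $Users) {
        $hits = @($segDept.Keys | Where-Object { $segDept[$_] -eq $u.Department })
        if ($hits.Count -ne 1) {
            [pscustomobject]@{ Check = 'SegmentCoverage'; Subject = $u.UserPrincipalName
                               Detail = "Department='$($u.Department)' matches $($hits.Count) segment(s): $($hits -join ', ')" }
        }
    }
}

function Test-PolicyConsistency {
    # (1) every block must have a reciprocal block, (2) a segment is assigned to at most
    # one policy, (3) a policy does not mix SegmentsBlocked and SegmentsAllowed.
    param([object[]]$Policies)
    $blocks = @($Policies | Where-Object { $_.SegmentsBlocked })
    foreach ($p in $blocks) {
        foreach ($target in $p.SegmentsBlocked) {
            $reciprocal = $blocks | Where-Object {
                $_.AssignedSegment -eq $target -and $_.SegmentsBlocked -contains $p.AssignedSegment }
            if (-not $reciprocal) {
                [pscustomobject]@{ Check = 'ReciprocalBlock'; Subject = $p.Name
                                   Detail = "No policy blocks '$target' from reaching '$($p.AssignedSegment)'" }
            }
        }
    }
    $Policies | Group-Object AssignedSegment | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Check = 'OnePolicyPerSegment'; Subject = $_.Name
                           Detail = "Assigned to $($_.Count) policies: $($_.Group.Name -join ', ')" }
    }
    $Policies | Where-Object { $_.SegmentsBlocked -and $_.SegmentsAllowed } | ForEach-Object {
        [pscustomobject]@{ Check = 'MixedBlockAllow'; Subject = $_.Name
                           Detail = 'Policy sets both SegmentsBlocked and SegmentsAllowed' }
    }
}

# --- Constructed sample data mirroring the lab design, with two planted defects ---
$segments = @(
    [pscustomobject]@{ Name = 'Investment Banking'; UserGroupFilter = "Department -eq 'Investment Banking'" },
    [pscustomobject]@{ Name = 'Equity Research';    UserGroupFilter = "Department -eq 'Equity Research'" },
    [pscustomobject]@{ Name = 'Compliance';         UserGroupFilter = "Department -eq 'Compliance'" },
    [pscustomobject]@{ Name = 'Legal';              UserGroupFilter = "Department -eq 'Legal'" },
    [pscustomobject]@{ Name = 'General Staff';      UserGroupFilter = "Department -eq 'General'" }
)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'ib.analyst@contoso.com'; Department = 'Investment Banking' },
    [pscustomobject]@{ UserPrincipalName = 'er.analyst@contoso.com'; Department = 'Equity Research' },
    [pscustomobject]@{ UserPrincipalName = 'new.hire@contoso.com';   Department = $null }  # defect 1: no segment
)
$policies = @(
    [pscustomobject]@{ Name = 'IB-Block-IB-ER'; AssignedSegment = 'Investment Banking'
                       SegmentsBlocked = @('Equity Research'); SegmentsAllowed = $null },
    # defect 2: the reciprocal IB-Block-ER-IB policy was never created
    [pscustomobject]@{ Name = 'IB-Allow-Compliance-All'; AssignedSegment = 'Compliance'; SegmentsBlocked = $null
                       SegmentsAllowed = @('Investment Banking','Equity Research','Legal','General Staff') }
)

$findings = @(Test-SegmentCoverage -Users $users -Segments $segments) +
            @(Test-PolicyConsistency -Policies $policies)
$findings | Format-Table Check, Subject, Detail -AutoSize -Wrap
```

Against a live tenant, replace the three sample arrays with `Get-MgUser -All -Property UserPrincipalName,Department`, `Get-OrganizationSegment` and `Get-InformationBarrierPolicy`, and treat any finding as a reason not to run Start-InformationBarrierPoliciesApplication yet.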
```powershell
# Check which IB policies apply to a specific user
# WHAT: Shows the user's segment membership and applied barrier policies
# WHY: Troubleshooting tool - verify a user is in the correct segment
#      and has the expected policies before/after testing
# OUTPUT: User identity, assigned segments, and applied IB policies
# CONCERN: If ExoSegments is empty, the user's Department attribute may not be set
Get-InformationBarrierRecipientStatus -Identity "john.smith@contoso.com" |
    Format-List Identity, ExoSegments, InformationBarrierPoliciesApplied

# Search audit logs for IB enforcement events
# WHAT: Retrieves all Information Barrier enforcement actions from the last 7 days
# WHY: Documents barrier enforcement for regulatory auditors and validates
#      that the policies are actually blocking communication as expected
# -RecordType InformationBarrierPolicyApplication: Filters to IB-specific events
# OUTPUT: Timestamp, affected user, operation type, policy name, and result
# CONCERN: Watch for "Failed" results - indicates enforcement issues
Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) `
    -RecordType InformationBarrierPolicyApplication `
    -ResultSize 500 |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            Timestamp  = $_.CreationDate
            User       = $_.UserIds
            Operation  = $data.Operation
            PolicyName = $data.PolicyName
            Result     = $data.ResultStatus
        }
    } | Format-Table -AutoSize

# List all IB policies with their current configuration
# OUTPUT: Policy name, assigned segment, blocked/allowed segments, and state
# EXPECT: All policies should show State = Active
Get-InformationBarrierPolicy |
    Format-Table Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State
```

A frequent cause of barriers that do not take effect: the Start-InformationBarrierPoliciesApplication cmdlet was not run after policy changes.

Compliance Manager provides a centralised dashboard to assess your organisation’s compliance posture against over 300 regulatory templates. It calculates a compliance score based on the improvement actions you have implemented.
Create assessments against specific regulatory frameworks your organisation must comply with. Assign improvement actions to responsible teams, track completion status, and export assessment reports for auditors.
Assessment created in this step: ISO 27001 - Annual Assessment 2026, in the assessment group 2026 Regulatory Assessments.

```powershell
# Note: Compliance Manager assessments, improvement actions and the compliance score are
# managed in the portal; there is currently no public Microsoft Graph endpoint for
# Compliance Manager data. The Graph calls below gather adjacent compliance evidence that
# IS exposed, so it can be collected by the same script as the portal export.

# Install Microsoft Graph PowerShell module for API access
Install-Module Microsoft.Graph -Scope CurrentUser -Force

# Connect to Microsoft Graph with the read-only scopes the two requests below require
Connect-MgGraph -Scopes "eDiscovery.Read.All","InformationProtectionPolicy.Read"

# List eDiscovery cases - inventory of legal holds and investigations for the auditors
# NOTE: The /beta/compliance/ediscovery path is deprecated in favour of
#       /beta/security/cases/ediscoveryCases; check the current Graph docs before relying on it
$ediscoveryCases = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/compliance/ediscovery/cases" `
    -OutputType PSObject

# Retrieve sensitivity label information - the labelling taxonomy currently in force
$sensitivityLabels = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/security/informationProtection/sensitivityLabels" `
    -OutputType PSObject

# RECOMMENDED: Use the Compliance Manager portal for comprehensive reporting
# The portal provides richer export options than the API currently supports
Write-Host "For comprehensive reporting, use the Compliance Manager portal:" -ForegroundColor Cyan
Write-Host "  1. Open Compliance Manager > Assessments" -ForegroundColor White
Write-Host "  2. Select your assessment (e.g., ISO 27001)" -ForegroundColor White
Write-Host "  3. Click 'Generate report' for PDF or 'Export to Excel'" -ForegroundColor White
Write-Host "  4. Share the report with auditors and leadership" -ForegroundColor White
```

Review your deployment across all three solutions and establish ongoing operational procedures.
```powershell
# FULL DEPLOYMENT VERIFICATION SCRIPT
# Run this after completing all steps to confirm everything is configured correctly

# --- Records Management Verification ---
Write-Host "=== Records Management ===" -ForegroundColor Cyan

# List all record labels (standard and regulatory)
# OUTPUT: Label name, retention duration, whether it's a regulatory record, and reviewer
# EXPECT: At least 2 record labels (deal documentation and trading records)
Get-ComplianceTag |
    Where-Object { $_.IsRecordLabel -eq $true } |
    Format-Table Name, RetentionDuration, Regulatory, ReviewerEmail

# List all event types for event-based retention
# OUTPUT: Event type names and creation dates
# EXPECT: "Employee Departure" and "Contract Expiration" events
Get-ComplianceRetentionEventType | Format-Table Name, CreatedDateTime

# --- Information Barriers Verification ---
Write-Host "`n=== Information Barriers ===" -ForegroundColor Cyan

# List all user segments and their filter queries
# OUTPUT: Segment names and the Azure AD attribute filters
# EXPECT: 5 segments (IB, ER, Compliance, Legal, General Staff)
Get-OrganizationSegment | Format-Table Name, UserGroupFilter

# List all IB policies with their block/allow configuration
# OUTPUT: Policy name, assigned segment, blocked/allowed segments, and state
# EXPECT: 2 block policies (IB-ER bidirectional) and 2 allow policies (Compliance, Legal)
Get-InformationBarrierPolicy |
    Format-Table Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State

# Confirm policy application completed successfully
# OUTPUT: Application status and timestamp
# EXPECT: Status = "Completed" (if still "InProgress", wait and re-check)
Get-InformationBarrierPoliciesApplicationStatus |
    Format-List Identity, Status, LastModifiedTime

# --- Summary ---
Write-Host "`n=== Deployment Complete ===" -ForegroundColor Green
Write-Host "Records Management: File plan with regulatory records deployed" -ForegroundColor White
Write-Host "Information Barriers: Chinese walls enforced between IB and ER" -ForegroundColor White
Write-Host "Compliance Manager: Assessments configured via portal" -ForegroundColor White
```

| Resource | Description |
|---|---|
| Learn about records management | Overview of records management in Microsoft Purview |
| Declare records | Declare standard and regulatory records with retention labels |
| Start retention with an event | Event-based retention for records management |
| Disposition of content | Multi-stage disposition review and proof of disposal |
| Learn about information barriers | Overview of Information Barriers in Microsoft 365 |
| Define information barrier policies | Create segments and policies for Information Barriers |
| Microsoft Purview Compliance Manager | Overview of Compliance Manager and compliance score |
| Build and manage assessments | Create assessments from regulatory templates |