A long-form deep dive into Microsoft Purview for Australian small and mid-sized businesses. Explains sensitivity labels, Data Loss Prevention, retention and records management, eDiscovery and audit, insider risk and Compliance Manager in plain English. Makes the split between what Microsoft 365 Business Premium already includes and what needs E5 Compliance very clear, covers Australian Privacy Act and cyber insurance relevance, indicative AUD pricing, deployment best practice and a side-by-side scenario showing five everyday moments with and without Purview configured.
Microsoft Purview: labelling, protecting and governing your business data
Where does your sensitive data actually live, and what stops it walking out the door? Most Perth businesses cannot answer that. Purview is the set of rules and labels that follow your data around and answer it for you.
The short version
Microsoft Purview is Microsoft's data governance and compliance suite that sits across Microsoft 365. In plain terms, it helps you find where your sensitive data is, label it, stop it leaking, and keep or delete it on a schedule.
Think of it as rules and labels that follow your data around automatically. Its main pieces are sensitivity labels, Data Loss Prevention (DLP), retention and records management, eDiscovery and audit, insider risk, and Compliance Manager.
Here is the honest bit. Microsoft 365 Business Premium already includes a genuinely useful baseline. The more advanced features need Microsoft 365 E5 Compliance or add-ons, which most SMEs will not have and often do not need. This guide makes that split clear.
Prices in this guide are indicative AUD figures current as of July 2026, exclude GST, and are subject to change. Purview is mostly bundled with your Microsoft 365 licence, so always confirm what you have with your licensing partner.
Six tools that keep your data in line
Microsoft Purview is not one product. It is a family of tools that all do one broad job: help you understand, protect and govern the data sitting inside Microsoft 365. Your emails, your files in SharePoint and OneDrive, your Teams chats. All of it.
You do not have to use every piece. Most Perth SMEs start with two or three and grow from there. Here is what each one does, in plain English.
Sensitivity labels
Labels like 'Public', 'Internal' or 'Confidential' that you attach to files and emails. A label can just mark a document, or it can encrypt it so only the right people can open it. Once a file is labelled, the protection travels with it, even if it is emailed outside the business or copied to a USB stick.
Data Loss Prevention (DLP)
Rules that watch for sensitive information leaving the business. If a staff member tries to email a credit card number, a Tax File Number or a Medicare number out to an external address, DLP can warn them, ask them to justify it, or block it outright. It works across Outlook, Teams, SharePoint and OneDrive.
Retention and records management
A schedule for how long things are kept and when they are deleted. Keep client contracts for seven years, then delete them. Keep nothing longer than it needs to be kept. This reduces your risk surface and helps meet legal and industry obligations without anyone having to remember.
eDiscovery and Audit
The ability to search across all your Microsoft 365 content and export it for a legal matter, an HR investigation or a complaint. Audit logs record who did what and when: who opened a file, who deleted an email, who changed a permission. Invaluable when something goes wrong and you need to reconstruct events.
Insider Risk Management
Watches for risky behaviour from inside the business, such as a departing staff member downloading large volumes of client data before they leave. This is an advanced feature and needs the right licence, but it fills a gap most SMEs have never been able to cover.
Compliance Manager
A scored checklist that measures your Microsoft 365 setup against standards like the Australian Privacy Principles, ISO 27001 or the Essential Eight. It gives you a compliance score, tells you what to fix, and tracks your progress. A genuinely useful starting point for a business that does not know where it stands.
The data lifecycle Purview manages
At its heart, Purview runs a simple loop for every piece of sensitive information: classify it, protect it, keep an eye on it, then retain or delete it on schedule.
1. Classify
A file or email gets a label
Staff apply a label like 'Confidential', or Purview applies one automatically when it spots sensitive content.
2. Protect
The label enforces rules
The label can encrypt the file, restrict who opens it, and add a watermark. Protection travels with the file.
3. Monitor
DLP and audit watch it
DLP stops the file leaking to the wrong place. Audit logs record who touched it and when.
4. Retain or delete
Retention runs the schedule
The file is kept for as long as you need it, then deleted automatically. No manual clean-up, no keeping things forever.
Audit runs quietly across all four stages, recording who touched what and when.
What Purview actually does for you
Stripped of the product marketing, here is what Purview puts within reach of a normal business.
Labels that follow your data
Once a document is labelled 'Confidential' with encryption, that protection stays with it. Email it to a personal Gmail account and the recipient still cannot open it without permission. This is the single most useful thing Purview does for a small business worried about client data walking out the door.
Stop sensitive data leaving by accident
Most data leaks are honest mistakes: the wrong attachment, an autocomplete address, a client list pasted into the wrong chat. DLP catches these before they leave. You can start with a gentle warning and tighten to a hard block once staff are used to it.
Keep what you must, bin what you should not
Retention policies mean tax records are kept for the required years and old junk is cleared out on schedule. Holding data you no longer need is a liability, both for privacy risk and for the size of any future breach. Purview handles the housekeeping quietly in the background.
Find content fast when it matters
When a lawyer, an auditor or HR asks 'show me every email and document about this person or this matter', content search finds it across the whole tenant and exports it. Doing this by hand across mailboxes and SharePoint would take days and still miss things.
A clear audit trail
Audit logs answer the awkward questions after an incident: who deleted that folder, who shared that file externally, who signed in from an unusual location. For a business facing a privacy complaint or an insurance claim, having this record is the difference between guessing and knowing.
Know where you stand on compliance
Compliance Manager scores your setup against real standards and gives you a prioritised to-do list. It will not make you compliant on its own, but it turns a vague worry ('are we doing enough?') into a concrete, trackable checklist.
How DLP handles a risky email
A staff member tries to email a spreadsheet with a Tax File Number to an outside address. Here is what Purview does before it leaves.
DLP steps in
Warn the sender, require a business justification, or block the email entirely. Your rule decides. The event is logged either way.
Email sends normally
No sensitive data detected, so nothing gets in the way. Staff never notice DLP when they are doing ordinary work.
What you already have vs what needs an upgrade
This is the part most articles gloss over. A lot of Purview is already sitting inside Microsoft 365 Business Premium, waiting to be switched on. The advanced pieces need Microsoft 365 E5 Compliance. Here is the honest split.
| Capability | Business Premium | E5 Compliance |
|---|---|---|
| Sensitivity labels (classify and encrypt files and emails) | Manual labelling by staff, plus some auto-labelling | Adds automatic labelling at scale and labelling of data at rest |
| Message encryption (secure external email) | Encrypt and rights-protect outbound email | Same, plus richer controls |
| Data Loss Prevention (DLP) for email, SharePoint, OneDrive and Teams | Full DLP across Microsoft 365 workloads | Adds endpoint DLP (Windows and Mac devices) and DLP in more places |
| Retention policies and labels (keep or delete on a schedule) | Basic retention across mailboxes, sites and Teams | Adds full records management, event-based retention and disposition review |
| Audit (who did what, when) | Standard audit, roughly 180 days of log retention | Advanced audit, up to a year or more, plus high-value crucial events |
| Compliance Manager (scored checklist) | Score and improvement actions | More templates and premium assessments |
| Content search and basic eDiscovery | Search and export content for a matter | Standard eDiscovery included |
| Advanced eDiscovery (legal holds, review sets, analytics) | Not included | Full eDiscovery workflow for serious legal matters |
| Insider Risk Management | Not included | Detect risky insider activity |
| Communication Compliance (monitor internal messages for policy breaches) | Not included | Flag harassment, conflicts of interest, regulatory breaches |
The takeaway: if you are on Business Premium, you already own the tools most SMEs need. Labels, DLP, retention, audit and Compliance Manager are all there. E5 Compliance is worth it when you have a real need for advanced eDiscovery, insider risk or communication compliance, which is the exception, not the rule, for a typical Perth SME.
Pros and cons
What works well
- A useful baseline is already in Microsoft 365 Business Premium. Sensitivity labels, message encryption, DLP across Exchange, SharePoint, OneDrive and Teams, basic retention, standard audit and Compliance Manager are all there. For many SMEs the question is whether it has been switched on, not whether to buy it.
- Protection travels with the file. A labelled and encrypted document stays protected wherever it goes, including outside your business. This is real control over data you have shared, not just data sitting on your servers.
- It helps with obligations you already have. The Australian Privacy Act, cyber insurance questionnaires and client contracts increasingly ask how you protect and govern data. Purview gives you real answers and an audit trail to back them up.
- You can start small. Turn on message encryption and one or two DLP rules first. Add labels next. You do not have to deploy everything at once, and you should not.
- It sits inside tools your team already uses. Labels appear in Word, Excel, Outlook and Teams. DLP works quietly in the background. For staff, a good deployment barely changes their day.
Where to be careful
- It is easy to over-engineer. A wall of ten labels and dozens of DLP rules confuses staff and generates noise. The businesses that succeed with Purview start with a handful of clear labels and a few high-value rules, then grow from there.
- Labels and DLP need real policy decisions. Someone has to decide what 'Confidential' means, what should be blocked, and who can override a warning. This is a business conversation, not a technical toggle, and it cannot be skipped.
- False positives frustrate staff. A DLP rule set too tightly will flag legitimate work and annoy people until they look for ways around it. Rules need testing in warn-only mode before you switch to blocking.
- The advanced features are locked behind expensive licences. Advanced eDiscovery, insider risk, communication compliance, advanced audit and full records management need Microsoft 365 E5 Compliance or add-ons. Most SMEs will not have these, and that is usually a reasonable call.
- It is not set-and-forget. Labels, rules and retention schedules need review as the business changes, as staff give feedback, and as Microsoft updates the platform. Purview rewards ongoing attention and punishes neglect.Our Managed Security service keeps labels and DLP rules tuned so they help rather than hinder.
Pricing in real Perth dollars
Purview is not usually a separate purchase. Its capabilities are bundled into your Microsoft 365 licence, so the real question is which licence you are on. For most Perth SMEs, Business Premium already covers what they need.
| Licence | Approximate AUD cost | What it gives you for Purview |
|---|---|---|
| Microsoft 365 Business Premium (the baseline most SMEs want) | ≈ $32.90/user/month | Includes the useful Purview baseline: sensitivity labels, message encryption, DLP across Exchange, SharePoint, OneDrive and Teams, basic retention, standard audit and Compliance Manager. Plus the full Microsoft 365 productivity and security stack. |
| Microsoft 365 E5 Compliance (add-on) | ≈ $18/user/month add-on (indicative) | Adds the advanced pieces: advanced eDiscovery, insider risk management, communication compliance, advanced audit, endpoint DLP and full records management. Sits on top of a base Microsoft 365 licence. Most SMEs do not need it. |
| Microsoft 365 E5 (full enterprise licence) | ≈ $90+/user/month | The complete enterprise bundle with all compliance and advanced security features included. Aimed at larger or highly regulated organisations, not a typical 30-person Perth business. |
For a 30-person business already on Business Premium, deploying the Purview baseline costs nothing extra in licensing. The investment is in the setup: designing labels, building and testing DLP rules, agreeing retention schedules and keeping it all tuned. That is where a good managed provider earns its keep.
Indicative figures only, in AUD and excluding GST. Prices current as of July 2026 and subject to change. Microsoft licensing changes often, so confirm with your licensing partner before any purchase decision.
Who gets the most from it
Businesses handling client or patient data
Accounting firms, medical practices, legal and financial services all hold data that must not leak. Sensitivity labels and DLP give you a real way to keep TFNs, health records and client files inside the business, and to prove you are doing so if a client or regulator asks.
Meeting Australian Privacy Act obligations
The Privacy Act and the Australian Privacy Principles expect you to protect personal information and not keep it longer than needed. Purview's labels, DLP and retention map directly onto those expectations, and Compliance Manager helps you track where you stand. It pairs naturally with a broader compliance program.
Businesses working toward the Essential Eight
Purview is not one of the eight controls itself, but it sits right alongside them. Data classification, retention and audit support the visibility and record-keeping that a mature Essential Eight posture assumes. If you are lifting your security maturity, governing your data is part of the picture.
Businesses answering cyber insurance questions
Cyber insurance renewals now ask pointed questions about how you classify data, prevent leaks and log activity. Being able to answer 'yes, we label sensitive data, we have DLP rules, and we keep an audit trail' can affect both whether you are covered and what you pay.
Businesses with staff coming and going
Retention and audit mean that when a staff member leaves, their content is governed, searchable and kept only as long as needed. If a departing employee's activity later becomes a question, the audit log gives you a factual record rather than a shrug.
What happens with and without Purview
These are the everyday situations where good data governance either protects you or exposes you. They happen in every business. The question is which column you are in when they do.
| Situation | Without Purview | With Purview configured |
|---|---|---|
| A staff member emails a client list to a personal address | The email leaves without a second look. You have no record it happened, no way to recall it, and no idea the client list is now sitting in someone's personal inbox. You may only find out if it causes a problem later. | DLP spots the personal information in the attachment. Depending on your rule, the staff member gets a warning asking them to reconsider, has to give a business justification, or is blocked outright. Either way, the event is logged. |
| A confidential quote is forwarded outside the business | Once it is sent, it is gone. Anyone the recipient forwards it to can open it. You are relying entirely on trust and good manners to keep your pricing private. | The document carries a 'Confidential' label with encryption. The external recipient can only open it if they are authorised, and forwarding it further does not remove the protection. Your pricing stays yours. |
| You need to prove what happened after a data scare | You piece together events from memory and half-remembered emails. There is no reliable record of who accessed what, who shared a file, or when. Your incident report is full of 'we think'. | Audit logs show exactly who opened, shared, moved or deleted the content, and when. Your response to the client, the insurer or the regulator is based on facts, not guesswork. |
| A lawyer asks for every document about a matter | Someone spends days searching individual mailboxes and SharePoint sites by hand, exporting bits and pieces, and hoping nothing important was missed. The result is slow, incomplete and stressful. | Content search runs across the whole tenant in one go, finds every relevant email and document, and exports them together. What took days now takes an afternoon and is far more thorough. |
| Old records pile up year after year | Nothing is ever deleted, because deleting things is scary and nobody owns the decision. Ten years of data sits there, growing your risk and making any future breach bigger. | Retention policies keep records for exactly as long as you decide, then delete them automatically. You hold what you should and quietly let go of what you should not. The housekeeping happens on its own. |
A staff member emails a client list to a personal address
Without Purview
The email leaves without a second look. You have no record it happened, no way to recall it, and no idea the client list is now sitting in someone's personal inbox. You may only find out if it causes a problem later.
With Purview
DLP spots the personal information in the attachment. Depending on your rule, the staff member gets a warning asking them to reconsider, has to give a business justification, or is blocked outright. Either way, the event is logged.
A confidential quote is forwarded outside the business
Without Purview
Once it is sent, it is gone. Anyone the recipient forwards it to can open it. You are relying entirely on trust and good manners to keep your pricing private.
With Purview
The document carries a 'Confidential' label with encryption. The external recipient can only open it if they are authorised, and forwarding it further does not remove the protection. Your pricing stays yours.
You need to prove what happened after a data scare
Without Purview
You piece together events from memory and half-remembered emails. There is no reliable record of who accessed what, who shared a file, or when. Your incident report is full of 'we think'.
With Purview
Audit logs show exactly who opened, shared, moved or deleted the content, and when. Your response to the client, the insurer or the regulator is based on facts, not guesswork.
A lawyer asks for every document about a matter
Without Purview
Someone spends days searching individual mailboxes and SharePoint sites by hand, exporting bits and pieces, and hoping nothing important was missed. The result is slow, incomplete and stressful.
With Purview
Content search runs across the whole tenant in one go, finds every relevant email and document, and exports them together. What took days now takes an afternoon and is far more thorough.
Old records pile up year after year
Without Purview
Nothing is ever deleted, because deleting things is scary and nobody owns the decision. Ten years of data sits there, growing your risk and making any future breach bigger.
With Purview
Retention policies keep records for exactly as long as you decide, then delete them automatically. You hold what you should and quietly let go of what you should not. The housekeeping happens on its own.
What Purview looks like day-to-day
Done well, Purview is nearly invisible to most staff. That is the goal. Governance should work in the background and only surface when it needs to, with a helpful nudge rather than a brick wall.
| Who | Their experience |
|---|---|
| A staff member writing a document | They see a small label picker in Word or Outlook: 'Public', 'Internal', 'Confidential'. They pick the right one and carry on. If they forget, Purview can suggest or apply one automatically when it detects sensitive content. |
| A staff member about to send a risky email | A gentle prompt appears: 'This looks like it contains a Tax File Number. Are you sure you want to send it externally?' They think twice, fix the mistake, and move on. Most of the time that nudge is all it takes. |
| A manager or business owner | They see the Compliance Manager score and know at a glance whether things are improving. They can ask for a report on DLP matches or labelled documents without needing to touch the technical settings. |
| StartCloud (managed governance) | StartCloud designs the label set with you, configures and tests DLP rules in warn-only mode first, sets retention schedules, reviews false positives, and reports on what the rules are catching. We tune it so it protects without getting in the way. |
| A lawyer, auditor or HR investigator | When they need content for a matter, StartCloud runs a content search, exports the results and hands over a complete, defensible set. No frantic mailbox-by-mailbox hunting. |
From vague worry to a governed environment
The businesses that get value from Purview keep it simple and roll it out in the right order. Blocking DLP before you have tested it, or drowning staff in labels, is how good intentions turn into daily friction. Here is how we approach it.
Step 1. Licence check and data discovery
We confirm what your Microsoft 365 licence already includes (Business Premium covers a lot) and get a picture of where your sensitive data actually lives: which SharePoint sites, which mailboxes, which shared drives. You cannot govern what you have not found.
Step 2. Design a simple label set
We agree on a small number of clear labels, usually something like Public, Internal and Confidential, and decide which ones encrypt. Fewer, well-understood labels beat a long list nobody can tell apart. We keep it human.
Step 3. DLP rules in warn-only mode first
We build DLP rules for the things that matter most to you: TFNs, credit card numbers, client identifiers. We start in warn-only mode so we can see what they would catch, tune out false positives, and only then move to blocking. No nasty surprises for staff.
Step 4. Retention and records schedule
We set retention policies that match your legal and industry obligations: how long to keep contracts, financials, client records, and when to delete them. This shrinks your risk surface and stops data hoarding.
Step 5. Compliance Manager baseline
We run Compliance Manager against the standards relevant to you, record your starting score, and work through the high-value improvement actions. This gives you a clear, trackable picture of your data governance posture.
Step 6. Staff communication and ongoing tuning
We explain to your team, in plain English, what the labels mean and why the prompts appear. Then we review false positives, adjust rules and update retention as the business changes. Purview works best with a light, steady hand on it.
Common pitfalls
-
Turning on blocking DLP rules on day one. If you start by hard-blocking, you will catch a wave of legitimate work and frustrate staff immediately. Always run new rules in warn-only mode first, watch what they catch, then tighten.
-
Creating too many labels. Ten labels with overlapping meanings leave staff guessing and applying them wrongly. Start with three or four crisp labels. You can always add more once the basics stick.
-
Assuming you have the advanced features when you do not. Insider risk, advanced eDiscovery and communication compliance need E5 Compliance or an add-on. Check your licence before you promise a capability you cannot actually deliver.
-
Setting retention to delete before anyone has agreed to it. Automatic deletion is powerful and permanent. Retention schedules must be signed off by someone who understands the legal and business obligations, not configured on a hunch.
-
Labelling and forgetting. Labels only help if staff understand and use them. Without a short explanation and the occasional reminder, adoption drifts and the whole exercise loses value.
-
Treating Purview as a one-off project. It needs periodic review: new data types, new staff feedback, new Microsoft features. Assign someone to own it, or have your provider own it for you.
StartCloud provides that ongoing oversight as part of Managed Security.
Should your business turn on Purview?
Yes, at least the baseline, especially if you handle client, patient or financial data. If you are already on Microsoft 365 Business Premium, you have paid for sensitivity labels, DLP, retention and audit. Leaving them switched off is leaving real protection on the table.
The sensible approach is to start small. Turn on message encryption and a couple of high-value DLP rules. Add a short list of labels. Set retention on the records that matter. Test everything in warn-only mode first so staff are helped, not blocked. Then grow it as the business gets comfortable.
The advanced tier, E5 Compliance, is a genuine yes for a smaller group: businesses with real legal exposure, strict regulatory obligations, or a concrete need for insider risk and advanced eDiscovery. For most Perth SMEs, the Business Premium baseline, configured well and kept tuned, is exactly the right amount of Purview.
Where StartCloud fits in
The licence is the start. Here is where we plug in next.
Turn on and configure the Purview baseline
Microsoft 365 data governance setup
Design labels and test DLP rules
Sensitivity labels and Data Loss Prevention
Map data governance to your obligations
Compliance program support
See what your DLP and audit are catching
Security reporting and visibility
Protect the identity layer alongside your data
Microsoft Entra ID deep dive
Talk to the Perth team
Get in touch
Not sure where your sensitive data is?
If you already run Microsoft 365 Business Premium, you have paid for a lot of Purview. StartCloud finds your sensitive data, sets up labels and DLP that fit how your team works, and keeps it tuned so it protects without getting in the way.
Book a data governance reviewNo obligation. Straight answers. Perth-based team.
References
- Microsoft Purview product page
https://www.microsoft.com/en-au/security/business/microsoft-purview - Microsoft Purview documentation
https://learn.microsoft.com/en-us/purview/ - Sensitivity labels in Microsoft Purview
https://learn.microsoft.com/en-us/purview/sensitivity-labels - Learn about Data Loss Prevention
https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp - Learn about retention policies and labels
https://learn.microsoft.com/en-us/purview/retention - Microsoft 365 Business Premium plans and pricing (Australia)
https://www.microsoft.com/en-au/microsoft-365/business/microsoft-365-plans-and-pricing - Microsoft 365 licensing for security and compliance
https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance - Office of the Australian Information Commissioner: Australian Privacy Principles
https://www.oaic.gov.au/privacy/australian-privacy-principles
Document prepared July 2026 by StartCloud (Start Technologies Pty Ltd). Pricing and feature information is indicative only and current as of the date of preparation. Microsoft licensing changes frequently, so confirm with your licensing partner before any purchase decision.