A long-form deep dive into Microsoft Purview for Australian small and mid-sized businesses. Explains sensitivity labels, Data Loss Prevention, retention and records management, eDiscovery and audit, insider risk and Compliance Manager in plain English. Makes the split between what Microsoft 365 Business Premium already includes and what needs E5 Compliance very clear, covers Australian Privacy Act and cyber insurance relevance, indicative AUD pricing, deployment best practice and a side-by-side scenario showing five everyday moments with and without Purview configured.

    Product Deep Dive
    Recommended for Perth businesses handling client, patient or financial data

    Microsoft Purview: labelling, protecting and governing your business data

    Where does your sensitive data actually live, and what stops it walking out the door? Most Perth businesses cannot answer that. Purview is the set of rules and labels that follow your data around and answer it for you.

    StartCloud15 July 202612 min read
    TL;DR

    The short version

    Microsoft Purview is Microsoft's data governance and compliance suite that sits across Microsoft 365. In plain terms, it helps you find where your sensitive data is, label it, stop it leaking, and keep or delete it on a schedule.

    Think of it as rules and labels that follow your data around automatically. Its main pieces are sensitivity labels, Data Loss Prevention (DLP), retention and records management, eDiscovery and audit, insider risk, and Compliance Manager.

    Here is the honest bit. Microsoft 365 Business Premium already includes a genuinely useful baseline. The more advanced features need Microsoft 365 E5 Compliance or add-ons, which most SMEs will not have and often do not need. This guide makes that split clear.

    Prices in this guide are indicative AUD figures current as of July 2026, exclude GST, and are subject to change. Purview is mostly bundled with your Microsoft 365 licence, so always confirm what you have with your licensing partner.

    What it is

    Six tools that keep your data in line

    Microsoft Purview is not one product. It is a family of tools that all do one broad job: help you understand, protect and govern the data sitting inside Microsoft 365. Your emails, your files in SharePoint and OneDrive, your Teams chats. All of it.

    You do not have to use every piece. Most Perth SMEs start with two or three and grow from there. Here is what each one does, in plain English.

    Sensitivity labels

    Labels like 'Public', 'Internal' or 'Confidential' that you attach to files and emails. A label can just mark a document, or it can encrypt it so only the right people can open it. Once a file is labelled, the protection travels with it, even if it is emailed outside the business or copied to a USB stick.

    Data Loss Prevention (DLP)

    Rules that watch for sensitive information leaving the business. If a staff member tries to email a credit card number, a Tax File Number or a Medicare number out to an external address, DLP can warn them, ask them to justify it, or block it outright. It works across Outlook, Teams, SharePoint and OneDrive.

    Retention and records management

    A schedule for how long things are kept and when they are deleted. Keep client contracts for seven years, then delete them. Keep nothing longer than it needs to be kept. This reduces your risk surface and helps meet legal and industry obligations without anyone having to remember.

    eDiscovery and Audit

    The ability to search across all your Microsoft 365 content and export it for a legal matter, an HR investigation or a complaint. Audit logs record who did what and when: who opened a file, who deleted an email, who changed a permission. Invaluable when something goes wrong and you need to reconstruct events.

    Insider Risk Management

    Watches for risky behaviour from inside the business, such as a departing staff member downloading large volumes of client data before they leave. This is an advanced feature and needs the right licence, but it fills a gap most SMEs have never been able to cover.

    Compliance Manager

    A scored checklist that measures your Microsoft 365 setup against standards like the Australian Privacy Principles, ISO 27001 or the Essential Eight. It gives you a compliance score, tells you what to fix, and tracks your progress. A genuinely useful starting point for a business that does not know where it stands.

    The data lifecycle Purview manages

    At its heart, Purview runs a simple loop for every piece of sensitive information: classify it, protect it, keep an eye on it, then retain or delete it on schedule.

    1. Classify

    A file or email gets a label

    Staff apply a label like 'Confidential', or Purview applies one automatically when it spots sensitive content.

    2. Protect

    The label enforces rules

    The label can encrypt the file, restrict who opens it, and add a watermark. Protection travels with the file.

    3. Monitor

    DLP and audit watch it

    DLP stops the file leaking to the wrong place. Audit logs record who touched it and when.

    4. Retain or delete

    Retention runs the schedule

    The file is kept for as long as you need it, then deleted automatically. No manual clean-up, no keeping things forever.

    Audit runs quietly across all four stages, recording who touched what and when.

    Features that matter

    What Purview actually does for you

    Stripped of the product marketing, here is what Purview puts within reach of a normal business.

    Labels that follow your data

    Once a document is labelled 'Confidential' with encryption, that protection stays with it. Email it to a personal Gmail account and the recipient still cannot open it without permission. This is the single most useful thing Purview does for a small business worried about client data walking out the door.

    Stop sensitive data leaving by accident

    Most data leaks are honest mistakes: the wrong attachment, an autocomplete address, a client list pasted into the wrong chat. DLP catches these before they leave. You can start with a gentle warning and tighten to a hard block once staff are used to it.

    Keep what you must, bin what you should not

    Retention policies mean tax records are kept for the required years and old junk is cleared out on schedule. Holding data you no longer need is a liability, both for privacy risk and for the size of any future breach. Purview handles the housekeeping quietly in the background.

    Find content fast when it matters

    When a lawyer, an auditor or HR asks 'show me every email and document about this person or this matter', content search finds it across the whole tenant and exports it. Doing this by hand across mailboxes and SharePoint would take days and still miss things.

    A clear audit trail

    Audit logs answer the awkward questions after an incident: who deleted that folder, who shared that file externally, who signed in from an unusual location. For a business facing a privacy complaint or an insurance claim, having this record is the difference between guessing and knowing.

    Know where you stand on compliance

    Compliance Manager scores your setup against real standards and gives you a prioritised to-do list. It will not make you compliant on its own, but it turns a vague worry ('are we doing enough?') into a concrete, trackable checklist.

    How DLP handles a risky email

    A staff member tries to email a spreadsheet with a Tax File Number to an outside address. Here is what Purview does before it leaves.

    Email with a TFN, addressed externally
    DLP scans the message and attachment
    Sensitive data found?
    YES →NO →

    DLP steps in

    Warn the sender, require a business justification, or block the email entirely. Your rule decides. The event is logged either way.

    Email sends normally

    No sensitive data detected, so nothing gets in the way. Staff never notice DLP when they are doing ordinary work.

    Start rules in warn-only mode. Watch what they catch, tune out the false positives, then decide whether to move to blocking.
    The licensing reality

    What you already have vs what needs an upgrade

    This is the part most articles gloss over. A lot of Purview is already sitting inside Microsoft 365 Business Premium, waiting to be switched on. The advanced pieces need Microsoft 365 E5 Compliance. Here is the honest split.

    Capability Business Premium E5 Compliance
    Sensitivity labels (classify and encrypt files and emails) Manual labelling by staff, plus some auto-labelling Adds automatic labelling at scale and labelling of data at rest
    Message encryption (secure external email) Encrypt and rights-protect outbound email Same, plus richer controls
    Data Loss Prevention (DLP) for email, SharePoint, OneDrive and Teams Full DLP across Microsoft 365 workloads Adds endpoint DLP (Windows and Mac devices) and DLP in more places
    Retention policies and labels (keep or delete on a schedule) Basic retention across mailboxes, sites and Teams Adds full records management, event-based retention and disposition review
    Audit (who did what, when) Standard audit, roughly 180 days of log retention Advanced audit, up to a year or more, plus high-value crucial events
    Compliance Manager (scored checklist) Score and improvement actions More templates and premium assessments
    Content search and basic eDiscovery Search and export content for a matter Standard eDiscovery included
    Advanced eDiscovery (legal holds, review sets, analytics) Not included Full eDiscovery workflow for serious legal matters
    Insider Risk Management Not included Detect risky insider activity
    Communication Compliance (monitor internal messages for policy breaches) Not included Flag harassment, conflicts of interest, regulatory breaches

    The takeaway: if you are on Business Premium, you already own the tools most SMEs need. Labels, DLP, retention, audit and Compliance Manager are all there. E5 Compliance is worth it when you have a real need for advanced eDiscovery, insider risk or communication compliance, which is the exception, not the rule, for a typical Perth SME.

    The honest take

    Pros and cons

    What works well

    • A useful baseline is already in Microsoft 365 Business Premium. Sensitivity labels, message encryption, DLP across Exchange, SharePoint, OneDrive and Teams, basic retention, standard audit and Compliance Manager are all there. For many SMEs the question is whether it has been switched on, not whether to buy it.
    • Protection travels with the file. A labelled and encrypted document stays protected wherever it goes, including outside your business. This is real control over data you have shared, not just data sitting on your servers.
    • It helps with obligations you already have. The Australian Privacy Act, cyber insurance questionnaires and client contracts increasingly ask how you protect and govern data. Purview gives you real answers and an audit trail to back them up.
    • You can start small. Turn on message encryption and one or two DLP rules first. Add labels next. You do not have to deploy everything at once, and you should not.
    • It sits inside tools your team already uses. Labels appear in Word, Excel, Outlook and Teams. DLP works quietly in the background. For staff, a good deployment barely changes their day.

    Where to be careful

    • It is easy to over-engineer. A wall of ten labels and dozens of DLP rules confuses staff and generates noise. The businesses that succeed with Purview start with a handful of clear labels and a few high-value rules, then grow from there.
    • Labels and DLP need real policy decisions. Someone has to decide what 'Confidential' means, what should be blocked, and who can override a warning. This is a business conversation, not a technical toggle, and it cannot be skipped.
    • False positives frustrate staff. A DLP rule set too tightly will flag legitimate work and annoy people until they look for ways around it. Rules need testing in warn-only mode before you switch to blocking.
    • The advanced features are locked behind expensive licences. Advanced eDiscovery, insider risk, communication compliance, advanced audit and full records management need Microsoft 365 E5 Compliance or add-ons. Most SMEs will not have these, and that is usually a reasonable call.
    • It is not set-and-forget. Labels, rules and retention schedules need review as the business changes, as staff give feedback, and as Microsoft updates the platform. Purview rewards ongoing attention and punishes neglect.Our Managed Security service keeps labels and DLP rules tuned so they help rather than hinder.
    What it costs

    Pricing in real Perth dollars

    Purview is not usually a separate purchase. Its capabilities are bundled into your Microsoft 365 licence, so the real question is which licence you are on. For most Perth SMEs, Business Premium already covers what they need.

    Licence Approximate AUD cost What it gives you for Purview
    Microsoft 365 Business Premium (the baseline most SMEs want) ≈ $32.90/user/month Includes the useful Purview baseline: sensitivity labels, message encryption, DLP across Exchange, SharePoint, OneDrive and Teams, basic retention, standard audit and Compliance Manager. Plus the full Microsoft 365 productivity and security stack.
    Microsoft 365 E5 Compliance (add-on) ≈ $18/user/month add-on (indicative) Adds the advanced pieces: advanced eDiscovery, insider risk management, communication compliance, advanced audit, endpoint DLP and full records management. Sits on top of a base Microsoft 365 licence. Most SMEs do not need it.
    Microsoft 365 E5 (full enterprise licence) ≈ $90+/user/month The complete enterprise bundle with all compliance and advanced security features included. Aimed at larger or highly regulated organisations, not a typical 30-person Perth business.

    For a 30-person business already on Business Premium, deploying the Purview baseline costs nothing extra in licensing. The investment is in the setup: designing labels, building and testing DLP rules, agreeing retention schedules and keeping it all tuned. That is where a good managed provider earns its keep.

    Indicative figures only, in AUD and excluding GST. Prices current as of July 2026 and subject to change. Microsoft licensing changes often, so confirm with your licensing partner before any purchase decision.

    Real-world use cases

    Who gets the most from it

    Businesses handling client or patient data

    Accounting firms, medical practices, legal and financial services all hold data that must not leak. Sensitivity labels and DLP give you a real way to keep TFNs, health records and client files inside the business, and to prove you are doing so if a client or regulator asks.

    Meeting Australian Privacy Act obligations

    The Privacy Act and the Australian Privacy Principles expect you to protect personal information and not keep it longer than needed. Purview's labels, DLP and retention map directly onto those expectations, and Compliance Manager helps you track where you stand. It pairs naturally with a broader compliance program.

    Businesses working toward the Essential Eight

    Purview is not one of the eight controls itself, but it sits right alongside them. Data classification, retention and audit support the visibility and record-keeping that a mature Essential Eight posture assumes. If you are lifting your security maturity, governing your data is part of the picture.

    Businesses answering cyber insurance questions

    Cyber insurance renewals now ask pointed questions about how you classify data, prevent leaks and log activity. Being able to answer 'yes, we label sensitive data, we have DLP rules, and we keep an audit trail' can affect both whether you are covered and what you pay.

    Businesses with staff coming and going

    Retention and audit mean that when a staff member leaves, their content is governed, searchable and kept only as long as needed. If a departing employee's activity later becomes a question, the audit log gives you a factual record rather than a shrug.

    Five moments every business faces

    What happens with and without Purview

    These are the everyday situations where good data governance either protects you or exposes you. They happen in every business. The question is which column you are in when they do.

    Situation Without Purview With Purview configured
    A staff member emails a client list to a personal address The email leaves without a second look. You have no record it happened, no way to recall it, and no idea the client list is now sitting in someone's personal inbox. You may only find out if it causes a problem later. DLP spots the personal information in the attachment. Depending on your rule, the staff member gets a warning asking them to reconsider, has to give a business justification, or is blocked outright. Either way, the event is logged.
    A confidential quote is forwarded outside the business Once it is sent, it is gone. Anyone the recipient forwards it to can open it. You are relying entirely on trust and good manners to keep your pricing private. The document carries a 'Confidential' label with encryption. The external recipient can only open it if they are authorised, and forwarding it further does not remove the protection. Your pricing stays yours.
    You need to prove what happened after a data scare You piece together events from memory and half-remembered emails. There is no reliable record of who accessed what, who shared a file, or when. Your incident report is full of 'we think'. Audit logs show exactly who opened, shared, moved or deleted the content, and when. Your response to the client, the insurer or the regulator is based on facts, not guesswork.
    A lawyer asks for every document about a matter Someone spends days searching individual mailboxes and SharePoint sites by hand, exporting bits and pieces, and hoping nothing important was missed. The result is slow, incomplete and stressful. Content search runs across the whole tenant in one go, finds every relevant email and document, and exports them together. What took days now takes an afternoon and is far more thorough.
    Old records pile up year after year Nothing is ever deleted, because deleting things is scary and nobody owns the decision. Ten years of data sits there, growing your risk and making any future breach bigger. Retention policies keep records for exactly as long as you decide, then delete them automatically. You hold what you should and quietly let go of what you should not. The housekeeping happens on its own.

    A staff member emails a client list to a personal address

    Without Purview

    The email leaves without a second look. You have no record it happened, no way to recall it, and no idea the client list is now sitting in someone's personal inbox. You may only find out if it causes a problem later.

    With Purview

    DLP spots the personal information in the attachment. Depending on your rule, the staff member gets a warning asking them to reconsider, has to give a business justification, or is blocked outright. Either way, the event is logged.

    A confidential quote is forwarded outside the business

    Without Purview

    Once it is sent, it is gone. Anyone the recipient forwards it to can open it. You are relying entirely on trust and good manners to keep your pricing private.

    With Purview

    The document carries a 'Confidential' label with encryption. The external recipient can only open it if they are authorised, and forwarding it further does not remove the protection. Your pricing stays yours.

    You need to prove what happened after a data scare

    Without Purview

    You piece together events from memory and half-remembered emails. There is no reliable record of who accessed what, who shared a file, or when. Your incident report is full of 'we think'.

    With Purview

    Audit logs show exactly who opened, shared, moved or deleted the content, and when. Your response to the client, the insurer or the regulator is based on facts, not guesswork.

    A lawyer asks for every document about a matter

    Without Purview

    Someone spends days searching individual mailboxes and SharePoint sites by hand, exporting bits and pieces, and hoping nothing important was missed. The result is slow, incomplete and stressful.

    With Purview

    Content search runs across the whole tenant in one go, finds every relevant email and document, and exports them together. What took days now takes an afternoon and is far more thorough.

    Old records pile up year after year

    Without Purview

    Nothing is ever deleted, because deleting things is scary and nobody owns the decision. Ten years of data sits there, growing your risk and making any future breach bigger.

    With Purview

    Retention policies keep records for exactly as long as you decide, then delete them automatically. You hold what you should and quietly let go of what you should not. The housekeeping happens on its own.

    In practice

    What Purview looks like day-to-day

    Done well, Purview is nearly invisible to most staff. That is the goal. Governance should work in the background and only surface when it needs to, with a helpful nudge rather than a brick wall.

    Who Their experience
    A staff member writing a document They see a small label picker in Word or Outlook: 'Public', 'Internal', 'Confidential'. They pick the right one and carry on. If they forget, Purview can suggest or apply one automatically when it detects sensitive content.
    A staff member about to send a risky email A gentle prompt appears: 'This looks like it contains a Tax File Number. Are you sure you want to send it externally?' They think twice, fix the mistake, and move on. Most of the time that nudge is all it takes.
    A manager or business owner They see the Compliance Manager score and know at a glance whether things are improving. They can ask for a report on DLP matches or labelled documents without needing to touch the technical settings.
    StartCloud (managed governance) StartCloud designs the label set with you, configures and tests DLP rules in warn-only mode first, sets retention schedules, reviews false positives, and reports on what the rules are catching. We tune it so it protects without getting in the way.
    A lawyer, auditor or HR investigator When they need content for a matter, StartCloud runs a content search, exports the results and hands over a complete, defensible set. No frantic mailbox-by-mailbox hunting.
    How StartCloud deploys Purview

    From vague worry to a governed environment

    The businesses that get value from Purview keep it simple and roll it out in the right order. Blocking DLP before you have tested it, or drowning staff in labels, is how good intentions turn into daily friction. Here is how we approach it.

    Step 1. Licence check and data discovery

    We confirm what your Microsoft 365 licence already includes (Business Premium covers a lot) and get a picture of where your sensitive data actually lives: which SharePoint sites, which mailboxes, which shared drives. You cannot govern what you have not found.

    Step 2. Design a simple label set

    We agree on a small number of clear labels, usually something like Public, Internal and Confidential, and decide which ones encrypt. Fewer, well-understood labels beat a long list nobody can tell apart. We keep it human.

    Step 3. DLP rules in warn-only mode first

    We build DLP rules for the things that matter most to you: TFNs, credit card numbers, client identifiers. We start in warn-only mode so we can see what they would catch, tune out false positives, and only then move to blocking. No nasty surprises for staff.

    Step 4. Retention and records schedule

    We set retention policies that match your legal and industry obligations: how long to keep contracts, financials, client records, and when to delete them. This shrinks your risk surface and stops data hoarding.

    Step 5. Compliance Manager baseline

    We run Compliance Manager against the standards relevant to you, record your starting score, and work through the high-value improvement actions. This gives you a clear, trackable picture of your data governance posture.

    Step 6. Staff communication and ongoing tuning

    We explain to your team, in plain English, what the labels mean and why the prompts appear. Then we review false positives, adjust rules and update retention as the business changes. Purview works best with a light, steady hand on it.

    Watch out

    Common pitfalls

    • Turning on blocking DLP rules on day one. If you start by hard-blocking, you will catch a wave of legitimate work and frustrate staff immediately. Always run new rules in warn-only mode first, watch what they catch, then tighten.

    • Creating too many labels. Ten labels with overlapping meanings leave staff guessing and applying them wrongly. Start with three or four crisp labels. You can always add more once the basics stick.

    • Assuming you have the advanced features when you do not. Insider risk, advanced eDiscovery and communication compliance need E5 Compliance or an add-on. Check your licence before you promise a capability you cannot actually deliver.

    • Setting retention to delete before anyone has agreed to it. Automatic deletion is powerful and permanent. Retention schedules must be signed off by someone who understands the legal and business obligations, not configured on a hunch.

    • Labelling and forgetting. Labels only help if staff understand and use them. Without a short explanation and the occasional reminder, adoption drifts and the whole exercise loses value.

    • Treating Purview as a one-off project. It needs periodic review: new data types, new staff feedback, new Microsoft features. Assign someone to own it, or have your provider own it for you.

      StartCloud provides that ongoing oversight as part of Managed Security.

    The verdict

    Should your business turn on Purview?

    Yes, at least the baseline, especially if you handle client, patient or financial data. If you are already on Microsoft 365 Business Premium, you have paid for sensitivity labels, DLP, retention and audit. Leaving them switched off is leaving real protection on the table.

    The sensible approach is to start small. Turn on message encryption and a couple of high-value DLP rules. Add a short list of labels. Set retention on the records that matter. Test everything in warn-only mode first so staff are helped, not blocked. Then grow it as the business gets comfortable.

    The advanced tier, E5 Compliance, is a genuine yes for a smaller group: businesses with real legal exposure, strict regulatory obligations, or a concrete need for insider risk and advanced eDiscovery. For most Perth SMEs, the Business Premium baseline, configured well and kept tuned, is exactly the right amount of Purview.

    Not sure where your sensitive data is?

    If you already run Microsoft 365 Business Premium, you have paid for a lot of Purview. StartCloud finds your sensitive data, sets up labels and DLP that fit how your team works, and keeps it tuned so it protects without getting in the way.

    Book a data governance review

    No obligation. Straight answers. Perth-based team.

    Sources

    References

    1. Microsoft Purview product page
      https://www.microsoft.com/en-au/security/business/microsoft-purview
    2. Microsoft Purview documentation
      https://learn.microsoft.com/en-us/purview/
    3. Sensitivity labels in Microsoft Purview
      https://learn.microsoft.com/en-us/purview/sensitivity-labels
    4. Learn about Data Loss Prevention
      https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp
    5. Learn about retention policies and labels
      https://learn.microsoft.com/en-us/purview/retention
    6. Microsoft 365 Business Premium plans and pricing (Australia)
      https://www.microsoft.com/en-au/microsoft-365/business/microsoft-365-plans-and-pricing
    7. Microsoft 365 licensing for security and compliance
      https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance
    8. Office of the Australian Information Commissioner: Australian Privacy Principles
      https://www.oaic.gov.au/privacy/australian-privacy-principles

    Document prepared July 2026 by StartCloud (Start Technologies Pty Ltd). Pricing and feature information is indicative only and current as of the date of preparation. Microsoft licensing changes frequently, so confirm with your licensing partner before any purchase decision.

    StartCloud Assistant

    Online

    G'day! 👋 I'm the StartCloud Assistant. How can I help you today?