Microsoft Purview service description

Microsoft Purview is a comprehensive set of solutions that can help your organization govern, protect, and manage data, wherever it lives. Microsoft Purview solutions provide integrated coverage and help address the fragmentation of data across organizations, the lack of visibility that hampers data protection and governance, and the blurring of traditional IT management roles.

Available plans

For the purposes of this article, a tenant-level service is an online service that is activated in part or in full for all users in the tenant (standalone license and/or as part of a Microsoft 365 or Office 365 plan). Though some tenant services are currently not capable of limiting benefits to specific users, appropriate subscription licenses are required for use of each online service. To review the terms and conditions governing the use of Microsoft products and Professional Services acquired through Microsoft Licensing programs, see the Product Terms.

To view how users benefit from Microsoft 365 features, download the Microsoft 365 Comparison table for Enterprise and Frontline Workers Plans or the Microsoft 365 Comparison table for Small and Medium Business Plans.

Which users need a license?

Any user benefiting from the service requires a license. For more information about service terms & conditions, see the Product Terms. Following are some examples of users benefiting from the service in Microsoft Purview; however, this list isn't exhaustive:

  • Users with a Purview role assigned for use in the Microsoft Purview portal.
  • Exchange user mailboxes, OneDrive accounts, Teams chats, and devices are associated with a user account, so the user must have the required license assigned when a Purview policy or feature is used in these locations.
  • For shared locations, such as SharePoint sites, Microsoft 365 Groups, and Teams channel messages, users with the owner or member role must have the required license assigned when a Purview policy or feature is used on the site, mailbox, or Team. Users with visitor or view-only roles don't need a license.
  • For features requiring one of the following licenses, a shared or resource mailbox also needs one of them to provide usage rights:
    • Microsoft 365 E5/A5/G5
    • Microsoft 365 E5/A5/G5/F5 Compliance
    • Microsoft 365 F5 Security & Compliance
    • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
    • Microsoft 365 E5/A5/G5/F5 eDiscovery and Audit
    • Microsoft 365 E5/A5/G5/F5 Insider Risk Management
    • Office 365 E5/A5/G5
  • Inactive mailboxes don't require a usage license.
  • For information about licensing for Microsoft Purview Data Security Posture Management for AI, see Considerations for deploying Microsoft Purview Data Security Posture Management for AI & data security and compliance protections for Microsoft Copilot and other generative AI apps | Microsoft Learn.

Feature availability

Microsoft Purview Audit (Standard)

Microsoft Purview Audit (Standard) provides you with the ability to log and search for audited activities and power your forensic, IT, compliance, and legal investigations. To learn more, see Learn about auditing solutions in Microsoft Purview.

Feature | Microsoft 365 E5 + Microsoft 365 Copilot | Microsoft 365 E3 + Microsoft 365 Copilot | Microsoft 365 E5/A5/G5
Audit (Standard) | Yes | Yes | Yes
Audit (Standard) for Microsoft 365 Copilot interactions | Yes | Yes | No

Microsoft Purview Audit (Premium)

Audit (Premium) (formerly named Microsoft 365 Advanced Audit) provides one-year retention of audit logs for user and admin activities and provides the ability to create custom audit log retention policies to manage audit log retention for other Microsoft 365 services. It also provides access to crucial events for investigations and high-bandwidth access to the Office 365 Management Activity API.

Users benefit from Audit (Premium) because audit records related to user activity in Microsoft 365 services can be retained for up to one year. Additionally, high-value auditing events are logged, such as when items in a user's mailbox are accessed or read.

By default, Audit (Premium) is enabled at the tenant level for all users that benefit from the service, and automatically provides one-year retention of audit logs for activities (performed by users with the appropriate license) in Microsoft Entra ID, Exchange, and SharePoint.

Additionally, organizations can use audit log retention policies to manage the retention period for audit records generated by activity in other Microsoft 365 services.

One-year retention of audit logs and the auditing of crucial events only apply to users with the appropriate license. Additionally, admins can use audit log retention policies to specify shorter retention durations for the audit logs of specific users.

10-year retention of audit logs only applies to users with the appropriate add-on license.

Feature Microsoft 365 E5 + Microsoft 365 Copilot Microsoft 365 E3 + Microsoft 365 Copilot Microsoft 365 Purview Suite + Copilot1 Microsoft 365 E5 eDiscovery & Audit + Copilot1 Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/F5/G5 Compliance, Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/F5/G5 eDiscovery and Audit, Office 365 E5/A5/G5
Audit (Premium) Yes No Yes Yes
Audit (Premium) for Microsoft 365 Copilot interactions Yes No Yes No

For more information about Audit, check out the following resources:

  • For more information, see Audit (Premium) and Audit (Standard).
  • The 10-year Audit Log Retention functionality is also enabled using the same retention policies. For more information, see Manage audit log retention policies.
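The retention behaviour described above (one-year default, shorter retention for specific users, and 10-year retention for add-on licensed users, all driven by audit log retention policies) can be expressed with the Security & Compliance PowerShell cmdlets. This is an added example, not code from the service description; the policy names, user accounts and chosen durations are assumed sample values, while the cmdlet and parameter names are the documented New-/Get-UnifiedAuditLogRetentionPolicy.

```powershell
# Added example (not part of the service description): create audit log retention
# policies with Security & Compliance PowerShell. Policy names, user principal names
# and durations below are assumed sample values.

# Connect to Security & Compliance PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession -UserPrincipalName admin@contoso.example

# Policy 1: keep Exchange mailbox activity for two specific (assumed) accounts for a
# shorter period than the default one-year retention, i.e. the "shorter retention
# for specific users" case mentioned in the text.
New-UnifiedAuditLogRetentionPolicy -Name "Contractor-Mailbox-6Months" `
    -Description "Shorter retention for contractor mailbox activity" `
    -RecordTypes ExchangeItem `
    -UserIds contractor1@contoso.example, contractor2@contoso.example `
    -RetentionDuration SixMonths `
    -Priority 100

# Policy 2: keep Microsoft Entra ID (directory) activity for ten years. This only
# takes effect for users who hold the 10-year audit log retention add-on license.
# A lower Priority value wins when several policies match the same record.
New-UnifiedAuditLogRetentionPolicy -Name "EntraID-Admin-10Years" `
    -Description "Long-term retention of directory administration events" `
    -RecordTypes AzureActiveDirectory `
    -RetentionDuration TenYears `
    -Priority 10

# Verify the policies exist and review their precedence order.
Get-UnifiedAuditLogRetentionPolicy |
    Sort-Object Priority |
    Format-Table Name, RecordTypes, RetentionDuration, Priority
```

Records not matched by any custom policy fall back to the default retention for the user's license.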

Microsoft Purview Collection Policies

Collection policies are a configuration option in the Microsoft Purview portal that allows administrators to fine-tune which signals and data are available to Purview solutions at the tenant level. This fine-tuning includes specifying which Sensitive Information Types (SITs) are classified, which activities are collected, and which AI prompts/responses are stored. Collection policy fine-tuning also scopes the signals sent to other Purview solutions, including Data Security Posture Management, Insider Risk Management, Communication Compliance, eDiscovery, and more.

Collection Policies are designed to streamline discovery of relevant information rather than to apply enforcement on that information. The key benefits of Collection Policies include granular control for regulatory compliance, noise reduction, resource efficiency, and expanded coverage to cloud apps.

There are no licensing requirements to apply collection policies. Instead, you must be licensed for the workload for which you're creating the policy. For example, creating a collection policy that includes devices requires endpoint DLP licensing, as the device data source is available under that licensing tier. Similarly, creating a collection policy with network data protection requires the tenant to be linked to an Azure subscription as a prerequisite, since network-based enforcement is a pay-as-you-go feature.

Microsoft Purview Communications Compliance

Microsoft Purview Communication Compliance is an insider risk solution that helps you detect, capture, and act on inappropriate messages that can lead to potential data security or compliance incidents within your organization. Communication compliance evaluates text and image-based messages in Microsoft and third-party apps (Teams, Copilot for Microsoft 365, Viva Engage, Outlook, WhatsApp, etc.) for potential business policy violations, including inappropriate sharing of sensitive information and threatening or harassing language, as well as potential regulatory violations (such as stock and capital manipulation).

Communication compliance's mission is to foster safe and compliant communications across customers' enterprise communication channels. With role-based access controls, human investigators can take remediation actions such as removing a message from Teams or notifying senders of potentially inappropriate conduct.

Communication compliance uses machine learning models and keyword matching to identify messages containing potential business conduct or regulatory policy violations that are then reviewed by an investigator. Communication compliance cultivates user privacy with pseudonymization and responsible use of the product by providing role-based access controls.

Feature | Microsoft 365 E5 + Microsoft 365 Copilot | Microsoft 365 Purview Suite + Microsoft 365 Copilot | Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 E5/A5/F5/G5 Insider Risk Management | Office 365 E5/A5/G5
Communication Compliance | Yes | Yes | Yes | Yes
Microsoft Copilot for Microsoft 365 prompt and response analysis | Yes | Yes | No | No
Microsoft Teams chats | Yes | Yes | Yes | Yes
Viva Engage conversations | Yes | Yes | Yes | Yes
Exchange Online emails | Yes | Yes | Yes | Yes

For more information, see Get started with communication compliance.

Microsoft Purview Compliance Manager

Compliance Manager is a feature in Microsoft Purview that helps you manage your organization's compliance requirements with greater ease and convenience. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

Compliance Manager helps simplify compliance and reduce risk by providing:

  • Prebuilt assessments for common industry and regional standards and regulations. 
  • Workflow capabilities to help you efficiently complete your risk assessments through a single tool.
  • Detailed step-by-step guidance on suggested improvement actions to help you comply with the standards and regulations that are most relevant for your organization. For actions managed by Microsoft, you’ll see implementation details and audit results.
  • A risk-based compliance score to help you understand your compliance posture by measuring your progress in completing improvement actions.

Compliance Manager is available to organizations with Office 365 and Microsoft 365 licenses (incl. Business Premium), and to US Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) customers. Assessment availability and management capabilities depend on your licensing agreement.

Feature | Office 365 and Microsoft 365 licenses (incl. Business Premium), and US Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) customers
Compliance Manager | Yes

Learn more about the list of premium templates for Compliance Manager.

Microsoft Purview Customer Lockbox

Customer Lockbox provides an extra layer of control by offering customers the ability to give explicit access authorization for service operations. By demonstrating that procedures are in place for explicit data access authorization, Customer Lockbox can also help organizations meet certain compliance obligations such as HIPAA and FedRAMP.

Customer Lockbox ensures that no one at Microsoft can access customer content to perform a service operation without the customer's explicit approval. Customer Lockbox brings the customer into the approval workflow for requests to access their content. Occasionally, Microsoft engineers are involved during the support process to troubleshoot and fix customer-reported issues. In most cases, issues are fixed through the extensive telemetry and debugging tools that Microsoft has in place for its services. However, there can be cases that require a Microsoft engineer to access customer content to determine the root cause and fix the issue. Customer Lockbox requires the engineer to request access from the customer as a final step in the approval workflow. This final step gives organizations the option to approve or deny these requests, which gives them direct control over whether a Microsoft engineer can access the organization's end-user data. Admins can turn on Customer Lockbox in the Microsoft 365 admin center.

When Customer Lockbox is turned on, Microsoft is required to obtain an organization's approval before accessing any of their content.

Feature | Office 365 E5/A5/G5 | Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 E5/A5/F5/G5 Insider Risk Management
Customer Lockbox | Yes | Yes

For more information, see Customer Lockbox.

Microsoft Purview Data Connectors

Microsoft provides third-party data connectors that can be configured in the Microsoft Purview portal. For a list of data connectors provided by Microsoft, see the Third-party data connectors table. This table also summarizes the compliance solutions that you can apply to third-party data after you import and archive data in Microsoft 365, and links to the step-by-step instructions for each connector.

The primary benefit of using Data Connectors (formerly named Microsoft 365 Data Connectors) to import and archive third-party data in Microsoft 365 is that you can apply various Microsoft Purview solutions to the data after importing it. This helps ensure that your organization's non-Microsoft data is in compliance with the regulations and standards that affect your organization.

For data connectors in the Microsoft Purview portal that are provided by a Microsoft partner, your organization needs a business relationship with the partner before you can deploy those connectors.

Data Connectors services are a tenant-level value. Every user intended to benefit from this service must be licensed.

Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/F5/G5 Information Protection & Governance, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/F5/G5 Insider Risk Management, Microsoft 365 E5/A5/F5/G5 eDiscovery and Audit | Office 365 E5/A5/G5
Data Connectors | Yes | Yes

Microsoft Purview Data Lifecycle & Records Management

For more information, see: Microsoft Purview Data Lifecycle and Records Management service description - Service Descriptions | Microsoft Learn

Microsoft Purview Data Loss Prevention: Endpoint Data Loss Prevention (DLP)

Endpoint data loss prevention (Endpoint DLP) extends the activity detection and protection capabilities of DLP to sensitive items that are physically stored on Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) devices.

Organizations can use Microsoft Purview Data Loss Prevention (DLP) to detect activity on items determined to be sensitive and to help prevent the unintentional sharing of those items. For more information on DLP, see Learn about data loss prevention.

Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/F5/G5 Compliance and F5 Security & Compliance, Microsoft 365 E5/A5/F5/G5 Information Protection & Governance
Endpoint Data Loss Prevention (DLP) | Yes

For more information, see Get started with Endpoint data loss prevention - Microsoft Purview (compliance) | Microsoft Docs and Learn about data loss prevention - Microsoft Purview (compliance) | Microsoft Docs.

In the Microsoft Purview compliance portal, Endpoint DLP policies can be scoped to users logging into onboarded devices. Policies are evaluated when a scoped user logs onto an onboarded device. Review the Microsoft Endpoint DLP interactive guide for devices for more details.

For more information about using DLP policies, see Overview of data loss prevention.

Microsoft Purview Data Loss Prevention (DLP) for Teams

With DLP for Teams, organizations can block chats and channel messages that contain sensitive information, such as financial information, personally identifying information, health-related information, or other confidential information.

Senders benefit by having sensitive information in their outgoing chat and channel messages inspected for sensitive information, as configured in the organization's DLP policy.

By default, Teams chat and channel messages are an enabled Location (workload) for these DLP features for all users within the tenant. To enable Data Loss Prevention for Teams, the "Microsoft Communications DLP" service must be selected under one of the above licenses in the Microsoft 365 Administration portal.

Feature Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, Microsoft 365 E5/A5/F5/G5 Information Protection and Governance Office 365 E5/A5/G5
Purview Data Loss Prevention (DLP) for Teams Yes

Microsoft Purview Data Loss Prevention: Data Loss Prevention (DLP) for Exchange Online, SharePoint Online, and OneDrive for Business

For the purposes of this article, a tenant-level service is an online service that is activated in part or in full for all users in the tenant (standalone license and/or as part of a Microsoft 365 or Office 365 plan). Appropriate subscription licenses are required for customer use of online services. To see the options for licensing your users to benefit from Microsoft 365 security features, download the Microsoft 365 Comparison table for Enterprise and Frontline Workers Plans or the Microsoft 365 Comparison table for Small and Medium Business Plans.

Some tenant services aren't currently capable of limiting benefits to specific users. To review the terms and conditions governing the use of Microsoft products and Professional Services acquired through Microsoft Licensing programs, see the Product Terms.

With Microsoft Purview Data Loss Prevention for Exchange Online, SharePoint Online, and OneDrive for Business (formerly named Microsoft Office 365 Data Loss Prevention), organizations can identify, monitor, and automatically protect sensitive information across emails and files (including files stored in Microsoft Teams file repositories).

Which licenses provide the rights for a user to benefit from the service?

  • Microsoft 365 E5/A5/G5/E3/A3/G3, Microsoft 365 Business Premium, SharePoint Online Plan 2, OneDrive for Business (Plan 2), Exchange Online Plan 2
  • Office 365 E5/A5/G5/E3/A3/G3
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance

How do users benefit from the service?

Users benefit from DLP for Exchange Online, SharePoint Online, and OneDrive for Business when their emails and files are being inspected for sensitive information, as configured in the organization's DLP policy.

How is the service provisioned/deployed?

By default, Exchange Online emails, SharePoint sites, and OneDrive accounts are enabled locations (workloads) for these DLP features for all users within the tenant. For more information about using DLP policies, see Overview of data loss prevention.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), include users, and exclude users in the Microsoft Purview compliance portal.

Data loss prevention (DLP) policy tips for Outlook for Microsoft 365

For advanced DLP policy tip support, which makes additional DLP conditions, advanced classifiers, oversharing dialog, and more available, these licenses are required for each scoped user:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/F5/G5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection & Governance

For more information, see Data loss prevention policy tip reference for Outlook for Microsoft 365.

Learn more

For more information, see Learn about data loss prevention.

Microsoft Purview Data Loss Prevention Graph APIs for Teams Data Loss Prevention (DLP) and for Teams Export

These APIs let developers build Security and Compliance apps that can "listen" to Microsoft Teams messages in near-real time or export Teams messages from 1:1/group chats or Teams channels. These APIs enable DLP and other Information Protection and Governance scenarios for both customers and ISVs. Additionally, the Microsoft Graph Patch API allows DLP actions to be applied to Teams messages.

Data loss prevention (DLP) capabilities are widely used in Microsoft Teams, particularly as organizations have shifted to remote work. If your organization has DLP, you can now define policies that prevent people from sharing sensitive information in a Microsoft Teams channel or chat session.

Information protection and governance capabilities are widely used in Microsoft Teams, particularly as organizations have shifted to remote work. With Teams Export API, data can be exported to a third-party eDiscovery or Compliance Archiving application to ensure compliance practices are met.

API access is configured at the tenant level. To enable Microsoft Graph APIs for Teams DLP, the "Microsoft Communications DLP" service must be selected under one of the above licenses in the Microsoft 365 Administration portal.

Feature Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/F5/G5 Compliance and Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/F5/G5 Information Protection and Governance Office 365 E5/A5/G5
Purview Data Loss Prevention Graph APIs for Teams Data Loss Prevention (DLP) and for Teams Export Yes

For more information on the seeded capacity and consumption fees, see Graph requirements for accessing chat messages.

Microsoft Purview Data Loss Prevention (DLP) for Microsoft 365 Copilot

In Microsoft Purview, organizations can implement data loss prevention by defining and applying DLP policies. With a DLP policy, admins can identify, monitor, and automatically protect sensitive items across different locations. DLP for Microsoft 365 Copilot as a location allows organizations to identify sensitive content based on sensitivity labels and exclude it from Copilot processing.

Using the Microsoft Purview portal, admins can configure DLP policies and scope Microsoft 365 Copilot as a location. Learn more about Microsoft 365 Copilot as a policy location.

Feature | Microsoft 365 E5/A5, Microsoft 365 E5/A5/F5 Compliance and F5 Security & Compliance, Microsoft 365 E5/A5/F5 Information Protection and Governance | Office 365 E5/A5
Purview Data Loss Prevention (DLP) for Copilot | Yes | Yes

Microsoft Purview eDiscovery

eDiscovery (Standard) enables you to create eDiscovery cases and assign eDiscovery managers to specific cases. eDiscovery managers can only access the cases of which they're members. eDiscovery (Standard) also lets you associate searches and exports with a case and lets you place an eDiscovery hold on content locations relevant to the case.

eDiscovery (Premium) provides an end-to-end workflow to preserve, collect, analyze, review, and export content that's responsive to your organization's internal and external investigations. It also lets legal teams manage the entire legal hold notification workflow to communicate with custodians involved in a case.

In Microsoft Purview eDiscovery, a custodian refers to the individual whose content is subject to search, hold, or review as part of a legal, regulatory, or investigative process. A custodian is typically an employee or user whose data (e.g., email, documents, Teams messages) may be relevant to the matter under investigation. This is distinct from the IT administrators or compliance officers who perform searches or manage eDiscovery cases. Licensing requirements apply both to custodians (whose data is preserved or reviewed) and to users performing eDiscovery activities, as defined in the Microsoft Purview licensing terms.

By default, eDiscovery features are enabled at the tenant level for all users within the tenant when admins assign eDiscovery permissions in the Microsoft Purview compliance portal.

Though some tenant services aren't currently capable of limiting benefits to specific users, appropriate subscription licenses are required for use of each online service. To review the terms and conditions governing the use of Microsoft products and Professional Services acquired through Microsoft Licensing programs, see the Product Terms.

Here are examples of users in your organization benefiting from the service:

  • Custodians (any users) that are part of a case that's placed on hold or who are custodians of data sources that are part of a Search, Collection, or Review set.
  • Owners and members of a SharePoint site that is on hold or contains content that is part of a Search, Collection, or Review set.
  • Owners of Exchange mailboxes that are placed on hold or contain content that is part of a Search, Collection, or Review set.
  • Owners and members of Teams chats, channels or private channels that are placed on hold or contain content that is part of a Search, Collection, or Review set.

Feature Microsoft 365 E5 + Microsoft 365 Copilot Microsoft 365 E3 + Microsoft 365 Copilot Microsoft 365 Purview Suite + Copilot 1 Microsoft 365 E5 eDiscovery & Audit + Copilot 1 E5/A5/F5/G5, Microsoft 365 E5/A5/F5/G5 Compliance, Microsoft 365 E5/A5/F5/G5 eDiscovery and Audit, Office 365 E5/A5/G5 Microsoft Office 365 E3/A3/G3/F3
eDiscovery (Premium) Yes No Yes Yes No
Premium search for Copilot interactions Yes No Yes No No
eDiscovery content search, legal hold, export search results for Copilot interactions Yes Yes Yes No No
eDiscovery (Standard) for sites and files Yes Yes Yes Yes Yes
eDiscovery (Standard) for email Yes Yes Yes Yes Yes

1 Requires Microsoft 365 E3.

For more information about eDiscovery, check out the following resources:

Microsoft Purview Information Barriers

Information Barriers are policies that an admin can configure to prevent individuals or groups from communicating with each other. This is useful if, for example, one department is handling information that shouldn't be shared with other departments, or a group needs to be prevented from communicating with outside contacts. Information barrier policies also prevent lookups and discovery. This means that if you attempt to communicate with someone you shouldn't be communicating with, you won't find that user in the people picker.

Users benefit from the advanced compliance capabilities of information barriers when they're restricted from communicating with others. Information barrier policies can be defined to prevent a certain segment of users from communicating with each other, or to allow specific segments to communicate only with certain other segments. For more information on defining information barrier policies, see Define information barrier (IB) policies. When defining an IB policy (Block or Allow), users belonging to segments defined under "Assigned Segments" require licenses.

For more information about information barriers, see Learn about information barriers | Microsoft Learn.

Microsoft Purview Information Protection

This feature lets SharePoint Online document library owners set a new type of protection label on document libraries. This protection label is applied automatically to all unlabeled files or files that don’t have an existing label-based protection applied.

When files with these labels are downloaded from SharePoint Online, protection is applied. Only users authorized to view the file in SharePoint Online will be able to view the downloaded file. Further, if the user’s permissions are removed from the document or document library, the downloaded copy becomes inaccessible.

Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/F5/G5 Compliance and Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/F5/G5 Information Protection and Governance, and SharePoint Advanced Management
Configure SharePoint with a sensitivity label to extend permissions to downloaded documents | Yes

For more information, see Configure SharePoint with a sensitivity label to extend permissions to downloaded documents | Microsoft Learn.

Microsoft Purview Information Protection Advanced Message Encryption

Microsoft Purview Advanced Message Encryption helps customers meet compliance obligations that require more flexible controls over external recipients and their access to encrypted emails. With Purview Advanced Message Encryption, admins can control sensitive emails shared outside the organization by using automatic policies that can detect sensitive information types (for example, personally identifying information, or financial or health IDs), or they can use keywords to enhance protection by applying custom email templates and expiring access to encrypted emails through a secure web portal. Additionally, admins can further control encrypted emails accessed externally through a secure web portal by revoking access at any time. Message senders benefit from the added control over sensitive emails provided by Advanced Message Encryption. Admins create and manage Advanced Message Encryption policies in the Exchange admin center under Mail flow > Rules. By default, these rules apply to all users in the tenant. For more information about setting up new Message Encryption capabilities, see Set up new Office 365 Message Encryption capabilities.

Feature availability

Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 E5/A5/F5/G5 Information Protection and Governance | Office 365 E5/A5/G5
Advanced Message Encryption | Yes | Yes

Microsoft Purview Information Protection Customer Key

With Customer Key (formerly named Customer Key for Microsoft 365), you control your organization's encryption keys and configure Microsoft 365 to use them to encrypt your data at rest in Microsoft data centers. In other words, Customer Key allows you to add a layer of encryption that belongs to you, using your own keys. Customer Key provides data-at-rest encryption support for multiple Microsoft 365 workloads through Microsoft 365 Data-At-Rest Encryption Service. In addition, Customer Key provides encryption for SharePoint Online and OneDrive for Business data as well as Exchange Online mailbox level encryption.

Users benefit from Customer Key by having their data at rest encrypted at the application layer using encryption keys that are provided, controlled, and managed by their own organization.

The Microsoft 365 data-at-rest service that provides multi-workload encryption support is a tenant-level service. Although some unlicensed users may technically be able to access the service, a license is required for any user that you intend to benefit from the service. For Exchange Online mailbox-level encryption, the user mailbox needs to be licensed to assign a data encryption policy.

The following table lists Customer Key availability across plans. The Set up Customer Key article describes the steps you need to follow to create and configure the required Azure resources and then provides the steps for setting up Customer Key.

Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/F5/G5 Compliance, Microsoft 365 E5/A5/F5/G5 Information Protection and Governance | Office 365 E5/A5/G5
Customer Key | Yes | Yes

To enable Customer Key within your tenant: Set up Customer Key - Microsoft Purview | Microsoft Learn

Availability Key uses in Customer Key: Learn about the availability key for Customer Key - Microsoft Purview | Microsoft Learn

Manage your Customer Key configuration: Manage Customer Key - Microsoft Purview | Microsoft Learn

Microsoft Purview Information Protection: Data classification analytics: Overview, Content Explorer & Activity Explorer

Data classification analytics capabilities are available within the Microsoft Purview compliance portal. Overview shows the locations of digital content and the most common sensitive information types and labels present. Content Explorer provides visibility into the amount and types of sensitive data and allows users to filter by label or sensitivity type to get a detailed view of the locations where the sensitive data is stored. Activity Explorer shows activities related to sensitive data and labels, such as label downgrades or external sharing that could expose your content to risk.

Activity Explorer provides a single pane of glass for admins to get visibility into activities related to sensitive information that end users are working with. These data include label activities, data loss prevention (DLP) logs, auto-labeling, Endpoint DLP, and more.

Content Explorer provides admins the ability to index the sensitive documents that are stored within supported Microsoft 365 workloads and identify the sensitive information that they're storing. In addition, Content Explorer helps identify documents that are classified with sensitivity and retention labels.

Information protection and compliance admins can access the service to get access to these logs and indexed data to understand where sensitive data are stored, and which activities are related to this data and performed by end users.

Feature availability

| Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 E5/A5/G5 Information Protection & Governance | Office 365 E5 |
|---|---|---|
| Data classification analytics | Yes | Yes |

| Feature | Microsoft 365 E3/A3/G3 | Office 365 E3/A3/G3 |
|---|---|---|
| Content Explorer data aggregation | Yes | Yes |

Microsoft Purview Information Protection Double Key Encryption

Double Key Encryption (formerly named Double Key Encryption for Microsoft 365) lets you protect your highly sensitive data to meet specialized requirements and maintain full control of your encryption key. Double Key Encryption uses two keys to protect your data: one key is in your control and the second key is stored securely by Microsoft Azure. To view the data, you must have access to both keys. Because Microsoft can access only one of the two keys, your key, and therefore your data, remain unavailable to Microsoft, ensuring that you have full control over the privacy and security of your data.

Users benefit from Double Key Encryption by being able to migrate their encrypted data to the cloud, which prevents third-party access as long as the key remains in the users' control. Users can protect and consume Double Key Encrypted content in the same way as any other content protected by a sensitivity label.
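The two-key property described above, as an added illustration that is not Microsoft's DKE implementation: a stdlib-only Python sketch in which each document's content key is wrapped first under a customer-held key and then under an Azure-held key, so a party holding only one of the two keys cannot recover the content key. The HMAC-based cipher and the two raw symmetric keys are assumptions made to keep the sketch self-contained; real DKE uses the customer's DKE service key pair together with Azure RMS protection.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Domain-separate the encryption and MAC keys derived from one secret.
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES).
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output layout is nonce || ciphertext || tag.
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time before decrypting anything.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def protect(customer_key: bytes, azure_key: bytes, data: bytes) -> dict:
    # Fresh content key per document, wrapped under the customer key and then
    # under the Azure-held key: unwrapping needs both key holders.
    cek = secrets.token_bytes(32)
    return {"body": seal(cek, data),
            "wrapped_cek": seal(azure_key, seal(customer_key, cek))}

def unprotect(customer_key: bytes, azure_key: bytes, envelope: dict) -> bytes:
    # Peel the Azure layer, then the customer layer, then decrypt the body.
    cek = open_sealed(customer_key, open_sealed(azure_key, envelope["wrapped_cek"]))
    return open_sealed(cek, envelope["body"])

if __name__ == "__main__":  # constructed demo keys, not real DKE or Azure RMS keys
    customer, azure = secrets.token_bytes(32), secrets.token_bytes(32)
    env = protect(customer, azure, b"board minutes - highly confidential")
    print(unprotect(customer, azure, env))
```

Removing either key from the call to unprotect, or flipping one ciphertext byte, fails closed with a ValueError rather than returning partial plaintext.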

| Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/F5/G5 Compliance and Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/F5/G5 Information Protection and Governance | EMS E5 |
|---|---|---|
| Double Key Encryption | Yes | Yes |

To assign encryption keys to data within an Office 365 and/or Microsoft 365 organization for licensed users, follow the Double Key Encryption deployment instructions at https://aka.ms/dke.

Microsoft Purview Information Protection Message Encryption

Microsoft Purview Message Encryption is a service built on Azure Rights Management (Azure RMS) that lets you send encrypted email to people inside or outside your organization, regardless of the destination email address (Gmail, Yahoo! Mail, Outlook.com, etc.).

To view encrypted messages, recipients can either get a one-time passcode and sign in with a Microsoft account, or sign in with a work or school account associated with Office 365. Recipients can also send encrypted replies. They don't need a subscription to view encrypted messages or send encrypted replies.

Message senders benefit from the added control over sensitive emails provided by Office 365 Message Encryption.

Feature availability

| Feature | Microsoft 365 F3/E3/A3/G3/E5/A5/G5 and Microsoft Business Premium | Office 365 A1/E3/A3/G3/E5/A5/G5 ¹ |
|---|---|---|
| Message Encryption | Yes | Yes |

¹ Azure Information Protection Plan 1 also provides the rights for an organization to benefit from Office 365 Message Encryption when added to the following plans: Exchange Online Kiosk, Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F3, Microsoft 365 Business Basic, Microsoft 365 Business Standard, or Office 365 Enterprise E1.

Microsoft Purview Information Protection sensitivity labeling

Information Protection helps organizations discover, classify, label, and protect sensitive documents, emails and meetings, and groups and sites. Admins can define rules and conditions to apply labels automatically, users can apply labels manually, or a combination of the two can be used, in which users are given recommendations on which labels to apply.

Users benefit by having the ability to create, manually apply or automatically apply sensitivity labels, and consume content that has sensitivity labels applied.

By default, Information Protection features are enabled at the tenant level for all users within the tenant. This means the administrator who creates and manages Information Protection features must hold the appropriate license from the following subscription plans to configure the functionality. Similarly, end users also need the appropriate licenses to use the functionality in their respective client applications. For more information, see Create and configure sensitivity labels and their policies or Apply a sensitivity label to content automatically.

| Feature | Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium | OneDrive for Business (Plan 2) | Enterprise Mobility + Security E3/E5 | Office 365 E5/A5/E3/A3 | AIP Plan 1, AIP Plan 2 |
|---|---|---|---|---|---|
| Manual Sensitivity Labeling | Yes | Yes | Yes | Yes | Yes |

| Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/F5/G5 Information Protection and Governance | Office 365 E5/A5 |
|---|---|---|
| Manual Sensitivity Labeling for scheduled meetings | Yes | Yes |

| Feature | Microsoft 365 E5/A5/G5 + Teams Premium, Microsoft 365 E5/A5/G5/F5 Compliance + Teams Premium, Microsoft 365 F5 Security & Compliance + Teams Premium, Microsoft 365 E5/A5/F5/G5 Information Protection and Governance | Office 365 E5/A5 + Teams Premium |
|---|---|---|
| Manual Sensitivity Labeling for Teams online meetings | Yes | Yes |

| Feature | Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium + Microsoft 365 Copilot | OneDrive for Business (Plan 2) + Microsoft 365 Copilot | Enterprise Mobility + Security E3/E5 + Microsoft 365 Copilot | Office 365 E5/A5/E3/A3 + Microsoft 365 Copilot | AIP Plan 1, AIP Plan 2 + Microsoft 365 Copilot |
|---|---|---|---|---|---|
| Inheriting labels from input to output for Microsoft 365 | Yes | Yes | Yes | Yes | Yes |

| Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/F5/G5 Compliance, Microsoft 365 F5 Security & Compliance, Microsoft 365 E5 Information Protection and Governance | Office 365 E5/A5/G5 |
|---|---|---|
| Client and service-side automatic sensitivity labeling | Yes | Yes |

| Feature | Enterprise Mobility + Security E5/A5/G5 |
|---|---|
| Client-side automatic sensitivity labeling only | Yes |

| Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/F5/G5 Compliance, Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/G5 Information Protection and Governance | Office 365 E5/A5/G5 | Enterprise Mobility + Security E5/A5/G5 |
|---|---|---|---|
| Client-side labeling to automatically apply pre-configured S/MIME protection in Outlook | Yes | Yes | Yes |

| Feature | Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium | Enterprise Mobility + Security E3/E5 |
|---|---|---|
| Apply and view sensitivity labels in Power BI, and protect data when it's exported from Power BI to Excel, PowerPoint, or PDF | Yes | Yes |

| Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security and Compliance, Microsoft 365 E5/A5/G5/F5 Information Protection and Governance | Office 365 E5/A5/G5 |
|---|---|---|
| Apply default sensitivity labeling for SharePoint document libraries | Yes | Yes |

| Feature | Microsoft 365 E5/A5/G5, Microsoft 365 A5/E5/F5/G5 Information Protection and Governance | Office 365 E5/A5/G5 |
|---|---|---|
| Apply conditional access policies via authentication context to SharePoint sites using sensitivity labels | Yes | Yes |

| Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/G5/F5 Compliance, Microsoft 365 F5 Security and Compliance, Microsoft 365 E5 Information Protection and Governance | Office 365 E5/A5/G5 |
|---|---|---|
| Configure dynamic watermarking for sensitivity labels | Yes | Yes |

For information on how a user can benefit from the AIPService PowerShell module to administer the Azure Rights Management protection service for Azure Information Protection, see Information Protection.

For information on how to create and publish sensitivity labels, see.

When using the Microsoft Purview information protection scanner (formerly known as the AIP scanner, now accessible via the Microsoft Purview compliance portal), policies can be scoped to specific groups or users, and registry settings can be edited to prevent unlicensed users from running classification or labeling features.

Note

You can also apply conditional access policies via authentication context to SharePoint sites directly with the Set-SPOSite PowerShell cmdlet; the following licenses provide user rights for this:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/F5 Compliance
  • Microsoft 365 E5 Information Protection and Governance
  • Office 365 E5/A5/G5
  • Microsoft Syntex - SharePoint Advanced Management

Note

In addition to the licensing information above:

  • A standard/Plan 1 license must be assigned in addition to the premium/P2 license for users to have access to sensitivity labeling for Information Protection for Office 365 and AIP, even if the premium licenses/Plan 2 are assigned. For example, if Information Protection for Office 365 Premium is assigned to a user, that user must also have Information Protection for Office 365 Standard assigned for sensitivity labeling to be available. And if AIP P2 is assigned to a user, that user must also have AIP P1 assigned.
  • Power BI is included with Microsoft 365 E5/A5/G5; in all other plans, Power BI must be licensed separately.
  • For user benefit information regarding automatic classification based on Machine Learning (trainable classifiers), see Data Lifecycle Management and/or Records Management.

Microsoft Purview Insider Risk Management

Insider Risk Management (formerly named Microsoft 365 Insider Risk Management) is a solution that helps minimize internal risks by letting you detect, investigate, and take action on risky activities in your organization.

Custom policies allow you to detect and take action on malicious and inadvertently risky activities in your organization, including escalating cases to Microsoft Purview eDiscovery (Premium) (formerly named Microsoft Advanced eDiscovery), if needed. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Users benefit by having their activities monitored for risk. Insider Risk Management policies must be created in the Microsoft Purview compliance portal and assigned to users.

| Feature | Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 E5/A5/F5/G5 Insider Risk Management |
|---|---|
| Insider Risk Management | Yes |

For more information, see Get started with insider risk management.

Microsoft Purview Insider Risk Management Forensic Evidence

Forensic evidence is an opt-in, capacity add-on feature in Microsoft Purview Insider Risk Management that gives security teams visual insights into potential insider data security incidents, with user privacy built in.

Customers can purchase the forensic evidence add-on in units of 100 GB per month. The purchased capacity is metered based on forensic evidence ingestion at the tenant level for the users scoped in the forensic evidence policies configured by admins.

Customers can access the service in the Microsoft Purview compliance portal.

You can learn more about forensic evidence in our technical documentation.

Messaging

To stay informed of upcoming changes, including new and changed features, planned maintenance, or other important announcements, visit the Message Center. For more information, see Message center.

Licensing terms

For licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the Product Terms site.

Accessibility

Microsoft remains committed to the security of your data and the accessibility of our services. For more information, see the Microsoft Trust Center and the Office Accessibility Center.