Microsoft 365

Microsoft Purview for SMEs: email archiving, DLP and retention policies without a compliance department

By Zarioh Digital Solutions · 6 min read

Most SMEs are already paying for Microsoft Purview through their Microsoft 365 subscription but rarely use it. Email archiving, data loss prevention and retention policies are not a luxury for large enterprises — they are achievable and necessary for any organisation handling customer data, contracts or personal information.

When an employee returns a company laptop or a client engagement ends, years of email and documents sometimes disappear along with them. Or conversely: a departing employee emails customer data to their personal address. Or a data breach hits the organisation and there is no audit trail available to understand exactly what happened.

These are scenarios that affect SMEs every day, yet most organisations have no technical answer to them — even though that answer is already available, included in the Microsoft 365 licence they are already paying for: Microsoft Purview.

What is Microsoft Purview?

Microsoft Purview is the umbrella name for the compliance and information governance tools in Microsoft 365. It includes email archiving via Exchange Online Archiving, retention policies for email and documents, data loss prevention (DLP), sensitivity labels for documents, and audit and search capabilities for legal and compliance purposes.

Purview is not a separate product you need to purchase. The core features are available in Microsoft 365 Business Basic, Standard and Premium. More advanced features such as Purview Information Protection and Insider Risk Management are available in E3 and E5 licences and as add-ons for Business plans. Most SMEs can go a long way with what is already available in their current licence.

Email archiving: never lose evidence again

Exchange Online Archiving adds a separate archive mailbox to every user. Emails older than a configured period are automatically moved to this archive, which is stored separately and remains fully searchable. The archive is invisible to end users who do not need it but fully searchable by IT administrators and compliance officers.

Why does this matter? First, for legal protection. If an employment dispute, complaint procedure or regulatory inspection ever occurs, you can demonstrate what was communicated and when. Second, for GDPR compliance: you maintain a demonstrable record of which personal data has been processed via email. Third, for operational continuity: when an employee leaves and their mailbox is closed, the business communication is preserved.

The setup is straightforward. In the Microsoft Purview portal, you enable archiving per user or for the entire organisation. You then configure a retention policy that determines how long emails are kept. For most sectors, seven years is a standard period aligned with statutory record-keeping obligations.
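The same rollout can be scripted instead of clicked through. The following is an added example, not part of the article, using Exchange Online PowerShell (ExchangeOnlineManagement module) with an Exchange administrator account; it assumes you want an archive mailbox on every user mailbox that does not have one yet and leaves shared and room mailboxes alone.

```powershell
# Added example: enable Exchange Online Archiving for all user mailboxes that lack it.
# Requires: Install-Module ExchangeOnlineManagement, and an Exchange admin account.
Connect-ExchangeOnline

# Only user mailboxes; 'Archive' property set includes ArchiveStatus without pulling every attribute.
$noArchive = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -PropertySets Archive |
    Where-Object { $_.ArchiveStatus -ne 'Active' }

Write-Host "Mailboxes without an archive: $($noArchive.Count)"

foreach ($mbx in $noArchive) {
    # Enable-Mailbox -Archive provisions the separate archive mailbox for this user.
    Enable-Mailbox -Identity $mbx.UserPrincipalName -Archive | Out-Null
    Write-Host "Archive enabled for $($mbx.UserPrincipalName)"
}

# Verification pass: every user mailbox should now report ArchiveStatus = Active.
# Provisioning is asynchronous, so a few may still show 'None' for some minutes.
Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -PropertySets Archive |
    Select-Object UserPrincipalName, ArchiveStatus |
    Sort-Object ArchiveStatus |
    Format-Table -AutoSize
```

Enabling the archive only creates the mailbox; how long mail is kept is governed by the retention policy described in the next section, not by this step.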

Retention policies: knowing what is kept and what is deleted

Retention policies go beyond email. In Purview, you can create policies for SharePoint documents, Teams messages, OneDrive files and Yammer posts. For each type of content, you define whether it must be retained for a minimum period, automatically deleted after a set time, or manually reviewed before deletion.

For an SME, two basic policy types add value. The first is a preservation policy for business-critical documents. Contracts, invoices, quotations and client correspondence must be retained for at least seven years under Dutch and EU legislation. A retention policy in Purview ensures these documents are not accidentally deleted, even if the employee who created them left long ago.

The second type is a deletion policy for privacy-sensitive communications. Not all data needs to be kept forever. Deleting HR-related emails after five years, clearing temporary project files after two years: a clear deletion policy reduces exposure in the event of a breach, because data that no longer exists cannot be stolen.
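Both policy types can be created from Security & Compliance PowerShell. This is an added example, not from the article: a seven-year preservation policy across Exchange, SharePoint and OneDrive, plus a two-year deletion policy scoped to one project site. The site URL and policy names are placeholders.

```powershell
# Added example: one "keep" policy and one "delete" policy in Microsoft Purview.
# Requires the ExchangeOnlineManagement module and a Compliance Administrator role.
Connect-IPPSSession

$projectSite = "https://contoso.sharepoint.com/sites/projects"   # placeholder URL

# Policy 1: retain business records for seven years (7 x 365 = 2555 days).
# The project site is excluded so the deletion policy below can actually take effect there;
# when a keep and a delete policy overlap, retention always wins until the keep period ends.
New-RetentionCompliancePolicy -Name "Keep 7 years - business records" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -SharePointLocationException $projectSite -Enabled $true

New-RetentionComplianceRule -Name "Keep 7 years" -Policy "Keep 7 years - business records" `
    -RetentionDuration 2555 -RetentionComplianceAction Keep -ExpirationDateOption CreationAgeInDays

# Policy 2: delete temporary project material two years after it was last modified.
New-RetentionCompliancePolicy -Name "Delete after 2 years - project site" `
    -SharePointLocation $projectSite -Enabled $true

New-RetentionComplianceRule -Name "Delete after 2 years" -Policy "Delete after 2 years - project site" `
    -RetentionDuration 730 -RetentionComplianceAction Delete -ExpirationDateOption ModificationAgeInDays

# Check both policies were created and are being distributed to the workloads.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus |
    Format-Table -AutoSize
```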

Data loss prevention: data that must not leave the organisation

DLP policies in Purview detect sensitive information in emails, files and Teams messages, and can act automatically. Consider an email containing a social security number, an IBAN or a large number of email addresses being sent to an external address. Purview can block that email, warn the sender, allow delivery but log it, or send an alert to the compliance officer.

Purview contains built-in detection templates for dozens of types of sensitive information, including Dutch citizen service numbers, EU payment card data, IBAN numbers, passport numbers and medical information. You can also define custom patterns, such as your internal order numbers or client reference codes.

A practical starting point for SMEs is a DLP policy that flags emails whose attachment contains more than ten email addresses and asks the sender to confirm that the message was sent intentionally. This simple policy catches one of the most common data leak scenarios: accidentally forwarding a customer list. Most organisations start with the policy in 'test mode', where violations are logged but not yet blocked. This allows you to understand your organisation's behavioural patterns before enforcing the policy.
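Here is what the test-mode-first approach looks like in Security & Compliance PowerShell, as an added example that is not part of the article. It creates one outbound mail policy for citizen service numbers and IBANs, notifies the sender, reports to a compliance mailbox, and is later switched to enforcement. The mailbox address is a placeholder; the built-in sensitive information type names are looked up first because they must match exactly.

```powershell
# Added example: DLP policy for BSN and IBAN in outbound email, test mode first.
Connect-IPPSSession

# Confirm the exact built-in type names in your tenant before referencing them.
Get-DlpSensitiveInformationType |
    Where-Object { $_.Name -match 'BSN|IBAN' } |
    Select-Object Name

$policyName = "Outbound personal data"
$reportTo   = "compliance@contoso.example"   # placeholder mailbox

# TestWithNotifications: matches are logged and the sender sees a policy tip, nothing is blocked.
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode TestWithNotifications

New-DlpComplianceRule -Name "BSN or IBAN to external recipients" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Netherlands Citizen's Service (BSN) Number";   minCount = "1" },
        @{ Name = "International Banking Account Number (IBAN)"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -BlockAccess $true `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Detections, Sender, Recipients, Subject

# Two weeks later, once the incident reports show no false positives you cannot live with:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Because the policy is in test mode, BlockAccess is recorded as "would have blocked" in the reports rather than applied; only the final Set-DlpCompliancePolicy line turns it into real enforcement.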

Sensitivity labels: protection that follows the document

Sensitivity labels are markers attached to documents and emails that enforce security settings regardless of where the file ends up. A document labelled 'Confidential' can be configured so that it cannot be printed or forwarded outside the organisation and is automatically encrypted. If the document ends up on a USB stick, unsecured cloud storage or a personal laptop, the encryption remains active.

For SMEs, the recommended approach is to start with three labels. 'Internal' for standard business documents, 'Confidential' for customer data, contracts and financial documents, and 'Strictly Confidential' for executive information, merger and acquisition documents or personnel files. Labels can be applied by users themselves, automatically based on document content, or mandated for specific document types.
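The three-label scheme above, created and published with Security & Compliance PowerShell. This is an added example, not the article's own configuration: 'Internal' is a visual marker only, 'Confidential' encrypts to the organisation's own domain without the print right, and 'Strictly Confidential' encrypts to a management group. The domain and group address are placeholders.

```powershell
# Added example: three sensitivity labels and one label policy publishing them to everyone.
Connect-IPPSSession

$orgDomain  = "contoso.example"               # placeholder: your tenant's primary domain
$mgmtGroup  = "management@contoso.example"    # placeholder: mail-enabled group for executives

# 1) Internal: no encryption, just a label users can see and reports can filter on.
New-Label -Name "Internal" -DisplayName "Internal" -Tooltip "Standard business documents"

# 2) Confidential: readable only by accounts in our own domain. Rights deliberately omit
#    PRINT and FORWARD, so a copy on a USB stick or personal laptop stays encrypted and unprintable.
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Customer data, contracts and financial documents" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "${orgDomain}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,EXTRACT,REPLY,REPLYALL,OBJMODEL" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never -EncryptionOfflineAccessDays 7

# 3) Strictly Confidential: only the management group; shorter offline access window.
New-Label -Name "Strictly Confidential" -DisplayName "Strictly Confidential" `
    -Tooltip "Executive information, M&A and personnel files" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "${mgmtGroup}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,REPLY,REPLYALL" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never -EncryptionOfflineAccessDays 1

# Publish all three to every user and require a justification when someone lowers a label.
New-LabelPolicy -Name "SME default labels" `
    -Labels "Internal", "Confidential", "Strictly Confidential" `
    -ExchangeLocation All `
    -AdvancedSettings @{ RequireDowngradeJustification = "true" }

# Verify what was created.
Get-Label | Select-Object DisplayName, EncryptionEnabled | Format-Table -AutoSize
```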

Audit log: what happened and when?

Purview maintains a detailed audit log of activity in Microsoft 365: who opened which file, who forwarded an email, who deleted a document, who signed in from which country. This log is searchable and can be exported for incident investigation or auditor review.

The audit log is not only useful when incidents occur. It also provides insight into behavioural patterns: who is downloading an unusually large number of files before leaving? Which employees regularly send attachments to external addresses? These are signals that Insider Risk Management analyses further in higher licence tiers.
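Even without Insider Risk Management, the bulk-download signal mentioned above can be pulled from the unified audit log by hand. The following is an added example, not from the article: it checks that auditing is on, counts file downloads per user over the last 30 days, and lists anyone above a constructed threshold of 500. It assumes Exchange Online PowerShell and the View-Only Audit Logs role.

```powershell
# Added example: confirm audit logging is enabled and look for unusual download volumes.
Connect-ExchangeOnline

# 1) Is the unified audit log ingesting events for this tenant?
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log is OFF. Enable it with:"
    Write-Warning "  Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}

# 2) Pull SharePoint/OneDrive download events for the last 30 days.
#    ResultSize tops out at 5000 per call; for larger tenants page with -SessionCommand ReturnLargeSet.
$end    = Get-Date
$start  = $end.AddDays(-30)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations FileDownloaded -ResultSize 5000

# 3) Each record carries a JSON blob in AuditData; parse it and count per user.
$threshold = 500   # constructed threshold; tune to your own baseline
$perUser = $events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object UserId |
    Sort-Object Count -Descending

$perUser | Select-Object Count, @{ n = 'User'; e = { $_.Name } } -First 10 | Format-Table -AutoSize

$perUser | Where-Object { $_.Count -gt $threshold } | ForEach-Object {
    Write-Warning "$($_.Name) downloaded $($_.Count) files in 30 days - review before offboarding."
}

# 4) Optional, needs a Purview Audit (Premium) licence: keep these records for a year instead of the default.
# New-UnifiedAuditLogRetentionPolicy -Name "Keep file and mail audit 12 months" `
#     -RecordTypes SharePointFileOperation, ExchangeItem -RetentionDuration TwelveMonths -Priority 1
```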

How to get started with Purview without a compliance department

Five steps that every SME can complete in the next six weeks. First, enable email archiving for all users and set a default retention period of seven years. This takes thirty minutes and pays for itself immediately.

Second, create a retention policy for SharePoint and OneDrive with the same seven years for business documents and two years for project folders and temporary files. Third, activate the audit log if it is not already enabled. The log retains 90 days of data by default; extend this to at least one year with a Purview Audit licence.

Fourth, introduce a DLP policy in test mode for the most obvious scenarios: citizen service numbers, IBAN numbers and large volumes of email addresses in outbound email. Review the test results after two weeks and activate enforcement. Fifth, define three sensitivity labels and train employees who work with customer data in correctly labelling documents.

Purview is not a one-time project but an ongoing management process. Once you start, you quickly discover that it not only reduces risk but also provides operational visibility that was previously missing. Want help setting up Purview in your Microsoft 365 environment or drafting a tailored retention and DLP policy? Contact Zarioh for a no-obligation conversation.


Zarioh Digital Solutions

IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice. Follow us on LinkedIn
