Foundation & Governance

This section establishes the strategic and technical foundation for your Purview implementation. Complete this section first before moving to Classification.

Leadership and Policy Decisions {#leadership-decisions}

Objective

Establish the strategic foundation for your Purview implementation by documenting leadership decisions on data classification, security posture, DLP philosophy, retention strategy, AI governance, monitoring scope, and platform role assignments. These decisions directly drive all subsequent technical configuration.

**Decision Point**

This is the most critical phase of the entire implementation. The technical configuration in subsequent phases is a direct translation of the strategic decisions made here. Without clear, documented answers from leadership, the project risks being misaligned with the unique needs of a Tier 1 Research University (compliance with FERPA, HIPAA, NIST 800-171/CMMC, ITAR) and state laws (Texas Public Information Act).

Decision 1: Define the Data Classification Standard

Why It Matters: In a university environment, "one size fits all" fails. A simple corporate "Confidential" label is insufficient when you must distinguish between student records (FERPA), health data (HIPAA), and export-controlled research (ITAR). This decision defines the "Digital Price Tags" for your data, directly impacting how research is shared and protected.

Best Practice / Recommendation: Adopt a Higher Education Model that balances openness for fundamental research with strict controls for regulated data.

The Decision to be Made: Choose a classification taxonomy.

Option	Pros	Cons	Recommended For
A: Corporate Simple (e.g., `Public`, `Internal`, `Confidential`)	Simple for general staff. Fast adoption.	Fails to distinguish between types of regulated data (e.g., FERPA vs. HIPAA), making it hard to apply specific encryption rules required for grants.	Administrative departments with no research or student data handling.
B: Higher Ed & Research (e.g., `Public`, `General`, `Confidential - FERPA`, `Restricted - Research/HIPAA`)	Allows granular control: "Confidential" restricts external sharing but allows internal access; "Restricted" applies heavy encryption for CUI/ITAR. Aligns with grant requirements.	Requires training users to distinguish between "Confidential" and "Restricted."	Strongly Recommended for Texas A&M. This supports both open collaboration and strict compliance.

Decision 2: Establish the Default Security Posture

Why It Matters: Universities are collaborative by nature, but "Open by Default" creates massive liability. With the rise of AI (Copilot) and ransomware, a permissive environment allows threats to spread laterally. This decision determines if new SharePoint sites and Teams are "fortresses" or "public squares."

Best Practice / Recommendation: Adopt a Balanced Default. While "Secure by Default" is ideal for corporate, it can stifle academic collaboration. A balanced approach protects identity but allows controlled collaboration.

The Decision to be Made: Define your baseline security settings.

Option	Pros	Cons	Recommended For
A: Permissive (Open) (Sharing: "Anyone" links allowed; Default Label: None)	Zero friction for faculty collaboration.	High risk of data leaks (e.g., Student UINs exposed). AI tools will surface sensitive data to unauthorized users.	Not Recommended. Creates unacceptable risk for a state institution.
B: Balanced (Identity-Based) (Sharing: "New/existing guests"; Default Label: "General")	Requires authentication for all access (no anonymous links). Allows external collaboration with peers.	Users must invite collaborators explicitly.	Recommended. Balances the need for global research collaboration with the requirement to audit access.
C: Restrictive (Fortress) (Sharing: "Internal only"; Default Label: "Restricted")	Maximum security. Aligns with NIST 800-171.	Breaks fundamental research workflows. Faculty will move data to non-approved IT (Shadow IT) to get work done.	Only for specific Secure Enclaves handling CUI/ITAR data.

Decision 3: Determine the Data Loss Prevention (DLP) Philosophy

Why It Matters: Faculty often share large datasets. If a DLP policy blocks a legitimate grant proposal because it "looks like" PII, IT becomes the enemy. Conversely, failing to block SSN exfiltration is negligence.

Best Practice / Recommendation: Warn with Override. This approach respects the user's intent while creating an immutable audit trail.

The Decision to be Made: Choose an enforcement model.

Option	Pros	Cons	Recommended For
A: Strict Block	Zero tolerance for data egress.	High false positives will disrupt grant applications and faculty work.	Only for SSNs and Credit Card Numbers.
B: Warn with Override	Educates users ("Did you mean to send this?"). Allows legitimate business/research to proceed. Logs the justification for audit.	Relies on user honesty.	Recommended for most data types (FERPA, Intellectual Property).

Decision 4: Define Retention & Records Strategy

Why It Matters: As a state entity, Texas A&M is subject to the Texas Public Information Act (FOIA) and State Records Retention schedules. Keeping everything forever ("Digital Hoarding") makes FOIA requests expensive and exposes the university to liability. Deleting too soon violates state law.

Best Practice / Recommendation: Automated Lifecycle. Differentiate between "transient" communication and "official" records.

The Decision to be Made: Choose a lifecycle strategy.

Option	Pros	Cons	Recommended For
A: Hoard Everything (Retain Forever)	"Safe" from accidental deletion.	Massive storage costs. Nightmare scenario for FOIA/eDiscovery search and review costs.	Not Recommended.
B: Targeted Retention (Teams Chats: 1 Year; Official Records: 7+ Years)	Reduces "noise" in legal searches. Aligns with the informal nature of Chat vs. formal Records.	Users must understand that Chat is not a filing cabinet.	Recommended. Treat Teams Chat as ephemeral (1 year) and Email/SharePoint as long-term storage (State Record retention).

Decision 5: AI & Copilot Governance Stance

Why It Matters: Microsoft Copilot respects user permissions too well. If a sensitive HR document is shared with "Everyone" (a common error), Copilot will summarize it for any student worker who asks. We must "sanitize" the environment before unleashing AI.

Best Practice / Recommendation: Restricted Content Discovery (RCD). Identify high-risk sites (HR, Legal, Dean's Offices) and strictly hide them from AI indexing.

The Decision to be Made: Choose an AI readiness posture.

Option	Pros	Cons	Recommended For
A: Open Access	Instant ROI on Copilot features.	High risk of internal data leakage (Salary data, Student grades).	Only for environments with perfect permission hygiene (Rare).
B: Restricted Discovery	Proactively hides sensitive sites from AI/Search. Prevents accidental oversharing.	Users must navigate directly to sensitive files; they won't appear in general search.	Strongly Recommended. Secure the "Crown Jewels" (HR/Legal) immediately using RCD policies.

Decision 6: Insider Risk & Communication Monitoring Scope

Why It Matters: Microsoft Purview includes powerful tools to detect insider threats (Insider Risk Management) and monitor communications for policy violations (Communication Compliance). However, these tools raise significant privacy concerns that must be addressed by leadership before deployment.

Best Practice / Recommendation: Targeted Deployment with Privacy Controls. Start with high-risk scenarios (departing employees, export-controlled research) and enable pseudonymization to protect user privacy during investigations.

The Decision to be Made: Define the monitoring scope and privacy posture.

Option	Pros	Cons	Recommended For
A: No Monitoring	Maximum privacy. No risk of misuse.	Blind to insider threats. Cannot detect data exfiltration by departing employees.	Not Recommended given regulatory requirements.
B: Targeted High-Risk	Focuses on departing users, CUI handlers, and specific policy violations. Pseudonymizes identities until escalation.	Requires HR integration for departure signals.	Recommended. Balances security with privacy expectations.
C: Broad Monitoring	Maximum visibility across all users and communications.	Privacy concerns. May create hostile environment if perceived as surveillance. Faculty governance issues.	Only for specific regulated enclaves with explicit consent.

Decision 7: Purview Platform Role Assignments

Why It Matters: Microsoft Purview has its own Role-Based Access Control (RBAC) system that is separate from Entra ID administrative roles. These Purview-specific roles control who can configure policies, investigate cases, view sensitive content, and manage compliance features.

Best Practice / Recommendation: Adopt a Functional Role Separation model where roles align to job functions. Use Privileged Identity Management (PIM) for just-in-time access to high-privilege roles.

The Decision to be Made: Define your Purview RBAC strategy and identify role holders.

Role	Capability	Typical Assignees	Privacy Consideration
`Compliance Administrator`	Full Purview access - policies, labels, DLP, retention	Compliance Lead (1-2 people max)	Can configure all policies
`Information Protection Admin`	Sensitivity labels, DLP policies, auto-labeling	Security/Compliance analysts	Cannot see content, only policy config
`eDiscovery Manager`	Case-level investigation access	Legal team members	Can see content within assigned cases
`eDiscovery Administrator`	All cases + case administration	Legal IT liaison (1-2 people)	Can access ALL eDiscovery cases
`Records Management`	Retention policies, file plans, disposition	Records Management team	Can manage lifecycle but not content
`Insider Risk Management Analyst`	IRM case investigation	HR Security liaison	Can see behavioral patterns; enable pseudonymization
`Communication Compliance Analyst`	Review flagged communications	HR/Compliance reviewers	Can read flagged messages
`Content Explorer List Viewer`	See where sensitive data exists (file names only)	Auditors, compliance staff	Cannot see actual content
`Content Explorer Content Viewer`	See actual sensitive content in Content Explorer	Limited investigators	High privilege - assign sparingly
`Audit Manager`	Search and export audit logs	Security Operations	Can see all activity logs

Critical Considerations:

Content Explorer Content Viewer grants the ability to see the actual sensitive content discovered by Purview—assign this role only to personnel with a demonstrated need
eDiscovery Administrator can access ALL cases across the organization—typically limit to 1-2 people with documented justification
Consider Privileged Identity Management (PIM) for just-in-time activation of high-privilege roles

Approach	Description	When to Use
A: Minimal	Only 2-3 people with Compliance Administrator	Small teams, limited compliance staff
B: Functional (Recommended)	Roles aligned to job functions (Legal→eDiscovery, HR→IRM, Records→Retention)	Medium to large organizations with clear separation of duties
C: Granular	Detailed role assignments with strict content viewer separation and PIM	Large organizations with strict least-privilege requirements

Tenant Preparation & Licensing {#tenant-setup}

**Decision Point**

This phase implements the Roles & Responsibilities decisions made in Phase 0, including Decision 7 (Purview Platform Role Assignments). Leadership must identify the personnel who will be assigned powerful administrative roles.

Background & Context

Think of this phase as checking the foundation of a house before you start building. For a Purview implementation, the foundation consists of three pillars:

Licensing (The "Tools"): Verify the Microsoft 365 A5 licenses are in place
Auditing (The "Security Cameras"): The Unified Audit Log is the central security camera system
Permissions (The "Keys"): Assign specific admin roles using least privilege

Prerequisites

Requirement	Minimum / Version	Notes
Role / Permission	`Global Administrator`	Required for initial role assignment only
PowerShell Module	`ExchangeOnlineManagement`	V3.0.0+ for Audit Log configuration
PowerShell Module	`Microsoft.Graph`	For Identity and Group management

Implementation Steps

Step 1 – Verify and Assign Licenses

Goal: Ensure the admin account and pilot users have the A5 license required to test advanced features.

Click-Ops (Microsoft 365 Admin Center):

Navigate to https://admin.microsoft.com
Go to Users > Active users
Select your admin account
Click the Licenses and apps tab
Verify Microsoft 365 A5 for Faculty (or Student) is checked

PowerShell (Bulk Verification):

Connect-MgGraph -Scopes User.Read.All

# Check License for a specific user
$User = Get-MgUser -UserId "admin@tamu.edu" -Property AssignedLicenses
$User.AssignedLicenses | Select-Object SkuId

# Use Get-MgSubscribedSku to map IDs to Names

Step 2 – Enable the Unified Audit Log (Premium)

Goal: Turn on the "Black Box" recorder and enable Audit (Premium) features for 1-year retention.

Click-Ops (Purview Portal):

Navigate to https://purview.microsoft.com
Select Audit in the left navigation
If you see a banner: "Start recording user and admin activity", click Start recording

PowerShell (Enable & Configure Premium):

Connect-ExchangeOnline

# Enable Root Log Ingestion
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Enable Audit Premium for all users (1-year retention)
$HighValueUsers = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"}

foreach ($User in $HighValueUsers) {
    Set-Mailbox -Identity $User.Identity -AuditEnabled $true -AuditLogAgeLimit 365.00:00:00
}

Write-Host " Audit Log Enabled with 1-Year Retention" -ForegroundColor Green

Step 3 – Assign Purview Roles (Least Privilege)

Goal: Stop using Global Admin. Assign dedicated Purview Administrator or Compliance Administrator roles.

Click-Ops (Purview Portal):

Go to Settings > Roles & scopes > Role groups
Search for Purview Administrator
Click Edit > Choose users > Add
Select your admin account

PowerShell (Microsoft Graph):

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$RoleName = "Compliance Administrator"
$UserUPN = "admin_compliance@tamu.edu"

$Role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleName'"
$User = Get-MgUser -UserId $UserUPN

New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $User.Id -RoleDefinitionId $Role.Id -DirectoryScopeId "/"

Write-Host " User $UserUPN assigned to $RoleName" -ForegroundColor Green

Step 4 – Enable Customer Lockbox (A5 Feature)

Goal: Ensure Microsoft engineers cannot access your tenant data during support requests without explicit approval.

Why It Matters for Higher Ed: When Microsoft support troubleshoots an issue, they may need to access your tenant data. Customer Lockbox ensures you maintain control—critical for FERPA and HIPAA compliance.

Click-Ops (Microsoft 365 Admin Center):

Navigate to https://admin.microsoft.com
Go to Settings > Org settings > Security & privacy
Select Customer Lockbox
Toggle Require approval for all data access requests to On
Designate approvers (senior IT staff or Compliance Officers)

Step 5 – Enable Privileged Access Management (PAM)

Goal: Implement just-in-time, just-enough access for high-risk administrative tasks.

What is PAM?

Privileged Access Management creates an additional approval layer for sensitive admin tasks. Even Global Admins must request and receive approval before executing sensitive operations.

Higher Ed Tasks to Protect with PAM:

Task	Risk	PAM Protection
eDiscovery searches	Bulk access to emails/files	Require approval before search
Mailbox export	Complete mailbox access	Time-limited export permission
Retention policy changes	Could delete evidence	Multi-approver required
Sensitivity label admin changes	Could weaken protection	Approval + audit

Click-Ops:

Navigate to https://admin.microsoft.com
Go to Settings > Org settings > Security & privacy
Select Privileged access
Click Create policy and enable privileged access
Configure Default Approval Group (e.g., PAM-Approvers@tamu.edu)

PowerShell:

Connect-ExchangeOnline

# Enable PAM at the organization level
Enable-ElevatedAccessControl -AdminGroup "PAM-Approvers@tamu.edu" -SystemAccounts @()

# Create policy for eDiscovery role
New-ElevatedAccessApprovalPolicy -Name "eDiscovery Access" `
    -Type RoleGroup `
    -RoleGroupName "eDiscovery Manager" `
    -ApprovalType AutoApproval `
    -ApproverGroup "PAM-Approvers@tamu.edu" `
    -MaxElapsedAccessTime 04:00:00

Validation Checklist

#	Validation Item	Test Method	Success Criteria
1	Audit Log Active	Check Purview Audit portal	"Start recording" banner is gone
2	Premium Configured	`Get-Mailbox <user> \| FL Audit*`	`AuditLogAgeLimit` = `365.00:00:00`
3	Role Verification	Sign in as Compliance Administrator	Can access Purview portal
4	Customer Lockbox	Check Admin Center > Org settings	Toggle shows On

Compliance Manager Setup {#compliance-manager}

What is Compliance Manager?

Compliance Manager is your compliance command center—a dashboard that tracks your organization's compliance posture against regulatory frameworks, recommends improvement actions, and provides a quantifiable Compliance Score.

Understanding Compliance Score

Score Component	Description
Microsoft-Managed	Actions Microsoft performs for you (data encryption at rest)
Customer-Managed	Actions you must configure/document (DLP policies, training)
Total Score	Combined score out of possible maximum (e.g., 650/1000 = 65%)

Step 1 – Access Compliance Manager and Review Baseline

Goal: Access Compliance Manager and understand your current baseline score.

Click-Ops:

Navigate to Compliance Manager from the Purview portal home
Review your Compliance Score (shown prominently at top)
Note the score breakdown (Microsoft-managed vs. Customer-managed)
Click on the score to drill into contributing assessments

Step 2 – Add Assessment Templates for Your Regulations

Goal: Add regulatory assessment templates relevant to higher education.

Recommended Templates for Higher Education:

Template	Regulation	Who Needs It
FERPA	Student privacy	All institutions
HIPAA	Health data	Institutions with health services
NIST 800-171	CUI protection	Institutions with DoD research
NIST CSF	Cybersecurity framework	Recommended for all
CMMC	Defense contractor requirements	DoD research institutions
GDPR	EU data protection	Institutions with EU students/partners

Click-Ops:

Navigate to Compliance Manager > Assessments
Click + Add assessment
Select Template (e.g., "FERPA Baseline")
Select Group (create a group like "Higher Education Compliance")
Review and Create assessment

A5 Includes Premium Templates

Your Microsoft 365 A5 license includes access to 3 premium assessment templates at no additional cost.

Step 3 – Assign Improvement Actions to Stakeholders

Goal: Assign improvement actions to appropriate team members.

Click-Ops:

Navigate to Compliance Manager > Improvement actions
Filter by Status: Not started and Your actions (Customer-managed)
For each high-impact action, click Assign and select appropriate user
Set Implementation status and add target completion date

Common Action Assignments:

Action Category	Assign To
Configure DLP policies	Security Team
Enable MFA	Identity Team
Document retention policies	Records Manager
Complete privacy training	HR / Training Team

Step 4 – Configure Automatic Testing

Goal: Enable continuous testing so Compliance Manager automatically detects implemented controls.

What Gets Auto-Tested:

Control	Auto-Tested?
DLP policies enabled	Yes
Sensitivity labels published	Yes
Retention policies configured	Yes
Audit logging enabled	Yes
User training completed	Manual - upload records
Written policies documented	Manual - upload documents

Track Progress Throughout Implementation

As you complete each phase in this guide, return to Compliance Manager to:

Verify your score increased
Update improvement action statuses
Upload any required evidence

Expected Score Increases:

After Classification (Labels): +100-150 points
After Discovery & DSPM: +50-100 points
After Prevention (DLP): +150-200 points

Next Steps

With your foundation in place, proceed to Classification to deploy sensitivity labels.

Continue to Classification →