Most Microsoft 365 tenants I walk into are flying blind on data.
The sensitivity labels exist. A couple of DLP policies exist. Someone once turned on Insider Risk Management because a consultant said so. And then nothing. Nobody knows what’s working, what’s exposed, or which sensitive files are sitting wide open in a SharePoint site shared with half the planet.
That’s not a security posture. That’s a guess.
The tool that finally ends the guessing is Microsoft Purview Data Security Posture Management. If you’ve got E5 or the Purview Suite and you’re not showing this to your clients, you’re leaving value on the table.
What is DSPM, really?
DSPM is the dashboard that tells you, in plain English, where your sensitive data is sitting unprotected and which users are handling it carelessly. It pulls signals from the tools you already pay for — DLP, Information Protection, Insider Risk Management, Adaptive Protection — and stitches them into one view.
The clever bit is the correlation. Before DSPM, you’d open five different blades, cross-reference three different reports, and still miss half of it. Now the findings and recommendations land on one page, with a one-click path to spin up the matching policy.
That’s not a report. That’s a to-do list with context.
Step-by-Step: turning DSPM on
Portal only. Stay in the GUI — easier for you, easier to hand off to the next admin.
Open the Purview portal
Sign in to the Microsoft Purview portal as a member of the Data Security Management role group, an Insider Risk Admin, or a Compliance Administrator. Global Admin works too, but please don’t use it if you can help it.
Open the DSPM solution
From the home page, go to Solutions → Data Security Posture Management → Overview.
Turn on analytics
On the Overview page, click Turn on analytics. That one switch also enables DLP analytics and Insider Risk analytics behind the scenes if they aren’t already on. One click, three switches. The full checklist is in the Get started with DSPM article.
Wait
Yes, really. The automated scan across your tenant can take up to three days on anything larger than a handful of users. Walk away. Brew a coffee. Come back on Thursday.
Review the recommendations
Back on the DSPM dashboard, open Recommendations. Each one tells you what was found, why it matters, and offers a one-click path to create the DLP or Insider Risk policy that fixes it. You don’t start from a blank policy screen anymore — you start from your tenant’s real gaps.
Track trends over time
Use the Analytics and Reports tabs in client reviews. A trend line of risky activity going down beats any invoice justification I’ve ever tried to write.
Why this actually changes behaviour
“Are we protected?”
That’s the question every SMB owner asks. Most of us have been answering with vibes. Good vibes, educated vibes, but vibes.
DSPM changes the answer. You can point at a number. You can point at a recommendation you actioned last month and the unprotected file count that dropped because of it. You can show, not tell.
For MSPs, that’s a QBR slide that sells itself. For internal IT, it’s the evidence you need when the CFO asks what the Microsoft Purview licence is actually doing for the business.
And if Copilot is already in the tenant — which, let’s be honest, it increasingly is — then DSPM for AI is your next stop. Same lens, pointed at what people are pasting into Copilot prompts and what’s flowing back out.
Copilot doesn’t slow down. Neither does your data sprawl. Use something that keeps up.
DSPM isn’t there to create more work. It’s there to stop the guessing.
A practical readiness checklist for SMBs using Microsoft 365
Purpose: Microsoft 365 Copilot works only within the permissions, data, and policies you already have. This checklist helps confirm whether your tenant is ready—or whether Copilot will simply surface problems faster.
You don’t need to score 100%. You do need to know where the risks are.
1. Identity & Access (Foundation)
✅ We have Entra ID (Azure AD) accounts for all staff
✅ Multi‑factor authentication (MFA) is enforced for all users
✅ Admin roles are limited and reviewed periodically
✅ Former employees and guest users are removed promptly
✅ Conditional Access is in place for risky sign‑ins or devices
If “No” appears here: Copilot will still work—but with higher security risk.
2. Licensing Reality Check
✅ We understand the difference between:
Copilot Chat (Basic)
Microsoft 365 Copilot (Paid / Premium)
✅ We know which roles actually need Copilot licences
✅ We are not assuming “everyone gets it for free”
✅ Business Premium (or E3/E5) is in place for users handling sensitive data
If unclear: Expect confusion, helpdesk tickets, and poor adoption.
3. SharePoint & OneDrive Permissions (The Big One)
✅ SharePoint sites have clear owners
✅ Access is based on need, not convenience
✅ “Everyone” or “Anyone with the link” sharing is controlled
✅ Old project sites are archived or cleaned up
✅ We’re comfortable with Copilot summarising what users can access
Reality check: Copilot doesn’t break permissions—it makes them obvious.
4. Sensitivity Labels & Data Classification
✅ Sensitivity labels exist (even if only a few)
✅ Labels are applied to key documents and libraries
✅ Staff understand “Public vs Confidential” at a basic level
✅ We know Copilot respects sensitivity labels
✅ We are aware auto‑labelling may change labels automatically
Minimum viable setup: Public / Internal / Confidential is often enough to start.
5. Data Loss Prevention (DLP) Basics
✅ DLP is enabled for email and files
✅ Alerts or user warnings exist for sensitive data sharing
✅ We accept that Copilot follows the same DLP rules
✅ IT monitors DLP incidents (not just blocks them)
Without DLP: Copilot can still answer—but may summarise data you’d rather it didn’t.
6. Devices & Work Locations
✅ Devices are managed (Intune or equivalent)
✅ We know which devices are corporate vs personal
✅ Business data access is restricted on unknown or unmanaged devices
✅ Staff regularly work from approved locations
Why this matters: Copilot uses the same trust signals as Outlook, Teams, and SharePoint.
7. Governance & Change Management
✅ Someone owns Copilot decisions (not “everyone”)
✅ We have user guidance for:
   What Copilot is
   What Copilot is not
✅ Staff know they remain responsible for final output
✅ We are prepared to say “not yet” to some AI use cases
Copilot readiness is organisational, not just technical.
8. Helpdesk & User Expectations
✅ Helpdesk knows Copilot behaviour changed in April 2026
✅ We can explain “why Copilot looks different now”
✅ We know where Copilot is expected to work (and where it won’t)
✅ We’ve set expectations around quality, limitations, and review
Silence here = frustration later.
✅ Copilot‑Ready Summary
Mostly ✅ → You’re ready to enable Copilot safely
Several ⚠️ → Fix fundamentals first
Many ❌ → Copilot will amplify risk and confusion
Rule of thumb:
If you wouldn’t be comfortable with an intern reading and summarising your Microsoft 365 data, Copilot isn’t the problem—your tenant is.
GRC is one of those acronyms that gets thrown around a lot, usually right before everyone in the room quietly switches off.
Governance, Risk Management, and Compliance sounds like paperwork, policy binders, and audit pain. But done properly, GRC is none of those things. It’s simply the mechanism that turns business intent into repeatable, defensible security outcomes.
And this is where Microsoft 365 quietly does a lot more heavy lifting than most organisations realise.
GRC isn’t about eliminating risk
Let’s get this out of the way early.
The goal of GRC is not to eliminate risk. That’s impossible. If your business uses email, cloud services, mobile devices, or people, risk exists.
What GRC is really about is:
Understanding what level of risk the business is willing to accept
Translating that appetite into practical controls
Measuring how well those controls are working
And getting explicit agreement on the residual risk that remains
That last point is critical. Security isn’t an IT problem — it’s a business decision. GRC gives the business a way to make that decision consciously, instead of by accident.
Governance: turning intent into guardrails
Governance is where most organisations stumble, because it’s often confused with documentation.
In reality, governance is simply the process of answering:
“How do we want things to work around here?”
In Microsoft 365, governance is expressed through configuration, not policy PDFs.
Examples:
Conditional Access defines who can access what, from where, and under what conditions
Intune defines how devices must be configured before they’re trusted
Sensitivity labels define how information is classified and handled
Retention policies define how long data should exist — and when it shouldn’t
This is governance as code. Once it’s configured, it applies consistently, silently, and at scale. No training session or reminder email can compete with that.
Risk management: making security measurable
Risk management is where GRC starts to pay for itself.
Instead of vague statements like “we take security seriously”, Microsoft 365 gives you evidence:
Secure Score shows how your tenant compares to recommended security baselines
Defender surfaces real‑world attack activity, not theoretical threats
Compliance Manager maps controls to recognised frameworks and highlights gaps
This matters because risk that isn’t measured can’t be discussed meaningfully with the business. Microsoft 365 turns risk into dashboards, trends, and improvement actions — which means security conversations can finally move beyond fear and anecdotes.
Compliance: a by‑product, not the goal
One of the biggest mistakes I see is organisations chasing compliance as the end goal.
Compliance should be the output of good governance and risk management, not the driver.
Microsoft 365 reflects this approach well. Whether you’re aligning to Essential Eight, ISO, or internal standards, the same core controls keep showing up:
Strong identity protection
Device compliance
Data classification and protection
Logging, auditing, and retention
When these are in place, compliance reporting becomes far less painful — because you’re proving what you already do, not scrambling to justify what you don’t.
Residual risk: the most important conversation
Here’s the part that rarely happens, but should.
After controls are implemented and compliance is measured, there will always be risk left over. Budget limits, usability trade‑offs, legacy requirements — they all create gaps.
GRC forces the right question:
“Are we comfortable accepting this remaining risk?”
Microsoft 365 makes that conversation possible because it provides clarity:
What’s protected
What isn’t
And what it would take to close the gap
That enables informed decisions instead of hand‑waving. Sometimes the answer is “yes, we accept that risk”. And that’s perfectly valid — as long as it’s a conscious choice.
Why this matters now
With Copilot, automation, and cloud‑first operations accelerating, risk is no longer something that can be managed annually or ad‑hoc.
Microsoft 365 gives organisations a living GRC platform:
Governance enforced through configuration
Risk surfaced through telemetry
Compliance evidenced continuously
The organisations that thrive won’t be the ones chasing perfect security. They’ll be the ones who understand their risk, manage it deliberately, and can explain — clearly — why they’ve made the choices they have.
And that, in a nutshell, is what GRC is supposed to do.
GRC mapped to Microsoft 365 (at a glance)

Governance
  What it means in plain English: Define how the business wants security, access, and data handling to work.
  How Microsoft 365 supports it: Conditional Access and identity controls set who can access what and under which conditions. Intune enforces device standards. Sensitivity labels and retention policies define how data is classified and handled across Exchange, SharePoint, OneDrive, and Teams.

Risk Management
  What it means in plain English: Identify, measure, and prioritise real security risks.
  How Microsoft 365 supports it: Secure Score and Defender telemetry expose gaps and active threats. Intune and Entra ID reporting provide visibility into configuration drift and access risk. Microsoft Sentinel and Defender XDR (where used) correlate signals to show material risk rather than noise.

Compliance
  What it means in plain English: Demonstrate alignment to standards, regulations, or internal controls.
  How Microsoft 365 supports it: Microsoft Purview Compliance Manager maps controls to frameworks and tracks implementation status. Audit logs, eDiscovery, and retention provide evidence without manual data gathering. Built-in compliance reporting supports regulatory and contractual requirements.

Residual Risk
  What it means in plain English: Explicitly accept what remains after controls are applied.
  How Microsoft 365 supports it: Microsoft 365 reporting clarifies what is protected and what isn’t, allowing business leaders to make informed trade-offs between usability, cost, and security.
Unlock Your Path to SMB1001:2026 Certification—The Definitive Guide for Modern Cybersecurity Excellence
Are you ready to elevate your business’s cybersecurity posture and achieve the new SMB1001:2026 standard? This publication, Achieving SMB1001:2026 Compliance with Microsoft 365 Business Premium, is your essential roadmap to mastering the latest requirements from Dynamic Standards International (DSI), released in September 2025.
Why Choose This Guide?
Comprehensive Coverage of the Latest 2026 Standard: Stay ahead with detailed explanations of all new controls, refinements, and tier changes introduced in SMB1001:2026. Learn how to implement advanced requirements like DMARC email authentication, Endpoint Detection & Response (EDR), AI governance, and enhanced supplier security—features not found in previous editions.
Step-by-Step Implementation: Benefit from practical, actionable guidance for every control across Bronze to Diamond levels. Each section provides clear instructions for leveraging Microsoft 365 Business Premium tools—Intune, Defender for Business, Purview, and more—to meet compliance efficiently and confidently.
Gap Analysis & Control Mapping: Instantly identify what’s changed from SMB1001:2025 to 2026. The publication includes side-by-side tables and checklists, so you can pinpoint new, relocated, and updated controls, ensuring your compliance journey is audit-ready and future-proof.
Real-World Solutions: Discover how to use Microsoft 365’s integrated security features to satisfy every requirement—from patch management and password hygiene to advanced backup strategies and supplier trust programs. Includes tips for evidence collection, policy documentation, and ongoing compliance management.
Focused on the Latest Threats: The 2026 standard responds to today’s evolving cyber risks, including email-based attacks, AI misuse, and supply chain vulnerabilities. This guide shows you how to implement controls that directly address these challenges, protecting your business from costly incidents and regulatory penalties.
Accelerate Your Certification: Whether you’re starting at Bronze or aiming for Diamond, this publication provides a clear, phased roadmap. Achieve certification faster, reduce audit stress, and gain a competitive edge with a security posture aligned to global best practices.
Who Should Buy This Guide?
IT Managers, MSPs, and Security Professionals seeking a practical, up-to-date reference for SMB1001:2026 implementation.
Business Owners and Executives wanting to understand the value and process of certification, and how it strengthens business resilience.
Compliance Officers and Auditors needing authoritative guidance on evidence collection, policy updates, and audit preparation.
Key Benefits
Save Time and Resources: Avoid costly trial-and-error with proven, step-by-step instructions and ready-to-use checklists.
Reduce Risk: Implement controls that directly mitigate ransomware, phishing, and supply chain threats.
Future-Proof Your Business: Stay compliant with the latest cybersecurity standard, ensuring your organization is prepared for evolving regulations and threats.
Don’t settle for outdated guidance—choose the publication that’s fully aligned with SMB1001:2026 and unlock your path to certification and cyber resilience.
that reads the online JSON file (or uses a local version if you want to use that) and compares the recommended ASD settings to those in your own Intune environment. Note, the script makes NO CHANGES to your environment, it simply reads the current settings.
It then produces the console output you see above and a HTML report like this:
Overview: What is Microsoft Purview Audit (Premium)?
Microsoft Purview Audit is a unified logging solution that captures user and admin activities across Microsoft 365 services, enabling organizations to track security events, investigate incidents, and meet compliance obligations[1]. Audit (Standard) refers to the baseline auditing features included by default in Microsoft 365 plans, while Audit (Premium) is an enhanced auditing tier providing longer log retention, advanced event insights, and custom retention policies beyond the standard offering[1]. In practice, Audit (Standard) gives you searchable audit logs for the last 180 days of activities, whereas Audit (Premium) extends that retention to 1 year (or more with add-ons) and logs additional detailed events (like when a user reads an email or searches content) useful for deeper forensic analysis[1].
For small and medium-sized businesses (SMBs) using Microsoft 365 Business Premium, Audit (Standard) is already enabled by default – no setup or licensing is needed to start recording basic audit logs[1]. Administrators can search these logs (e.g. who accessed a file, deleted a SharePoint item, or logged into Teams) to monitor user activity and verify policies. However, out-of-the-box Business Premium only includes Audit (Standard) capabilities. Audit (Premium) features are not included in Business Premium by default and require additional licensing (as detailed below)[2]. Upgrading to Audit (Premium) can be extremely valuable for an SMB: it provides a full year of audit history (instead of 6 months), the ability to retain certain logs up to 10 years, and captures high-value events that help investigate insider risks or security incidents more effectively[1].
In summary, Microsoft Purview Audit (Premium) is an advanced auditing solution tailored for organizations with heightened security or compliance needs. It builds upon Audit (Standard) by offering longer log retention, richer analytics, and granular policy control[1]. For an SMB already on Business Premium, enabling Audit (Premium) means bringing enterprise-grade audit and forensics capabilities into your environment – useful for scenarios like in-depth insider threat investigations, detailed tracking of data access, and meeting strict regulatory audit requirements.
Audit (Standard) vs Audit (Premium): Key Differences
Audit (Premium) includes all the functionality of Audit (Standard) and adds important enhancements. The table below compares their features, availability, and licensing:
Included by default?
  Audit (Standard): Yes – enabled by default for all Microsoft 365 organisations[1]. No extra setup needed.
  Audit (Premium): Partially – available only for licensed users (e.g. those with an E5 or add-on). Requires enabling Advanced Auditing for those users[2].

Audit log retention (default)
  Audit (Standard): 180 days (6 months) for all activities[1].* (Pre-Oct 2023: was 90 days, now extended to 180)[1]
  Audit (Premium): 1 year for core workloads (Exchange, SharePoint, OneDrive, Entra ID) by default[1]; 180 days for other services unless extended.

Extended retention options
  Audit (Standard): None beyond 180 days. (Logs expire after 6 months.)
  Audit (Premium): Yes – can retain logs up to 1 year via custom policies. Up to 10 years with an add-on license for specific users[1].

Custom audit retention policies
  Audit (Standard): Not available. All activities use default retention.
  Audit (Premium): Available. Create policies to retain certain audit records longer (e.g. by service, user, or activity) up to 1 year (or 10 years with add-on)[1].

“Intelligent” audit events (detailed insights)
  Audit (Standard): Not included. Only standard events logged.
  Audit (Premium): Included. Logs detailed events like when emails are read/accessed, replied or forwarded, and when users perform searches[1]. These insights help investigate insider actions (e.g. mass document access)[3].

Audit log search tools
  Audit (Standard): Yes – same tools in Purview portal, PowerShell (Search-UnifiedAuditLog), Graph API, CSV export[1].
  Audit (Premium): Yes – uses the same search interfaces as Standard. (Premium just ensures more data is available to search, for a longer period.)

Office 365 Management API access
  Audit (Standard): Yes – baseline access (throttled at standard rate)[1].
  Audit (Premium): Yes – higher bandwidth access (roughly double the API throughput for faster log export)[1]. Useful if exporting logs to a SIEM.

Licensing – Business Premium
  Audit (Standard): Included in Microsoft 365 Business Premium (and all M365 plans) with no additional cost[1].
  Audit (Premium): Not included in Business Premium by default. Requires an add-on or upgrade (e.g. Purview Suite or E5 Compliance add-on) to license Audit (Premium) features[2].

Licensing – Enterprise
  Audit (Standard): Included in E1/E3 plans (Standard only).
  Audit (Premium): Included in E5 plans out of the box[4]. Also available with E3 + add-ons (e.g. Microsoft 365 E5 Compliance or E5 eDiscovery & Audit)[5].

* Note: The default retention for Audit (Standard) was extended from 90 to 180 days in late 2023[1]. All organisations now get six months of audit history without needing E5. Audit (Premium) further extends this to one year for certain services by default, with options for more.
As shown above, the main advantages of Audit (Premium) for an SMB are the longer retention period (12 months) and additional audit data that can be crucial in investigations (for example, the ability to see if a user merely read a file or email, not just that they accessed it)[1]. Audit (Standard) is sufficient for basic admin tracking and recent activity checks, but if you need to investigate incidents over a longer term or require detailed logs for compliance, Audit (Premium) is essential. In particular, regulated industries or scenarios involving potential insider misuse will greatly benefit from the extra visibility and history that Audit (Premium) provides.
Licensing Audit (Premium) in a Business Premium Environment
Microsoft 365 Business Premium includes Audit (Standard) for all users by default, but does not include Audit (Premium) features on its own[2]. To get Audit (Premium) capabilities in an SMB environment with Business Premium, you will need to augment your licensing. Here are the ways to access Audit (Premium) and how each maps to Australian pricing (AUD):
Microsoft Purview Suite Add-on for Business Premium: Introduced in September 2025, this is a new add-on designed for SMBs on Business Premium. For approximately A$15 per user/month (roughly US$10) you can add the Purview Suite, which unlocks Audit (Premium) along with other Microsoft Purview compliance features (like eDiscovery Premium, Insider Risk Management, Information Protection, etc.)[3]. The Purview Suite add-on is limited to tenants with 25–300 users (same scope as Business Premium) and offers a cost-effective way to get E5-level compliance capabilities without upgrading fully to E5. Licensing note: The Purview Suite is purchased through your Microsoft 365 admin center or partner as an add-on SKU and requires that all users who need Audit Premium (or other Purview features) have the add-on assigned.
Microsoft 365 E5 Compliance Add-on (or E5 eDiscovery and Audit Add-on): Prior to the Purview Suite bundle, the common way to get advanced auditing on non-E5 plans was to purchase an E5 Compliance add-on. This add-on similarly provides Audit (Premium) rights (as well as the full suite of E5 Compliance features) to users on an E3 or Business Premium plan[5]. The pricing is in the same ballpark, roughly A$18–20 per user/month for the compliance add-on (the Microsoft 365 E5 Compliance license is listed at ~A$216 per user/year in Australia, i.e. about A$18 per month). Functionally, if you have Business Premium + the E5 Compliance add-on for a user, that user will have Audit (Premium) logging enabled (after activating the Advanced Auditing service plan as described later). Similarly, Microsoft offers a more targeted E5 eDiscovery and Audit add-on (which is a subset just focusing on those features). Any of these E5-level add-ons will meet the requirement for Audit Premium.
Microsoft 365 E5 license: A full Microsoft 365 E5 subscription per user includes Audit (Premium) by default[4]. However, E5 is a much more expensive plan (roughly A$80–$90+ per user/month in Australia for the full suite) and is generally outside the budget or seat limit of most SMBs. If an organisation already has some E5 licenses (or the older Office 365 E5) for key users, those users automatically get Audit Premium capability (e.g. audit log retention for their activities goes to 1 year). For an SMB with Business Premium, adopting E5 licenses wholesale is usually not cost-effective; hence the introduction of the SMB-focused add-ons above.
Microsoft Defender and Purview Suite Bundle: For completeness, Microsoft also offers a bundled add-on that combines the Purview Suite and the Defender Suite for Business Premium for around A$22–23 per user/month (US$15)[3]. This includes Audit (Premium) (via the Purview portion) as well as advanced security (via Defender for Endpoint P2, Defender for Office 365 P2, etc.). SMBs that need both advanced compliance and security could opt for this bundle to save costs. However, if your primary goal is enabling Audit (Premium) and related compliance features, the standalone Purview Suite add-on is sufficient.
In summary, an SMB on Business Premium will require an add-on license to use Audit (Premium). The most straightforward path in 2025 is to obtain the Microsoft Purview Suite for Business Premium add-on, which is tailored for organisations of your size and offers the advanced auditing capability at a relatively affordable price point[3]. Each user who needs their activities retained for a year or to generate premium audit events should be assigned the add-on. Once licensed appropriately, those users’ actions will be recorded under the Audit (Premium) tier. (Users without the add-on will continue to be covered only by Audit Standard logs.)
Tip: If you want to try out Audit (Premium) before committing to additional licenses, Microsoft offers a 90-day free trial of Microsoft Purview solutions (which can enable E5 Compliance features like advanced audit during the trial)[2]. This can be activated from the Purview compliance portal trials hub and is a good way to evaluate the benefits (e.g. see if the additional audit log data is valuable for your organisation) before purchase.
Step-by-Step: Setting Up Microsoft Purview Audit (Premium)
Enabling Audit (Premium) in your Business Premium environment involves a few configuration steps. Below is a step-by-step guide to set up and use Audit (Premium) effectively, assuming you have already acquired the necessary licenses (e.g. Purview add-on or trial):
Note: If you ever need to disable Audit (Premium) or auditing generally (for example, in rare cases for troubleshooting), you can turn off audit log ingestion using the PowerShell command in Step 4 with $false. However, this is not recommended in production as it means you will stop capturing activity logs. In almost all cases, keep auditing enabled at all times for security and compliance continuity.
At this stage, you have set up Audit (Premium) in your Business Premium environment. You should have: the proper licenses in place, appropriate admin permissions, extended audit events (like search logs and mailbox reads) enabled, and custom retention policies (if needed) configured. Now you can leverage these logs to strengthen your organisation’s security monitoring and compliance reporting. In the next section, we’ll discuss how to use these audit logs effectively in common SMB scenarios like detecting insider threats, preventing data leaks, and fulfilling regulatory requirements.
Effective Use Cases for SMBs Using Audit (Premium)
Microsoft Purview Audit (Premium) equips SMBs with powerful capabilities that were once the domain of large enterprises. Here are some key use cases and scenarios where Audit (Premium) can be especially valuable for a Business Premium organisation:
Insider Risk Detection and User Activity Monitoring
Insider threats are a concern for organisations of all sizes. Whether it’s a disgruntled employee or simply an honest employee taking company data home out of misunderstanding, Audit (Premium) can be a critical tool for detection. In an SMB, IT staff can use audit logs to monitor tell-tale signs of risky behavior:
Mass download or access of files: With standard audit, you could see file download events, but only for 180 days. Audit (Premium) ensures you have a full year of file access records. If an employee is leaving and suddenly downloads hundreds of files from SharePoint or OneDrive, you’ll catch that in the logs. You can even set up an alert policy (in the Compliance portal’s Alert section) to notify you of unusual download activity. For example, if user X downloads >N files in an hour, trigger an alert. The audit data (file names, timestamps) will help confirm if they took sensitive information.
MailItemsAccessed (Premium insight): This is a special Audit (Premium) log that records when emails in a mailbox are read/accessed, even by the mailbox owner. Why is this useful? Imagine a scenario where an attacker compromises a user’s email account. They quietly read through the mailbox looking for valuable info. In standard audit logs, if the attacker didn’t send or delete anything, you might not have a clear trail. MailItemsAccessed, however, would show that a large number of emails were opened/read at odd hours[6]. This can be an early indicator of compromise or misuse. SMBs can utilize this to detect if, say, a terminated employee’s mailbox was accessed after departure or if a delegated admin is snooping on others’ emails.
Search queries: As enabled in the setup, Audit (Premium) can log what content a user searched for in Exchange or SharePoint. This can be useful in insider investigations – for instance, if an employee was searching SharePoint for “salary data” or other sensitive info before a leak. It’s a niche signal, but in certain cases provides insight into user intent. Insider Risk Management (as a higher-level tool) uses many of these audit signals to score risk, but even without IRM, an admin can manually look at audit logs for such patterns.
Privileged user monitoring: Audit logs also track admin actions (e.g., an admin downloading a mailbox via eDiscovery, or changing a configuration). With longer retention, you can periodically review admin activity. In an SMB, IT admins wear many hats – but it’s good practice to have oversight. For example, you could search the audit log for “Added mailbox permission” or “File deleted” activities over the last year to ensure no unauthorised or unexplained changes were made. This helps with separation-of-duties even in a small IT team.
By actively reviewing these logs or setting up alerts, an SMB can spot internal issues early – before they become major incidents. Microsoft Purview Audit (Premium) essentially provides an “activity DVR” for your organisation: you can rewind and see exactly what a user did, which is invaluable for both deterrence and investigation.
Data Loss Prevention and Forensic Investigations
When it comes to data leaks or policy violations, Audit (Premium) proves its worth by providing a detailed audit trail:
Suppose your company has set up Data Loss Prevention (DLP) policies (available in Business Premium for Exchange/SharePoint/OneDrive). If a DLP policy flags an attempted sharing of sensitive information (e.g. someone tried to email out a list of customer credit card numbers, which was blocked), you can use audit logs to investigate further. The audit log would show the “DLP rule match” event as well as the user’s subsequent activities. Did they attempt another method to send the data? Did they save it to a personal device? Audit logs will show file access, print events (if recorded by Windows and fed into audit logs via AIP), etc., giving a full picture around the incident.
In case of a confirmed data breach or cyber-incident, time is of the essence to understand what happened. Audit (Premium) lets you triage and scope incidents effectively. For example, if a rogue third-party application was discovered (perhaps a user installed an OAuth app that siphoned data), you can search audit logs for activities that app performed or what the user did under its influence. If ransomware hit your SharePoint, audit logs can show which files were mass-deleted or encrypted and by which account. With 1-year retention, you might find the initial entry point which could have been many months ago (some breaches aren’t discovered until long after the fact). Without Audit (Premium), those older breadcrumbs might be gone.
Forensic detail: Audit (Premium) records include useful information such as IP addresses, user agents, object details, etc., for each event[5]. After an incident, you can export relevant logs and hand them to forensic analysts or authorities. For example, after a suspected insider data theft, you could export all audit events of that user for the last 12 months – giving a timeline of their activities (file downloads, email sent, USB device insertions if those were captured by Defender and fed to audit, etc.). This can serve as evidence if needed and guide your response (e.g., which systems to secure or which partners to notify).
One thing to note is that Audit (Premium) isn’t a real-time blocking tool – it’s investigatory. For proactive protection, you’d rely on things like DLP policies, Defender for Cloud Apps (for anomaly detection), etc. But the audit logs are the backbone of investigating any alerts those systems raise. They often answer the questions “what exactly happened?” and “when and who did it?”. For an SMB, having this level of detail can be the difference in confidently handling an incident or being in the dark.
Compliance, Audit Trails, and Reporting
For organisations subject to compliance standards or client security assessments, Audit (Premium) provides assurance that you have robust audit trails in place:
Regulatory audits: If you need to comply with standards like HIPAA, ISO 27001, or various government regulations, auditors may ask for proof of controls. Audit logs can demonstrate controls like data access governance. For example, under GDPR, you should be able to trace who accessed personal data. With Audit (Premium), if a European customer exercises their right to know who accessed their data, you could query the audit log for any access events related to that data over the last year. Many SMBs struggle with these requests, but having the audit log makes it feasible. It shows a commitment to transparency and control.
Retention requirements: Some industries require logs to be kept for longer than 6 months. If you fall under such a rule (or your customers contractually require it), enabling Audit (Premium) is necessary. Moreover, the 10-year audit log retention (with add-on) might be relevant for, say, financial services or healthcare where legal proceedings or investigations can occur years later. SMBs like accounting firms or clinics, for instance, might consider using the 10-year retention for certain high-risk user accounts. Audit (Premium) allows you to meet these needs, whereas without it you’d have to implement an external log archive solution.
Internal audits and policy compliance: Even outside formal regulation, an organisation may have internal policies (“we review admin access every year” or “we ensure only authorised people accessed Project X files”). Audit logs are how you verify and report on these. With the ability to export to CSV and analyze in Excel or Power BI, you can generate internal audit reports. For example, you might periodically review all “File accessed” events on a confidential SharePoint site to ensure only the intended team accessed it. If someone outside the team shows up in the logs, that’s a flag to investigate permissions. Audit (Premium) giving 12 months of data means you can do a thorough annual review, not just a snapshot of recent activity.
Legal eDiscovery synergy: Often, when there’s litigation, you perform eDiscovery (searching across mailboxes and documents for relevant content). Audit logs complement this by showing audit trails of content. E.g., if a legal case questions whether a document was seen by certain people at a certain time, the audit log can confirm access. Interestingly, Microsoft’s eDiscovery (Premium) (also included in the Purview Suite add-on) can leverage audit logs to track views/edits of content. So, Audit (Premium) feeds into a stronger eDiscovery process. For an SMB, this level of preparedness can save a lot of time and cost if a legal situation arises.
In essence, Audit (Premium) helps SMBs operate with enterprise-level diligence. You can confidently answer “Who did what, when, and how” for most actions in your Microsoft 365 environment, even up to a year ago or more. This instills confidence not only within your security team but also for any external parties evaluating your IT controls.
Best Practices for Audit Policy Configuration and Usage
Enabling Audit (Premium) is powerful, but to get the most value (and avoid being overwhelmed by data), consider these best practices for configuring and using your audit logs:
🌳 Define clear audit retention policies: Don’t just blindly keep everything for one year. Decide which activities are most critical to retain longer. For example, Exchange, SharePoint, OneDrive, and Azure AD logs are already kept 1 year by default with Audit Premium[1]. You might not need to extend all other activities to 1 year. Perhaps extend Teams chat audit events or Power BI events if those are important, but maybe you don’t need year-long logs for, say, Sway or Yammer. Tailor the retention policies (Step 5 in setup) to balance useful data vs. clutter. Also, keep in mind storage – although Microsoft stores audit logs in the cloud and it’s not in your tenant data quota, extremely large volumes can affect export and search speed. So retain what you need for compliance/forensics, not just everything.
🔒 Limit and monitor access to audit logs: Audit logs contain sensitive information (they can reveal user activities, email subjects, file names, etc.). Only assign the Audit Reader/Manager roles to trusted personnel. In a small business, this might just be the IT manager or security officer. Consider enabling Multi-Factor Authentication on those accounts (as you should for all admins). Microsoft Purview doesn’t currently generate alerts for audit log access, but you as an admin could manually audit the auditors – e.g., check if someone outside the expected roles ran an audit search (that itself is an auditable event). This ensures privacy and security of the audit data itself.
📊 Use tools to analyze the logs: The Purview portal search is great for interactive queries, but for deeper analysis use export and other tools. For instance, export a month of logs to CSV and use Excel PivotTables or Power BI to spot trends (failed logins over time, most accessed files, etc.). There are also Microsoft Graph APIs to programmatically retrieve audit events, which could feed into a SIEM like Microsoft Sentinel or a custom dashboard[1]. If your SMB uses Sentinel or another security monitoring solution, configuring the Office 365 Management Activity API to pull your audit logs is a good idea[1]. With Audit Premium, you have higher API bandwidth, meaning such integrations will run more smoothly[1]. This way, you can get automated anomaly detection on top of your audit data.
🚦 Set up alert policies for critical events: Within the Compliance portal, under Alerts (or in the older Security & Compliance Center under Alert policies), you can define rules that trigger alerts based on audit events. Common ones to create:
Alert when an admin privilege is granted (e.g., someone added to a role group).
Alert when mass deletion of files occurs.
Alert on eDiscovery searches or content exports (to catch any misuse of those tools).
Alert on downgrading audit or disabling the log (if someone tried to turn off auditing, you want to know immediately).
Many default alerts exist (like suspicious logins via Azure AD), but custom ones for these audit events can significantly improve your security oversight.
📆 Periodic audit reviews: Make audit log review a routine. For example, monthly spot checks on different areas: one month review sharing activities on OneDrive, next month review mailbox access logs, etc. In a small business, dedicating a couple of hours per month to this can help you catch issues proactively. It’s like doing an internal audit continuously. You may rarely find issues, but when you do, you’ll be glad you looked. Plus, it familiarizes your team with the logs, so in a crisis you’re already comfortable with the data format and tools.
✍️ Document and communicate audit practices: Let your users know, at least in broad terms, that activities are logged for security and compliance. This can be part of an IT policy users accept. It creates a deterrent effect for malicious behavior (“my actions might be traced”) and also assures well-meaning employees that the company is keeping track in case something goes wrong (“if someone accessed my account, it would be recorded”). Of course, be mindful of privacy laws – in some jurisdictions, you must disclose if you monitor employee communications. Microsoft Purview Audit is generally considered a security log, but transparency is still a good practice.
🤝 Combine Audit with other Purview solutions: If you have invested in the Purview Suite, you likely have tools like Insider Risk Management (IRM), Communication Compliance, etc. These tools use signals from audit logs but provide a layer of AI or policy-driven analysis on top. For example, IRM can create risk scores if an employee downloads a lot of files (as seen in audit logs) and also resigns (HR insight). It might then automatically flag that user. While our focus is audit logs, remember to explore these additional Purview features – they can amplify the value of your auditing by proactively identifying risks using the same data. For an SMB, even a simple policy in Communication Compliance (like flagging rude or threatening language internally) might be beneficial; and audit logs would be the evidence when investigating those flags.
Stay updated on new audit log capabilities: Microsoft occasionally expands auditing functionality. For instance, in late 2023 and early 2024, they made more audit log types available to Standard that were previously Premium-only (increasing the baseline logs all customers get)[6]. And they continue to add new event types as Microsoft 365 services evolve (e.g., new collaboration features might generate new kinds of audit records). Keep an eye on the Microsoft 365 Roadmap or TechCommunity blogs for announcements related to Purview Audit. This ensures you’re aware of any new logs you might want to incorporate or new settings to configure. For example, if Microsoft enables some new audit event (like Teams message reactions logging) you might need to adjust retention policies or decide if it’s useful to you.
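As an added example (not code from this article or from Microsoft), the script below applies the export-and-analyze practice above to two of the insider-threat signals discussed earlier: bulk off-hours MailItemsAccessed reads and Add-MailboxPermission grants found in the admin activity review. It assumes the column layout of the Purview audit search CSV export (CreationDate, UserIds, Operations, AuditData) and the field names of the real audit records; the sample rows are constructed, and the working-hours window and threshold are assumptions to tune for your own business.

```python
"""Triage an exported Purview audit log CSV for two insider-risk patterns.

Added example for this article, not Microsoft code. It assumes the CSV has
the columns the Purview audit search export writes (CreationDate, UserIds,
Operations, AuditData) and that AuditData holds one JSON record per row
whose field names match the MailItemsAccessed and Add-MailboxPermission
record shapes. The sample rows are constructed, not real tenant data.
"""
import csv
import io
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records. CreationTime is UTC, as in real audit records.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-09-03T02:10:00", "Operation": "MailItemsAccessed",
     "UserId": "alex@contoso.example", "ClientIPAddress": "203.0.113.45",
     "MailAccessType": "Bind", "OperationCount": 180},
    {"CreationTime": "2025-09-03T02:25:00", "Operation": "MailItemsAccessed",
     "UserId": "alex@contoso.example", "ClientIPAddress": "203.0.113.45",
     "MailAccessType": "Bind", "OperationCount": 240},
    {"CreationTime": "2025-09-03T10:05:00", "Operation": "MailItemsAccessed",
     "UserId": "bea@contoso.example", "ClientIPAddress": "198.51.100.7",
     "MailAccessType": "Bind", "OperationCount": 12},
    {"CreationTime": "2025-09-03T11:30:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@contoso.example", "ObjectId": "ceo@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "ceo@contoso.example"},
                    {"Name": "User", "Value": "alex@contoso.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
]


def build_sample_export() -> str:
    """Lay the sample records out the way the portal's CSV export does."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for rec in SAMPLE_RECORDS:
        writer.writerow([rec["CreationTime"] + "Z", rec["UserId"],
                         rec["Operation"], json.dumps(rec)])
    return buf.getvalue()


def parse_export(csv_text: str) -> list:
    """Return the AuditData JSON object of each row; rows whose JSON is
    malformed (it happens with hand-edited exports) are skipped."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            events.append(json.loads(row["AuditData"]))
        except (KeyError, TypeError, json.JSONDecodeError):
            continue
    return events


def off_hours_mail_reads(events, threshold=100, day_start=6, day_end=20):
    """Sum MailItemsAccessed reads per user per UTC day that fall outside
    day_start..day_end-1 and return the (user, day) pairs at or above
    threshold. The window and threshold are assumptions; tune them to your
    own working hours to keep shift workers out of the review queue."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get("Operation") != "MailItemsAccessed":
            continue
        when = datetime.fromisoformat(ev["CreationTime"])
        if day_start <= when.hour < day_end:
            continue
        # Aggregated records carry OperationCount; one without it is a single access.
        totals[(ev["UserId"], when.date().isoformat())] += int(ev.get("OperationCount", 1))
    return {key: n for key, n in totals.items() if n >= threshold}


def mailbox_permission_grants(events):
    """List every Add-MailboxPermission event as who granted which rights on
    which mailbox to whom, for the periodic admin-activity review."""
    grants = []
    for ev in events:
        if ev.get("Operation") != "Add-MailboxPermission":
            continue
        params = {p.get("Name"): p.get("Value") for p in ev.get("Parameters", [])}
        grants.append({"time": ev["CreationTime"], "actor": ev["UserId"],
                       "mailbox": ev.get("ObjectId"), "grantee": params.get("User"),
                       "rights": params.get("AccessRights")})
    return grants


if __name__ == "__main__":
    events = parse_export(build_sample_export())
    for (user, day), n in off_hours_mail_reads(events).items():
        print(f"review: {user} read {n} mail items outside working hours on {day}")
    for g in mailbox_permission_grants(events):
        print(f"review: {g['actor']} granted {g['rights']} on {g['mailbox']} "
              f"to {g['grantee']} at {g['time']}")
```

Point `parse_export` at the text of a real export to run the same two checks over a month of your own logs; both findings are review prompts, not verdicts, so confirm them against the user's role and the ClientIPAddress before acting.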
By following these best practices, you’ll maintain an efficient and secure auditing process. Microsoft Purview Audit (Premium) can significantly strengthen your security posture and compliance readiness, but it should be managed deliberately. The goal is to have the right data, in the right hands, retained for the right amount of time.
Conclusion
Microsoft Purview Audit (Premium) brings enterprise-grade auditing to organisations of all sizes – and with the recent availability of compliance add-ons for Microsoft 365 Business Premium, SMBs can now leverage these advanced capabilities without a full E5 licensing upgrade. By enabling Audit (Premium) in your Business Premium environment, you gain a longer memory of events (crucial for investigations that surface months later) and deeper insight into user behaviors (crucial for detecting insider risks and misuses). This investment helps an SMB to proactively identify security issues, thoroughly investigate incidents or anomalies, and confidently meet compliance obligations with a detailed audit trail[5][1].
In practical terms, after following the setup steps, you will have a robust system where virtually every important action in Microsoft 365 – whether it’s a file read, an email sent, a permission changed, or a login attempt – is being recorded and retained for analysis. The combination of Business Premium’s security features and Purview’s Audit (Premium) gives you a comprehensive view of your digital workplace activities.
Remember that technology is just one part of the equation: ensure your team knows how to use these audit tools (consider Microsoft’s free training modules on Purview Audit) and integrate audit review into your IT processes. With that in place, your small or mid-sized business can enjoy many of the same benefits that large enterprises count on to secure and govern their data – all while using familiar Microsoft 365 interfaces and tools.
By prioritising audit and compliance now, you are not only reducing the risk of incidents but also putting your organisation in a position of strength – able to demonstrate accountability and respond to challenges swiftly. Microsoft Purview Audit (Premium) is a powerful ally in that journey, and with careful setup and use, it will significantly enhance your organisation’s security and compliance maturity.
Microsoft Purview eDiscovery (Premium) is an advanced electronic discovery tool in Microsoft 365 that provides an end-to-end workflow for internal and external investigations. It enables organisations to identify, preserve, collect, review, analyse, and export electronic information from across Microsoft 365 (Exchange emails, SharePoint/OneDrive files, Teams chats, etc.) for legal or compliance purposes[1]. This solution builds upon the basic eDiscovery features that come with Microsoft 365 Business Premium (also known as Core eDiscovery or eDiscovery (Standard)), adding powerful capabilities such as dedicated cases, custodian management, legal hold notifications, review sets, and analytics with machine learning. In this report, we’ll explain what Purview eDiscovery (Premium) offers, how to set it up and use it effectively in a small or medium-sized business (SMB), and how it fits into the Microsoft 365 Business Premium licensing. All prices are provided in Australian dollars (AUD), and the content is tailored for an SMB already using Microsoft 365 Business Premium.
Overview of Microsoft Purview eDiscovery (Premium)
Microsoft Purview eDiscovery (Premium) (formerly Advanced eDiscovery) is part of the Microsoft Purview compliance suite. It is designed to facilitate legal discovery and investigations by providing a one-stop solution within Microsoft 365. Key features and benefits include:
Why is this important for an SMB? Even smaller organisations must occasionally respond to legal matters – such as employee disputes, client litigation, or regulatory inquiries. Purview eDiscovery (Premium) brings enterprise-grade eDiscovery capabilities to your business without requiring you to export data out of Microsoft’s secure cloud until necessary. It ensures that if you are ever faced with an investigation or lawsuit, you can respond quickly and defensibly by collecting exactly the information needed (and nothing more) and preserving its integrity. The advanced tools (like machine learning analysis) can be especially helpful for SMBs who may not have large legal teams – by automating part of the review, the tool can help a small team find the important needles in the haystack of emails and files.
Note: Microsoft Purview eDiscovery (Premium) is an upgrade to the standard eDiscovery capabilities that are already available in Microsoft 365. In Microsoft’s lineup of eDiscovery solutions: Content Search (basic searching across data), Core eDiscovery (Standard) (cases, legal hold, basic search/export), and eDiscovery (Premium) (full advanced suite) – the Premium offering is the most feature-rich[1]. Business Premium includes the Standard eDiscovery features by default, as we discuss next.
Licensing Considerations and Comparisons (Business Premium vs E5)
Before enabling eDiscovery (Premium), it’s critical to understand the licensing requirements, especially since our scenario is an SMB on Microsoft 365 Business Premium. Microsoft 365 plans differ in which eDiscovery features are included:
Microsoft 365 Business Premium – includes Core eDiscovery (Standard) features. This means you get Content Search, the ability to create eDiscovery cases, place content on hold, and export data[1]. In fact, Business Premium (like the comparable Office 365 E3 plan) includes Exchange Online Plan 2, which provides mailbox archiving and litigation hold capabilities out-of-the-box. However, eDiscovery (Premium) is not included in Business Premium; it requires additional licensing. Business Premium, being an SMB-focused plan (up to 300 users), is limited to standard compliance tools like basic eDiscovery, audit, retention, sensitivity labels, etc.[2].
Microsoft 365 E5 (Enterprise) – includes eDiscovery (Premium) by default (along with all E5 advanced compliance features). If a business has M365 E5 or Office 365 E5 licenses for its users, those users can utilise the full advanced eDiscovery capabilities[1]. E5 is an enterprise-grade plan (no user limit) that adds all the advanced compliance, security, and analytics features on top of E3. For SMBs, E5 may be beyond needs and budget, but it’s the plan where eDiscovery Premium is bundled.
Add-On Licensing (E5 Compliance or eDiscovery & Audit) – Microsoft offers the advanced compliance features as add-ons so that organisations on lower plans (like Business Premium or E3) can get eDiscovery (Premium) without migrating everyone to E5.[2] Two common add-ons:
Microsoft 365 E5 Compliance – this add-on includes eDiscovery (Premium), plus other compliance features like Advanced Audit, Records Management, Communication Compliance, etc. It essentially lights up the entire Purview compliance suite for a user. This add-on can be added to a user licensed with Business Premium (or E3)[2].
Microsoft 365 E5 eDiscovery and Audit – a more targeted add-on that includes just the eDiscovery (Premium) and Advanced Audit capabilities (without some of the other E5 Compliance features). This is often a slightly lower-cost way to get eDiscovery Premium for specific users[2]. This can also be added on top of Business Premium or E3 licenses for those users who need advanced eDiscovery.
In our SMB scenario, since the company is already on Business Premium, you have two main options to gain eDiscovery (Premium) features: either upgrade certain users to an E5 plan, or (more cost-effectively) purchase the E5 Compliance or E5 eDiscovery and Audit add-on for those users. Typically, you would buy the add-on for each user who will be a custodian (i.e. whose mailbox and data you need to search in a case) or who will actively use the eDiscovery Premium tools. Microsoft licensing requires that any user whose content is being processed with eDiscovery (Premium) (e.g. placed on hold and added to a review set) must be licensed for it[1]. In practice, you might start by licensing a small number of users (perhaps your IT admin or compliance officer and any employees likely to be involved in legal matters) with the add-on, rather than all 300 users.
The table below compares the relevant plans and costs, focusing on eDiscovery:
| Plan / option | Approx. price (AUD)* | eDiscovery capability | Notes for an SMB |
|---|---|---|---|
| Microsoft 365 Business Premium | ~AU$32.90 per user/month¹ | Core eDiscovery (Standard) – Content Search across M365, create cases, place holds, basic search and export.[2] Advanced eDiscovery (Premium) not included. | Up to 300 users. Great built-in compliance basics (audit log, retention, DLP, etc.), but no AI analytics or custodian management without add-ons. |
| Microsoft 365 E5 Compliance add-on | ~AU$18 per user/month (AU$216/year)² | Adds eDiscovery (Premium) – Full advanced eDiscovery capabilities (custodian management, review sets, analytics) plus Advanced Audit and other compliance features. | Attach this to Business Premium users who need advanced eDiscovery. More affordable than full E5; can pick specific users (e.g. IT, HR, Legal). |
| Microsoft 365 E5 (full suite) | ~AU$78.30 (per user)³ | eDiscovery (Premium) included (also includes all E5-level security & compliance features, e.g. Defender, Insider Risk, etc.). | Unlimited users. Expensive for SMB; typically not necessary if only compliance is needed – an add-on is usually preferred for SMBs. |

*Pricing is approximate per-user, in Australian dollars (excluding GST). Microsoft prices are subject to change and may vary by provider or term.
¹ AU$32.90 user/month is the annual subscription price for Business Premium, billed per year (approx AU$394.80/year). Monthly commitment pricing may be slightly higher.[3]
² AU$216 per user/year noted for E5 Compliance in an Australian vendor listing[4] (~$18/month). Microsoft does not always list add-on prices publicly, but this is in the correct range.
³ AU$78.30 is a referenced price for Microsoft 365 E5 plan. This likely corresponds to the base price per month per user (approx $861/year) for the full E5 plan in Australia.
What does this mean for our SMB? Since you already have Business Premium, you do not need to upgrade everyone to E5. The most cost-effective approach is to identify which users will be involved in eDiscovery cases and assign an add-on license to those individuals. For example, you might purchase 5x E5 Compliance add-on licenses and assign them to: the Global admin or IT manager who will run eDiscovery, your HR manager in case of employee investigations, your CEO or legal counsel, etc. This way, if any of these people’s data needs to be put on hold or analysed, or if they need to perform the investigation, you’re properly licensed. (Other users not licensed can still have their data searched using Core eDiscovery if needed, but they cannot be added as custodians in an advanced case or have their content analysed with the advanced tools without license compliance issues.)
Additionally, Microsoft offers a 90-day trial of the full Purview compliance features for up to 25 users[1]. This trial can be used if you want to evaluate eDiscovery (Premium) or if you have a one-off urgent need (for instance, an unexpected legal case) and prefer to try the capabilities before committing to purchase. Keep in mind after 90 days the trial ends, so for ongoing needs an add-on is required.
Enabling and Setting Up eDiscovery (Premium)
Once the appropriate licenses are in place for the necessary users, you can proceed to enable and configure eDiscovery (Premium) in your Microsoft 365 tenant. The setup involves granting permissions, adjusting some settings, and then using the eDiscovery tools to create cases and perform investigations. Below is a step-by-step guide tailored for an SMB admin:
Step 1: Verify Licensing Prerequisites
Ensure that any user who will either manage eDiscovery cases or be a custodian in a case has the right license. In a Business Premium environment, this typically means assigning the Microsoft 365 E5 Compliance add-on (or the more targeted E5 eDiscovery and Audit add-on) to those users[1]. For example, if Jane Doe (HR Manager) will run eDiscovery searches and you plan to collect data from John Smith (an employee under investigation), both Jane and John should have the add-on. This licensing step is crucial for the eDiscovery (Premium) features to be accessible in the Purview portal and to comply with Microsoft’s requirements. (If you attempt to add an unlicensed user as a custodian in a Premium case, the system may not stop you, but you would be out of compliance – so do this right before proceeding.)
Step 2: Assign eDiscovery Permissions
By default, even a global admin cannot access eDiscovery (Premium) cases until permissions are assigned. As an admin, go to the Microsoft Purview compliance portal (Compliance Center) and add the relevant users to the eDiscovery Manager role group[4]. There are two main roles:
eDiscovery Manager – can create and manage cases, add custodians, perform searches, etc. Members of this role group will actually conduct eDiscovery operations.
eDiscovery Administrator – (optional) can access all cases in the organisation (typically reserved for compliance officers or very high-level oversight).
For a small business, you might simply add yourself (IT admin) and perhaps one other trusted individual (like a compliance manager or legal advisor) as eDiscovery Managers. This will give you the ability to create cases and use all eDiscovery (Premium) functions[4]. (You can do this under Compliance Portal > Permissions > eDiscovery Manager: add users as Members.)
Step 3: Configure Global eDiscovery Settings (Optional)
Microsoft Purview eDiscovery (Premium) has a few tenant-wide settings you might want to configure. The primary one is Attorney-Client Privilege (ACP) detection. If your investigations might involve communications with attorneys, you can enable the ACP detection model: this uses machine learning to flag documents that likely contain attorney-client privileged information[4]. Enabling it involves uploading a list of your organisation’s attorney emails so the system knows what correspondents might be lawyers. This step is optional – not enabling it won’t prevent using eDiscovery, it only means you won’t get automated privilege tagging. As an SMB, you might skip this unless you have in-house counsel or frequent legal communications. If needed, you can turn it on later via Compliance Portal > eDiscovery (Premium) > Settings.
Additionally, verify that certain enterprise applications required for eDiscovery are active in your tenant (they usually are enabled by default). These include “ComplianceWorkbenchApp” and “MicrosoftPurviewEDiscovery” among others[4]. In most cases, you won’t need to touch this, but if someone had previously disabled any Purview apps, you’d re-enable them in Azure AD’s Enterprise Applications settings.
Step 4: Create a New eDiscovery (Premium) Case
With permissions in place, you can now create a case. In the Purview Compliance portal, navigate to eDiscovery > eDiscovery (Premium). Click “Create case” and give it a name and description (e.g., “Employee Separation – John Smith – Sept 2025”). This sets up a secure container for all the eDiscovery activities related to that matter. Only users added as case members (which initially will be you, since you created it) can access the case data. Once the case is created, you’ll enter the case dashboard which has several tabs: Data Sources, Holds, Collections, Review Sets, Analytics, Exports, etc.
Step 5: Add Custodians (Data Sources) and Apply Holds
Identify the people (and/or teams or sites) that are relevant to the case – these are your custodians. In our example, if investigating John Smith’s communications, John is a custodian. Go to the “Data Sources” or “Custodians” section of the case and add the user accounts, SharePoint sites, or Teams you need to include[1]. When you add a person as a custodian, eDiscovery (Premium) will automatically detect all content locations associated with that user (their Exchange mailbox, OneDrive, Teams chats, etc.).
After adding custodians, set up a Legal Hold on their content locations (Exchange mailbox, OneDrive, SharePoint sites, etc.)[1]. In the Holds tab within the case, create a hold, give it a name, and choose the custodians or specific locations to preserve. You can optionally narrow the scope (for example, only hold items from after a certain date or only specific keywords), but generally for a legal hold you preserve everything for that user during the relevant time frame. Placing content on hold ensures that even if the user deletes emails or files, or if retention policies would normally purge data, the content is preserved immutably for the case’s duration[1]. In an SMB, you might not have elaborate deletion policies, but it’s still wise to apply a hold so nothing relevant can disappear.
If required, you can also add non-custodial data sources – for example, if you need to collect data from a SharePoint site or mailbox that isn’t tied to a specific user/custodian (like a shared mailbox or public folder), you can add those separately in eDiscovery (Premium).
Step 6: (Optional) Send Notifications to Custodians
One feature of eDiscovery (Premium) is the ability to manage custodian communication. If your legal team requires that custodians (employees) are notified that they must not delete anything related to the case, you can use the built-in notification workflow[1]. This will send an email to the user (using a template you can customise) saying, for example, “You are on legal hold for case XYZ – here are instructions…”. The system can track who has acknowledged the notice and even send reminders or escalate if someone doesn’t respond. For a small company, this formal process might or might not be needed – often HR or management will inform the person directly if appropriate. But if you do use it, it ensures a documented trail that John Smith was told to preserve data. You can manage these under the Communications or Notices section within the case (depending on the UI updates).
Step 7: Search for Relevant Content (Collections)
Now comes the discovery part – finding the data you need. Under Collections (or Search in some interface layouts), create a search query within the case. You can search across all custodians added to the case or specific ones, and across various content types: Exchange email, SharePoint documents, OneDrive files, Teams chats, etc., all in one go[1]. Use keywords, phrases, and query conditions to narrow down the results. For example, if we are looking for emails John Smith sent to a specific client about “Project X”, we might add query parameters like: keywords: "Project X" AND sender: john.smith@ourcompany.com AND recipient: client@partner.com. You can also use conditions like date ranges, specific SharePoint site paths, message types, etc. The interface provides filters to help build these. After running the search, eDiscovery will show statistics – e.g. “500 items found, 300 from Exchange, 200 from OneDrive” – so you can gauge if your query is on target[1]. You can refine the query as needed to reduce or expand results.
Once satisfied, save the search and then collect the data. “Collection” in eDiscovery (Premium) essentially means copying the responsive content into the case’s Review Set for analysis. When you initiate a collection, the system will copy all the items that matched your query from their live locations into a secure Azure storage area associated with the case[1]. Importantly, this does not remove or alter the originals (they remain in mailbox, etc., and also on hold); it’s just making a static copy for us to review. You can choose to collect all results or only a sample, and you can have multiple searches/collections per case (e.g. one search for emails, a separate one for Teams chats, etc., each added to the review set).
Step 8: Review and Analyse Collected Data
Now switch to the Review Sets tab of the case. Here you’ll see one or more review sets (create a new one if the wizard hasn’t already). In most cases, a single review set per case is used, containing all collected content. In the review set, you can view and triage the documents and communications that were collected. The interface provides a document viewer and query builder: you can filter items by custodian, date, keyword, or other metadata. You can also apply tags to mark items (for example, tag some as “Relevant”, “Privileged”, or “Irrelevant”) to organise your review.
This is where advanced analytics come into play, making the review process more efficient:
You can enable Threading to group email conversations, so you see whole threads instead of duplicate individual messages[1].
Use Near-Duplicate Detection to have the system find documents that are very similar (perhaps different versions of the same file).
Leverage Predictive Coding (Training): you review and tag a set of documents (marking which are relevant to your case), then have the system train a machine learning model to predict relevance for the remaining documents[1]. This helps prioritise which documents to review next, a big time-saver if you have thousands of items. In a small case you might not need it, but it’s there for larger data sets.
Keyword Statistics and Analytics: eDiscovery Premium will show you things like the top keywords, email senders, etc., in the review set. It can also flag anomalies or hidden content (for example, if an email had an encoded attachment that wasn’t indexed before, advanced indexing helps surface that[1]).
During review, you might decide some search results were noise. You can refine your searches and perform additional collections, or you can simply tag and filter out irrelevant items. The goal is to narrow down to the truly important materials.
Step 9: Export Data for External Use
After reviewing, you will likely need to export the data (e.g. to provide to a requesting party, or to load into a legal review tool for outside counsel). In the Exports section of the case, you can create an export job. You’ll choose which review set (and optionally which filters or tags) to include in the export. You can output everything or only items tagged “Relevant”, for instance.
Microsoft provides a couple of export options:
Download via Browser: The system prepares the data (staging it in Azure Blob storage) and you then download a compressed package with the results. This can include the original files and emails, plus metadata and load files (CSV, or a format a third-party review platform can ingest). Email messages can be exported as PST or as individual MSG files, documents in their native format, and so on. You’ll also get a report summarising the export.
Export to Azure Storage: You can directly export the data to a customer-provided Azure Blob Storage container[1]. This is useful if the data set is huge (many GBs) or if you want to directly transfer it to another environment. You would specify an Azure storage SAS URL, and eDiscovery will copy the data there instead of you downloading it. This is often used by larger enterprises, but an SMB might simply use the download method for convenience.
Once exported, verify the data and reports. The audit log in Microsoft 365 will have records of the searches, holds, and export actions performed, which is good for compliance traceability.
Step 10: Close or Manage the Case
After the investigation concludes, you can close the eDiscovery case, which lifts any holds placed via that case and lets the normal data lifecycle resume. Close it only once you’re sure all legal duties to preserve are complete; you can also keep the case open if it’s an ongoing matter. There is no quota on the number of cases, though per-case limits (for example, on the number of custodians) exist; an SMB is unlikely to reach them. It’s good practice to document in the case notes what was done, for future reference, and to keep exported data in a secure location as required by your legal/compliance policy.
The above steps represent a full lifecycle of using eDiscovery (Premium) in an SMB scenario. Not every case will require every step (for example, minor internal searches might not require hold notices or predictive coding), but the setup ensures you have the capability ready.
Policy Configuration: Holds, Retention, and Permissions
The term “policy configuration” in the context of eDiscovery primarily refers to how you preserve and manage data for discovery. We’ve touched on legal holds configured within eDiscovery cases – these are essentially case-specific preservation policies. A few additional points on policies and configuration for effective eDiscovery:
Retention Policies vs. eDiscovery Holds: As a Business Premium subscriber, you have Microsoft Purview Data Lifecycle Management capabilities such as retention policies. A retention policy (outside of eDiscovery) might, for example, say “Keep all Exchange email for 7 years.” If such a policy exists, it ensures data is available for eDiscovery, but it’s broad. An eDiscovery hold is more targeted, e.g. “Preserve John Smith’s mailbox and OneDrive indefinitely for this legal case.” It’s worth reviewing your retention policies under Data Lifecycle Management in the Purview portal. Many SMBs simply rely on the defaults, which keep content until the user deletes it; note that a deleted email then survives only for the mailbox’s deleted-item retention period (14 days by default, 30 at most) in Recoverable Items, and a deleted OneDrive file only for the 93-day recycle bin period, so “default” is a short safety net. We recommend enabling at least a basic default retention policy for critical data if possible, so that user-deleted content remains recoverable. Even without that, once you know of an issue, applying an eDiscovery hold preserves content regardless of user deletions[1]. Decide based on your compliance needs whether to configure proactive retention policies; they complement eDiscovery by reducing the risk of losing data before a hold is placed.
Holds Scope and Performance: When configuring holds in a case, be mindful of scope. Holding an entire mailbox is simplest (and ensures nothing slips through), but it also means a lot of data might be preserved that is irrelevant (e.g. personal emails, unrelated projects). In eDiscovery (Premium) you have the option to apply query-based holds (e.g. only items with certain keywords). Use this carefully – if you know precisely the date range or keywords of interest, a narrower hold can reduce noise. But if unsure, it’s safer to hold more broadly to avoid accidentally allowing deletion of a relevant item. Also note that too many wide holds could impact storage (held data is retained in the Recoverable Items of Exchange, for instance). In an SMB, this is rarely a problem unless you’re tight on mailbox storage or have many lengthy cases.
Roles and Access Control: We already set up the eDiscovery Manager roles. As a best practice, limit the number of people with eDiscovery permissions. The ability to search through all company communications is powerful and sensitive. In a small business, maybe only one or two admins should have that capability[4]. If you have a separate security or compliance officer, use the role groups to segregate duties (e.g. IT admin can prepare data, but perhaps only the HR manager or an external lawyer actually reviews the content). Such role segregation can help maintain confidentiality. Microsoft also offers an audit log of eDiscovery activities, so any searches or data access are recorded.
eDiscovery Case Settings: Within each case, you can configure some settings, such as adding case members (for example, to let external legal counsel review the case, provided they have an account in your tenant and the eDiscovery Manager role, or to add multiple internal reviewers). Indexing needs no manual configuration: when you add a custodian, the system reprocesses that custodian’s partially indexed items (Advanced Indexing)[1] so that nearly all content becomes searchable. Just be aware that it happens and that it takes time for large data sources.
Monitor the Purview Portal: After enabling eDiscovery (Premium), keep an eye on the Microsoft Purview portal home page and its reports. Business Premium gives you access to Compliance Manager and the audit log. Be clear about what the platform will and won’t tell you: the default alert policy “eDiscovery search started or exported” raises an alert whenever a content search is started or its results are exported, a useful tripwire for searches nobody sanctioned, but there is no alert for a search being too broad; judge that from the search statistics. Access to a case itself is limited to its members, and every search, hold, export and membership change is written to the audit log. It’s a good habit to check the portal regularly, even when you’re not actively doing eDiscovery, to confirm that audit logging is enabled (it is on by default in Microsoft 365)[5].
Effective Use of eDiscovery (Premium) in an SMB: Best Practices and Use Cases
Implementing eDiscovery (Premium) in a smaller organisation requires some planning and process to get the best results. Below are common use cases for eDiscovery in SMBs, followed by best practice recommendations to ensure you use the tool effectively and stay compliant.
These scenarios show that even in a smaller business, eDiscovery capabilities are valuable – they enable you to react promptly to serious issues or requirements. To make the most of eDiscovery (Premium) and avoid pitfalls, consider the following best practices:
Plan Licensing Strategically: Don’t overpay for licenses you don’t need, but ensure coverage for key individuals. Identify ahead of time who would spearhead an investigation (IT admin, HR, etc.) and which user data is most likely to be subject to discovery (executives, managers). License those with the E5 Compliance add-on in advance if possible. This way, if an incident arises, you’re ready to go. Remember that if you only occasionally need eDiscovery Premium features, you could opt to start a 90-day trial during an incident[1] – but use that option carefully (one trial per tenant) and track when it expires.
Prepare with Retention Policies: As mentioned, having a baseline retention policy for email and files can be a lifesaver. For example, setting Exchange Online to retain all emails for at least 1 year (even if deleted by user) means you have a one-year safety net to discover issues after the fact. Business Premium allows configuring such retention at no extra cost. This isn’t directly part of eDiscovery, but it complements it by ensuring data exists to be discovered. Avoid overly aggressive deletion policies on mail or Teams that could thwart your ability to investigate – or if you have them for compliance (say, deleting Teams chats after 30 days for privacy), be aware you’d need to act quickly with eDiscovery holds in an incident.
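The contrast drawn in the policy section (broad retention policy versus targeted hold) and the baseline-retention recommendation just above can both be carried out from PowerShell. The block below is an added example, not from the article or from Microsoft: it first shows how short the default safety net is per mailbox, then creates a one-year keep-only retention policy for all Exchange mail, and finally adds a query-scoped case hold as the targeted counterpart. The policy name, case name, custodian address and partner domain are assumptions, and New-CaseHoldPolicy targets an eDiscovery (Standard) case; in a Premium case the equivalent is the custodian hold you set in Step 5.

```powershell
# Added example: what protects data before a hold exists, and how to add a baseline.
# Requires the ExchangeOnlineManagement module; names, addresses and case are assumed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline     # mailbox settings (Get-/Set-Mailbox)
Connect-IPPSSession        # retention policies and case holds

# 1. Today's safety net per mailbox: a deleted item stays in Recoverable Items only for
#    RetainDeletedItemsFor (default 14 days, maximum 30) unless a hold or retention
#    policy applies. InPlaceHolds lists the hold GUIDs already in force on the mailbox.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object DisplayName, RetainDeletedItemsFor, LitigationHoldEnabled,
                  @{ n = 'HoldCount'; e = { @($_.InPlaceHolds).Count } } |
    Sort-Object DisplayName | Format-Table -AutoSize

# Stretch the recoverable window to the maximum for every user mailbox (no licence impact)
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -RetainDeletedItemsFor 30

# 2. Baseline retention policy: keep all Exchange mail for one year even if the user
#    deletes it. Action 'Keep' (not KeepAndDelete) never disposes of anything itself.
$policyName = 'Baseline-Mail-Keep-1Y'   # assumed name
New-RetentionCompliancePolicy -Name $policyName -ExchangeLocation All -Enabled $true | Out-Null
New-RetentionComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -RetentionDuration 365 -RetentionComplianceAction Keep `
    -ExpirationDateOption CreationAgeInDays | Out-Null

# 3. Targeted counterpart: an indefinite, query-scoped case hold on one custodian.
#    Holding only matching items reduces what is preserved; hold the whole mailbox
#    instead if you are unsure of the scope.
$caseName = 'Project X dispute'           # assumed existing eDiscovery (Standard) case
$hold = New-CaseHoldPolicy -Name "$caseName-Hold" -Case $caseName `
    -ExchangeLocation 'john.smith@ourcompany.com' -Enabled $true
New-CaseHoldRule -Name "$caseName-HoldRule" -Policy $hold.Name `
    -ContentMatchQuery '"Project X" AND recipients:client@partner.com' | Out-Null

# 4. Neither policy protects anything until it has been distributed; check before relying on it
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, DistributionStatus
Get-CaseHoldPolicy -Identity "$caseName-Hold" -DistributionDetail |
    Select-Object Name, DistributionStatus
```

Run step 1 on its own first; if most mailboxes show a 14-day window and no holds, that is the size of the gap a retention policy closes. Distribution can take a while, so re-run step 4 until the status reads Success.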
Act Quickly When Issues Arise: The sooner you create an eDiscovery case and place holds after learning of a potential issue, the better. Once a legal trigger (like a threat of litigation or a formal complaint) is known, promptly put relevant content on hold. This prevents any accidental or intentional deletion. Even if you’re not yet sure of scope, it’s better to hold a few extra mailboxes than to lose data. eDiscovery (Premium) can scale down to even a single mailbox case – it’s fine to use it for small matters.
Use Search Filters to Reduce Noise: SMB data sets might be smaller, but you also might not have staff to sift through hundreds of irrelevant items. Take advantage of the search query options. For instance, limit the date range to when the incident occurred, or filter to only communications with certain domains (like the customer’s domain in a client dispute). The goal is to make the review set as focused as possible, so your small team can manage the review. The analytics features (threading, deduplication) will help cull duplicates automatically, so enable them.
Leverage Tagging and Queries in Review: Develop a simple tagging scheme when reviewing documents, even if it’s just you doing it. For example, tag items as “Relevant” versus “Irrelevant”, and perhaps “Privileged” if some communications involve a lawyer. This will help if you need to hand off to someone else or revisit the case later. You can quickly filter on tags to collect what needs to be exported. It also provides documentation of what you considered relevant, which is useful if questions come up later.
Protect Sensitive Information: While conducting eDiscovery, you might come across very sensitive data (personal info, confidential contracts, etc.). Ensure that the case access is limited to only those who need to know. For instance, if you’re investigating an executive, maybe don’t add a junior IT person as a case member unless necessary. The content in eDiscovery is not visible to others by default – only case members – so maintain that discipline. Also, when exporting data, handle it securely (use encryption if sending to external counsel, etc.).
Audit and Document the Process: After a case, record what steps were taken. Microsoft’s audit log will automatically have entries for searches run, holds placed, and exports[6]. You can download these audit entries for the case if needed, or at least note the export report. This creates a defensible documentation that your SMB performed discovery properly (should it ever be challenged in legal proceedings). In small orgs, it’s easy to be informal, but when legal matters are involved, formality pays off.
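For the traceability called for in Step 9 and in the roles, monitoring and documentation points above, the following added example (not code from the article or from Microsoft) pulls the two things a lawyer will ask for: who held eDiscovery rights, and what eDiscovery actions the audit log recorded for the period of the case. The case name, look-back window and output folder are assumptions; the role group's internal name is eDiscoveryManager (shown as "eDiscovery Manager" in the portal), and the AuditData fields that exist vary by operation, so unused columns simply come out blank.

```powershell
# Added example: build a defensible record of eDiscovery access and activity.
# Requires the ExchangeOnlineManagement module; case name, window and paths are assumed.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$caseName = 'Project X dispute'                                   # assumed
$outDir   = Join-Path $env:USERPROFILE "eDiscovery-record-$($caseName -replace '\s','_')"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Who could run eDiscovery: role group members plus eDiscovery Administrators
#    (who can see every case). Keep both lists short and review them per case.
Get-RoleGroupMember -Identity 'eDiscoveryManager' |
    Select-Object Name, PrimarySmtpAddress |
    Export-Csv (Join-Path $outDir 'ediscovery-managers.csv') -NoTypeInformation
Get-eDiscoveryCaseAdmin |
    Select-Object Name, PrimarySmtpAddress |
    Export-Csv (Join-Path $outDir 'ediscovery-administrators.csv') -NoTypeInformation

# 2. The audit trail. RecordType Discovery covers content search / eDiscovery events,
#    AeD covers eDiscovery (Premium) events. Search-UnifiedAuditLog pages at 5,000
#    rows, so use a SessionId with ReturnLargeSet and loop until a page comes back empty.
$start   = (Get-Date).AddDays(-90)    # assumed look-back; align with the case start
$end     = Get-Date
$records = @()
foreach ($recordType in 'Discovery', 'AeD') {
    $sessionId = "$recordType-$caseName-$(Get-Date -Format yyyyMMddHHmmss)"
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType $recordType -SessionId $sessionId `
            -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $records += $page }
    } while ($page -and $page.Count -gt 0)
}

# 3. Flatten the JSON AuditData into columns a reviewer can read and filter on.
#    Operations include search creation/start, hold changes, exports and member changes.
$records |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $_.CreationDate
            User      = $_.UserIds
            Operation = $_.Operations
            Case      = $d.Case
            Target    = $d.ObjectId
            Query     = $d.Query
        }
    } |
    Sort-Object Time |
    Export-Csv (Join-Path $outDir 'ediscovery-audit.csv') -NoTypeInformation

Write-Host "Wrote $($records.Count) audit records and two access lists to $outDir"
```

Store the folder with the export report from Step 9 and the case notes; together they show who was able to search, what was searched, held and exported, and when.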
Stay Updated on Features: Microsoft Purview is evolving. New features (or UI changes) might appear, especially as Microsoft retired the “classic” eDiscovery earlier and is all-in on the new Purview interface[1]. Keep an eye on Microsoft 365 Message Center and Purview blog updates. For example, Microsoft might roll out new analytics or support for new data types (like Viva Engage/Yammer content, which is now included[1]). Being aware ensures you can make use of improvements that could benefit an SMB (perhaps making eDiscovery easier or more automated).
Consider Training or Drills: It may sound excessive for a small business, but it’s worth doing a dry run of an eDiscovery case. For instance, imagine a scenario (an employee departure with possible IP theft) and try using eDiscovery Standard or Premium to retrieve related emails/files. This practice run will make you comfortable with the interface before a high-stakes situation occurs. Microsoft Learn has free modules on using Purview eDiscovery which can guide you through the process in a tutorial manner (those resources refer to “Advanced eDiscovery” – which is the earlier name for eDiscovery Premium).
By following these best practices, an SMB can effectively use Microsoft Purview eDiscovery (Premium) to its advantage – minimising the impact of legal or compliance inquiries and responding to them with confidence. You will be leveraging enterprise-grade tools to protect your small business, which is exactly the promise of Microsoft 365 Business Premium: bringing advanced capabilities in a cost-effective package for smaller organisations.
Licensing Summary & Conclusion
To recap, Microsoft Purview eDiscovery (Premium) is a powerful tool for electronic discovery that is available to Business Premium customers through an add-on or upgrade. Business Premium includes the essentials (Standard eDiscovery) such as content search and hold, which may suffice for basic needs. But when deeper investigation capability is needed – like managing custodians, running AI-driven analyses, and handling complex legal workflows – eDiscovery (Premium) provides those features[1]. We’ve outlined how to set it up step-by-step, from licensing and permissions to case creation and exporting results, with a focus on practicality in an SMB setting.
In terms of cost, an SMB already on Business Premium can enable eDiscovery (Premium) for a subset of users at roughly AU$18 per user/month via the E5 Compliance add-on[4], rather than paying ~AU$78 per user for a full E5 license. This makes advanced compliance affordable and scalable to your needs – you pay only for the employees who need these capabilities. Given that Business Premium users have many compliance features (like audit logging, DLP, sensitivity labels) included[7][8], adding eDiscovery Premium fills one of the few gaps in Business Premium when it comes to compliance tools.
In conclusion, Microsoft 365 Business Premium plus Purview eDiscovery (Premium) gives small and medium businesses a robust ability to respond to legal and regulatory challenges. By following the guidance on setup and best practices, your organisation can ensure that if a situation arises – whether it’s an internal investigation or external litigation – you can handle it in a defensible, efficient manner using tools built into your Microsoft 365 environment. This not only saves potential costs of outsourcing eDiscovery, but also keeps your sensitive data under your control during the discovery process.