Key Elements for a Successful M365 Information Governance Program

Successful M365 information governance ensures data security, compliance, and ROI. Implement a phased approach, align licensing with your risk, and manage all data types.

Conclusion

A successful Microsoft 365 (M365) information governance (IG) program is critical for ensuring data security, compliance, productivity, and investment value. By incorporating the necessary elements, such as identifying stakeholders, defining policies, and implementing the right tools, you can develop a comprehensive IG program that is tailored to your unique business needs.

To achieve this, we provide a program of best practice for a phased approach to implement your IG model. Microsoft licensing options are provided to help you choose the license models needed to support your IG model. Finally, we address each data type in detail to ensure compliance requirements are met.

Observations

Elements of a Robust Microsoft 365 (M365) Information Governance Program

A robust IG program is essential for any M365 deployment. At IBRS, we believe these are the three essential elements for creating and managing M365 data:

  1. The program structure and deliverables.
  2. The M365 licence model that manages the risk profile of your information management posture.
  3. The program governance functions that encompass all aspects of managing structured, semi-structured, and unstructured information.

Best Practice to Implement a Successful M365 Information Governance Program

Implementing a successful M365 IG program involves creating a practical program structure to execute all key elements. At IBRS, our proven approach centres on the following phases, which include ownership and deliverables.

Each phase below lists its typical owner(s) and key deliverables.

1. Define Program Mission and Scope
  Typical Owner(s):
  • IG Lead
  • Steering Committee (Senior Management, Legal, IT)
  Key Deliverables:
  • Program Mission Statement
  • Program Charter
  • Defined Scope and Boundaries
  • Stakeholder Register

2. Confirm Compliance and Legal Requirements
  Typical Owner(s):
  • Legal
  • Compliance Officer
  • Data Protection Officer
  • Records Manager
  • Privacy Officer
  Key Deliverables:
  • Documented List of Applicable Regulations (e.g., GDPR, HIPAA, industry-specific)
  • Internal Policies Inventory

3. Establish Program Goals and Objectives
  Typical Owner(s):
  • IG Lead
  • Steering Committee
  • Key Stakeholders
  Key Deliverables:
  • SMART (Specific, Measurable, Achievable, Relevant, Time-bound) Program Goals and Objectives
  • Success Metrics

4. Discover and Inventory Information Assets
  Typical Owner(s):
  • IT
  • Data Owners
  • Business Units
  • Records Management
  Key Deliverables:
  • Information Asset Register (detailing location, type, volume, owner)
  • Data Flow Maps
  • eDiscovery Summary Report

5. Design the Future Information Architecture
  Typical Owner(s):
  • IT Architecture
  • IG Lead
  • Business Units
  • Records Management
  Key Deliverables:
  • Future State Information Architecture Design
  • Proposed Structure for M365 (e.g., SharePoint, Teams)
  • Migration Plan (High-level)

6. Develop Data Classification Scheme
  Typical Owner(s):
  • IG Lead
  • Data Owners
  • Compliance
  • Legal
  • Security
  Key Deliverables:
  • Defined Sensitivity Labels
  • Retention Labels
  • Sensitive Information Types (SITs)
  • Classification Guidelines

7. Develop Information Management Policies and Procedures
  Typical Owner(s):
  • IG Lead
  • Records Management
  • Legal
  • Compliance
  • Data Owners
  Key Deliverables:
  • Information Retention Schedule
  • Data Handling Policies (e.g., Sharing, Storage)
  • Data Disposal Procedures
  • Acceptable Use Policy (relevant sections)

8. Plan Training and Awareness Programs
  Typical Owner(s):
  • IG Lead
  • HR
  • Internal Communications
  • IT Training
  Key Deliverables:
  • Training Needs Analysis
  • Training Plan (covering roles and responsibilities)
  • Training Materials (Modules, Guides)
  • Communication Plan

9. Define Monitoring and Evaluation Mechanisms
  Typical Owner(s):
  • IG Lead
  • IT
  • Audit Team
  Key Deliverables:
  • Monitoring Plan (including tools and metrics)
  • Audit Procedures
  • Reporting Framework (to stakeholders)
  • Program Evaluation Criteria

10. Implement and Roll Out (Execution Phase)
  Typical Owner(s):
  • Project Manager
  • IT Implementation Teams
  • Business Change Managers
  • IG Lead
  Key Deliverables:
  • Deployed M365 Configurations (Labels, DLP Policies, Retention Policies)
  • User Training Delivery
  • Communication Rollout
  • Initial Monitoring Reports

11. Operate and Maintain (Ongoing Phase)
  Typical Owner(s):
  • IG Team
  • IT Operations
  • Business Units
  Key Deliverables:
  • Ongoing Monitoring Reports
  • Regular Policy Reviews and Updates
  • Incident Response Procedures
  • Periodic Training Refreshers

Choose the M365 Licence Model for Your Data Management Risk Profile

Some elements of M365 are designed to help organisations automate their IG processes. However, the playing field is not even, so choose the licence capability that covers your organisation’s data management risk profile whilst meeting your compliance and funding model.

When deciding on the licence type, consider how far each licence simplifies data governance through data discovery, data quality, data residency, data sharing, data mobility, and data governance orchestration.

Here are the main capabilities of both the M365 E3 and M365 E5 licence models:

Each data governance capability below is listed with its M365 E3 and M365 E5 licence feature alignment.

Microsoft Purview Integration
  M365 E3: Includes foundational Microsoft Purview capabilities, generally aligning with Microsoft Purview Plan 1 features (or integrated core functions). Covers basic information protection, DLP, data lifecycle management, and core eDiscovery & Audit.
  M365 E5: Includes advanced Microsoft Purview capabilities, generally aligning with Microsoft Purview Plan 2 features (often via the E5 Compliance component). Adds advanced features across the board, plus Insider Risk Management, Communication Compliance, Information Barriers, Advanced Records Management, etc.

Information Protection
  M365 E3:
  • Manual sensitivity labelling for documents and emails.
  • Basic Office 365 Message Encryption (OME).
  • Basic information protection policies.
  • Includes capabilities equivalent to Azure Information Protection Plan 1.
  M365 E5: All E3 features, plus:
  • Automatic and recommended sensitivity labelling (client-side and service-side, based on content inspection; encrypted watermarks and footers using the principal name convention).
  • Machine learning-based trainable classifiers.
  • Advanced Office 365 Message Encryption (e.g., expiration, revocation).
  • Double Key Encryption.
  • Default sensitivity labels for SharePoint sites.
  • Conditional Access policies based on sensitivity label.
  • Includes capabilities equivalent to Azure Information Protection Plan 2.

Data Loss Prevention (DLP)
  M365 E3:
  • DLP policies for Exchange Online, SharePoint Online, and OneDrive for Business.
  • Basic content inspection (standard sensitive information types).
  • Policy Tips in Outlook to educate users.
  • Basic reporting.
  M365 E5: All E3 features, plus:
  • DLP extended to Microsoft Teams chat and channel messages.
  • Endpoint DLP (monitoring and preventing risky actions on Windows/macOS devices).
  • DLP for non-Microsoft Cloud applications (requires Microsoft Defender for Cloud Apps integration).
  • Advanced detection methods (e.g., Exact Data Matching, credential detection).
  • Enhanced context and reporting (Activity Explorer).

Data Lifecycle & Records Management
  M365 E3:
  • Basic retention policies and labels (often manually applied).
  • Content Search for finding data.
  • Basic event-based retention triggers.
  • Basic Records Management features (manually declare items as records).
  M365 E5: All E3 features, plus:
  • Automatic application of retention labels based on sensitive information types, keywords, trainable classifiers, or specific events.
  • Advanced Records Management: file plan management, disposition review processes, proof of disposal, immutability locks.
  • Advanced event-based retention.

eDiscovery & Audit
  M365 E3:
  • Core eDiscovery: search and export content from Exchange, SharePoint, OneDrive, Teams; place Litigation Holds.
  • Standard Auditing: access to basic audit logs (typically 90-day retention), basic search capabilities.
  M365 E5: All E3 features, plus:
  • Advanced eDiscovery: end-to-end workflow for managing legal cases, custodian management, legal hold notifications, data processing (deduplication, near-duplicates), review sets with analytics and tagging.
  • Advanced Audit: longer audit log retention (up to 1 year by default, 10 years via add-on), access to more crucial audit events (e.g., mail access), higher-bandwidth access to logs.

Compliance Manager
  M365 E3:
  • Access to the Compliance Manager dashboard.
  • Track compliance score against common regulations and standards.
  • Utilise built-in assessment templates (basic).
  M365 E5: All E3 features, plus:
  • Use of premium assessment templates.
  • Create custom assessments.
  • Automated testing and continuous monitoring of control implementation status.
  • Enhanced workflow capabilities for managing improvement actions.

Insider Risk Management
  M365 E3: Not included; requires E5 or the E5 Compliance add-on.
  M365 E5: Included. Detects potential internal risks (e.g., data theft, leaks, security policy violations) using signals from M365 activity. Provides investigation workflows and anonymisation options.

Communication Compliance
  M365 E3: Not included; requires E5 or the E5 Compliance add-on.
  M365 E5: Included. Monitors communications (Exchange email, Teams messages, etc.) for policy violations (e.g., offensive language, sharing sensitive data). Uses classifiers and provides remediation workflows.

Information Barriers
  M365 E3: Not included; requires E5 or the E5 Compliance add-on.
  M365 E5: Included. Allows organisations to define policies that restrict communication and collaboration between specific groups of users (e.g., to meet regulatory requirements or avoid conflicts of interest).

Customer Lockbox
  M365 E3: Not included; requires E5 or the E5 Compliance add-on.
  M365 E5: Included. Ensures Microsoft engineers must request explicit approval before accessing your organisation’s content during rare service operation scenarios.

Privileged Access Management
  M365 E3: Not included; requires E5 or the E5 Compliance add-on.
  M365 E5: Included. Provides time-limited, approval-based, just-in-time access controls for high-privilege administrative tasks within Microsoft 365 services, reducing the risks associated with standing admin privileges.

Governance-Related Security Add-Ons to M365 E3 Licences

The table above clarifies the data management capability included in the M365 E3 and E5 licence models. However, a common variant is to start with M365 E3 and select standalone add-ons as needed to meet specific data management compliance requirements. Where that choice ends up selecting all of the add-ons, the case for upgrading to an E5 licence model becomes more apparent; Microsoft will often deliberately steer organisations towards that outcome with comparison pricing. A minimal selection from the add-ons below may be the cost-effective option in the short term.

  • Microsoft Purview Compliance Solutions
  • Microsoft Defender for Endpoint (Plan 2)
  • Microsoft Defender for Office 365 (Plan 2)
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud Apps

Each licence type will grant access to the relevant sections within the Microsoft Defender XDR portal.

At IBRS, we observe that many organisations have transitioned to M365 E5 licensing bundles for simplicity, as well as to enhance their data compliance capabilities. The ROI of this investment should be measured to determine whether it actually adds value.

Other factors that contribute to the choice of licensing include assessing the data risk profile of your organisation.

Mapping Information Governance Functions to Microsoft 365 Solutions and Data Types

In the following table, we examine specific examples where IG functions and data structures intersect to address information management using the relevant Microsoft Data Governance solution.

Each entry below lists the IG function, the relevant Microsoft 365 package(s)/feature(s), and examples of support for structured, semi-structured, and unstructured data.

Data Discovery and Classification
  Relevant Microsoft 365 package(s)/feature(s): Microsoft Purview Data Map; Microsoft Purview Unified Catalogue; Microsoft Purview Information Protection (Sensitivity Labels & Classifiers)
  Structured data: Purview Data Map scans an Azure SQL DB and classifies the ‘SSN’ column using a system classifier. Cataloguing SharePoint lists with employee PII.
  Semi-structured data: Purview Data Map scans JSON files in Azure Data Lake and classifies the ‘medical_record_id’ field. Classifying XML order files in OneDrive by an ‘OrderID’ pattern.
  Unstructured data: Purview Data Map scans Word docs in SharePoint and applies a “Confidential” label based on the “Project Alpha” keyword. Identifying PDFs in Teams with scientific terms via custom classifiers.

Information Protection
  Relevant Microsoft 365 package(s)/feature(s): Microsoft Purview Information Protection (Sensitivity Labels; Azure Rights Management); Microsoft Purview Data Loss Prevention
  Structured data: Applying the “Highly Confidential – Finance” sensitivity label to an Excel file in SharePoint, encrypting it and restricting access to the Finance group.
  Semi-structured data: Using the MIP SDK to apply an “Internal Use Only” label to JSON files containing API keys, encrypting them. Applying labels to XML config files in OneDrive, encrypting and watermarking them.
  Unstructured data: User applies the “Confidential – Legal” label to a Word contract in OneDrive, encrypting it, watermarking it, and preventing external forwarding. Auto-labelling PDF medical reports in SharePoint.

Data Loss Prevention (DLP)
  Relevant Microsoft 365 package(s)/feature(s): Microsoft Purview Data Loss Prevention
  Structured data: DLP policy blocks emailing an Excel file with >50 credit card numbers externally. Alerts on sharing a SharePoint list with SSNs to “Everyone except external users”.
  Semi-structured data: DLP policy blocks emailing a JSON file with an “API_SECRET_KEY” pattern externally. Preventing upload of XML files with patient diagnostic codes to unapproved Cloud storage.
  Unstructured data: DLP policy blocks copying a Word doc labelled “Highly Confidential – M&A” to USB. Teams DLP redacts patient names/IDs pasted in chats with external users.

Data Lifecycle Management (Non-Records)
  Relevant Microsoft 365 package(s)/feature(s): Microsoft Purview Data Lifecycle Management (Retention Labels; Retention Policies); Dataverse Long-Term Retention
  Structured data: Retention label on SharePoint list items in “Old Projects” deletes them 2 years after the project completion date. Dataverse policy moves closed case records to long-term storage after 180 days.
  Semi-structured data: Retention policy auto-deletes temporary JSON log files in a OneDrive folder older than 30 days. Default label on a SharePoint library with XML survey responses deletes them 1 year after last modification.
  Unstructured data: Retention policy auto-deletes Teams chat messages older than 6 months. Label on draft Word docs in OneDrive deletes them 90 days after the project end date.

Records Management
  Relevant Microsoft 365 package(s)/feature(s): Microsoft Purview Records Management (Retention Labels for Records; File Plan; Event-Based Retention; Disposition Reviews)
  Structured data: Declaring SharePoint list items (e.g., approved financial transactions) as records with a 7-year retention label; immutable, then disposition review.
  Semi-structured data: Applying a “Contract Record” label to an XML customer agreement in SharePoint; locked, retained 10 years post-expiry (event-based). Archiving JSON audit logs as records for legal hold.
  Unstructured data: User applies the “Final Report – Record” label to a PDF in SharePoint; non-deletable by the user, retained 5 years, then disposition review. Auto-labelling patent PDFs as regulatory records.

eDiscovery
  Relevant Microsoft 365 package(s)/feature(s): Microsoft Purview eDiscovery (Standard & Premium); Content Search; Legal Hold; Review Sets
  Structured data: KQL search in eDiscovery for SharePoint list items where ‘Status’ = “Approved” AND ‘Amount’ > $10k. Placing a legal hold on specific Dataverse rows for customer complaints.
  Semi-structured data: eDiscovery search for JSON files in OneDrive with “ProjectCode”: “Alpha” AND the keyword “confidential”. Collecting XML email attachments with specific metadata tags and date ranges.
  Unstructured data: eDiscovery search across Teams chats for “insider trading” between specific users. Collecting Word/PDFs from a SharePoint site by date/project codename for the review set.

Auditing and Reporting
  Relevant Microsoft 365 package(s)/feature(s): Microsoft Purview Audit (Standard & Premium); Unified Audit Log; Office 365 Management Activity API
  Structured data: Auditing access/modification of a SharePoint list with sensitive financial data. Tracking DDL/DML operations on a critical Azure SQL DB catalogued in Purview.
  Semi-structured data: Investigating views/downloads of a specific JSON config file in SharePoint. Auditing changes to XML workflow definitions in Power Automate.
  Unstructured data: Audit report of all “Highly Confidential” documents shared externally from OneDrive. Audit (Premium) investigation into when specific sensitive emails were accessed or forwarded.

Insider Risk Management
  Relevant Microsoft 365 package(s)/feature(s): Microsoft Purview Insider Risk Management
  Structured data: Detecting departing employees downloading large volumes of customer data from a SharePoint list/Dynamics 365. Alert on a priority user exporting a financial DB to personal email.
  Semi-structured data: Flagging a user downloading proprietary JSON algorithm details and uploading them to personal Cloud storage. Identifying employees emailing multiple XML project blueprints externally.
  Unstructured data: Alert when a user copies confidential Word/PDFs from a restricted SharePoint site to USB. Detecting a user accessing sensitive docs and then browsing risky websites.

Communication Compliance
  Relevant Microsoft 365 package(s)/feature(s): Microsoft Purview Communication Compliance (indirectly)
  Structured data: Policy detects emails with pasted rows from a sensitive customer DB sent to unauthorised recipients, flagged by keywords/email patterns.
  Semi-structured data: Policy flags an email with an XML attachment containing “insider trading tip” and stock symbols. Detecting Teams messages that share JSON snippets with API keys and passwords.
  Unstructured data: Policy identifies Teams chats with harassing language using the “Targeted Harassment” classifier. Detecting emails discussing “Project Sparta” with external parties.

Compliance Management
  Relevant Microsoft 365 package(s)/feature(s): Microsoft Purview Compliance Manager
  Structured data: Improvement action for GDPR: implement access controls on Azure SQL DBs with customer PII. PCI DSS control: review protection of credit card numbers in SharePoint lists/Dataverse tables.
  Semi-structured data: HIPAA assessment: review audit trails for systems processing ePHI in JSON files in Azure Blob. Control for data minimisation in a custom app generating XML logs: review log content/retention.
  Unstructured data: ISO 27001 action: implement DLP for “Confidential” Word/PDFs in SharePoint/OneDrive. Internal policy: ensure Teams conversations for “Project Titan” are retained for a specific period.
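As an added example (not IBRS's or Microsoft's own code), the following Security & Compliance PowerShell script configures two of the controls from the mapping table: the DLP-row example that blocks emailing or sharing a file with more than 50 credit card numbers externally, and the Data Lifecycle-row example that deletes Teams chat messages older than 6 months. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds a compliance administrator role, and every policy name and mailbox address shown is a placeholder.

```powershell
# Added example (not IBRS's or Microsoft's own code). Uses Security & Compliance PowerShell
# to create two controls from the mapping table:
#   1. DLP row: block a file holding more than 50 credit card numbers being emailed or
#      shared with recipients outside the organisation, with a policy tip to the user;
#   2. Data Lifecycle row: delete Teams chat messages older than 6 months (180 days).
# Assumptions: ExchangeOnlineManagement module installed, signed-in account holds a
# compliance admin role, and every name and address below is a placeholder.
# Both policies start in a non-enforcing state so they can be reviewed before enforcement.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'compliance.admin@contoso.example'   # placeholder UPN

# --- 1. DLP policy: bulk payment-card data leaving the organisation -----------------------
$dlpPolicyName = 'IG-Block-Bulk-CreditCards-External'                        # placeholder
$dlpPolicy = @{
    Name               = $dlpPolicyName
    Comment            = 'IG programme: block bulk credit card data sent or shared externally'
    ExchangeLocation   = 'All'        # email: the Excel-attachment case in the table
    SharePointLocation = 'All'        # also covers external sharing from SharePoint ...
    OneDriveLocation   = 'All'        # ... and from OneDrive
    Mode               = 'TestWithNotifications'   # policy tips shown, nothing blocked yet
}
New-DlpCompliancePolicy @dlpPolicy

$dlpRule = @{
    Name                                = "$dlpPolicyName-Rule"
    Policy                              = $dlpPolicyName
    # built-in sensitive information type; minCount 51 means "more than 50" as in the table
    ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '51' }
    AccessScope                         = 'NotInOrganization'   # external recipients only
    BlockAccess                         = $true
    NotifyUser                          = 'Owner', 'LastModifier'   # policy tip / notification
    ReportSeverityLevel                 = 'High'
    GenerateIncidentReport              = 'compliance.team@contoso.example'   # placeholder
}
New-DlpComplianceRule @dlpRule

# --- 2. Retention policy: Teams chat deleted after 6 months -------------------------------
$retPolicyName = 'IG-Teams-Chat-Delete-6-Months'                             # placeholder
New-RetentionCompliancePolicy -Name $retPolicyName -TeamsChatLocation All -Enabled $false `
    -Comment 'IG programme: Teams chat messages deleted 6 months after creation'
New-RetentionComplianceRule -Name "$retPolicyName-Rule" -Policy $retPolicyName `
    -RetentionDuration 180 -RetentionComplianceAction Delete     # duration is in days

# --- Verify the configuration before enforcing either policy ------------------------------
Get-DlpComplianceRule -Identity "$dlpPolicyName-Rule" |
    Select-Object Name, BlockAccess, AccessScope, ContentContainsSensitiveInformation
Get-RetentionComplianceRule -Identity "$retPolicyName-Rule" |
    Select-Object Name, RetentionDuration, RetentionComplianceAction

# After the review, enforce:
#   Set-DlpCompliancePolicy -Identity $dlpPolicyName -Mode Enable
#   Set-RetentionCompliancePolicy -Identity $retPolicyName -Enabled $true
```

Running the DLP policy in TestWithNotifications mode first surfaces the policy tips and incident reports without blocking anything, which shows whether the threshold and scope match real usage before the policy is switched to Enable.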

Next Steps

  1. Evaluate your compliance, tools and data security posture.
  2. Determine if a detailed review is required.
  3. Seek stakeholder input on what type of data governance review is needed.
