Compliance monitoring in Microsoft 365 is more than just a checkbox for regulated organizations—today it’s an essential part of business operations. With growing data privacy laws and evolving cyber risks, IT and compliance professionals need reliable, scalable solutions that offer both control and visibility across their digital environments.

This guide explores the end-to-end journey of compliance monitoring within Microsoft 365, focusing on real-world best practices and actionable strategies. You’ll find clear explanations of core tools like the Compliance Center, Microsoft Purview, Data Loss Prevention (DLP), sensitivity labels, and audit logs. We’ll dig into advanced tactics for managing insider risk, eDiscovery, retention policies, and seamless integration with Microsoft Defender to unify security and compliance workflows.

We also address emerging challenges—like hybrid cloud compliance, multi-cloud integration, access control auditing, and third-party app governance—that are increasingly important in today’s complex IT landscapes. Whether you’re overseeing compliance programs or looking to automate and scale your security posture, this guide will help you confidently manage regulatory requirements and safeguard your Microsoft 365 environment.

Getting Started With Microsoft 365 Compliance Center

Launching any compliance initiative in Microsoft 365 begins with orienting yourself to the Microsoft 365 Compliance Center. This secure, web-based portal is essentially the nerve center for monitoring, configuring, and managing compliance across your organization’s digital assets. From a single dashboard, you can access high-level summaries, swiftly investigate alerts, and navigate deeper into specialized areas like data governance, privacy, insider risk, and eDiscovery.

The Compliance Center’s appeal lies in its ability to centralize everything from policy management to workflow automation. It’s designed to help you track the ever-changing risk landscape and stay ahead of regulatory shifts, all without bouncing between different tools or dashboards. The experience is role-driven—so whether you’re an information governance expert, risk analyst, or legal administrator, you’ll see interfaces and options catered to your responsibilities.

While the Compliance Center surfaces detailed reports and recommendations, navigating it effectively means understanding its layout and knowing where to start. You’ll find integrated access to solutions like Data Loss Prevention, retention policies, and audit logs, making it easier to get a holistic picture and act proactively. As you explore the next sections, you’ll see how these tools fit together to secure your data, simplify compliance efforts, and prepare for audits or investigations.

And remember, even with powerful native controls, effective governance is a disciplined practice involving both technology and people. For a deeper look, the podcast episode debunking the governance illusion in Microsoft 365 is an excellent primer on why intentional design and accountability matter beyond what the dashboard shows.

Microsoft Purview for Unified Data Governance

Microsoft Purview serves as the unified solution for data governance, compliance, and risk management throughout Microsoft 365. It consolidates key features that once lived in separate silos—classification, protection, audit, and information lifecycle management—into a single portal. Whether you’re aiming for regulatory alignment or simply want to ensure secure collaboration, Purview streamlines oversight across email, documents, Teams, and even cloud-connected platforms.

With Purview, you can automate sensitive data discovery, classify content using standardized labels, and set up policies to prevent unauthorized data sharing. The platform supports proactive risk monitoring, from suspicious user activity to potential leaks triggered by Copilot or other AI integrations. Advanced auditing features allow you to keep detailed records, supporting both routine compliance checks and forensic investigations.

For organizations seeking to prevent “document chaos” and build an audit-ready environment, Microsoft Purview is at the core of an enterprise content management system that meets strict regulatory demands. A closer look at document management and compliance practices using Microsoft Purview shows how to preserve sensitive information and improve cross-team collaboration between HR, legal, and IT.

Purview’s support for role-based access, data loss prevention across the Power Platform, and fine-grained connector policies gives you precise control without sacrificing user productivity. To see how governance extends into new workloads, read about advanced Copilot agent governance using Purview, and learn how DLP and connector controls mitigate modern insider risks. Ultimately, Microsoft Purview is designed for mature compliance programs where consistency, auditability, and reduced manual effort make all the difference.

Core Compliance Monitoring Tools in Microsoft 365

At the core of Microsoft 365’s compliance program are specialized monitoring tools purpose-built for today’s complex risk and regulatory environments. These tools help organizations move beyond reactive compliance and toward proactive, continuous monitoring of sensitive data, user activities, and content classification.

Microsoft 365 offers native solutions to prevent data leaks, classify and encrypt content, and maintain detailed audit trails. In large organizations or hybrid environments, visibility and enforcement become even more critical—making these tools indispensable for maintaining consistent policy application, spotting anomalous behavior, and preparing for regulatory audits.

The section ahead spotlights practical approaches for implementing and managing these compliance essentials. You’ll discover how to leverage Data Loss Prevention policies to protect sensitive information, utilize sensitivity labels for robust data classification, and use audit logs for real-time and historical activity tracking. If you’re looking for practical guidance on setup, strategy, and troubleshooting, the podcast episode on setting up Data Loss Prevention in Microsoft 365 is a great resource for hands-on insights.

Whether your goal is to satisfy industry-specific obligations or simply reduce the risk of accidental exposure, these tools work in concert to support defensible policies and simplify your compliance workload. As you dive deeper, you’ll see how each capability can be configured and tailored to your unique business needs.

Data Loss Prevention Policies and Monitoring

Data Loss Prevention (DLP) in Microsoft 365 offers a flexible, policy-driven way to protect sensitive data from unauthorized sharing or accidental exposure. By establishing DLP policies, you define rules that scan email, files, and conversations across Exchange Online, SharePoint, OneDrive, and Teams for sensitive information—like credit card numbers or personal identifiers—and automatically enforce protective actions.

When a DLP policy match is detected, the system can block sharing, encrypt content, or alert administrators before potentially risky data leaves your environment. This real-time detection is invaluable for meeting legal and regulatory requirements, especially in industries with strict privacy mandates. Monitoring DLP alerts helps you spot trends, investigate incidents, and tune your policies for evolving threats and user behaviors.

Effective DLP management goes beyond simply switching on templates. You need to align rules with business contexts and unique data flows, paying special attention to exceptions and cross-platform sharing. As highlighted in this podcast episode about DLP in Power Platform environments, most data leaks actually stem from unmanaged areas or “default environments,” not missing rules. This makes continuous monitoring and periodic policy reviews essential.

If you’re setting up DLP for the first time, this DLP setup guide is a practical resource for navigating configurations and assessing business risks. In summary, DLP in Microsoft 365 forms a proactive, scalable defense against data exposure, supporting organization-wide regulatory alignment and risk reduction.

Using Sensitivity Labels for Data Classification

Sensitivity labels in Microsoft 365 are fundamental to classifying and protecting your organization’s sensitive information. By applying labels—such as “Confidential” or “Internal”—to emails, documents, and Teams messages, you define how content should be handled, shared, and secured throughout its lifecycle.

Labels can be assigned manually by users or automatically through built-in machine learning, which scans for defined patterns (like financial data or health records). When labels are applied, they trigger actions like encryption, watermarking, or restrictions on external sharing. This promotes consistency, enables compliance with regulations such as GDPR, and simplifies audit preparation.

The real strength of sensitivity labels comes from their integration with other compliance tools and lifecycle management policies. If you’re aiming for smoother audits and better alignment between teams, best practices in building an audit-ready document management system using Purview and SharePoint are worth exploring. Proper use of labels ensures there’s clear ownership, traceability, and defensible controls over organizational data.

Admins should keep in mind common pitfalls, like overcomplicating label hierarchies or failing to educate users on the importance of correct classification. Automation helps, but periodic reviews are vital to adapt labels to changing regulatory or business needs. Used effectively, sensitivity labels strengthen both security and compliance across your Microsoft 365 estate.

Monitoring User Activities With Audit Logs

Audit logs in Microsoft 365 are your window into who did what, when, and where across your tenant. Every key activity—whether it’s file access, configuration changes, or admin privilege assignments—is recorded to provide a trustworthy trail for compliance, security, and incident response.

Enabling auditing starts from the Microsoft Purview portal and integrates with broader compliance dashboards. Logs can be searched and filtered by user, action type, or service, making it straightforward to pinpoint suspicious activities or run regular compliance checks without drowning in noise. For legal, HR, and IT teams, the ability to export and retain these records is critical during investigations or audits.

Advanced capabilities—especially with Premium licensing—extend retention periods and add richer insights, which are especially beneficial for regulated or high-risk industries. As explained in this guide to auditing user activity with Microsoft Purview, forensic-quality logs give you the detail needed to close security gaps, satisfy evidence requirements, and support robust insider risk monitoring.

Whether responding to an incident, documenting access for compliance reporting, or proactively flagging risky patterns, audit logs bring transparency and accountability into your compliance program. Investing in continuous log monitoring with alerting ensures you’re prepared for both day-to-day governance and unexpected events.

Advanced Compliance and Risk Management Strategies

As organizations grow and adapt to new technologies, compliance in Microsoft 365 becomes a matter not just of ticking boxes, but of actively managing risk on all fronts. The platform’s advanced capabilities support more than regulatory requirements—they enable granular control over insider risk, litigation readiness, and information lifecycle automation.

At this level, your compliance strategy is about anticipating and remediating threats from within and outside the organization. You can tailor policies and escalation workflows, monitor sensitive communications, and place data on legal hold in response to regulatory actions or internal investigations. Automation and integration play central roles, reducing manual effort and the risk of human error while supporting business agility.

Whether you’re dealing with policy customization for industry-specific needs or building workflows to meet frequent audit requests, Microsoft 365 provides the flexibility to align controls with your risk profile. Tools that once required extensive manual oversight can now guide employees, document decisions, and enforce retention behind the scenes.

Real-world challenges—like preventing compliance drift and keeping up with user-driven content creation—require constant vigilance. For additional insights on aligning compliance tools and addressing hidden gaps, check out the podcast episodes on compliance drift and governing Copilot and AI-driven content in Microsoft 365.

Managing Insider Risk in Microsoft 365

Insider risk management in Microsoft 365 focuses on identifying and mitigating potential threats from users within your organization—whether those risks arise from negligence, accidents, or malicious intent. Microsoft provides built-in tools like Insider Risk Management and Communication Compliance, allowing administrators to detect policy violations, monitor sensitive conversations, and escalate concerns efficiently.

Policies can be crafted to flag risky behaviors: for example, downloading large volumes of sensitive files, unusual sharing patterns, or attempts to circumvent established controls. Alerts and insights empower compliance teams to intervene quickly before minor issues spiral into major data breaches or regulatory infractions.

Layered monitoring combines activity logging, DLP triggers, and user behavior analytics to provide context for each event. Case management features let you document the steps from detection through to remediation—supporting organizational transparency and defensible action.

Insider threats are not limited to careless employees; today, shadow IT (unapproved apps and cloud services) and autonomous AI agents can introduce compliance blind spots. Tackling these risks means leveraging Microsoft-native tools, including Defender for Cloud Apps and Purview policies, to enforce ownership and visibility. The episode on managing Shadow IT in Microsoft 365 and the warning about AI-driven Shadow IT risks emphasize the importance of governance that spans both known and emerging technologies.

eDiscovery and Legal Compliance in Microsoft 365

eDiscovery (electronic discovery) is an essential component for legal compliance in Microsoft 365, enabling organizations to identify, preserve, and export electronically stored information in response to audits, investigations, or litigation. Using Microsoft’s built-in eDiscovery tools, compliance teams can search emails, documents, chats, and even deleted items across Exchange Online, SharePoint, Teams, and more.

Core workflows involve setting up eDiscovery cases, placing relevant mailboxes or sites on legal hold, and executing precise queries to locate responsive content. Advanced eDiscovery capabilities add deeper analytics, custodianship management, and review sets—features that streamline large-scale legal requests and support defensible policies for evidence handling.

Efficient eDiscovery can make the difference between a routine legal inquiry and a costly, disruptive process. Microsoft 365 is designed to ensure chain of custody, complete audit trails, and compliance with data privacy requirements through proper retention and export controls.

For organizations that need to audit user activity as part of legal response, Microsoft Purview Audit offers forensic-level tracking and extended data retention. Leveraging these tools helps your organization meet regulatory deadlines, respond transparently to legal challenges, and reduce legal exposure by automating routine discovery tasks.

Retention Policies for Data Lifecycle Management

Retention policies in Microsoft 365 automate the governance of information lifecycle—from creation to final deletion—in order to meet both business and regulatory requirements. By configuring rules at the tenant or content level, you can ensure that emails, documents, and Teams messages are retained for a specific period, placed on legal hold, or permanently deleted in a defensible manner.

This automation reduces the burden on end users and administrators, ensuring compliance without disrupting everyday workflows. Retention policies allow you to manage data bloat, reduce storage costs, and minimize the risks associated with keeping unnecessary information—while also supporting timely response to compliance requests or litigation holds.

Organizations can set up nuanced policies that differentiate between content types, business units, or jurisdictions, striking the right balance between operational flexibility and regulatory rigor. Defensible deletion is especially critical for demonstrating to auditors and regulators that your data handling is both intentional and automatic.

It’s important to remember that governance is not automatic by default. As discussed in this episode on the “governance illusion”, true compliance relies on intentional design, accountability, and integrated processes across technology and people—not just policy settings. Regular reviews help ensure your retention rules keep pace with evolving legal obligations and internal policies.

Common Mistakes About Microsoft 365 Compliance Center & Compliance Manager

This list highlights frequent misunderstandings and pitfalls related to compliance monitoring in Microsoft 365, focusing on the Compliance Center and Compliance Manager.

1. Confusing Compliance Center and Compliance Manager

• Assuming they are the same: Compliance Center is a unified portal for tools and policies; Compliance Manager is an assessment and improvement tool within that ecosystem.
• Expecting Compliance Manager to enforce controls automatically: It provides assessments, control guidance, and improvement actions but does not replace configuration or enforcement by admins.

2. Relying Solely on Microsoft’s Tools for Compliance

• Believing built-in controls alone guarantee regulatory compliance: Organizations must implement policies, processes, and evidence collection beyond Microsoft 365 features.
• Ignoring shared responsibility: Microsoft covers cloud infrastructure and baseline services; customers are responsible for data classification, user access, and applying configurations.

3. Misinterpreting Assessment Scores

• Treating score as absolute certification: Compliance Manager scores indicate progress toward recommended controls, not legal compliance or audit readiness by themselves.
• Overlooking control details: Low or high scores require reviewing control implementation details and evidence, not just the aggregate number.

4. Skipping Regular Reviews and Updates

• Assuming one-time setup is sufficient: Policies, assessments, and evidence need continuous review as services, regulations, and business needs change.
• Failing to update templates and assessments: Regulatory requirements and Microsoft capabilities evolve; use current templates and reassess periodically.

5. Poor Evidence Collection and Documentation

• Not capturing or mapping evidence: Compliance Manager expects documented evidence for implemented controls; missing evidence lowers assessment accuracy.
• Storing evidence insecurely or inconsistently: Evidence should be retained in a controlled, auditable manner aligned with organizational retention policies.

6. Inadequate Role Segregation and Permissions

• Giving broad admin rights: Over-permissioned accounts can introduce risks and obscure who made control changes tracked by Compliance Center.
• Not using least-privilege roles: Configure Compliance Center and Compliance Manager roles so users only access necessary functions.

7. Misunderstanding Data Loss Prevention (DLP) and Sensitivity Labels

• Assuming labels/DLP are automatically applied everywhere: Sensitivity labels and DLP policies require proper configuration, user training, and sometimes client-side support.
• Ignoring label taxonomy and policy scope: Misapplied labels or overly broad DLP rules can block legitimate business processes or miss protected data.

8. Underestimating Monitoring and Alerting Configuration

• Using default alerts without tuning: Default thresholds can produce noise; tune alerts to reduce false positives and ensure actionable signals.
• Not integrating incident response: Alerts should map to an established investigation and remediation workflow.

9. Failing to Map Controls to Regulatory Requirements

• Assuming Microsoft 365 controls map one-to-one with regulations: Use Compliance Manager templates and manual mapping to show how controls address specific requirements.
• Neglecting jurisdictional differences: Regulatory obligations vary by country/industry; customize assessments accordingly.

10. Ignoring User Training and Change Management

• Deploying controls without user guidance: Security and compliance features fail without end-user awareness and training.
• Not documenting process changes: Compliance evidence should include documented procedures and training records.

11. Overlooking Integration with Third-Party Tools

• Assuming Microsoft alone covers all telemetry: Some environments require third-party monitoring, CASB, or SIEM integration for full visibility.
• Failing to ingest external evidence: Consolidate relevant logs and evidence into compliance workflows when required.

12. Neglecting Audit Logs and Retention Policies

• Not enabling or retaining audit logs long enough: Regulatory audits often require historical logs; configure retention to meet requirements.
• Trusting default retention periods: Adjust retention policies for records, audit logs, and eDiscovery to match legal needs.

Practical Recommendations

• Understand shared responsibility, and document roles and responsibilities.
• Use Compliance Manager assessments as guidance, not a full compliance certificate.
• Maintain regular review cycles, evidence repositories, and tuned alerting.
• Train users and apply least-privilege access controls.
• Map controls to specific regulations and integrate external tools where needed.

Integrating Microsoft Defender With Compliance Monitoring

Microsoft Defender’s advanced security features play a crucial role in amplifying compliance monitoring and enforcing policy boundaries throughout Microsoft 365. By bringing together real-time threat protection and compliance analytics, organizations can detect, investigate, and remediate suspicious activity before it impacts sensitive data or regulatory obligations.

Defender is not only about blocking malware and ransomware—it provides dynamic alerting for policy violations, risky behaviors, and unusual login patterns that could signal insider threats or attacks in progress. These alerts are surfaced directly in compliance dashboards, enabling a holistic view that spans both security and compliance responsibilities.

Integrating Defender with compliance workflows means your organization can automate remediation, reduce response times, and improve the consistency of enforcement across cloud, hybrid, or multi-cloud environments. Whether you’re facing configuration drift, credential theft, or OAuth abuse, Defender brings practical context and prioritization to every incident review.

For practical tips on leveraging Defender to its fullest in hybrid or multi-cloud setups—and how automation reduces compliance drift—see this guide to continuous compliance monitoring in Microsoft Defender for Cloud. As your risk landscape expands, harmonizing Defender’s real-time insights with compliance controls provides a unified, audit-ready defense.

Threat Monitoring and Response With Microsoft Defender

Microsoft Defender for Microsoft 365 is a comprehensive threat monitoring solution for cloud and hybrid environments, combining advanced analytics, real-time alerts, and cross-domain correlation to detect, investigate, and respond to attacks. It examines a broad threat landscape—including phishing, malware, cloud app abuse, and privilege escalation—ensuring compliance teams have a complete picture when responding to incidents.

Defender’s incident queue centralizes and enriches alert data, making it easier to trace attack chains and enforce evidence-driven remediation steps. Automation capabilities mean policy violations and high-risk activities trigger direct notifications and workflow escalations, minimizing the time between detection and response.

To maintain compliance, Defender provides integration points with audit logging, role-based access controls, and SIEM platforms for continuous oversight. You can align security and compliance teams through unified dashboards and actionable investigations—all enhancing risk management and regulatory defense.

Real-world examples of integrated compliance monitoring, including multi-cloud environments, are detailed in this continuous compliance monitoring guide with Microsoft Defender for Cloud. The emphasis is on automated remediation, actionable reporting, and unified visibility across your organization’s most sensitive workflows.

Applying Zero Trust and Least Privilege Principles

Zero Trust and least privilege models are foundational to compliance and risk reduction in Microsoft 365. Zero Trust assumes no user or device is inherently trusted—continuous verification is enforced at every access point, adopting a "never trust, always verify" stance. Least privilege means every account or application receives only the explicit permissions needed for its role, minimizing risk from overexposure or privilege creep.

Implementing Zero Trust involves unified policies across Microsoft 365 and connected services—strong authentication, device compliance checks, adaptive MFA, and session monitoring. Role-based access models (RBAC) segment administrative responsibilities and ensure access to data is strictly controlled and auditable. Automated reviews and anomaly detection prevent “drift” and quickly surface unauthorized or risky privilege changes.

Applying these principles is not a one-time process but requires periodic policy reviews, alert tuning, and continuous monitoring. Base your policy design on least privilege and risk-aware segmentation, updating rules as users, devices, and integrations evolve.

To learn more about practical Zero Trust implementation in Microsoft 365 and Dynamics 365, and how to strengthen authentication contexts for compliance, review this in-depth Zero Trust podcast episode and the guide on Conditional Access best practices. These resources highlight the need for baseline policies, inclusive controls, and ongoing oversight—a must for closing the gaps that attackers exploit and keeping your compliance program resilient.

Best Practices and Automation for Ongoing Compliance

Ensuring ongoing compliance in Microsoft 365 means weaving together best practices that address not only what you configure today, but how you keep pace with change. This isn’t just about ticking boxes—it’s about creating a sustainable, proactive compliance culture that reduces manual workloads, prevents alert fatigue, and stands up to regulatory scrutiny.

Scaling compliance across complex or growing environments requires the right blend of foundational policies, clear documentation, and continuous training for admins and users. By mapping regulations directly to technical controls, you can identify security and compliance gaps before they turn into audit findings or security incidents.

Automation emerges as a key enabler, streamlining routine monitoring, policy enforcement, and alert triage for large-scale tenants. By leveraging analytics, SIEM/SOAR integrations, and contextual alerting, compliance professionals keep oversight manageable—and focus efforts on true risks rather than chasing endless notifications.

Risks evolve—including those tied to emerging technologies like AI agents or Copilot—so periodic reviews and adaptive policies are essential. For insights on how least-privilege controls and continuous audit monitoring can govern new AI features, check out the guide to Copilot governance and M365 automation. The following best practices and automation strategies are practical steps your team can implement for resilient, audit-ready compliance operations.

Compliance Best Practices for Microsoft 365

1. Review and update compliance policies periodically. Regulations and business models change, so it’s vital to revisit policy settings at regular intervals. Schedule annual or biannual reviews to keep documentation and technical controls aligned with the latest risk landscape, legal requirements, and industry best practices.
2. Maintain comprehensive documentation. Accurate, up-to-date records of your compliance policies, procedures, training materials, and workflow diagrams make audits faster and reduce the risk of overlooked gaps. Accessible documentation enables onboarding, cross-team collaboration, and rapid response to regulatory inquiries.
3. Deliver ongoing training for admins and users. Empower your team with consistent, role-based training on security, data handling, and compliance responsibilities. This builds a culture of accountability while reducing unintentional risks from poor user habits or misunderstandings.
4. Map regulatory obligations to technical controls. Translate each regulation—GDPR, HIPAA, CCPA, etc.—into specific DLP rules, retention policies, or access restrictions within Microsoft 365. Doing so ensures you have a defensible strategy for every requirement, minimizing compliance gaps and oversights.
5. Conduct routine internal audits. Proactively test and validate your compliance controls. Run mock audits, test eDiscovery workflows, and review audit logs to identify issues before they escalate. Internal audits are crucial for evidence collection and continuous improvement.
6. Balance empowerment with control in platforms like Power Platform. Effective governance, as discussed in Power Platform security and governance best practices, means giving citizen developers room to innovate while enforcing connector oversight and identity management to prevent uncontrolled data flows.
7. Establish a governance board for AI and high-risk workloads. Formal boards, featured in episodes like AI operational defense and risk management, ensure there’s accountability and structured decision-making as technology evolves. Responsible AI dashboards, regular risk reviews, and documented approvals are the new must-haves for operational resilience.

Automated Monitoring and Effective Alert Management

1. Configure automated compliance workflows. Use Microsoft 365 features and integrations to automate repetitive compliance checks, policy enforcement, and escalation paths. Automated workflows reduce manual oversight, improve response time, and standardize governance across all business units.
2. Integrate compliance monitoring with SIEM/SOAR platforms. Centralize alert management by feeding Microsoft 365 logs and alerts into tools like Microsoft Sentinel or your preferred SIEM/SOAR solution. This enables correlation, incident enrichment, and coordinated response—scaling oversight for larger or regulated organizations.
3. Fine-tune alert criteria to reduce false positives. Overly broad alerting leads to “alert fatigue,” causing real issues to be overlooked. Regularly review thresholds, suppression rules, and anomaly detection logic so that only actionable, high-priority incidents escalate to the compliance team.
4. Leverage analytics for risk-based prioritization. Apply contextual analytics to evaluate the severity, impact, and relevance of each compliance alert. Prioritize investigations based on risk scores, user behavior history, and data sensitivity—ensuring critical incidents are addressed first.
5. Ensure scalability and operational excellence. As your Microsoft 365 environment grows, automate policy rollouts, monitor configuration drift, and measure alert response metrics. Continuous evaluation helps you adapt to new workloads, compliance scenarios, and business objectives with minimal disruption.

If you’re interested in operationalizing these approaches—or looking for guidance as technology evolves and page links disappear—stay up to date with the latest podcasts on Microsoft 365 automation and governance. Automation is not just efficiency—it’s a strategic defense against both compliance risk and operational burnout.

Checklist: Microsoft 365 Compliance Center & Compliance Manager

Checklist focused on compliance monitoring in Microsoft 365 using Compliance Center and Compliance Manager.