The MSP License Ladder #2: The Data Gap
A team lead hands in their notice on Friday. By Monday morning they have downloaded three months of client proposals from SharePoint, forwarded a pricing sheet to a personal Gmail, and copied the customer database to a USB stick. You find out two weeks later when the new employer starts undercutting your customer’s bids.
On Business Premium and Microsoft 365 E3, you had no signal for any of that. No alert when the download volume spiked. No block when the USB was mounted. No flag when the email left the tenant. That is the gap this post is about: base Purview covers more than people expect, but the moment data leaves email and files, you are blind.
This post is part of The MSP License Ladder, a series on what Business Premium and E3 don’t give you, and how to build on top of them. Every post covers one gap: what’s missing from the base SKU, what it costs to close, and what you can actually build with it. Previous: #1, The Hunting Gap.
A few terms up front:
- DLP (Data Loss Prevention): policies that detect and protect sensitive content based on patterns, sensitive information types, or trainable classifiers.
- SIT (Sensitive Information Type): a pattern definition (regex, keyword list, or function) that Purview uses to identify sensitive data. Examples: credit card numbers, national IDs, IBAN numbers.
- IRM (Insider Risk Management): behavioural analytics that detect risky user activity patterns like unusual download spikes, data exfiltration sequences, or policy violations.
Table of Contents
- What you actually get today
- The concrete gaps
- The upgrade paths
- What you unlock
- How to deploy this across your customer base
- When not to bother
- How to pitch it
- Conclusion
What you actually get today
Before jumping to what is missing, be honest about what the base gives you. Both SKUs include more Purview than most customers assume.
Business Premium ships with Purview Information Protection and Purview DLP. You can create sensitivity labels (manual application), build DLP policies that scan Exchange, SharePoint, and OneDrive, and set basic retention policies. That is real data governance. If a user attaches a spreadsheet with 50 credit card numbers to an email, base DLP can catch it.
Microsoft 365 E3 has a similar shape. Manual sensitivity labels, DLP for email and files, basic retention and data lifecycle management. Slightly broader admin tooling but the same ceiling on scope.
The gap is not “you have nothing.” The gap is scope, automation, and workflow tooling. Here is what that looks like side by side:
| DLP capability | Business Premium | E3 | Purview Suite add-on |
|---|---|---|---|
| Sensitivity labels (manual) | ✅ | ✅ | ✅ |
| Sensitivity labels (auto-labelling) | ❌ | ❌ | ✅ |
| DLP for Exchange | ✅ | ✅ | ✅ |
| DLP for SharePoint and OneDrive | ✅ | ✅ | ✅ |
| DLP for Teams chat and channels | ⚠️* | ⚠️* | ✅ |
| DLP for endpoints (USB, clipboard, print) | ❌ | ❌ | ✅ |
| DLP for third-party cloud apps | ❌ | ❌ | ✅ |
| DLP for browsers (Edge, Chrome) | ❌ | ❌ | ✅ |
| Insider Risk Management | ❌ | ❌ | ✅ |
| Adaptive Protection (dynamic DLP) | ❌ | ❌ | ✅ |
| Litigation Hold | ✅ | ✅ | ✅ |
| eDiscovery Standard | ✅ | ✅ | ✅ |
| eDiscovery Premium | ❌ | ❌ | ✅ |
| Communication Compliance | ❌ | ❌ | ✅ |
| Records Management (file plan, event-based) | ❌ | ❌ | ✅ |
| Audit Standard | ✅ | ✅ | ✅ |
| Audit Premium | ❌ | ❌ | ✅ |
| Compliance Manager | Limited | Limited | Full |
| Copilot-aware DLP policies | ⚠️** | ⚠️** | ✅ |
*Teams DLP is a grey area on both Business Premium and E3. The Purview portal lets you enable “Teams chat and channel messages” as a DLP location, and the policy will enforce. But Microsoft’s licensing docs state that DLP for Teams chat requires E5 or equivalent. Microsoft’s Purview Licensing Guidance is explicit about why:
“Some services check for a license before granting access or allow you to restrict access to licensed users via your admin portal. Others may not enforce this yet but could in the future. You must appropriately license the use of a service regardless of technical enforcement.”
This is the same per-user-covered pattern as Entra ID P2: the feature activates tenant-wide, but compliance requires every scoped user to be licensed. If you rely on it without the E5 licence, an audit could flag it. Files shared in Teams are a different story: those live in SharePoint/OneDrive and are covered by base DLP regardless.
**Copilot DLP: if users on Business Premium or E3 have a Microsoft 365 Copilot license, they get DLP for the M365 Copilot location (prompt safeguarding). The full Copilot-aware DLP (restricting Copilot from processing sensitive files and emails) requires the Purview Suite add-on.
Base DLP covers email and files. Teams chat DLP works in practice on Business Premium and E3 but is not officially licensed there. Endpoints, third-party cloud apps, and browsers are firmly out of scope. Auto-labelling does not exist. Insider Risk Management, eDiscovery Premium, Communication Compliance, and Records Management are all locked behind the next tier.
For the full breakdown of what each SKU includes, see the Microsoft Purview service description.
The concrete gaps
Five scenarios that come up on real customer calls and leave you reaching for something you do not have.
DLP scope
Your DLP policies scan email and files in Exchange, SharePoint, and OneDrive. An employee pastes a client’s bank details into a Teams chat. Another copies a PII spreadsheet to a USB stick. A third uploads customer data to a personal Dropbox via the browser. Base Purview does not see any of it. Teams chat DLP, endpoint DLP, and cloud app DLP are all out of scope on Business Premium and E3.
Auto-labelling is the other half of this gap. On base SKUs, sensitivity labels are manual only. If users forget to label (and they will), the data sits unclassified and unprotected. Auto-labelling based on content inspection closes that loop.
Insider Risk Management
A departing employee downloads 50% more files than usual in their last two weeks. A contractor accesses a SharePoint site they have never touched before and exports its contents. On base Purview, these patterns generate no signal. Insider Risk Management uses behavioural analytics to detect sequences like download spikes, access anomalies, and data exfiltration patterns. It can feed into Adaptive Protection, which automatically tightens DLP policies for risky users.
Worth noting: if a leaver is smart, they steal data before handing in their notice, not after. IRM handles this because its policies work backwards from a triggering event (for the departing-user template, the resignation or termination date fed in from the HR connector, or the account being deleted) over a configurable past-activity window, 90 days by default, surfacing risky activity sequences that happened well before the notice was handed in. None of this exists below Purview Suite.
eDiscovery Premium
A legal hold needs to include Teams chat, not just mailboxes and SharePoint. A regulatory investigation requires custodian management, advanced review sets, and conversation threading. On base eDiscovery (Standard), you can place holds on mailboxes and sites, but Teams chat coverage, custodian workflows, review sets with analytics, and predictive coding are all Premium features. When the legal team calls, you either have them or you don’t.
Communication Compliance
Regulated sectors (financial services under DORA, healthcare, legal) have obligations to review communications for insider trading language, conflicts of interest, harassment, or regulatory violations. On base Purview there is no mechanism to scan Teams messages, email, or Viva Engage at scale for these patterns. Communication Compliance provides policy-based scanning with built-in classifiers for threat, harassment, discrimination, and regulatory language. Without it, the compliance team is relying on manual spot checks.
Records Management
Base retention policies are time-based: keep everything for X years, then delete. Real records management needs a file plan, event-based retention (start the clock when a contract ends, not when the file was created), and disposition review before deletion. On base Purview you get the timer. You do not get the workflow.
The upgrade paths
Three paths to close the data gap, depending on the customer’s base SKU and budget.
| Path | Best for | List price | Main constraint |
|---|---|---|---|
| Purview Suite add-on | BP or E3 customers who need compliance | $10/user/mo | 300-user cap on BP |
| Microsoft 365 E5 | Customers who want security + compliance together | Full E5 price | Largest upfront spend |
Prices are Microsoft list per user per month, as of April 2026. CSP, NCE, and Enterprise Agreement pricing differs. Check with your licensing partner for the real customer number.
The Purview Suite add-on is available for both Business Premium and E3 customers. It launched September 2025 and adds the full Purview feature set: DLP extended to endpoints, Teams, apps, and cloud; Insider Risk Management; eDiscovery Premium; Records Management; Communication Compliance; Audit Premium; Compliance Manager; Information Barriers; Privileged Access Management; Customer Lockbox; Customer Key; and policy-based controls for Copilot and AI experiences. For the full contents, see the Microsoft Purview Suite for Business Premium page.
Combined with Defender Suite for Business Premium (also $10), the bundle drops to $15/user/month for both, versus $20 if bought separately. If the customer needs both security and compliance (and most do), this is the value pick.
One caveat. Purview features are per-user-covered, not per-tenant-enabled. The features activate once licensed somewhere in the tenant, but compliance-wise every user whose activity is covered by DLP, IRM, eDiscovery, or Communication Compliance needs the license. An IRM policy scoped to “all users” means all users need the license. Do not let a customer assume one license turns it on for the tenant. This is the same grey-area pattern as Entra ID P2 and it comes up in audits.
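The per-user-covered rule above (every user inside a Teams, endpoint, IRM or eDiscovery scope needs the licence) is something you can check rather than assume. The script below is an added example, not code from the original post: it reads the tenant's DLP policies, keeps those that reach past email and files, and for tenant-wide ones lists every enabled user who holds none of the covering SKUs. It assumes the ExchangeOnlineManagement and Microsoft Graph PowerShell modules; `SPE_E5` is the real part number for Microsoft 365 E5, while the Purview Suite add-on's `SkuPartNumber` is left for you to read from `Get-MgSubscribedSku` and pass in, because it is not verified here.

```powershell
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement

# Added example, not from the original post. Lists enabled users who fall inside a
# tenant-wide Teams or endpoint DLP scope but hold none of the SKUs that license those
# locations. SPE_E5 (Microsoft 365 E5) is real; the Purview Suite add-on's SkuPartNumber
# is not hard-coded because it has not been verified here: read it from Get-MgSubscribedSku
# and pass it in.
function Get-UnlicensedDlpScopeUsers {
    param(
        [Parameter(Mandatory)] [string[]] $CoveringSkuPartNumbers
    )

    # Only policies that reach past email and files matter for this check.
    $extended = Get-DlpCompliancePolicy |
        Where-Object { $_.TeamsLocation -or $_.EndpointDlpLocation }
    if (-not $extended) { return @() }

    # AssignedLicenses carries SkuId; SkuPartNumber is the human-readable name.
    $coveringSkuIds = Get-MgSubscribedSku |
        Where-Object { $CoveringSkuPartNumbers -contains $_.SkuPartNumber } |
        ForEach-Object { $_.SkuId }
    if (-not $coveringSkuIds) {
        throw "None of $($CoveringSkuPartNumbers -join ', ') is subscribed in this tenant."
    }

    $users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses

    foreach ($policy in $extended) {
        # Location lists render as 'All' when the policy is tenant-wide. Explicitly scoped
        # policies (named users or groups) would need group expansion, which this check
        # skips and flags for manual review instead.
        $tenantWide = ("$($policy.TeamsLocation)" -eq 'All') -or
                      ("$($policy.EndpointDlpLocation)" -eq 'All')
        if (-not $tenantWide) {
            Write-Warning "$($policy.Name): explicit Teams/endpoint scope; check its members by hand."
            continue
        }
        foreach ($u in $users) {
            if (-not $u.AccountEnabled) { continue }
            $licensed = $u.AssignedLicenses | Where-Object { $coveringSkuIds -contains $_.SkuId }
            if (-not $licensed) {
                [pscustomobject]@{
                    Policy   = $policy.Name
                    Mode     = $policy.Mode
                    User     = $u.UserPrincipalName
                    Teams    = [bool] $policy.TeamsLocation
                    Endpoint = [bool] $policy.EndpointDlpLocation
                }
            }
        }
    }
}

# Usage: one Purview session and one Graph session in the same tenant, then the report.
Connect-IPPSSession
Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All' -NoWelcome
Get-UnlicensedDlpScopeUsers -CoveringSkuPartNumbers @('SPE_E5') |
    Export-Csv -Path .\unlicensed-dlp-scope.csv -NoTypeInformation
```

An empty CSV is the answer you want before an audit. A non-empty one is either a licensing purchase or a scope reduction (`Set-DlpCompliancePolicy -RemoveTeamsLocation` / `-RemoveEndpointDlpLocation`), and the same logic applies to IRM and Communication Compliance policies scoped to "all users".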
What you unlock
Outcomes, not features. With the Purview Suite add-on in place:
| Capability | What changes |
|---|---|
| DLP across the full surface | Teams chat, endpoint, cloud apps, and browsers added to email and files. One policy covers everywhere. |
| Auto-labelling | Sensitivity labels applied automatically based on content. Users no longer have to remember. |
| Insider Risk Management | Behavioural signals detect download spikes, access anomalies, and exfiltration sequences. |
| Adaptive Protection | High-risk users automatically get stricter DLP policies based on their IRM risk score. |
| eDiscovery Premium | Legal holds across Teams chat. Custodian management, review sets, conversation threading. |
| Records Management | File plans, event-based retention, disposition review before deletion. |
| Communication Compliance | Policy-based scanning of Teams, email, Viva Engage for regulatory language patterns. |
| Audit Premium | One-year retention (up from 180 days) and high-bandwidth events. 10-year retention requires a separate add-on. |
| Compliance Manager | Assessment templates for GDPR, ISO 27001, NIST. Pre-mapped improvement actions. |
| Copilot-aware policies | DLP and sensitivity labels extend into Copilot interactions and grounding. |
The practical difference: a single policy that says “block credit card numbers from leaving the tenant” now actually means everywhere. The leaving-with-data scenario from the opening of this post generates an IRM alert before the damage is done. When the legal team calls for a hold that includes Teams chat, you have the workflow. When the auditor asks for disposition proof, you have event-based retention with reviewed disposal.
How to deploy this across your customer base
The scenario: you manage 15 customer tenants. You need a consistent DLP baseline across all of them, and you need proof that each tenant satisfies the relevant framework controls. The approach: build once in your own tenant, then replicate.
Step 1: Build the baseline in your own tenant
Start in your MSP tenant or a dedicated baseline tenant. This is your template environment. Configure the DLP policies you want every customer to have:
| Policy | Sensitive information types | Action | Framework controls |
|---|---|---|---|
| EU PII | EU National ID, EU Passport, EU SSN, IBAN | Block | NIS2 Art.21(2)(d), DORA Art.9(4)(c), CIS 3.3, NIST PR.DS-01 |
| Payment card data | Credit Card Number, EU Debit Card Number | Block | DORA Art.9(4)(c), CIS 3.10, NIST PR.DS-01 |
| Health data | ICD-10-CM, ICD-9-CM codes | Notify | NIS2 Art.21(2)(d), NIST PR.DS-01 |
| Financial identifiers | SWIFT Code, EU Tax ID, ABA Routing Number | Notify | NIS2 Art.21(2)(d), DORA Art.11(1), CIS 3.3 |
For each policy, configure the locations (Exchange, SharePoint, OneDrive, and Teams/Endpoints if the customer has Purview Suite), the detection thresholds, and the actions (block or notify). Test the policies in simulation mode first. Purview’s simulation mode shows you what would trigger without enforcing, so you can tune the thresholds before going live.
A few design decisions worth making upfront:
- PII and payment card data get hard blocks. These are the highest-risk categories. A false positive is cheaper than a breach.
- Health and financial data start as notify-only. These have more partial-match noise. Set a `minCount` threshold of 2 or higher and tighten after you have real data on false positive rates.
- Tag every policy with the framework controls it satisfies. Use the policy description field or a separate tracking sheet. When the auditor asks “how do you satisfy NIS2 Article 21(2)(d)?”, the answer should be a row in a table, not a slide deck.
Step 2: Deploy across tenants
Once the baseline is working in your template tenant, the next step is rolling it out to every customer. You can do this manually per tenant, script it with PowerShell (Post #1 showed the multi-tenant GDAP pattern), or use a multi-tenancy tool.
A tool I use for this is Inforcer. It is a multi-tenancy platform for MSPs that connects to customer tenants through enterprise app registrations (manual onboarding or GDAP). You deploy your baseline policy set across tenants from one place, and when you later change a policy, Inforcer flags which tenants are out of alignment so you can push the update. It takes the manual per-tenant work out of the equation.
Step 3: Map the output to frameworks
Whether you deploy via Inforcer or PowerShell, the end result should be the same: a coverage matrix that shows which policies satisfy which controls in which tenants.
| Framework | Control | What satisfies it |
|---|---|---|
| NIS2 | Art.21(2)(d) | EU PII, Health, Financial policies |
| DORA | Art.9(4)(c) | EU PII, PCI, Financial policies |
| CIS v8 | 3.10 | PCI policy |
| NIST CSF 2.0 | PR.DS-01 | All 4 policies |
That is the audit artefact. Export it as a CSV, attach it to the customer’s compliance record, and move on. When the next audit cycle comes, re-export and diff.
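Steps 1 to 3 as one script, added here as an example and not code from the original post or from Inforcer: the four baseline policies are data (SITs, `minCount`, block or notify, and the controls each satisfies), each customer tenant is reached over a delegated Purview session, policies and rules are created on the first run and reconciled on later ones, and every run ends with the coverage matrix as a CSV. Assumptions: the partner account holds Compliance Administrator in every tenant via GDAP, the SIT names match the tenant's catalogue (verify with `Get-DlpSensitiveInformationType | Select-Object Name`), and the tenant names are constructed placeholders with a flag saying whether that tenant holds Purview Suite. Test mode (`TestWithoutNotifications`) is the PowerShell equivalent of running without enforcement; flip it to `Enable` after tuning.

```powershell
#Requires -Modules ExchangeOnlineManagement

# Added example, not from the original post. Baseline DLP policies as data, deployed to
# each customer tenant over Connect-IPPSSession -DelegatedOrganization (GDAP), then
# exported as a per-tenant coverage matrix. Tenant names are constructed placeholders;
# the boolean records whether that tenant is licensed for Purview Suite.
$Tenants = [ordered]@{
    'contoso.onmicrosoft.com'  = $true
    'fabrikam.onmicrosoft.com' = $false
}

# SIT names are assumed to match the tenant catalogue (Get-DlpSensitiveInformationType).
$Baseline = @(
    @{ Name = 'MSP-Baseline-EU-PII';    Action = 'Block';  MinCount = 1
       Sits = @('EU National Identification Number', 'EU Passport Number',
                'EU Social Security Number or Equivalent Identification',
                'International Banking Account Number (IBAN)')
       Controls = 'NIS2 Art.21(2)(d); DORA Art.9(4)(c); CIS 3.3; NIST PR.DS-01' }
    @{ Name = 'MSP-Baseline-PCI';       Action = 'Block';  MinCount = 1
       Sits = @('Credit Card Number', 'EU Debit Card Number')
       Controls = 'DORA Art.9(4)(c); CIS 3.10; NIST PR.DS-01' }
    @{ Name = 'MSP-Baseline-Health';    Action = 'Notify'; MinCount = 2
       Sits = @('International Classification of Diseases (ICD-10-CM)',
                'International Classification of Diseases (ICD-9-CM)')
       Controls = 'NIS2 Art.21(2)(d); NIST PR.DS-01' }
    @{ Name = 'MSP-Baseline-Financial'; Action = 'Notify'; MinCount = 2
       Sits = @('SWIFT Code', 'EU Tax Identification Number (TIN)', 'ABA Routing Number')
       Controls = 'NIS2 Art.21(2)(d); DORA Art.11(1); CIS 3.3' }
)

$Matrix = [System.Collections.Generic.List[object]]::new()

foreach ($tenant in $Tenants.Keys) {
    Connect-IPPSSession -DelegatedOrganization $tenant
    $hasPurviewSuite = $Tenants[$tenant]

    foreach ($p in $Baseline) {
        # Email and files everywhere; Teams and endpoints only where the licence covers them,
        # so the policy never quietly exceeds what the tenant is licensed for.
        $locations = @{ ExchangeLocation = 'All'; SharePointLocation = 'All'; OneDriveLocation = 'All' }
        if ($hasPurviewSuite) { $locations.TeamsLocation = 'All'; $locations.EndpointDlpLocation = 'All' }
        $comment = "Controls: $($p.Controls)"

        # Idempotent: create on the first run, reconcile the description afterwards.
        # TestWithoutNotifications audits matches without enforcing; switch to Enable after tuning.
        if (Get-DlpCompliancePolicy -Identity $p.Name -ErrorAction SilentlyContinue) {
            Set-DlpCompliancePolicy -Identity $p.Name -Comment $comment
        } else {
            New-DlpCompliancePolicy -Name $p.Name -Comment $comment -Mode TestWithoutNotifications @locations | Out-Null
        }

        # One rule per policy. An array of SIT hashtables is OR-ed; minCount is the per-type threshold.
        $ruleName = "$($p.Name)-Rule"
        $severity = if ($p.Action -eq 'Block') { 'High' } else { 'Medium' }
        $rule = @{
            ContentContainsSensitiveInformation = @($p.Sits | ForEach-Object { @{ Name = $_; minCount = "$($p.MinCount)" } })
            AccessScope            = 'NotInOrganization'   # fire on sharing outside the tenant
            BlockAccess            = ($p.Action -eq 'Block')
            NotifyUser             = 'LastModifier'
            GenerateIncidentReport = 'SiteAdmin'
            ReportSeverityLevel    = $severity
        }
        if (Get-DlpComplianceRule -Identity $ruleName -ErrorAction SilentlyContinue) {
            Set-DlpComplianceRule -Identity $ruleName @rule
        } else {
            New-DlpComplianceRule -Name $ruleName -Policy $p.Name @rule | Out-Null
        }

        # One matrix row per (tenant, policy, control): this is the audit artefact.
        $mode = (Get-DlpCompliancePolicy -Identity $p.Name).Mode
        foreach ($control in ($p.Controls -split ';\s*')) {
            $Matrix.Add([pscustomobject]@{
                Tenant = $tenant; Policy = $p.Name; Control = $control
                Action = $p.Action; Mode = $mode; TeamsAndEndpoint = $hasPurviewSuite
            })
        }
    }
    Disconnect-ExchangeOnline -Confirm:$false
}

$Matrix | Export-Csv -Path .\dlp-coverage-matrix.csv -NoTypeInformation
```

The `Mode` column is deliberate: a policy still in test mode satisfies nothing, and the diff between this cycle's CSV and the last one is exactly the "re-export and diff" step. Location changes on an existing policy go through `Set-DlpCompliancePolicy`'s `-Add…Location` and `-Remove…Location` parameters rather than the creation-time splat used here.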
When not to bother
Purview Suite rewards customers who already care about data governance. Two cases where the upgrade sits idle:
No data classification scheme. If the customer has no idea what data they have, where it lives, or who should access it, deploying DLP policies generates noise, not protection. Start with a data classification exercise. Map the sensitive data types that actually exist in their tenant, decide what “sensitive” means for their business, and then deploy policies to enforce it. Purview Suite is the automation layer once the program exists, not the starting point.
No one to triage. IRM signals, Communication Compliance alerts, and eDiscovery workflows all require human review. If the customer has no compliance function, no legal team, and no appetite to build one, you are licensing tooling that will generate alerts nobody reads. That is worse than not having it, because unreviewed alerts create liability. If they are not ready to staff the process, they are not ready for the tooling.
How to pitch it
Lead with a regulatory obligation, a post-incident trigger, or an audit finding. Do not lead with “data is important.”
Three openers that work:
- Regulatory driver. “NIS2 Article 21 requires measures for data handling and access control. Your current DLP covers email and files. It does not cover endpoints, Teams, or cloud apps. Purview Suite closes that scope gap and gives you a framework-mapped artefact to show the auditor.”
- Post-incident trigger. “The data leak last quarter was a USB copy that base DLP could not see. Endpoint DLP would have blocked it. IRM would have flagged the download spike before the USB was even mounted.”
- Audit finding. “Your last audit flagged that retention policies are time-based only, with no disposition review. Records Management in Purview Suite adds file plans, event-based retention, and reviewed disposal. That closes the finding.”
Price it as part of a managed governance service, not a licence passthrough. The $10/user/month is the floor. The value is the baseline you deploy across every customer, the framework-mapped coverage matrix, and the triage capacity behind the alerts.
Conclusion
Business Premium and E3 give you more Purview than most people realise. You can label, you can DLP email and files, you can retain. But the moment data moves to an endpoint, a browser, or a cloud app, base Purview stops watching. The employee from the opening of this post walks out with the data, and you find out from the customer’s competitor.
The Purview Suite add-on ($10/user/month) closes that gap. Build a baseline policy set in your own tenant, validate it in simulation mode, deploy it across your customers, and keep it aligned. When the auditor asks what controls you satisfy, hand them the framework matrix instead of a conversation.
Start with one customer tenant. Get the SIT detections right for their data. Then scale out.
| Resource | What it covers |
|---|---|
| Purview service description | Authoritative SKU-by-SKU feature matrix (updated April 2026) |
| Purview Licensing Guidance | Official licensing FAQ, source of the “technical enforcement” caveat |
| M365 compliance licensing guidance | Broader security and compliance licensing overview |
| Purview Suite for Business Premium | Product page with full contents and pricing |
| DLP and Microsoft Teams | Teams DLP setup, licensing requirements, and scope |
| Purview DLP documentation | Getting started with DLP policies |
| Insider Risk Management | IRM overview and configuration |
| eDiscovery Premium overview | Premium eDiscovery capabilities and workflows |
Next up: #3, The Identity Gap, on what Entra ID P2 and Defender for Identity unlock across your cloud and on-prem identity surface, and why they are almost always bought together.
Part of The MSP License Ladder series. Previous: #1, The Hunting Gap. Next: #3, The Identity Gap.
Last verified: April 2026
Related
- The MSP License Ladder #1: The Hunting Gap – what Defender for Endpoint Plan 2 unlocks for proactive threat hunting across your customer fleet.