3.3. Identifying and Responding to Governance Risks

💡 First Principle: Microsoft Purview's risk and compliance tools don't prevent incidents — they help you find them, investigate them, and prove you were compliant. Compliance Manager tells you where you stand. Data Explorer shows you what's at risk. Activity Explorer shows you what happened. eDiscovery finds the evidence.

Think of these tools as the compliance "cockpit" — each instrument shows you something different. Compliance Manager is the altitude indicator (how high is your compliance posture?). Content Explorer is the radar (what's out there?). Activity Explorer is the flight recorder (what happened?). eDiscovery is the search-and-rescue kit (find specific things for legal reasons).

⚠️ Exam Trap: Content Explorer and Activity Explorer are different. Content Explorer shows the current state of labeled content. Activity Explorer shows the history of actions on that content. Mixing them up is the exam's most common distractor for these tools.

Without these tools, governance is theoretical. You can have the right policies — but without visibility into whether they're working, you're operating blind. An auditor asks: "Show me evidence that sensitive customer data wasn't inappropriately accessed." You need these tools to answer that question.

The exam tests your ability to match a compliance investigation scenario to the right tool. The decision rule: are you measuring posture (Compliance Manager), discovering data (Data Explorer), monitoring behavior (Activity Explorer, DLP alerts, IRM), or finding specific content for legal (eDiscovery)?

⚠️ Common Misconception: Compliance Manager monitors and enforces compliance in real time. In reality, Compliance Manager is a scorecard and recommendation engine — it doesn't monitor activity or enforce policies. It measures how well your configurations align with compliance frameworks (GDPR, ISO 27001, etc.) and suggests improvements.