Microsoft recently announced new security and compliance add-ons for Microsoft 365 Business Premium, and one of them deserves more attention than it's getting in Australia: the Microsoft Purview Suite add-on. For businesses under 200 users, this closes a gap that has bothered me for years.
The licensing gap nobody liked
Here's the dilemma as it stood until now. If you're an Australian business on Business Premium, you face the same data risks as an enterprise. Copilot can surface documents your sharing settings never should have allowed. Your cyber insurer is asking questions about data governance. A departing staff member can walk out with your client list on a USB stick or in their personal OneDrive. None of that cares how many seats you have.
But the tooling Microsoft built to deal with those risks, the advanced Purview capabilities, sat behind E5 licensing. E5 was never designed for a 40-person accounting firm or a 120-person manufacturer. It bundles capabilities a 50-seat business would never use, and the commercial jump from Business Premium to E5 never stacked up for organisations that size. So most simply went without. They knew the risk existed; they just couldn't justify a licence built for a 5,000-seat bank to manage it.
The Purview Suite add-on changes that. You keep Business Premium, which I've long argued is the right foundation for most SA small businesses, and you bolt the data security layer on top.
What the add-on actually includes
The add-on bundles the advanced Purview capabilities into a single licence. The list is long, so it helps to group it by what each piece does for you.
Knowing where your sensitive data is and keeping it protected. Information Protection lets you apply sensitivity labels to documents and emails. Think of a label as a security tag that stays attached to the file whether it's sitting in OneDrive, shared in Teams, or emailed to someone outside the business. Extended data loss prevention builds on that with custom policy templates, so you can stop credit card numbers, health records or tax file numbers being shared accidentally. Message Encryption protects sensitive email in transit, and Customer Key lets organisations with strict regulatory requirements hold their own encryption keys.
Watching for risk inside the business. Insider Risk Management uses behavioural analytics to flag unusual activity, the classic example being an employee downloading large volumes of files in the weeks before they resign. Privacy is built into the design: users are pseudonymised by default and identities are only revealed when an alert becomes a genuine case. Communication Compliance does similar work for messages, picking up policy breaches in Teams and email.
Managing how AI touches your data. Data Security Posture Management for AI gives you visibility into how Copilot and third-party AI tools interact with sensitive information: which files are overshared, which prompts are risky, with real-time alerts when something crosses a line. I covered why DSPM for AI matters in an earlier post, and at the time the licensing was the sticking point for smaller businesses. That objection is now gone.
Compliance and legal readiness. Records Management and Data Lifecycle Management automate retention and deletion, so records are kept as long as the law requires and disposed of when they shouldn't be kept. eDiscovery Premium gives you search, legal holds and export in one place when a dispute or investigation lands. Audit Premium provides the deeper, longer-retained logs that incident response and forensics depend on. Compliance Manager rounds it out with a single dashboard for tracking your regulatory obligations.
Why Australian businesses should care now
Four things make this timely rather than just interesting.
First, Copilot adoption. Copilot doesn't create oversharing problems, it makes existing ones visible. Every permission mistake from the past decade becomes searchable in plain English. Businesses rolling out Copilot without data classification are discovering this the uncomfortable way.
Second, the questions are already being asked. Cyber insurance questionnaires increasingly probe data classification, DLP and insider risk controls. Frameworks like the Essential Eight get you a long way on system hardening, but ISO 27001 and most insurer expectations go further into how data itself is governed, and that's exactly the territory Purview covers.
Third, the Privacy Act. Australian businesses with turnover above the threshold carry notifiable data breach obligations, and you can't assess or report a breach properly if you don't know what data you held and who touched it. Audit logs and classification turn that from guesswork into evidence.
Fourth, the resignation window. In our experience the riskiest fortnight for company data is the one between an employee deciding to leave and their last day. Most small businesses have no visibility into that window at all. Insider Risk Management is built for precisely this pattern.
The add-on is the licence, not the outcome
One caution before you call your licensing provider. Buying the add-on switches nothing on. Sensitivity labels need a taxonomy your staff will actually use, which means a handful of clear labels rather than a dozen confusing ones. DLP policies need tuning, because an untuned policy drowns you in false positives until everyone learns to ignore the alerts. Insider Risk Management needs to be configured deliberately, with privacy settings and escalation paths agreed up front, or it becomes a staff trust problem instead of a security control.
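To make the tuning point concrete, here is an added example (not from Microsoft or from this post, and not how Purview works internally) that compares a pattern-only rule for tax file numbers with one that also requires the published TFN check digit and a supporting keyword nearby. The sample messages, the 40-character proximity window and the function names are assumptions constructed for illustration.

```python
import re

# Weights of the published check algorithm for 9-digit Australian tax file
# numbers (TFNs): the weighted digit sum must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
CANDIDATE = re.compile(r"\b\d{3} ?\d{3} ?\d{3}\b")
KEYWORDS = re.compile(r"\b(tfn|tax file number)\b", re.IGNORECASE)
PROXIMITY = 40  # characters either side of a match; assumed tuning value


def tfn_checksum_ok(candidate):
    """Return True if the candidate has 9 digits and passes the TFN check."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = sum(d * w for d, w in zip(digits, TFN_WEIGHTS))
    return len(digits) == 9 and total % 11 == 0


def naive_hits(text):
    """Untuned rule: every 9-digit number is treated as a TFN."""
    return [m.group() for m in CANDIDATE.finditer(text)]


def tuned_hits(text):
    """Tuned rule: pattern, valid check digit and a keyword close by."""
    hits = []
    for m in CANDIDATE.finditer(text):
        window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        if tfn_checksum_ok(m.group()) and KEYWORDS.search(window):
            hits.append(m.group())
    return hits


# Constructed sample messages, not real data. 123 456 782 is a commonly used
# test value that passes the check; 100200300 also passes by coincidence.
SAMPLES = [
    "Invoice 204881937 is due 30 days from issue.",
    "Please chase order 771203458 with the warehouse.",
    "Part number 100200300 shipped on Tuesday.",
    "New starter paperwork attached, TFN: 123 456 782 for payroll.",
]

if __name__ == "__main__":
    naive = [h for s in SAMPLES for h in naive_hits(s)]
    tuned = [h for s in SAMPLES for h in tuned_hits(s)]
    print(f"untuned rule: {len(naive)} alerts -> {naive}")
    print(f"tuned rule:   {len(tuned)} alerts -> {tuned}")
```

The part number shows why the check digit alone is not enough: it passes the arithmetic by chance, and only the missing keyword keeps it out of the alert queue.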
This is the same lesson as Business Premium itself: the licence gives you access to the tools, and the value comes from deploying them properly. We've put together a Microsoft Purview implementation page that walks through what a proper rollout covers, from data discovery through label design to DLP tuning and ongoing management.
For years the honest advice to a 50-seat business asking about advanced data security was that the licensing didn't make sense for them. That advice has now changed. If you hold client data worth protecting, this add-on is worth a serious look.
