Senior Consultant - Microsoft Purview & M365 Compliance Governance
The role in one sentence
Lead the Microsoft Purview and M365 compliance lane of a 90-day governance engagement that turns a Fortune-class regulated enterprise’s data, DLP, and Copilot exposure surface into a classified, labeled, retained, audited capability — and convert into a PTM Fusion full-time hire on successful delivery.
Why this role exists
Proactive Technology Management (PTM) Fusion has committed to a 90-day governance program for a Fortune-class regulated enterprise client. The program has two delivery lanes running in parallel — Power Platform / Copilot Studio CoE & ALM and Microsoft Purview / M365 Compliance. This posting is for the Purview / M365 lane.
The engagement runs in two phases:
- Phase 1 — Discovery & Assess (30 days). Inventory the client’s M365 information protection posture: existing sensitivity labels, DLP policies, retention framework, audit configuration, classification accuracy, and Copilot AI exposure. Map current state against PTM and Microsoft baselines. Quantify the risk and ROI of remediation. Deliver a prioritized governance backlog.
- Phase 2 — Implement & Govern (60 days). Stand up a label taxonomy and auto-labeling policy. Deploy or tune DLP across Exchange, SharePoint, OneDrive, Teams, and Endpoint. Operationalize retention, records management, and audit. Configure Purview-for-Copilot DSPM-for-AI controls. Wire the whole estate into Azure Monitor and Log Analytics so governance posture is observable, not assumed.
You will work in lockstep with a Power Platform CoE / ALM specialist who owns the Power Platform side. The two lanes share a Solution Architecture Document, a milestone roadmap, and a value metric — so coordination matters.
What you'll deliver
- A complete inventory of existing Purview, DLP, retention, and audit configuration, with a risk-ranked gap analysis against PTM and Microsoft reference architectures.
- A sensitivity label taxonomy the business actually understands, with manual labeling guidance and auto-labeling policies (client-side and service-side) tuned for low false-positive rate.
- DLP policies across Exchange, SharePoint, OneDrive, Teams, and Endpoint DLP, with explicit incident triage, exception, and override workflows. Coordination with Power Platform DLP through the Power Platform lane.
- A retention label and policy framework covering record categories, disposition review, and litigation-hold posture.
- Microsoft Purview Audit configuration (Standard or Premium tier as scoped), audit log retention, and export pipeline to the client’s downstream SIEM.
- Microsoft Compliance Manager assessment selection, improvement-action plan, and executive reporting cadence.
- Purview for Copilot governance — DSPM-for-AI configuration, sensitivity-aware grounding rules, prompt and response audit, and red-team review of high-exposure agents in coordination with the Power Platform lane.
- Azure Monitor and Log Analytics observability — diagnostic settings on M365 audit and DLP signals, KQL workbooks for label coverage, DLP incident rate, retention drift, and AI prompt-risk indicators, alert rules on policy drift, and an executive dashboard reporting against the value metric agreed during Discovery.
- Solution Architecture Document (SAD), Solution Design Document (SDD), and milestone roadmap authored against PTM templates and reviewed under our Maker-Checker discipline.
Who you are
You can sit with a Chief Information Security Officer at 9 a.m., a records-management lead at 11 a.m., and a SharePoint admin at 2 p.m. — and leave each conversation with the same coherent governance picture in mind. You communicate in plain language to business owners and in precise technical terms to engineers, often in the same meeting.
You believe a label taxonomy is a product, not a deliverable. You measure success in incidents avoided, audits passed, and ROI delivered — not in policies authored.
Requirements
Microsoft Purview & M365 governance (depth required)
- 5+ years delivering Microsoft Purview / M365 information protection in enterprise or mid-market environments, with at least 2 full lifecycles of label taxonomy design and deployment.
- Microsoft Purview Information Protection — label taxonomy design, manual labeling, auto-labeling policies (client-side and service-side), label-driven encryption, and rights management.
- Microsoft Purview Data Loss Prevention across Exchange, SharePoint, OneDrive, Teams, and Endpoint DLP — policy authoring, simulation mode, incident triage, exception workflow, and tuning to keep false-positive rate inside a defensible band.
- Data classification using built-in, custom keyword, custom regex, exact-data-match, and trainable classifiers — including the data-engineering work to seed and validate them.
- Retention labels and retention policies, records management, disposition review, and litigation-hold posture.
- Microsoft Purview Audit (Standard and Premium) — audit log search, export, retention, and downstream SIEM integration.
- SailPoint - Proven expertise with Identity Governance & Administration (IGA) platforms, specifically SailPoint
- Hands-on experience implementing, configuring, and maintaining SailPoint solutions (e.g., IdentityIQ, IdentityNow)
- Microsoft Compliance Manager — assessment selection, improvement actions, control implementation evidence, and executive reporting.
- Purview for Copilot — DSPM-for-AI configuration, sensitivity-aware grounding, prompt and response auditing for Microsoft Copilot for M365 and Copilot Studio agents.
Identity & adjacent surfaces (depth required)
- Microsoft Entra ID — conditional access, sensitivity-label-bound access policies, and the binding between identity, label, and DLP enforcement.
- Working knowledge of Power Platform DLP so the M365 and Power Platform DLP surfaces compose coherently — you will partner with the Power Platform lane on this, but you must be able to reason about it end-to-end.
- Microsoft Defender for Cloud Apps for shadow-IT discovery and SaaS DLP enrichment, where in scope.
Observability (depth required)
- Azure Monitor and Log Analytics — workspace design, diagnostic settings for M365 audit and Purview signals, KQL fluency, workbook authoring, alert rules, and action groups.
- Microsoft Sentinel integration for governance signals and audit-log SIEM tier — connector deployment, analytic rule authoring, and incident workflow.
- Power BI dashboards that report a value metric a non-technical executive can act on (label coverage, DLP incident rate, retention drift, AI prompt-risk).
Consulting craft (depth required)
- Demonstrated ability to author and present architecture artifacts to a CTO-level audience: C4 diagrams, SADs, SDDs, milestone roadmaps.
- A discovery toolkit you actually use — Lean UX, BPMN, Event Storming, or comparable methods for translating ambiguous client problems into a prioritized backlog with measurable outcomes.
Strongly Preferred
- Microsoft certifications: SC-400 (Information Protection & Compliance Administrator), SC-100 (Cybersecurity Architect Expert), SC-200 (Security Operations Analyst), SC-300 (Identity & Access Administrator).
- Hands-on with Microsoft Priva for privacy management, data subject requests, and privacy risk policies.
- eDiscovery (Standard and Premium) — case management, custodian holds, advanced indexing, and review-set culling.
- Insider Risk Management and Communication Compliance policy design.
- Experience with regulated frameworks — HIPAA, HITRUST, SOC 2, ISO 27001, FDA 21 CFR Part 11, GDPR, GLBA — and the documentation discipline they require.
- Prior delivery in regulated environments (medical device, life sciences, healthcare, or financial services).
- Experience as a subcontractor or partner-of-partner — you know how to represent PTM cleanly inside multi-vendor delivery teams and inside the end client’s governance forums.
How you work
- Search before assumptions. You verify against current docs, the client tenant, and runtime evidence before recommending. Confidence without evidence is not a substitute for either.
- Contracts before code. You define the interface — label taxonomy, DLP policy, retention schedule, audit retention — before anyone publishes against it.
- Validators before delivery. Every label, every DLP rule, every retention policy ships with a test that proves it works and an alert that fires when it stops working.
- Maker-Checker over solo heroics. You welcome a second pair of eyes on every material design decision, and you give the same in return.
- Plain language. A 12-year-old can follow your milestone narrative. A CISO trusts your governance posture. A business owner sees the ROI line.
Engagement details
- Engagement structure. Contract-to-hire. Initial term covers the full 90-day engagement (30 days Discovery + 60 days Implementation). Conversion to PTM Fusion full-time hire on successful delivery and mutual fit.
- Capacity. One full-time-equivalent role, paired with a Power Platform CoE / ALM specialist on the same engagement.
- Location. Remote, US-based. Occasional travel to client sites; expect no more than one trip per month during Implementation.
- Compensation. Competitive contract rate during the engagement; market-aligned base, performance bonus, and benefits package on conversion. Final terms commensurate with experience and certifications.
- Start. Immediate. Discovery kicks off as soon as the right candidate is in seat.
Benefits
Possibility of contract-to-hire