Microsoft Purview
Purview Information Protection & DSPM
End-to-end data security posture management: from sensitivity labels and DLP policies to Information Rights Management, Endpoint DLP, and DSPM for AI (Microsoft Copilot protection).
Overview & Licensing
Microsoft Purview is a unified data governance and compliance platform. It covers information protection (labels, DLP), data lifecycle management (retention, records), insider risk, eDiscovery, and the new DSPM for AI to secure Copilot interactions.
Core Capabilities
- Sensitivity Labels: Classify and protect files/emails
- DLP Policies: Prevent data exfiltration
- Endpoint DLP: Control data on Windows endpoints
- IRM/Encryption: Rights management via Azure RMS
- Retention Policies: Keep or delete data per regulation
- DSPM for AI: Protect data in Copilot queries
Licensing Matrix
| Feature | License |
|---|---|
| Sensitivity Labels (manual) | M365 E3 / AIP P1 |
| Auto-labeling | M365 E5 / AIP P2 |
| DLP (Exchange, SharePoint, OneDrive) | M365 E3 |
| DLP (Teams chat and channel messages) | M365 E5 / E5 Compliance |
| Endpoint DLP | M365 E5 / E5 Compliance |
| Insider Risk Mgmt | M365 E5 / E5 Compliance |
| DSPM for AI | M365 E5 / E5 Compliance |
Sensitivity Labels
Recommended Label Taxonomy
- Public
- General
- Confidential
- Highly Confidential
| Label | Applies To | Protection | Visual Marking |
|---|---|---|---|
| Public | Press releases, public docs | None | Footer: "Public" |
| General | Internal communications | None (internal only) | Footer: "General - Internal" |
| Confidential / All Employees (sublabel) | HR, Finance, internal projects | Encryption (all users in org) | Header + Footer + Watermark |
| Confidential / Specific Groups (sublabel) | M&A, Legal, Executive | Encryption (specific Microsoft Entra ID group) | Header + Watermark |
| Highly Confidential | PII, financial data, regulated data | Encryption + no external sharing | Full visual marking + block external |
Label Settings
- Encryption: Azure RMS / Rights Management
- Mark content: Headers, footers, watermarks
- Auto-labeling: Based on content inspection
- Protect SharePoint sites: Container labels
- Mandatory labeling: Users must choose a label
Auto-Labeling
- Run in simulation first to see what would be labeled, then enable
- Client-side: the label's own auto-labeling condition applies or recommends the label in Office apps while the user edits
- Service-side: auto-labeling policies scan SharePoint and OneDrive files at rest and Exchange email in transit (existing mailbox items are not relabeled)
- Trigger: SIT match (e.g., Credit Card Number, US SSN) or trainable classifier
- Recommendation (user confirms the label) vs. automatic application; recommendations are available client-side only
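The taxonomy, label settings and auto-labeling steps above, carried through end to end with Security & Compliance PowerShell. This is an added example, not code from the original page: it assumes Connect-IPPSSession has already run, that labels named Public, General and Highly Confidential already exist, and that the mail-enabled group AllStaff@contoso.com exists; all names and marking text are placeholders.

```powershell
# Added example. Assumes an existing Connect-IPPSSession; labels Public, General and
# Highly Confidential already exist; AllStaff@contoso.com is a placeholder group.

# 1. Parent label with no protection; it only groups the sublabels.
$parent = New-Label -Name 'Confidential' -DisplayName 'Confidential' `
    -Tooltip 'Internal business data that must not leave the organization' `
    -ContentType 'File, Email'

# 2. Sublabel encrypted for everyone in the tenant, with header, footer and watermark.
#    The rights string uses the documented usage-rights names (VIEW, DOCEDIT, EXTRACT, ...).
New-Label -Name 'Confidential-AllEmployees' -DisplayName 'All Employees' `
    -ParentId $parent.Guid -ContentType 'File, Email' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions 'AllStaff@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL' `
    -EncryptionOfflineAccessDays 7 `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText 'Confidential' `
    -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText 'Confidential - Contoso internal' `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText 'CONFIDENTIAL'

# 3. Publish to everyone: General is the default, labeling is mandatory, downgrades need
#    a justification. These keys are the documented label-policy advanced settings.
New-LabelPolicy -Name 'Global label policy' `
    -Labels 'Public','General','Confidential','Confidential-AllEmployees','Highly Confidential' `
    -ExchangeLocation All `
    -AdvancedSettings @{
        Mandatory                     = 'True'
        RequireDowngradeJustification = 'True'
        DefaultLabelId                = (Get-Label -Identity 'General').Guid
    }

# 4. Service-side auto-labeling, simulation first: SharePoint/OneDrive files holding a
#    high-confidence credit card number get Highly Confidential. No user sees anything yet.
New-AutoSensitivityLabelPolicy -Name 'Auto-label PCI data' `
    -ApplySensitivityLabel 'Highly Confidential' `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications

New-AutoSensitivityLabelRule -Name 'Credit card high confidence' -Policy 'Auto-label PCI data' `
    -Workload SharePoint,OneDriveForBusiness `
    -ContentContainsSensitiveInformation @{Name='Credit Card Number'; minCount='1'; minConfidence='85'}

# 5. Only after the simulation results have been reviewed:
# Set-AutoSensitivityLabelPolicy -Identity 'Auto-label PCI data' -Mode Enable
```

The order matters: the label must exist before the policy that publishes it, and the auto-labeling policy references the label by name, so step 4 fails if Highly Confidential has not been created. Leaving step 5 commented out is deliberate; the simulation report is the check that the SIT and confidence level are not over-matching.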
Sensitive Information Types (SIT)
Built-in SIT Examples
- Credit Card Number (PCI-DSS)
- US Social Security Number (SSN)
- EU National Identification Numbers
- Israel ID Number / Passport
- SWIFT Code / IBAN
- Azure Storage Account Key
- AWS Access Key
Custom SIT (Regex + Keywords)
The portal wizard captures a custom SIT as a primary element (the regex), supporting elements (keywords that must appear within a proximity window) and one confidence level per pattern. Schematically:

```json
{
  "name": "Contoso Employee ID",
  "primaryElement": { "regex": "\\bEMP-\\d{6}\\b" },
  "supportingElements": { "keywords": ["employee id", "staff id", "emp id"] },
  "proximity": 300,
  "confidenceLevel": 85,
  "minCount": 1
}
```

This JSON is only a sketch of the wizard fields; the portable artifact Purview actually stores and exports is a rule-package XML.
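The same SIT in the form Purview actually consumes, built and uploaded with PowerShell. This is an added example, not code from the original page: it assumes an existing Connect-IPPSSession, generates its own GUIDs, and uses two patterns so that the regex alone yields Medium-Low confidence (65) while regex plus a nearby keyword yields High (85), which is the behaviour the Low/Medium/High confidence bullets elsewhere on this page rely on.

```powershell
# Added example. Assumes Connect-IPPSSession has already run. Rule-package XML schema per
# the Purview custom SIT documentation; GUIDs are generated here, not taken from the page.
$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()

$xml = @"
<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0" />
    <Publisher id="$publisherId" />
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso</PublisherName>
        <Name>Contoso custom SITs</Name>
        <Description>Employee ID detection</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- patternsProximity: a supporting keyword must sit within 300 characters of the ID.
         Two patterns give two confidence levels: regex alone = 65, regex + keyword = 85. -->
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_ContosoEmployeeId" />
      </Pattern>
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_ContosoEmployeeId" />
        <Match idRef="Keywords_ContosoEmployeeId" />
      </Pattern>
    </Entity>
    <!-- \b anchors stop EMP-1234567 and XEMP-123456 from matching. -->
    <Regex id="Regex_ContosoEmployeeId">\bEMP-\d{6}\b</Regex>
    <Keyword id="Keywords_ContosoEmployeeId">
      <Group matchStyle="word">
        <Term>employee id</Term>
        <Term>staff id</Term>
        <Term>emp id</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso Employee ID</Name>
        <Description default="true" langcode="en-us">Contoso employee identifier (EMP-nnnnnn)</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

$path = Join-Path $env:TEMP 'ContosoEmployeeId.xml'
Set-Content -Path $path -Value $xml -Encoding UTF8

# Upload the pack (Set-DlpSensitiveInformationTypeRulePackage updates an existing one).
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($path))

# Check it is visible, then exercise it on constructed text before any DLP rule uses it:
# the first sample should land at confidence 85, the second (no keyword nearby) at 65.
Get-DlpSensitiveInformationType -Identity 'Contoso Employee ID'
Test-DataClassification -ClassificationNames 'Contoso Employee ID' `
    -TextToClassify 'Please update the employee id EMP-104233 in the HR system.'
Test-DataClassification -ClassificationNames 'Contoso Employee ID' `
    -TextToClassify 'Reference EMP-104233 attached.'
```

The confidence split is the point: a DLP rule keyed on minConfidence 85 will ignore a bare "EMP-104233" in a parts list but fire when it appears next to "employee id", which is how false positives are kept down without weakening the regex.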
Data Loss Prevention (DLP)
Always deploy DLP policies in simulation mode first. Review matches in Activity Explorer for 1 to 2 weeks and tune SITs, confidence levels and exceptions before switching to enforcement, so false positives are removed before any user is blocked.
Communication
- Exchange email (inbound/outbound)
- Teams messages and channels
- Viva Engage (formerly Yammer)
Cloud Storage
- SharePoint Online
- OneDrive for Business
- Microsoft 365 Group team sites (covered through the SharePoint location)
Endpoint
- Windows 10/11 (requires onboarding)
- USB device activities
- Cloud app upload controls
| Action | Scope | User Experience |
|---|---|---|
| Block sending / sharing | Exchange, SharePoint, Teams | Error message; policy tip shown |
| Block with override | All | User can override with business justification |
| Notify user only | All | Policy tip shown; no blocking |
| Quarantine email | Exchange | Admin reviews before delivery |
| Apply RMS encryption | Exchange | Email encrypted automatically |
| Generate alert | All | Alert to security team; no user impact |
Rule Construction
- Conditions: SIT match, label match, sender/recipient, domain
- Exceptions: Exclude specific users, groups, or domains
- Confidence: Low (65%), Medium (75%), High (85%)
- Instance count: Trigger on 1 match or 5+ matches (different severity)
- Priority: Lower number = higher priority (processed first)
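The actions table and rule-construction bullets above, combined into one PCI policy. This is an added example, not code from the original page: it assumes an existing Connect-IPPSSession, and the policy name, SOC mailbox and partner.example exception domain are placeholders. It shows two rules at different instance counts, an exception, incident reporting and a block with justified override, all starting in simulation.

```powershell
# Added example. Assumes Connect-IPPSSession; names, addresses and partner.example are placeholders.

# Policy across the communication and storage workloads, in simulation with policy tips so
# users see what would happen but nothing is blocked yet.
New-DlpCompliancePolicy -Name 'PCI DSS - Credit Card' `
    -Comment 'Credit card numbers leaving the tenant' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule 1 (Priority 0 is evaluated first): 10 or more card numbers going outside the org.
# Hard block, no override, incident report and alert to the SOC, partner domain excepted.
New-DlpComplianceRule -Name 'PCI high volume - block' -Policy 'PCI DSS - Credit Card' -Priority 0 `
    -ContentContainsSensitiveInformation @{Name='Credit Card Number'; minCount='10'; minConfidence='85'} `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs 'partner.example' `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner,LastModifier `
    -NotifyPolicyTipCustomText 'This item contains 10 or more card numbers and cannot be shared externally.' `
    -GenerateIncidentReport 'soc@contoso.com' -IncidentReportContent All `
    -GenerateAlert 'soc@contoso.com' -ReportSeverityLevel High

# Rule 2 (Priority 1): 1 to 9 card numbers. Blocked, but the user may override with a
# business justification; the justification is logged and shows up in Activity Explorer.
New-DlpComplianceRule -Name 'PCI low volume - warn' -Policy 'PCI DSS - Credit Card' -Priority 1 `
    -ContentContainsSensitiveInformation @{Name='Credit Card Number'; minCount='1'; maxCount='9'; minConfidence='85'} `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs 'partner.example' `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyAllowOverride WithJustification `
    -NotifyUser Owner,LastModifier `
    -ReportSeverityLevel Medium

# Confirm the evaluation order before enforcing; a mis-ordered rule lets the lenient one win.
Get-DlpComplianceRule -Policy 'PCI DSS - Credit Card' |
    Sort-Object Priority |
    Select-Object Priority, Name, BlockAccess, NotifyAllowOverride, ReportSeverityLevel

# Only after the simulation review period:
# Set-DlpCompliancePolicy -Identity 'PCI DSS - Credit Card' -Mode Enable
```

The high-volume rule carries the lower Priority number on purpose: rules in a policy are evaluated in priority order and the first matching rule's actions apply, so the strict rule must come first or a 40-number spreadsheet would match the 1-to-9 rule's override path.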
Information Rights Management (IRM)
Azure Rights Management (RMS)
- Encryption travels with the file and protects it wherever it is copied
- Online use in Office apps, and offline use for a configurable number of days before the client must refresh its license
- Revoke access at any time, even after sharing (Set-AipServiceDocumentRevoked)
- Track who opens protected documents (Get-AipServiceDocumentLog / Get-AipServiceTrackingLog; the old document-tracking portal is retired)
- Rights: View, Edit, Print, Copy (Extract), Forward, Reply, Reply All, Full Control (Owner)
Permission Templates
| Template | Rights |
|---|---|
| Company - Confidential | Internal users only: view and edit; no copy or print |
| Company - Confidential View Only | Internal users only: view; no edit, copy or print |
| Do Not Forward | Recipients can read, reply and reply all; no forward, print or copy |
| Encrypt Only | Recipients can do everything except remove the encryption; protection persists at rest and after forwarding, not only in transit |
| Custom | Any combination of rights for chosen users or groups, with optional expiry and offline-access window |
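The track-and-revoke workflow the RMS bullets above describe, using the AIPService PowerShell module. This is an added example, not code from the original page: it assumes the AIPService module is installed, that the document was protected with tracking enabled, and the file name, owner and date window are placeholders. Output property names other than ContentId and Issuer are not asserted here; inspect them with Format-List.

```powershell
# Added example. Assumes the AIPService module; Budget-FY25.xlsx and alice@contoso.com
# are placeholders. Applies to documents protected with tracking enabled.
Import-Module AIPService
Connect-AipService

# 1. Locate the protected copies of the document that Alice protected in the last 90 days.
$docs = Get-AipServiceDocumentLog -ContentName 'Budget-FY25.xlsx' -Owner 'alice@contoso.com' `
    -FromTime (Get-Date).AddDays(-90) -ToTime (Get-Date)
$docs | Format-List *

# 2. For each copy, who requested a use license, with what rights, and did it succeed?
#    Failed requests from unexpected accounts are the signal that the file has leaked.
foreach ($d in $docs) {
    Write-Host "Access log for content $($d.ContentId)"
    Get-AipServiceTrackingLog -ContentId $d.ContentId | Format-Table -AutoSize
}

# 3. Revoke. Every future open fails at license acquisition, including downloaded copies.
#    Copies with a still-valid cached license keep working until their offline window lapses.
foreach ($d in $docs) {
    Set-AipServiceDocumentRevoked -ContentId $d.ContentId -IssuerName $d.Issuer
}
```

The caveat in step 3 is the one practitioners miss: revocation is enforced when a client asks the RMS service for a license, so a short offline-access window on the label (see the label settings above) bounds how long a revoked file stays readable.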
Endpoint DLP
Endpoint DLP extends DLP policies to Windows 10/11 endpoints. Devices must be onboarded to Microsoft Purview (same onboarding as MDE) via Intune or Group Policy.
Activities Monitored
- File copy to USB removable media
- File upload to cloud services (browser)
- File copy to network share
- Print to local or network printer
- Copy to clipboard
- Bluetooth transfer
- RDP session file transfer
Endpoint DLP Configuration
- Onboard devices via Intune or MDE (same agent); devices already onboarded to MDE appear once device onboarding is turned on in Purview
- Turn on device onboarding under Purview settings
- Define sensitive service domains and service domain groups (audit, block, or allow uploads per domain)
- Browsers: Edge is enforced natively; Chrome and Firefox need the Microsoft Purview extension; other browsers go on the unallowed browsers list so uploads from them are blocked
- Removable media: Audit only, Block with override, or Block, optionally scoped by removable device group (vendor, product, serial)
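The activities and restriction levels above expressed as an Endpoint DLP policy. This is an added example, not code from the original page: it assumes an existing Connect-IPPSSession and onboarded Windows devices, the policy name is a placeholder, and the Setting names follow the documented values for the EndpointDlpRestrictions parameter (check them against Get-Help New-DlpComplianceRule -Parameter EndpointDlpRestrictions for your module version).

```powershell
# Added example. Assumes Connect-IPPSSession and devices already onboarded; name is a placeholder.
# Value semantics: Audit = log only, Warn = block with user override, Block = block.

New-DlpCompliancePolicy -Name 'PCI DSS - Endpoints' `
    -Comment 'Credit card data on managed Windows devices' `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name 'PCI on devices' -Policy 'PCI DSS - Endpoints' `
    -ContentContainsSensitiveInformation @{Name='Credit Card Number'; minCount='1'; minConfidence='85'} `
    -EndpointDlpRestrictions @(
        @{Setting='RemovableMedia';        Value='Block'},  # copy to USB
        @{Setting='NetworkShare';          Value='Warn'},   # copy to a share, override allowed
        @{Setting='Print';                 Value='Warn'},
        @{Setting='CopyPaste';             Value='Audit'},  # clipboard: visibility first
        @{Setting='CloudEgress';           Value='Block'},  # browser upload to unallowed domains
        @{Setting='BluetoothApp';          Value='Block'},
        @{Setting='RemoteDesktopServices'; Value='Audit'}   # RDP file transfer
    ) `
    -NotifyUser Owner `
    -NotifyAllowOverride WithJustification

# Review what the rule would have done before enforcing it.
Get-DlpComplianceRule -Policy 'PCI DSS - Endpoints' | Select-Object Name, EndpointDlpRestrictions
# Set-DlpCompliancePolicy -Identity 'PCI DSS - Endpoints' -Mode Enable
```

Starting the clipboard and RDP activities at Audit is the usual compromise: they generate the most noise from legitimate work, and two weeks of Activity Explorer data shows whether Warn is tolerable before anyone is interrupted.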
Retention Policies & Labels
Retention Policies
- Apply org-wide retention rules automatically
- Retain: keep for N years, then delete or trigger a review
- Delete: delete after N years regardless of content
- Locations: Exchange, SharePoint, OneDrive, Teams, Viva Engage
- Compliance: GDPR sets no fixed period (storage limitation: keep data only as long as the stated purpose needs); HIPAA requires 6 years for required documentation; SOX requires 7 years for audit workpapers. Map each regulation's actual period before configuring.
Retention Labels
- Applied per document or folder (more granular)
- Can trigger a disposition review before deletion
- Mark as a record (immutable)
- Auto-apply based on SIT or query
- Recommended for regulatory record management
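The retention policy and retention label bullets above as compliance cmdlets. This is an added example, not code from the original page: it assumes an existing Connect-IPPSSession, the policy and label names, reviewer address and KQL query are placeholders, and 2555 days is used as 7 years.

```powershell
# Added example. Assumes Connect-IPPSSession; names, addresses and the KQL query are placeholders.

# Org-wide policy: keep 7 years from creation, then delete. Exchange, SharePoint and OneDrive
# can share one policy.
New-RetentionCompliancePolicy -Name 'Corporate 7-year retention' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'Keep 7y then delete' -Policy 'Corporate 7-year retention' `
    -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete -ExpirationDateOption CreationAgeInDays

# Teams chats and channel messages need their own policy; they cannot be mixed with other locations.
New-RetentionCompliancePolicy -Name 'Teams 1-year retention' -TeamsChatLocation All -TeamsChannelLocation All
New-RetentionComplianceRule -Name 'Teams keep 1y' -Policy 'Teams 1-year retention' `
    -RetentionDuration 365 -RetentionComplianceAction KeepAndDelete

# Record label: the item becomes immutable when labeled, is kept 7 years from creation, and a
# named reviewer decides at disposition instead of an automatic delete.
New-ComplianceTag -Name 'SOX Audit Record' -Comment 'Audit workpapers - SOX 7 years' `
    -IsRecordLabel $true `
    -RetentionAction KeepAndDelete -RetentionDuration 2555 -RetentionType CreationAgeInDays `
    -ReviewerEmail 'records-mgr@contoso.com'

# Auto-apply the record label by content query (a SIT condition would use
# -ContentContainsSensitiveInformation instead of -ContentMatchQuery).
New-RetentionCompliancePolicy -Name 'Auto-apply SOX records' -SharePointLocation All -ExchangeLocation All
New-RetentionComplianceRule -Name 'Tag audit workpapers' -Policy 'Auto-apply SOX records' `
    -ApplyComplianceTag 'SOX Audit Record' `
    -ContentMatchQuery '"audit workpaper" OR "SOX workpaper"'

# Check what is deployed; Workload shows which locations each policy reaches.
Get-RetentionCompliancePolicy | Select-Object Name, Enabled, Workload, Mode
Get-ComplianceTag | Select-Object Name, IsRecordLabel, RetentionAction, RetentionDuration
```

Retention policies and record labels coexist by design: the policy sets the floor for everything, while the label pins specific items as records so a user cannot delete or edit them before the disposition reviewer releases them.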
DSPM for AI (Copilot Protection)
Data Security Posture Management for AI (formerly Microsoft Purview AI Hub) is the newest Purview module. It assesses risks introduced by Microsoft 365 Copilot and other AI apps: oversharing, sensitive data in prompts, and shadow AI usage.
What DSPM for AI Does
- Detects sensitive data referenced in Copilot prompts
- Identifies overshared content that Copilot can surface
- Monitors 3rd-party AI app usage (shadow AI)
- Provides remediation recommendations
- Tracks user interactions with AI tools
Protection Actions
- Sensitivity labels with encryption: Copilot only returns content the user holds EXTRACT rights to, and generated content inherits the label of the most sensitive referenced item
- DLP policy with the Microsoft 365 Copilot location: exclude items carrying specified sensitivity labels from Copilot processing and summarization
- Endpoint DLP sensitive service domains: warn or block when a user pastes PII into a third-party AI site; Defender for Cloud Apps discovery catalogs the shadow AI apps in use
- SharePoint Restricted Content Discovery / restricted search: keep overshared sites out of Copilot grounding while they are remediated
- Audit: Copilot prompts and responses are recorded as CopilotInteraction events, which feed the AI activity reports
Audit & eDiscovery
Audit Log
- Standard audit: 180-day retention (M365 E3; previously 90 days)
- Premium audit: 1 year by default, up to 10 years with the 10-Year Audit Log Retention add-on (M365 E5)
- High-value events: Mail access, file operations, admin actions
- Query via Purview compliance portal or PowerShell
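A query that ties the audit-log bullets above to the DSPM for AI section: pull Copilot interactions from the unified audit log and list which files Copilot grounded on and whether they carried a sensitivity label. This is an added example, not code from the original page: it assumes an existing Connect-IPPSSession and that Copilot audit events are present, and the property names follow the CopilotInteraction audit schema (CopilotEventData.AccessedResources with Name and SensitivityLabelId).

```powershell
# Added example. Assumes Connect-IPPSSession and CopilotInteraction events in the audit log.
# Field names per the CopilotInteraction audit record schema.
function Get-CopilotGroundingReport {
    param([int]$Days = 7)

    $start     = (Get-Date).AddDays(-$Days)
    $end       = Get-Date
    $sessionId = "copilot-$([guid]::NewGuid())"   # one session per paged query
    $records   = @()

    # Search-UnifiedAuditLog returns at most 5000 rows per call; repeating the call with the
    # same SessionId and ReturnLargeSet pages through the rest until a call returns nothing.
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType CopilotInteraction -ResultSize 5000 `
            -SessionId $sessionId -SessionCommand ReturnLargeSet
        $records += $page
    } while ($page)

    foreach ($r in $records) {
        $data = $r.AuditData | ConvertFrom-Json
        foreach ($res in $data.CopilotEventData.AccessedResources) {
            [pscustomobject]@{
                When      = $r.CreationDate
                User      = $r.UserIds
                AppHost   = $data.CopilotEventData.AppHost     # e.g. Word, Teams, Bing
                Resource  = $res.Name
                LabelId   = $res.SensitivityLabelId
                Unlabeled = [string]::IsNullOrEmpty($res.SensitivityLabelId)
            }
        }
    }
}

# Unlabeled files that Copilot keeps summarizing are the oversharing candidates to label first.
Get-CopilotGroundingReport -Days 7 |
    Where-Object Unlabeled |
    Group-Object Resource |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

The output is a direct check on the oversharing assessment: an item that shows up here without a label is reachable by Copilot for whoever asked, so it is either correctly public or a labeling and permissions gap.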
eDiscovery
- Standard: Search, export, hold
- Premium: Custodian management, review sets, analytics
- Legal hold: Preserve content from deletion
- Litigation hold: Applied per mailbox
Reports & Activity Explorer
Activity Explorer
- All label and DLP activity in one view
- Filter by user, location, activity type
- 30 days of data
- Export to CSV
DLP Reports
- Policy match count and trend
- Top users with violations
- Override reasons summary
- False positive rate
AI Activity Reports
- Copilot prompt sensitivity hits
- Shadow AI app usage by user
- Oversharing risk assessment score
- Recommended remediations
PowerShell & Graph

```powershell
# Connect to Security & Compliance PowerShell (ExchangeOnlineManagement module)
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# List DLP policies; Mode distinguishes Enable from TestWithNotifications / TestWithoutNotifications
Get-DlpCompliancePolicy | Select-Object Name, Mode, Enabled, Workload

# Rules of one policy and the SITs they key on (lower Priority is evaluated first)
Get-DlpComplianceRule -Policy "PCI DSS - Credit Card" |
    Select-Object Name, Disabled, Priority, ContentContainsSensitiveInformation

# Sensitivity labels in priority order
Get-Label | Select-Object Name, Priority, ContentType, Disabled

# Search the audit log for SharePoint file access in the last 7 days.
# ResultSize caps at 5000 per call; page with -SessionId and -SessionCommand ReturnLargeSet for more.
Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) `
    -Operations FileAccessed, FileDownloaded `
    -RecordType SharePointFileOperation `
    -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, AuditData
```

Creating a DLP policy through the Graph beta endpoint:

```http
POST https://graph.microsoft.com/beta/security/dataLossPreventionPolicies
Content-Type: application/json

{
  "displayName": "Block External Sharing of Credit Card Data",
  "mode": "simulation",
  "locations": [{ "location": "Exchange" }]
}
```

The beta surface is not stable; confirm the resource and its properties against the current Graph reference before scripting against it. The compliance cmdlets above remain the supported path for policy creation.
Implementation Checklist
Sensitivity Labels
- Label taxonomy defined and approved by stakeholders
- Sensitivity labels created in Purview portal
- Label policies published to users/groups
- Default label configured for Office apps
- Mandatory labeling enabled
- Auto-labeling configured for key SITs
DLP Policies
- DLP policy for PCI (credit card) data
- DLP policy for PII (SSN, passport)
- DLP policy for external sharing of sensitive labels
- All policies start in Simulation mode
- Activity Explorer reviewed before enforcement
- Endpoint DLP devices onboarded
Retention & Records
- Retention requirements mapped per regulation
- Retention policies applied to Exchange and SharePoint
- Teams retention policy configured
- Retention labels for records management created
DSPM & AI Protection
- DSPM for AI enabled in Purview
- Copilot interaction audit enabled
- Shadow AI app discovery reviewed
- Oversharing assessment completed and remediated