In today's rapidly evolving technology landscape, data security and compliance are key. Microsoft Purview offers a robust solution for managing and securing interactions with AI based solutions.
This integration not only enhances data governance but also ensures that sensitive information is handled with the appropriate controls. Let's dive into the benefits of this integration and outline the steps to integrate with ChatGPT Enterprise in specific.
The integration works for Entra connected users on the ChatGPT workspace, if you have needs that goes beyond this, please tell us why and how it impacts you.
Benefits of Integrating ChatGPT Enterprise with Microsoft Purview
- Enhanced Data Security: By integrating ChatGPT Enterprise with Microsoft Purview, organizations can ensure that interactions are securely captured and stored within their Microsoft 365 tenant. This includes user text prompts and AI app text responses, providing a comprehensive record of communications.
- Compliance and Governance: Microsoft Purview offers a range of compliance solutions, including Insider Risk Management, eDiscovery, Communication Compliance, and Data Lifecycle & Records Management. These tools help organizations meet regulatory requirements and manage data effectively.
- Customizable Detection: The integration allows for the detection of built in can custom classifiers for sensitive information, which can be customized to meet the specific needs of the organization. To help ensures that sensitive data is identified and protected. The audit data streams into Advanced Hunting and the Unified Audit events that can generate visualisations of trends and other insights.
- Seamless Integration: The ChatGPT Enterprise integration uses the Purview API to push data into Compliant Storage, ensuring that external data sources cannot access and push data directly. This provides an additional layer of security and control.
Step-by-Step Guide to Setting Up the Integration
1. Get Object ID for the Purview account in Your Tenant:
- Go to portal.azure.com and search for "Microsoft Purview" in the search bar.
- Click on "Microsoft Purview accounts" from the search results.
- Select the Purview account you are using and copy the account name.
- Go to portal.azure.com and search for “Enterprise" in the search bar. Click on Enterprise applications.
- Remove the filter for Enterprise Applications
- Select All applications under manage, search for the name and copy the Object ID.
2. Assign Graph API Roles to Your Managed Identity Application:
- Assign Purview API roles to your managed identity application by connecting to MS Graph utilizing Cloud Shell in the Azure portal.
- Open a PowerShell window in portal.azure.com and run the command Connect-MgGraph. Authenticate and sign in to your account.
- Run the following cmdlet to get the ServicePrincipal ID for your organization for the Purview API app.
(Get-MgServicePrincipal -Filter "AppId eq '9ec59623-ce40-4dc8-a635-ed0275b5d58a'").id
- This command provides the permission of Purview.ProcessConversationMessages.All to the Microsoft Purview Account allowing classification processing. Update the ObjectId to the one retrieved in step 1 for command and body parameter. Update the ResourceId to the ServicePrincipal ID retrieved in the last step.
$bodyParam= @{
"PrincipalId"= "{ObjectID}"
"ResourceId" = "{ResourceId}"
"AppRoleId" = "{a4543e1f-6e5d-4ec9-a54a-f3b8c156163f}"
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId '{ObjectId}' -BodyParameter $bodyParam
- It will look something like this from the command line
3. Store the ChatGPT Enterprise API Key in Key Vault
- The steps for setting up Key vault integration for Data Map can be found here Create and manage credentials for scans in the Microsoft Purview Data Map | Microsoft Learn
- When setup you will see something like this in Key vault.
4. Integrate ChatGPT Enterprise Workspace to Purview:
- Create a new data source in Purview Data Map that connects to the ChatGPT Enterprise workspace. Go to purview.microsoft.com and select Data Map, search if you do not see it on the first screen.
- Select Data sources
- Select Register
-
- Search for ChatGPT Enterprise and select
- Provide your ChatGPT Enterprise ID
- Create the first scan by selecting Table view and filter on ChatGPT
- Add your key vault credentials to the scan
- Test the connection and once complete click continue
- When you click continue the following screen will show up, if everything is ok click Save and run.
- Validate the progress by clicking on the name, completion of the first full scan may take an extended period of time. Depending on size it may take more than 24h to complete.
- If you click on the scan name you expand to all the runs for that scan.
When the scan completes you can start to make use of the DSPM for AI experience to review interactions with ChatGPT Enterprise. The mapping to the users is based on the ChatGPT Enterprise connection to Entra, with prompts and responses stored in the user's mailbox.
5. Review and Monitor Data:
Please see this article for required permissions and guidance around Microsoft Purview Data Security Posture Management (DSPM) for AI, Microsoft Purview data security and compliance protections for Microsoft 365 Copilot and other generative AI apps | Microsoft Learn
- Use Purview DSPM for AI analytics and Activity Explorer to review interactions and classifications.
- You can expand on prompts and responses in ChatGPT Enterprise
6. Microsoft Purview Communication Compliance
Communication Compliance (here after CC) is a feature of Microsoft Purview that allows you to monitor and detect inappropriate or risky interactions with ChatGPT Enterprise. You can monitor and detect requests and responses that are inappropriate based on ML models, regular Sensitive Information Types, and other classifiers in Purview. This can help you identify Jailbreak and Prompt injection attacks and flag them to IRM and for case management.
Detailed steps to configure CC policies and supported configurations can be found here.
7. Microsoft Purview Insider Risk Management
We believe that Microsoft Purview Insider Risk Management (here after IRM) can serve a key role in protecting your AI workloads long term. With its adaptive protection capabilities, IRM dynamically adjusts user access based on evolving risk levels. In the event of heightened risk, IRM can enforce Data Loss Prevention (DLP) policies on sensitive content, apply tailored Entra Conditional Access policies, and initiate other necessary actions to effectively mitigate potential risks.
This strategic approach will help you to apply more stringent policies where it matters avoiding a boil the ocean approach to allow your team to get started using AI.
To get started use the signals that are available to you including CC signals to raise IRM tickets and enforce adaptive protection. You should create your own custom IRM policy for this. Do include Defender signals as well.
Based on elevated risk you may select to block users from accessing certain assets such as ChatGPT Enterprise. Please see this article for more detail Block access for users with elevated insider risk - Microsoft Entra ID | Microsoft Learn.
8. eDiscovery
eDiscovery of AI interactions is crucial for legal compliance, transparency, accountability, risk management, and data privacy protection. Many industries must preserve and discover electronic communications and interactions to meet regulatory requirements. Including AI interactions in eDiscovery ensures organizations comply with these obligations and preserves relevant evidence for litigation. This process also helps maintain trust by enabling the review of AI decisions and actions, demonstrating due diligence to regulators. Microsoft Purview eDiscovery solutions | Microsoft Learn
9. Data Lifecycle Management
Microsoft Purview offers robust solutions to manage AI data from creation to deletion, including classification, retention, and secure disposal. This ensures that AI interactions are preserved and retrievable for audits, litigation, and compliance purposes. Please see this article for more information Automatically retain or delete content by using retention policies | Microsoft Learn.
Closing
By following these steps, organizations can leverage the full potential of Microsoft Purview to enhance the security and compliance of their ChatGPT Enterprise interactions. This integration not only provides peace of mind but also empowers organizations to manage their data more effectively.
We are still in preview some of the features listed are not fully integrated, please reach out to us if you have any questions or if you have additional requirements.
Updated Jan 30, 2025
Version 2.0Jon_Nordstrom
Microsoft
Joined July 17, 2018
Microsoft Security Blog
Follow this blog board to get notified when there's new activity