Latest Discussions
Objects in a Retention Policy populated by Adaptive Scopes
I need a way to get all users in a retention policy that is populated by an adaptive scope. I can get all the members of the scope, and I can show that the policy uses that adaptive scope. But I know my audience. They will want to see that the users are actually in the policy. They will probably even want to see that it matches the users in the adaptive scope. In the GUI, I can click on an adaptive retention policy and click on "policy details". This will show all the users that the policy applies to and the date/time they were added, if they were removed from the policy, etc. And I can even export that. How can I get this same information via PowerShell? It's going to be important because, as you can see, there's a big difference in the date/time added. They were all in the adaptive scope BEFORE this policy was created, but it still took nearly 24 hours for all users to be added. Which is fine, and typical, but if a user gets added to the adaptive scope and does not have the policy applied to them within 24 hours, we need to know this. The goal is as much automation as possible, with checks and balances in place. Checks and balances require gathering information. That's going to require getting this information via PowerShell.

Raechel Moermond, Jan 22, 2026, Brass Contributor

DLP Policy exclusion if any of the recipients are internal
I am trying to add an exclusion to my DLP policies when one of the recipients of an email is from a trusted domain. To do this I added a group to my rule and used the "AND NOT Recipient domain is" condition with a list of approved domains. The rule works for email to a single recipient but not when there are multiple recipients.

Marc_spieler, Jan 22, 2026, Copper Contributor

Can't Sign confidential documents
Hello, I have a problem. I want to send confidential contracts to customers for signing with Adobe DocuSign. These contracts have a "confidential" label from Purview and are encrypted. But now the customer can't sign the contract with DocuSign because of the encryption. Is there a way that they can sign the document? We must encrypt the documents for compliance reasons and ISMS. Thank you.

matthias08, Jan 21, 2026, Occasional Reader

Two sensitivity labels on PDF file
Hi everyone, first time poster here. We encountered an interesting issue yesterday where we had a user come to us with a PDF that had two sensitivity labels attached. In Purview activity explorer, we can see the file hit the DLP policy and the two labels, but when trying to replicate the issue we cannot do it, or see how this has been done. Has anyone else encountered a similar issue? We were able to remove labels in our PDF editor, but in the Office suite, once a label is applied, I could not see a way to remove it. We tried applying a label to a Doc file, converting to PDF and then seeing if it was there, where it was being asked for another label, but it was not; it just let us change the original. Many thanks in advance!

courtney_green, Jan 21, 2026, Copper Contributor

Information Scanner - SQL connection fails
Hello everyone, we are currently deploying the information scanner. The issue appeared after the scanner was already installed successfully. SQL Server is running on a custom TCP port (49999), encrypted connection, and the scanner database exists with the correct owner (service account). We also acquired the Entra token.

Error: Failed to access scanner database. Verify the database is up and running and can be accessed by scanner service account and by the currently logged in user that executes the command.

Troubleshooting steps taken:
- Diag shows: Invalid database schema or cannot access the scanner DB. To update the database schema, run Update-ScannerDatabase. Make sure all nodes run the same MIP client version.
- SQL error message: Could not obtain information about Windows NT group/user 'Domain\scanaccount', error code 0x5.
- Update-ScannerDatabase executed - same error.
- Logins to the SQL Server are successful.
- SQLCMD: sqlcmd -S SQL.company.de,4321 -E -N -Q "SELECT @@VERSION" ## Worked

Other configs:
- Tried to reregister the database multiple times / service account is sysadmin on the SQL server (shared).
- SQL DB alias used instead of port / SQL Browser did not work.
- Allowed everything through the firewall on the SQL server - still fails.

4 hours of troubleshooting gone by and I am stuck - what can I do next?

BR Stephan

StephanGee, Jan 21, 2026, Iron Contributor

Microsoft Purview - Endpoint Data Discovery
Hi all, I wanted to understand Microsoft Purview's capabilities around data discovery on Windows endpoints, specifically in a legacy data scenario.

Use case: We have data residing on Windows machines/endpoints that is:
- Legacy in nature
- Not being actively moved, migrated, or modified
- Sitting at rest on local disks (user endpoints)

Questions:
- Can Microsoft Purview perform data discovery or classification on such endpoint-resident data?
- Does Purview support scanning or discovering data on Windows endpoints at rest, without requiring the data to be uploaded, migrated, or modified?
- If not directly, are there any supported approaches or workarounds (e.g., via integrations with Microsoft Defender for Endpoint, Information Protection scanners, or other Purview components) to achieve this?
- What are the current limitations of Purview when it comes to endpoint-based data discovery?

Abutalhakhan, Jan 21, 2026, Copper Contributor

How do I import Purview Unified Audit Log data related to the use of the Audit Log into Sentinel?
Dear Community, I would like to implement the following scenario in an environment with Microsoft 365 E5 licenses.

Scenario: I want to import audit activities into an Azure Log Analytics workspace linked to Sentinel to generate alerts/incidents as soon as a search is performed in the Microsoft 365 Purview Unified Audit Log (primarily for IRM purposes).

Challenge: Neither the "Microsoft 365" connector, nor the "Defender XDR" or "Purview" connectors (which appear to be exclusively Azure Purview) are importing the necessary data.

Question: Which connector do I have to use in order to obtain Purview Unified Audit Log activities about the use of the Purview Unified Audit Log so that I can use them to build corresponding rules in Sentinel? Thank you!

BM-HV, Jan 21, 2026, Copper Contributor

Different Retention Policies for Active/Inactive Mailboxes
Cloud Environment: Azure GOV tenant, GCC-High. Users are licensed with:
- MS365 E3 - GCCHIGH
- MS Defender for Office365 (Plan 1) - GCCHIGH
- Windows 10/11 Enterprise E5 - GCCHIGH

Hybrid Identity: Users are synced from AD DS to Entra ID via Entra Connect. Thus, we set various identity attributes, like "Department", using the AD DS attribute editor. Confirmed the "Department" attribute is syncing correctly to Entra ID.

Purview Adaptive scopes:
- Active Mailboxes (user), OPATH query: (IsInactiveMailbox -eq "False")
- Inactive Project Staff (user), OPATH query: (IsInactiveMailbox -eq "True") -and (Department -eq "project staff")
- Inactive Contract Staff (user), OPATH query: (IsInactiveMailbox -eq "True") -and (Department -eq "contract staff")

Purview Data Lifecycle Management, Retention policies:
- Default Data Retention (Exchange mailboxes) - Adaptive scope "Active Mailboxes", Retention: keep content for 7 years, then do nothing.
- Inactive Project Staff (Exchange mailboxes) - Adaptive scope "Inactive Project Staff", Retention: keep items for 3 years, then delete items automatically.
- Inactive Contract Staff (Exchange mailboxes) - Adaptive scope "Inactive Contract Staff", Retention: keep items for 1 year, then delete items automatically.

Desired Outcome: All active staff, regardless of Department attribute, have the "Default Data Retention" policy applied to their mailbox, so when their account is deleted in AD DS (soft deleted in Entra ID after Entra Connect sync), their mailbox goes to the inactive state. Then, when the mailbox is inactive, the "Inactive" retention policy is automatically applied depending on what their Department attribute was before their Entra ID identity got soft deleted by the Entra Connect sync.

Problem/Questions: We tried this for 1 user account, and although the Default Data Retention policy was applied before the user was soft deleted, the Inactive Project Staff policy was never applied (waited 4 days). This test user didn't have any licenses assigned to them when we tried this, unfortunately. Could this be the reason why the Inactive Project Staff policy was never applied? When they were soft deleted, their mailbox was visible in Purview "Inactive mailboxes". Will adaptive scope retention policies still be applied to inactive mailboxes if that adaptive scope relies on an Entra ID attribute like "Department"? I assume this Entra ID attribute is somehow stored in the now inactive mailbox.

dbecker88, Jan 20, 2026, Copper Contributor

Label group migration - existing files labelled with former parent labels
Hi, I have a question about behavior during migration from legacy parent labels to label groups. Historically, we were allowed to apply parent labels directly to content. In our environment, we have an existing parent label called PUBLIC which has sublabels. PUBLIC itself has content encryption configured, so during migration it will be recreated as a sublabel within a label group. As a result, there are existing files that are currently labelled simply as PUBLIC (applied back when parent labels could be used directly). Post-migration, we plan to de-publish this newly created PUBLIC sublabel from user-facing policies. My question is about what happens to those existing files during and after the migration. Will files that are already labelled as PUBLIC automatically be updated to a specific label within the label group, such as PUBLIC/PUBLIC, or will they remain labelled as PUBLIC with no automatic relabelling? In other words, does the label group migration perform any automatic relabelling of existing content, or does it only affect label structure and publication going forward?

Justification not triggered when downgrading between sublabels under same parent label
Hi all, I am looking for confirmation of expected behaviour with Microsoft Purview sensitivity labels and justification. We have justification enabled in our sensitivity label policy. When a user changes a label between labels that belong to the same label group, no justification prompt appears. When a user changes from a label in one label group to a label in a different label group, the justification prompt does appear as expected. Is this behavior by design? Specifically, does Microsoft treat the label group as the enforcement boundary for downgrade justification, meaning justification is not evaluated when moving between labels within the same group, even if effective protection is reduced? If this is expected, is there any supported way to require justification when downgrading between labels in the same label group? Thank you!