Pinned Posts
Forum Widgets
Latest Discussions
Classification on DataBricks
Hello everyone, I would like to request an updated confirmation regarding the correct functioning of custom classification for Databricks Unity Catalog data sources. Here is my current setup: The data source is active. Source scanning is working correctly. I created the custom classification in “Annotation management / Classifications”. I created and successfully tested the regular expression under “Annotation management / Classification Rules”. I generated the Custom Scan Rule Set in “Source management / Scan Rule Sets”, associated to Databricks and selecting the custom rule. However, when running the scan on Databricks: I do not find any option to select my Scan Rule Set (for another source like Teradata, this option is visible). No classification findings are generated based on my custom rule. Other tests do produce findings (system-generated). Does anyone have insights on what I should verify? Or is this custom classification functionality not supported for Databricks?
Automatic sensitivity label on existing labeled documents and emails
If I enable today automatic sensitivity labeling for label "Confidential" on behalf on sensitive information type "Credit Card" and 1000 documents are labeled with the label "Confidential". What happend if I remove the sensitive information type "Credit Card" from the label "Confidential", and put it on the Automatic sensitivity label "Highly Confidential". What happend to the 1000 documents which already have the label "Confidential"? Will it be modified to "Highly Confidential" or not?
Email to external(trusted user) not require verify user Identity(with Google or One-time passcode)
Dear Expert and Community, I am starting with MS Purview - Data Loss Prevention. I have one point to clarify and seek your advise / comment / contribute or sharing good practice regarding with below: - Firstly, we can send email to externally user contain sensitive information, it is encryption or blocked (result: worked as expected). If remail encrypt, the external receiver require verify the Identity via sign in with google acc / with a one time password. - Second: we plan sending email to external user (only trusted user / domain). Is it possible, do not require these scope user reverify their Identity again and again? If yes, how to do it? If not - why? Well appreciated for update and supporting. Thanks,
eDiscovery - Issues exploring groups & users related to a hybrid data source
Hi all, first time posting - unusually I could find nothing out there that helped. I work in an organisation has an on-premises domain which syncs to our tenant. I don't manage the domain or the sync, but I'm assured that the settings are vanilla and there are no errors being logged. 99% of our users are hybrid. The tenant is shared across multiple legal entities, so I'm using eDiscovery to fulfil our GDPR subject access requests The issue I am hitting is straightforward. in eDiscovery searches with hybrid users as the data source, I cannot add related objects (manager, direct reports, groups the user is in). The properties are present in Entra, but not visible to Purview, so I'm not investigating sync errors at the moment. For cloud objects, I can see manager, teams, etc. and it works fine. Does anyone have any insights they can share on the "explore and add" mechanics in eDiscovery search data sources? I'm drawing a complete blank on this one. Where should I be looking?[HELP] "Action required for browser protections" alert
Hello! I have an Endpoint DLP policy with Device location. After several scoping changes (device groups, inclusions/exclusions) to narrow it to a specific target group, the orange alert appeared: Action required for browser protections. One or more policies were not applied in Edge for Business. This could be due to a policy sync issue, lack of required permissions, or an issue with the server. Either resync these policies or contact an admin with the required permissions to resync. After resyncing, you might still see this message for up to 1 day while the system completes the sync and activates protections. The policies were working before. Clicked Resync multiple times, only for the error to return. Please help![HELP]"Action required for browser protections" alert
Hello! I have an Endpoint DLP policy with the Devices location. After multiple scoping changes (device groups, inclusions/exclusions) to narrow it to a specific target group, the alert appeared: Action required for browser protections. One or more policies were not applied in Edge for Business. This could be due to a policy sync issue, lack of required permissions, or an issue with the server. Either resync these policies or contact an admin with the required permissions to resync. After resyncing, you might still see this message for up to 1 day while the system completes the sync and activates protections. The policies were working before. Clicked Resync multiple times, banner disappears briefly, only to return. Please help!
Datascan not picking up the schema of .parquet files ParquetFormat JavaInvocationException happened
Since about a week we have a problem with our datascan on ADLS not picking up the schema of .parquet files. It does pick up on the asset but not on the schema of said asset. The parquet files are perfectly readable and writeable with Fabric/spark. Purview had no issue picking them up before last week, but it seems that something has changed on the Microsoft side? Anyone else facing these issues recently? 2026-02-02T06:21:47.116Z,SystemError,ReadData,https://xxx.dfs.core.windows.net/landingzone/masterdata/someotherfile.parquet,ParquetFormat JavaInvocationException happened,ScanErr0000Guidance: Sensitivity Labels during Mergers & Acquisitions (separate tenants, non-M365, etc.)
We’re building an internal playbook for how to handle Microsoft Purview sensitivity labels during mergers and acquisitions, and I’d really appreciate any lessons learned or best practices. Specifically, I’m interested in how others have handled: Acquired organizations on a separate Microsoft 365/O365 tenant for an extended period (pre- and post-close): How did you handle “Internal Only” content when the two tenants couldn’t fully trust each other yet? Any tips to reduce friction for collaboration between tenants during the transition? Existing label structures, such as: We use labels like “All Internal Only” and labels with user-defined permissions — has anyone found good patterns for mapping or reconciling these with another company’s labels? What if the acquired company is already using sensitivity labels with a different taxonomy? How did you rationalize or migrate them? Acquisitions where the target does not use Microsoft 365 (for example, Google Workspace, on-prem, or other platforms): Any strategies for protecting imported content with labels during or after migration? Gotchas around legacy permissions versus label-based protections? General pitfalls or watch-outs between deal close and full migration: Anything you wish you had known before your first M&A with Purview labels in play? Policies or configurations you’d recommend setting (or avoiding) during the interim period? Any examples, war stories, or template approaches you’re willing to share would be incredibly helpful as we shape our playbook. Thanks in advance for any insights!
Purview Data Map – Proposed Domain & Collection Structure
Microsoft Purview Data Map – Proposed Domain & Collection Structure This proposed Microsoft Purview Data Map domain and collection structure ensures that users responsible for specific data assets can be granted precisely scoped permissions—particularly for updating metadata—by mapping Business Units, Departments, Teams, and environments in a clear hierarchy that allows RBAC inheritance to assign the right level of access to the right people. Domain Name Data Catalogue (Short, clear, governance-aligned name to avoid UI truncation and scripting issues.) Collection Path Data Catalogue → Business Units → Departments → Teams → [Prod | Non-Prod] Level 1: Business Units Level 2: Departments (within each Business Unit) Level 3: Teams (within each Department) Optional: Environment segregation under Teams (Prod / Non-Prod) Reasons & Requirements 1. Domain Naming Short, clear name avoids UI truncation and scripting issues. Detailed descriptions stored in metadata; name remains simple for automation and future-proofing. 2. Structure Alignment Alignment with organisational charts and unified governance hierarchy: Business Units → Departments → Teams Provides intuitive navigation and meaningful context for users. 3. Hierarchy Depth Limited to 4–5 levels for usability and RBAC inheritance. Avoids unnecessary complexity while maintaining clarity. 4. Environment Handling Prod / Non-Prod split under Teams for simplicity. Additional environments only if governance differs significantly. 5. RBAC & Ownership Permissions align with organisational roles. Supports the principle of least privilege. 6. Scanning & Policy Scans assigned at Team level for precise governance. Policies inherit from higher levels for consistency. Selective scanning preferred for cost efficiency. 7. Best Practice Compliance Matches Microsoft guidance: short names, shallow hierarchy, environment segregation. Clear distinction between governance path and technical hierarchy. Role Assignment in Collections Data Curator Role Designed for users who: Edit and update metadata. Manage business context for assets within the collection. Assign to: Data Owners (Directorate level). Data Stewards (Team level). Data Product Owners / Asset Managers (for their own assets). Why at Collection Level? RBAC in Purview inherits down the collection hierarchy: Assign at Team collection → edit metadata for all assets in that Team. Assign at Group or Directorate level → edit metadata for all child collections. Ensures least privilege and ownership-based editing. Best Practice Read-only roles (Data Reader) applied broadly for transparency. Data Curator scoped to the lowest level where the user has responsibility (usually Team). Avoid assigning Data Curator at the root unless absolutely necessary.Secure your data—Microsoft Purview at Ignite 2025
Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, to learn what’s new and what’s next across data security, compliance, and AI. This year’s sessions and labs will help you prevent data exfiltration, manage insider risks, and enable responsible AI adoption across your organization. Featured sessions: BRK250: Preventing data exfiltration with a layered protection strategy Learn how Microsoft Purview enables a layered approach to data protection, including AI and non-AI apps, devices, browsers, and networks. BRK257: Drive secure Microsoft 365 Copilot adoption using Microsoft Purview Discover built-in safeguards to prevent data loss and insider risks as you scale Copilot and agentic AI. LAB548: Prevent data exposure in Copilot and AI apps with DLP Configure DLP policies to protect sensitive data across Microsoft 365 services and AI scenarios. Explore and filter the full security catalog by topic, format, and role: aka.ms/Ignite/SecuritySessions. Why attend: Ignite is your chance to see the latest Purview features, connect with product experts, and get hands-on with new compliance and data protection tools. Microsoft will also preview future enhancements for agentic AI and unified data governance. Security Forum (November 17): Kick off with an immersive, in‑person pre‑day focused on strategic security discussions and real‑world guidance from Microsoft leaders and industry experts. Select Security Forum during registration. Connect with peers and security leaders through these signature security experiences: Security Leaders Dinner—CISOs and VPs connect with Microsoft leaders. CISO Roundtable—Gain practical insights on secure AI adoption. Secure the Night Party—Network in a relaxed, fun setting. Register for Microsoft Ignite >
