Forum Widgets
Latest Discussions
Endpoint DLP Collection Evidence on Devices
Hello team, I am trying to setup the feature collect evidence when endpoint DLP match. Official feature documentation: https://learn.microsoft.com/en-us/purview/dlp-copy-matched-items-learn https://learn.microsoft.com/en-us/purview/dlp-copy-matched-items-get-started unfortunately, it is not working as described in the official documentation, I opened ticket with Microsoft support and MIcrosoft Service Hub, Unfortunatetly, they don't know how to setup it, or they are unable to solve the issue. Support ticket: TrackingID#26040XXXXXXX9201 Service Hub ticket: https://support.serviceshub.microsoft.com/supportforbusiness/onboarding?origin=/supportforbusiness/create TrackingID#26040XXXXXXXX924 I follow the steps to configure: based on the Microsoft documentation, I should be able to see the evidence in Activity explorer or Purview DLP alert or Defender Alerts/Incidents.PURVIEW - SCANNER ACCOUNT MISMATCH
Hello I have a strange issue on Scanner Setup is fine also discover is fine, in activity explorer we see discovered file, issue was in USER column that reports not scanner dedicated user but purview admin user. We also try open a case with MS but no one respond Any suggestions? Thanks Zeno
Securing Data with Microsoft Purview IRM + Defender: A Hands-On Lab
Hi everyone I recently explored how Microsoft Purview Insider Risk Management (IRM) integrates with Microsoft Defender to secure sensitive data. This lab demonstrates how these tools work together to identify, investigate, and mitigate insider risks. What I covered in this lab: Set up Insider Risk Management policies in Microsoft Purview Connected Microsoft Defender to monitor risky activities Walkthrough of alerts triggered → triaged → escalated into cases Key governance and compliance insights Key learnings from the lab: Purview IRM policies detect both accidental risks (like data spillage) and malicious ones (IP theft, fraud, insider trading) IRM principles include transparency (balancing privacy vs. protection), configurable policies, integrations across Microsoft 365 apps, and actionable alerts IRM workflow follows: Define policies → Trigger alerts → Triage by severity → Investigate cases (dashboards, Content Explorer, Activity Explorer) → Take action (training, legal escalation, or SIEM integration) Defender + Purview together provide unified coverage: Defender detects and responds to threats, while Purview governs compliance and insider risk This was part of my ongoing series of security labs. Curious to hear from others — how are you approaching Insider Risk Management in your organizations or labs?
Label Inheritance in outlook.
When an attachment with a higher-priority sensitivity label is added, the email initially inherits that label. However, after the attachment is removed, the email reverts to the default label, and if another attachment with a different (higher priority) label is subsequently added, the email does not automatically inherit the new label. Is this correct behavior and any MS doc related to this?When the default sensitivity label is applied, an asterisk (*) appears next to the label.
When I open a Word document and the default sensitivity label (e.g., INTERNAL) is applied, an asterisk appears next to the label along with a message indicating that the file hasn’t been saved yet. Is there any detail Microsoft documentation that explains this behavior? This only occur for default label if I try to remove default label (without saving word file) and apply any other label then * mark is not there.
MS Purview InformationProtectionPolicy - Extract Sensitivity Labels - Permissions Granted
Hello community, I'm currently facing an issue trying to extract sensitivity labels from our Microsoft 365 tenant and could use some assistance. I have already ensured that the necessary permissions and application are in place. I initially attempted to retrieve the labels via the Microsoft Graph Explorer (graph-explorer) using the endpoint: https://graph.microsoft.com/beta/security/informationProtection/sensitivityLabels. As you can see in the attached image, I encountered a "Forbidden - 403" error, suggesting a problem with permissions or consent, even though InformationProtectionPolicy.Read is listed under the "Modify permissions" tab as "Unconsent". The only way that I found to solve it was using "https://graph.microsoft.com/beta/me/security/informationProtection/sensitivityLabels" but I need to use it in Python Code, without a user validation of credential. Next, I tried to achieve the same using Python and the Microsoft Graph API directly. I obtained an access token using a Client ID and Secret, authenticating against https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token. The application associated with this Client ID and Secret has been granted the InformationProtectionPolicy.Read permission. However, when making a GET request to https://graph.microsoft.com/beta/security/informationProtection/sensitivityLabels in Python, I receive the following error: I have already granted what I believe are the relevant permissions, including InformationProtectionPolicy.Read.All, InformationProtectionPolicy.Read, Application.Read.All, and User.Read. Has anyone successfully retrieved sensitivity labels using the Microsoft Graph API? If so, could you please share any insights or potential solutions? I'm wondering if there are other specific permissions required or if there's a particular nuance I might be missing. Any help would be greatly appreciated! Thank you in advance. Leonardo CanalLockdown owerApps HTTP Conector
I have been asked to apply data security control over the PowerApps HTTP connector by either whitelisting the URI that it can access or applying block control based on content inspection. Can that be done using Defender for Cloud Apps, Purview Compliance DLP or another product? thanks Graham
