Forum Widgets
Latest Discussions
Label Inheritance in outlook.
When an attachment with a higher-priority sensitivity label is added, the email initially inherits that label. However, after the attachment is removed, the email reverts to the default label, and if another attachment with a different (higher priority) label is subsequently added, the email does not automatically inherit the new label. Is this correct behavior and any MS doc related to this?When the default sensitivity label is applied, an asterisk (*) appears next to the label.
When I open a Word document and the default sensitivity label (e.g., INTERNAL) is applied, an asterisk appears next to the label along with a message indicating that the file hasn’t been saved yet. Is there any detail Microsoft documentation that explains this behavior? This only occur for default label if I try to remove default label (without saving word file) and apply any other label then * mark is not there.
Safeguard data on third-party collaboration platforms
I am exploring options to safeguard sensitive data in third-party collaboration platforms like GitHub and Confluence. Does Microsoft Purview provide any native integration for these platforms? Do I need to rely on third-party connectors/integrations to extend Purview’s capabilities into these environments?Securing Data with Microsoft Purview IRM + Defender: A Hands-On Lab
Hi everyone I recently explored how Microsoft Purview Insider Risk Management (IRM) integrates with Microsoft Defender to secure sensitive data. This lab demonstrates how these tools work together to identify, investigate, and mitigate insider risks. What I covered in this lab: Set up Insider Risk Management policies in Microsoft Purview Connected Microsoft Defender to monitor risky activities Walkthrough of alerts triggered → triaged → escalated into cases Key governance and compliance insights Key learnings from the lab: Purview IRM policies detect both accidental risks (like data spillage) and malicious ones (IP theft, fraud, insider trading) IRM principles include transparency (balancing privacy vs. protection), configurable policies, integrations across Microsoft 365 apps, and actionable alerts IRM workflow follows: Define policies → Trigger alerts → Triage by severity → Investigate cases (dashboards, Content Explorer, Activity Explorer) → Take action (training, legal escalation, or SIEM integration) Defender + Purview together provide unified coverage: Defender detects and responds to threats, while Purview governs compliance and insider risk This was part of my ongoing series of security labs. Curious to hear from others — how are you approaching Insider Risk Management in your organizations or labs?Alert on DLP Policy Change
Is it possible to configure an alert from Purview when a DLP policy is created, amended or removed? I am trying to build a process to satisfy NIST CM-6(2): Respond to Unauthorized Changes that identifies when a policy chnage happens and to cross reference to an authorised change record. I can find the events Updated, Created or Changed a DLP Poloicy in audit search but can Purview be configured to generate an alert when these events happen?
DLP Alerts Naming Metadata
Im currently facing an issue that every time my DLP policy matches, it creates an Alert on Defender where the name of the file appears on it, for example: DLP policy match for document 'file.pdf' on a device DLP policy matched for email with subject (SUBJECT) I do not want that file.pdf nor SUBJECT appear on the title on Defender, where i can configure to avoid this ?
AADSTS50020: protected PDF issue for external users
I have been recently (don't know when it was started) observed getting error from protected PDF (sensitivity label with user defined permission) file while trying to open that pdf via AIP viewer mobile app (Android/iOS) AS external user (who has permission to open/view). No issue with Office file types protected. external (not internal, not guest) user (currently testing with gmail.com account, other O365 tenant user) getting error as attached from AIP view mobile app. We do have AIP excluded at conditional access policy which helped so far to avoid this problem for external users. Is there been any recent change in behavior around user defined protected PDF? Since user having problem is external, have no clue where to look for log and start investigation. Error code: AADSTS50020Restrict sharing of Power BI Data to limited users
In the Power BI admin center, we have enabled the setting: "Restrict content with protected labels from being shared via link with everyone in your organization". As expected, this prevents users from generating "People in your organization" sharing links for content protected with sensitivity labels. We only have one sensitivity label with protection enabled. However, due to Power BI’s limitations with labels that include "Do Not Forward" or user-defined permissions, this label is not usable in Power BI. Our Power BI team wants to restrict sensitive data from being shared org-wide and instead limit access to specific individuals. One idea was to create another sensitivity label with encryption that works with Power BI and use that to enforce the restriction. However, such a label would also affect other Microsoft 365 apps like Word, Excel, and Outlook — which we want to avoid. I looked into using DLP, but MS documentation mentions below limitations, that makes me unsure if this will meet the requirement. 1. DLP either restricts access to the data owner or to the entire organization. 2. DLP rules apply to workspaces, not individual dashboards or reports. My question: Is there any way to restrict sharing of Power BI (or Fabric) content to specific users within the organization without changing our existing sensitivity label configurations or creating a new encryption-enabled label that could impact other apps?
DLP Policy Rule "U.S. Physical Address" exclusion
We have the built in Sensitive Info Type "U.S. Physical Address" in our Default HR & Privacy Info Protection Policy in simulation. This is set to the location of just Exchange Email only. Everyone in the company has our physical address in their email signature. This combination keeps triggering alerts even if I set the instance count to something like 3. I've asked Co-Pilot for instructions to create an exclusion where I can enter our physical address to be ignored but the instructions always mention options that don't exist in the rule edit screen. I see online people asking for signatures to be ignored but the response is they can't be. Am I doomed to ask all staff to remove their signature, remove this SIT altogether, or just let the Action of "encrypt email messages" proceed and have our organization look the fool for encrypting every email sent outside the organization? Anyone know how to tell Purview to ignore your own physical address?
