Security and AI Essentials
Protect your organization with AI-powered, end-to-end security.
Defend Against Threats
Get ahead of threat actors with integrated solutions.
Secure All Your Clouds
Protection from code to runtime.
Secure All Access
Secure access for any identity, anywhere, to any resource.
Protect Your Data
Comprehensive data security across your entire estate.
Recent Blogs
Use Microsoft Entra Agent ID to assign accountable identities, control agent access, and automate sponsor lifecycle management at scale.
Jul 07, 2026132Views
0likes
0Comments
AI agents are changing how applications interact with data, and database security needs to evolve with them. In this July 2026 edition of the Azure Database Platform Security Newsletter, we focus on ...
Jul 07, 202665Views
0likes
0Comments
Most Azure Policy reporting stops at compliance status. Useful, yes — but not enough. When a control fails, teams need to know what failed, why it matters, and who should act.
That gap becomes obvi...
Jul 06, 2026135Views
0likes
0Comments
5 MIN READ
Hi folks – Mike Hildebrand here! It’s the July 4 th holiday here in the good 'ol USA and happens to also be our country’s 250 th birthday … and where I live, that means it’s probably hot. VERY ho...
Jul 04, 2026547Views
2likes
0Comments
Recent Discussions
Ask Microsoft Anything: Attack Disruption with Microsoft Defender on July 14
Hey Defender enthusiasts! Just wanted to remind you all that we are holding an AMA next week at 9AM PST on July 14 with the Attack Disruption team. Come learn about Attack Disruption—Microsoft Defender’s built‑in, AI-powered capability that stops in‑progress attacks at machine speed by analyzing attacker intent, identifying compromised assets, and containing threats before they spread. Bring your questions and hear directly from product experts on real‑world scenarios and best practices. Hope to see you there! Event Link: Ask Microsoft Anything: Microsoft Defender Attack Disruption | Microsoft Community Hub5Views0likes0CommentsDefenderXDR "Preparing new space for data and connecting them" is stuck , and never finished !
Hello everyone, I am delivering SC-200 courses and on the lab environment of Skillable (or even free-tiers) when you have to "initiate" the data space for DefenderXDR, the process seems to be stuck .... never finished and we are "locked" in the page of a ...coffee cup and the phrase "Hang on. We are preparing new spaces for your data and connecting them. " does anyone else have same problem ? Any resolution , (I have already open a support ticket to Skillable support, but I haven't got resolution for over 1+day , and cannot open or continue the lab (for connecting or onboarding Microsoft Defender for Endpoint ) which is frustrating for the participants-students Thanks PanosUnlabelled Files
I have a requirement to produce a report which contains the number of files in M365 SharePoint & OneDrive which do not have a sensitivity label applied. I am struggling to find a sensible approach to this and I am fairly certain this is not possible in Purview unless I have missed something. If anyone can help it would be appreciated. ThanksSolvedLooking for a simple deployment guide
MS Learn is a great starting point, but it just doesn't seem to cover the steps needed to get up and running safely. I have concerns about adding or setting something that suddenly creates a vulnerability or exposure. Where is the installation guide that installs and configures the solution then tells you, "You are now protected". Do I really want to set my own policies? Why aren't the default set of rules good enough, safe enough. I can't have a solution that is so complicated I need to hire a team to manage it 24 hours a day. I am okay investigating an alert and helping a user solve a pop-up question. Why is every major corporation around the world required to re-invent the same or similar policies the company next door is creating to make this tool work? I want to onboard all of our Intune devices and monitor anything that CAN'T be stopped by default security measures. Just the fact that Sentinel appears to be changing as an embedded tool within Defender gives me hope that this will be getting closer to a more manageable tool. But that still seems a way off. I am ready to do the reading and research to get this set up but I am hoping for a guide that is specific enough to achieve a final result. Thank for understanding my challenges here.DVM Certificate Inventory Shows No Data Despite Healthy Endpoints in Defender for Endpoint
Hi Team, I'm testing Microsoft Defender Vulnerability Management. Current status: - Defender Vulnerability Management Add-on enabled - Certificates inventory tab is visible - Software Inventory populated - Security Recommendations populated - Windows and Linux devices onboarded - Linux mdatp health = healthy:true, licensed:true, cloud_enabled:true - Devices have local certificates installed - Certificate Inventory page shows "No data" The DVM Add-on was enabled more than 36 hours ago. Has anyone experienced a delay in Certificate Inventory population or are there additional prerequisites beyond DVM licensing and device onboarding? Thanks.Made a self-hosted Entra ID governance portal for app/identity sprawl (open source)
Our tenant ended up with hundreds of app registrations and enterprise apps, and the native portal makes you dig through a separate blade for every basic question. Who owns this app? Which secrets die next month? What hasn't been signed into in a year? Which ones have scary Graph permissions? There's no single view for any of it, and half the ownership info was missing anyway. Entra ID Governance, access reviews, PIM all exist, but they felt heavy (and licensed) for what I actually wanted, which was just a fast list I could scan for routine cleanup. So I built one. Lightweight portal that runs entirely in your own subscription: One grid for App Registrations, Enterprise Apps, Managed Identities and Privileged Users Risk flags per identity: expiring/expired creds, high-risk permissions, no owner, stale sign-in, no CA coverage Ownership tracking, review and owner-change workflow, CSV export Tenant health score and a consent posture dashboard Optional expiry email notifications (needs a SendGrid key) Reads Graph through a managed identity, so no app secrets for data access and nothing leaves your tenant Runs about $26-30/month (one B2 App Service plan). B1 is also supported, but it's noticeably slower. It's not a replacement for Entra ID Governance or PIM, more of a cheap everyday hygiene thing. Full disclosure, I used AI building this and writing this up. I designed the architecture and functionality, tested it and ran it against my own tenant. It's open source and deployable with Azure DevOps or an Azure CLI script. Data never leaves your own tenant. Repo (screenshots + setup): https://github.com/nicolaibaralmueller/entra-identity-governance-portal Would love feedback, especially what you'd want it to flag that it doesn't, or where the risk scoring feels off. Been building it on and off for a few months with a lot of iteration. Hopefully this could be useful for others as well.Struggling with running DQ Scans (Long queuing and Retry Count Error Issues)
Hi everyone, I have been exploring Microsoft Purview Data Quality quite extensively. At this point, I have configured more than 4,000 data quality rules across more than 10 Microsoft Fabric capacities, each with a minimum capacity of F16. Fabric is the source for all assets registered in Purview. I have identified several issues with the product, but the two that are currently impacting me the most are the following: DQ scans failing with a generic error“Max Retry Count Reached. Ending Workflow. Current Task HandleError”The challenge is that the error message does not identify which rule is causing the failure. As a result, I have to troubleshoot manually by disabling groups of rules, rerunning the scans, and repeating the process until I find the problematic rule. This trial-and-error approach is very time-consuming, especially at this scale. This seems to be caused by issues in some of the DQ rules, even though all rules are marked as “Good to go” in Purview. When running Data Quality scans, I often receive the following error: DQ scans remain queued for a long timeI am not sure why this happens or what resource, orchestration, or scheduling constraint is causing the delay. Whenever I run these DQ scans, they remain in a Queued state for at least 10 minutes, even when there is nothing running on the Fabric capacities. Has anyone experienced similar behavior with Purview Data Quality at this scale? Specifically, I would appreciate any guidance on: How to identify which DQ rule is causing a scan failure Why scans remain queued even when Fabric capacity appears to be idle Whether there are known limitations or best practices for running thousands of DQ rules in Purview Thank you.PHS staged rollout works for existing users but not new synced users
We are troubleshooting an Entra ID PHS staged rollout issue with a federated domain using a third-party WS-Fed IdP. The intended behavior is that normal federated users redirect to the IdP, while users in the PHS staged rollout group receive the Microsoft/Entra password prompt instead. Existing users in the staged rollout group continue to work correctly. They enter their UPN and receive the Microsoft password prompt. One known-good test user is not provisioned in the third-party IdP and still signs in successfully through the Entra password prompt, so the working path does not require the user to exist in the IdP. The issue is only with newly created AD-synced users. Newly synced users in the same staged rollout group are still being routed to the federated IdP at HRD instead of receiving the Entra password prompt. We’ve verified the staged rollout policy and group membership from Graph, confirmed the affected users are properly AD-synced with clean immutableID/sourceAnchor, and confirmed PHS is working. Federation metadata and HRD policies also look clean. Seamless SSO/AZUREADSSOACC was checked and remediated, but the behavior did not change. For failed attempts, there is no Entra sign-in log entry, including tenant-wide interactive and non-interactive logs. However, the federated IdP logs show a WS-Fed inbound request from login.microsoftonline.com for the affected user. That makes it look like Entra HRD is routing the user to federation before sign-in logging or token issuance. The issue started around an Entra Connect AD connector/DC-path change. We have since reverted the connector to the previous known-good configuration. After reverting, we created a clean-room test user with the correct UPN set before first sync, confirmed sync/PHS/sourceAnchor, added the user directly to the staged rollout group, and waited 60+ minutes. The clean-room user still redirected to the federated IdP instead of getting the Entra password prompt. So the current behavior is that established staged-rollout users still get the Entra password prompt, but newly created synced staged-rollout users are sent to the federated IdP by HRD. Has anyone seen staged rollout get into this state, where existing users work but new synced users remain on the federated HRD path despite valid rollout policy, group membership, synced password hash, and clean immutableID/sourceAnchor? Is there any known backend cache/state reset or escalation path for HRD/staged rollout routing?Issue Using Built in Trainable Classifiers in Auto Labelling Policies - Purview
Over the last few days, I have run into issue while configuring Auto labelling policies in Purview specifically when using built in classifiers for eg: Budget, Agreements These classifiers are parr of ready to use. They have been working well for us until recently but now saving an auto labelling rule that includes any of Trainable classifiers getting client side error: 'Could not find rule pack associated with sensitive information type' this is unexpected because: same classifiers eg: Budget worked perfectly just few weeks ago. No changes have made to roll, permissions on our side. Still not sure why showing issue now. Kindly request you, help me with root cause of the cause. Please feel free to post it comments if someone faced same issue in using trainable classifiers in auto labelling policies. Thanks in advance. Regards, BanuMuraliMicrosoft 365 Developer E5 license lacking endpoints and device on defender portal
Dear Support Team, I am a microsoft certified trainer (MCT). I currently have a Microsoft 365 Developer E5 license assigned to my tenant. However, I have noticed that my Microsoft Defender portal (security.microsoft.com) is missing several critical features. For example, I cannot see the Endpoints or Devices menus, which is preventing me from implementing and testing Microsoft Defender for Endpoint. Additionally, my Azure tenant and Microsoft 365 tenant are separate. This has created challenges when configuring security services such as Microsoft Sentinel (SIEM), as certain prerequisites and integrations require configuration through the Microsoft Defender portal. Due to the missing Defender features, I am unable to complete the necessary setup. I would appreciate your assistance in understanding: Why the Endpoints and Devices sections are unavailable in my Defender portal despite having a Microsoft 365 Developer E5 license. Whether additional licensing, onboarding steps, or tenant configurations are required to enable Microsoft Defender for Endpoint features. How best to integrate or align my separate Azure and Microsoft 365 tenants to support services such as Microsoft Sentinel and Defender XDR. These issues are significantly impacting my ability to evaluate and implement Microsoft's security solutions. I would appreciate any guidance or recommendations to resolve them. Thank you for your assistance. Kind regards, [Your Name]Sentinel - Defender for Cloud P2 Benefit
Hi all, To receive the the benefit of the Sentinel / Defender for Cloud P2 500mb benefit is the following correct: Enabled Defender for Cloud P2 on the server or via Azure Arc (these are mainly on-prem servers. Create a DCR rule to collect events and send to our Sentinel Workspace. Enable Defender on the Sentinel workspace (not subscription) Defender for Servers is far more work than it should be!26Views0likes2CommentsFeature Request: Manual Invocation Mode for Embedded Security Copilot Experiences to reduce cost !
Hello, I see that Copilot for Security in XDR dashboards , if used in embedded mode (I mean whenever you are opening a case to investigate) you get AUTOMATICALLY a summary of the incident , and you are consuming SCU costs. I want a way either globally as a tenant option, or through a pwsh to be able to DISABLE this, or be able to PRESS the AI button AND THEN generate the AI reply (and consume SCU credits ..) Current behavior: Open Incident --> Copilot automatically generates Incident Summary --> SCUs ARE consumed Desired behavior: Open Incident --> No AI execution --> Click "Generate Summary" MANUALLY --> SCUs consumed I am not talking about RBAC controls to assign WHO of my admins can use Security Copilot, I have set that, BUT I want my admin to decide IF they want AI to help them (and consume - pay for that SCU credits-costs) OR NOT !! At the moment I havent found any solution, except to educate my admin to press CANCEL the moment he/she opens such an XDR dashboard ! :) Does anyone knows something ? Regards, PanosExposure-Driven Security in the Modern Enterprise
The idea is simple — but powerful: It’s not just about detecting threats. It’s about identifying and prioritizing the exposures that make those threats possible. Attack path analysis, identity risk correlation, misconfiguration visibility, privilege exposure… all connected in a single risk context. So I’d like to ask the community: How are you currently measuring exposure in your environment? – Are you mapping attack paths across identities, endpoints, and cloud workloads? – Are privileged identities part of your exposure prioritization model? – Are remediation efforts aligned with actual exploitability or just severity level? In your view, what is the biggest challenge when moving from reactive detection to proactive exposure reduction? Curious to hear how others are integrating Exposure Management into their Zero Trust architecture.CA policy when does it apply
Is this correct statement? "CA policies are evaluated only when a user authenticates?" I created a CA policy that enforces device compliance with Intune. I noticed that an un-enrolled device was still able to access O365 app, even after the CA policy was turned on. Only after forcing users to logout of all O365 apps and re-authenticate were the users prompted to enroll the device. This tells me that the CA policy that forces device compliance wasn't evaluated until the user had to reauthenticate. Looking for confirmation on thisSolvedPurview HR connector
Hi, I am trying to upload a csv file with resigning users to Purview through the HR connector, following the steps from this documentation (https://learn.microsoft.com/en-us/purview/import-hr-data). Have set up a power automate flow to create a bearer token and upload the csv file using a POST API to "https://webhook.ingestion.office.com/api/signals" as shown in the Github sample solution and script. However, I run into the following error: "No HTTP resource was found that matches the request URI 'https://40.75.149.147/api/signals'. The IP seems to change each time I make the API call. Is the URI correct or should I be using another specific URI? Any help would be greatly appreaciated. Thanks in advance!Solved46Views0likes1CommentBest approach to detect multiple user accounts signing in from the same physical device
Hi Everyone, Working on environment: D365 Finance & Operations (cloud). Goal: I need to detect when more than one Dynamics user account is being used from the same physical device, and ideally count how many distinct users are active on that device. The business reason is this is not permissible to login with more than one account in the same device. For example: User X has device D1, User Y has device D2. User X logged in with his account using Device D2 (which is user's Y device). I want to know if this happened, cause it's not permissible behavior in the organization. For more illustration some users have blank devices id when I see Microsoft Entra. Or if I could find out when a user logs in and integrate it with D365 F&O to store the device the user logged into in a custom log table or anything that tells me that this user account is opened on more than one device or this device has more than one logged-in user account. .Glossary Terms Governance Model
A practical implementation pattern that scales from a Proof of Concept to enterprise deployment. If you're involved in implementing Microsoft Purview or designing an enterprise data governance model, I'd be interested to hear how you're approaching glossary management within your organisation. Do you manage a single enterprise glossary, separate domain glossaries, or a combination of both? I'd love to hear your experiences and any lessons you've learned. https://www.linkedin.com/search/results/all/?keywords=%23microsoftpurview&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23microsoft&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23datagovernance&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23unifiedcatalog&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23enterprisedatacatalogue&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23metadata&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23metadatamanagement&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23dataproducts&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23datamesh&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23federatedgovernance&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23enterprisearchitecture&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23dataarchitecture&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23informationarchitecture&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23datamanagement&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23azure&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23microsoft365&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23purview&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23glossary&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23businessglossary&origin=HASH_TAG_FROM_FEED https://www.linkedin.com/search/results/all/?keywords=%23dataskylabstudio&origin=HASH_TAG_FROM_FEED 😀 Understanding the Enterprise and Local Glossary Terms Governance Model This diagram demonstrates a scalable approach to managing Glossary Terms in Microsoft Purview Unified Catalog. The objective is simple: Create enterprise business terminology once, reuse it across the organisation, and keep specialist business terminology within the Governance Domain that owns it. This approach creates a Single Source of Truth for shared business language, reduces duplication, improves consistency and allows the governance model to scale as the organisation grows. Step 1 – Create an Enterprise Glossary Terms Governance Domain The first step is to create a dedicated Governance Domain specifically for Enterprise Glossary Terms. For example: Enterprise Glossary Terms This Governance Domain becomes the central location where enterprise-wide business terminology is created, maintained and governed. Examples include: Party Person Organisation Customer Employee Product Account Contract Invoice Order Transaction These are business concepts that are commonly used across multiple business functions and Governance Domains. Each Enterprise Glossary Term has: One agreed business definition. One accountable owner. One authoritative source. One location where it is maintained. Unlimited reuse across Data Products. Think of this Governance Domain as the organisation's enterprise business dictionary. Step 2 – Create Business Governance Domains Next, create Governance Domains that reflect your organisational structure. For example: Finance Sales Human Resources Meat, Dairy & Approved Establishments Each Governance Domain is responsible for: Its own Data Products. Its own local Glossary Terms. Its own stewardship and governance. Step 3 – Create Local Glossary Terms Not every business term belongs in the Enterprise Glossary. Many terms are only relevant to a single business function and should remain owned within that local Governance Domain. For example: Finance General Ledger Cost Centre Budget Code Payment Run Sales Sales Channel Campaign Opportunity Discount Code Human Resources Job Grade Leave Type Shift Pattern Pay Band Meat, Dairy & Approved Establishments Establishment Type Hygiene Rating Carcass Classification Milk Cooler Capacity These Local Glossary Terms remain within their own local Governance Domain because they are not intended for enterprise-wide reuse. They can be seen in the Enterprise Glossary. Step 4 – Create Data Products Each Governance Domain creates the Data Products it owns. Examples include: Finance Financial Reporting Sales Sales Orders Human Resources Employee Directory Meat, Dairy & Approved Establishments Establishment Inspections The Data Product becomes the business representation of a collection of related data. Step 5 – Reuse Enterprise Glossary Terms When creating a Data Product, associate the Enterprise Glossary Terms that describe the business concepts used by that Data Product. For example: Financial Reporting Uses: Customer Account Transaction Invoice Sales Orders Uses: Customer Product Contract Order Employee Directory Uses: Person Employee Organisation Establishment Inspections Uses: Organisation Party Product Notice that these Enterprise Glossary Terms are not recreated inside each Governance Domain. Instead, they are referenced from the Enterprise Glossary Terms Governance Domain. This is the key principle behind the model: Create once. Reuse many times. Step 6 – Add Local Glossary Terms Each Data Product can also reference Local Glossary Terms from its own Governance Domain. For example: Financial Reporting Also uses: General Ledger Cost Centre Sales Orders Also uses: Sales Channel Employee Directory Also uses: Job Grade Establishment Inspections Also uses: Inspection Risk Category Each Data Product therefore combines: Enterprise Glossary Terms Local Glossary Terms This provides consistent enterprise language while still allowing each business area to manage its own specialist terminology. Why this model works This implementation separates enterprise business language from specialist business language. Enterprise Glossary Terms provide: A Single Source of Truth. One agreed definition. One accountable owner. Reuse across every Governance Domain. Local Glossary Terms provide: Business-specific terminology. Local ownership. Specialist business knowledge. Flexibility without affecting enterprise standards. Together they provide: Reduced duplication. Consistent business language. Easier governance. Better Discovery Search. Simpler maintenance. Reusable metadata. A scalable governance model. Relationship with the Conceptual Data Model The Enterprise Glossary answers the question: What business concepts does the organisation use? The Conceptual Data Model answers: How are those business concepts related? For example: Customer │ places│ ▼ Order │ contains ▼ Product The Enterprise Glossary defines each business concept. The Conceptual Data Model describes how those concepts relate to one another. Together they establish a common business language that can be reused consistently across Governance Domains, Data Products and the wider Enterprise Data Catalogue. Microsoft Purview Implementation Steps Create a Governance Domain called Enterprise Glossary Terms. Create enterprise-wide Glossary Terms within this Governance Domain. Assign an accountable owner for each Enterprise Glossary Term. Create business Governance Domains that reflect the organisation. Create Local Glossary Terms only where the terminology is unique to that Governance Domain. Create Data Products within each Governance Domain. Associate Enterprise Glossary Terms with Data Products wherever the same business meaning applies. Associate Local Glossary Terms with Data Products where specialist business terminology is required. Continue expanding the Enterprise Glossary as new shared business concepts emerge. Key Principle Create once. Reuse everywhere. Keep local terms local. Enterprise Glossary Terms establish the organisation's shared business language, while Local Glossary Terms allow individual Governance Domains to manage specialist terminology. Together they provide a scalable governance model for Microsoft Purview Unified Catalog that supports Federated Data Governance, Data Mesh principles, and long-term enterprise growth without unnecessary duplication of business definitions.53Views0likes1CommentGlossary Terms: Governance Model
Hi folks, Don't want to spam the same post twice; however, I only found this area of data governance after I had posted in Purview section. Create enterprise business terminology once, reuse it across the organisation, and keep specialist business terminology within the Governance Domain that owns it. Glossary Terms Governance Model | Microsoft Community Hub I'd like to know if people have done similar?33Views0likes1CommentMicrosoft Purview Unified Catalog; Governance Domains and Business Concepts
I've been using the attached artefacts for some time to help explain the knowledge exchange aspects of Microsoft Purview Unified Catalog, particularly how Governance Domains and Business Concepts work together to provide business context, ownership, stewardship and operational insights. They have been useful in workshops with data architects, governance professionals, product owners and business stakeholders to demonstrate how concepts fit together within a governance domain and contribute towards trusted information and better business outcomes. I'm interested in hearing from the wider Purview community: Do these artefacts accurately represent the intent and capabilities of Governance Domains within Microsoft Purview? Are there any concepts that you feel are missing, over-emphasised, or could be represented more clearly? How are others explaining Governance Domains and Business Concepts to non-technical stakeholders? Any feedback, suggestions, or alternative approaches would be greatly appreciated. I'm always looking to refine these materials and make them more useful for organisations adopting Purview Unified Catalog. #MicrosoftPurview #DataGovernance #DataManagement #Metadata #DataProducts #MicrosoftData #Purview #DataArchitecture #UnifiedCatalog
Events
Learn more about attack disruption—Microsoft Defender’s built‑in, AI-powered capability that stops in‑progress attacks at machine speed by analyzing attacker intent, identifying compromised assets, ...
Tuesday, Jul 14, 2026, 09:00 AM PDTOnline
1like
51Attendees
3Comments