Security and AI Essentials
Protect your organization with AI-powered, end-to-end security.
Defend Against Threats
Get ahead of threat actors with integrated solutions.
Secure All Your Clouds
Protection from code to runtime.
Secure All Access
Secure access for any identity, anywhere, to any resource.
Protect Your Data
Comprehensive data security across your entire estate.
Recent Blogs
Welcome to our new Microsoft Sentinel blog series!
We’re excited to launch a new blog series focused on Microsoft Sentinel. From the latest product innovations and feature updates to industry recog...
Nov 03, 2025 | 12 Views | 0 likes | 0 Comments
In today’s evolving threat landscape, organizations increasingly rely on layered email security solutions to protect users and sensitive data. Microsoft supports and collaborates with Integrated Clou...
Nov 03, 2025 | 33 Views | 0 likes | 0 Comments
4 MIN READ
The cybersecurity threat landscape continues to evolve with novel attacks and techniques emerging each day. Microsoft Defender Experts for Hunting, included with Microsoft Defender Experts for XDR, h...
Nov 03, 2025 | 56 Views | 0 likes | 0 Comments
We have reviewed the new settings in Microsoft Edge version 142 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 139 security baselin...
Nov 03, 2025 | 116 Views | 0 likes | 0 Comments
Recent Discussions
Purview Connector Status
I have set up an Instant Bloomberg connector in Microsoft Purview. Data is now flowing daily from Bloomberg to Microsoft Purview. How can I retrieve the status of the connector? My preferred option would be to have a PowerShell script to extract the "Connection status with source", the "last import at" and the latest log. And if that PS script cannot be done, an email sent by Purview with about the same info would work.
115 Views | 0 likes | 2 Comments
Purview workspace scan: table visible but metadata not ingested
I'm copying gold tables from a dev workspace lakehouse to a user workspace warehouse in Fabric. The copied tables appear correctly in the warehouse, but when I run a Purview scan on the entire user workspace, all metadata is ingested except for one specific table. All other warehouse objects scan successfully - only this particular copied table is missing from Purview. What could cause this selective scanning issue?
13 Views | 0 likes | 1 Comment
Lockdown PowerApps HTTP Connector
I have been asked to apply data security control over the PowerApps HTTP connector by either whitelisting the URI that it can access or applying block control based on content inspection. Can that be done using Defender for Cloud Apps, Purview Compliance DLP or another product? Thanks, Graham
Microsoft Default Credit Card Number is not working effectively.
Hi All, I just observed that the Microsoft default SIT for Credit Card is detecting more false positives: it is detecting 16-digit transaction numbers, tracking IDs, receipt numbers and even Microsoft support ticket numbers as Credit Card Numbers. How can we fine-tune the Microsoft default SIT to make sure it detects only valid Credit Card Numbers?
Feature request: Get rid of "Welcome to new Microsoft Purview portal" screen
Any new user of Purview DGS will be shown this screen: I strongly believe this should be an admin-led, tenant-wide decision, and not an 'any new user on its own decision'. The screen is confusing and completely unnecessary for new users with "Global Catalog Reader" permissions only. The problem with this screen is that it results in some users landing in the classic portal, while all documentation and training materials that we share are based on the new portal. My suggestion would be to move this option to 'settings'. After all, as Microsoft, you want your users to use the new portal too, right? P.S. In the meantime, please get rid of the homepage and move all that under a 'getting started' page: Catalog homepage improvements are urgently needed | Microsoft Community Hub
272 Views | 3 likes | 7 Comments
Unknown DLP Policies Triggering IRM Alerts
Two unknown DLP policies are triggering high severity IRM alerts, and these policies are not showing in our DLP policy list. The policy names are: FileCopiedToRemovableMedia (Preview), FileUploadedToCloud (Preview). Additionally, there are no associated events in Activity Explorer. These alerts are causing confusion with our Security operations because they result in Sentinel incidents.
56 Views | 0 likes | 3 Comments
Hundreds of DSM-Synology NAS work files are intercepted by Defender as threats!
Hi everyone. . . Sorry, long... For a couple of days now, I've been experiencing an annoying, persistent, and unresolvable problem affecting the Synology Drive Client 3.5.2 working folder D:\.SynologyWorkingDirectory. I'm running Windows 11 Pro 64-bit v25H2, and a couple of days ago, I accidentally discovered that Windows Defender has become incredibly slow when launched from its taskbar icon. Once I opened Defender, it presented a report with HUNDREDS (!) of threats, all caused by (temporary?) files in the hidden working folder "D:\.SynologyWorkingDirectory." The vast majority of the threats were eliminated. However, a few were classified as "severe" and warned that Defender may not have been able to completely eliminate the threat. I'm almost certain these aren't real threats, partly because of my extreme care with my browsing habits and behavior, but primarily because there are hundreds of them and they're constantly being created, exclusively in the D:\.SynologyWorkingDirectory folder. Defender, for its part, constantly deletes them, making it incredibly slow, and opening its history is equally slow. I ran a thorough system scan with Defender, both online and offline, but nothing was found. I also ran a scan with MalwareBytes, and nothing was found, perhaps also because the files are quickly deleted by Defender. I therefore suspect that Windows Defender has arbitrarily classified Synology's temporary files as threats. Even deleting Windows Defender's history was a painstaking task due to numerous (!) failed attempts due to the low-level and operational protections in Windows 11 Pro 64-bit v25H2. The only solution was to boot WinRE from a Windows installation USB drive, then delete the scans folder (D:\ProgramData\Microsoft\Windows Defender\Scans) from DOS. I also had to obtain the Bitlocker key, but clearing the history is pointless because it continually recreates itself with new detections! I'm forced to pause Synology Drive Client v3.5.2. 
How can I get support for this issue? Regards . .
18 Views | 0 likes | 0 Comments
Entra Verified ID: CAP Preview Feature to require Face Check
During one of the MS demo videos, I saw a preview feature for Conditional Access Policy to require "Face Check". I have now enabled Entra Verified ID and also switched on Face Check. When I create a new CAP, I do not see the "Require Face Check" option under the Grant. How can I request to have this feature released to my tenant? Thanks!
Duplicate file detection
Hi Community, I need to scan multiple Windows file servers using Microsoft Purview and one of the asks is to detect and identify duplicate files on those. Can someone please guide how that can be accomplished? What functionality needs to be used and how to go about duplicate detection? Note that this is primarily a duplicate-finding assignment for files, as in Office documents and PDFs. Thanks.
MS Purview Data Map - Sensitivity Label - Atlas API
Hi Everyone, Can someone confirm if it’s possible to update the Sensitivity label column in the Microsoft Purview Unified Data Catalog using the Atlas API? Since Microsoft Fabric currently does not support the auto-labeling feature in the Data Map, can we apply sensitivity labels to Fabric assets in the catalog through the Atlas API? Regards, BanuMurali
License question
Hello, From what I've read, if I have 10 licensed (Defender for Office 365) users, each with their own mailbox and an additional shared mailbox connected, I only need to license those 10 users (the shared mailbox doesn't need to be licensed additionally). However, I don't see such a provision in the licensing agreements themselves. If I understand this correctly, can someone point me to the relevant clause in the agreement? Does a shared mailbox that no one uses require a Defender license (if the organization uses Defender for Office 365 licenses)? thx.
Detecting Duplicate Documents
I am looking for an approach to identify duplicate documents within and across file servers of an organisation. What functionalities would be used for this and preferably if someone can provide a practical, step by step approach it will help. Am relatively new to Purview. Understand this should be probably possible using Information protection, but not clear exactly how. Thanks for help.
5 Views | 0 likes | 0 Comments
Feature Request: DLP Controls for App Registrations Using Sites.Selected to Prevent PII/PHI Exposure
We’re using the Sites.Selected SharePoint API to restrict app access to specific sites, which is a great improvement over tenant-wide permissions. However, we’re increasingly concerned about the lack of native DLP enforcement at the app registration level—especially for AI-powered apps or integrations that may unintentionally access sensitive data. Does Microsoft offer any capability to safeguard against PII/PHI data transfer across the Graph API that can: Flag apps as restricted from accessing PII/PHI. Prevent apps from reading content labeled with sensitivity labels like “Confidential,” “PII,” or “PHI.” Enforce real-time inspection and blocking of Graph API calls that attempt to access sensitive data. Generate alerts and audit logs when apps approach or violate these boundaries. If not, are there plans to introduce these protections? Protection across all APIs is desirable, but currently our greatest concern is SharePoint APIs.
22 Views | 0 likes | 0 Comments
Microsoft 365 Apps for Enterprise Security Baseline 2412; when available?
https://learn.microsoft.com/en-us/intune/intune-service/protect/security-baseline-v2-office-settings?pivots=v2306 is currently available in Intune. Microsoft already released the 2412 version via the Microsoft Security Compliance Toolkit. Unfortunately, this version is not available in Intune yet. When can we expect that version to become available in Intune?
15 Views | 0 likes | 0 Comments
Cannot see Data Map and Unified Catalog in the free version of Microsoft Purview
Hey, I am trying to set up a data connection in the free version of Microsoft Purview. However, I cannot see the Data Map and Unified Catalog features. Is this the intended limitation of the free version? Or am I missing something?
Can’t Remove Defender Tag After Asset Rule Was Deleted
Hi all, I’m facing an issue where a rule-based tag in Microsoft Defender for Endpoint remains visible on devices even after I deleted the original asset rule. The rule was disabled and deleted months ago, but the tag still appears under Rule-based tags in the device details. Even using the API or PowerShell doesn’t show or remove it. Is there any supported way to force a tag refresh or clear orphaned rule-based tags from the Defender portal? Thanks in advance, Luca
XDR advanced hunting region specific endpoints
Hi, I am exploring XDR advanced hunting API to fetch data specific to Microsoft Defender for Endpoint tenants. The official documentation (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) mentions to switch to Microsoft Graph advanced hunting API. I had below questions related to it:
1. To fetch the region specific (US, China, Global) token and Microsoft Graph service root endpoints (https://learn.microsoft.com/en-us/graph/deployments#app-registration-and-token-service-root-endpoints), is the recommended way to fetch the OpenID configuration document (https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#fetch-the-openid-configuration-document) for a tenant ID and based on the response, the region specific SERVICE/TOKEN endpoints could be fetched? Since using it, there is no need to maintain different end points for tenants in different regions. And do we use the global service URL https://login.microsoftonline.com to fetch OpenID config document for a tenantID in any region?
2. As per the documentation, Microsoft Graph Advanced hunting API is not supported in China region (https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http). In this case, is it recommended to use Microsoft XDR Advanced hunting APIs (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) to support all region tenants (China, US, Global)?
XDR Advanced hunting API region availability
Hi, I am exploring XDR advanced hunting API to fetch data specific to Microsoft Defender for Endpoint tenants. The official documentation (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) mentions to switch to Microsoft Graph advanced hunting API. I had below questions related to it: To fetch the region specific (US, China, Global) token and Microsoft Graph service root endpoints (https://learn.microsoft.com/en-us/graph/deployments#app-registration-and-token-service-root-endpoints), is the recommended way to fetch the OpenID configuration document (https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri) for a tenant ID and based on the response, the region specific SERVICE/TOKEN endpoints could be fetched? Using it, there is no need to maintain different end points for tenants in different regions. And do we use the global service URL https://login.microsoftonline.com to fetch OpenID config document for a tenantID in any region? As per the documentation, Microsoft Graph Advanced hunting API is not supported in China region (https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http). In this case, is it recommended to use Microsoft XDR Advanced hunting APIs (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) to support all region tenants (China, US, Global)?
Token Protection Conditional access policy is blocking access to PowerShell Modules.
Hi Everyone, Recently we have started implementing Microsoft token protection via CAP. We have created the policy based on the Microsoft documentation: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection Everything is working fine for regular users, but for our admin accounts that require access to PowerShell modules, they get this error when trying to access: I've confirmed this is linked to the token protection policy and no other policy is causing this behavior. The policy is configured in the following way: My question here is: How can I keep our admin accounts included on this policy without affecting PowerShell access? Thank you for your help.
15 Views | 0 likes | 0 Comments