Recent Blogs
3 MIN READ
Simplify hybrid complexity and strengthen your security posture by managing users and groups natively in the cloud.
Nov 04, 2025
15 MIN READ
Overview
In an era where cyber threats evolve at an unprecedented pace and artificial intelligence (AI) transforms business operations, Microsoft stands at the forefront with a comprehensive strate...
Nov 04, 2025
Welcome to our new Microsoft Sentinel blog series!
We’re excited to launch a new blog series focused on Microsoft Sentinel. From the latest product innovations and feature updates to industry recog...
Nov 03, 2025
In today’s evolving threat landscape, organizations increasingly rely on layered email security solutions to protect users and sensitive data. Microsoft supports and collaborates with Integrated Clou...
Nov 03, 2025Recent Discussions
Cannot update Case number in Microsoft Purview eDiscovery
I can no longer update the Case number under case settings in the new eDiscovery UI. I used to be able to update it via the externalId Graph endpoint but that appears to be deprecated. The error simply reads "update failed" - there is no additional information. Is anyone else having this problem?Sentinel to Defender webinar series CANCELLED, will be rescheduled at a later date.
The Sentinel to Defender webinar series has been cancelled. Please visit aka.ms/securitycommunity to sign up for upcoming Microsoft Security webinars and to join the mailing list to be notified of future sessions. We apologize for any inconvenience.
Microsoft Default Credit Card Number is not working effectively.
Hi All, I just observe that Microsoft default SIT for Credit Card is detecting more False Positives, it is detecting the 16 digit transaction numbers, tracking ID's, Receipt numbers and even Microsoft support ticket numbers also detecting as Credit Card Numbers. how can we finetune the Microsoft Default SIT to make sure it should detect only valid Credit Card Numbers.
Detecting Duplicate Documents
I am looking for an approach to identify duplicate documents within and across file servers of an organisation. What functionalities would be used for this and preferably if someone can provide a practical, step by step approach it will help. Am relatively new to Purview. Understand this should be probably possible using Information protection, but not clear exactly how. Thanks for help.
Defender for Endpoint - macOS scan takes 1 second
Hello, We use Defender for Endpoint on macOS deployed by Mosyle MDM. However, we noticed when user run quick or full scan that action takes 1 second and that is it - 0 files scanned. This used to work before; I happen to have a screenshot: Now, if I run scan from command line, again the same: We use config profiles from here: https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles mdatp health output: Did anyone have this issue? Thanks!
Kql query that search reg key
Hay I created the next kql query but unfraternally i get O devices on the results : // Search for creation, modification, or deletion events for the specified ESU registry key DeviceRegistryEvents | where RegistryKey has_any (@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU", @"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU") | project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine | sort by Timestamp desc Am I doing something wrong? Thanks Elad.Purview Connector Status
I have set up an Instant Bloomberg connector in Microsoft Purview. Data is now flowing daily from Bloomberg to Microsoft Purview. How can I retreive the status of the connector? My prefered option would be to have a a PowerShell script to extract the "Connection status with source", the "last import at" and the latest log. And if that PS script cannot be done, an email sent by Purview with about the same info would work.
Purview workspace scan: table visible but metadata not ingested
I'm copying gold tables from a dev workspace lakehouse to a user workspace warehouse in Fabric. The copied tables appear correctly in the warehouse, but when I run a Purview scan on the entire user workspace, all metadata is ingested except for one specific table. All other warehouse objects scan successfully - only this particular copied table is missing from Purview. What could cause this selective scanning issue?
Lockdown owerApps HTTP Conector
I have been asked to apply data security control over the PowerApps HTTP connector by either whitelisting the URI that it can access or applying block control based on content inspection. Can that be done using Defender for Cloud Apps, Purview Compliance DLP or another product? thanks GrahamFeature request: Get rid of "Welcome to new Microsoft Purview portal" screen
Any new user of Purview DGS will be shown this screen: I strongly believe this should be an admin led tenant-wide decision, and not an 'any new user on it's own decision'. The screen is confusing and completely unnecessary for new users with "Global Catalog Reader" permissions only. The problem with this screen is that it results in some users landing in the classic portal, while all documentation and training materials that we share are based on the new portal. My suggestions would be to move this option to 'settings'. After all, as Microsoft, you want your users to use the new portal too, right? P.S. in the meantime, please get rid of the homepage and move all that under a 'getting started' page: Catalog homepage improvements are urgently needed | Microsoft Community HubUnknown DLP Policies Triggering IRM Alerts
Two unknown DLP policies are triggering high severity IRM alerts, and these policies are not showing in our DLP policy list. The policies names are: FileCopiedToRemovableMedia (Preview) FileUploadedToCloud (Preview) Additionally, there are no associated events in Activity Explorer. These alerts are causing confusion with our Security operations because they result in Sentinel incidents.Hundreds of DSM-Synology NAS work files are intercepted by Defender as threats!
Hi everyone. . . Sorry, long... For a couple of days now, I've been experiencing an annoying, persistent, and unresolvable problem affecting the Synology Drive Client 3.5.2 working folder D:\.SynologyWorkingDirectory. I'm running Windows 11 Pro 64-bit v25H2, and a couple of days ago, I accidentally discovered that Windows Defender has become incredibly slow when launched from its taskbar icon. Once I opened Defender, it presented a report with HUNDREDS (!) of threats, all caused by (temporary?) files in the hidden working folder "D:\.SynologyWorkingDirectory." The vast majority of the threats were eliminated. However, a few were classified as "severe" and warned that Defender may not have been able to completely eliminate the threat. I'm almost certain these aren't real threats, partly because of my extreme care with my browsing habits and behavior, but primarily because there are hundreds of them and they're constantly being created, exclusively in the D:\.SynologyWorkingDirectory folder. Defender, for its part, constantly deletes them, making it incredibly slow, and opening its history is equally slow. I ran a thorough system scan with Defender, both online and offline, but nothing was found. I also ran a scan with MalwareBytes, and nothing was found, perhaps also because the files are quickly deleted by Defender. I therefore suspect that Windows Defender has arbitrarily classified Synology's temporary files as threats. Even deleting Windows Defender's history was a painstaking task due to numerous (!) failed attempts due to the low-level and operational protections in Windows 11 Pro 64-bit v25H2. The only solution was to boot WinRE from a Windows installation USB drive, then delete the scans folder (D:\ProgramData\Microsoft\Windows Defender\Scans) from DOS. I also had to obtain the Bitlocker key, but clearing the history is pointless because it continually recreates itself with new detections! I'm forced to pause Synology Drive Client v3.5.2. How can I get support for this issue? Regards . .Entra Verified ID: CAP Preview Feature to require Face Check
During one of the MS demo video, I saw a preview feature for Conditional Access Policy to require "Face Check". I have now enabled Entra Verified ID and also switched on Face Check. When I create a new CAP, I do not see the "Require Face Check" option under the Grant. How can I request to have this feature released to my tenant? Thanks!Duplicate file detection
Hi Community, I need to scan multiple windows file servers using Microsoft Purview and one of the asks is to detect and identify duplicate files on those. Can someone please guide how that can be accomplished. What functionality needs to be used and how to go about duplicate detection? Note that this is primarily duplicate finding assignment for files as in office documents and pdfs. Thanks.
MS Purview Data Map - Sensitivity Label - Atlas API
Hi Everyone, Can someone confirm if it’s possible to update the Sensitivity label column in the Microsoft Purview Unified Data Catalog using the Atlas API? Since Microsoft Fabric currently does not support the auto-labeling feature in the Data Map, can we apply sensitivity labels to Fabric assets in the catalog through the Atlas API? Regards, BanuMurali
License question
Hello, From what I've read, if I have 10 licensed (Defender for Office 365) users, each with their own mailbox and an additional shared mailbox connected, I only need to license those 10 users (the shared mailbox doesn't need to be licensed additionally). However, I don't see such a provision in the licensing agreements themselves. If I understand this correctly, can someone point me to the relevant clause in the agreement? Does a shared mailbox that no one uses require a Defender license (if the organization uses Defender for Office 365 licenses)? thx.
Feature Request: DLP Controls for App Registrations Using Sites.Selected to Prevent PII/PHI Exposure
We’re using the Sites.Selected SharePoint API to restrict app access to specific sites, which is a great improvement over tenant-wide permissions. However, we’re increasingly concerned about the lack of native DLP enforcement at the app registration level—especially for AI-powered apps or integrations that may unintentionally access sensitive data. Does Microsoft offer any capability to safeguard against PII/PHI data transfer across the Graph API that can: Flag apps as restricted from accessing PII/PHI. Prevent apps from reading content labeled with sensitivity labels like “Confidential,” “PII,” or “PHI.” Enforce real-time inspection and blocking of Graph API calls that attempt to access sensitive data. Generate alerts and audit logs when apps approach or violate these boundaries. If not, are there plans to introduce these protections? Protection across all APIs is desirable, but currently our greatest concern are SharePoint APIs.Microsoft 365 Apps for Enterprise Security Baseline 2412; when available?
https://learn.microsoft.com/en-us/intune/intune-service/protect/security-baseline-v2-office-settings?pivots=v2306 is currently available in Intune. Microsoft already released the 2412 version via the Microsoft Security Compliance Toolkit. Unfortunately, this version is not available in Intune nyet. When can we expect that version to become available in Intune?Cannot see Data Map and Unified Catalog in the free version of Microsoft Purview
Hey, I am trying to setup a data connection in the free version of Microsoft Purview. However, I cannot see the Data Map and Unified Catalog features. Is this the intended limitation of the free version? Or do I miss something?
