Recent Blogs
Meet Sathish Veerapandian: security architect, community collaborator, published author, and cycling enthusiast with a knack for turning real-world customer challenges into product-shaping feedback. ...
Jun 25, 2026
The Problem: Static Analysis Without Context
Traditional static analysis treats every file as an island. Scan a binary, match against known signatures, flag what you recognize. The approach is well...
Jun 24, 2026
Introduction
This post focuses on a topic that is critical to the move to post-quantum cryptographic (PQC) algorithms: crypto-agility for applications that use cryptography.
This post d...
Jun 23, 2026
Microsoft Sentinel platform offers a growing list of tools and features, with graph being a cornerstone capability.
Sentinel graph is a relationship-first method for organizing and querying data wi...
Jun 23, 2026
Recent Discussions
Microsoft Defender (GCC) - User Submitted "Mark and Notify" for Third Party Phishing Simulations
Our Microsoft 365 tenant is in the GCC environment, and we use a third-party phishing simulation platform along with the built-in Outlook Report Message button (not a third-party reporting add-in). When a user correctly reports one of our simulated phishing emails, the message appears in Microsoft Defender > User Submitted as expected.

The problem is what happens next. When we select Mark and notify, the only available options are:

- Phishing
- Spam
- No threat found

There is no option to notify the user that the email was actually part of a phishing simulation. This creates a difficult situation:

- If we choose No threat found, Defender tells the user the message was safe, making it appear they incorrectly reported the email even though they did exactly what we trained them to do.
- If we choose Phishing, the user receives the correct feedback, but the message is counted as a real phishing event, affecting our Defender metrics and potentially generating false incidents and reporting.

It feels like we're stuck in a design loop where neither option provides the desired outcome.

My questions are:

1. Is there a supported way in Microsoft Defender (particularly GCC) to notify users that a reported message was a simulated phishing email when using the native Outlook Report Message button?
2. Is this capability available in Commercial tenants but not GCC, or is it unavailable across all environments?
3. If this functionality does not exist, what is the recommended process for submitting a feature request specifically for the GCC version of Microsoft Defender?

This seems like a valuable enhancement for organizations that use third-party phishing simulation platforms while relying on Microsoft's native reporting experience. Has anyone else found a good workflow for this scenario?

Unlabelled Files
I have a requirement to produce a report which contains the number of files in M365 SharePoint & OneDrive which do not have a sensitivity label applied. I am struggling to find a sensible approach to this and I am fairly certain this is not possible in Purview unless I have missed something. If anyone can help it would be appreciated. Thanks

Is "Endpoint Security Policies" available to us? (error getting Intune policies)
Question

We'd like to use Defender \ Endpoint Security Policies. Is that possible for my tenant's environment? Getting the below error on the "Defender \ Endpoint Security Policies" page: "There seems to be an issue getting your Intune policies"

Details of our environment

Purpose of Defender: to protect our server fleet that's running outside of Azure
Tenant: GCC - Moderate
Scoped Region: Commercial Azure East US 2
Subscription: Microsoft Defender for Servers Plan 1 (No other subscription, etc.)
Defender Client OS: Windows 2016, 2019, 2022; RHEL 8, 9 (No desktops\laptops)
Agents installed on each Windows and Linux server: Defender is onboarded; Arc is onboarded

Configured Settings and Errors

Defender \ Settings \ Configuration management \ Enforcement scope
https://security.microsoft.com/securitysettings/endpoints/configuration_management2
Error at top of page: "Intune is not configured to allow Microsoft Defender for Endpoint to manage security configuration settings."
Use MDE to enforce security configuration settings from Intune: Set to ON
Enable configuration management:
  Windows Server devices: On tagged devices
  Windows Server Domain Controller devices: On tagged devices
  Linux devices: On tagged devices
Security settings management for Microsoft Defender for Cloud onboarded devices: Set to ON
Manage Security settings using Configuration Manager: Set to OFF

Defender \ Settings \ Configuration management \ Intune Permissions
https://security.microsoft.com/securitysettings/endpoints/intune_permissions
Getting error: "Access needed. You don't have the right permissions in AAD to view this information (in addition to those you already have in MDE). To adjust your permissions, go to the AAD portal."

Defender \ Endpoint Security Policies
https://security.microsoft.com/policy-inventory
On the main page, getting the below error: "There seems to be an issue getting your Intune policies"
If I try to make a new policy: "There seems to be an issue loading the policy authoring wizard."

Intune \ Endpoint security
https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu
Getting error: "You don't have access"

Intune roles | My permissions
https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/RolesLandingMenuBlade/~/myPermissions
"You're an administrator with full permissions to all Microsoft Intune resources."

Intune roles | Administrator Licensing
https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/RolesLandingMenuBlade/~/administratorLicensing
"Allow admins without an Intune license to access Intune. Their scope of access is determined by the Intune roles you've assigned them." I've clicked the box "Allow access to unlicensed admins".

Alternatives

If Defender \ Endpoint Security Policies isn't available, as alternatives, I guess we could use:
- SCCM Antimalware policies to manage Windows servers
- Deploying a central mdatp_managed.json to manage Linux servers

However, it would be greatly preferred to use the Defender \ Endpoint Security Policies feature for Windows and Linux.

Microsoft Purview Unified Catalog; Governance Domains and Business Concepts
I've been using the attached artefacts for some time to help explain the knowledge exchange aspects of Microsoft Purview Unified Catalog, particularly how Governance Domains and Business Concepts work together to provide business context, ownership, stewardship and operational insights. They have been useful in workshops with data architects, governance professionals, product owners and business stakeholders to demonstrate how concepts fit together within a governance domain and contribute towards trusted information and better business outcomes.

I'm interested in hearing from the wider Purview community:

- Do these artefacts accurately represent the intent and capabilities of Governance Domains within Microsoft Purview?
- Are there any concepts that you feel are missing, over-emphasised, or could be represented more clearly?
- How are others explaining Governance Domains and Business Concepts to non-technical stakeholders?

Any feedback, suggestions, or alternative approaches would be greatly appreciated. I'm always looking to refine these materials and make them more useful for organisations adopting Purview Unified Catalog.

#MicrosoftPurview #DataGovernance #DataManagement #Metadata #DataProducts #MicrosoftData #Purview #DataArchitecture #UnifiedCatalog

Confusion around Purview Definitions and Risk Scoring
In the early days of implementation and we've done our 'Quick setup' of Insider Risk Management which created our Adaptive Protection Policy for IRM, two IRM DLP policies (Endpoint & Teams/Exchange) and the Conditional Access policy.

My question is around 'Triggering events', Indicators and Insider Risk Levels. To my understanding, a triggering event is the event that decides when the policy will start assigning risk scores to user activity, which will then allow us to give users risk levels. We have the option to set this triggering event to either the DLP policies, or when a user performs an exfiltration activity/sequence. The DLP policies only match activity when a user has a defined risk level and attempts to perform a specific activity, i.e. sharing M365 content with people outside the organisation.

I'm not sure if I'm thinking about this backwards, but if I set my Adaptive protection policy to only start assigning risk scores to user activity when they match a DLP policy, how can they trigger a DLP policy if they won't be assigned a risk level until that scoring begins to happen? Should I be setting my triggering events to be "User performs an Exfiltration Activity" instead of "User Matches a DLP policy"?

PHS staged rollout works for existing users but not new synced users
We are troubleshooting an Entra ID PHS staged rollout issue with a federated domain using a third-party WS-Fed IdP. The intended behavior is that normal federated users redirect to the IdP, while users in the PHS staged rollout group receive the Microsoft/Entra password prompt instead. Existing users in the staged rollout group continue to work correctly. They enter their UPN and receive the Microsoft password prompt. One known-good test user is not provisioned in the third-party IdP and still signs in successfully through the Entra password prompt, so the working path does not require the user to exist in the IdP. The issue is only with newly created AD-synced users. Newly synced users in the same staged rollout group are still being routed to the federated IdP at HRD instead of receiving the Entra password prompt. We’ve verified the staged rollout policy and group membership from Graph, confirmed the affected users are properly AD-synced with clean immutableID/sourceAnchor, and confirmed PHS is working. Federation metadata and HRD policies also look clean. Seamless SSO/AZUREADSSOACC was checked and remediated, but the behavior did not change. For failed attempts, there is no Entra sign-in log entry, including tenant-wide interactive and non-interactive logs. However, the federated IdP logs show a WS-Fed inbound request from login.microsoftonline.com for the affected user. That makes it look like Entra HRD is routing the user to federation before sign-in logging or token issuance. The issue started around an Entra Connect AD connector/DC-path change. We have since reverted the connector to the previous known-good configuration. After reverting, we created a clean-room test user with the correct UPN set before first sync, confirmed sync/PHS/sourceAnchor, added the user directly to the staged rollout group, and waited 60+ minutes. The clean-room user still redirected to the federated IdP instead of getting the Entra password prompt. 
So the current behavior is that established staged-rollout users still get the Entra password prompt, but newly created synced staged-rollout users are sent to the federated IdP by HRD. Has anyone seen staged rollout get into this state, where existing users work but new synced users remain on the federated HRD path despite valid rollout policy, group membership, synced password hash, and clean immutableID/sourceAnchor? Is there any known backend cache/state reset or escalation path for HRD/staged rollout routing?

Anthropic Claude Purview Data Connector showing all users as Guests..
It appears this connector is not mapping fields properly, causing internal users to be mapped as "guests", and since prompts/data isn't maintained for guest users the connector is effectively not gathering anything but noise. Unlike the other data connectors, one cannot create field mappings. Also, the app being named using the GUID of Microsoft's own "dataassessments" service principal I don't think is intended either. Has anybody else experienced this? See below for an example.

Permission required to see the Exposed Entities in Secure Score's MDI items
The documentation here suggests that to see the full details of Microsoft Defender for Identity items in Secure Score, I would need the following permission: Security operations / Security data / Security data basics (Read). However, even with those permissions, I don't have access to the Exposed Entities tab. What permission would I need to be able to have read access to those?

Two sensitivity labels on PDF file
Hi everyone, first time poster here. We encountered an interesting issue yesterday where we had a user come to us with a PDF that had two sensitivity labels attached. In Purview activity explorer, we can see the file hit the DLP policy and the two labels, but when trying to replicate the issue we cannot do it, or see how this has been done. Has anyone else encountered a similar issue? We were able to remove labels in our PDF editor, but in the Office suite once a label is applied, I could not see a way to remove it. We tried applying a label to a Doc file, converting to PDF and then seeing if it was there, where it was being asked for another label, but it was not; it just let us change the original. Many thanks in advance!

Endpoint DLP Device Onboarding - WorkspaceOne
Hi everyone, we have a customer who is using WorkspaceOne for managing the endpoints. It is a hybrid environment. We need some guidance and documentation (if any) to help onboard devices for Purview eDLP. The ruled-out option is Group Policy, as some employees are working from home and some working from the office. There are around 25k+ devices in the tenant that need to be onboarded. The customer is not using Intune or SCCM. We are looking for the best method/approach to onboard devices where the org is using WorkspaceOne.

Purview DLP policy for copilot 365 location - not able to add rule condition
Hi. After choosing the Copilot 365 location when creating a new DLP policy, I am not able to choose anything when clicking Add under rule condition. Nothing happens when clicking Add. Am I doing anything wrong?

Best approach for contractor block policy
Hello there, I need some assistance with your best approach for a vendor block policy. I am thinking to create one policy with three rules:

1. Block all vendors with the block AD group
2. Vendors to allow emails to approved domains only
3. Vendors to send email to external to organisation with ability to send to approved domains

Do you think this is a good approach, breaking it down into three different rules? Also I am a bit confused with the conditions on rule 2 and rule 3. What would be your approach with a complete breakdown?

mysignins.microsoft.com failing to save passkeys
Morning. Trying to add passkeys to accounts via mysignins.microsoft.com, it almost universally fails. The failing step is when I go to name it - it just never completes. Same result using BitWarden, Yubikeys, etc. Doing this in Edge, because in Firefox my existing security methods don't even show up.

If I check the audit logs, it will give me two entries - one stating that I failed to register security info, and another about a group management query. NO idea what this is; the only identifier within the logs is my own object ID. Possibly it's related to the group I have assigned to the Passkeys Authentication Methods policy (which doesn't have any restrictions, but does enforce attestation).

CoPilot suggested it may be that the token is expiring, or something with my Edge profile - and to try in private browsing. No change.

Doing a review of our conditional access policies to see if Registering Security info is locked down - it WAS locked down to only my region (Canada). This has since been made Report-Only, just in case.

Looking at the audit log entry for the failure, there's a correlation ID 9c269291-737f-4c17-b178-b1040834fb3f and performedBy {"AppId":"19db86c3-b2b9-44cc-b339-36da233a3be2","AgentType":0,"BlueprintId":null}. If I try to filter non-int sign-ins based on that Correlation ID, I get nothing. If I use AppId as the RESOURCEId, I get a FAILURE entry with the following error - yet no conditional access policies are applied. The authentication details show this, which is weird - per-user MFA shouldn't be applied. We don't use this. But there are sign-ins at the exact same moment to the same resource, WITH MFA successful. I can register other methods without issue.

I tried creating an explicit CA policy GRANTING access to register sec info, with a TAP. That is the above sign-in. TAP worked... just NOT for passkey registration.

Other weird behaviours:
1. This portal times out so quick. Like... constantly. I have not configured anything to do this, as far as I know.
2. Opening the same portal in Firefox returns no MFA methods. None. No error, of course - it's just blank.

Risky sign-ins not showing anything
Hi, for some time already, I am not sure why, but I cannot see anything in risky sign-ins in Identity Protection (MS Entra). Even when I receive a summary email (Microsoft Entra ID Protection Weekly Digest) mentioning there were risky sign-ins detected, when I click on the risky sign-ins directly in the email to take me to the report, I see no data there at all... When I modify filters to include all, nothing shows up either. It has been like this for a few months already. Before, I could see them with no issues. Has anything changed? Or why can't I see any records?

TAP requires step-up MFA when user already has a passkey registered — expected behavior?
Environment
- Microsoft 365 Business Premium (Entra ID P1)
- Cloud-only tenant
- Authentication methods enabled: FIDO2/Passkey only + TAP
- All other methods disabled (no Authenticator push, no TOTP, no SMS)

CA Policy configuration

CA001 — Protect Security Info Registration
- Target: User action — Register security information
- Grant: Custom authentication strength "Bootstrap and Recovery" (TAP one-time + TAP multi-use + Passkey/FIDO2 + WHfB/Platform credential)
- Status: On

CA002 — Require Phishing-Resistant Authentication
- Target: All cloud apps (excluding Azure Credential Configuration Endpoint and tested also excluding Microsoft App Access Panel)
- Grant: Built-in Phishing-resistant MFA
- Status: On

What was tested

Scenario 1 — User with no registered methods (only with Platform credential):
1. Admin issues TAP (multi-use, 4 hours)
2. User navigates to aka.ms/mysecurityinfo
3. User authenticates with TAP
Result: Access granted — user can register passkey without any step-up, even in a flow authenticating directly to a resource (such as Microsoft Teams in browser)

Scenario 2 — User with an existing portable passkey already registered (in MS Authenticator):
1. Admin issues TAP (multi-use, 4 hours)
2. User navigates to aka.ms/mysecurityinfo
3. User authenticates with TAP
Result: Entra requests a second factor — specifically the existing passkey — before allowing access to My Security Info. Seems the system enforces CA002 or a platform-level step-up requirement. The TAP is accepted as a first factor, but the platform then requires the existing passkey as a second factor before proceeding.

Sign-in log analysis: The behavior does not appear in the Conditional Access tab of the sign-in logs as a CA policy failure — it appears to be enforced at the platform level, not by any configured CA policy.

Questions
1. Is it by design that when a user already has a registered MFA-capable method (passkey), the platform enforces step-up authentication before allowing access to My Security Info — even when the user authenticates with a valid TAP?
2. If so, does the correct recovery procedure require the admin to first remove all existing authentication methods before issuing a TAP — so the user has no registered methods and the TAP is accepted without step-up?
3. Is there any way to allow TAP to bypass this step-up requirement for recovery scenarios, without removing existing methods first?

Any pointers to official documentation or confirmed behavior would be appreciated.

Managed VNET Integration Runtime failing with 502 error.
Good afternoon everyone. I'm a DevOps Engineer who is new to Purview. I used Terraform to deploy a Purview account for a POC for a client; however, I'm having a real issue creating a Managed VNET IR. The private endpoints are all visible and approved, and if I check in the shell I can see the IR and the Managed VNET both exist (names sanitized).

{
  "name": "SAMPLENAME",
  "properties": {
    "managedVirtualNetwork": {
      "referenceName": "ManagedVnet-name"
    },
    "typeProperties": {
      "computeProperties": {
        "location": "WestEurope"
      }
    }
  }
}

But in the Purview portal the status shows as failed, and if I try to update it, I get a popup notification stating that the process timed out due to a 502 error. The URL in the error is "https://api.purview-service.microsoft.com/scan/integrationRuntimes/{NAME}?api-version=2022-02-01-preview".

I thought this might be an issue with permissions or that I'm not in the admin role group in my client environment, so I did the same process in my local Purview account (where I'm global admin and in the Purview Administrators role group) and I'm having exactly the same problem. The managed VNET and IR exist when queried in the cloud shell, but the state in the portal shows as failed. I am a "Data source Admin" in both Purview accounts, but I'm wondering if there's some other role assignment or role group assignment that I'm missing? Thanks in advance. Devon Britton.

Seeking Feedback – Microsoft Purview Governance Domain Metamodel
I've been working on a proposed metamodel for some time to help organisations decide how to structure Governance Domains within Microsoft Purview and would appreciate feedback from others who have implemented Purview at scale. The intention is not to prescribe a single approach, but to describe several governance patterns that seem to emerge in practice.

Some additional assumptions I've made:

* Numeric prefixes such as `01.01.01` help maintain sort order and readability.
* Standardising on three levels appears easier to manage, although Purview supports five levels.
* Microsoft guidance suggests keeping Governance Domains to approximately 200.
* Governance Domains themselves are relatively flexible and can be renamed or repositioned within the hierarchy.
* Data Products currently appear to be bound to the Governance Domain in which they are created and cannot presently be reassigned to another Governance Domain, making early design decisions more important.

I'm interested in hearing from organisations already using Governance Domains in production. A few questions for discussion:

* Have you adopted one of these patterns, or a hybrid approach?
* Are there Governance Domain types missing from this metamodel?
* Is the recommendation of standardising on three hierarchy levels sensible, or have you found deeper structures manageable?
* Are there any Microsoft best practices, roadmap items or implementation experiences that would suggest a different approach?

I've attached an infographic illustrating the proposed metamodel and would welcome any thoughts, criticism or lessons learned from real-world implementations.

Feature Request: Export ALL to PDF
When exporting from a Review Set, I would like to have an option to export ALL documents to PDF. Of most concern is exporting email (with attachments) to PDF. Attachments may have been redacted. But if the email is exported it will include the unredacted attachment. This is not acceptable. They were redacted for a reason.

We can force the export to convert the email to PDF by placing a useless redaction on the email. It can be small or large. Can contain text or not. It can be 2 pixels square. It has to be there so we can force the email to convert to PDF for the export. Manually adding a fake / useless redaction to hundreds of emails is an enormous (but currently essential) waste of time.

Since the system already knows how to do the conversion, it should be simple to just give us an option to convert ALL emails to PDF. Might slow down the processing, but... it protects the names / numbers / etc. being redacted.

Reminder: Next Tuesday 6/23 at 9AM PST we will be hosting an 'Ask Microsoft Anything' session on Tech Community for the Sentinel SIEM Migration Experience!
Join us for a live demo and AMA on the Microsoft Sentinel SIEM migration experience. We'll show how the experience helps teams move from legacy SIEMs like Splunk and QRadar into Microsoft Sentinel with a more guided, lower-friction path. We'll cover what it does today, how it works, and the questions customers ask most, then open it up for live Q&A. Link here: Ask Microsoft Anything: The Microsoft Sentinel SIEM Migration Experience. Hope to see you there!

Terribly lost - what are the basic controls here?
Hello all. I'm an MSP, looking at methods of securing data in the wake of AI adoption. Obviously, I'm getting pointed to Purview for this. And I've managed to make sense of SOME of it - sensitivity labels, labeling policies, and sensitive info types.

The problem I have is that these 'solutions' are spread out amongst 3-4 different 'solutions' - Information Protection, DLP, DSPM (DSPM, DSPM classic, DSPM for AI 'classic') and it's genuinely just really badly designed. It's done the classic Microsoft move of having the Marketing team build the interface, and caring more about market capture/buzzwords than usability. As is the norm, the documentation quality varies a ton. And between Intune, SharePoint, Entra, Defender, Azure, certifications - I don't actually have time to learn another market-capture tool, which I will use 2% of.

We don't license Purview. And I'm not going to license Purview until some effort is put into usability, and the interface is redesigned by native, technical English speakers (no hate, but I've seen first-hand how MBA English-as-a-second-language translates into this sort of opacity). But obviously, we HAVE to use it because a bunch of stuff was pushed into it.

Without adding another set of half-automated Microsoft recommendations to my list, and avoiding premium 'solutions' - what are the basic 'solutions' that are required for data controls, in the face of AI? What exactly was merged into Purview that existed elsewhere previously?

Here is what I've gotten familiar with so far:
1. DLP policies. These are pretty opaque to me, and seem to heavily rely on OTHER 365 products, like Defender for Endpoint, Edge for Business. So again, designed by the marketing team.
2. Sensitivity labels, labeling publishing policies, auto-labeling policies.

What am I missing?
Events
As organizations scale, tenant sprawl becomes inevitable. Legacy test tenants, employee‑created environments, and forgotten tenants create blind spots for security and identity teams.
Get to know M...
Wednesday, Jul 01, 2026, 09:00 AM PDT, Online