Latest Discussions
Two sensitivity labels on PDF file
Hi everyone,

First time poster here. We encountered an interesting issue yesterday where we had a user come to us with a PDF that had two sensitivity labels attached. In Purview activity explorer, we can see the file hit the DLP policy and the two labels, but when trying to replicate the issue cannot do it, or see how this has been done. Has anyone else encountered a similar issue? We were able to remove labels in our PDF editor but in Office suite once a label is applied, I could not see a way to remove it. We tried applying a label to a Doc file, converting to PDF and then seeing if it was there where it was being asked for another label but it was not, it just let us change the original.

Many thanks in advance!

courtney_green | Jan 14, 2026 | Occasional Reader | 14 Views | 0 likes | 1 Comment

Unexpected Service Principal Additions After Purview Label Schema Migration
Hi everyone,

I recently migrated our Microsoft Purview label schema in our tenant and noticed some interesting audit log entries right after the migration. Specifically, Entra ID recorded Add service principal actions for:

- Microsoft Edge management service
- Purview Ecosystem (https://api.purview.microsoft.com)

Both events were logged under my admin account, with the User-Agent showing kiota-dotnet/1.16.4, which suggests an automated process or Microsoft Graph SDK interaction.

Here are some details:

- Operation: Add service principal
- Result: Success
- Tags: disableLegacyUserImpersonationClient, disableLegacyUserImpersonationResource, and for Purview: GitCreatedApp
- Triggered at: The exact time I completed the label schema migration.

My question:

- Is this expected behavior when migrating Purview label schemas?
- Are these service principals required for Purview and Edge management integration?
- Any best practices to confirm these additions are legitimate and secure?

Thanks in advance for your insights!

Best regards
Stephan

StephanGee | Jan 14, 2026 | Iron Contributor | 73 Views | 1 like | 2 Comments

Information Scanner - SQL connection fails
Hello everyone,

We are currently deploying the information scanner. The issue appeared after the scanner was already installed successfully. SQL Server is running on a custom TCP port (49999), encrypted connection, and the scanner database is existing with the correct owner (service account). We also acquired the Entra token.

Error

Failed to access scanner database. Verify the database is up and running and can be accessed by scanner service account and by the currently logged in user that executes the command.

Troubleshooting steps taken:

- Diag show: Invalid database schema or cannot access the scanner DB. To update the database schema, run Update-ScannerDatabase. Make sure all nodes run the same MIP client version.
- SQL error: Message Could not obtain information about Windows NT group/user 'Domain\scanaccount', error code 0x5.
- Update-ScannerDatabase executed - same error
- Login to SQL Servers are successful
- SQL CMD: sqlcmd -S SQL.company.de,4321 -E -N -Q "SELECT @@VERSION" ## Worked

Other configs:

- Tried to reregister database multiple times / service account is sysadmin at SQL server (shared)
- SQL DB Alias used instead of Port / SQL Browser did not work
- Allowed everything through firewall on SQL server - still fail

4h of troubleshooting gone by - and I am stuck - what can I do next?

BR
Stephan

StephanGee | Jan 14, 2026 | Iron Contributor | 12 Views | 0 likes | 0 Comments

Service Domain restrictions
I’m currently implementing an Endpoint DLP policy to enforce service domain restrictions. The goal is to prevent users from uploading documents to non-corporate domains and only allow uploads to a specific allow-list (authorized domains). We only use Microsoft Edge.

I have the basic configuration working, but I have a few questions about behaviors I’m seeing:

- Dynamic Groups: Is it supported to use Microsoft 365 Dynamic Groups for the policy scope/assignment?
- File Types: How can I make the policy target all file types? Currently, I'm managing this via a defined list of extensions, but I'd like to cover everything.
- Copy/Paste vs. Upload (The main issue): When I drag and drop or use the "Upload" button from File Explorer to a blocked domain, the action is blocked as expected. However, if I copy and paste the file (or content) directly into the website, it bypasses the block and uploads successfully. Why does this happen?
- Policy Activation: It seems documents only pick up the policy restrictions after they are modified. Is this the expected behavior?

Any recommendations or insights on what I might be missing would be appreciated. Thanks!

Melvin_Maldonado03 | Jan 12, 2026 | Copper Contributor | 2 Views | 0 likes | 0 Comments

Data Governance... who, how, why?
In our organization, we’ve defined the teams responsible for Data Security (Cybersecurity) and Data Compliance (Records Management). However, there is still uncertainty around which department should own and manage Data Governance. How is it permissioned?

tmartinovv | Jan 12, 2026 | Copper Contributor | 75 Views | 1 like | 5 Comments

Microsoft Purview Unified Catalog – Draft Data Product Visibility (RBAC)
I have three Entra ID security groups that must be able to see all data products across the estate, including Draft, Unpublished, Published, and Retired:

- Purview.Admin.Team
- Purview.Data.Governance
- Purview.Data.Architecture.Team

What I tested

I tested assigning these groups to the available Microsoft Purview Unified Catalog roles at both application and governance‑domain scope, including

- Global Catalog Reader / domain reader roles
- Governance Domain Owner
- Data Governance Administrator
- Data Product Owner
- Data Steward

Observed results

- Reader roles and Data Governance Administrator allowed users to see the list of data products but not Draft / Unpublished items.
- Governance Domain Owner and Data Product Owner allowed draft visibility but grant ownership/control.
- Only assigning the groups as Data Steward on each governance domain consistently allowed visibility of all data product lifecycle states (Draft, Unpublished, Published, Retired) without granting ownership.

Current understanding

- Draft and Unpublished data products are only visible to users assigned domain‑level governance roles
- Data Steward is the least‑privileged role that provides draft visibility
- To achieve estate‑wide draft visibility, the groups must be assigned as Data Steward on every governance domain
- Application‑level roles alone (including Data Governance Administrator) are insufficient

Question (seeking confirmation)

Is this understanding and solution correct and aligned with Microsoft’s intended Purview Unified Catalog RBAC design, or is there an alternative supported way to provide read‑only draft data product visibility without assigning Data Steward per governance domain?

sashakorniakUK | Jan 09, 2026 | Brass Contributor | 38 Views | 0 likes | 0 Comments

Microsoft Purview Client side labeling issue
Hello Everyone,

I hope this message finds you well. I wanted to share some observations and seek your guidance on an issue I'm encountering with sensitivity label recommendations in Outlook.

I have created a label with auto-labeling (Client side) enabled and configured it to identify sensitive information types (SITs) such as SSN and credit card details (Instance count 1- ANY).

The curious part is, when I attach a Notepad file in Outlook that contains SSN and credit card information, I do not receive any sensitivity label recommendations in both Outlook desktop and web versions. However, if I paste the same content directly into the email body, I do receive the respective sensitivity label recommendation.

Moreover, when I attach a Word document (not labeled) that contains SSN and credit card information, Outlook does not show any recommendation either. Interestingly, if the Word document detects the sensitive content and recommends a label, and I then save the document with the recommended label, attaching it back to Outlook does trigger the label recommendation.

Could you please clarify if this behavior is by design or if there might be a missing configuration on my end? Your insights would be greatly appreciated.

Thank you!

Afsar_Shariff | Jan 09, 2026 | Brass Contributor | 65 Views | 0 likes | 2 Comments

Microsoft purview auto labeling contextual summary
Hello All,

I am not able to see the Contextual summary in service side auto labeling of Microsoft purview information protection. I do have "data classification content viewer role" in my ID. Please let me know if I am missing anything to see the contextual summary.

Solved | Afsar_Shariff | Jan 08, 2026 | Brass Contributor | 38 Views | 0 likes | 2 Comments

Purview Unified Catalogue Gov Domains Numeric Prefixing
Has Anyone Tried Numeric Prefixing for Governance Domains in Purview?

Context: We introduced a structured numeric prefixing system for governance domains in Microsoft Purview to make hierarchical sorting more intuitive.

What we did:

- Parent domains use a base prefix ending in .00 (e.g., 02.00 Group).
- Child domains are numbered sequentially (e.g., 02.01 Directorate, 02.01.01 Team).

Why: Purview sorts domains alphabetically, which caused child domains (e.g., 02.01) to appear above their parent (02 Group). Adding .00 ensures parents always sort before children, creating a clear hierarchy.

How it works:

- All already have 01.00-
- Top-level groups: 02.00
- Directorates: 02.01, 02.02
- Teams/Units: 02.01.01

This approach guarantees correct sorting, clear hierarchy, and scalability for future additions?

Question for the community:

- Has anyone else implemented a similar numeric prefixing approach in Purview?
- Do you think this is a good idea for maintaining clarity and scalability?
- Any alternative strategies you’ve found effective?

Solved | 57 Views | 1 like | 1 Comment

Pre-migration queries related to data discovery and file analysis
Hi Team,

A scenario involves migrating approximately 25 TB of data from on‑premises file shares to SharePoint. Before the migration, a discovery phase is required to understand the composition of the data. The goal is to identify file types (Microsoft Office documents, PDFs, images, etc.) without applying any labels at this stage.

The discovery requirements include:

- Identification of file types
- Detection of duplicate or redundant files
- Identification of embedded UNC paths, macros, and document links
- Detection of applications running directly from file shares

Guidance is needed on which Microsoft Purview components—such as the on‑premises scanner or the Data Map—can support these discovery requirements. Clarification is also needed on whether Purview is capable of meeting all the above needs. Clarification is also needed on whether Purview can detect duplicate or redundant files, and if so, which module or capability enables this.

Additionally, since Purview allows downloading only up to 10,000 logs at a time, what would be the best approach to obtain discovery logs for a dataset of this size (25 TB)?

Thank you!

pallavirajak | Jan 08, 2026 | Copper Contributor | 48 Views | 0 likes | 1 Comment
Tags
- purview: 130 Topics
- microsoft purview: 77 Topics
- Information Protection: 21 Topics
- Sensitivity Labels: 20 Topics
- ediscovery: 16 Topics
- Azure Purview: 15 Topics
- data loss prevention: 13 Topics
- Retention Policy: 12 Topics
- endpoint dlp: 11 Topics
- api: 10 Topics