DSPM for AI Data Risk Assessment Question
Hello everyone, my team is creating a POC for DSPM for AI in order to be ready for actual implementations. We have encountered some unexpected issues that we have found no conclusive answers to in the official articles. Everything that follows is related to the Data Risk Assessment feature that comes with DSPM for AI and its sharepoint site scanning features.
First of all, does the assessment feature use both built-in and custom SITs? If this is the case, we need to take into account any custom data types in an actual implementation.
Secondly, we have noticed that no assessment type (including the default one) reads all the sites found in the sharepoint admin center. We have noticed that one of them is probably the root site as its format is https://<domain name>/ while every other site looks like https://<domain name>/sites/<site name>, another one was most likely created by an application and there are some that do not appear in the list but do appear in the assessment results. All of these sites except the "root" seem to be up and running, although some show the "request access" page when opening.
Third, we have not found a conclusive answer as to what the difference is between the site-level and item-level scan. This is because the item-level scan finds and scans even fewer sites. The configuration is as follows:
- Default Assessment: All users, All sites (default option) -> Finds 17/19 sites and items scanned do not match the number of items reported to be on the sites in the sharepoint admin center. The issue is that the number of reported unscanned items is 0.
- Site Level Assessment: All users, All sites (default option) -> Finds 11/19 sites and items scanned do not match the number of items reported to be on the sites in the sharepoint admin center. The issue is that the number of reported unscanned items is 0.
- Item Level Assessment: All users, No All Sites option. Finds 8/19 sites -> Scans 4/19 sites and items scanned do not match the number of items reported to be on the sites in the sharepoint admin center. The issue is that the number of reported unscanned items is 0.
To sum this up, my team's questions are the following:
- Does this solution use custom SITs in addition to built-in ones?
- What extra configuration is required to scan ALL sharepoint sites for sensitive info using the Data Risk Assessments?
- What added value does the Item Level scan provide?
- Is any extra configuration besides the enterprise app creation required for Item Level scanning on all sites?
Thank you all in advance!
1 Reply
- Prathista Ilango
Microsoft
Hello Chris_P,
Here are the answers to your questions. Hope this helps!
- Does this solution use custom SITs in addition to built-in ones?
It identifies any sensitive info types (custom and built-in).
- What extra configuration is required to scan ALL sharepoint sites for sensitive info using the Data Risk Assessments?
Default assessment runs for top used sites in the organization. To scan specific sites, create custom assessment. Refer to: How to use DSPM for AI Data Risk Assessment to Address Internal Oversharing | Microsoft Community Hub
- What added value does the Item Level scan provide?
Item level scan identifies items as potentially overshared if they have a sharing link for external or anonymous users, and also shows any applied sensitivity label and the owner of each item. Along with that, the following remediation actions can be taken on the identified potentially overshared items:
  - Resolve
  - Apply sensitivity label
  - Notify
  - Remove sharing link
Refer to: How to use DSPM for AI Data Risk Assessment to Address Internal Oversharing | Microsoft Community Hub
- Is any extra configuration besides the enterprise app creation required for Item Level scanning on all sites?
Item level scanning can be done for a maximum of 10 sites. Item-level scanning scans potentially overshared items in those sites. Refer to the article mentioned above. The prerequisites are mentioned here: https://learn.microsoft.com/en-us/purview/dspm-for-ai-considerations#prerequisites-for-microsoft-365-item-level-scanning-for-data-risk-assessments
With respect to request access page issue, make sure the permissions are correctly configured in the Entra app, as per the prerequisites mentioned above, and the same is used while creating the item-level scan in custom assessment.
Please mark as solution if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.
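The coverage gaps the question describes (sites listed in the SharePoint admin center that never appear in the assessment results, sites in the results that are not in the admin center list, and scanned-item counts that fall short of the site total while "unscanned items" is reported as 0) are exactly the things a defender should reconcile outside the report, because the report itself does not flag them. The script below is an added example written for this thread; it is not Microsoft's code, not part of DSPM for AI, and not something the thread's participants posted. It assumes two constructed CSV exports whose column names (`url`, `items`, `scanned_items`, `unscanned_items`) are invented for illustration, and it uses the 10-site limit for item-level scanning stated in the reply to split the uncovered sites into batches that each fit one custom item-level assessment.

```python
"""Reconcile a SharePoint site inventory against Data Risk Assessment results.

Added example (not Microsoft's code or the thread author's). The admin-center
inventory and the assessment output are modelled as constructed CSV text; the
column names are assumptions, not a real export format.
"""
import csv
import io
from urllib.parse import urlparse

# Per the reply in the thread: item-level scanning covers at most 10 sites.
ITEM_LEVEL_MAX_SITES = 10

# Constructed sample: the site list as the SharePoint admin center shows it.
ADMIN_CENTER_CSV = """url,items
https://contoso.sharepoint.com/,120
https://contoso.sharepoint.com/sites/finance,4000
https://contoso.sharepoint.com/sites/hr,1500
https://contoso.sharepoint.com/sites/appsite-7f3a,30
https://contoso.sharepoint.com/sites/legal,900
"""

# Constructed sample: what a (hypothetical) assessment export reports.
ASSESSMENT_CSV = """url,scanned_items,unscanned_items
https://contoso.sharepoint.com/sites/finance,3200,0
https://contoso.sharepoint.com/sites/hr,1500,0
https://contoso.sharepoint.com/sites/shadow-team,45,0
"""


def normalize(url: str) -> str:
    """Lower-case and drop the trailing slash so the root site and /sites/ URLs compare reliably."""
    return url.strip().lower().rstrip("/")


def classify_site(url: str) -> str:
    """Bucket a URL the way the question does: tenant root, /sites/ collection, or something else."""
    path = urlparse(normalize(url)).path
    if path == "":
        return "root"
    if path.startswith("/sites/"):
        return "site"
    return "other"


def _rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(admin_csv: str, assessment_csv: str) -> dict:
    """Compare inventory against results; the silent gaps are what the report never flags."""
    inventory = {normalize(r["url"]): int(r["items"]) for r in _rows(admin_csv)}
    results = {
        normalize(r["url"]): (int(r["scanned_items"]), int(r["unscanned_items"]))
        for r in _rows(assessment_csv)
    }
    not_scanned = sorted(set(inventory) - set(results))      # in admin center, absent from results
    not_in_inventory = sorted(set(results) - set(inventory))  # in results, absent from admin center
    item_mismatch = {}
    for url in sorted(inventory.keys() & results.keys()):
        scanned, unscanned = results[url]
        # "unscanned_items = 0" only means full coverage if scanned + unscanned equals the site total.
        if scanned + unscanned != inventory[url]:
            item_mismatch[url] = {"inventory": inventory[url], "scanned": scanned, "unscanned": unscanned}
    return {
        "coverage": (len(inventory) - len(not_scanned), len(inventory)),
        "not_scanned": not_scanned,
        "not_in_inventory": not_in_inventory,
        "item_mismatch": item_mismatch,
    }


def plan_item_level_batches(urls, max_sites: int = ITEM_LEVEL_MAX_SITES) -> list:
    """Split sites into groups small enough for one item-level custom assessment each."""
    ordered = sorted({normalize(u) for u in urls})
    return [ordered[i:i + max_sites] for i in range(0, len(ordered), max_sites)]


if __name__ == "__main__":
    report = reconcile(ADMIN_CENTER_CSV, ASSESSMENT_CSV)
    covered, total = report["coverage"]
    print(f"sites covered by assessment: {covered}/{total}")
    for url in report["not_scanned"]:
        print(f"  not scanned ({classify_site(url)}): {url}")
    for url in report["not_in_inventory"]:
        print(f"  in results but not in inventory: {url}")
    for url, counts in report["item_mismatch"].items():
        print(f"  item count mismatch: {url} {counts}")
    for n, batch in enumerate(plan_item_level_batches(report["not_scanned"]), start=1):
        print(f"item-level batch {n}: {batch}")
```

Run it with exports from your own tenant substituted for the two constructed strings. The useful outputs are the sites that are simply absent from the results (the default assessment only covers the most used sites, so absence is expected and needs a custom assessment, not a bug report), sites that appear in results but not in the admin center list (worth an ownership check), and sites whose item totals do not add up even though zero unscanned items is reported.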