Forum Discussion
Search for Credit Card Numbers within tenant
Hello all,
for audit purposes, I need to discover if there are any PAN/Credit Card numbers stored anywhere within our tenant - we use M365 E3/E5 (Sharepoint, onedrive, exchange online).
I'm sure it should be possible with MS Purview, just don't know what would be the best way to do it.... Playing currently with eDiscovery > Case, created query (tenant-wide) for Sensitive Type - Credit Card Number, ...got some results (statistics, etc) but cannot find a way how to locate the files/emails where the Card Number was found.
I'm looking for some advice whether CASE is the right way to deal with this task or there is a better way?
You are in the right path:
Using eDiscovery, you can use the Content search function. Once content search finishes searching for information > you can export a report that contains details (there is a limit of 2TB for the exported file)
Exporting data from Content Search: https://learn.microsoft.com/en-us/purview/ediscovery-export-search-results
Additionally, you can create a DLP policy that points inwards. You're DLP policy would have the following in the rules:
Policy is for SharePoint and OneDrive
Rule: IF data contains Sensitive Information Type (1) PAN or (2) CCN then trigger. Recommended to change the confidence level to High. No action taken
Run policy: Simulation/ Audit mode. So that it doesn't change or affect anything in your org.
Another option:
In Content explorer, there is an SIT section, you'll get ALL (and I do mean ALL) data that matches PAN and CCN. You can export this list too in excel. Then you can use excel to count.
4 Replies
Thank you both - really appreciate the advice. I keep playing with Purview eDiscovery, custom SIT that match exactly what I need, also playing with Content Explorer and Data Explorer, created DLP (this was super helpful) based on your recommendations... and getting some useful data now. Just need to tune it up a little to get the most accurate info.
AakashMalhotraMicrosoft
If you create a new custom SIT, only content created/modified after that SIT was created would be evaluated and will show up in content explorer/ eDiscovery search. For historical content not being used, you will need to run a scan using the on-demand classification capability - https://learn.microsoft.com/en-us/purview/on-demand-classification
You are in the right path:
Using eDiscovery, you can use the Content search function. Once content search finishes searching for information > you can export a report that contains details (there is a limit of 2TB for the exported file)
Exporting data from Content Search: https://learn.microsoft.com/en-us/purview/ediscovery-export-search-results
Additionally, you can create a DLP policy that points inwards. You're DLP policy would have the following in the rules:
Policy is for SharePoint and OneDrive
Rule: IF data contains Sensitive Information Type (1) PAN or (2) CCN then trigger. Recommended to change the confidence level to High. No action taken
Run policy: Simulation/ Audit mode. So that it doesn't change or affect anything in your org.
Another option:
In Content explorer, there is an SIT section, you'll get ALL (and I do mean ALL) data that matches PAN and CCN. You can export this list too in excel. Then you can use excel to count.
BrianStephenHi sumo83
While you can use eDiscovery in Microsoft Purview to search content across Exchange Online, it’s important to note that eDiscovery does not support direct querying of Sensitive Information Types (SITs) such as credit card numbers or Social Security numbers.
If your objective is to identify or manage sensitive data, consider using the following Microsoft Purview tools and features.
1. Microsoft Purview Content Explorer and Data Explorer
Use Content Explorer or Data Explorer to:
- View where sensitive information types are detected across Microsoft 365 services, including Exchange Online, SharePoint Online, and OneDrive for Business.
- Gain visibility into the distribution and types of sensitive data in your organization.
- Support compliance and risk management initiatives.
NOTE:
Access to Content Explorer and Data Explorer requires appropriate Microsoft Purview compliance role group permissions.2. Data Loss Prevention (DLP) Policies
Configure DLP policies in Microsoft Purview to:
- Automatically detect sensitive information in email messages and attachments (In-Transit).
- Apply protective actions such as blocking, alerting, or auditing based on policy rules.
- Help prevent unintentional sharing of sensitive data outside your organization.
Limitations of eDiscovery for SITs
- eDiscovery (Standard or Premium) allows keyword and metadata-based searches but does not support direct filtering by SITs.
- To investigate sensitive data exposure, use DLP alerts or Content Explorer insights instead.
Data Explorer in Microsoft Purview
https://learn.microsoft.com/en-us/purview/data-classification-data-explorerContent Explorer in Microsoft Purview
https://learn.microsoft.com/en-in/purview/data-classification-content-explorerReview and Analyze Data Classification and Protection (Training Module)
https://learn.microsoft.com/en-us/training/modules/purview-review-analyze-data-classification/Keyword queries and search conditions for eDiscovery | Microsoft Learn
I hope that helps!-Brian ✌️