Forum Discussion

underQualifried
Iron Contributor
Jun 17, 2026

Terribly lost - what are the basic controls here?

Hello all. I'm an MSP, looking at methods of securing data in the wake of AI adoption. Obviously, I'm getting pointed to Purview for this. And I've managed to make sense of SOME of it - sensitivity labels, labeling policies, and sensitive info types.

The problem I have is that these 'solutions' are spread out amongst 3-4 different 'solutions' - Information Protection, DLP, DSPM (DSPM, DSPM classic, DSPM for AI 'classic') and it's genuinely just really badly designed. It's done the classic Microsoft move of having the Marketing team build the interface, and caring more about market capture/buzzwords than usability. As is the norm, the documentation quality varies a ton. And between Intune, SharePoint, Entra, Defender, Azure, certifications - I don't actually have time to learn another market-capture tool, which I will use 2% of.

We don't license Purview. And I'm not going to license Purview until some effort is put into usability, and the interface is redesigned by native, technical English speakers (no hate, but I've seen first-hand how MBAEnglish-as-a-second-language translates into this sort of opacity). But obviously, we HAVE to use it because a bunch of stuff was pushed into it.

Without adding another set of half-automated Microsoft recommendations to my list, and avoiding premium 'solutions' - what are the basic 'solutions' that are required for Data controls, in the face of AI? What exactly was merged into Purview, that existed elsewhere previously? Here is what I've gotten familiar with so far:

1. DLP policies. These are pretty opaque to me, and seem to heavily rely on OTHER 365 products, like Defender for Endpoint, Edge for Business. So again, designed by the marketing team. 
2. Sensitivity labels, labeling publishing policies, auto-labeling policies.

What am I missing? 

1 Reply

  • I would recommend starting with DSPM to get visibility into the data estate. 

    DSPM gives you a better starting point by helping identify where sensitive data exists, where it is overshared, which SharePoint/OneDrive locations are risky, what is unlabeled, and what may be exposed to Copilot or other AI experiences. But without a premium license, DSPM features are limited.

    With an E3 license, for example, I'll follow these Microsoft-recommended steps:

    Remediate Oversharing 

    1. Identify high-risk sites and content (SharePoint Advanced Management, Purview Content Explorer, DSPM)
    3. Apply interim Copilot protections (SharePoint Advanced Management, Purview DLP)
    2. Fix access and permissions (SharePoint Advanced Management)

    Outcomes:

    • High-risk sites are identified, prioritized, and contained
    • Copilot exposure is reduced immediately, even before full cleanup
    • Foundation is set for durable Guardrails

    Setup Guardrails 

    1. Establish secure defaults (SharePoint Advanced Management, Sensitivity Labels)
    2. Establish secure Guardrails (Purview DLP)
    3. Continuously Enforce & Optimize Guardrail (Purview DSPM, Purview DLP alerts)

    Outcomes:

    • Guardrails are enforced by default, not manually remediated
    • New content and sites are protected at creation
    • Copilot can scale safely without re-introducing Oversharing risk

    Meet Regulations
    1. Identify and address gaps against Regulations (Purview Compliance Manager)
    2. Define Regulatory Requirements (Purview eDiscovery, Purview Data Lifecycle Management)
    3. Improve data hygiene (SharePoint Advanced Management, Purview retention labels)

    Outcomes:

    • AI risks and regulatory gaps are identified and tracked
    • Copilot usage is auditable, enforceable, and defensible
    • Higher-quality Copilot responses and a reduced Oversharing data surface

    https://learn.microsoft.com/en-us/microsoft-365/copilot/configure-secure-governed-data-foundation-microsoft-365-copilot 
    I hope this helps.