Pinned Posts
Forum Widgets
Latest Discussions
Guidance: Sensitivity Labels during Mergers & Acquisitions (separate tenants, non-M365, etc.)
We’re building an internal playbook for how to handle Microsoft Purview sensitivity labels during mergers and acquisitions, and I’d really appreciate any lessons learned or best practices. Specifically, I’m interested in how others have handled: Acquired organizations on a separate Microsoft 365/O365 tenant for an extended period (pre- and post-close): How did you handle “Internal Only” content when the two tenants couldn’t fully trust each other yet? Any tips to reduce friction for collaboration between tenants during the transition? Existing label structures, such as: We use labels like “All Internal Only” and labels with user-defined permissions — has anyone found good patterns for mapping or reconciling these with another company’s labels? What if the acquired company is already using sensitivity labels with a different taxonomy? How did you rationalize or migrate them? Acquisitions where the target does not use Microsoft 365 (for example, Google Workspace, on-prem, or other platforms): Any strategies for protecting imported content with labels during or after migration? Gotchas around legacy permissions versus label-based protections? General pitfalls or watch-outs between deal close and full migration: Anything you wish you had known before your first M&A with Purview labels in play? Policies or configurations you’d recommend setting (or avoiding) during the interim period? Any examples, war stories, or template approaches you’re willing to share would be incredibly helpful as we shape our playbook. Thanks in advance for any insights!
Filter Fabric objects
On one side I can understand point a connector at Fabric and let it run and ingest into Purview. However, I would like to manage what does get pulled into Purview from Fabric. There are Dev/Test workspaces with reports and dashboards that are not preferred to be ingested, as well as Lakehouses and Warehouses with the same concept of Dev/Test/Prod. Is there a way to control the objects that are ingested via the Fabric connector? The other thought I had was maybe individual connectors like SQL and PBI, but there isn't anything that I can see. Thoughts or direction?
Two sensitivity labels on PDF file
Hi everyone, First time poster here. We encountered an interesting issue yesterday where we had a user come to us with a PDF that had two sensitivity labels attached. In Purview activity explorer, we can see the file hit the DLP policy and the two labels, but when trying to replicate the issue cannot do it, or see how this has been done. Has anyone else encountered a similar issue? We were able to remove labels in our PDF editor but in Office suite once a label is applied, I could not see a way to remove it. We tried applying a label to a Doc file, converting to PDF and then seeing if it was there where it was being asked for another label but it was not, it just let us change the original. Many thanks in advance!Unexpected Service Principal Additions After Purview Label Schema Migration
Hi everyone, I recently migrated our Microsoft Purview label schema in our tenant and noticed some interesting audit log entries right after the migration. Specifically, Entra ID recorded Add service principal actions for: Microsoft Edge management service Purview Ecosystem (https://api.purview.microsoft.com) Both events were logged under my admin account, with the User-Agent showing kiota-dotnet/1.16.4, which suggests an automated process or Microsoft Graph SDK interaction. Here are some details: Operation: Add service principal Result: Success Tags: disableLegacyUserImpersonationClient, disableLegacyUserImpersonationResource, and for Purview: GitCreatedApp Triggered at: The exact time I completed the label schema migration. My question: Is this expected behavior when migrating Purview label schemas? Are these service principals required for Purview and Edge management integration? Any best practices to confirm these additions are legitimate and secure? Thanks in advance for your insights! Best regards StephanInformation Scanner - SQL connection fails
Hello everyone, we are currently deploying the information scanner. The issue appeared after the scanner was already installed successfully SQL Server is running on a custom TCP port (49999), encrypted connection, and the scanner database is existing with the correct owner (service account). We also acquired the Entra token Error Failed to access scanner database. Verify the database is up and running and can be accessed by scanner service account and by the currently logged in user that executes the command. Troubleshooting steps taken: Diag show: Invalid database schema or cannot access the scanner DB. To update the database schema, run Update-ScannerDatabase. Make sure all nodes run the same MIP client version. SQL error: Message Could not obtain information about Windows NT group/user 'Domain\scanaccount', error code 0x5. Update-ScannerDatabase executed - same error Login to SQL Servers are successful SQL CMD: sqlcmd -S SQL.company.de,4321 -E -N -Q "SELECT @@VERSION" ## Worked Other configs: Tried to reregister database multiple times / service account is sysadmin at SQL server (shared) SQL DB Alias used instead of Port / SQL Browser did not work Allowed everything through firewall on SQL server - still fail 4h of troubleshooting gone by - and i am stuck - what can i do next? BR Stephan
Service Domain restrictions
I’m currently implementing an Endpoint DLP policy to enforce service domain restrictions. The goal is to prevent users from uploading documents to non-corporate domains and only allow uploads to a specific allow-list (authorized domains), we only use Microsoft Edge I have the basic configuration working, but I have a few questions about behaviors I’m seeing: Dynamic Groups: Is it supported to use Microsoft 365 Dynamic Groups for the policy scope/assignment? File Types: How can I make the policy target all file types? Currently, I'm managing this via a defined list of extensions, but I'd like to cover everything. Copy/Paste vs. Upload (The main issue): When I drag and drop or use the "Upload" button from File Explorer to a blocked domain, the action is blocked as expected. However, if I copy and paste the file (or content) directly into the website, it bypasses the block and uploads successfully. Why does this happen? Policy Activation: It seems documents only pick up the policy restrictions after they are modified. Is this the expected behavior? Any recommendations or insights on what I might be missing would be appreciated. Thanks!
Microsoft Purview Unified Catalog – Draft Data Product Visibility (RBAC)
I have three Entra ID security groups that must be able to see all data products across the estate, including Draft, Unpublished, Published, and Retired: Purview.Admin.Team Purview.Data.Governance Purview.Data.Architecture.Team What I tested I tested assigning these groups to the available Microsoft Purview Unified Catalog roles at both application and governance‑domain scope, including Global Catalog Reader / domain reader roles Governance Domain Owner Data Governance Administrator Data Product Owner Data Steward Observed results Reader roles and Data Governance Administrator allowed users to see the list of data products but not Draft / Unpublished items. Governance Domain Owner and Data Product Owner allowed draft visibility but grant ownership/control. Only assigning the groups as Data Steward on each governance domain consistently allowed visibility of all data product lifecycle states (Draft, Unpublished, Published, Retired) without granting ownership. Current understanding Draft and Unpublished data products are only visible to users assigned domain‑level governance roles Data Steward is the least‑privileged role that provides draft visibility To achieve estate‑wide draft visibility, the groups must be assigned as Data Steward on every governance domain Application‑level roles alone (including Data Governance Administrator) are insufficient Question (seeking confirmation) Is this understanding and solution correct and aligned with Microsoft’s intended Purview Unified Catalog RBAC design, or is there an alternative supported way to provide read‑only draft data product visibility without assigning Data Steward per governance domain?
Microsoft Purview Client side labeling issue
Hello Everyone, I hope this message finds you well. I wanted to share some observations and seek your guidance on an issue I'm encountering with sensitivity label recommendations in Outlook. I have created a label with auto-labeling (Client side) enabled and configured it to identify sensitive information types (SITs) such as SSN and credit card details (Instance count 1- ANY). The curious part is, when I attach a Notepad file in Outlook that contains SSN and credit card information, I do not receive any sensitivity label recommendations in both Outlook desktop and web versions. However, if I paste the same content directly into the email body, I do receive the respective sensitivity label recommendation. Moreover, when I attach a Word document (not labeled) that contains SSN and credit card information, Outlook does not show any recommendation either. Interestingly, if the Word document detects the sensitive content and recommends a label, and I then save the document with the recommended label, attaching it back to Outlook does trigger the label recommendation. Could you please clarify if this behavior is by design or if there might be a missing configuration on my end? Your insights would be greatly appreciated. Thank you!Microsoft purview auto labeling contextual summary
Hello All, I am not able to see the Contextual summary in service side auto labeling of Microsoft purview information protection. I do have "data classification content viewer role" in my ID. Please let me know if I am missing any thing to see the contextual summary.
