Recent Blogs
One of the main changes and advantages of onboarding Microsoft Sentinel to the Defender portal is the fact that alerts are automatically correlated into single incidents. Alert correlation will kick ...
Sep 26, 2025
With the adoption of the NIS2 Directive EU 2022 2555, cybersecurity obligations for both public and private sector organizations have become more strict and far reaching. NIS2 aims to establish a hig...
Sep 26, 2025
In our previous Defender for Cloud Storage Security blog, we likened cloud storage to a high-tech museum - housing your organization’s most valuable artifacts, from sensitive data to AI training sets...
Sep 25, 2025
Integrating Microsoft Security Copilot with Azure Logic Apps enables security teams to automate investigations, orchestrate fast incident response, and unify workflows across the modern enterprise. B...
Sep 24, 2025Recent Discussions
Purview YouTube Show and Podcast
I am a Microsoft MVP who co-hosts All Things M365 Compliance with Ryan John Murphy from Microsoft. The show focuses on Microsoft 365 compliance, data security, and governance. Our episodes cover: Microsoft Purview features and updates Practical guidance for improving compliance posture Real-world scenarios and expert discussions Recent episodes include: Mastering Records Management in Microsoft Purview: A Practical Guide for AI-Ready Governance Teams Private Channel Messages: Compliance Action Required by 20 Sept 2025 Microsoft Purview DLP: Best Practices for Successful Implementation Shadow AI, Culture Change, and Compliance: Securing the Future with Rafah Knight 📺 Watch on YouTube: All Things M365 Compliance - YouTube 🎧 Listen on your favourite podcast platform: All Things M365 Compliance | Podcast on Spotify If you’re responsible for compliance, governance, or security in Microsoft 365, this is for you. 👉 Subscribe to stay up to date – and let us know in the comments what topics you’d like us to cover in future episodes!New blog post: Is Your Data Ready for Microsoft 365 Copilot?
Is Your Data Ready for Microsoft 365 Copilot? Microsoft 365 Copilot is a game-changer for productivity, but here’s the catch: Copilot surfaces what users already have access to. If your governance isn’t in order, sensitive data could be exposed. In my latest blog, I share: ✅ How to prevent oversharing in Teams & SharePoint ✅ Why sensitivity labels are critical for Copilot ✅ How to monitor usage and avoid shadow AI ✅ Why you don’t need perfect governance to start 📖 Read the full blog: Microsoft 365 Copilot Data Readiness Checklist 👉 What’s your biggest challenge with Copilot readiness? Drop your thoughts below!
eDiscovery for email attachment with encrypted sensitivity labels
We are currently testing encrypted sensitivity labels in conjunction with eDiscovery. We applied an encrypted label to a document, and eDiscovery was able to successfully search for the content in both OneDrive and SharePoint. However, the same functionality does not appear to work for email attachments—the content of encrypted attachments is not searchable. Are there any specific settings or configurations that need to be enabled to support encrypted email attachments in eDiscovery? Thanks
eDiscovery case (Premium) and on-premise file share content
We have E5 license and Purview eDiscovery premium. We have a need to create eDiscovery case with on-premise file share data source. As part of this configuration, we have done the following: Installed a graph connector agent on the on-premise file share with azure app registration with the appropriate permissions. In Microsoft 365 admin center, configured file share data source linking to file share graph connector above. The files on the file server were successfully indexed. No issues. However, in the next step, while creating an eDiscovery case (Premium), we don't see "Add Graph Connector as a data source within a case" to add the above graph connector. What are we missing? The user has Global Administrator permissions.
Exclude Devices from Secure Score
I have a scenario where DevOps devices are spun up in the environment and onboarded to Defender then after very short periods of time never used again. Leaving thousands of devices onboarded which are not in use/live anymore. With the devices being onboarded to DFE this affects the Secure Score significantly, the hosts use a specific host name prefix and we were looking to see if there was a way to have Secure Score exclude these devices as they greatly impact the overall %.
Windows Live Custom Domains causes Entra account lockout
Hi everyone, we have an on-prem AD connected with EntraConnect to EntraID since about 3 years. We only sync users and groups, no password hash or anything else. Since a few days 4 (out of about 250) users are constantly being locked out due to failed login attempts on an Application called "Windows Live Custom Domains". All 4 users are locked out not at the same time but within 30 min to an hour. This happens multiple times a day. As far as I was able to investigate Windows Live Custom Domains is a service no longer offered by MS or has been replaced with something else. How am I able to find out where this failed login attempts come from? If someone could point me in the right direction I would be very happy. Thanks DanielPurview Data Quality Dashboard/ Report - Refresh
Hi All, Currently I am getting all blank in Purview Data quality dashboard, before two months dashboard shows all values across each data quality dimensions and showed graph for each quadrant in a dashboard. After two months when checked the dashboard everything is blank nothing is shown in the report. (Note : I have created two governance domain and each domain has five data products assigned with data assets, implemented data quality rules on top of each data assets that time scores were reflected in the Purview data quality dashboard), but suddenly now it all went blank scores showing as 'blank' Note : None of the data quality assessment were not deleted during that two months, data quality rules are still active and its still showing scores at data asset level. But its not showing in the dashboard currently. Can you please help me to sort out, is there any refresh policy associated for Purview Data quality dashboard.Defender tagging based on Intune App policy
Will the issue about tagging devices in the security centre with MDE-management ever be resolved? this has been ongoing for over 10 months and will allow us to smoothly tag and group items in the defender section a whole lot easier. For some of our clients we NEED this as the current abilities are so basic and useless considering defenders awful naming method. "Use of dynamic device tagging capabilities in Defender for Endpoint to tag devices with MDE-Management isn't currently supported with security settings management. Devices tagged through this capability don't successfully enroll. This is currently under investigation." https://learn.microsoft.com/en-us/defender-xdr/configure-asset-rulesADR: Audited detections not showing in Microsoft Defender
Hi all, I am trying to figure out why the Attack surface reduction rules report does not show me any audited detections. Specifically, I am testing out the rule Block process creations originating from PSExec and WMI commands in Audit mode. A test was run on the endpoint by starting a WMI process and an event was logged to Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational. Any ideas?
"Something went wrong. Primary and secondary data missing" when viewing email submission
Does anyone know what causes the "Something went wrong. Primary and secondary data missing" error when viewing an email submission in Microsoft Defender? It happens sporadically, but on I would guess 5% - 10% of our submissions.
Advanced Hunting Query Help
Hey y'all, I'm trying to write a query that can be used to determine the number of times an each IOC generated an alert (file hash, URL, IP, etc). I'm using the query builder tool within Defender, and I'm looking into the AlertInfo and AlertEvidence tables, but I'm not seeing where the link exists between each of these alert records and the corresponding IOC. For instance. If I submit a custom indicator, to Block a file identified by a sha256 hash, and that file gets correctly blocked, I want to see a count for the number of times that IOC value (the hash in this instance) triggered an alert. I'm hoping the community can help me determine whether I'm missing something glaringly obvious or if there's some documentation I haven't read yet. Thanks for reading!Exclusion of Copilot App (for O365) from Conditional Access Policies does not work
Hi, we've built a Conditional Access Policy in EntraID that forces MFA for all Cloud Apps. We want to exclude "Microsoft 365 Copilot"/ "Copilot App" so no Reauthentication is necessary for Copilot in the frame of accessing O365 content. Exclusion has been made for a range of identified Copilot applications that are shown in Sign-in logs. However, reauthentication still pops up. No other conditional access policy is applied. It's this specific policy that requires reauthentication. What's the reason why the exclusion does not work? Is there something else necessary to be taken into consideration so the exclusion works fine? Many thanks in advance!
Firewall/Proxy allow-list for onboarding devices and Microsoft Purview
We are enabling Microsoft Purview in our Microsoft 365 tenant and onboarding clients. We need to finalize our network firewall/proxy allow-list. Please hlep us confirm the required ports, IP ranges, service tags, and FQDNs for client(onboarding device)-to-Microsoft Purview Service communication?Glossary access issue in portal
I'm new to Purview and need some guidance on how to troubleshoot this. I have created a new glossary over the apis and can list the new glossary after its creation. I cannot however see the new glossary in the portal. I am the purview admin so have all the access rights including Data Curator. The api uses a registered app with client secret to gain access. The apis can confirm access and creation of the glossary, the portal just throws a 403 error message Muddying the waters a little I have a federated user on the tenant where purview is running. I really don't know where to start troubleshooting this, any help appreciatedDefault Label and Justification Suddenly Stopped Working
Hi, Sometime last week, default labels for documents suddenly stopped working, it still works for emails. Also, there is a configuration where users have to provide a justification to lower a sensitivity label, that stopped working as well. This has all been in place since May and have always worked but just suddenly stopped working last week. I created a new label with the exact configuration to test, but that works perfectly. I have tried recreating the labels that do not work anymore, but nothing changed. Has anyone experienced this and how did you go about it. Thanks, AishatManaging Multi-Tenant Azure/365: Workarounds for Cross-Tenant Limitations in Purview and Fabric
I am working in a Microsoft Azure/365 multi-tenant setting due to some constraints. I am using Purview (Tenant1) and Fabric (Tenant2), M365 in (Tenant 2). I'm facing issues with various solutions due to cross tenant limitation for eg: Data Quality Connection, Metadata ingestion, lineage, etc. To overcome this I am exploring various workarounds. Key Question: 1. Are there proven workarounds or solutions to manage data estate in this scenario? (Can't merge /migrate tenants)
Events
We begin our webinar series with a review of the latest IDC whitepaper on secure access strategies for the AI era. The document examines how organizations are focusing on integrating identity and net...
Online
The second webinar bridges theory to practice. Now that you know why unification matters, it’s time to learn how to get started. In this foundations panel session hosted by Identity Expert, Merill Fe...
Online