Microsoft Purview topics

Microsoft Purview to detect passwords

miro2022 — Thu, 30 Apr 2026 22:26:52 GMT

Hi All

What would you recommend for scanning and setting up scheduled scans in Microsoft Purview to detect passwords or sensitive credentials stored in SharePoint sites and OneDrive?

We would like to discover whether anyone has shared or stored passwords in SharePoint or OneDrive, as we have already had an incident because of this.

Are there any recommended Purview solutions, policies, or detection rules we should use for this? Ideally, we would like to schedule regular scans and receive alerts or reports when potential passwords, credentials, or secrets are detected.

Any advice or recommended approach would be appreciated. thanks

thanks

Miro

Activity explorer scoping to AU

AlaaAy — Wed, 29 Apr 2026 15:39:32 GMT

I remember that Activity Explorer can be fully scoped to Admin Units, and that the Restricted admin can see activity explorer and DLP matching events for the scoped AU only, is that correct?
Cause I was checking and I found the Restricted admin can see the activities also for the users out of the scoped AU. Does that make sense?

eDiscovery search: Sites not available when adding a Group data source

danielschmidt — Mon, 27 Apr 2026 15:30:12 GMT

Hi,

I am attempting to use Purview eDiscovery to search a SharePoint site associated with a Group.

When adding the Data Source, I search for the URL of the SharePoint site, and the Group is returned.

However, after selecting the group and clicking Manage, it indicates Sites are "Not Available".

What causes this, and how do fix it?

My user is a member of the "eDiscovery Manager" role group as an "eDiscovery Administrator", and licensed with "Microsoft 365 E3" and "Microsoft Purview Suite". It is also an Owner of the target Group / SP Site.

Label usage rights not working correctly in office web-view

mdohm1355 — Mon, 27 Apr 2026 07:58:30 GMT

Hello everyone,

I’ve created three simple Purview sensitivity labels (PUBLIC, RESTRICTED, CONFIDENTIAL). RESTRICTED and CONFIDENTIAL use usage-rights, so every internal employee and group is the owner of the document. External users are not permitted to open the document.

Unfortunately, I can’t export or print my labeled documents in the Office Web View. In Office Desktop, however, the labels work correctly.
This issue occurs for various internal users. Tested with Word, Excel, and PowerPoint.

Co-authoring is enabled. User access never expires. Offline access is permitted.

Do you have any ideas?

Label usage rights

Web-view

Office Desktop

Auto Labeling Policy Delay for Old Files (Exsisting Files)

BanuMurali — Sun, 26 Apr 2026 14:44:29 GMT

Hi Everyone,

We are observing a difference in auto labelling policy behaviour in Purview for Sharepoint.

An auto labelling policy has been enabled and scoped to sharepoint with metadata based rule(document creation date or document modification date). The scoped sharepoint only contain 7 unlabeled files that were uploaded before the policy turned on. The policy is working because if i placed any new file after enabling the policy got labelled within about 5 minutes, but the exsisting files are not labeled and remains unlabelled. It seems the new files are evalauated via the near time while exsisting file rely on asychronous mode. Can anyone help explain why exsisting files take longer to be proceesed even when there there are only a few files or share if you faced similar behaviour. This is the test scenario, as we plan to enable the same policy across more than 50 plus sites containing millions of unlabeled files and we want to understand and predict that even though its takes time all exsisting unlabeled files will eventually will be labelled. This is very crucial, so please helo us understand this behaviour.

Regards,

BanuMurali

ErrorBoundary@wicd-mail/main

CCraft301 — Fri, 24 Apr 2026 12:16:04 GMT

I'm trying to investigate a possible phishing email and when I click on View Message List, I get that error. It does show removed after delivery, but I want to block either the sender or the domain.

Unified Catalog Self-serve analytics integration

JBNFM — Tue, 21 Apr 2026 18:52:14 GMT

I'm hoping someone has gone through the process of setting up the Self-serve analytics in the Unified Catalog settings to push the Unified Catalog information down to a Fabric Lakehouse.

I created a Workspace, and then created a lakehouse in this workspace, and created a folder under the files section in the lakehouse. I used the MSI that is shown in Purview when you configure the storage for the connection and granted it contriubutor access to the Workspace.

I then went into Purview, settings for Unified Catalog, and in the solution integrations, set up Fabric storage and provided the URL to the File folder I set up on the lakehouse.

I tested the connection and it tested successfully.

When I set up the scheduler to run, I received the following:

The blacked out is the Workspace ID.

I'm trying to understand what I'm missing, I'm assuming write permissions are missing somewhere, but I'm not sure. Any assistance is appreciated.

Shared capabilities

RalfBauer1 — Mon, 20 Apr 2026 08:53:04 GMT

I am writing my thesis about Microsoft Purview. And something is not very clear to me about the shared capabilities. So I know Microsoft has the platform and the product shared capabilities. The platform shared capabilities are the foundation for Purview. Like audit logs and retention labels etc. The product shared capabilities are products as Adaptive Protection and OCR. There is a lot information about the product shared capabilities on learn.microsoft.com. But is there anything I can find about the platform shared capabilities like a blogpost or a webinar?

How to identify users handling SITs before purchasing Microsoft Purview licenses?

elangamban — Mon, 20 Apr 2026 06:59:38 GMT

Posting this on behalf of a customer we are currently advising as a Microsoft Partner.

The customer is in the evaluation stage of Microsoft Purview and has raised a licensing concern that we would like the community's guidance on.

CUSTOMER'S CONCERN

Purview licenses are user-based, meaning every user who directly or indirectly benefits from the service needs to be licensed. However, to determine which users actually handle sensitive data (and therefore require a license), tools like Content Explorer and Activity Explorer are needed — both of which require an E5 or equivalent license to access in the first place.

This creates a chicken-and-egg problem for the customer:

They need Purview to identify who handles sensitive data, but they need to know who handles sensitive data to decide how many Purview licenses to buy.

QUESTIONS ON BEHALF OF THE CUSTOMER

1. Is there an official Microsoft-supported mechanism or tool that allows customers to assess their SIT exposure and identify affected users before committing to a full Purview license purchase?

2. Is it viable for the customer to purchase a single license (1 qty) assigned to an admin account to perform a tenant-wide scoping and discovery exercise — and would that single license provide sufficient access to identify all users handling SITs across the tenant?

3. If the 90-day Purview E5 trial is the recommended path, does Content Explorer automatically scan and surface SIT matches across all users in the tenant without requiring any pre-configured DLP policies or sensitivity labels to be set up first?

As a partner, we want to ensure we are guiding our customer toward the correct pre-purchase assessment approach before recommending a licensing SKU and quantity.

Any guidance from the community or Microsoft would be greatly appreciated.

Microsoft Purview PowerShell: Interactive Sign-In Basics + Fixing Common Connect-IPPSSession Errors

Prathista Ilango — Sat, 18 Apr 2026 17:17:03 GMT

If you’re new to Microsoft Purview PowerShell and your interactive sign-in fails when you run Connect-IPPSSession, you’re not alone.

In this post, I’ll walk through the quick setup (module install + connection) and then cover practical fixes for a common authentication failure: “A window handle must be configured” (WAM / MSAL window handle error).

Once connected, you can run Purview-related cmdlets for tasks like working with sensitivity labels, DLP policies, eDiscovery, and other compliance operations (depending on your permissions).

Step 1: Install the Exchange Online PowerShell module

Install-Module ExchangeOnlineManagement Import-Module ExchangeOnlineManagement

Step 2: Connect to Microsoft Purview (Security & Compliance) PowerShell

For interactive sign-in, you can start with the standard connection pattern below (replace the placeholder with your User Principal Name)

Common issue: Interactive sign-in fails with a WAM “window handle” error

The ExchangeOnlineManagement module uses modern authentication. In some hosts/environments, the sign-in UI can’t attach to a parent window, so token acquisition fails and you may see the error below. This is commonly associated with WAM (Web Account Manager) / MSAL interactive sign-in.

Error Acquiring Token:

A window handle must be configured. See https://aka.ms/msal-net-wam#parent-window-handles

A window handle must be configured. See https://aka.ms/msal-net-wam#parent-window-handles

At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.9.2\netFramework\ExchangeOnlineManagement.psm1:591 char:21

+                     throw $_.Exception.InnerException;

+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : OperationStopped: (:) [], MsalClientException

    + FullyQualifiedErrorId : A window handle must be configured. See https://aka.ms/msal-net-wam#parent-window-handles

You’ll often hit this on secured devices, PowerShell ISE, or hardened corporate images. Below are two solutions to bypass this error. Start with the recommended option first.

1. Recommended workaround: Use Get-Credential without disabling WAM

This approach avoids the WAM-based interactive prompt. You’ll be asked for credentials via a standard PowerShell credential dialog, and the module will complete modern authentication.

$cred = Get-Credential Connect-IPPSSession -Credential $cred

A credential prompt appears: Enter your username and password.

After authentication, you should be connected to the Security & Compliance (Microsoft Purview) PowerShell session.
As a quick validation, try a lightweight cmdlet such as Get-Label or Get-DlpCompliancePolicy (availability depends on permissions).

If this works in your environment, it’s a simple way to proceed without changing system-wide WAM behavior.

2. Alternative workaround: Disable WAM for the session (use with caution)

If the interactive UI is failing, you can try disabling WAM. Newer versions of the ExchangeOnlineManagement module support a -DisableWAM switch on the connection cmdlets, which bypasses the WAM broker and can avoid the “window handle” failure.

Connect-IPPSSession -UserPrincipalName <yourUPN> -DisableWAM

If you can’t use -DisableWAM or if it is not working as expected (or you’re troubleshooting a specific host issue), some admins set an environment variable to disable WAM for MSAL using the commands below. Treat this as a temporary troubleshooting step and follow your organization’s security guidance.

$env:MSAL_DISABLE_WAM = "1" setx MSAL_DISABLE_WAM 1

Important warning!

Changing authentication/broker behavior can have security and supportability implications.
Use this only for troubleshooting and revert when you’re done using the following commands.

$env:MSAL_DISABLE_WAM = "0" setx MSAL_DISABLE_WAM 0

Quick summary

If you’re scripting for Microsoft Purview and interactive sign-in fails due to the WAM “window handle” error, try the sequence below.

Install-Module ExchangeOnlineManagement Import-Module ExchangeOnlineManagement $cred = Get-Credential Connect-IPPSSession -Credential $cred

Hope this helps!

If you’ve hit this in a specific host (PowerShell ISE vs Windows PowerShell vs PowerShell 7, RDP/jump box, etc.), share what worked for you in the comments.

Thanks for reading. Happy Scripting!

Reference: Connect to Security & Compliance PowerShell | Microsoft Learn

Purview Integration during Merger and Acquisitions

arunsekaran — Thu, 16 Apr 2026 17:33:54 GMT

a { text-decoration: none; color: #464feb; } tr th, tr td { border: 1px solid #e6e6e6; } tr th { background-color: #f5f5f5; }

Hello,

We are currently in the process of merging with two other organizations and are looking to integrate our Microsoft Purview environments.

All three organizations have different sensitivity labeling schemes, and we would like guidance on the best approach to achieve a unified labeling strategy across the merged organization.

Specifically, should we create a new, common set of sensitivity labels for the combined organization and plan a phased transition for users? One of the organizations already has the majority of its documents labeled, so maintaining those existing labels during the merger is a key concern.

We are also looking for best practices to ensure that existing labels are preserved when the two additional organizations are onboarded into Purview, while still moving toward a consistent, unified labeling framework.

Any suggestions or if any one had already been a part of such a merger, please share your experience

Purview DLP Behaviours in SharePoint and OneDrive

manojviduranga — Wed, 15 Apr 2026 14:53:11 GMT

We are currently testing Microsoft Purview DLP policies for user awareness across SharePoint Online, and OneDrive. The policy is configured such that sensitive information (based on a sensitivity label-OFFICIAL Sensitive) shared externally triggers a policy tip, with override allowed (justification options enabled) and no blocking action configured.

In SharePoint Online and OneDrive, users are not experiencing any DLP-related behaviour. When attempting to share labelled content externally:

No policy tips are displayed
No override prompts are presented
No indication of DLP enforcement is shown

Users are able to share content externally without any awareness prompt or restriction.

Sharing in OneDrive/SharePoint

Expected behaviour:

Users should receive a policy tip during the sharing process
Users should be prompted for justification when overriding, aligned with the DLP configuration

Has anyone observed similar behaviour with DLP in SharePoint Online and OneDrive, particularly in scenarios where no blocking action is configured? Keen to understand if this is expected behaviour, a known limitation, or if there are any configuration considerations or workarounds to achieve a consistent user experience across workloads.

Purview DLP Behaviours in Outlook Desktop

manojviduranga — Wed, 15 Apr 2026 14:45:51 GMT

We are currently testing Microsoft Purview DLP policies for user awareness, where sensitive information shared externally triggers a policy tip, with override allowed (justification options enabled) and no blocking action configured.

We are observing the following behaviours in Outlook Desktop:

Inconsistent policy tip display (across Outlook Desktop Windows clients) – For some users, the policy tip renders correctly, while for others it appears with duplicated/stacked lines of text. This is occurring across users with similar configurations.
Override without justification – Users are able to click “Send Anyway/Confirm and send” without selecting any justification option (e.g. business justification, manager approval, etc.), which bypasses the intended control.

New Outlook:

Classic Outlook:

This has been observed on Outlook Desktop (Microsoft 365 Apps), including:

Version 2602 (Build 19725.20170 Click-to-Run)

Version 2602 (Build 16.0.19725.20126 MSO)

Has anyone experienced similar behaviour with DLP policy tips or override enforcement in Outlook Desktop? Keen to understand if this is a known issue or if there are any recommended fixes or workarounds.

DLP Policy - DSPM Block sensitive info from AI sites

Bosanac89 — Tue, 14 Apr 2026 13:02:05 GMT

Having issues with this DLP policy not being triggered to block specific SITs from being pasted into ChatGPT, Google Gemine, etc.

Spent several hours troubleshooting this issue on Windows 11 VM running in Parallels Desktop. Testing was done in Edge.

Troubleshooting\testing done:

Built Endpoint DLP policy scoped to Devices and confirmed device is onboarded/visible in Activity Explorer.
Created/edited DLP rule to remove sensitivity label dependency and use SIT-based conditions (Credit Card, ABA, SSN, etc.).
Set Paste to supported browsers = Block and Upload to restricted cloud service domains = Block in the same rule.
Configured Sensitive service domain restrictions and tested priority/order (moved policy/rule to top).
Created Sensitive service domain group for AI sites; corrected entries to hostname + prefix wildcard a format (e.g., chatgpt.com + *.chatgpt.com) after wildcard/URL-format constraints were discovered.
Validated Target domain = chatgpt.com in Activity Explorer for paste events.
Tested multiple SIT payloads (credit card numbers with/without context) and confirmed detection occurs.
Confirmed paste events consistently show: Policy = Default Policy, Rule = JIT Fallback Allow Rule, Other matches = 0, Enforcement = Allow (meaning configured rules are not matching the PastedToBrowser activity).
Verified Upload enforcement works: “DLP rule matched” events show Block for file upload to ChatGPT/LLM site group—proves domain scoping and endpoint enforcement works for upload.
Disabled JIT and retested; paste events still fall back to JIT Fallback Allow Rule with JIT triggered = false.
Verified Defender platform prerequisites: AMServiceVersion (Antimalware Client) = 4.18.26020.6 (meets/exceeds requirements).

Purview Graph API

southpawmurph — Wed, 08 Apr 2026 18:20:11 GMT

Hello. I'm trying to find information on the Purview Graph API and it's endpoints. It looks like the endpoints aren't posted publicly and are listed within an admin console. Can someone help me with how to view the endpoints?

Also, are the graph API endpoints capable of reading and creating assets into Purview?

Leveraging Microsoft Graph to Automate Compliance Workflows MS Purview

milgo — Wed, 08 Apr 2026 12:32:38 GMT

Background

Microsoft Purview provides organizations with capabilities to discover, classify, protect, and govern sensitive information across Microsoft 365 workloads. As organizations increasingly rely on Purview for compliance operations such as auditing, investigations, and regulatory response, there is a growing need to automate these processes beyond the Microsoft Purview portal.

Microsoft exposes key compliance capabilities through Microsoft Graph APIs, enabling organizations to integrate Purview operations directly into automation workflows. The Microsoft Purview APIs in Microsoft Graph allow applications to align with data governance, security, and compliance policies defined within the Purview portal, helping ensure that applications handling sensitive information respect organizational controls.

Automating eDiscovery Operations with Microsoft Graph

The Microsoft Purview eDiscovery APIs available through Microsoft Graph enable organizations to automate repetitive compliance tasks and integrate with existing investigation or legal workflows. These APIs are intended to support litigation, investigation, and regulatory scenarios by allowing administrators to programmatically manage key eDiscovery components such as cases, custodians, searches, review sets, and exports.

This capability allows organizations to move from manual portal‑based workflows toward repeatable, policy‑aligned processes integrated into automation platforms or downstream compliance tooling.

Programmatic Access to Audit Logs

Microsoft Purview Audit captures thousands of operations across Microsoft 365 services and retains them in the unified audit log for security investigations and compliance obligations. Through Microsoft Graph, administrators can now programmatically search and retrieve audit logs using the Purview Audit Search API.

This API enables administrators and applications to query and retrieve relevant audit activity logs across workloads such as Exchange, Entra ID, OneDrive, SharePoint, and Intune, providing visibility into user activity and administrative operations performed across the organization.

This provides a programmatic alternative to legacy PowerShell‑based audit search methods, improving reliability and enabling automation of compliance monitoring workflows.

Supporting Policy‑Aware Applications

Applications that integrate with Microsoft Purview APIs through Microsoft Graph can interpret and enforce compliance policies such as sensitivity labels or data loss prevention (DLP) rules. Microsoft documents that apps built using these APIs can prevent data misuse by aligning with compliance and security requirements defined within the organization’s governance framework.

This integration also allows enterprise applications to respect sensitivity labels and policy‑driven controls, ensuring that interactions with organizational data remain compliant with regulatory requirements and internal governance policies.

Conclusion

Microsoft Purview governs organizational data through classification, retention, auditing, and investigation capabilities. Microsoft Graph provides the automation layer that allows these governance controls to be accessed programmatically. By integrating Microsoft Graph with Microsoft Purview APIs, organizations can automate eDiscovery workflows, retrieve audit logs programmatically, and ensure that applications interacting with sensitive data respect compliance policies defined within their Microsoft 365 environment.

Learning Resources

Unable to use MS Graph DLP Api's to use with my Entra Registered App

prasath5s — Tue, 07 Apr 2026 11:33:58 GMT

In purview, I have set of policies in DLP, where I have registered to block the US SSN in the text contents and I have created different policies in all of them

I have selected the available locations:

Exchange email - All accounts
SharePoint sites
OneDrive accounts - All accounts
Teams chat and channel messages - All accounts
Devices - All accounts
Microsoft Defender for Cloud Apps
On-premises repositories

And selected action as block all, in all of them for the rule and enabled the rule (not in simulation mode)

Now, I have the app registered in Entra and I try to use the following API's

https://learn.microsoft.com/en-us/graph/api/userprotectionscopecontainer-compute?view=graph-rest-1.0

https://learn.microsoft.com/en-us/graph/api/userdatasecurityandgovernance-processcontent?view=graph-rest-1.0&tabs=http

But whenever I use the compute api I can see i'm only getting

curl -X POST https://graph.microsoft.com/v1.0/users/5fd51e08-c5f1-4298-b79b-a357eaa414ff/dataSecurityAndGovernance/protectionScopes/compute\ -H 'Authorization: Bearer <ACCESS_TOKEN>'\ -H 'Content-Type: application/json' -d '{ "activities": "uploadText,downloadText" }'

{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.policyUserScope)", "value": [ { "activities": "uploadText,downloadText", "executionMode": "evaluateOffline", "locations": [ { "@odata.type": "#microsoft.graph.policyLocationApplication", "value": "b48106d9-1cdb-4d90-9485-fe2b6ee78acf" } ], "policyActions": [] } ] }

My sample App's Id is showing up but always with `evaluateOffline`

I don't know why it always gives 'evaluteOffline' and policyActions is always empty array

Also, I can see my Entra registered app is showing up here in the value of the locations

And when I use the processContent api , I always get modified in the response and nothing else like below:

curl -XPOST https://graph.microsoft.com/v1.0/users/5fd51e08-c5f1-4298-b79b-a357eaa414ff/dataSecurityAndGovernance/processContent \ -H 'Authorization: <ACCESS TOKEN>'\ -H 'Content-Type: application/json' -d '{ "contentToProcess": { "contentEntries": [ { "@odata.type": "microsoft.graph.processConversationMetadata", "identifier": "07785517-9081-4fe7-a9dc-85bcdf5e9075", "content": { "@odata.type": "microsoft.graph.textContent", "data": "Please process this application for John VSmith, his SSN is 121-98-1437 and credit card number is 4532667785213500" }, "name": "Postman message", "correlationId": "d63eafd2-e3a9-4c1a-b726-a2e9b9d9580d", "sequenceNumber": 0, "isTruncated": false, "createdDateTime": "2026-04-06T00:23:20", "modifiedDateTime": "2026-04-06T00:23:20" } ], "activityMetadata": { "activity": "uploadText" }, "deviceMetadata": { "operatingSystemSpecifications": { "operatingSystemPlatform": "Windows 11", "operatingSystemVersion": "10.0.26100.0" }, "ipAddress": "127.0.0.1" }, "protectedAppMetadata": { "name": "Postman", "version": "1.0", "applicationLocation": { "@odata.type": "microsoft.graph.policyLocationApplication", "value": "b48106d9-1cdb-4d90-9485-fe2b6ee78acf" } }, "integratedAppMetadata": { "name": "Postman", "version": "1.0" } } }'

In the above request I have mentioned some sample US Security SSN, but the response I get is

{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.processContentResponse", "protectionScopeState": "notModified", "policyActions": [], "processingErrors": [] }

But Ideally I want to see whether I can get the content is valid or not, for example in the above request, it has SSN, so ideally I should get restrictAction or something right?

Or is that evaluateInline is not available or something?

Note that I have purchased E5 and assigned to the user who is trying this

Also, whenever I choose to create a Policy in DLP , I got two options

And Lets say I choose "Enterprise applications & devices", what happens is in the Locations, I'm seeing only these as the options:

And If I choose the "Inline Traffic", i'm seeing only these options

In Unmanaged, I'm seeing the following

And in the Enforcement Options, I have the following :

And in the "Advanced DLP rules" I'm seeing only these

So, can you tell me the exact steps in the Purview suite, I couldn't where to mention the Entra registered App, I searched and I couldn't find one

But in the compute endpoint, https://learn.microsoft.com/en-us/graph/api/userprotectionscopecontainer-compute?view=graph-rest-1.0

I'm getting my app but only with "evaluateOffline" and with that ETag, If I use the processContent Api, its not giving anything except as I mentioned above in the post

Co Authoring with Sensitivity Labels

Tiffanyb — Fri, 03 Apr 2026 14:55:30 GMT

Hello,

I am working with sensitivity labels with my organization. We currently have Standard, Confidential, and Highly Confidential which all are encrypted. I have Co-Authoring turned on but I have some trouble with. We a lot of documents being collaborated on.

Standard: Co-Authoring functions normal and Auto-Save is toggled on.

Highly Confidential: Custom Permission in Sensitivity Label (View, Edit, Reply, Forward) I asked copilot and it stated even though my permissions are selected custom I have "Edit" on their for my internal users it is reading it as Co authoring; Co-Authoring is on and functioning but internal end users Auto-Save is toggled off and they are being asked to save a copy of the document or excel sheet then upload it again to SharePoint.

Why isn't "Auto-Save" toggled on for "Highly Confidential" label? Can it be adjusted so it can be on? Do I have to make adjustments to my permissions in the Sensitivity label?

Any help is appreciated.

Thank you!

Unified Catalog activity / usage reporting

Brian_Winterlich — Wed, 25 Mar 2026 14:02:52 GMT

Hi,

We are building out our data products and glossary terms in Purivews Data Governance Unified catalog. I’d like to get some metrics on data consumer activity/usage. Metrics like how many users running searches for terms or data products. How many people navigating into data assets to discover data, etc. I haven’t found any reports like this. Is there any audit logs specific to data governance I can query? I’m trying to gauge user adoption.

thanks

Mange all people

tgraham-legalops — Tue, 24 Mar 2026 16:26:13 GMT

If I click this button, will everyone get scabies?