Microsoft Purview topics

Managed VNET Integration Runtime failing with 502 error.

DevonBritton — Thu, 18 Jun 2026 14:12:58 GMT

Good afternoon everyone.

I'm a DevOps Engineer who is new to Purview.

I used Terraform to deploy a Purview account for a POC for a client, however, I'm having a real issue creating a Managed VNET IR. The private endpoints are all visible and approved and if I check in the shell I can see the IR and the Managed VNET both exist (names sanitized).

{ "name": "SAMPLENAME", "properties": { "managedVirtualNetwork": { "referenceName": "ManagedVnet-name" }, "typeProperties": { "computeProperties": { "location": "WestEurope" } } } }

But in the Purview portal the status shows as failed and if I try update it, I get a popup notification stating that the process timed out due to a 502 error. The URL in the error is "

https://api.purview-service.microsoft.com/scan/integrationRuntimes/{NAME}?api-version=2022-02-01-preview"

I thought this might be an issue with permissions or that I'm not in the admin role group in my client environment so I did the same process in my local purview account (where I'm global admin and in the Purview Administrators role group) and I'm having exactly the same problem. The managed vnet and IR exist when queried in the cloud shell but the state in the portal shows as failed.

I am a "Data source Admin" in both purview accounts but I'm wondering if there's some other role assignment or role group assignment that I'm missing?

Thanks in advance.

Devon Britton.

Terribly lost - what are the basic controlls here?

underQualifried — Wed, 17 Jun 2026 13:12:07 GMT

Hello all. I'm an MSP, looking at methods of securing data in the wake of AI adoption. Obviously, I'm getting pointed to Purview for this. And I've managed to make sense of SOME of it - sensitivity labels, labeling policies, and sensitive info types.

The problem I have is that these 'solutions' are spread out amongst 3-4 different 'solutions' - Information Protection, DLP, DSPM (DSPM,, DSPM classic, DSPM for AI 'classic') and it's genuinely just really badly designed. It's done the classic Microsoft move of having the Marketing team build the interface, and caring more about market capture/buzzwords than usability. As is the norm, the documentation quality varies a ton. And between Intune, SharePoint, Entra, Defender, Azure, certifications - I don't actually have time to learn another market-capture tool, which I will use 2% of.

We don't license Purview. And I'm not going to license Purview until some effort is put into usability, and the interface is redesigned by native, technical english speakers (no hate, but I've seen first-hand how MBAEnglish-as-a-second-language translates into this sort of opacity). But obviously, we HAVE to use it because a bunch of stuff was pushed into it.

Without adding another set of half-automated Microsoft recommendations to my list, and avoiding premium 'solutions' - what are the basic 'solutions' that are required for Data controls, in the face of AI? What exactly was merged into Purview, that existed elsewhere previously? Here is what I've gotten familiar with so far:

1. DLP policies. These are pretty opaque to me, and seem to heavily rely on OTHER 365 products, like Defender for Endpoint, Edge for Business. So again, designed by the marketing team.
2. Sensitivity labels, labeling publishing policies, auto-labeling policies.

What am I missing?

Best approach for contractor block policy

Rk10 — Wed, 17 Jun 2026 04:44:21 GMT

Hello there I need some assistance with your best approach for vendor block policy. I am thinking to create one policy with three rules

Block all vendors with the block AD group
Vendors to allow emails to approved domains only
vendors to send email to external to organisation with ability to send to approve domains

Do you think this is a good approach by breaking down into three different rules ? Also I am bit confused with the conditions on the rule 2 and rule 3.

what would you your approach with complete breakdown ?

Anthropic Claude Purview Data Connector showing all users as Guests..

Jroth — Thu, 11 Jun 2026 17:34:07 GMT

It appears this connector is not mapping fields properly causing internal users to be mapped as "guests", and since prompts/data isn't maintained for guest users the connector is effectively not gathering anything but noise. Unlike the other data connectors, one cannot create field mappings. Also the app being named using the guid of Microsoft's own "dataassessments" service principal I don't think is intended either. Has anybody else experienced this? See below for an example.

Lakebase connector

joaosilveira07 — Tue, 02 Jun 2026 11:38:59 GMT

I'm requesting a native Purview connector for Databricks Lakebase. Although Lakebase reached general availability in January, no dedicated connector currently exists. As a workaround, we're scanning Lakebase Postgres tables as generic PostgreSQL sources, but this approach only supports username/password authentication and prevents us from using service principals—a requirement for our security posture.

I believe that Lakebase volume will grow and it would be a great add on.

Performance in scanning

sagedogusa — Thu, 28 May 2026 14:41:22 GMT

We are trying to search for CUI data on internal file stores. Last week, I decided to run another discovery scan, this time using ALL instead of Policy Only. It took much longer and left the scanner server in an almost unusable state and didn’t give really any more information than the first one did.

Based on my research, we need to define and set the policy before we run scans. This is the information tip from the Purview scanner settings:

Scan started at: 2026-05-20 22:54:06Z

Scan ended at: 2026-05-24 16:16:51Z

Scan duration: 3 days, 17 hours, 22 minutes, 45 seconds

Scan id: 93acb922-e2ac-4fb7-b259-d6184e7aa434

Repository: \\cab-filesrv-01.fg.com\Departments. Enforce mode is Off

Scanned files:3509640

Actions:

Classified:3369456

Classified as Public:14

Classified as Fg Private:3369442

Labeled:0

Remove label:0

Protected:0

Remove protection:0

Files with matched information types:572895

Skipped due to - No match:0

Skipped due to - Not supported:0

Skipped due to - Already labeled:0

Skipped due to - Already scanned:0

Skipped due to - Require justification:0

Skipped due to - Unknown reason:0

Skipped due to - Excluded:98833

Skipped due to - Attribute:0

Failed:41318

Data System Wide Lineage via API Request

southpawmurph — Fri, 15 May 2026 13:52:54 GMT

I'm struggling with finding a solution. My goal is to identify all existing lineage relationships for any data objects within a specific data system they belong to. I've been using the Purview REST API (Datamap Dataplane) but I haven't found an endpoint returning data system side lineage/relationships.

For my scenario I have a Databricks metastore and need to know the existing lineage relationships of those data objects within Purview so I can purge them out when we are doing our scheduled lineage refresh.

Separating IRM Full Control from Excel Worksheet Protection

jmartos — Tue, 12 May 2026 17:14:37 GMT

We've developed several excel workbooks that leverage VBA macros with workbook structure and worksheet password protections to maintain standards. The VBA macros unlock workbook/sheet protections to perform tasks and relock on completion. Our executive management has tasked us to protect the workbooks to prevent unauthorized access so we have applied a sensitivity label to restrict access to an AD group (Project Managers). However, short of granting Full Control, the IRM prevents the macros from removing sheet/book protections. We have tried to allow permissions for OBJMODEL and DOCEDIT already at Copilot's recommendation but this was unsuccessful. We don't want to grant full control because users are then able to remove the document label.

Any suggestions for how to grant workbook/sheet protection permission without allowing users to remove labels? At this time the best we've come up with is to grant the full access but require an explanation for a label downgrade with an alert to the admin/document owner.

Endpoint DLP Device Onboarding - WorkspaceOne

Sabita1 — Wed, 06 May 2026 07:16:52 GMT

Hi everyone,

We have a customer who is using WorkspaceOne for managing the Endpoints. It is an Hybrid environment. We need some guidance and documentation(if any), to help onboard devices for Purview eDLP. The ruled-out option is Group Policy as some employees are working from home and some working from office. There are around 25k+ devices in the tenant that needs to be onboarded. The customer is not using Intune or SCCM.

We are looking for best method/approach to onboard devices where the org is using WorkspaceOne.

Purview not getting enough attention from Microsoft - Will be Decom

riverazure — Tue, 05 May 2026 18:35:57 GMT

At this stage is clear for everybody that Microsoft is not putting the same effort in Purview as they are putting in other products like Fabric, D365 , etc..

Seems to me that in one or two years purview will probably be decommisioned

Rational :

- The support is very week (teams taking care of the support tickets are very week from a knowhow perspective and take ages to resolve something )

- Functionalities take a lot of time to be released

- Its not properly integrated with Fabric, for example there is almost no lineage and the classification is not set via data map

- DLP for Fabric only works with some SITs, does not work for example with Trainable Classifiers, etc..

- The Roadmap takes care of something, but minimal

- The Way to Log Error records for data quality rules is very week and not user friendly

I wonder what is the idea of Microsoft for the next 3 or 4 years when it comes to Purview

Will it continue to have Governance ? will it only be taking care of security or compliance?

Get-AdaptiveScopeMembers doesn't show the SiteURL for OneDrive

Raechel Moermond — Tue, 05 May 2026 14:08:26 GMT

I am working through reporting for Adaptive Scopes and Adaptive Retention policies. I'm so close. But I discovered a problem with my script in that when people return to the company after their account has been deleted, they get a new OneDrive URL. This is expected. While they can have the same email address as an inactive mailbox, they cannot have the same OneDrive URL as an inactive URL. Since we keep all data for a minimum of 7 years, it is possible for a UPN to be the "owner" of 2 or more OneDrive URLs (one active and the others are from previous accounts). I have no easy way of seeing which OneDrive URL is active short of looking for digits at the end of the URL and taking the highest digit. But, what I want to know, is why isn't it here?

Why doesn't "Get-AdaptiveScopeMember" return the SiteURL for the user? I thought maybe it was because my test user didn't have a OneDrive site when the account was added to the scope, so I added my actual user account to the scope and it shows the same thing. Is SiteURL only for SharePoint sites and not OneDrive sites? This makes no sense. Does it just take more time to show up? what's the time frame on that?

Microsoft Purview to detect passwords

miro2022 — Thu, 30 Apr 2026 22:26:52 GMT

Hi All

What would you recommend for scanning and setting up scheduled scans in Microsoft Purview to detect passwords or sensitive credentials stored in SharePoint sites and OneDrive?

We would like to discover whether anyone has shared or stored passwords in SharePoint or OneDrive, as we have already had an incident because of this.

Are there any recommended Purview solutions, policies, or detection rules we should use for this? Ideally, we would like to schedule regular scans and receive alerts or reports when potential passwords, credentials, or secrets are detected.

Any advice or recommended approach would be appreciated. thanks

thanks

Miro

Activity explorer scoping to AU

AlaaAy — Wed, 29 Apr 2026 15:39:32 GMT

I remember that Activity Explorer can be fully scoped to Admin Units, and that the Restricted admin can see activity explorer and DLP matching events for the scoped AU only, is that correct?
Cause I was checking and I found the Restricted admin can see the activities also for the users out of the scoped AU. Does that make sense?

eDiscovery search: Sites not available when adding a Group data source

danielschmidt — Mon, 27 Apr 2026 15:30:12 GMT

Hi,

I am attempting to use Purview eDiscovery to search a SharePoint site associated with a Group.

When adding the Data Source, I search for the URL of the SharePoint site, and the Group is returned.

However, after selecting the group and clicking Manage, it indicates Sites are "Not Available".

What causes this, and how do fix it?

My user is a member of the "eDiscovery Manager" role group as an "eDiscovery Administrator", and licensed with "Microsoft 365 E3" and "Microsoft Purview Suite". It is also an Owner of the target Group / SP Site.

Label usage rights not working correctly in office web-view

mdohm1355 — Mon, 27 Apr 2026 07:58:30 GMT

Hello everyone,

I’ve created three simple Purview sensitivity labels (PUBLIC, RESTRICTED, CONFIDENTIAL). RESTRICTED and CONFIDENTIAL use usage-rights, so every internal employee and group is the owner of the document. External users are not permitted to open the document.

Unfortunately, I can’t export or print my labeled documents in the Office Web View. In Office Desktop, however, the labels work correctly.
This issue occurs for various internal users. Tested with Word, Excel, and PowerPoint.

Co-authoring is enabled. User access never expires. Offline access is permitted.

Do you have any ideas?

Label usage rights

Web-view

Office Desktop

Auto Labeling Policy Delay for Old Files (Exsisting Files)

BanuMurali — Sun, 26 Apr 2026 14:44:29 GMT

Hi Everyone,

We are observing a difference in auto labelling policy behaviour in Purview for Sharepoint.

An auto labelling policy has been enabled and scoped to sharepoint with metadata based rule(document creation date or document modification date). The scoped sharepoint only contain 7 unlabeled files that were uploaded before the policy turned on. The policy is working because if i placed any new file after enabling the policy got labelled within about 5 minutes, but the exsisting files are not labeled and remains unlabelled. It seems the new files are evalauated via the near time while exsisting file rely on asychronous mode. Can anyone help explain why exsisting files take longer to be proceesed even when there there are only a few files or share if you faced similar behaviour. This is the test scenario, as we plan to enable the same policy across more than 50 plus sites containing millions of unlabeled files and we want to understand and predict that even though its takes time all exsisting unlabeled files will eventually will be labelled. This is very crucial, so please helo us understand this behaviour.

Regards,

BanuMurali

ErrorBoundary@wicd-mail/main

CCraft301 — Fri, 24 Apr 2026 12:16:04 GMT

I'm trying to investigate a possible phishing email and when I click on View Message List, I get that error. It does show removed after delivery, but I want to block either the sender or the domain.

Unified Catalog Self-serve analytics integration

JBNFM — Tue, 21 Apr 2026 18:52:14 GMT

I'm hoping someone has gone through the process of setting up the Self-serve analytics in the Unified Catalog settings to push the Unified Catalog information down to a Fabric Lakehouse.

I created a Workspace, and then created a lakehouse in this workspace, and created a folder under the files section in the lakehouse. I used the MSI that is shown in Purview when you configure the storage for the connection and granted it contriubutor access to the Workspace.

I then went into Purview, settings for Unified Catalog, and in the solution integrations, set up Fabric storage and provided the URL to the File folder I set up on the lakehouse.

I tested the connection and it tested successfully.

When I set up the scheduler to run, I received the following:

The blacked out is the Workspace ID.

I'm trying to understand what I'm missing, I'm assuming write permissions are missing somewhere, but I'm not sure. Any assistance is appreciated.

Shared capabilities

RalfBauer1 — Mon, 20 Apr 2026 08:53:04 GMT

I am writing my thesis about Microsoft Purview. And something is not very clear to me about the shared capabilities. So I know Microsoft has the platform and the product shared capabilities. The platform shared capabilities are the foundation for Purview. Like audit logs and retention labels etc. The product shared capabilities are products as Adaptive Protection and OCR. There is a lot information about the product shared capabilities on learn.microsoft.com. But is there anything I can find about the platform shared capabilities like a blogpost or a webinar?

How to identify users handling SITs before purchasing Microsoft Purview licenses?

elangamban — Mon, 20 Apr 2026 06:59:38 GMT

Posting this on behalf of a customer we are currently advising as a Microsoft Partner.

The customer is in the evaluation stage of Microsoft Purview and has raised a licensing concern that we would like the community's guidance on.

CUSTOMER'S CONCERN

Purview licenses are user-based, meaning every user who directly or indirectly benefits from the service needs to be licensed. However, to determine which users actually handle sensitive data (and therefore require a license), tools like Content Explorer and Activity Explorer are needed — both of which require an E5 or equivalent license to access in the first place.

This creates a chicken-and-egg problem for the customer:

They need Purview to identify who handles sensitive data, but they need to know who handles sensitive data to decide how many Purview licenses to buy.

QUESTIONS ON BEHALF OF THE CUSTOMER

1. Is there an official Microsoft-supported mechanism or tool that allows customers to assess their SIT exposure and identify affected users before committing to a full Purview license purchase?

2. Is it viable for the customer to purchase a single license (1 qty) assigned to an admin account to perform a tenant-wide scoping and discovery exercise — and would that single license provide sufficient access to identify all users handling SITs across the tenant?

3. If the 90-day Purview E5 trial is the recommended path, does Content Explorer automatically scan and surface SIT matches across all users in the tenant without requiring any pre-configured DLP policies or sensitivity labels to be set up first?

As a partner, we want to ensure we are guiding our customer toward the correct pre-purchase assessment approach before recommending a licensing SKU and quantity.

Any guidance from the community or Microsoft would be greatly appreciated.