Data Security topics

Welcome, Purview Lightning Talks audience!

RenWoods — Thu, 30 Apr 2026 12:41:14 GMT

Please log in and then post any of your Data Security (and AI) spillover Purview Lightning Talks questions in the thread below. You can tag them using these hyperlinked handles:

Session Title	Speaker	Tech Community Alias (tag)
The Purview Label Engine: Automated Classification, Translation, and Co-Documentation for Enterprise Tenants	Michael Kirst Neshva	MichaelKirst1970
Stop, Think, Protect: Data Security in Real Life with Purview	Oliver Sahlmann	Oliver Sahlmann
Using Purview to Prevent Oversharing with AI Services	Viktor Hedberg	headburgh
How I Helped My Customers Understand Their AI Usage (and Protect Their Sensitive Data)	Bram de Jager	Bram de Jager
Four Labels Max for Daily Use: Which Ones & Why?	Romain Dalle	RomainDalle_MVP_MCT
Data‑driven Endpoint DLP Solution with Advanced Hunting	Tatu Seppälä	tseppala
The Purview Hack No One Talks About: Container Sensitivity Labels That Fix Oversharing Fast	Nikki Chapple	nikkichapple
Why You Should Create Your Own Sensitive Information Types (SITs)	Niels Jakobsen	Niels_Jakobsen
From Zero to First Signal: Insider Risk Management Prerequisites That Actually Matter	Sathish Veerapandian	Sathish Veerapandian
Securing Data in the Age of AI	Júlio César Gonçalves Vasconcelos	jcvasconcelos
Beyond eDiscovery – Purview DSI for Security Investigation	Susantha Silva	susanthasilva
Elevating Purview DLP with a Real‑World Use Case	Victor Wingsing	vicwingsing

Purview Lightning Talks takes place April 30th at 8am pacific: Webinar Details

Full agenda here.

Also, you can come here at any time and click "Start a Discussion" to post a topic or question to your Purview Community!

Endpoint DLP Collection Evidence on Devices

Sergio_Londono — Mon, 13 Apr 2026 17:27:02 GMT

Hello team,

I am trying to setup the feature collect evidence when endpoint DLP match.

Official feature documentation:

https://learn.microsoft.com/en-us/purview/dlp-copy-matched-items-learn

https://learn.microsoft.com/en-us/purview/dlp-copy-matched-items-get-started

unfortunately, it is not working as described in the official documentation, I opened ticket with Microsoft support and MIcrosoft Service Hub, Unfortunatetly, they don't know how to setup it, or they are unable to solve the issue.

Support ticket:
TrackingID#26040XXXXXXX9201
Service Hub ticket:

https://support.serviceshub.microsoft.com/supportforbusiness/onboarding?origin=/supportforbusiness/create

TrackingID#26040XXXXXXXX924

I follow the steps to configure:

based on the Microsoft documentation, I should be able to see the evidence in Activity explorer or Purview DLP alert or Defender Alerts/Incidents.

PURVIEW - SCANNER ACCOUNT MISMATCH

zenodj — Wed, 01 Apr 2026 17:47:49 GMT

Hello

I have a strange issue on Scanner
Setup is fine also discover is fine, in activity explorer we see discovered file, issue was in USER column that reports not scanner dedicated user but purview admin user.

We also try open a case with MS but no one respond

Any suggestions?

Thanks

Zeno

AIP scanner not discovering sensitivity content

kirh — Fri, 27 Mar 2026 11:08:39 GMT

I am deploying the Purview Information Protection AIP scanner to scan an some of the on‑premises Windows file share and some network file shares that is in scope for compliance and data protection. However, the scanner is not discovering sensitive content within files stored on the share for a custom configured SIT.

The custom SIT is tested and it properly works, but the data are being reported as no matches / no sensitive content found to discover the files that may be applied with sensitivity label.

This issue is observed across one or more mapped repository paths and may be inconsistent by folder, file type or file size. I noticed the scanner appears “healthy” service is running, repository configured and schedules enabled.

Data Security at Ignite🔥

RenWoods — Mon, 17 Nov 2025 21:09:09 GMT

Have you made it to San Francisco? Make sure you attend these exciting Data Security sessions! Check out all things Microsoft Security at Ignite.

Label Inheritance in outlook.

Mansha — Sat, 15 Nov 2025 13:40:12 GMT

When an attachment with a higher-priority sensitivity label is added, the email initially inherits that label. However, after the attachment is removed, the email reverts to the default label, and if another attachment with a different (higher priority) label is subsequently added, the email does not automatically inherit the new label. Is this correct behavior and any MS doc related to this?

When the default sensitivity label is applied, an asterisk (*) appears next to the label.

Mansha — Sat, 15 Nov 2025 13:32:02 GMT

When I open a Word document and the default sensitivity label (e.g., INTERNAL) is applied, an asterisk appears next to the label along with a message indicating that the file hasn’t been saved yet. Is there any detail Microsoft documentation that explains this behavior? This only occur for default label if I try to remove default label (without saving word file) and apply any other label then * mark is not there.

Safeguard data on third-party collaboration platforms

SaqibSyed — Thu, 04 Sep 2025 09:38:19 GMT

I am exploring options to safeguard sensitive data in third-party collaboration platforms like GitHub and Confluence.

Does Microsoft Purview provide any native integration for these platforms?
Do I need to rely on third-party connectors/integrations to extend Purview’s capabilities into these environments?

Securing Data with Microsoft Purview IRM + Defender: A Hands-On Lab

Perparim_Abdullahu — Tue, 26 Aug 2025 01:50:00 GMT

Hi everyone

I recently explored how Microsoft Purview Insider Risk Management (IRM) integrates with Microsoft Defender to secure sensitive data. This lab demonstrates how these tools work together to identify, investigate, and mitigate insider risks.

What I covered in this lab:

Set up Insider Risk Management policies in Microsoft Purview
Connected Microsoft Defender to monitor risky activities
Walkthrough of alerts triggered → triaged → escalated into cases
Key governance and compliance insights

Key learnings from the lab:

Purview IRM policies detect both accidental risks (like data spillage) and malicious ones (IP theft, fraud, insider trading)
IRM principles include transparency (balancing privacy vs. protection), configurable policies, integrations across Microsoft 365 apps, and actionable alerts
IRM workflow follows: Define policies → Trigger alerts → Triage by severity → Investigate cases (dashboards, Content Explorer, Activity Explorer) → Take action (training, legal escalation, or SIEM integration)
Defender + Purview together provide unified coverage: Defender detects and responds to threats, while Purview governs compliance and insider risk

This was part of my ongoing series of security labs.
Curious to hear from others — how are you approaching Insider Risk Management in your organizations or labs?

Alert on DLP Policy Change

GrahamP67 — Thu, 31 Jul 2025 08:01:15 GMT

Is it possible to configure an alert from Purview when a DLP policy is created, amended or removed?

I am trying to build a process to satisfy NIST CM-6(2): Respond to Unauthorized Changes that identifies when a policy chnage happens and to cross reference to an authorised change record.

I can find the events Updated, Created or Changed a DLP Poloicy in audit search but can Purview be configured to generate an alert when these events happen?

DLP Alerts Naming Metadata

Hleo — Tue, 29 Jul 2025 11:18:01 GMT

Im currently facing an issue that every time my DLP policy matches, it creates an Alert on Defender where the name of the file appears on it, for example:

DLP policy match for document 'file.pdf' on a device

DLP policy matched for email with subject (SUBJECT)

I do not want that file.pdf nor SUBJECT appear on the title on Defender, where i can configure to avoid this ?

AADSTS50020: protected PDF issue for external users

mevaibhav831345 — Wed, 04 Jun 2025 11:45:08 GMT

I have been recently (don't know when it was started) observed getting error from protected PDF (sensitivity label with user defined permission) file while trying to open that pdf via AIP viewer mobile app (Android/iOS) AS external user (who has permission to open/view).

No issue with Office file types protected.

external (not internal, not guest) user (currently testing with gmail.com account, other O365 tenant user) getting error as attached from AIP view mobile app.

We do have AIP excluded at conditional access policy which helped so far to avoid this problem for external users.

Is there been any recent change in behavior around user defined protected PDF? Since user having problem is external, have no clue where to look for log and start investigation.

Error code: AADSTS50020

Restrict sharing of Power BI Data to limited users

SaqibSyed — Thu, 22 May 2025 13:46:39 GMT

In the Power BI admin center, we have enabled the setting:
"Restrict content with protected labels from being shared via link with everyone in your organization".
As expected, this prevents users from generating "People in your organization" sharing links for content protected with sensitivity labels.

We only have one sensitivity label with protection enabled. However, due to Power BI’s limitations with labels that include "Do Not Forward" or user-defined permissions, this label is not usable in Power BI.

Our Power BI team wants to restrict sensitive data from being shared org-wide and instead limit access to specific individuals. One idea was to create another sensitivity label with encryption that works with Power BI and use that to enforce the restriction. However, such a label would also affect other Microsoft 365 apps like Word, Excel, and Outlook — which we want to avoid.

I looked into using DLP, but MS documentation mentions below limitations, that makes me unsure if this will meet the requirement.

1. DLP either restricts access to the data owner or to the entire organization.
2. DLP rules apply to workspaces, not individual dashboards or reports.

My question:
Is there any way to restrict sharing of Power BI (or Fabric) content to specific users within the organization without changing our existing sensitivity label configurations or creating a new encryption-enabled label that could impact other apps?

DLP Policy Rule "U.S. Physical Address" exclusion

ENMRSH — Tue, 13 May 2025 17:47:54 GMT

We have the built in Sensitive Info Type "U.S. Physical Address" in our Default HR & Privacy Info Protection Policy in simulation. This is set to the location of just Exchange Email only. Everyone in the company has our physical address in their email signature. This combination keeps triggering alerts even if I set the instance count to something like 3.

I've asked Co-Pilot for instructions to create an exclusion where I can enter our physical address to be ignored but the instructions always mention options that don't exist in the rule edit screen.

I see online people asking for signatures to be ignored but the response is they can't be. Am I doomed to ask all staff to remove their signature, remove this SIT altogether, or just let the Action of "encrypt email messages" proceed and have our organization look the fool for encrypting every email sent outside the organization? Anyone know how to tell Purview to ignore your own physical address?

Can DLP Purview scan inbound emails for Sensitive data?

Jamie34 — Mon, 05 May 2025 16:54:29 GMT

I have a unique use case where we are trying to understand if DLP Purview can scan inbound email external email for sensitive information. If so, is there a specific white page that gives instructions on what settings need to be enabled to scan inbound. I tried using conditions in the existing DLP policies but the external emails were not flagged.

Data discovery | Starting Purview journey

SaqibSyed — Tue, 29 Apr 2025 08:47:58 GMT

An organization is beginning its Microsoft Purview data security journey, with sensitivity labels already published. As they prepare to implement Data Loss Prevention (DLP) and Insider Risk Management (IRM), the initial focus is on data discovery and identifying relevant use cases for policy creation. From a technical standpoint, beyond using Data Explorer and Activity Explorer, what other tools or methods can support this discovery process? How should one approach such a greenfield environment to effectively perform a Data Assessment, identify and prioritize policy use cases?

MS Purview InformationProtectionPolicy - Extract Sensitivity Labels - Permissions Granted

LeonardoCanal — Mon, 28 Apr 2025 01:45:51 GMT

Hello community, I'm currently facing an issue trying to extract sensitivity labels from our Microsoft 365 tenant and could use some assistance.

I have already ensured that the necessary permissions and application are in place. I initially attempted to retrieve the labels via the Microsoft Graph Explorer (graph-explorer) using the endpoint:
https://graph.microsoft.com/beta/security/informationProtection/sensitivityLabels. As you can see in the attached image, I encountered a "Forbidden - 403" error, suggesting a problem with permissions or consent, even though InformationProtectionPolicy.Read is listed under the "Modify permissions" tab as "Unconsent".

The only way that I found to solve it was using "https://graph.microsoft.com/beta/me/security/informationProtection/sensitivityLabels" but I need to use it in Python Code, without a user validation of credential.

Next, I tried to achieve the same using Python and the Microsoft Graph API directly. I obtained an access token using a Client ID and Secret, authenticating against https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token. The application associated with this Client ID and Secret has been granted the InformationProtectionPolicy.Read permission. However, when making a GET request to https://graph.microsoft.com/beta/security/informationProtection/sensitivityLabels in Python, I receive the following error:

I have already granted what I believe are the relevant permissions, including InformationProtectionPolicy.Read.All, InformationProtectionPolicy.Read, Application.Read.All, and User.Read.

Has anyone successfully retrieved sensitivity labels using the Microsoft Graph API?

If so, could you please share any insights or potential solutions?

I'm wondering if there are other specific permissions required or if there's a particular nuance I might be missing. Any help would be greatly appreciated!

Thank you in advance.

Leonardo Canal

Purview endpoint DLP cant block file upload to web.whatsapp on open in app mode chrome browser MacOS

gumilaris2 — Sun, 20 Apr 2025 02:35:09 GMT

we are using purview endpoint DLP to block file upload to web.whatsapp.com on browser for MacOS. its working fine on chrome browser when i try dirrectly upload file contain ssn pattern and its blocked by purview but if we upload using open in app mode (pwa) purview cant detect that activity and file is uploaded to web whatsapp susscessfully.

try to upload senstive file to web.whatsapp.com from chrome browser and its blocked.

but when i try to use "open in app" mode (pwa) dlp purview cant detect the sensitive upload to web.whatsapp.com

how to detect and block file uploaded to unwanted url if user using pwa especially on chrome browser?

try the same scenario on edge, purview able to detect pwa and can intercept the activity but why in chrome its not the same behaviour expected.

"Purview DLP policy is not working as expected."

Melvin_Maldonado03 — Mon, 31 Mar 2025 22:55:51 GMT

I am creating a DLP policy with the following configurations:

A new policy applied to devices was generated.

--SCOPE

Devices

--USERS

DLP_TEST

--A rule is created: DLP_TEST_APPSBLOCK

--THE FOLLOWING CONDITIONS ARE ADDED

Document could not be scanned

Document did not complete analysis

File type is:

Word Processing
Spreadsheet
Presentation
Archive
Mail

File extension is:

py
txt
HTML

--THE FOLLOWING ACTIONS ARE ADDED

Application groups: DLP_TEST_APPS

Copy to clipboard: Block

Print: Block

Copy to USB: Block

Copy to shared network resource: Block

--APPLICATIONS NOT IN THE SHARED APPLICATION GROUPS

Configuration: Block with override

--NOTIFICATIONS

Use notifications to inform users and properly teach them about sensitive information: Enabled

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

In restricted applications, even though I have blocked everything, it still allows me to attach documents from WhatsApp. Although it prevents copying or dragging, I can always upload documents, which should not happen.

This is just a test, but I would like to know what is happening and how I can solve it

Suppress Alerting to Endpoint DLP Printing on "Print to PDF".

Dalesh07 — Mon, 31 Mar 2025 20:06:27 GMT

Is there a way to configure an Endpoint DLP policy for Printing to NOT alert on "Print to File" events primarily Print to PDf's. For example print events where the target name are "Microsoft Print to PDF" or "Adobe PDF"? I understand you can create Printer groups, but there is no way to use as a condition when creating DLP rule.