Microsoft Purview Blog articles

From Oversharing to Enforcement: A Practical Guide to AI Data Security with Microsoft Purview

George Smyrlis — Thu, 23 Apr 2026 14:58:26 GMT

Why AI Changed the Data Security Problem

AI does not create entirely new categories of risk—it supercharges existing ones. Traditional data leakage stems from ordinary behavior: sharing a document too broadly, sending an email to the wrong person, copying regulated data to an uncontrolled device. Generative AI amplifies all of these because of the power and speed with which it can proactively surface content that may be obsolete, over-permissioned, or ungoverned. DSPM exists to help with exactly this challenge: it continuously scans your environment to identify sensitive data, assess risk, and recommend actions to reduce exposure.

Oversharing at Scale
Before AI, an overshared SharePoint file might sit unnoticed. Now, Copilot can summarize it in response to a casual prompt, distributing its contents far beyond the original audience.
Prompt Leakage
Users can inadvertently expose sensitive information—financial account numbers, health records, project code names—simply by typing them into a Copilot prompt. Because AI interactions feel conversational, users tend to drop their guard.
Shadow AI
Beyond sanctioned tools, employees experiment with unapproved AI services.
Autonomous Agents

Autonomous agents expand the data security threat surface by acting independently on sensitive information across systems and boundaries. Their ability to access and share data without direct user interaction increases the risk of oversharing, exfiltration, and unauthorized access, while also introducing complex behavior patterns that are harder to monitor, govern, and control using traditional security models.

What Microsoft Purview Now Brings Together

Data Security Posture Management (DSPM)

DSPM consolidates insights from Data Loss Prevention (DLP), Insider Risk Management, Information Protection, and Data Security Investigations into a single view for monitoring data risks, policy coverage, and posture trends. Now also in Public Preview, DSPM extends coverage to third-party SaaS and IaaS platforms such as Google Cloud Platform, Snowflake, and Databricks, and integrates with partner solutions including Cyera, BigID, and OneTrust for comprehensive risk insights.

A central innovation in this version is data security objectives—prominent, selectable cards that each represent a specific security goal. Selecting an objective guides administrators through an end-to-end workflow that groups together the most relevant Purview solutions—information protection, DLP, Insider Risk Management, and eDiscovery—so teams can focus on achieving a specific data security outcome rather than navigating separate solutions.

Each Outcome card displays key metrics such as the percentage of data covered by policies, the number of risky sharing incidents, and improvements over time. Within each outcome, DSPM surfaces suggested prioritized actions—applying sensitivity labels, configuring DLP policies, or investigating alerts—all tailored to the organization's data. Administrators can take action directly from the workflow, including remediating oversharing, configuring one-click policies, or launching investigations into suspicious activity.

DLP Integration for AI Interactions

DLP is one of the core solutions integrated into DSPM's unified approach. The Activity Explorer's AI activities tab captures events where DLP rules were matched during AI interactions—including prompts, responses, and browsing to generative AI sites. DSPM can automate remediation steps such as removing public sharing links or applying data loss prevention policies to help prevent incidents before they happen.

AI Observability and Agent Governance

Dedicated dashboards and metrics monitor risks associated with AI apps and agents. AI observability enables tracking of agent-specific activities—oversharing, exfiltration, and unusual access patterns—across both Microsoft and third-party environments. Enhanced reporting provides advanced filtering and customizable views, supporting granular analysis of sensitive data usage, DLP activity, and posture trends. Audit logs and activity explorer features help track interactions with AI apps and agents, supporting compliance investigations and incident response.

AI-Powered Security Operations

DSPM not only secures and governs AI apps and agents but also uses Microsoft Security Copilot and AI agents to help secure and govern data. AI analyzes access patterns, sharing behaviors, and policy gaps to surface actionable risks and can detect unusual activity such as excessive sharing or suspicious downloads. Under administrator guidance, AI agents can take direct action on detected risks—removing public sharing links, applying DLP policies, or revoking permissions. These actions are always audited. To streamline investigations, AI-driven triage agents review alerts from DLP and Insider Risk Management solutions, filtering out noise and highlighting the most critical threats.

Three Practical Starting Points

For many organizations adopting generative AI, the biggest hurdle isn't recognizing new risks—it's figuring out where to begin. A "boil the ocean" approach can stall progress, while tackling a few targeted areas delivers quicker wins.

The best early moves are those that reduce exposure quickly, improve visibility, and build a foundation for stronger governance over time.

Starting Point 1: Enable prompt-level protection for Microsoft 365 Copilot

An effective first step is to put guardrails on the prompts users enter into AI. Microsoft Purview DLP allows administrators to restrict Microsoft 365 Copilot and Copilot Chat from processing prompts that contain sensitive information. In practice, users are often more comfortable pasting data into a chat prompt than attaching it to an email, which means a well-meaning employee could inadvertently feed a confidential file or personal data into Copilot.

Enabling prompt-level DLP creates an immediate safety net: if a user's prompt includes, say, a credit card number or a customer's national ID, Copilot will detect it and refuse to process or share that content. DSPM provides suggested prioritized actions—including configuring DLP policies—that can be activated directly from the workflow, and recommended policies can start in simulation mode. Simulation mode lets you see what would have been blocked or flagged, without actually interrupting users, so you can fine-tune the policy and prepare your helpdesk for any questions. Once you're comfortable with the results, switching to enforcement mode will actively block disallowed prompts and log those events for review.

By activating this one control, you've significantly reduced the most immediate oversharing risk—the "oops, I pasted the wrong data" scenario—within hours of starting your AI governance program.

Tradeoff: Simulation mode provides safety but delays enforcement. For organizations with imminent regulatory exposure, consider shortening the simulation window and monitoring alert volumes closely.

Starting Point 2: Gain visibility into shadow AI usage before broad enforcement

The second step is to illuminate what's happening in the shadows. Before rushing into blocking every unsanctioned AI tool, it's crucial to understand how and where AI is being used across the organization. In most enterprises, there's an official layer of AI usage and an often larger, unofficial layer—employees experimenting with free online AI chatbots, writing assistants, or code generators.

DSPM provides this visibility. The Discover > Apps and agents dashboard shows AI apps used across the organization, including the top 20 most recently used agents, with details about sensitive data they accessed and how they are protected by Purview policies.

The AI observability page provides a broader inventory of all AI apps and agents with activity in the last 30 days, including how many are high risk and the total with sensitive interactions. The Activity Explorer's AI activities tab shows when users browsed to generative AI sites, the prompts and responses involved, whether sensitive information was present, and whether DLP rules were matched. Armed with this insight, you can make informed decisions. If you discover that the majority of "AI consumption" comes from just two external apps, you might focus your immediate controls on those two. Conversely, if the data shows most unsanctioned usage is low-risk, you might decide to monitor rather than block it.

The key is visibility first, enforcement second—letting real data guide where to tighten controls versus where to offer secure alternatives.

Tradeoff: Visibility without timely follow-through can create a false sense of security. Set a defined window (e.g., 30 days) after which findings must translate into at least one concrete policy action.

Starting Point 3: Operationalize DSPM objectives for Copilot

A stronger third starting point is to use DSPM as your operational guide, not just a dashboard of charts. DPSM introduces data security objectives—each one a focused end-to-end workflow for a specific outcome. Rather than configuring individual features in isolation, you select an objective and let Purview navigate you through achieving that outcome with the relevant tools.

For generative AI, the key objective to leverage early is "Prevent data exposure in Microsoft 365 Copilot and Microsoft Copilot interactions". By selecting this objective in the Purview portal, you're effectively telling Purview, "help me implement whatever is needed to make Copilot safe with our data." The DSPM interface then groups together the critical pieces: it may prompt you to enable a DLP policy, suggest applying or refining sensitivity labels on content, or surface an Insider Risk Management policy template for detecting AI-related risky behavior. It also surfaces metrics so you can track progress—for example, the percentage of data covered by policies, or the number of risky sharing incidents that have been remediated.

Using DSPM objectives keeps your team aligned on a clear goal from day one. It shifts the conversation from "what knobs do we turn on?" to "how do we achieve this outcome?" You follow a guided plan curated by the platform's intelligence rather than navigating five different admin pages and hoping it adds up to protection.

Tradeoff: Objectives streamline the path but can obscure the underlying complexity. Teams should periodically step outside the guided workflow to review the full policy landscape and ensure no coverage gaps exist between objectives.

From Visibility to Remediation: Turning Insights into Action

Automated Remediation at Scale

DSPM can automate remediation steps such as removing public sharing links or applying data loss prevention policies to prevent incidents before they happen. Under administrator guidance, AI agents within DSPM can take direct action on detected risks—removing sharing links, applying DLP policies, or revoking permissions—and these actions are always audited. This moves the operating model from manual, one-at-a-time fixes to systematic, policy-driven remediation.

Closing the Loop: From Risk to Standing Policy

DSPM's data security objectives surface suggested prioritized actions such as applying sensitivity labels, configuring DLP policies, or investigating alerts, all tailored to the organization's data. Reporting and analytics are organized by outcome, making it easier to identify and report improvements, compliance, and risk reduction. This turns recurring findings into standing preventive controls. Instead of re-running assessments and manually fixing the same patterns, administrators create durable policies that enforce the desired state going forward.

Alert-Driven Investigation and Tuning

Audit logs and activity explorer features help track interactions with AI apps and agents, supporting compliance investigations and incident response. Integrated investigation and forensics tools support rapid incident response and root cause analysis for data security events. Impact prediction visuals and progress tracking for remediation steps are surfaced throughout DSPM, enabling administrators to quantify the effect of their actions and adjust course.

The closed-loop process is: Discover (DSPM scans and risk assessments) → Remediate (automated actions and bulk fixes) → Prevent (create or tighten DLP and auto-labeling policies) → Monitor (alert review, investigation, and policy tuning).

What "Good" Looks Like in a Regulated or Risk-Aware Organization

A mature AI governance posture is defined by measurable outcomes and sustainable operating rhythms—not feature count:

Clear, communicated AI usage policies. Users know what is and is not acceptable in AI interactions because the tools reinforce the rules. DLP policy tips delivered at the moment of a violation are a primary training mechanism—they remind users in context why their prompt was blocked and what to do instead.
Measured enablement over blanket bans. Leading organizations allow Copilot with appropriate controls and restrict only truly unacceptable scenarios. Policies deployed initially in simulation mode provide data to calibrate enforcement thresholds before blocking. This avoids productivity backlash while preserving security posture.

High data hygiene and classification rates. Purview's AI protections depend heavily on sensitivity labels. If everything is unlabeled or "General," label-based controls have nothing to act on. Mature organizations invest in auto-labeling and mandatory labeling to close this gap before deploying AI at scale. DSPM's data security objectives include suggested actions such as applying sensitivity labels, directly tying classification to governance outcomes.

Quantifiable risk reduction. Security leadership can produce metrics from Purview that show trend lines: DSPM Outcome cards display the percentage of data covered by policies, the number of risky sharing incidents, and improvements over time. These figures feed directly into compliance reporting and audit evidence. Key metrics are tracked over time, supporting continuous improvement of the organization's data security posture.

Cross-functional governance. AI governance is not a solo IT Security effort. Stakeholders from security, compliance, legal, and business units review AI usage patterns, discuss policy tuning, and evaluate new Purview capabilities as they release. Role-based access controls within DSPM provide granular access to features and AI content for delegated administration and compliance, enabling this cross-functional model without overexposing sensitive data to every participant.

Tradeoff: Strict enforcement can frustrate power users and slow AI adoption. Organizations should explicitly define escalation paths—if a legitimate use case is blocked by DLP, there must be a fast process to review and adjust, rather than a permanent "no."

A Phased Adoption Model

Phase	Focus	Key Activities
Phase 1 — Quick Wins (weeks)	Visibility and baseline safeguards	Enable prompt-level DLP for Copilot in simulation mode. Run first DSPM data risk assessment for oversharing. Enable shadow AI discovery via DSPM's Apps and agents dashboard and AI observability page. Start from the DSPM objective "Prevent data exposure in Microsoft 365 Copilot and Microsoft Copilot interactions."
Phase 2 — Broad Enforcement (months)	Acting on findings	Switch DLP policies from simulation to enforcement. Use automated remediation actions (removing sharing links, applying DLP policies, revoking permissions). Expand sensitive information type definitions and add custom types. Rollout user communications explaining new controls and escalation paths.
Phase 3 — Mature Governance (ongoing)	Continuous improvement and AI-powered operations	Leverage AI-driven triage agents to filter alert noise and highlight critical threats. Conduct periodic DSPM posture reviews using Outcome card metrics. Tune policies based on impact prediction visuals and progress tracking. Extend protections to new AI apps and agents as they are adopted—DSPM's AI observability tracks agent-specific activities across Microsoft and third-party environments. Formalize cross-functional AI governance cadence.

*Phase 1 should take weeks, not months—the objective is to establish a baseline before risk accumulates.

*Phase 2 is where enforcement generates measurable risk reduction.

*Phase 3 is ongoing: as Microsoft continues extending Purview to additional AI apps and agent types, the governance framework must evolve in tandem.

The DSPM preview's integration with third-party SaaS and IaaS platforms (Google Cloud Platform, Snowflake, Databricks) and partner solutions (Cyera, BigID, OneTrust) means the governance perimeter can expand alongside the organization's AI footprint.

Conclusion

AI adoption and data protection are not opposing forces. Microsoft Purview now provides the visibility, policy controls, and remediation workflows to move from discovering AI risk to actively governing Copilot, third-party AI apps, and agents at scale. DSPM surfaces oversharing and AI usage patterns through unified dashboards, data risk assessments, and AI observability. DLP blocks sensitive data in prompts and restricts AI access to labeled content. Insider Risk Management detects adversarial AI behavior. AI-driven triage and remediation agents close the gap between identifying a problem and fixing it—with every automated action audited.

The path forward starts with practical actions: enable prompt-level DLP, illuminate shadow AI usage, and operationalize DSPM's "Prevent data exposure in Microsoft 365 Copilot and Microsoft Copilot interactions" objective. From there, enforce what you find, measure the results using DSPM's outcome-based metrics, and progressively mature your governance posture.

Organizations that operationalize this loop will be in a strong position: able to say, "We use AI to work smarter—and we have the safeguards in place to do it safely."

Deploy scalable ring‑fenced Purview operations with Administrative Units

MaximeBombardier — Sat, 18 Apr 2026 01:22:01 GMT

As Microsoft Purview deployments mature, many organisations encounter the same scaling challenge: how do you decentralize operations without fragmenting governance or losing visibility? Administrative Units (AUs) provide a native way to solve this by enabling ring‑fenced operations—allowing teams to operate independently within clearly defined boundaries, while preserving central oversight.

This post focuses on the why behind using Administrative Units in Microsoft Purview, with a particular emphasis on scalable, ring‑fenced operations. We’ll walk through three reference architectures that illustrate how Administrative Units support real‑world operating models—without requiring multiple tenants or separate DLP platforms.

note: this article and visuals will focus on Administrative Units support in Purview Data Loss Prevention. However, Administrative Units are supported in additional solutions of Microsoft Purview. Refer to Administrative units in Microsoft Purview | Microsoft Learn for more details and support.

Why Administrative Units matter for scalable operations

Many large organisations operate with decentralized compliance and DLP teams, often aligned to regions, business units, or regulated functions. Historically, this led to one of two sub‑optimal patterns:

Multiple, disconnected DLP solutions or tenants
Centralized teams managing policies and alerts for parts of the business they don’t own

Administrative Units change this model by allowing organisations to:

Partition users (and supported resources) into logical units
Assign restricted administrators who can only see and act within their unit
Apply both global and AU‑scoped policies together, with predictable behavior

From a Purview perspective, this enables true business function autonomy, enforced through RBAC and data visibility boundaries, while keeping global services—such as classification—centralized.

Reference architecture 1: Layered governance with ring‑fenced operations

Scenario

An organisation wants to migrate from multiple legacy DLP solutions into Microsoft Purview while preserving independent operations for each business function or region.

Architecture highlights

This model introduces three distinct layers:

Central governance (Global)
- Global administrators define baseline policies applicable across the tenant
- Shared services such as classifiers and reusable components remain central
- Central teams retain cross‑tenant monitoring and reporting capabilities
Administrative Units (per business function)
- Each business function or region is mapped to an Administrative Unit
- RBAC, policy visibility, and alert management are strictly scoped to the AU
- Policies created here only affect users within that unit
Business function‑level operations
- Scoped DLP admins manage local policies
- Alerts and incidents are handled by the owning team
- Controls can be tuned to meet specific regulatory or operational needs

Why this matters

This architecture enables a phased migration:

Start with a single entity
Gradually scale across additional business functions
Avoid policy sprawl by consolidating and retiring legacy configurations

Crucially, tenant‑wide limits and global services remain unchanged, ensuring consistent performance as scale increases.

Reference architecture 2: Ring‑fencing user activity visibility to sub‑business functions

Scenario

“We have dedicated DLP analysts for executives. DLP alerts and activities for these users must only be visible to that team.”

Architecture highlights

This model refines the first architecture and allowing to have DLP analysts for a subset of users only.
Executive users are placed into a dedicated Administrative Unit representing a subset of users of a business unit.
Policies can be published to multiple Administrative Units (ex: Americas + Americas - Execs)

In this model:

Some DLP administrators may be assigned to multiple AUs so they can publish policies across them
Users must belong to a single AU to ensure clean visibility boundaries

Why this matters

This pattern is particularly effective for:

Executive monitoring
HR or Legal teams
Highly sensitive populations

It delivers strict separation of duties without duplicating policies or creating isolated tenants, and aligns with how Purview scopes alerts, activity explorer, and audit data when Administrative Units are used.

Reference architecture 3: User activity visibility for multi‑AU users

Scenario

Some users operate across multiple business functions—for example, executives or shared service leaders—while still requiring controlled visibility for analysts.

Architecture highlights

User activities are stamped with the sum of all Administrative Units the user belonged to at the time of the activity
Scoped DLP administrators:
- Can only create policies affecting users within their assigned AU. However the sum of their policies will be applicable.
Scoped DLP analysts:
- See all activities for users in their AU, even if those activities were generated by policies scoped to a different AU.

Why this matters

This model ensures:

No loss of investigative context for analysts
Predictable visibility when users span multiple organizational boundaries
Continued enforcement of AU‑based separation of duties

It also reinforces a key principle: Administrative Units control visibility and management scope — not the existence of the underlying activity data. Once a user's in scope of a policy, its related activities/alerts are visible to DLP analysts allowed to review this user's activities.

When not to use Administrative Units

Administrative Units are a powerful enabler for decentralized, ring‑fenced operations—but they are not required in every Purview deployment.

You may choose not to introduce Administrative Units in the following situations:

Single, centralized compliance team. If one team owns all policy creation, alert triage, and investigations across the organisation—and there is no requirement to restrict visibility—Administrative Units add limited value. In this model, global role groups already provide sufficient control.

No need for visibility or management separation. Administrative Units are primarily about scoping visibility and permissions. If all administrators are expected to see all users, alerts, and activities, AU‑based scoping may introduce unnecessary complexity without operational benefit.

Early or small‑scale Purview deployments. Organisations at an early stage of Purview adoption—running a small number of global policies—may find it simpler to start without AUs and introduce them later as operating models mature. Administrative Units do not change tenant limits or global services, so adoption can be phased over time.

Requirements driven purely by policy targeting. If the primary requirement is targeting users dynamically for policy application (rather than restricting administrator access or visibility), adaptive scopes alone may be sufficient. Administrative Units become relevant when who can see and manage data is as important as which users are in scope.

In short, Administrative Units are best introduced when organisations need to scale operations with clear ownership boundaries, not simply to organise users.

Centralized vs. Decentralized Functions in a Ring‑Fenced Operating Model

A scalable Microsoft Purview operating model relies on a deliberate split between functions that remain centralized at the tenant level and those that are decentralized to business functions or regions via Administrative Units (AUs). This balance enables autonomy without fragmentation, preserving global consistency while allowing teams to operate independently within defined boundaries.

Functions that Remain Centralized

Certain capabilities are intentionally retained at the global (tenant) level to ensure consistency, performance, and governance across the organisation. These functions are not delegated to Administrative Units:

Global governance and baseline policy definition
Central teams define tenant‑wide baseline policies that apply consistently across all users, regardless of AU membership. This ensures minimum protection standards and avoids divergent interpretations of risk.
Shared services and reusable components
Core services such as classifiers and other reusable components remain centralized to prevent duplication, reduce administrative overhead, and maintain consistent detection behavior across the tenant.
Cross‑tenant monitoring and reporting
Central teams retain visibility across Administrative Units for monitoring, reporting, and oversight purposes, ensuring that decentralization does not result in blind spots at the organizational level.
Tenant‑wide limits and platform behavior
Administrative Units do not alter tenant‑wide service limits or global platform characteristics. Keeping these aspects centralized ensures predictable performance and scalability as additional business functions are onboarded.

Functions that Are Decentralized via Administrative Units

Operational responsibility is decentralized to business functions or regions by mapping them to Administrative Units, with strict scoping enforced through RBAC and data visibility boundaries:

Policy creation and management scoped to the AU
Business function teams can create and manage policies that only affect users within their Administrative Unit, allowing controls to be tailored to local regulatory or operational requirements without impacting other parts of the organisation.
Scoped visibility of alerts, activities, and incidents
Administrators and analysts assigned to an AU can only see alerts, activities, and incidents for users in that unit. This enforces separation of duties and prevents unintended access to sensitive data belonging to other functions.
Local alert handling and incident response
Decentralized teams own the investigation and remediation of alerts generated within their AU, enabling faster response times and clearer accountability.
Operational tuning per business function
Controls can be adjusted within an AU to reflect specific risk tolerances, regulatory obligations, or operational realities, without creating policy sprawl or requiring separate tenants.

Why This Split Matters

By clearly separating centralized governance and shared services from decentralized, AU‑scoped operations, organisations can scale Purview deployments in a phased and controlled manner—starting with a single business function and expanding over time—while maintaining consistent governance, visibility, and performance across the tenant.

Key takeaways

Administrative Units in Microsoft Purview are not just a permissions feature—they are an operating model enabler. Used correctly, they allow organisations to:

Scale decentralized operations with confidence
Enforce ring‑fenced visibility and management boundaries
Combine global consistency with local autonomy

For organisations planning large‑scale Purview deployments or consolidating legacy compliance tooling, Administrative Units provide a foundational architecture for sustainable growth.

Learn more

Data Security Posture Reports (Custom Workspace and Charts)

Sarahzin_Shane — Wed, 15 Apr 2026 17:10:30 GMT

For more insights on OOB Reports, check out this article.

Overview: NOW IN PUBLIC PREVIEW

Microsoft Purview Posture Reports provide a clear, outcome‑based view of how effectively data protection controls, such as Sensitivity Labels and Data Loss Prevention (DLP) policies, are working across Microsoft 365. Rather than focusing on individual alerts or isolated events, Posture Reports help organizations answer a higher‑level, executive‑ready question:

Are our data protection controls consistently applied and actually reducing risk at scale?

Posture Reports transform complex telemetry from Audit logs, Activity Explorer, and policy enforcement into measurable, defensible insights that security, compliance, and business leaders can act on with confidence. Building on the out‑of‑the‑box experience, Custom Posture Reports enable teams to create scenario‑specific views tailored to their organization’s risk priorities.

Key capabilities include:

Custom dashboards with drag‑and‑drop sections and cards
Built‑in and custom metric or chart cards powered by Activity Explorer data
Flexible filtering to support focused investigations and reporting

Tips:

Start with clear questions, then choose cards that answer them
Avoid overcrowding reports; fewer, well‑chosen cards are more effective
Use metric cards for status, analytics cards for understanding
Treat custom reports as living assets, iterate as needs evolve

This allows security teams to move beyond one‑size‑fits‑all reporting and build views aligned to their unique data protection strategy.

Preview note: As this feature is in Preview, capabilities, terminology, and UX may change, and not all scenarios are fully documented yet.

Key Concepts

Where can I access these reports?

Three Locations:

Purview.microsoft.com -> Information Protection -> Reports

Purview.microsoft.com -> Data Loss Prevention -> Posture Reports

Purview.microsoft.com -> DSPM -> Reports (CUSTOM COMING)

What is a Custom Report?

A Custom Report is a user‑created report container where you assemble one or more cards to visualize Information Protection–related data (for example, labeling, classification, or protection activity). Unlike the built‑in reports, custom reports are designed to be adaptable to different audiences and questions.

Typical use cases include:

Tracking adoption of sensitivity labels over time
Monitoring where sensitive data is most concentrated
Creating executive‑friendly, KPI‑style summaries
Building analyst views for deeper investigation

Core Actions in the Custom Reports Experience

Add Report creates a new, empty report canvas. This is the starting point where you define:

The report name and purpose
Create custom reports with your preferred cards and analytics.

Add section is used to create a logical grouping within a custom report. A section acts as a container that helps organize cards on the report canvas into meaningful groupings based on purpose, audience, or storyline.

What a section does	How sections are used
Provides structure to a report by grouping related cards together Improves readability and navigation, especially in reports with multiple cards Helps separate different analytical themes within the same report	A report can contain one or more sections Each section can include multiple cards (metric cards, chart cards, analytics cards, or custom cards) Sections are added before cards, serving as the layout framework for the report

Add Card lets you place a visualization or metric onto the report canvas. Each card answers a specific question, such as “How much data is labeled Confidential?” or “Where is sensitive content growing fastest?”

Cards are the building blocks of custom reports and can be mixed and matched within the same report.

Permissions: in order to create these reports, you must have permissions to create labels and DLP policies.

Built‑in (OOB – Out of the Box) cards:

Custom reports include two built‑in card types that can be added to sections:

Metric cards – predefined cards used to display key metrics and trends
Analytics cards – predefined cards that provide deeper analytical insights

Note: In addition to built‑in cards, you can add custom cards (such as metric‑based or chart‑based custom cards) to tailor the report to your scenario.

What is a Metric Card?	What is an Analytic Card?
Metric cards are designed to highlight a single, high‑level value or KPI and are also the foundation for building custom cards that combine metrics with trend context.	Analytics cards provide richer visualizations that help users explore patterns and trends in the data.
What they do: A Metric card is used to create a card that pairs a primary metric with its historical trend This allows users to answer not just “What is the value?” but also “Is it improving or declining?” Metric cards are commonly used for adoption, growth, and compliance health indicators These cards focus on showing trends over time	What they do: Show distributions, breakdowns, or trends over time Enable comparison across locations, labels, or workloads Support investigation and analysis rather than just reporting These are useful when you need a visual representation rather than a single metric. Display data using charts such as bars, lines, or other visual formats

What is a Metric Card?

What is an Analytic Card?

Metric cards are designed to highlight a single, high‑level value or KPI and are also the foundation for building custom cards that combine metrics with trend context.

Analytics cards provide richer visualizations that help users explore patterns and trends in the data.

What they do:

A Metric card is used to create a card that pairs a primary metric with its historical trend
This allows users to answer not just “What is the value?” but also “Is it improving or declining?”
Metric cards are commonly used for adoption, growth, and compliance health indicators
These cards focus on showing trends over time

What they do:

Show distributions, breakdowns, or trends over time
Enable comparison across locations, labels, or workloads
Support investigation and analysis rather than just reporting
These are useful when you need a visual representation rather than a single metric.
Display data using charts such as bars, lines, or other visual formats

Custom cards allow you to define tailored views aligned to your organization’s unique questions.

What they do:

Focus on specific scenarios not covered by default cards
Combine dimensions or filters relevant to your business context
Adapt reporting to regulatory, regional, or operational needs

When to use them:

Organization‑specific KPIs
Regulatory or audit‑driven reporting
Advanced scenarios that go beyond standard dashboards

Custom cards are especially useful for mature programs where built‑in reports are no longer sufficient on their own.

Custom Card Configuration

The following example illustrates how a metric‑based custom card can be configured to track adoption trends.

Scenario: Track adoption of the Confidential sensitivity label over the last 30 days.

Card type:

Custom card (built from a Metric card)

Metric configuration	Filters applied	What this card shows
Metric: Number of items labeled Confidential Time range: Last 30 days (custom) Display format: Compound (shows total count with trend direction)	Sensitivity label: Confidential Workload: SharePoint	The current total number of items labeled Confidential Whether labeling activity is increasing or decreasing over the last 30 days A focused view of adoption for a specific label and workload

This type of custom card is well‑suited for adoption tracking, executive summaries, and ongoing compliance health monitoring.

Metric card configuration:

Metric cards currently surface up to 7 days of data, providing recent context for the selected metric. Custom surfaces up to the last 30 days of data.
You can choose different display formats, such as:
Number – a raw count or value
Percentage – a proportional view of the metric
Compound – a combination of value and trend for quick interpretation
You can apply filters to limit the data set to specific criteria (for example, a particular label, location, or workload), allowing the metric to reflect a targeted scenario rather than all data

Chart cards are used to visualize data as a graphical chart and can be created as custom cards when you need a visual representation rather than a single metric.

Click on Chart Card and under Chart card configuration, select the primary activities: Sensitivity Label

Then define the Chart Type

Based on the configuration options shown in the UI, the following chart types are available:

Vertical bar – compares values across categories using vertical bars; commonly used for side‑by‑side comparisons
Horizontal bar – compares values across categories using horizontal bars; useful when category labels are long
Pie – shows proportional distribution of values across categories
Donut – similar to a pie chart, with a central area that improves readability
Line chart – visualizes trends or changes over time

Selecting the appropriate chart type helps ensure the custom card clearly communicates the intended insight and improves overall report readability.

These cards are commonly used for trend analysis, distribution views, and comparative reporting. Both make patterns easier to understand.

Real World Example

The business goal this report is addressing is to prove security value and risk reduction, especially to leadership and stakeholders, by tying data protection investments to measurable outcomes.

Primary Business Goal: demonstrate that the organization’s data protection controls are effective in reducing financial data risk.
The report shows that sensitive financial data is not only being found, but consistently labeled and enforced through DLP, validating that controls are working as intended.

Supporting Business Objectives

Executive assurance & trust	Provide leadership with evidence that compliance and security controls are actively protecting financial data, not just configured.
Risk reduction validation	Show that financial SITs are being systematically identified and governed, reducing exposure and improper data handling.
Value justification for security investments	Correlate auto labeling and DLP outcomes to demonstrate ROI on Purview, labeling, and policy investments.
Operational confidence	Confirm that auto‑labeling policies are accurately detecting sensitive data at scale and triggering appropriate DLP enforcement.
Audit and compliance readiness	Establish defensible proof that sensitive financial data is discovered, classified, and protected consistently across the environment.

Step 1: Create a report, add a name, and description

Step 2: Add a section called Key Outcomes (title and description) and add metric cards to show the data at a glance.

Step 3: Add another section. Include the following two out of the box charts available.

Step 4: Add another section with the out of the box charts

Step 5: Add the last section that ties everything together. One out of the box chart and another custom chart.

Step 6: for the custom chart above, Do a vertical bar, pivot (the groupings at the bottom of the chart) to Activity. Then, add filters (Sensitive info type: the SITs and Activity: DLPRuleMatch.

The report highlights key outcomes, label adoption, application areas, and auto labeling policies. It identifies the main SITs used in labeling and connects them to DLP, demonstrating that the admin's data security measures are effective, particularly with financial information.

Using AI to simplify insights

This AI integration builds on Microsoft Purview’s existing reporting stack (Posture Reports, Activity Explorer and Audit) and introduces AI-assisted interpretation, summarization, and report composition to reduce manual analysis and accelerate decision-making.

To access the report AI Summary: Click on the report and open “View Details”

AI will prepare and summarize the report.

AI Report Components

Executive Summary	Delivers a high level, leadership friendly narrative of the most important insights. Highlights overall posture, major risks, and notable improvements or regressions. Summarizes overall activity (for example, total labeled items and dominant platforms) Calls out major observations and limitations (such as lack of trend comparison due to retention) Provides a concise interpretation of what the data means at a point in time This section answers: “What happened, and what should I know without reading the full report?”
Key metrics	This section provides the essential quantitative data that forms the foundation of the report. Establishes a baseline that can be tracked over time Quantitative measures such as: Number of policy triggers or Label adoption rates Lists the primary counts, categories, and time range used for analysis Clarifies what measurements are available and which are not (such as trends) This section answers: “What are the exact numbers this report is based on?”
Distribution Breakdown	This section shows how activity is distributed across categories or dimensions. Breaks total activity into meaningful segments (for example, Mac vs. Web Browser) Displays proportional impact using counts and percentages Helps identify concentration areas or imbalances across platforms This section answers: “Where is activity happening the most?”
Trend Analysis	Evaluates changes over time when historical data is available. Compares current activity to prior periods Highlights increases, decreases, or stability in behavior Clearly calls out when trend analysis is not possible due to data limitations This section answers: “is behavior improving, worsening, or staying the same over time?”
Key Findings	Synthesizes insights derived from metrics, distributions, and trends. Interprets the data rather than restating it Identifies notable patterns, gaps, or risks (for example, platform skew or low adoption) Connects observations to possible operational or policy implications. This section answers: “What stands out as important or concerning?”
Assessment	Provides an overall evaluation of the security or compliance posture Combines findings into a holistic judgment Assesses scope, coverage, and effectiveness of current practices Describes whether the posture is sufficient or limited This section answers: “How healthy is our current posture?”
Status	Summarizes the assessment into a simple outcome indicator.
Recommendations	Guides next steps based on observed gaps and risks. Suggests practical actions to improve coverage or effectiveness. Aligns recommendations to best practices and product capabilities. Prioritizes changes that reduce risk and improve consistency. This section answers: “What should we do nex
References	Provides traceability and supporting documentation. Links to authoritative Microsoft documentation used to inform recommendations Allows readers to validate guidance or explore implementation details This section answers: “Where can I verify or learn more?”

Full AI Report Summary

Summary

Posture Reports represent a shift from security configuration to security outcomes. They empower organizations to confidently answer critical questions about risk, readiness, and return on security investment, especially in an AI‑driven world.

As reporting continues to evolve, Posture Reports will play a foundational role in how customers prove, improve, and communicate their data security posture.

Data Security Posture Reports

Sarahzin_Shane — Wed, 15 Apr 2026 17:18:17 GMT

Proving Your Data Security Posture with Confidence

Microsoft Purview Posture Reports help organizations prove (not just assume) that their data security controls are working. They provide a clear, outcome‑based view of how effectively sensitivity labels and Data Loss Prevention (DLP) policies are protecting sensitive data across Microsoft 365. Rather than focusing on individual events or alerts, Posture Reports answer a higher‑level question:

Are our data protection controls consistently applied and enforced across the organization?

We designed Posture Reports to give security, compliance, and business leaders a defensible, measurable view of data security posture, especially critical as organizations adopt Copilot and other AI tools.

Purview reporting offers unified data security insights, helping teams identify and address top risks quickly. By consolidating intelligence, it highlights vulnerabilities so you can take prompt action. With contextual information and measurable results, Purview streamlines responses to threats, improves resilience, and supports a proactive security strategy. Microsoft Purview reporting dashboards drive security decisions because they convert massive, fragmented security telemetry into decision‑ready insights: what’s happening, where the risk is, whether controls are effective, and what to do next. For insights on customizing these reports, check out this article.

Where can I access these reports?

Three Locations:

Purview.microsoft.com -> Information Protection -> Reports

Purview.microsoft.com -> Data Loss Prevention -> Posture Reports

Purview.microsoft.com -> DSPM -> Reports

Posture Reports Basics

The out-of-box (OOB) reports are built with a combination of Metric and Analytic cards. Note: these reports are refreshed hourly.

What is a Metric Card?	What is an Analytic Card?
Metric cards are designed to highlight a single, high‑level value or KPI and are also the foundation for building custom cards that combine metrics with trend context.	Analytics cards provide richer visualizations that help users explore patterns and trends in the data.
What they do: A Metric card is used to create a card that pairs a primary metric with its historical trend This allows users to answer not just “What is the value?” but also “Is it improving or declining?” Metric cards are commonly used for adoption, growth, and compliance health indicators These cards focus on showing trends over time	What they do: Show distributions, breakdowns, or trends over time Enable comparison across locations, labels, or workloads Support investigation and analysis rather than just reporting These are useful when you need a visual representation rather than a single metric. Display data using charts such as bars, lines, or other visual formats

What is a Metric Card?

What is an Analytic Card?

Metric cards are designed to highlight a single, high‑level value or KPI and are also the foundation for building custom cards that combine metrics with trend context.

Analytics cards provide richer visualizations that help users explore patterns and trends in the data.

What they do:

A Metric card is used to create a card that pairs a primary metric with its historical trend
This allows users to answer not just “What is the value?” but also “Is it improving or declining?”
Metric cards are commonly used for adoption, growth, and compliance health indicators
These cards focus on showing trends over time

What they do:

Show distributions, breakdowns, or trends over time
Enable comparison across locations, labels, or workloads
Support investigation and analysis rather than just reporting
These are useful when you need a visual representation rather than a single metric.
Display data using charts such as bars, lines, or other visual formats

These cards are commonly used for trend analysis, distribution views, and comparative reporting. Both make patterns easier to understand.

Report Insights

The following table goes into each OOB report and breaks down different viewpoints to help understand how to use them.

Report	Where it shows	Data Security Decision Intent	Why	What it shows	Key Metrics	Filter by
Label distribution and adoption in Microsoft 365	DSPM Reports Information Protection Reports	Expand auto labeling to high volume unlabeled areas Simplify or consolidate confusing labels Look for high label coverage areas as additional enforcement opportunities Prioritize training/auto-labeling in areas with low label adoption	Label coverage is the foundational signal for downstream controls	Label activities by workload Sensitivity labels by platform for endpoint devices Sensitivity label usage Label activities by application methods	Total labeled items Auto-labeled items Manually labeled items Labeled by default	How applied Activity Location Platform Sensitivity label Sensitive info type Policy Rule How applied detail Sensitive info type confidence User
Auto-labeling coverage	DSPM Reports Information Protection Reports	Which auto-labeling polices to promote from audit to enforce Where false positives need tuning before enforcement Which sensitive data types are under-protected Whether auto-labeling can safely scale further	Can we trust our classification signal enough to automate protection?	Auto-labeling by enforcement (which are in sim mode vs. enforcement mode) Auto-labeled items by policies Top auto-labeling policies (most active auto-labeling policies by number of items they have labeled) Auto-labeling policies by platform for endpoint devices	Total labeled items Auto-labeled items Auto-labeled emails Auto-labeled files	How applied Activity Location Platform Sensitivity label Sensitive info type Policy Rule How applied detail Sensitive info type confidence User
Sensitivity Label Changes	DSPM Reports Information Protection Reports	Whether to restrict or justify label downgrades Where insider risk controls may be needed (users downgrading heavily) Which labels need stronger default enforcement? Whether user behavior is increasing data exposure	Label changes are often an early warning signal of oversharing or misuse	Sensitivity label transition trends (timelines for label upgraded/downgraded/removed over time) Sensitivity label removed across workloads (where labels have been removed) Types of Sensitivity labels downgraded (to which sensitivity labels items were often downgraded) Sensitivity label downgrade methods (Analyze sensitivity label downgrades by application method/workload. Dual chart helps identify if this is happening manual or automatic) Sensitivity label downgrades by user (which users are most frequently downgrading)	Labels upgraded Labels removed Labels downgraded Labels downgraded manually	How applied Activity Location Platform Sensitivity label Sensitive info type Policy Rule How applied detail Sensitive info type confidence User
Top users triggering DLP Policies	DSPM Reports Data Loss Prevention Posture Reports	Whether activity reflects risky behavior or broken workflows Which users or roles need targeted controls or guidance If DLP policies are too broad or too noisy If insider risk investigations should be warranted or considered	Distinguish Real risk vs policy misalignment vs. normal business activity	DLP Policies Triggered by Users (DLP rule match per rule)	Unique users involved in triggers Total users with repeated triggers	Policy Location (Workload) Endpoint Device Activity
Most triggered DLP Rules or Activities	DSPM Reports Data Loss Prevention Posture Reports	Which policies need tuning or scoping Where enforcement can be strengthened safely Which risks are systemic vs. isolated Whether DLP is actually aligned to sensitive data	High volume DLP rules should drive prioritization, not alert fatigue	Top DLP Rules Triggered DLP Rules Triggered by Device Activity (most common endpoint activities triggered)	Total rules triggered Unique users involved in triggers Total protective actions taken	Policy Location (Workload) Endpoint Device Activity
Most triggered DLP policies	DSPM Reports Data Loss Prevention Posture Reports	Are my highest‑priority policies aligned to real user behavior Shows whether your most critical policies are: Actively protecting data, or rarely triggered (possibly mis-scoped or irrelevant)	Which DLP policies are most actively protecting sensitive data, is this the highest risk?	DLP Policies Triggered by Workload	Total policy trigger volume Unique users involved in triggers Total rules triggered	Policy Location (Workload) Endpoint Device Activity

Report

Where it shows

Data Security Decision Intent

Why

What it shows

Key Metrics

Filter by

Label distribution and adoption in Microsoft 365

DSPM Reports

Information Protection Reports

Expand auto labeling to high volume unlabeled areas

Simplify or consolidate confusing labels

Look for high label coverage areas as additional enforcement opportunities

Prioritize training/auto-labeling in areas with low label adoption

Label coverage is the foundational signal for downstream controls

Label activities by workload

Sensitivity labels by platform for endpoint devices

Sensitivity label usage

Label activities by application methods

Total labeled items

Auto-labeled items

Manually labeled items

Labeled by default

How applied

Activity

Location

Platform

Sensitivity label

Sensitive info type

Policy

Rule

How applied detail

Sensitive info type confidence

User

Auto-labeling coverage

DSPM Reports

Information Protection Reports

Which auto-labeling polices to promote from audit to enforce

Where false positives need tuning before enforcement

Which sensitive data types are under-protected

Whether auto-labeling can safely scale further

Can we trust our classification signal enough to automate protection?

Auto-labeling by enforcement (which are in sim mode vs. enforcement mode)

Auto-labeled items by policies

Top auto-labeling policies (most active auto-labeling policies by number of items they have labeled)

Auto-labeling policies by platform for endpoint devices

Total labeled items

Auto-labeled items

Auto-labeled emails

Auto-labeled files

How applied

Activity

Location

Platform

Sensitivity label

Sensitive info type

Policy

Rule

How applied detail

Sensitive info type confidence

User

Sensitivity Label Changes

DSPM Reports

Information Protection Reports

Whether to restrict or justify label downgrades

Where insider risk controls may be needed (users downgrading heavily)

Which labels need stronger default enforcement?

Whether user behavior is increasing data exposure

Label changes are often an early warning signal of oversharing or misuse

Sensitivity label transition trends (timelines for label upgraded/downgraded/removed over time)

Sensitivity label removed across workloads (where labels have been removed)

Types of Sensitivity labels downgraded (to which sensitivity labels items were often downgraded)

Sensitivity label downgrade methods (Analyze sensitivity label downgrades by application method/workload. Dual chart helps identify if this is happening manual or automatic)

Sensitivity label downgrades by user (which users are most frequently downgrading)

Labels upgraded

Labels removed

Labels downgraded

Labels downgraded manually

How applied

Activity

Location

Platform

Sensitivity label

Sensitive info type

Policy

Rule
How applied detail

Sensitive info type confidence

User

Top users triggering DLP Policies

DSPM Reports

Data Loss Prevention Posture Reports

Whether activity reflects risky behavior or broken workflows

Which users or roles need targeted controls or guidance
If DLP policies are too broad or too noisy

If insider risk investigations should be warranted or considered

Distinguish Real risk vs policy misalignment vs. normal business activity

DLP Policies Triggered by Users (DLP rule match per rule)

Unique users involved in triggers

Total users with repeated triggers

Policy

Location (Workload)

Endpoint Device

Activity

Most triggered DLP Rules or Activities

DSPM Reports

Data Loss Prevention Posture Reports

Which policies need tuning or scoping

Where enforcement can be strengthened safely

Which risks are systemic vs. isolated

Whether DLP is actually aligned to sensitive data

High volume DLP rules should drive prioritization, not alert fatigue

Top DLP Rules Triggered

DLP Rules Triggered by Device Activity (most common endpoint activities triggered)

Total rules triggered

Unique users involved in triggers

Total protective actions taken

Policy

Location (Workload)

Endpoint Device Activity

Most triggered DLP policies

DSPM Reports

Data Loss Prevention Posture Reports

Are my highest‑priority policies aligned to real user behavior

Shows whether your most critical policies are: Actively protecting data, or rarely triggered (possibly mis-scoped or irrelevant)

Which DLP policies are most actively protecting sensitive data, is this the highest risk?

DLP Policies Triggered by Workload

Total policy trigger volume

Unique users involved in triggers

Total rules triggered

Policy

Location (Workload)

Endpoint Device Activity

Customer Use Cases

What are some customer concerns Posture Reports address OOB?

Use Case	Situation	Guidance
Labeling & auto-labeling program rollout: “Are we increasing coverage and preventing drift?”	Customer situation: A customer is rolling out sensitivity labels and auto-labeling. Leadership asks: “Are we labeling more content?” Security asks: “Are sensitive items still unprotected?” And compliance asks: “Are users downgrading labels?”	In posture reports, Information Protection coverage includes label distribution/adoption, auto-labeling posture, and posture drift through label transitions (e.g., label downgrades). This maps directly to “coverage + drift + enforcement” conversations. The built-in IP posture set also calls out label distribution and adoption, auto-labeling policy coverage, and sensitivity label activity as core reports. For “active data” posture, the design intent explicitly includes questions like “What % of my active data estate is labeled vs not labeled?” and “What %/count of unlabeled data has sensitive info?” and “How is labeling protection trending over 30 days?”: perfect for proving program progress (or identifying gaps).
DLP tuning & noise reduction: “Which policies/rules are actually firing, and who’s tripping them?”	Customer situation: The DLP admin is overwhelmed: policies exist, but they don’t know which ones are actually driving volume (or pain), and which users are repeatedly triggering violations. They need to prioritize tuning based on real-world triggers.	Surfaces most triggered DLP rules, most triggered DLP policies, and top users triggering DLP policies. This is directly aligned to the operational question “Are our policies effective?” The service-description blurb explicitly frames DLP posture reports as highlighting most triggered rules, highest-volume policies, and top policy violators. This is exactly what admins use to decide what to tune first. Helps teams move from anecdotal “DLP is noisy” to a ranked view of where to focus (policy/rule/user).
CISO Reports, “Are we safer this quarter?” posture readout	Customer situation: A CISO (or compliance leader) needs a repeatable, executive-ready snapshot of how the organization is protecting sensitive data, without stitching together audit logs, Activity Explorer screenshots, and spreadsheets. Posture Reports are explicitly positioned as “executive-ready visibility” across Information Protection + DLP.	Provides OOB, executive-ready visibility into data protection posture across Information Protection and Data Loss Prevention, so the CISO can answer “Is Purview doing what we intend it to do?” and “Where are the gaps?” quickly. Enables a consistent monthly/quarterly narrative from built-in metrics and trends, with hourly refresh called out as a customer/partner value driver (great for “freshness” credibility in leadership reviews). Uses a rolling window approach; guidance is to save/export what you want to retain for future reference (great for recurring readouts).

Frequently Asked Questions (FAQs)

Question	Guidance
What is the least permission required to see Posture Report section for DLP?	Information Protection Reader
We can see Activity Explorer details inside the reports in a non-simplified view, where all confidential information is visible. If someone has the Security Reader role, will they be able to see these things?	Security Reader can see Activity Explorer content surfaced inside Posture Reports, including user/activity-level details that may expose sensitive metadata. If you want a role that can view posture reports but not see confidential item-level signals, Security Reader is not the safe minimum; Information Protection Reader is.
Why are our DLP "Device Posture" reports are not in the Posture Reports and only on the DLP Overview page?	It will move. Right now, the traffic on home page is high, so we launched there. There will eventually be a deep clone into our "Posture Reports" section, however, it will take some time before it shows up.
Can I get reports going back longer than 30 days?	We're working on increasing this number but at this time, the reports go back a max of 30 days.
Is there any impact on tenant performance when enabling new reporting features? How quickly will reports populate after enabling the feature?	No significant impact is expected. If labeling, scanning, and/or DLP policies are already active, reports populate instantly when the feature is enabled (assuming E5 is in place). No additional intrusive operations are performed on the tenant.
Can we customize these reports?	We have a current public preview in place for posture report customization.

Stay tuned for more updates as we continue to build out Microsoft Purview Reporting.

Co-Authors: Kevin Kirkpatrick and Jane Switzer

Microsoft Purview Referential Architecture Diagrams

MaximeBombardier — Mon, 13 Apr 2026 23:24:30 GMT

The Microsoft Purview architecture diagrams provide a referential view of how data classification, sensitivity labeling, Data Loss Prevention (DLP) and Insider Risk operate across Microsoft 365 workloads. These diagrams are intended to help organisations understand where policy evaluation occurs, how signals flow between services, and how enforcement is applied consistently.

Rather than prescribing a single deployment model, the diagrams illustrate common architectural patterns used to protect sensitive data across endpoints, email, and collaboration services.

Classification: How Content Sensitivity Is Determined

This diagram shows how content is classified across Microsoft 365 workloads and connected locations.