Recent Blogs
See the latest Microsoft Entra capabilities to control AI and web use, prevent risky uploads, and modernize private app access without legacy VPN friction.
May 01, 2026

Learn what SASE is, why it matters, and how Microsoft Entra helps you start your secure access journey in a cloud-first world.
Apr 30, 2026

Welcome to the April 2026 edition of What's new in Microsoft Sentinel. April brings a broad set of updates, with RSAC 2026 announcements rolling out alongside new features. Highlights include cost li...
Apr 30, 2026

Co-authors: Kayla Rohde & Kenneth Johnson
Having multiple cybersecurity technologies, controls, systems, and stakeholders operating together without conflict is not a temporary inconvenience. It is...
Apr 30, 2026
Recent Discussions
Endpoint DLP Collection Evidence on Devices
Hello team, I am trying to set up the feature to collect evidence when endpoint DLP matches. Official feature documentation: https://learn.microsoft.com/en-us/purview/dlp-copy-matched-items-learn https://learn.microsoft.com/en-us/purview/dlp-copy-matched-items-get-started Unfortunately, it is not working as described in the official documentation. I opened a ticket with Microsoft support and Microsoft Services Hub; unfortunately, they don't know how to set it up, or they are unable to solve the issue. Support ticket: TrackingID#26040XXXXXXX9201 Service Hub ticket: https://support.serviceshub.microsoft.com/supportforbusiness/onboarding?origin=/supportforbusiness/create TrackingID#26040XXXXXXXX924 I followed the steps to configure: based on the Microsoft documentation, I should be able to see the evidence in Activity explorer, Purview DLP alerts, or Defender Alerts/Incidents.

Microsoft Purview to detect passwords
Hi All, What would you recommend for scanning and setting up scheduled scans in Microsoft Purview to detect passwords or sensitive credentials stored in SharePoint sites and OneDrive? We would like to discover whether anyone has shared or stored passwords in SharePoint or OneDrive, as we have already had an incident because of this. Are there any recommended Purview solutions, policies, or detection rules we should use for this? Ideally, we would like to schedule regular scans and receive alerts or reports when potential passwords, credentials, or secrets are detected. Any advice or recommended approach would be appreciated. Thanks, Miro

runHuntingQuery API and 'evaluate pivot'
Seem to have a problem where any request to the runHuntingQuery API with 'evaluate pivot' fails with error": { "code": "UnknownError", "message": "", Is this just a 'feature'? The query happily runs through the website/XDR portal. :-( Is there a way to simulate a pivot (easily) in powerapps?

Onboard devices in Purview is grayed out
I'm getting started with Microsoft Purview and running into issues onboarding devices. In the Purview portal, no devices appear, and the "Onboard devices" option is grayed out. I have EMS E5 licenses assigned to all users, and I'm signed in as a Global Admin with Purview Administrator and Security Administrator roles. All devices are managed by Intune and run Windows 11 Enterprise with the latest updates. They are Microsoft Entra joined (AAD joined), show up correctly in Defender, and their Defender onboarding status is active and onboarded. What piece am I missing that would prevent these devices from showing in Purview and keep the onboarding option disabled? Any guidance would be appreciated.

Activity explorer scoping to AU
I remember that Activity Explorer can be fully scoped to Admin Units, and that the Restricted admin can see Activity Explorer and DLP matching events for the scoped AU only. Is that correct? Cause I was checking and I found the Restricted admin can see the activities also for the users out of the scoped AU. Does that make sense?

Welcome, Purview Lightning Talks audience!
Please log in and then post any of your Data Security (and AI) spillover Purview Lightning Talks questions in the thread below. You can tag them using these hyperlinked handles:

Session Title | Speaker | Tech Community Alias (tag)
The Purview Label Engine: Automated Classification, Translation, and Co-Documentation for Enterprise Tenants | Michael Kirst Neshva | MichaelKirst1970
Stop, Think, Protect: Data Security in Real Life with Purview | Oliver Sahlmann | Oliver Sahlmann
Using Purview to Prevent Oversharing with AI Services | Viktor Hedberg | headburgh
How I Helped My Customers Understand Their AI Usage (and Protect Their Sensitive Data) | Bram de Jager | Bram de Jager
Four Labels Max for Daily Use: Which Ones & Why? | Romain Dalle | RomainDalle_MVP_MCT
Data‑driven Endpoint DLP Solution with Advanced Hunting | Tatu Seppälä | tseppala
The Purview Hack No One Talks About: Container Sensitivity Labels That Fix Oversharing Fast | Nikki Chapple | nikkichapple
Why You Should Create Your Own Sensitive Information Types (SITs) | Niels Jakobsen | Niels_Jakobsen
From Zero to First Signal: Insider Risk Management Prerequisites That Actually Matter | Sathish Veerapandian | Sathish Veerapandian
Securing Data in the Age of AI | Júlio César Gonçalves Vasconcelos | jcvasconcelos
Beyond eDiscovery – Purview DSI for Security Investigation | Susantha Silva | susanthasilva
Elevating Purview DLP with a Real‑World Use Case | Victor Wingsing | vicwingsing

Purview Lightning Talks takes place April 30th at 8am Pacific: Webinar Details. Full agenda here. Also, you can come here at any time and click "Start a Discussion" to post a topic or question to your Purview Community!

Governing Entra‑Registered AI Apps with Microsoft Purview
As the enterprise adoption of AI agents and intelligent applications continues to accelerate, organizations are rapidly moving beyond simple productivity tools toward autonomous, Entra‑registered AI workloads that can access, reason over, and act on enterprise data. While these capabilities unlock significant business value, they also introduce new governance, security, and compliance risks—particularly around data oversharing, identity trust boundaries, and auditability. In this context, it becomes imperative to govern AI interactions at the data layer, not just the identity layer. This is where Microsoft Purview, working alongside Microsoft Entra ID, provides a critical foundation for securing AI adoption—ensuring that AI agents can operate safely, compliantly, and transparently without undermining existing data protection controls.

Let's look at the role of each solution.

Entra ID vs Microsoft Purview
A very common misconception is that Purview "manages AI apps." In reality, Purview and Entra serve distinct but complementary roles:

Microsoft Entra ID
- Registers the AI app
- Controls authentication and authorization
- Enforces Conditional Access and identity governance

Microsoft Purview
- Governs data interactions once access is granted
- Applies classification, sensitivity labels, DLP, auditing, and compliance controls
- Monitors and mitigates oversharing risks in AI prompts and responses

Microsoft formally documents this split in its guidance for Entra‑registered AI apps, where Purview operates as the data governance and compliance layer on top of Entra‑secured identities. Let's look at how Purview governs the Entra‑registered AI apps. Below is the high‑level reference architecture, which can be extended to low‑level details.

1. Visibility and inventory of AI usage
Once an AI app is registered in Entra ID and integrated with Microsoft Purview APIs or SDK, Purview can surface AI interaction telemetry through Data Security Posture Management (DSPM). DSPM for AI provides:
- Visibility into which AI apps are being used
- Which users are invoking them
- What data locations and labels are touched during interactions
- Early indicators of oversharing risk
This observability layer becomes increasingly important as organizations adopt Copilot extensions, custom agents and third‑party AI apps.

2. Classification and sensitivity awareness
Purview does not rely on the AI app to "understand" sensitivity. Instead:
- Data remains classified and labeled at rest
- AI interactions inherit that metadata at runtime
- Prompts and responses are evaluated against existing sensitivity labels
If an AI app accesses content labeled Confidential or Highly Confidential, that classification travels with the interaction and becomes enforceable through policy. This ensures AI does not silently bypass years of data classification work already in place.

3. DLP for AI prompts and responses
One of the most powerful yet misunderstood Purview capabilities is AI‑aware DLP. Using DSPM for AI and standard Purview DLP:
- Prompts sent to AI apps are inspected
- Responses generated by AI can be validated
- Sensitive data types (PII, PCI, credentials, etc.) can be blocked, warned, or audited
- Policies are enforced consistently across M365 and AI workloads
Microsoft specifically highlights this capability to prevent sensitive data from leaving trust boundaries via AI interactions.

4. Auditing and investigation
Every AI interaction governed by Purview can be recorded in the Unified Audit Log, enabling:
- Forensic investigation
- Compliance validation
- Insider risk analysis
- eDiscovery for legal or regulatory needs
This becomes critical when AI output influences business decisions and regulatory scrutiny increases. Audit records treat AI interactions as first‑class compliance events, not opaque system actions.

5. Oversharing risk management
Rather than waiting for a breach, Purview proactively highlights oversharing patterns using DSPM:
- AI repeatedly accessing broadly shared SharePoint sites
- High volumes of sensitive data referenced in prompts
- Excessive AI access to business‑critical repositories
These insights feed remediation workflows, enabling administrators to tighten permissions, re‑scope access, or restrict AI visibility into specific datasets.

In a nutshell, with agentic AI accelerating rapidly, Microsoft has made it clear that organizations must move governance closer to data, not embed it into individual AI apps. Purview provides a scalable way to enforce governance without rewriting every AI workload, while Entra continues to enforce who is allowed to act in the first place. This journey makes every organization adopt Zero Trust at scale, as it's no longer limited to users, devices, and applications; it must now extend to AI apps and autonomous agents that act on behalf of the business. If you find the article insightful and you appreciate my time, please do not forget to like it 🙂

Welcome, Purview Lightning Talks audience!
Please log in and then post any of your Risk and Compliance spillover Purview Lightning Talks questions in the thread below. You can tag them using these hyperlinked handles:

The Day Offboarding Exposed Infinite Retention - Nikki Chapple (nikkichapple)
Length: 10 minutes | Topic: Data Lifecycle Management
A routine Purview request led to an unexpected discovery: more than 9,000 orphaned OneDrives and thousands of inactive mailboxes still storing content long after employees had left. This talk explains how a retain-only policy created hidden retention debt and how Adaptive Scopes can help organisations separate active users from leavers to avoid similar pitfalls.

What's In My Compliance Manager Toolbox: A Cloud Security Architect's Perspective - Jerrad Dahlager (j-dahl7)
Length: 8 minutes | Topic: Compliance Manager
A practical walkthrough of how I use Compliance Manager across real client engagements to map controls, track improvement actions, and simplify multi-framework compliance. No theory, just what works in the field.

Does M365 Support eDiscovery? - Julian Kusenberg (Leprechaun91)
Length: 11 minutes | Topic: eDiscovery
A myth-busting session that separates perception from reality when it comes to Microsoft 365 eDiscovery capabilities.

Also, you can come here at any time and click "Start a Discussion" to post a topic or question to your Purview Community! Purview Lightning Talks takes place April 30th at 8am Pacific: Webinar Details

Welcome, Purview Lightning Talks audience!
Please log in and then post any of your Data Governance spillover Purview Lightning Talks questions in the thread below. You can tag them using these hyperlinked handles:

Improving Discovery, Trust, and Reuse of Analytics with Purview Data Products - CraigWyndowe
Length: 5 minutes | Topic: Governance
This talk shows how bringing Power BI and Fabric assets into Microsoft Purview Governance Domains and Data Products creates a single, trusted view of enterprise analytics. By connecting reports, semantic models, and underlying data with shared metadata, ownership, and business context, organizations can make existing assets easy to discover and safe to reuse.

Also, you can come here at any time and click "Start a Discussion" to post a topic or question to your Purview Community!

Sharing: PDF readers that support Purview labels
As I was researching Adobe Acrobat Reader and sensitivity labels, I decided to check if the common alternative PDF readers out there are able to support Purview MIP sensitivity labels. There is already published documentation on this for SharePoint-compatible PDF readers that support Microsoft IRM: https://learn.microsoft.com/en-us/purview/sp-compatible-pdf-readers-for-irm (last updated Nov-2023), but I wanted to see if these same PDF readers support the ability for end users to use/select labels similar to that of Adobe Acrobat. As of 11-June-2025, at least one of them clearly does:

Nitro PDF: Yes. Documentation shows that users can see and use the sensitivity labels.
PDF-XChange Editor: Yes. Documentation shows that users can see and use the sensitivity labels. (Check the official website; I can't hyperlink it because the site is blocked.)
FOX PDF editor: No. Documentation only states RMS and it is not clear if it shows Purview labels. This is for the F.O.X.I.T editor (spelled without the ".") but for some reason there is a community ban on that word and it won't allow me to post the full name.
PDFescape: No.
Sumatra PDF: No.
Okular: No.

If there are other PDF readers that I've missed, I encourage you to list them in the comments below. Would love to grow this list.

Shared capabilities
I am writing my thesis about Microsoft Purview, and something is not very clear to me about the shared capabilities. So I know Microsoft has the platform and the product shared capabilities. The platform shared capabilities are the foundation for Purview, like audit logs and retention labels etc. The product shared capabilities are products such as Adaptive Protection and OCR. There is a lot of information about the product shared capabilities on learn.microsoft.com. But is there anything I can find about the platform shared capabilities, like a blog post or a webinar?

How to stop incidents merging under a new incident (MultiStage) in Defender
Dear All,

We are experiencing a challenge with the integration between Microsoft Sentinel and the Defender portal where multiple custom rule alerts and analytic rule incidents are being automatically merged into a single incident named "Multistage." This automatic incident merging affects the granularity and context of our investigations, especially for important custom use cases such as specific admin activities and differentiated analytic logic. Key concerns include:
- Custom rule alerts from Sentinel merging undesirably into a single "Multistage" incident in Defender, causing loss of incident-specific investigation value.
- Analytic rules arising from different data sources and detection logic are merged, although they represent distinct security events needing separate attention.
- Customers require and depend on distinct, non-merged incidents for custom use cases, and the current incident correlation and merging behavior undermines this requirement.
We understand that Defender's incident correlation engine merges incidents based on overlapping entities, timelines, and behaviors but would like guidance or configuration best practices to disable or minimize this automatic merging behavior for our custom and analytic rule incidents. Our goal is to maintain independent incidents corresponding exactly to our custom alerts so that hunting, triage, and response workflows remain precise and actionable. Any recommendations or advanced configuration options to achieve this separation would be greatly appreciated. Thank you for your assistance. Best regards

DLP Policy - DSPM Block sensitive info from AI sites
Having issues with this DLP policy not being triggered to block specific SITs from being pasted into ChatGPT, Google Gemini, etc. Spent several hours troubleshooting this issue on a Windows 11 VM running in Parallels Desktop. Testing was done in Edge.

Troubleshooting/testing done:
- Built Endpoint DLP policy scoped to Devices and confirmed device is onboarded/visible in Activity Explorer.
- Created/edited DLP rule to remove sensitivity label dependency and use SIT-based conditions (Credit Card, ABA, SSN, etc.).
- Set Paste to supported browsers = Block and Upload to restricted cloud service domains = Block in the same rule.
- Configured Sensitive service domain restrictions and tested priority/order (moved policy/rule to top).
- Created Sensitive service domain group for AI sites; corrected entries to hostname + prefix wildcard format (e.g., chatgpt.com + *.chatgpt.com) after wildcard/URL-format constraints were discovered.
- Validated Target domain = chatgpt.com in Activity Explorer for paste events.
- Tested multiple SIT payloads (credit card numbers with/without context) and confirmed detection occurs.
- Confirmed paste events consistently show: Policy = Default Policy, Rule = JIT Fallback Allow Rule, Other matches = 0, Enforcement = Allow (meaning configured rules are not matching the PastedToBrowser activity).
- Verified Upload enforcement works: "DLP rule matched" events show Block for file upload to ChatGPT/LLM site group, which proves domain scoping and endpoint enforcement work for upload.
- Disabled JIT and retested; paste events still fall back to JIT Fallback Allow Rule with JIT triggered = false.
- Verified Defender platform prerequisites: AMServiceVersion (Antimalware Client) = 4.18.26020.6 (meets/exceeds requirements).

Unsanctioned cloud apps generate constant alerts
When I mark a cloud app as unsanctioned it creates a URL-based indicator to block the site. However, it also by default enables the Generate Alert option on the indicator. This causes my SOC to be inundated with garbage alerts. Now normally if I'm just unsanctioning one cloud app I could go and turn off the alert. However, I use a cloud app policy that will identify any new cloud apps in an entire category and then unsanction them. But it enables Generate Alert on the URL indicator. Then if someone accesses that new one the generate alert kicks off. I don't want to have to go into every new app and untick Generate Alert manually; that's just too time consuming. Is there a way to change the default behaviour when adding an indicator to not enable the generate alert? Or is there some other way to do this? I could consider using Power Automate or something but I'd rather the default behaviour be the fix, as automation can break. I don't have time to babysit it.

Auto Labeling Policy Delay for Old Files (Existing Files)
Hi Everyone, We are observing a difference in auto labelling policy behaviour in Purview for SharePoint. An auto labelling policy has been enabled and scoped to SharePoint with a metadata-based rule (document creation date or document modification date). The scoped SharePoint only contains 7 unlabeled files that were uploaded before the policy was turned on. The policy is working because any new file I placed after enabling the policy got labelled within about 5 minutes, but the existing files are not labeled and remain unlabelled. It seems the new files are evaluated via near real time while existing files rely on asynchronous mode. Can anyone help explain why existing files take longer to be processed even when there are only a few files, or share if you faced similar behaviour. This is the test scenario, as we plan to enable the same policy across more than 50 sites containing millions of unlabeled files, and we want to understand and predict that, even though it takes time, all existing unlabeled files will eventually be labelled. This is very crucial, so please help us understand this behaviour. Regards, BanuMurali

'Registering user becomes local admin on Joined Devices' - WHAT
Stumbled on a tenant with 'JOIN' available for all users. Haven't worked with this much - most tenants I see only have registration. But then I noticed the horrifying 'Registering user is added as local administrator on the device during Microsoft Entra join' option was ALSO set to ALL. This is a tenant we just took on, but I've never seen that control before. This is terrifying, considering AFAIK there is no real way for a registering user to know if they're registering or joining. Beneath it is an option to 'Manage Additional local administrators on all Microsoft Entra joined devices', which leads to the Role page for Device Administrators, which is empty. Under Description, this describes what APPEARS to be the same thing mentioned in the previous control - 'Users with this role become local machine administrators on all Windows 10 devices that are joined to Microsoft Entra'. But no one is assigned this. Conveniently, on my own tenant, I happened to let someone JOIN yesterday. We have this limited to 2 (now 3) people - most just register... But this user Joined, and the 'Joining user becomes local admin' option was on ALL. But I can't validate that the user ever became local admin. They don't have the role, their device shows as joined, but there's no additional roles. The audit logs don't look weird. They're not in that 'Device Administrators' group, which describes itself as 'Users with this role become local machine administrators on all Windows 10 devices that are joined to Microsoft Entra'. Thoughts? Freaking out, honestly. We have a mix of DC and Cloud users. I've inherited them all, and had the understanding that Join was essentially registration but with Org ownership. I've tried to get some input from Copilot, but he has basically waffled between 'No, this setting is just badly named' and 'no, actually it's this other setting' and 'no, you know what, it all makes sense somehow'.
1. Does that option actually set the joining user as global admin? Is that really the default setting?
2. Can you validate this ANYWHERE in Entra? Or does it just disappear?
3. What is that Device Admin group? A separate group, independent of these two settings, that gives local admin?
4. Is there a Graph endpoint that can be used to set this?
Thanks

Feature Request: Extend Security Copilot inclusion (M365 E5) to M365 A5 Education tenants
Background
At Ignite 2025, Microsoft announced that Security Copilot is included for all Microsoft 365 E5 customers, with a phased rollout starting November 18, 2025. This is a significant step forward for security operations.

The gap
Microsoft 365 A5 for Education is the academic equivalent of E5 — it includes the same core security stack: Microsoft Defender, Entra, Intune, and Purview. However, the Security Copilot inclusion explicitly covers only commercial E5 customers. There is no public roadmap or timeline for extending this benefit to A5 education tenants.

Why this matters
Education institutions face the same cybersecurity threats as commercial organizations — often with fewer dedicated security resources. The A5 license was positioned as the premium security offering for education. Excluding it from Security Copilot inclusion creates an inequity between commercial and education customers holding functionally equivalent license tiers.

Request
We would like Microsoft to:
- Confirm whether Security Copilot inclusion will be extended to M365 A5 Education tenants
- If yes, provide an indicative timeline
- If no, clarify the rationale and what alternative paths exist for education customers

Are other EDU admins in the same situation? Would appreciate any upvotes or comments to help raise visibility with the product team.

eDiscovery search: Sites not available when adding a Group data source
Hi, I am attempting to use Purview eDiscovery to search a SharePoint site associated with a Group. When adding the Data Source, I search for the URL of the SharePoint site, and the Group is returned. However, after selecting the group and clicking Manage, it indicates Sites are "Not Available". What causes this, and how do I fix it? My user is a member of the "eDiscovery Manager" role group as an "eDiscovery Administrator", and licensed with "Microsoft 365 E3" and "Microsoft Purview Suite". It is also an Owner of the target Group / SP Site.
Events
AMA: What's New in Microsoft Purview Data Security Investigations
Join us to learn about the latest updates to Microsoft Purview Data Security Investigations (DSI)—including new capabilities like t...
Monday, May 11, 2026, 09:00 AM PDT (Online)