Why Microsoft Teams "sprawl" is the best thing that has ever happened to your company!
I have been asked countless times by IT managers, "How do I control Teams Sprawl", and this question always throws me off because the question is asked in a way that indicates "sprawl" is a bad thing. The way I look at this is that it shows natural, organic growth, and to me that is a good thing. That means the company likes and is enjoying the solution. I am not sure why you would want to limit this. It is small business owners dream that their product goes viral or for a young artist to have their YouTube video get a million views in a few days. Why would we not want the same thing within our own departments in corporate America?Microsoft Purview – Data Security Posture Management (DSPM) for AI
Introduction to DSPM for AI In an age where Artificial Intelligence (AI) is rapidly transforming industries, ensuring the security and compliance of AI integrations is paramount. Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations monitor AI activity, enforce security policies, and prevent unauthorised data exposure. Microsoft Purview Data Security Posture Management (DSPM) for AI addresses three primary areas: Recommendations, Reports, and Data Assessments. DSPM for AI assists in identifying vulnerabilities associated with unprotected data and enables prompt action to enhance data security posture and mitigate risks effectively. Getting Started with DSPM for AI To manage and mitigate AI-related risks, Microsoft Purview provides easy-to-use graphical tools and comprehensive reports. These features allow you to quickly gain insights into AI use within your organization. The one-click policies offered by Microsoft Purview simplify the process of protecting your data and ensuring compliance with regulatory requirements. Prerequisites for Data Security Posture Management for AI To use DSPM for AI from the Microsoft Purview portal or the Microsoft Purview compliance portal, you must have the following prerequisites: You have the right permissions. Monitoring Copilot interactions requires: Users are assigned a license for Microsoft 365 Copilot. o Microsoft Purview auditing enabled. Check instructions for Turn auditing on or off. Required for monitoring interactions with third-party generative AI sites: Devices are onboarded to Microsoft Purview, required for: Gaining visibility into sensitive information that's shared with third-party generative AI sites. (e.g., credit card numbers pasted into ChatGPT). Applying endpoint DLP policies to warn or block users from sharing sensitive information with third-party generative AI sites. (e.g. a user identified as elevated risk in Adaptive Protection is blocked with the option to override when they paste credit card numbers into ChatGPT) The Microsoft Purview browser extension is deployed to users and required to discover site visits to third-party generative AI sites. Things to consider Recommendations may differ based on M365 licenses and features. Not all recommendations are relevant for every tenant and can be dismissed. Any default policies created while Data Security Posture Management for AI was in preview and named Microsoft Purview AI Hub won't be changed. For example, policy names will retain their Microsoft AI Hub -prefix. In this blog post we are going to focus on Recommendations. Recommendations Let's explore each of the recommendations in detail, which will encompass one-click policy creation, data assessments, step-by-step guidance, and regulations. The data in the reports section will be contingent upon the completion of each recommendation. Figure 1: Recommendations – DSPM for AI Control unethical behaviour in AI Type: One-click policy Solution: Communication Compliance Description: This policy identifies sensitive information within prompts and response activities in Microsoft 365 Copilot. Action: Create policy to setup a one-click policy. Conditions: Content matches any of these trainable classifiers: Regulatory Collusion, Stock manipulation, Unauthorized disclosure, Money laundering, Corporate Sabotage, Sexual, Violence, Hate, Self-harm By default, all users and groups are added. The customisation of the policy is also available during the one-click policy creation process. Figure 2: Recommendations – One-click policy Guided assistance to AI regulations Type: New AI regulations Solution: Compliance manager Description: This recommendation is based on the NIST AI RMF regulations, suggesting actions to help users protect data during interactions with AI systems. Action: Monitor AI interaction logs: Go to Audit logs, configure search with workload filter, select copilot and sensitive information type and review search results. Monitor AI interactions in other AI apps: Navigate to DSPM for AI and review interactions in other AI apps for sensitive content and turn on policies to discover data across AI interactions and other AI apps. Flag risky communication and content in AI interactions: Create Communication compliance policy to define the necessary conditions and fields and select Microsoft Copilot as location. Prevent sensitive data from being shared in AI apps: Create Data loss prevention (DLP) policy with sensitive information type as conditions for Teams and Channel messages location. Manage retention and deletion policies for AI interactions: Create a retention policy for Teams chat and Microsoft 365 Copilot interactions to preserve relevant AI activities for a longer duration while promptly deleting non-relevant user actions. Protect sensitive data referenced in Copilot responses Type: Assessment Solution: Data assessments Description: Use data assessments to identify potential oversharing risks, including unlabelled files. Action: Create Data Assessments, Navigate to DSPM for AI - Data Assessments and Create Assessments. Enter assessment name and description Select users and data sources to assets for oversharing data Conduct the assessment scan and review the results to gain insights into oversharing risks and recommended solutions to restrict access to sensitive data. Implement the necessary fixes to protect your data. Discover and govern interactions with ChatGPT Enterprise AI (preview) Type: ChatGPT Enterprise AI (Data discovery) Solution: Microsoft Purview Data Map Description: Register ChatGPT Enterprise workspace to discover and govern interactions with ChatGPT Enterprise AI. Action: If you’re organisation is using ChatGPT Enterprise, then enable the Connector In Microsoft Azure, use Key Vault to manage credentials for third-party connectors: Use Key Vault to create and manage the secret for the ChatGPT Enterprise AI Connector. In Microsoft Purview, configure the new connector using Data Map: How to manage data sources in the Microsoft Purview Data Map Create and start a new scan: Create a new scan, select credential, review, and run the scan. Protect sensitive data referenced in Microsoft 365 Copilot (preview) Type: Data Security Solution: Data loss prevention Description: Content with sensitivity labels will be restricted from Copilot interactions with a data loss prevention policy. Action: Create a custom DLP policy and select Microsoft 365 Copilot as the data source. Create a custom rule o Condition: content contains sensitivity labels. o Action: Prevent Copilot from processing content. Figure 3: Custom DLP policy condition and action Fortify your data security Type: Data security Solution: Data loss prevention Description: Data security risks can range from accidental oversharing of information outside of the organization to data theft with malicious intent. These policies will protect against the data security risks with AI apps. Action: A one-click policy is available to create a data loss prevention (DLP) policy for endpoints (devices), aimed at blocking the transmission of sensitive information to AI sites. It utilises Adaptive Protection to give a warn-with-override alert to users with elevated risk levels who attempt to paste or upload sensitive information to other AI assistants in browsers such as Edge, Chrome, and Firefox. This policy covers all users and groups in your org in test mode. Figure 4: Block with override for elevated risk users Information Protection Policy for Sensitivity Labels Type: Data security Solution: Sensitivity Labels Description: This policy will set up default sensitivity labels to preserve document access rights and protect Microsoft 365 Copilot output. Action: Create policies will navigate to Information protection portal to set up sensitivity labels and publishing policy. Protect your data from potential oversharing risks Type: Data Security Solution: Data Assessment Description: Data assessments provide insights on potential oversharing risks within your organisation for SharePoint Online and OneDrive for Business (roadmap) along with fixes to limit access to sensitive data. This report will include sharing links. Action: This is a default oversharing assessment policy. To see the latest oversharing scan results: Select View latest results and choose a data source. Complete fixes to secure your data. Figure 5: Data assessments – Oversharing assessment data with sharing links report Use Copilot to improve your data security posture (preview) Type: Data security posture management Solution: Data security posture management (DSPM) Description: Data Security Posture Management (preview) combines deep insights with Security Copilot capabilities to help you identify and address security risks in your org. Benefits: Data security recommendations Gain insights into your data security posture and get recommendations protecting sensitive data and closing security gaps. Data security trends Track your org's data security posture over time with reports summarizing sensitive label usage, DLP policy coverage, changes in risky user behaviour, and more. Security Copilot Security Copilot helps you investigate alerts, identify risk patterns, and pinpoint the top data security risks in your org.DLP - Data Loss Prevention policy for attachments on emails (.msg) saved in OneDrive for Business
Let's say an end user receives an outlook email that included a pdf file which also included sensitive info like a ssn or bank account number etc. Then that end user drags/drops the email w/ attachment into OneDrive for biz I know that we can set up a DLP on a specific end user's OneDrive for Business info Can anyone let me know for sure if the DLP will actually flag info saved in a pdf attachment which is embedded in the .msg file which also lives in OneDrive for Business????
Set Up Endpoint DLP Evidence Collection on your Azure Blob Storage
Endpoint Data Loss Prevention (Endpoint DLP) is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. Microsoft Endpoint DLP allows you to detect and protect sensitive content across onboarded Windows 10, Windows 11 and macOS devices. Learn more about all of Microsoft's DLP offerings. Before you start setting up the storage, you should review Get started with collecting files that match data loss prevention policies from devices | Microsoft Learn to understand the licensing, permissions, device onboarding and your requirements. Prerequisites Before you begin, ensure the following prerequisites are met: You have an active Azure subscription. You have the necessary permissions to create and configure resources in Azure. You have setup endpoint Data Loss Prevention policy on your devices Configure the Azure Blob Storage You can follow these steps to create an Azure Blob Storage using the Azure portal. For other methods refer to Create a storage account - Azure Storage | Microsoft Learn Sign in to the Azure Storage Accounts with your account credentials. Click on + Create On the Basics tab, provide the essential information for your storage account. After you complete the Basics tab, you can choose to further customize your new storage account, or you accept the default options and proceed. Learn more about azure storage account properties Once you have provided all the information click on the Networking tab. In network access, select Enable public access from all networks while creating the storage account. Click on Review + create to validate the settings. Once the validation passes, click on Create to create the storage Wait for deployment of the resource to be completed and then click on Go to resource. Once the newly created Blob Storage is opened, on the left panel click on Data Storage -> Containers Click on + Containers. Provide the name and other details and then click on Create Once your container is successfully created, click on it. Assign relevant permissions to the Azure Blob Storage Once the container is created, using Microsoft Entra authorization, you must configure two sets of permissions (role groups) on it: One for the administrators and investigators so they can view and manage evidence One for users who need to upload items to Azure from their devices Best practice is to enforce least privilege for all users, regardless of role. By enforcing least privilege, you ensure that user permissions are limited to only those permissions necessary for their role. We will use portal to create these custom roles. Learn more about custom roles in Azure RBAC Open the container and in the left panel click on Access Control (IAM) Click on the Roles tab. It will open a list of all available roles. Open context menu of Owner role using ellipsis button (…) and click on Clone. Now you can create a custom role. Click on Start from scratch. We have to create two new custom roles. Based on the role you are creating enter basic details like name and description and then click on JSON tab. JSON tab gives you the details of the custom role including the permissions added to that role. For owner role JSON looks like this: Now edit these permissions and replace them with permissions required based on the role: Investigator Role: Copy the permissions available at Permissions on Azure blob for administrators and investigators and paste it in the JSON section. User Role: Copy the permissions available at Permissions on Azure blob for usersand paste it in the JSON section. Once you have created these two new roles, we will assign these roles to relevant users. Click on Role Assignments tab, then on Add + and on Add role assignment. Search for the role and click on it. Then click on Members tab Click on + Select Members. Add the users or user groups you want to add for that role and click on Select Investigator role – Assign this role to users who are administrators and investigators so they can view and manage evidence User role – Assign this role to users who will be under the scope of the DLP policy and from whose devices items will be uploaded to the storage Once you have added the users click on Review+Assign to save the changes. Now we can add this storage to DLP policy. For more information on configuring the Azure Blob Storage access, refer to these articles: How to authorize access to blob data in the Azure portal Assign share-level permissions. Configure storage in your DLP policy Once you have configured the required permissions on the Azure Blob Storage, we will add the storage to DLP endpoint settings. Learn more about configuring DLP policy Open the storage you want to use. In left panel click on Data Storage -> Containers. Then select the container you want to add to DLP settings. Click on the Context Menu (… button) and then Container Properties. Copy the URL Open the Data Loss Prevention Settings. Click on Endpoint Settings and then on Setup evidence collection for file activities on devices. Select Customer Managed Storage option and then click on Add Storage Give the storage name and copy the container URL we copied. Then click on Save. Storage will be added to the list. Storage will be added to the list for use in the policy configuration. You can add up to 10 URLs Now open the DLP endpoint policy configuration for which you want to collect the evidence. Configure your policy using these settings: Make sure that Devices is selected in the location. In Incident reports, toggle Send an alert to admins when a rule match occurs to On. In Incident reports, select Collect original file as evidence for all selected file activities on Endpoint. Select the storage account you want to collect the evidence in for that rule using the dropdown menu. The dropdown menu shows the list of storages configured in the endpoint DLP settings. Select the activities for which you want to copy matched items to Azure storage Save the changes Please reach out to the support team if you face any issues. We hope this guide is helpful and we look forward to your feedback. Thank you, Microsoft Purview Data Loss Prevention TeamMicrosoft Purview: New data security controls for the browser & network
Protect your organization’s data with Microsoft Purview. Gain complete visibility into potential data leaks, from AI applications to unmanaged cloud services, and take immediate action to prevent unwanted data sharing. Microsoft Purview unifies data security controls across Microsoft 365 apps, the Edge browser, Windows and macOS endpoints, and even network communications over HTTPS — all in one place. Take control of your data security with automated risk insights, real-time policy enforcement, and seamless management across apps and devices. Strengthen compliance, block unauthorized transfers, and streamline policy creation to stay ahead of evolving threats. Roberto Yglesias, Microsoft Purview Principal GPM, goes beyond Data Loss Prevention Keep sensitive data secure no matter where it lives or travels. Microsoft Purview DLP unifies controls across Microsoft 365, browsers, endpoints, and networks. See how it works. Know your data risks. Data Security Posture Management (DSPM) in Microsoft Purview delivers a 360° view of sensitive data at risk, helping you proactively prevent data leaks and strengthen security. Get started. One-click policy management. Unify data protection across endpoints, browsers, and networks. See how to set up and scale data security with Microsoft Purview. Watch our video here. QUICK LINKS: 00:00 — Data Loss Prevention in Microsoft Purview 01:33 — Assess DLP Policies with DSPM 03:10 — DLP across apps and endpoints 04:13 — Unmanaged cloud apps in Edge browser 04:39 — Block file transfers across endpoints 05:27 — Network capabilities 06:41 — Updates for policy creation 08:58 — New options 09:36 — Wrap up Link References Get started at https://aka.ms/PurviewDLPUpdates Unfamiliar with Microsoft Mechanics? As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft. Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast Keep getting this insider knowledge, join us on social: Follow us on Twitter: https://twitter.com/MSFTMechanics Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/ Enjoy us on Instagram: https://www.instagram.com/msftmechanics/ Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics Video Transcript: -As more and more people use lesser known and untrusted shadow AI applications and file sharing services at work, the controls to proactively protect your sensitive data need to evolve too. And this is where Data Loss Prevention, or DLP, in Microsoft Purview unifies the controls to protect your data in one place. And if you haven’t looked at this solution in a while, the scope of protection has expanded to ensure that your sensitive data stays protected no matter where it goes or how it’s consumed with controls that extend beyond what you’ve seen across Microsoft 365. Now adding browser-level protections that apply to unmanaged and non-Microsoft cloud apps when sensitive information is shared. -For your managed endpoints, today file system operations are also protected on Windows and macOS. And now we are expanding detection to the network layer. Meaning that as sensitive information is shared into apps and gets transmitted over web protocols, as an admin, you have visibility over those activities putting your information at risk, so you can take appropriate action. Also, Microsoft Purview data classification and policy management engines share the same classification service. Meaning that you can define the sensitive information you care about once, and we will proactively detect it even before you create any policies, which helps you streamline creating policies to protect that information. -That said, as you look to evolve your protections, where do you even start? Well, to make it easier to prioritize your efforts, Data Security Posture Management, or DSPM, provides a 360 degree view of data potentially at risk and in need of protection, such as potential data exfiltration activities that could lead to data loss, along with unprotected sensitive assets across data sources. Here at the top of the screen, you can see recommendations. I’ll act on this one to detect sensitive data leaks to unmanaged apps using something new called a Collection Policy. More on how you can configure this policy a bit later. -With the policy activated, new insights will take up to a day to reflect on our dashboard, so we’ll fast forward in time a little, and now you can see a new content category at the top of the chart for sensitive content shared with unmanaged cloud apps. Then back to the top, you can see the tile on the right has another recommendation to prevent users from performing cumulative exfiltration activities. And when I click it, I can enable multiple policies for both Insider Risk Management and Data Loss Prevention, all in one click. So DSPM makes it easier to continually assess and expand the protection of your DLP policies. And there’s even a dedicated view of AI app-related risks with DSPM for AI, which provides visibility into how people in your organization are using AI apps and potentially putting your data at risk. -Next, let me show you DLP in action across different apps and endpoints, along with the new browser and network capabilities. I’ll demonstrate the user experience for managed devices and Microsoft 365 apps when the right controls are in place. Here I have a letter of intent detailing an upcoming business acquisition. Notice it isn’t labeled. I’ll open up Outlook, and I’ll search for and attach the file we just saw. Due to the sensitivity of the information detected in the document, it’s fired up a policy tip warning me that I’m out of compliance with my company policy. Undeterred, I’ll type a quick message and hit send. And my attempt to override the warning is blocked. -Next, I’ll try something else. I’ll go back to Word and copy the text into the body of my email, and you’ll see the same policy tip. And, again, I’m blocked when I still try to send that email. These protections also extend to Teams chat, Word, Excel, PowerPoint and more. Next, let me show you how protections even extend to unmanaged cloud apps running in the Edge browser. For example, if you want to use a generative AI website like you’re seeing here with DeepSeek, even if I manually type in content that matches my Data Loss Prevention policy, you’ll see that when I hit submit, our Microsoft Purview policy blocks the transmission of this content. This is different from endpoint DLP, which can protect file system operations like copy and paste. These Edge browser policies complement existing endpoint DLP protections in Windows and macOS. -For example, here I have the same file with sensitive information that we saw before. My company uses Microsoft Teams, but a few of our suppliers use Slack, so I’ll try to upload my sensitive doc into Slack, and we see a notification that my action is blocked. And since these protections are on the file and run in the file system itself, this would work for any app. That said, let’s try another operation by copying the sensitive document to my removable USB drive. And here I’m also blocked. So we’ve seen how DLP protections extend to Microsoft 365 apps, managed browsers, and file systems. -Additionally, new protections can extend to network communication protocols when sharing information with local apps running against web services over HTTPS. In fact, here I have a local install of the ChatGPT app running. As you see, this is not in a browser. In this case, if I unintentionally add sensitive information to my prompt, when it passes the information over the network to call the ChatGPT APIs, Purview will be able to detect it. Let’s take a look. If I move over to DSPM for AI in Microsoft Purview, as an admin, I have visibility into the latest activity related to AI interactions. If I select an activity which found sensitive data shared, it displays the user and app details, and I can even click into the interaction details to see exactly what was shared in the prompt as well as what specifically was detected as sensitive information on it. This will help me decide the actions we need to take. Additionally, the ability to block sharing over network protocols is coming later this year. -Now, let’s switch gears to the latest updates for policy creation. I showed earlier setting up the new collection policy in one click from DSPM. Let me show you how we would configure the policy in detail. In Microsoft Purview, you can set this up in Data Loss Prevention under Classifiers on the new Collection Policies page. These policies enable you to tailor the discovery of data and activities from the browser, network, and devices. You can see that I already have a few created here, and I’ll go ahead and create a new one right from here. -Next, for what data to detect, I can choose the right classifiers. I have the option to scope these down to include specific classifiers, or include all except for the ones that I want to exclude. I’ll just keep them all. For activities to detect, I can choose the activities I want. In this case, I’ll select text and files shared with a cloud or AI app. Now, I’ll hit add. And next I can choose where to collect the data from. This includes connected data sources, like devices, Copilot experiences, or Enterprise AI apps. The unmanaged cloud apps tab uses the Microsoft Defender for Cloud Apps catalog to help me target the applications I want in scope. -In this case, I’ll go ahead and select all the first six on this page. For each of these applications, I can scope which users this policy applies to as a group or separately. I’ll scope them all together for simplicity. Here I have the option to include or exclude users or groups from the policy. In this case, I’ll keep all selected and save it. Next, I have the option of choosing whether I want AI prompt and responses that are detected to be captured and preserved in Purview. This enabled the experience we saw earlier of viewing the full interaction. -Finally, in mode, you can turn the policy on. Or if you leave it off, this will save it so that you can enable it later. Once I have everything configured, I just need to review and create my policy, and that’s it. In addition, as you create DLP policies, you’ll notice new corresponding options. Let me show you the main one. For each policy, you’ll now be asked what type of data you want to protect. First is data stored in connected sources. This includes Microsoft 365 and endpoint policies, which you’re likely already using now. The new option is data in browser and network activity. This protects data in real-time as it’s being used in the browser or transmitted over the network. From there, configuring everything else in the policy should feel familiar with other policies you’ve already defined. -To learn more and get started with how you can extend your DLP protections, check out aka.ms/PurviewDLPUpdates. Keep checking back to Microsoft Mechanics for all the latest updates and thanks for watching.Purview Webinars
REGISTER FOR ALL WEBINARS HERE Upcoming Microsoft Purview Webinars JULY 15 (8:00 AM) Microsoft Purview | How to Improve Copilot Responses Using Microsoft Purview Data Lifecycle Management Join our non-technical webinar and hear the unique, real life case study of how a large global energy company successfully implemented Microsoft automated retention and deletion across the entire M365 landscape. You will learn how the company used Microsoft Purview Data Lifecyle Management to achieve a step up in information governance and retention management across a complex matrix organization. Paving the way for the safe introduction of Gen AI tools such as Microsoft Copilot. 2025 Past Recordings JUNE 10 Unlock the Power of Data Security Investigations with Microsoft Purview MAY 8 Data Security - Insider Threats: Are They Real? MAY 7 Data Security - What's New in DLP? MAY 6 What's New in MIP? APR 22 eDiscovery New User Experience and Retirement of Classic MAR 19 Unlocking the Power of Microsoft Purview for ChatGPT Enterprise MAR 18 Inheriting Sensitivity Labels from Shared Files to Teams Meetings MAR 12 Microsoft Purview AMA - Data Security, Compliance, and Governance JAN 8 Microsoft Purview AMA | Blog Post 📺 Subscribe to our Microsoft Security Community YouTube channel for ALL Microsoft Security webinar recordings, and more!Sharing Sensitive data on Sharepoint Online with approval from manager
Hi guys, I have an O365 E3 License for users. trying to create the following scenario. If a document containing Sensitive information is stored on Sharepoint online/ OneDrive for Business and the User tries to share the data outside the organization then automatically it should trigger an approval process to the respective sender's manager and if the manager approves, then the recipient should able to access the shared data.
