Secure and govern AI apps and agents with Microsoft Purview
The Microsoft Purview family is here to help you secure and govern data across third party IaaS and Saas, multi-platform data environment, while helping you meet compliance requirements you may be subject to. Purview brings simplicity with a comprehensive set of solutions built on a platform of shared capabilities, that helps keep your most important asset, data, safe. With the introduction of AI technology, Purview also expanded its data coverage to include discovering, protecting, and governing the interactions of AI apps and agents, such as Microsoft Copilots like Microsoft 365 Copilot and Security Copilot, Enterprise built AI apps like Chat GPT enterprise, and other consumer AI apps like DeepSeek, accessed through the browser. To help you view, investigate interactions with all those AI apps, and to create and manage policies to secure and govern them in one centralized place, we have launched Purview Data Security Posture Management (DSPM) for AI. You can learn more about DSPM for AI here with short video walkthroughs: Learn how Microsoft Purview Data Security Posture Management (DSPM) for AI provides data security and compliance protections for Copilots and other generative AI apps | Microsoft Learn Purview capabilities for AI apps and agents To understand our current set of capabilities within Purview to discover, protect, and govern various AI apps and agents, please refer to our Learn doc here: Microsoft Purview data security and compliance protections for Microsoft 365 Copilot and other generative AI apps | Microsoft Learn Here is a quick reference guide for the capabilities available today: Note that currently, DLP for Copilot and adhering to sensitivity label are currently designed to protect content in Microsoft 365. Thus, Security Copilot and Coplot in Fabric, along with Copilot studio custom agents that do not use Microsoft 365 as a content source, do not have these features available. Please see list of AI sites supported by Microsoft Purview DSPM for AI here Conclusion Microsoft Purview can help you discover, protect, and govern the prompts and responses from AI applications in Microsoft Copilot experiences, Enterprise AI apps, and other AI apps through its data security and data compliance solutions, while allowing you to view, investigate, and manage interactions in one centralized place in DSPM for AI. Follow up reading Check out the deployment guides for DSPM for AI How to deploy DSPM for AI - https://aka.ms/DSPMforAI/deploy How to use DSPM for AI data risk assessment to address oversharing - https://aka.ms/dspmforai/oversharing Address oversharing concerns with Microsoft 365 blueprint - aka.ms/Copilot/Oversharing Explore the Purview SDK Microsoft Purview SDK Public Preview | Microsoft Community Hub (blog) Microsoft Purview documentation - purview-sdk | Microsoft Learn Build secure and compliant AI applications with Microsoft Purview (video) References for DSPM for AI Microsoft Purview data security and compliance protections for Microsoft 365 Copilot and other generative AI apps | Microsoft Learn Considerations for deploying Microsoft Purview AI Hub and data security and compliance protections for Microsoft 365 Copilot and Microsoft Copilot | Microsoft Learn Block Users From Sharing Sensitive Information to Unmanaged AI Apps Via Edge on Managed Devices (preview) | Microsoft Learn as part of Scenario 7 of Create and deploy a data loss prevention policy | Microsoft Learn Commonly used properties in Copilot audit logs - Audit logs for Copilot and AI activities | Microsoft Learn Supported AI sites by Microsoft Purview for data security and compliance protections | Microsoft Learn Where Copilot usage data is stored and how you can audit it - Microsoft 365 Copilot data protection and auditing architecture | Microsoft Learn Downloadable whitepaper: Data Security for AI Adoption | Microsoft Explore the roadmap for DSPM for AI Public roadmap for DSPM for AI - Microsoft 365 Roadmap | Microsoft 365PMPurHelp! Sensitivity label applied to whole tenant mistakenly with Watermark
We create a sensitivity label to have a watermark to be applied on the files on where it assigned but accidentally or due to misconfiguration, the watermark applied to whole tenant and the files, need a solution to automatically removed these watermarks from the files wherever it is applied. Please assist, TIA... .Sharing: All Built-in SIT categorised
So, Microsoft Purview gives you 313 built-in Sensitive Information Types (SITs)—yes, I counted! When I worked with an Cyber Risk auditor, one of their ask was categorizing all the items that we decided for it to be deployed. This was a bit of a nightmare, so I took one for the team and grouped them into three neat categories: PII, Financial, and Medical. Now, I’m sharing it with you so that my struggle can save you the headache. You’re welcome! Download the excel spreadsheet here: All SIT list and their categories.xlsx
Ingesting Purview compliance DLP logs to Splunk
We are in the process of enabling Microsoft purview MIP DLP for a large-scale enterprise, and there is a requirement to push MIP DLP related alerts, incidents and data to Splunk SIEM. Could not find any specific documentation for the same. researched on this and found below solutions however not sure which could work to fit in our requirement: Splunk add on for Microsoft security is available: The Splunk Add-on for Microsoft Security is now available - Microsoft Community Hub but this does not talk about Purview DLP logs. This add-on is available for Splunk but only says MIP can be integrated however does not talk about DLP logs: Microsoft Graph Security API Add-On for Splunk | Splunkbase As per few articles we can also ingest Defender logs to Azure event hub then event hub can be connected to splunk. Above mentioned steps do not explain much about Ingestion of MIP DLP raw data or incidents. If anyone has done it in the past I will appreciate any input.Retirement notification for the Azure Information Protection mobile viewer and RMS Sharing App
Over a decade ago, we launched Azure Information Protection (AIP) mobile app for iOS and Android and Rights Management Service (RMS) Sharing app for Mac to fill an important niche in our non-Office file ecosystem to enable users to securely view protected filetypes like (P)PDF, RPMSG and PFILEs outside of Windows. These viewing applications are integrated with sensitivity labels from Microsoft Purview and encryption from the Rights Management Service to view protected non-Office files and enforce protection rights. Today, usage of these app is very low, especially for file types other than PDFs. Most PDF use cases have already shifted to native Office apps and modern Microsoft 365 experiences. As part of our ongoing modernization efforts, we’ve decided to retire these legacy apps. We are officially announcing the retirement of the AIP Mobile and RMS Sharing and starting the 12-month clock, after which it will reach retirement on May 30, 2026. All customers with Azure Information Protection P1 service plans will also receive a Message Center post with this announcement. In this blog post, we will cover what you need to know about the retirement, share key resources to support your transition, and explain how to get help if you have questions. Q. How do I view protected non-Office files on iOS and Android? Instead of one application for all non-Office file types, view these files in apps where you’d most commonly see them. For example, use the OneDrive app or the Microsoft 365 Copilot app to open protected PDFs. Here’s a summary of which applications support each file type: 1) PDF and PPDF: Open protected PDF files with Microsoft 365 Copilot, OneDrive or Edge. These applications have native support to view labels and enforce protection rights. Legacy PPDF files must be opened with the Microsoft Information Protection File Labeler on Windows and saved as PDF before they can be viewed. 2) PFILE: These files are no longer viewable on iOS and Android. PFILEs are file types supported for classification and protection and include file extensions like PTXT, PPNG, PJPG and PXML. To view these files, use the Microsoft Purview Information Protection Viewer on Windows. 3) RPMSG: These files are also no longer viewable on iOS and Android. To view these files, use Classic Outlook on Windows. Q. Where can I download the required apps for iOS, Android or Windows? These apps are available for download on the Apple App Store, Google Play Store, Microsoft Download Center or Microsoft Store. Microsoft 365 Copilot: Android / iOS Microsoft OneDrive: Android / iOS Microsoft Edge: AI browser: Android / iOS Microsoft Purview Information Protection Client: Windows Classic Outlook for Windows: Windows Q. Is there an alternative app to view non-Office files on Mac? Before May 30, 2026, we will release the Microsoft Purview Information Protection (MPIP) File Labeler and Viewer for Mac devices. This will make the protected non-Office file experience on Mac a lot better with the ability to not only view but modify labels too. Meanwhile, continue using the RMS Sharing App. Q. Is the Microsoft Purview Information Protection Client Viewer going away too? No. The Microsoft Purview Information Protection Client, previously known as the Azure Information Protection Client, continues to be supported on Windows and is not being retired. We are actively improving this client and plan to bring its viewing and labeling capabilities to Mac as well. Q. What happens if I already have RMS Sharing App or AIP Mobile on my device? You can continue using these apps to view protected files and download onto new devices until retirement on May 30, 2026. At that time, these apps will be removed from app stores and will no longer be supported. While existing versions may continue to function, they will not receive any further updates or security patches. Q. I need more help. Who can I reach out to? If you have additional questions, you have a few options: Reach out to your Microsoft account team. Reach out to Microsoft Support with specific questions. Reach out to Microsoft MVPs who specialize in Information Protection.How to deploy Microsoft Purview DSPM for AI to secure your AI apps
Microsoft Purview Data Security Posture Management (DSPM for AI) is designed to enhance data security for the following AI applications: Microsoft Copilot experiences, including Microsoft 365 Copilot. Enterprise AI apps, including ChatGPT enterprise integration. Other AI apps, including all other AI applications like ChatGPT consumer, Microsoft Copilot, DeepSeek, and Google Gemini, accessed through the browser. In this blog, we will dive into the different policies and reporting we have to discover, protect and govern these three types of AI applications. Prerequisites Please refer to the prerequisites for DSPM for AI in the Microsoft Learn Docs. Login to the Purview portal To begin, start by logging into Microsoft 365 Purview portal with your admin credentials: In the Microsoft Purview portal, go to the Home page. Find DSPM for AI under solutions. 1. Securing Microsoft 365 Copilot Be sure to check out our blog on How to use the DSPM for AI data assessment report to help you address oversharing concerns when you deploy Microsoft 365 Copilot. Discover potential data security risks in Microsoft 365 Copilot interactions In the Overview tab of DSPM for AI, start with the tasks in “Get Started” and Activate Purview Audit if you have not yet activated it in your tenant to get insights into user interactions with Microsoft Copilot experiences In the Recommendations tab, review the recommendations that are under “Not Started”. Create the following data discovery policy to discover sensitive information in AI interactions by clicking into it. Detect risky interactions in AI apps - This public preview Purview Insider Risk Management policy helps calculate user risk by detecting risky prompts and responses in Microsoft 365 Copilot experiences. Click here to learn more about Risky AI usage policy. With the policies to discover sensitive information in Microsoft Copilot experiences in place, head back to the Reports tab of DSPM for AI to discover any AI interactions that may be risky, with the option to filter to Microsoft Copilot Experiences, and review the following for Microsoft Copilot experiences: Total interactions over time (Microsoft Copilot) Sensitive interactions per AI app Top unethical AI interactions Top sensitivity labels references in Microsoft 365 Copilot Insider Risk severity Insider risk severity per AI app Potential risky AI usage Protect sensitive data in Microsoft 365 Copilot interactions From the Reports tab, click on “View details” for each of the report graphs to view detailed activities in the Activity Explorer. Using available filters, filter the results to view activities from Microsoft Copilot experiences based on different Activity type, AI app category and App type, Scope, which support administrative units for DSPM for AI, and more. Then drill down to each activity to view details including the capability to view prompts and response with the right permissions. To protect the sensitive data in interactions for Microsoft 365 Copilot, review the Not Started policies in the Recommendations tab and create these policies: Information Protection Policy for Sensitivity Labels - This option creates default sensitivity labels and sensitivity label policies. If you've already configured sensitivity labels and their policies, this configuration is skipped. Protect sensitive data referenced in Microsoft 365 Copilot - This guides you through the process of creating a Purview Data Loss Prevention (DLP) policy to restrict the processing of content with specific sensitivity labels in Copilot interactions. Click here to learn more about Data Loss Prevention for Microsoft 365 Copilot. Protect sensitive data referenced in Copilot responses - Sensitivity labels help protect files by controlling user access to data. Microsoft 365 Copilot honors sensitivity labels on files and only shows users files they already have access to in prompts and responses. Use Data assessments to identify potential oversharing risks, including unlabeled files. Stay tuned for an upcoming blog post on using DSPM for AI data assessments! Use Copilot to improve your data security posture - Data Security Posture Management combines deep insights with Security Copilot capabilities to help you identify and address security risks in your org. Once you have created policies from the Recommendations tab, you can go to the Policies tab to review and manage all the policies you have created across your organization to discover and safeguard AI activity in one centralized place, as well as edit the policies or investigate alerts associated with those policies in solution. Note that additional policies not from the Recommendations tab will also appear in the Policies tab when DSPM for AI identifies them as policies to Secure and govern all AI apps. Govern the prompts and responses in Microsoft 365 Copilot interactions Understand and comply with AI regulations by selecting “Guided assistance to AI regulations” in the Recommendations tab and walking through the “Actions to take”. From the Recommendations tab, create a Control unethical behavior in AI Purview Communications Compliance policy to detect sensitive information in prompts and responses and address potentially unethical behavior in Microsoft Copilot experiences and ChatGPT for Enterprise. This policy covers all users and groups in your organization. To retain and/or delete Microsoft 365 Copilot prompts and responses, setup a Data Lifecycle policy by navigating to Microsoft Purview Data Lifecycle Management and find Retention Policies under the Policies header. You can also preserve, collect, analyze, review, and export Microsoft 365 Copilot interactions by creating an eDiscovery case. 2. Securing Enterprise AI apps Please refer to this amazing blog on Unlocking the Power of Microsoft Purview for ChatGPT Enterprise | Microsoft Community Hub for detailed information on how to integrate with ChatGPT for enterprise, the Purview solutions it currently supports through Purview Communication Compliance, Insider Risk Management, eDiscovery, and Data Lifecycle Management. Learn more about the feature also through our public documentation. 3. Securing other AI Microsoft Purview DSPM for AI currently supports the following list of AI sites. Be sure to also check out our blog on the new Microsoft Purview data security controls for the browser & network to secure other AI apps. Discover potential data security risks in prompts sent to other AI apps In the Overview tab of DSPM for AI, go through these three steps in “Get Started” to discover potential data security risk in other AI interactions: Install Microsoft Purview browser extension For Windows users: The Purview extension is not necessary for the enforcement of data loss prevention on the Edge browser but required for Chrome to detect sensitive info pasted or uploaded to AI sites. The extension is also required to detect browsing to other AI sites through an Insider Risk Management policy for both Edge and Chrome browser. Therefore, Purview browser extension is required for both Edge and Chrome in Windows. For MacOS users: The Purview extension is not necessary for the enforcement of data loss prevention on macOS devices, and currently, browsing to other AI sites through Purview Insider Risk Management is not supported on MacOS, therefore, no Purview browser extension is required for MacOS. Extend your insights for data discovery – this one-click collection policy will setup three separate Purview detection policies for other AI apps: Detect sensitive info shared in AI prompts in Edge – a Purview collection policy that detects prompts sent to ChatGPT consumer, Micrsoft Copilot, DeepSeek, and Google Gemini in Microsoft Edge and discovers sensitive information shared in prompt contents. This policy covers all users and groups in your organization in audit mode only. Detect when users visit AI sites – a Purview Insider Risk Management policy that detects when users use a browser to visit AI sites. Detect sensitive info pasted or uploaded to AI sites – a Purview Endpoint Data loss prevention (eDLP) policy that discovers sensitive content pasted or uploaded in Microsoft Edge, Chrome, and Firefox to AI sites. This policy covers all users and groups in your org in audit mode only. With the policies to discover sensitive information in other AI apps in place, head back to the Reports tab of DSPM for AI to discover any AI interactions that may be risky, with the option to filter by Other AI Apps, and review the following for other AI apps: Total interactions over time (other AI apps) Total visits (other AI apps) Sensitive interactions per AI app Insider Risk severity Insider risk severity per AI app Protect sensitive info shared with other AI apps From the Reports tab, click on “View details” for each of the report graphs to view detailed activities in the Activity Explorer. Using available filters, filter the results to view activities based on different Activity type, AI app category and App type, Scope, which support administrative units for DSPM for AI, and more. To protect the sensitive data in interactions for other AI apps, review the Not Started policies in the Recommendations tab and create these policies: Fortify your data security – This will create three policies to manage your data security risks with other AI apps: 1) Block elevated risk users from pasting or uploading sensitive info on AI sites – this will create a Microsoft Purview endpoint data loss prevention (eDLP) policy that uses adaptive protection to give a warn-with-override to elevated risk users attempting to paste or upload sensitive information to other AI apps in Edge, Chrome, and Firefox. This policy covers all users and groups in your org in test mode. Learn more about adaptive protection in Data loss prevention. 2) Block elevated risk users from submitting prompts to AI apps in Microsoft Edge – this will create a Microsoft Purview browser data loss prevention (DLP) policy, and using adaptive protection, this policy will block elevated, moderate, and minor risk users attempting to put information in other AI apps using Microsoft Edge. This integration is built-in to Microsoft Edge. Learn more about adaptive protection in Data loss prevention. 3) Block sensitive info from being sent to AI apps in Microsoft Edge - this will create a Microsoft Purview browser data loss prevention (DLP) policy to detect inline for a selection of common sensitive information types and blocks prompts being sent to AI apps while using Microsoft Edge. This integration is built-in to Microsoft Edge. Once you have created policies from the Recommendations tab, you can go to the Policies tab to review and manage all the policies you have created across your organization to discover and safeguard AI activity in one centralized place, as well as edit the policies or investigate alerts associated with those policies in solution. Note that additional policies not from the Recommendations tab will also appear in the Policies tab when DSPM for AI identifies them as policies to Secure and govern all AI apps. Conclusion Microsoft Purview DSPM for AI can help you discover, protect, and govern the interactions from AI applications in Microsoft Copilot experiences, Enterprise AI apps, and other AI apps. We recommend you review the Reports in DSPM for AI routinely to discover any new interactions that may be of concern, and to create policies to secure and govern those interactions as necessary. We also recommend you utilize the Activity Explorer in DSPM for AI to review different Activity explorer events while users interacting with AI, including the capability to view prompts and response with the right permissions. We will continue to update this blog with new features that become available in DSPM for AI, so be sure to bookmark this page! Follow-up Reading Check out this blog on the details of each recommended policies in DSPM for AI: Microsoft Purview – Data Security Posture Management (DSPM) for AI | Microsoft Community Hub Address oversharing concerns with Microsoft 365 blueprint - aka.ms/Copilot/Oversharing Microsoft Purview data security and compliance protections for Microsoft 365 Copilot and other generative AI apps | Microsoft Learn Considerations for deploying Microsoft Purview AI Hub and data security and compliance protections for Microsoft 365 Copilot and Microsoft Copilot | Microsoft Learn Commonly used properties in Copilot audit logs - Audit logs for Copilot and AI activities | Microsoft Learn Supported AI sites by Microsoft Purview for data security and compliance protections | Microsoft Learn Where Copilot usage data is stored and how you can audit it - Microsoft 365 Copilot data protection and auditing architecture | Microsoft Learn Downloadable whitepaper: Data Security for AI Adoption | Microsoft Public roadmap for DSPM for AI - Microsoft 365 Roadmap | Microsoft 365Rethinking Data Security and Governance in the Era of AI
The era of AI is reshaping industries, enabling unprecedented innovations, and presenting new opportunities for organizations worldwide. But as organizations accelerate AI adoption, many are focused on a growing concern: their current data security and governance practices are not effectively built for the fast-paced AI innovation and ever-evolving regulatory landscape. At Microsoft, we recognize the critical need for an integrated approach to address these risks. In our latest findings, Top 3 Challenges in Securing and Governing Data for the Era of AI, we uncovered critical gaps in how organizations manage data risk. The findings exemplify the current challenges: 91% of leaders are not prepared to manage risks posed by AI 1 and 85% feel unprepared to comply with AI regulations 2 . These gaps not only increase non-compliance but also put innovation at risk. Microsoft Purview has the tools to tackle these challenges head on, helping organizations move to an approach that protects data, meets compliance regulations, and enables trusted AI transformation. We invite you to take this opportunity to evaluate your current practices, platforms, and responsibilities, and to understand how to best secure and govern your organization for growing data risks in the era of AI. Platform fragmentation continues to weaken security outcomes Organizations often rely on fragmented tools across security, compliance, and data teams, leading to a lack of unified visibility and insufficient data hygiene. Our findings reveal the effects of fragmented platforms, leading to duplicated data, inconsistent classification, redundant alerts, and siloed investigations, which ultimately is causing data exposure incidents related to AI to be on the rise 3 . Microsoft Purview offers centralized visibility across your organization’s data estate. This allows teams to break down silos, streamline workflows, and mitigate data leakage and oversharing. With Microsoft Purview, capabilities like data health management and data security posture management are designed to enhance collaboration and deliver enriched insights across your organization to help further protect your data and mitigate risks faster. Microsoft Purview offers the following: Unified insights across your data estate, breaking down silos between security, compliance, and data teams. Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations gain unified visibility into GenAI usage across users, data, and apps to address the heightened risk of sensitive data exposure from AI. Built-in capabilities like classification, labeling, data loss prevention, and insider risk insights in one platform. In addition, newly launched solutions like Microsoft Purview Data Security Investigations accelerate investigations with AI-powered deep content analysis, which helps data security teams quickly identify and mitigate sensitive data and security risks within impacted data. Organizations like Kern County historically relied on many fragmented systems but adopted Microsoft Purview to unify their organization’s approach to data protection in preparation for increasing risks associated with deploying GenAI. “We have reduced risk exposure, [Microsoft] Purview helped us go from reaction to readiness. We are catching issues proactively instead of retroactively scrambling to contain them.” – Aaron Nance, Deputy Chief Information Security Officer, Kern County Evolving regulations require continuous compliance AI-driven innovation is creating a surge in regulations, resulting in over 200 daily updates across more than 900 regulatory agencies 4 , as highlighted in our research. Compliance has become increasingly difficult, with organizations struggling to avoid fines and comply with varying requirements across regions. To navigate these challenges effectively, security leaders’ responsibilities are expanding to include oversight across governance and compliance, including oversight of traditional data catalog and governance solutions led by the central data office. Leaders also cite the need for regulation and audit readiness. Microsoft Purview enables compliance and governance by: Streamlining compliance with Microsoft Purview Compliance Manager templates, step-by-step guidance, and insights for region and industry-specific regulations, including GDPR, HIPAA, and AI-specific regulation like the EU AI Act. Supporting legal matters such as forensic and internal investigations with audit trail records in Microsoft Purview eDiscovery and Audit. Activating and governing data for trustworthy analytics and AI with Microsoft Purview Unified Catalog, which enables visibility across your data estate and data confidence via data quality, data lineage, and curation capabilities for federated governance. Microsoft Purview’s suite of capabilities provides visibility and accountability, enabling security leaders to meet stringent compliance demands while advancing AI initiatives with confidence. Organizations need a unified approach to secure and govern data Organizations are calling for an integrated platform to address data security, governance, and compliance collectively. Our research shows that 95% of leaders agree that unifying teams and tools is a top priority 5 and 90% plan to adopt a unified solution to mitigate data related risks and maximize impact 6 . Integration isn't just about convenience, it’s about enabling innovation with trusted data protection. Microsoft Purview enables a shared responsibility model, allowing individual business units to own their data while giving central teams oversight and policy control. As organizations adopt a unified platform approach, our findings reveal the upside potential not only being reduced risk but also cost savings. With AI-powered copilots such as Security Copilot in Microsoft Purview, data protection tasks are simplified with natural-language guidance, especially for under resourced teams. Accelerating AI transformation with Microsoft Purview Microsoft Purview helps security, compliance, and governance teams navigate the complexities of AI innovation while implementing effective data protection and governance strategies. Microsoft partner EY highlights the results they are seeing: “We are seeing 25%–30% time savings when we build secure features using [Microsoft] Purview SDK. What was once fragmented is now centralized. With [Microsoft] Purview, everything comes together on one platform, giving a unified foundation to innovate and move forward with confidence.” – Prashant Garg, Partner of Data and AI, EY We invite you to explore how you can propel your organization toward a more secure future by reading the full research paper at https://aka.ms/SecureAndGovernPaper. Visit our website to learn more about Microsoft Purview. 1 Forbes, Only 9% Of Surveyed Companies Are Ready To Manage Risks Posed By AI, 2023 2 SAP LeanIX, AI Survey Results, 2024 3 Microsoft, Data Security Index Report, 2024 4 Forbes, Cost of Compliance, Thomson Reuters, 2021 5 Microsoft, Audience Research, 2024 6 Microsoft, Customer Requirements Research, 2024Protecting sensitive information in the era of AI with Microsoft Purview Information Protection
As organizations embrace AI to drive innovation and productivity, the amount of data being created, stored, and accessed is growing faster than ever. But with that growth comes new security challenges. Sensitive data can land in unexpected places, buried in old SharePoint sites or tucked away in OneDrive folders, and if it’s not properly labeled or protected, it can be accidentally exposed by AI tools or human error. To help address this risk, Microsoft Purview Information Protection continues to develop, making it easier to discover, classify, and protect sensitive information across Microsoft 365 and beyond. What’s new: On-demand classification for SharePoint and OneDrive We’re introducing on-demand classification for SharePoint and OneDrive, now in public preview. This new capability lets admins initiate targeted scans of data at rest, meaning content that already exists in the cloud but hasn’t been modified or accessed recently, to apply the latest classifiers and sensitivity labels. This expands your ability to protect sensitive information by enabling security teams to proactively classify and label existing files at rest—without waiting for user activity to trigger protection—and with full control over what data to scan and when. Admins can prioritize specific SharePoint sites, OneDrive accounts, or files sets based on risk, business needs, or newly introduced classifiers. When combined with Information Protection’s continuous classification, which automatically reclassifies files whenever they’re created, accessed, or modified, this two-pronged approach helps organizations keep content more closely aligned with the latest security policies: Continuous classification keeps active files up to date by automatically re-evaluating them when they’re created, accessed, or edited On-demand classification brings older or inactive files into scope by allowing admins to scan stored data at rest on their own schedule With on-demand classification, organizations can: Extend protection to previously unclassified or inactive files, increasing overall coverage Strengthen data protection across your environment without relying on end-user actions Reduce the risk of AI tools surfacing unlabeled or unprotected information and do it all natively, without exporting your data or relying on fragmented tools Why it matters: Expanding coverage and reducing AI oversharing risks Unlabeled sensitive data is high-risk data. AI tools like Copilot can surface content without understanding whether it should be shared. If a file hasn’t been classified, meaning it hasn’t been evaluated against current classifiers, it won’t be labeled or protected. That increases the risk of accidental exposure. That’s where on-demand classification and Data Security Posture Management (DSPM) for AI work together to reduce that risk: DSPM identifies oversharing risks, such as files that contain sensitive information but lack sensitivity labels Admins can initiate an on-demand scan directly from DSPM to classify data at rest—content that’s been sitting untouched but still poses risk Scans are fully configurable. You choose the scope (sites, users), filters (e.g., last modified time), and which classifiers to apply. Once classified, labeled files are automatically protected through policies like Data Loss Prevention (DLP) and Insider Risk Management (IRM) and other policy-based controls Example: A financial services team has archived quarterly reports in a SharePoint folder. DSPM detects that these files haven’t been labeled, even though they may contain sensitive financial data. An admin initiates an on-demand classification scan scoped to just that site, using updated financial classifiers. Once classified, the appropriate sensitivity labels and relevant policies are applied. This ensures sensitive data stays protected, even if it hasn’t been touched in years. With on-demand classification, admins aren’t limited to real-time triggers. They get flexible, precise tools to catch what’s been missed and close potential security gaps on their terms. Built-in integration with other Microsoft Purview solutions The results of classification integrate with other Microsoft Purview solutions. For example, a DLP policy for financial information can automatically detect and block the sharing of a classified document containing sensitive financial data, mitigating risks of accidental leaks. This expansion ensures that the benefits of classification, and the related security policies, are applicable to all data, strengthening overall data security posture. Flexible, cost-efficient protection On-demand classification is offered with a pay-as-you-go pricing model , allowing organizations to scale their data protection efforts according to their needs. Before running a classification scan, admins can estimate the cost to fit their goals and budget. By providing greater control over data security, on-demand classification helps organizations proactively manage risk, maintain compliance, and strengthen their overall security posture. Learn more about on-demand classification here. Figure 1: On-demand classification scan results Automate data security at scale Organizations managing large-scale data in Azure Storage face challenges in consistently enforcing security and compliance policies across their data estate. To address this, Microsoft Purview protection policies for Azure SQL, Data Lake, and Blob Storage are now in public preview, enabling administrators to define and automatically apply protection policies based on sensitivity label of assets. This helps ensure consistent enforcement of access controls, sensitivity labeling, and data classification at scale. Learn more in this blog. Figure 2: Information Protection policies for Azure SQL, Data Lake, and Blob Storage Notable optical character recognition (OCR) enhancements Optical character recognition (OCR) enables Microsoft Purview to scan images for sensitive information. Examples include screenshots of sensitive documents, scanned forms, and pictures of proprietary data like personal IDs or credit cards. We are happy to share that, in addition to the ability to scan standalone images in EXO, which is generally available, support for embedded images is now available in EXO in public preview. This enhancement now allows for the detection of sensitive information within images embedded in attachments or documents in emails, including screenshots of confidential documents, scanned forms, and photos containing proprietary data shared in Office or archive files in EXO. This provides administrators with greater visibility into sensitive information that may be hidden within embedded images in emails and attachments, ensuring that all data is properly classified and protected. Along with that, the OCR cost estimator for MacOS is now generally available. OCR cost estimator helps organizations predict and manage costs by providing a clear estimate of images by location for Exchange, Teams, SharePoint, OneDrive, and endpoints. Customers can try the OCR cost estimator for free for 30 days. Once you select “Try for free,” you will have 30 days to run estimates through the OCR cost estimator and configure settings based on the needs and budget of your organization. It can be run without setting up an Azure subscription, making it accessible to all organizations. Figure 3: Cost estimation report for OCR by location Strengthening document protection with dynamic watermarking We announced dynamic watermarking in Word, Excel, and PowerPoint last year and we’re happy to share that it’s now generally available. This capability is designed to deter users from leaking sensitive information and to attribute leaks if they do occur. When an admin enables the dynamic watermarking setting for a protected sensitivity label, files with that sensitivity label will render with dynamic watermarks when opened in Word, Excel, and PowerPoint. These dynamic watermarks contain the User Principal Name (UPN), usually email address, associated with the account being used to open the file, allowing for leaks to be tracked back to specific users. Learn more about dynamic watermarking, how it works, and how to configure it within a sensitivity label in our documentation. Figure 4: Word file with dynamic watermarks Enhanced audit logs for auto-labeling in SharePoint Auto-labeling in Microsoft Purview Information Protection automatically labels an organization’s most sensitive content to reduce the need for manual user labeling. It can label data at rest across SharePoint and OneDrive up to 100k files per day. Ensuring consistent and accurate labeling of sensitive information can be challenging without clear insights into the labeling process. To address this issue, starting this month, we will provide more detailed information on why a file is labeled, including policy and rule match information on SharePoint. This enhancement will enable SharePoint to send back information on the policy and rule matches that triggered the auto-labeling of files. This added transparency simplifies the task for administrators, enabling them to review and refine their labeling policies more effectively. As a result, sensitive information will be more consistently and accurately labeled in accordance with organizational standards. Get started You can try Microsoft Purview Information Protection and other Microsoft Purview solutions directly within the Microsoft Purview portal with a free trial. * Interactive guide: aka.ms/InfoProtectionInteractiveGuide Mechanics video on how to automatically classify and protect documents and data Mechanics video on AI-powered data classification And, lastly, join the Microsoft Purview Information Protection Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Information Protection. An active NDA is required. Click here to join. Licensing details On-demand classification An E5, E5 Compliance, or E5 Information Protection and Governance license is required. Pricing is based on the number of files, at $20 per 10,000 assets scanned. More pricing information will be available soon. OCR embedded in EXO An Azure subscription and M365 E3 or E5 license are required. Pricing is based on the number of images scanned, at $1.00 per 1,000 images scanned. Each scanned image is counted as a single transaction. For more details, see here. OCR cost estimator for macOS The cost estimator is available at no cost for 30 days. After this period, generating new estimates will be disabled. However, the insights gained during the 30 days should provide enough data to understand usage patterns and estimate potential monthly costs. Learn more about cost estimator here. Dynamic watermarking Included in E5, E5 Compliance, and E5 Information Protection and Governance licenses. Auto-labeling audit enrichments Included in E5, E5 Compliance, and E5 Information Protection and Governance licenses. * Pay-as-you-go capabilities are not available in the free trial. Cost of a Data Breach Report 2024 | IBM
