information protection and governance
Building layered protection: New Microsoft Purview data security controls for the browser & network
Microsoft is committed to helping our customers protect their data wherever it lives or travels, even as the modern data estate grows more complex. Over the years, we have taken a seamless approach of building protections directly where data is stored, used, or moves, so customers can get up and running easily without compromising on coverage. Our journey started with native integration of Purview data security controls into Microsoft 365 apps and services. This built-in design lets us secure data where most of your organization's productivity takes place, without added latency or onboarding. The same principle has continued with built-in controls for Teams, Power BI, Fabric, and Microsoft 365 Copilot. We have also extended protections to Windows and macOS endpoint devices using an agentless model that delivers visibility and control without deployment headaches or a heavy on-premises footprint.

However, the nature of modern work is continuously evolving: generative AI tools are increasingly ubiquitous in the digital workplace, and information workers are spending more time working in the browser than ever before [1]. As such, we are once again evolving our solutions for the AI era by extending Purview data security capabilities to the network layer and to Microsoft Edge for Business. These capabilities include:

- Inline discovery of sensitive data across the network through secure access service edge (SASE) integration
- Inline discovery and protection of sensitive data in Edge for Business
- Data security controls for unmanaged Windows and macOS devices using Edge for Business

When combined with existing Purview protections across cloud, email, and endpoints, the new browser and network controls let teams build a layered data protection strategy that scales with the pace and complexity of today's data ecosystems.
Introducing inline data discovery for the network

Historically, Microsoft Purview has been able to allow or block the use of sensitive data within specified applications through its cloud and endpoint data loss prevention (DLP) solutions. As users interact with a wider variety of cloud-connected apps and services throughout the day, such as unmanaged SaaS apps, personal cloud storage services, and consumer GenAI apps, organizations need greater oversight of sensitive data that is being sent outside the trusted boundaries of the organization.

Today, we are excited to share that Microsoft Purview is opening its data classification and data loss prevention policies to an ecosystem of secure access service edge (SASE) solutions. Integrating Purview with your SASE technology of choice lets you secure sensitive data at the network layer using the same tools and workflows you rely on every day. It also extends Purview inspection, classification, and policy verdicts to data in unmanaged, third-party locations, at the speed and scale of the cloud. Users won't have their pace and productivity disrupted while policies await decisions from on-premises classification systems, and admins can intercept sensitive data before it is leaked to risky destinations.

Alongside us for the start of this journey are Netskope, a Leader in the Gartner Magic Quadrant for SSE and SASE; iboss, a Leader in the IDC ZTNA MarketScape; and Palo Alto Networks, a Leader in the Gartner Magic Quadrant for SSE and SASE. Inline discovery of sensitive data will be available in public preview in early May through the Netskope One SSE and iboss Zero Trust SASE integrations. The integration with Palo Alto Networks Prisma Access for inline discovery will be available later this year. The list of supported SASE partners will continue to expand in the coming months.
Through these joint solutions, we can help our customers see greater value from bringing together best-of-breed data security and network visibility.

"As insider threats rise and adversaries leverage AI, large enterprises are strengthening their security strategies by integrating insights from diverse tools. Netskope's seamless integration with Microsoft Purview tackles these evolving challenges head-on, enhancing data protection and ensuring classified information remains secure." – Siva VRS, Vice President & Global Business Unit Head, Cyber Security Practices, Wipro

Securing risky data interactions through SASE integration

Through the upcoming Netskope and iboss integrations, your SASE solution will provide visibility into network traffic originating from managed devices to potentially untrusted locations. These interactions can be initiated from desktop applications such as the ChatGPT desktop app, cloud file sync apps like Box, and non-Microsoft browsers such as Opera or Brave. Examples of common but potentially risky interactions include:

- Intentional or inadvertent exfiltration of sensitive company data to a personal or third-party instance of an application. For example, an employee is working with a partner outside their organization on an upcoming project via the Slack desktop application. If the employee sends sensitive data to that third-party Slack channel, such as customer account numbers or contact information, the event is captured in Purview Data Security Posture Management (DSPM) and Activity Explorer, and the admin can dive deeper into the sensitive data that was exfiltrated and its destination.
- Use of unsanctioned generative AI applications or plugins. For example, some employees in your organization may have installed an unsanctioned GPT plugin for Microsoft Word. If they prompt the plugin to summarize the contents of a Confidential merger and acquisition document that is open, that prompt is also captured in Purview DSPM for AI. Learn more about inline discovery of sensitive data in GenAI applications in this blog.

Detection and discovery of these events give data security admins insight into how sensitive data is leaving trusted locations through the network, even before any policies are created. From Purview DSPM, admins can see how the sensitive data detected in network activity contributes to organizational risk, such as the top applications to which users send sensitive data and the types of data that are most frequently exfiltrated. DSPM also provides proactive policy recommendations for controls that can address this risk. Additionally, admins can use Activity Explorer to drill down into specific egress points and destinations of sensitive data to better inform their protection strategy.

Visibility of sensitive data in motion not only shows admins how to improve their data loss prevention strategy, but also broadens their view of activities that could indicate risky behavior by users. In the coming months, these new network signals will unlock a new category of policy indicators in Purview Insider Risk Management. Indicators for user activities such as file uploads or AI prompt submissions detected through the network will help Insider Risk Management build richer, more comprehensive profiles of user risk. In turn, these signals will better contextualize future data interactions and enrich policy verdicts.

Introducing inline data protection in Edge for Business

Every day, your employees interact with data across a variety of web applications and services. Chances are, some of this data is sensitive or proprietary to the organization. For that reason, it is increasingly critical to have visibility and control over how employees interact with sensitive data within the browser. Today, we are excited to announce two new capabilities that represent significant strides in our growing set of native data security controls for Edge for Business, the secure enterprise browser optimized for AI: inline data protection and data security controls for unmanaged devices.

With the new inline protection capability for Edge for Business, available in public preview in the coming weeks, you can prevent data leakage across the various ways users interact with sensitive data in the browser, including typing text directly into a web application or generative AI prompt. Inline protection is built natively into Edge for Business, so it can be enabled even without endpoint DLP deployed, and it complements existing endpoint DLP protections for uploading or pasting sensitive content into the browser. Because the control lives in the browser, it applies only to Edge for Business sessions; visibility into traffic from other browsers on managed devices comes from the SASE integrations described above. Starting with some of the top consumer GenAI apps (ChatGPT, Google Gemini, and DeepSeek), admins will be able to block typed prompts containing sensitive data. This list will expand to support a broad range of unmanaged apps, including additional GenAI, email, collaboration, and social media apps. For example, a Purview DLP policy can block a user from submitting a prompt containing sensitive M&A details to Google Gemini for summarization.

Inline protection can also use Adaptive Protection policy conditions for activities in GenAI apps. This lets data security admins tailor the level of enforcement to the risk level of the user interacting with the data, minimizing disruption to day-to-day AI usage. For example, admins can block low-risk users only from submitting prompts containing the organization's highest-sensitivity classifiers, such as M&A data or intellectual property, while blocking prompts containing any sensitive information type (SIT) for an elevated-risk user. To bring this full circle, risky prompts sent to GenAI apps, or responses containing sensitive information, can also raise a user's risk level through risky AI usage detections in Insider Risk Management. This helps organizations understand and adapt to how insiders are interacting with data in AI apps.

As with inline data discovery for the network, visibility into sensitive data use in Edge for Business will now surface in Purview DSPM, even if no protection policy has been deployed yet. If DSPM observes high data exfiltration risk originating from Edge for Business, it will proactively recommend a set of data security policies to mitigate that risk, such as blocking typed sensitive data and sensitive files from being sent to consumer AI apps.

Purview data security controls for unmanaged devices

In addition to the new inline protection capability, Purview data security controls now extend to Edge for Business on unmanaged Windows or macOS devices. These data loss prevention policies, rolling out in public preview in the coming weeks, allow organizations to prevent or allow access to data in organizational apps based on the sensitivity of the data, as long as the end user is signed in to their Edge for Business profile. This is particularly relevant for organizations with a significant contractor or frontline workforce, or that allow bring-your-own-device (BYOD). Like inline protection, these controls are built natively into Edge for Business and can be activated even without endpoint DLP deployed.

For example, your organization may allow a contractor to use a personal macOS device to access corporate resources. By opening Edge for Business and signing in with their Entra ID account, the contractor's browser session becomes subject to Purview data security policies. If the contractor navigates to a managed app such as Workday or a proprietary line-of-business app, you can apply context-aware data protections, such as allowing download of a benefits brochure that contains no sensitive information while preventing download of employee or patient records that do. This context-aware policy helps organizations balance adequate data security controls with end user productivity. Note that enforcement hinges on the signed-in Edge for Business profile; sessions in other browsers or profiles on the same device fall outside these controls. To learn more about security capabilities built into Edge for Business, the secure enterprise browser, visit the blog.

Licensing details

- Inline data discovery via third-party network integrations: Your global admin will be able to enable this capability by activating Purview pay-as-you-go meters. Pricing will be based on the number of requests captured through network traffic within the scope of a policy. Additional pricing details will be available with the public preview rollout in early May.
- Inline discovery and protection in Edge for Business: Included in E5, E5 Compliance, and E5 Information Protection & Governance up to a certain number of requests. (Note: Inline protection for Edge for Business is included in E5 today. Microsoft will monitor the telemetry and reserves the right to declare a threshold up to which this usage is absorbed in an E5 license, and to charge additionally for usage beyond that threshold.)
- Data security controls for unmanaged devices accessing Edge for Business: Included in E5, E5 Compliance, and E5 Information Protection & Governance.

Get started

You can try Microsoft Purview data security solutions directly in the Microsoft Purview compliance portal with a free trial.
Want to learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant? Hear from Microsoft leaders online at Microsoft Secure on April 9.

[1] Internal Windows telemetry

Protecting sensitive information in the era of AI with Microsoft Purview Information Protection
In today's rapidly evolving digital landscape, organizations face increasing challenges in protecting large volumes of sensitive data. As businesses adopt AI technologies, the volume of data generated and processed is growing at an unprecedented rate. This rapid data growth, coupled with the modern workplace's demand for accessing information from various devices and locations, calls for robust data protection measures. At the same time, security must not come at the cost of productivity. With AI becoming integral to modern workflows, organizations need the right guardrails so employees can harness AI for greater efficiency while data remains protected.

To help organizations navigate these challenges, Microsoft Purview Information Protection continues to advance its capabilities, enabling organizations to discover, classify, label, and protect sensitive information not only within Microsoft 365 but also across select non-Microsoft 365 data sources. In this blog, we highlight the new enhancements and capabilities that make it easier to secure sensitive data, provide visibility, and enforce compliance policies.

Expanding data classification and protection capabilities

The global average cost of a data breach increased 10% in one year, reaching $4.9 million [1], underscoring the growing urgency of data protection. As organizations generate and store vast amounts of information, much of it remains untouched, whether kept for business continuity, historical reference, or regulatory compliance. Without proper protection, however, this data can leave organizations exposed to hidden risks, including data misuse and leaks.
To address this challenge, we are thrilled to announce the public preview of on-demand classification for SharePoint and OneDrive, starting in April. On-demand classification expands the scope of data protection by scanning files that have not been classified or modified for a long time. Once files are classified, customers can automatically apply the relevant sensitivity label based on their organization's labeling policies. This ensures that all files, regardless of when they were last modified or accessed, are protected and compliant with organizational policies, and it makes it easier to manage and protect large volumes of data on SharePoint and OneDrive.

Administrators can scope on-demand classification scans to specific SharePoint sites or OneDrive accounts and can select files by last modified time. For example, an organization might focus on scanning files in a SharePoint site dedicated to financial records, which are considered high risk due to the sensitive nature of the data. The results of classification integrate with other Microsoft Purview solutions, such as Insider Risk Management (IRM) and Data Loss Prevention (DLP). For example, a DLP policy for financial information can automatically detect and block the sharing of a classified document containing sensitive financial data, preventing potential leaks. This expansion ensures that the benefits of classification, and the related DLP and IRM policies, apply to all data, strengthening the overall data security posture.

One major challenge in maintaining a strong data security posture is data oversharing, especially in AI-driven environments. When data is unclassified, mislabeled, or outdated, it can be exposed in unintended ways, increasing the risk of unauthorized access. To address this, Microsoft Purview Data Security Posture Management (DSPM) for AI, announced last year, includes an oversharing assessment that gives administrators greater visibility and control. Building on this capability, on-demand classification lets administrators start a classification scan directly from the oversharing assessment in DSPM for AI. This ensures that older or previously unscanned files are classified according to the latest data protection policies. It also helps Microsoft 365 Copilot index and ground data more accurately, so that AI-generated outputs respect the labels and protections on the underlying files. By providing a more comprehensive view of all data, on-demand classification helps organizations proactively manage risk, making AI copilots safer to use.

On-demand classification will be offered with a pay-as-you-go pricing model, allowing organizations to scale their data protection efforts to their needs. Before you trigger a scan, you can estimate the cost and fine-tune the scope as many times as needed to understand the potential cost based on your organization's needs.

Automate data security at scale

Organizations managing large-scale data in Azure Storage face challenges in consistently enforcing security and compliance policies across their data estate. To address this, Microsoft Purview protection policies for Azure SQL, Data Lake, and Blob Storage are now in public preview, enabling administrators to define and automatically apply protection policies based on the sensitivity label of assets. This helps ensure consistent enforcement of access controls, sensitivity labeling, and data classification at scale. Learn more in this blog.

Figure 2: Information Protection policies for Azure SQL, Data Lake, and Blob Storage

Notable optical character recognition (OCR) enhancements

Optical character recognition (OCR) enables Microsoft Purview to scan images for sensitive information. Examples include screenshots of sensitive documents, scanned forms, and pictures of proprietary data such as personal IDs or credit cards. In addition to scanning standalone images in Exchange Online (EXO), which is generally available, support for embedded images in EXO is now in public preview. This allows detection of sensitive information within images embedded in attachments or documents in email, including screenshots of confidential documents, scanned forms, and photos containing proprietary data shared in Office or archive files. Administrators gain visibility into sensitive information that may be hidden inside embedded images in emails and attachments, so that all data is properly classified and protected.

Along with that, the OCR cost estimator for macOS is now generally available. The OCR cost estimator helps organizations predict and manage costs by estimating the number of images by location for Exchange, Teams, SharePoint, OneDrive, and endpoints. Customers can try the OCR cost estimator free for 30 days. Once you select "Try for free," you have 30 days to run estimates and configure settings based on the needs and budget of your organization. It can be run without setting up an Azure subscription, making it accessible to all organizations.

Strengthening document protection with dynamic watermarking

We announced dynamic watermarking in Word, Excel, and PowerPoint last year, and it is now generally available. This capability is designed to deter users from leaking sensitive information and to attribute leaks if they do occur. When an admin enables the dynamic watermarking setting for a protected sensitivity label, files with that label render with dynamic watermarks when opened in Word, Excel, and PowerPoint. These watermarks contain the User Principal Name (UPN), usually the email address, of the account used to open the file, allowing leaks to be traced back to specific users. The watermark is a deterrent and an attribution aid rather than a preventive control; the label's encryption and usage rights are what restrict what a user can do with the file. Learn more about dynamic watermarking, how it works, and how to configure it within a sensitivity label in our documentation.

Figure 4: Word file with dynamic watermarks

Enhanced audit logs for auto-labeling in SharePoint

Auto-labeling in Microsoft Purview Information Protection automatically labels an organization's most sensitive content, reducing the need for manual user labeling. It can label data at rest across SharePoint and OneDrive at up to 100k files per day. Ensuring consistent and accurate labeling of sensitive information is difficult without clear insight into the labeling process. To address this, starting this month we will provide more detailed information on why a file was labeled, including the policy and rule matches that triggered auto-labeling in SharePoint. This added transparency makes it easier for administrators to review and refine their labeling policies, so sensitive information is labeled more consistently and accurately in accordance with organizational standards.

Get started

You can try Microsoft Purview Information Protection and other Microsoft Purview solutions directly within the Microsoft Purview portal with a free trial.*

- Interactive guide: aka.ms/InfoProtectionInteractiveGuide
- Mechanics video on how to automatically classify and protect documents and data
- Mechanics video on AI-powered data classification

And, lastly, join the Microsoft Purview Information Protection Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Information Protection. An active NDA is required. Click here to join.
Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9.

Licensing details

- On-demand classification: Pricing information will be available when public preview begins on April 1, 2025.
- OCR for embedded images in EXO: An Azure subscription and a Microsoft 365 E3 or E5 license are required. Pricing is based on the number of images scanned, at $1.00 per 1,000 images. Each scanned image counts as a single transaction. For more details, see here.
- OCR cost estimator for macOS: The cost estimator is available at no cost for 30 days. After this period, generating new estimates is disabled, but the insights gained during the 30 days should provide enough data to understand usage patterns and estimate potential monthly costs. Learn more about the cost estimator here.
- Dynamic watermarking: Included in E5, E5 Compliance, and E5 Information Protection and Governance licenses.
- Auto-labeling audit enrichments: Included in E5, E5 Compliance, and E5 Information Protection and Governance licenses.

* Pay-as-you-go capabilities are not available in the free trial.

[1] Cost of a Data Breach Report 2024 | IBM

Strengthening data protection in the modern workplace with Microsoft Purview Information Protection
In today's rapidly evolving digital landscape, protecting sensitive organizational data is critical, especially given the accelerated adoption of AI technology. However, only 22% of organizations feel extremely confident in their ability to keep data secure as they adopt generative AI technologies [1]. At the same time, data security teams are tasked with protecting organizational data across a growing set of access points as employees work from a variety of devices, browsers, and locations. Microsoft Purview Information Protection continues to invest in comprehensive protections to safeguard data across modern data estates, including those that have enabled generative AI for their workforce. In this blog, we share notable classification improvements and additions to Information Protection that can help your organization protect sensitive data wherever it lives or travels, extend support for protected documents wherever work happens, and strengthen protections for mission-critical documents.

Protecting sensitive data wherever it lives or travels across the modern data estate

Today, we are excited to announce enhanced labeling and document protections for Office files and PDFs in SharePoint for customers with E5 and SharePoint Advanced Management licenses. Previously, SharePoint site owners could apply default sensitivity labels only to newly added or created files in a document library. Now, site owners can extend sensitivity labels to all documents at rest in a library and protect them through the label if they are downloaded, moved, or copied from SharePoint. This two-fold enhancement, now in public preview, streamlines labeling for all currently unlabeled and unprotected documents at rest and ensures that protections travel with documents that leave the original SharePoint site.
After selecting the option "Extend protections on unencrypted files when they're downloaded, copied, or moved" in the library settings, site owners will see the specified label applied to all previously unlabeled files and to files whose labels were not configured to apply encryption. These labels also extend to files that are synchronized with OneDrive. Based on the label's user-defined permissions, only users with access rights to the online copy of the file can decrypt and open it once downloaded. If a user's permissions to the original SharePoint library are revoked, their access to any documents from that library, even copies downloaded locally, is revoked as well. In practice the access check runs when the client opens the file and obtains or refreshes its use license, so revocation takes effect at that point rather than instantly for an already-open copy; plan around the label's offline access period accordingly. This keeps documents protected as they leave SharePoint, whether for collaboration or through attempted exfiltration. This feature is also supported by the Information Protection SDK. Note that this capability currently supports only labels with user-defined permissions.

Additional labeling and SDK improvements in Microsoft Purview Information Protection

In addition to the enhanced labeling capability for SharePoint document libraries described above, we are pleased to share improvements to auto-labeling capacity for OneDrive and SharePoint. Purview Information Protection now supports auto-labeling of up to 100k files per day, up from the previous 25k limit. This improvement is generally available. Auto-labeling simulation mode now also shows the sensitivity label currently applied to a file and can filter by label. These improvements to simulation mode will be available in public preview in the coming weeks. Learn more about auto-labeling simulation mode here.
Extending label-based protections to Teams, Copilot Studio, and Fabric To further enable consistent, streamlined sensitivity labeling of your important business data, we are announcing label inheritance for Teams meetings based on the sensitivity of files shared in the meeting in public preview. This capability, which will be available in the coming weeks, facilitates secure collaboration across your organization by ensuring that if labeled files are referenced in a Teams meeting, the highest sensitivity label will be applied holistically to the meeting, its artifacts, and the files that were shared within. For example, if a Teams meeting is initiated with a “General” sensitivity label, and a collaborator in the meeting shares a document labeled “Highly Confidential” in the meeting chat, the label of the meeting will be upgraded to “Highly Confidential.” Microsoft Purview is also supporting ways to protect sensitive data in custom AI applications built through Copilot Studio. In May, we announced that developers using Copilot Studio can turn on the Purview integration to extend our best-of-suite data security controls to their custom apps – this includes the ability to limit access to sensitive data to only authorized users, and for AI-generated outputs to inherit and cite the sensitivity label of referenced files. To learn more about new Purview data security & governance controls for apps built in Copilot Studio, visit the blog. Last month, we announced that we were extending the ability to apply labels and restrict access to content based on sensitivity label to Fabric data, helping admins discover, classify, and protect sensitive information. With this expanded sensitivity label support, admins could use sensitivity labels to manage who has access to Fabric items. For example, a security admin could restrict access to data items with a “financial data” sensitivity label to users except for those in the finance department. 
These data protection and auto labeling policies are now available in public preview for Fabric, Azure SQL, and Azure Data Lake Storage (ADLS), ensuring that your business-critical data is protected even beyond Microsoft 365. In the spirit of expanding Information Protection support across services and platforms, we’re also happy to share that the Information Protection SDK on .NET is now generally available on all supported Ubuntu LTS versions. Extending support for protected documents wherever work happens With the goal of securing sensitive data without hindering user productivity, we’d like to share three additional enhancements to Information Protection that make it easier for users to access protected documents: Broader support for protected PDFs on mobile devices: We recognize that in today’s digital world, work doesn’t just happen on a corporate desktop – employees can access organizational data from anywhere in the world, on a broad variety of devices. To better enable secure access to this data, we are excited to share expanded support for documents encrypted and protected by Information Protection on mobile devices: 1-click support on Outlook mobile application: Now generally available on iOS and Android. In the Outlook app, we are also making it easier for authorized users to decrypt and view protected PDFs with just one click, without the need for additional tools or steps. OneDrive mobile application: Now generally available on iOS and in coming weeks on Android. Microsoft 365 mobile application: Now generally available on iOS and Android. Broader support for protected PDFs on web: As the global workforce spends more of its time working directly in browsers, we must also expand our support for protected documents on the web. 
We’re happy to share that starting today, OneDrive and SharePoint Online users can view protected PDFs directly from any browser – including Chrome, Firefox, and Safari – without the need to switch to desktop applications for rendering and decryption. This makes it easier for users to access and consume protected PDFs without disruption. These improvements augment the support for Information Protection-defined usage rights restrictions that already exists in the Microsoft Edge browser, such as screen capture restrictions on Office files.

Strengthening document protections with dynamic watermarking

Earlier this year, we announced dynamic watermarking in preview, which equips information protection admins with more robust document protections through sensitivity labels. This capability is available in public preview for all Information Protection customers with Information Protection Plan 2 (included in E5). When an admin enables the dynamic watermarking setting for a protected sensitivity label, files with that sensitivity label render with dynamic watermarks when opened in Word, Excel, and PowerPoint. This deters collaborators or users who have access to the document from sharing its contents broadly, preventing sensitive data leakage and enabling easier attribution of leaks.

Noteworthy classification updates to optical character recognition and named entity SITs

Optical character recognition (OCR) enables Microsoft Purview to scan images for sensitive information. Examples include screenshots of sensitive documents, scanned forms, and pictures of proprietary data such as personal IDs or credit cards. OCR is billed to customers based on the number of images scanned. In September of this year, we announced the availability of the OCR cost estimator in public preview. The OCR cost estimator removes the uncertainty that comes from having no visibility into, or way to predict, the total number of images you may incur costs for.
It also breaks down a clear estimate by location for Exchange, Teams, SharePoint, OneDrive, and endpoints. Once you select “Try for free,” you have 30 days to run estimates through the OCR cost estimator and configure settings based on the needs and budget of your organization. It can be run without setting up an Azure subscription, making it accessible to all organizations.

We are also delighted to announce a significant expansion in named entity sensitive information types (SITs). Named entity SITs play a crucial role in identifying and protecting sensitive data within documents, such as person names, physical addresses, and health-related data. This is essential for ensuring compliance with various regulations and safeguarding privacy across geographic regions. Recent improvements include:
- Expanded support for the detection of disease names in 26 additional languages. This enhancement enables more comprehensive protection of health-related information across a broader range of linguistic contexts.
- Expanded support for physical address detection in 7 additional countries: China, South Korea, Taiwan, Greenland, Russia, Ukraine, and South Africa.

Get started

You can try Microsoft Purview Information Protection and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial!
- Interactive guide: aka.ms/InfoProtectionInteractiveGuide
- Mechanics video on how to automatically classify and protect documents and data
- Mechanics video on AI-powered data classification

And, lastly, join the Microsoft Purview DLP Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Information Protection. An active NDA is required. Click here to join. We look forward to your feedback.

[1] 2024 Data Security Index Report | Microsoft Security

General Availability: Dynamic watermarking for sensitivity labels in Word, Excel, and PowerPoint
In today’s digital age, protecting sensitive information is more critical than ever. Sensitivity labels from Microsoft Purview Information Protection offer highly effective controls to limit access to sensitive files and to prevent users from taking inappropriate actions, such as printing a document, while still allowing unhindered collaboration. However, these controls don’t prevent users from taking pictures of sensitive information on their screen or of a presentation being shared online or in person, and some forms of screenshotting can’t be blocked with existing technology. This loophole presents an easy way to bypass the protections that sensitivity labels enforce on a document, and those pictures can end up in the hands of competitors or the public. Dynamic watermarking helps address this gap in document security by deterring unauthorized sharing and enabling traceability of leaks.

What is Dynamic Watermarking?

Dynamic watermarking is a feature that overlays watermarks containing user-specific information on documents. These watermarks are visible when the document is viewed, edited, or shared in Word, Excel, or PowerPoint, deterring leaks and making it easier to trace any unauthorized dissemination of sensitive information. The feature can be configured by the compliance admin on any sensitivity label with admin-defined permissions, via the Microsoft Purview compliance portal or PowerShell. When the setting is enabled for a label, files with that label render dynamic watermarks when opened in Word, Excel, and PowerPoint.

Key Features
- User-Specific Watermarks: Watermarks display the UPN (usually the email address) of the user currently viewing the document.
- Watermark Customizability: Watermarks can be configured to also include the device date and time, so admins know precisely when leaked information was captured, as well as a custom string.
- Cross-Platform Support: Available in Word, Excel, and PowerPoint for the web, Windows, Mac, iOS, and Android.
- Seamless Integration: Configurable on sensitivity labels with admin-defined permissions via the Microsoft Purview compliance portal or PowerShell.
- Enhanced Security: Prevents users from accessing documents whose labels are configured for dynamic watermarking on Word, Excel, and PowerPoint clients that cannot render dynamic watermarks.

Benefits & Differentiators

Although existing security solutions may offer different aspects of dynamic watermarking, Microsoft provides the most comprehensive offering, with the following differentiators:
- Broad support across many views (e.g., slide view, notes view, etc.), so that more than just the primary application view is protected, for more comprehensive coverage.
- Ability to set dynamic watermarking on a sensitivity label and have it apply to all Word, Excel, and PowerPoint files with that sensitivity label (rather than a separate setting), making it easier for admins to apply dynamic watermarking across applications and files all at once.
- Ability to edit (and coauthor) a watermarked file. Coauthoring enables users to collaborate on Word, Excel, and PowerPoint files that carry sensitivity labels across Web, Windows, Mac, iOS, and Android.
- Cross-platform support: Web, Windows, Mac, iOS, and Android.

When a user attempts to open a file with dynamic watermarks on a version of Office that doesn’t support the feature, they will see an access denied message. Users who don’t have an Office client installed that is capable of dynamic watermarking should use Office for the web to work with watermarked files.

Get Started with Dynamic Watermarking

When setting up a label in the Purview compliance portal, you can select “Use Dynamic Watermarking” when configuring encryption. You can also configure dynamic watermarking on a sensitivity label using the Set-Label cmdlet in PowerShell.
Learn more about configuring sensitivity labels for dynamic watermarking here.

Dynamic watermarking for Word, Excel, and PowerPoint requires a Microsoft 365 E5, Microsoft 365 E5 Compliance, Microsoft Information Protection and Governance E5, Microsoft Enterprise Mobility and Security E5, or Microsoft Security and Compliance for Frontline Workers F5 license. These license requirements apply to configuring dynamic watermarks and applying labels configured for dynamic watermarking. There is no licensing requirement for users to open files with dynamic watermarks. To view the minimum versions needed to open files with dynamic watermarks on all platforms, see Minimum versions for sensitivity labels in Microsoft 365 Apps | Microsoft Learn.

Microsoft Information Protection and Compliance Resources
The Microsoft Information Protection and Compliance Customer Experience (CXE) team works with Microsoft’s largest enterprise customers to provide guidance and advisory services that help them deploy our information protection and compliance solutions. As part of our community, you can speak directly to our engineering teams and get early access to changes by joining our webinars, participating in private previews, reviewing product roadmaps, attending in-person events, or providing feedback on our forums.

Getting Started
We have lots of resources below to help, but to start with you can review: https://aka.ms/MIPC/GettingStarted

Official Documentation
A lot of the common questions that customers ask have been captured in our documentation. There is a team of tech writers who work tirelessly to ensure it’s accurate and up to date!
MIP - https://aka.ms/MIPdocs
Compliance - https://docs.microsoft.com/en-us/microsoft-365/compliance/

Licensing Documentation
Licensing for the different features across the M365 security and compliance product set is a frequently asked question.
M365 Security and Compliance - https://aka.ms/MIPC/licensing
Information Protection section - https://aka.ms/MIPC/MIPlicensing

White Papers
We have documents that we’ve developed for our customers where we share best practices and guidance to help deploy our solutions.
MIP - https://aka.ms/MIPC/DataClassification

Zero Trust Deployment Center
This contains all of our guidance to help you with your Zero Trust planning and deployment activities.
http://aka.ms/ZTGuide
You can jump straight to securing your data with Zero Trust - https://aka.ms/ZTData

MIP&C Deployment Acceleration Guides (DAGs)
We have written a number of guides which will help with:
➢ One Compliance Story, covering how the features of each solution complement each other.
➢ Best Practices, based on the CxE team’s experience with customer roadblocks.
➢ Considerations to take and research before starting your deployment.
➢ Help Resources, with links to additional readings and topics to gain a deeper understanding.
➢ Appendix for additional information on licensing.
Check out the blog post here https://aka.ms/MIPC/DAGs for more details and the documents.

Webinars
To check out our upcoming webinars, or recordings of past webinars, visit https://aka.ms/MIPC/Webinars.

Private Previews
To join our private preview program, where you can get early access to changes in exchange for your feedback, sign up at https://aka.ms/MIPC/JoinPreviews and check out the previews page for full details - https://aka.ms/MIPC/Previews

Forums
Got questions or feedback? Check out our product-specific forums where you can speak directly to our engineering teams.
MIP Yammer Channel - https://aka.ms/MIPC/AskMIPTeam
MIP Product Feedback - https://aka.ms/MIP/uservoice
Compliance Product Feedback - https://aka.ms/CompUV
Tech Community - Security, Privacy, & Compliance

Code Samples / Scripts
You can check out our PowerShell code snippets at:
GitHub Repo: https://aka.ms/MIPC/PowerShellSamples
Localization migration script: https://aka.ms/MIPC/Blog-LocaleMigration

Social Media
Hang out on social media? Check out the team’s presence below and follow and interact with us there as well.
MIP: https://Twitter.com/MIPNews
Compliance Blog - https://aka.ms/CompBlog
MIP Blog - https://aka.ms/MIPblog

Thanks!
@Adam Bell on behalf of the MIP and Compliance CXE team

Retirement notification for the Azure Information Protection Unified Labeling add-in for Office
We are officially announcing the retirement of the Azure Information Protection (AIP) Unified Labeling add-in for Office and starting the 12-month clock, after which it will reach retirement on April 11, 2024.

Microsoft Security in Action: Zero Trust Deployment Essentials for Digital Security
The Zero Trust framework is widely regarded as a key security model and a commonly referenced standard in modern cybersecurity. Unlike legacy perimeter-based models, Zero Trust assumes that adversaries will sometimes gain access to some assets in the organization, and that you must build your security strategy, architecture, processes, and skills accordingly. Implementing this framework requires a deliberate approach to the deployment, configuration, and integration of tools.

What is Zero Trust?

At its core, Zero Trust operates on three guiding principles:
- Assume Breach (Assume Compromise): Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly.
- Verify Explicitly: Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry.
- Use Least Privileged Access: Limit the access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies such as adaptive access control.

Implementing a Zero Trust architecture is essential for organizations to enhance security and mitigate risks. Microsoft’s Zero Trust framework focuses on six key technological pillars: Identity, Endpoints, Data, Applications, Infrastructure, and Networks. This blog provides a structured approach to deploying each pillar.

1. Identity: Secure Access Starts Here

Ensure secure and authenticated access to resources by verifying and enforcing policies on all user and service identities. Here are some key deployment steps to get started:
- Implement Strong Authentication: Enforce Multi-Factor Authentication (MFA) for all users to add an extra layer of security. Adopt phishing-resistant methods, such as passwordless authentication with biometrics or hardware tokens, to reduce reliance on traditional passwords.
- Leverage Conditional Access Policies: Define policies that grant or deny access based on real-time risk assessments, user roles, and compliance requirements. Restrict access from non-compliant or unmanaged devices to protect sensitive resources.
- Monitor and Protect Identities: Use tools like Microsoft Entra ID Protection to detect and respond to identity-based threats. Regularly review and audit user access rights to ensure adherence to the principle of least privilege. Integrate threat signals from diverse security solutions to enhance detection and response capabilities.

2. Endpoints: Protect the Frontlines

Endpoints are frequent attack targets. A robust endpoint strategy ensures secure, compliant devices across your ecosystem. Here are some key deployment steps to get started:
- Implement Device Enrollment: Deploy Microsoft Intune for comprehensive device management, including policy enforcement and compliance monitoring. Enable self-service registration for BYOD to maintain visibility.
- Enforce Device Compliance Policies: Set and enforce policies requiring devices to meet security standards, such as up-to-date antivirus software and OS patches. Block access from devices that do not comply with established security policies.
- Utilize and Integrate Endpoint Detection and Response (EDR): Deploy Microsoft Defender for Endpoint to detect, investigate, and respond to advanced threats on endpoints, and integrate it with Conditional Access. Enable automated remediation to quickly address identified issues.
- Apply Data Loss Prevention (DLP): Leverage DLP policies alongside Insider Risk Management (IRM) to restrict sensitive data movement, such as copying corporate data to external drives, and address potential insider threats with adaptive protection.

3. Data: Classify, Protect, and Govern

Data security spans classification, access control, and lifecycle management.
Here are some key deployment steps to get started:
- Classify and Label Data: Use Microsoft Purview Information Protection to discover and classify sensitive information based on predefined or custom policies. Apply sensitivity labels to data to dictate handling and protection requirements.
- Implement Data Loss Prevention (DLP): Configure DLP policies to prevent unauthorized sharing or transfer of sensitive data. Monitor and control data movement across endpoints, applications, and cloud services.
- Encrypt Data at Rest and in Transit: Ensure sensitive data is encrypted both when stored and during transmission. Use Microsoft Purview Information Protection for data security.

4. Applications: Manage and Secure Application Access

Securing access to applications ensures that only authenticated and authorized users interact with enterprise resources. Here are some key deployment steps to get started:
- Implement Application Access Controls: Use Microsoft Entra ID to manage and secure access to applications, enforcing Conditional Access policies. Integrate SaaS and on-premises applications with Microsoft Entra ID for seamless authentication.
- Monitor Application Usage: Deploy Microsoft Defender for Cloud Apps to gain visibility into application usage and detect risky behaviors. Set up alerts for anomalous activities, such as unusual download patterns or access from unfamiliar locations.
- Ensure Application Compliance: Regularly assess applications for compliance with security policies and regulatory requirements. Implement measures such as Single Sign-On (SSO) and MFA for application access.

5. Infrastructure: Securing the Foundation

It’s vital to protect the assets you have today that provide the business-critical services your organization relies on every day. Cloud and on-premises infrastructure hosts crucial assets that are frequently targeted by attackers.
Here are some key deployment steps to get started:
- Implement Security Baselines: Apply secure configurations to VMs, containers, and Azure services using Microsoft Defender for Cloud.
- Monitor and Protect Infrastructure: Deploy Microsoft Defender for Cloud to monitor infrastructure for vulnerabilities and threats. Segment workloads using Network Security Groups (NSGs).
- Enforce Least Privilege Access: Implement Just-In-Time (JIT) access and Privileged Identity Management (PIM). JIT mechanisms grant privileges on demand, only when required, which reduces the time exposure of privileges that people need but use only rarely. Regularly review access rights to align with current roles and responsibilities.

6. Networks: Safeguard Communication and Limit Lateral Movement

Network segmentation and monitoring are critical to a Zero Trust implementation. Here are some key deployment steps to get started:
- Implement Network Segmentation: Use Virtual Networks (VNets) and Network Security Groups (NSGs) to segment and control traffic flow.
- Secure Remote Access: Deploy Azure Virtual Network Gateway and Azure Bastion for secure remote access. Require device and user health verification for VPN access.
- Monitor Network Traffic: Use Microsoft Defender for Endpoint to analyze traffic and detect anomalies.

Taking the First Step Toward Zero Trust

Zero Trust isn’t just a security model—it’s a cultural shift. By implementing the six pillars comprehensively, organizations can enhance their security posture while enabling seamless, secure access for users. Implementing Zero Trust can be complex and may require additional deployment approaches beyond those outlined here. Cybersecurity needs vary widely across organizations and deployment isn’t one-size-fits-all, so these steps might not fully address your organization’s specific requirements.
However, this guide is intended to provide a helpful starting point or checklist for planning your Zero Trust deployment. For a more detailed walkthrough and additional resources, visit Microsoft Zero Trust Implementation Guidance.

The Microsoft Security in Action blog series is an evolving collection of posts that explores practical deployment strategies, real-world implementations, and best practices to help organizations secure their digital estate with Microsoft Security solutions. Stay tuned for our next blog on deploying and maximizing your investments in Microsoft Threat Protection solutions.

Optimizing OneDrive Retention Policies with Administrative Units and Adaptive Scopes
A special thank-you note to Ashwini_Anand for contributing to the content of this blog.

In today’s digital landscape, efficient data retention management is a critical priority for organizations of all sizes. Organizations can optimize their OneDrive retention policies, ensuring efficient and compliant data management tailored to their unique user base and licensing arrangements.

Scenario: Contoso Org encountered a distinct challenge - managing data retention for a diverse user base of 200,000 employees, which includes 80,000 users with F3 licenses and 120,000 users with E3 and E5 licenses. Under Microsoft licensing, F3 users are allocated only 2 GB of OneDrive storage, whereas E3 and E5 users receive a much larger allocation of 5 TB. This difference required creating separate retention policies for these user groups.

The challenge was further complicated by the fact that retention policies use the same OneDrive storage to preserve deleted data. If a unified retention policy were applied to all users, such as retaining data for 6 years before deletion, F3 users’ OneDrive storage could fill up within a year or less (depending on usage patterns). This would leave F3 users unable to delete or save new files, severely disrupting productivity and data management. To address this, it is essential to create a separate retention policy for E3 and E5 users, ensuring that the policy applies only to those users and excludes F3 users.

This blog discusses the process of designing and implementing such a policy for a large user base split by license, ensuring efficient data management and uninterrupted productivity.

Challenges with Retention Policy Configuration for Large Organizations

1. Adaptive Scope
Adaptive scopes in Microsoft Purview allow you to dynamically target policies based on specific attributes or properties such as department, location, email address, custom Exchange attributes, etc.
Refer to this link for the list of supported attributes: Adaptive scopes | Microsoft Learn.

Limitation: Although adaptive scopes can filter by user properties, Contoso, being a large organization, had already used all 15 custom attributes for other purposes. Additionally, user attributes cannot be used to segregate users by license. This made it challenging to repurpose any attribute as the filter criterion that would apply the retention policy to a specific set of users. Furthermore, the refinable strings used in SharePoint do not work for OneDrive sites.

2. Static Scope
A static scope refers to manually selected locations (e.g., specific users, mailboxes, or sites) where the policy is applied. The scope remains fixed and does not adjust automatically.

Limitation: A static scope allows the inclusion or exclusion of mailboxes and sites but is limited to 100 sites and 1,000 mailboxes, making it challenging to use for large organizations.

Proposed Solution: Administrative Units with Adaptive Scope

To address the above challenges, the solution was to use Administrative Units together with Adaptive Scopes to create a retention policy targeting E3 and E5 licensed users. An Administrative Unit (Admin Unit) is a container within an organization that can hold users, groups, or devices; it helps manage and organize users more efficiently, especially in large or complex environments. This approach allows organizations to selectively apply retention policies based on user licenses, enhancing both efficiency and governance.

Prerequisites
- For the Administrative unit: Microsoft Entra ID P1 license
- For the Retention policy: refer to Microsoft 365 guidance for security & compliance - Service Descriptions | Microsoft Learn

Configuration Steps

Step 1: Create Administrative Unit
- Navigate to the Microsoft Entra admin center: https://entra.microsoft.com/#home
- Click on ‘Identity’ and then click on ‘Show more’
- Expand ‘Roles & admins’
- Proceed to ‘Admin units’ -> Add.
- Define a name for the Administrative unit.
- Click on ‘Next: Assign roles’ (no role assignment is required), then click on ‘Next: Review + create’
- Click on ‘Create’.
For more information about creating an administrative unit, refer to this link: Create or delete administrative units - Microsoft Entra ID | Microsoft Learn

Step 2: Update Dynamic Membership
- Select the Administrative Unit created in Step 1.
- Navigate to ‘Properties’
- Choose ‘Dynamic User’ for Membership type.
- Click on ‘Add a dynamic query’ for Dynamic user members.
- Click on ‘Edit’ for Rule syntax.
- To include E3 and E5 licensed users who use OneDrive, include users with the SharePoint Online Service Plan 2 enabled. Use the query below to define the dynamic membership:
  user.assignedPlans -any (assignedPlan.servicePlanId -eq "5dbe027f-2339-4123-9542-606e4d348a72" -and assignedPlan.capabilityStatus -eq "Enabled")
- Click on ‘Save’ to update the Dynamic membership rules.
- Click on ‘Save’ to update the Administrative unit changes.
- Open the Administrative Unit and click on the ‘Users’ tab to check whether users have started to populate.
Note: It may take some time to replicate all users, depending on the size of your organization. Please wait a few minutes and then check again.

Step 3: Create Adaptive Scope in the Purview Portal
- Access https://purview.microsoft.com
- Navigate to ‘Settings’
- Expand ‘Roles & scopes’ and click on ‘Adaptive scopes’
- Create a new adaptive scope, providing a ‘Name’ and ‘Description’.
- Proceed to select the Administrative unit created earlier. (It takes time for the Administrative Unit to become visible. Please wait for some time if it does not appear immediately.)
- Click on ‘Add’ and ‘Next’
- Select ‘Users’ and ‘Next’
- Once the Admin unit is selected, specify the criteria that select users within the Admin unit (this is the second level of filtering available).
  In this case, since all users of the admin unit were needed, the criterion below was used. Click ‘Add attribute’ and form the query:
  Email addresses is not equal to $null
  Note: You can apply any other filter if you need to select a subset of users within the Admin Unit, based on your business use case.
- Click on ‘Next’
- Review and ‘Submit’ the adaptive scope.

Step 4: Create Retention Policy using Adaptive Scope
- Access https://purview.microsoft.com/datalifecyclemanagement/overview
- Navigate to ‘Policies’ and then go to ‘Retention Policies’.
- Create a ‘New Retention policy’, providing a ‘Name’ and ‘Description’.
- Proceed to select the Administrative unit created earlier. Click on ‘Add or remove admin units’
- Choose ‘Adaptive’ and click on ‘Next’.
- Click on ‘Add scopes’ and select the previously created Adaptive scope.
- Click on ‘Next’ to proceed and select the desired retention settings.
- Click Next and Finish

Outcome

By implementing Admin Units with adaptive scopes, organizations can effectively overcome the challenges associated with applying OneDrive retention policies to distinct, large sets of users. This approach facilitates the dynamic addition of the required users, eliminating the need for custom attributes and manual user management. Users are dynamically added to or removed from the policy based on license status, ensuring seamless compliance management.

FAQ

Why is it important to differentiate retention policies based on user licensing tiers?
It is important to differentiate retention policies based on user licensing tiers to ensure that each user group has policies tailored to its specific needs and constraints, avoiding issues such as storage limitations for users with lower-tier licenses like F3.

How many Exchange custom attributes are typically available?
There are typically 15 Exchange custom attributes available, which can limit scalability when dealing with a large user base.
What challenge does Adaptive Scoping face when including a large number of OneDrive sites?
Adaptive Scoping faces the challenge of including a large number of OneDrive sites due to limitations in the number of custom attributes allowed. While these custom attributes help in categorizing and managing OneDrive sites, the finite number of attributes available can restrict scalability and flexibility.

Why are refinable strings a limitation for Adaptive Scoping in OneDrive?
Refinable strings are a limitation for Adaptive Scoping in OneDrive because their usage is restricted to SharePoint only.

What are the limitations of Static Scoping for OneDrive sites?
Static Scoping for OneDrive sites is limited by the strict limit of including or excluding only 100 sites, which limits its usefulness in larger environments.

Do we need any licenses to create an administrative unit with dynamic membership?
Yes, a Microsoft Entra ID P1 license is required for all members of the group.
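Steps 1 to 4 of the OneDrive retention walkthrough above, scripted end to end as an added example (not code from the original post or from Microsoft's own samples). It uses Microsoft Graph PowerShell for the administrative unit and Security & Compliance PowerShell for the adaptive scope and retention policy; the admin unit, scope and policy names and the 6-year retention period are constructed placeholders, and it assumes that New-AdaptiveScope's -AdministrativeUnit parameter accepts the unit's object ID and that New-RetentionCompliancePolicy's -AdaptiveScopeLocation accepts the scope name, so check both against Get-Help before running it.

```powershell
# Added example: Steps 1-4 of the post as a script. Names, the 6-year period and
# the parameter bindings flagged below are assumptions, not the post's own values.

# ---- Steps 1 and 2: administrative unit with a dynamic membership rule ------
# Microsoft Graph PowerShell (Microsoft.Graph.Identity.DirectoryManagement module).
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All"

# Service plan from the post: SharePoint Online (Plan 2), which E3/E5 carry and F3 does not.
$sharePointPlan2 = "5dbe027f-2339-4123-9542-606e4d348a72"

# Same rule the post enters in the portal; the plan GUID is interpolated into it.
$membershipRule = "user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$sharePointPlan2`" -and assignedPlan.capabilityStatus -eq `"Enabled`")"

$auBody = @{
    displayName                   = "AU-OneDrive-E3-E5"      # placeholder name
    description                   = "Users entitled to SharePoint Online Plan 2"
    membershipType                = "Dynamic"
    membershipRule                = $membershipRule
    membershipRuleProcessingState = "On"                     # start evaluating the rule
}
$au = New-MgDirectoryAdministrativeUnit -BodyParameter $auBody

# Membership is evaluated asynchronously (the post notes the delay), so poll for a
# bounded time and stop rather than build the scope on an empty unit.
$members = @()
for ($i = 0; $i -lt 15 -and $members.Count -eq 0; $i++) {
    Start-Sleep -Seconds 60
    $members = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All)
}
if ($members.Count -eq 0) { throw "Admin unit $($au.DisplayName) has no members yet; retry later." }
Write-Host "Admin unit $($au.DisplayName) ($($au.Id)) contains $($members.Count) users"

# ---- Step 3: adaptive scope restricted to that admin unit -------------------
# Security & Compliance PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession

# FilterQuery mirrors the portal rule "Email addresses is not equal to $null",
# i.e. every user in the admin unit. Assumption: -AdministrativeUnit takes the
# unit's object ID. The backtick keeps $null literal inside the query string.
$scopeName = "Scope-OneDrive-E3-E5"                          # placeholder name
New-AdaptiveScope -Name $scopeName `
    -LocationType User `
    -AdministrativeUnit $au.Id `
    -FilterQuery "EmailAddresses -ne `$null"

# ---- Step 4: retention policy for OneDrive bound to the adaptive scope ------
# -Applications limits the policy to the OneDrive accounts of the scoped users,
# so F3 users are never in scope and their 2 GB quota is not consumed by retained deletions.
$policyName = "Retain-OneDrive-E3-E5"                        # placeholder name
New-RetentionCompliancePolicy -Name $policyName `
    -Applications "User:OneDriveForBusiness" `
    -AdaptiveScopeLocation $scopeName

# Placeholder retention setting: keep for 6 years (2190 days) from last
# modification, then delete.
New-RetentionComplianceRule -Name "$policyName-Rule" `
    -Policy $policyName `
    -RetentionDuration 2190 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# Verification: confirm the policy is enabled and distributing before closing the change.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, AdaptiveScopeLocation
```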