External people can't open files with Sensitivity Label encryption.
Question: What are the best practices for ensuring external users can open files encrypted with Sensitivity Labels? Hi all. I've been investigating proper setup of sensitivity labels in Purview, and the impact on user experience. The prerequisites are simple enough, creating and configuring the labels reasonably straightforward, and publishing them is a breeze. But using them appears to be a different matter! Everything is fine for labels that don't apply encryption (control access) or when used internally. However, the problems come when labels do apply encryption and information is sent externally. The result is that we apply a label to a document, attach that document to an email, and send it externally - and the recipient says they can't open it and they get an error that their email address is not in our directory. This is because due to the encryption, the external user needs to authenticate back to our tenant, and if they're not in our tenant they obviously can't do this so the files won't open. So, back to the question above. What's the easiest / most secure / best way to add any user we might share encrypted content with to our tenant. As I see it we have the following options: Users have to request Admins add the user as a Guest in our tenant before they send the content. Let's face it, they'll not do this and/or get frustrated. Users share encrypted content directly from SharePoint / OneDrive, rather than attaching it to emails (as that would automatically add the external person as a Guest in the tenant). This will be fine in some circumstances, but won't always be appropriate (when you want to send them a point-in-time version of a doc). With good SharePoint setup, site Owners would also have to approve the share before it gets sent which could delay things. Admins add all possible domains that encrypted content might be shared with to Entra B2B Direct Connect (so the external recipient doesn't have to be our tenant). This may not be practical as you often don't know who you'll need to share with and we work with hundreds of organisations. The bigger gotcha is that the external organisation would also have to configure Entra B2B Direct Connect. Admins default Entra B2B Direct Connect to 'Allow All'. This opens up a significant attack surface and also still requires any external organisation to configure Entra B2B Direct Connect as well. I really want to make this work, but it need to be as simple as possible for the end users sharing sensitive or confidential content. And all of the above options seem to have significant down-sides. I'm really hoping someone who uses Sensitivity Labels on a day-to-day basis can provide some help or advice to share their experiences. Thanks, Oz.Purview Priority Cleanup Expands to SharePoint and OneDrive
Purview Priority Cleanup is growing its capabilities to be able to process files stored in SharePoint Online and OneDrive for Business. Public preview begins in mid-August, and the solution should be generally available at the end of September 2025. Removing files without regard for retention holds is much more complicated than removing mailbox items. The question is who needs this feature and how will it be used? https://office365itpros.com/2025/08/13/priority-cleanup-spo-od4b/Microsoft Purview Data Security Posture Management (DSPM) for AI
Now with Microsoft Copilot in Fabric and Microsoft Security Copilot Integration In today’s data-driven world, organizations are racing to adopt AI-powered solutions like Microsoft Copilot in Fabric and Microsoft Security Copilot. While these tools dramatically increase productivity and decision-making capabilities, they also introduce new layers of complexity in securing sensitive data across platforms. To help organizations address these challenges, Microsoft Purview’s Data Security Posture Management (DSPM) is evolving—and now includes support for Microsoft Copilot in Fabric and Microsoft Security Copilot. https://dellenny.com/microsoft-purview-data-security-posture-management-dspm-for-ai/Navigating Compliance with Confidence A Deep Dive into Microsoft Purview Compliance Portal
In today’s evolving digital landscape, organizations face increasing regulatory pressure to secure sensitive data, manage risk, and ensure compliance. Microsoft has stepped up to this challenge with Microsoft Purview, a comprehensive suite for data governance and compliance. At the heart of this suite lies the Microsoft Purview Compliance Portal, a centralized hub that empowers organizations to manage compliance across their Microsoft 365 environment with clarity and confidence. https://dellenny.com/navigating-compliance-with-confidence-a-deep-dive-into-microsoft-purview-compliance-portal/
Purview and auditing file modifications
I have full M365 E5 license and use Purview auditing a lot for investigations. I noticed is reports file modified which is create but some of my files would get modified constantly. I'm curious if it can log and provide a report on what exactly was modified. For example: If text was added or deleted, can it tell me what was added or deleted i.e. the actual text and the action (Add\Delete) If an image was pasted into a word document, can it tell me that? If possible, down to a copy of the image that was inserted? If it can't do this level of detail anyone have suggestions of a product that can?
Compliance search is not returning any data (Powershell)
At our organization, we have an SOP for purging phishing emails from all mailboxes. Part of that is creating a search and then examining it for any legit emails before going on to the purge step. The commands below are no longer returning any data, and they used to work. What has changed? PS C:\Windows\system32> Connect-IPPSSession -UserPrincipalName email address removed for privacy reasons PS C:\Windows\system32> New-ComplianceSearch -Name "Broken" -ExchangeLocation All -ContentMatchQuery 'Subject:"invoice"' Name RunBy JobEndTime Status ---- ----- ---------- ------ Broken NotStarted PS C:\Windows\system32> Start-compliancesearch -identity "broken" PS C:\Windows\system32> Get-compliancesearch -identity "broken" Name RunBy JobEndTime Status ---- ----- ---------- ------ Broken admin 7/14/2025 8:17:09 PM Completed PS C:\Windows\system32> Get-ComplianceSearch -Identity "broken" | >> Select-Object Name, Status, ItemsFound, Size, CreatedBy, CreatedTime | >> Export-Csv -Path "C:\filename.csv" -NoTypeInformation The resultant .csv has only the headers, but no information about emails, so any purge commands have nothing to purge. Thank youSecuring the Modern Workplace: Transitioning from Legacy Authentication to Conditional Access
Authored by: Gonzalo Brown Ruiz, Senior Microsoft 365 Engineer & Cloud Security Specialist Date: July 2025 Introduction In today’s threat landscape, legacy authentication is one of the weakest links in enterprise security. Protocols like POP, IMAP, SMTP Basic, and MAPI are inherently vulnerable — they don’t support modern authentication methods like MFA and are frequently targeted in credential stuffing and password spray attacks. Despite the known risks, many organizations still allow legacy authentication to persist for “just one app” or “just a few users.” This article outlines a real-world, enterprise-tested strategy for eliminating legacy authentication and implementing a Zero Trust-aligned Conditional Access model using Microsoft Entra ID. Why Legacy Authentication Must Die No support for MFA: Enables attackers to bypass the most critical security control Password spray heaven: Common vector for brute-force and scripted login attempts Audit blind spots: Limited logging and correlation in modern SIEM tools Blocks Zero Trust progress: Hinders enforcement of identity- and device-based policies Removing legacy auth isn’t a nice-to-have — it’s a prerequisite for a modern security strategy. Phase 1: Auditing Your Environment A successful transition starts with visibility. Before blocking anything, I led an environment-wide audit to identify: All sign-ins using legacy protocols (POP, IMAP, SMTP AUTH, MAPI) App IDs and service principals requesting basic auth Users with outdated clients (Office 2010/2013) Devices and applications integrated via PowerShell, Azure Sign-In Logs, and Workbooks Tools used: Microsoft 365 Sign-In Logs Conditional Access insights workbook PowerShell (Get-SignInLogs, Get-CASMailbox, etc.) Phase 2: Policy Design and Strategy The goal is not just to block — it’s to transform authentication securely and gradually. My Conditional Access strategy included: Blocking legacy authentication protocols while allowing scoped exceptions Report-only mode to assess potential impact Role-based access rules (admins, execs, vendors, apps) Geo-aware policies and MFA enforcement Service account handling and migration to Graph or Modern Auth-compatible apps Key considerations: Apps that support legacy auth only Delegates and shared mailbox access scenarios BYOD and conditional registration enforcement Phase 3: Staged Rollout and Enforcement A phased approach reduced friction: Pilot group enforcement (IT, InfoSec, willing users) Report-only monitoring across business units Clear communications to stakeholders and impacted users User education campaigns on legacy app retirement Gradual enforcement by department, geography, or risk tier We used Microsoft Entra’s built-in messaging and Service Health alerts to notify users of policy triggers. Phase 4: Monitoring, Tuning, and Incident Readiness Once policies were in place: Monitored Sign-in logs for policy match rates and unexpected denials Used Microsoft Defender for Identity to correlate legacy sign-in attempts Created alerts and response playbooks for blocked sign-in anomalies Results: 100% of all user and app traffic transitioned to Modern Auth Drastic reduction in brute force traffic from foreign IPs Fewer support tickets around password lockouts and MFA prompts Lessons Learned Report-only mode is your best friend. Avoids surprise outages. Communication beats configuration. Even a perfect policy fails if users are caught off guard. Legacy mail clients still exist in vendor tools and old mobile apps. Service accounts can break silently. Replace or modernize them early. CA exclusions are dangerous. Every exception must be time-bound and documented. Conclusion Eliminating legacy authentication is not just a policy update — it’s a cultural shift toward Zero Trust. By combining deep visibility, staged enforcement, and a user-centric approach, organizations can securely modernize their identity perimeter. Microsoft Entra Conditional Access is more than a policy engine — it is the architectural pillar of enterprise-grade identity security. Author’s Note: This article is based on my real-world experience designing and enforcing Conditional Access strategies across global hybrid environments with Microsoft 365 and Azure AD/Entra ID. Copyright © 2025 Gonzalo Brown Ruiz. All rights reserved.Building Enterprise-Grade DLP with Microsoft Purview in Hybrid & Multi-Cloud Environments
Authored by: Gonzalo Brown Ruiz, Senior Microsoft 365 Engineer & Cloud Security Specialist Date: July 2025 Introduction Data is the lifeblood of every modern organization, yet it remains one of the most exposed assets. As organizations embrace hybrid and multi-cloud models, traditional endpoint or email-only DLP solutions no longer provide sufficient protection. The explosion of data across Exchange, SharePoint, Teams, OneDrive, and third-party SaaS applications introduces new risks and compliance challenges. Microsoft Purview Data Loss Prevention (DLP) provides a powerful solution that unifies data governance, sensitivity labeling, and policy enforcement across your cloud ecosystem. However, building an enterprise-grade DLP strategy goes far beyond enabling policies. Why Traditional DLP Fails in Modern Environments Traditional DLP approaches often: Protect only endpoints or email without covering cloud services Lack integration with data classification and labeling frameworks Generate excessive false positives due to generic rule sets Create operational friction for end users In hybrid environments with Teams, SharePoint, and OneDrive, these limitations lead to fragmented coverage, compliance blind spots, and user workarounds that expose sensitive data. The Microsoft Purview Advantage Microsoft Purview DLP offers: Unified policy management across Exchange Online, SharePoint, Teams, and OneDrive Integration with Sensitivity Labels for data classification and encryption Real-time policy tips that educate users without blocking productivity Built-in compliance manager integration for audit readiness When architected properly, Purview becomes a strategic enabler of data governance and compliance rather than just a security checkbox. Key Components of an Enterprise-Grade DLP Strategy 1. Data Classification and Labeling Implement Sensitivity Labels with auto-labeling policies to classify and protect sensitive data at scale. 2. Policy Scoping and Exceptions Handling Design DLP policies that balance security with operational needs, incorporating exceptions for justified business processes. 3. Insider Risk Management Integration Correlate DLP events with insider risk signals to identify intentional or accidental data misuse. 4. Audit, Reporting, and Compliance Evidence Configure alerting, detailed reporting, and data residency mapping to fulfill regulatory and internal audit requirements. Implementation Framework: Your Step-by-Step Guide 1. Preparation Conduct a data inventory and sensitivity assessment Identify regulatory and contractual compliance obligations Engage business stakeholders for adoption readiness 2. Pilot Deployment Roll out policies to a controlled user group Review policy matches and refine rules to minimize false positives Provide targeted user training on policy tips and data handling expectations 3. Full Deployment Scale DLP policies across workloads (Exchange, SharePoint, Teams, OneDrive) Implement automated remediation actions with user notifications and audit logs 4. Optimization and Continuous Improvement Review policy match reports regularly to fine-tune thresholds and rules Incorporate feedback from security, compliance, and end users Integrate with eDiscovery workflows for legal readiness Best Practices and Lessons Learned Start with monitor-only policies to baseline activity before enforcing blocks Combine DLP with Sensitivity Labels and encryption policies for holistic protection Regularly educate users on data classification and handling standards Create clear governance structures for DLP ownership and policy management Balance security controls with user productivity to avoid shadow IT workarounds Conclusion Data Loss Prevention is no longer optional – it is a critical enabler of trust, compliance, and operational excellence. By architecting Microsoft Purview DLP as part of an enterprise data governance strategy, organizations can protect their most valuable asset – data – while empowering users to work securely and efficiently. Author’s Note: This article is based on my extensive professional experience designing and implementing Microsoft Purview DLP solutions for global enterprises across hybrid and multi-cloud environments. Copyright © 2025 Gonzalo Brown Ruiz. All rights reserved.
Hidden Group and Hidden Group Membership
Hi everyone! I have come across a requirement where the client would like to use an excel spreadsheet, a service account and application registration to manage group membership for a confidential group. They would like to create a group from which the members cannot leave, see other team members and cannot see the group itself. Now, I have the concept of the flow with me but for the life of me, I cannot get around to finding/configuring a group that meets the requirement. Have you guys come across this sort of scenario? Group Configuration: Users should not be able to view the group Users should not be able to view members of the group Users should not be able to leave the group Thanks in advance.Microsoft 365 Purview Your Unified Shield for Data Governance & Compliance
In a world where data is the new currency, organizations are under immense pressure to protect, govern, and manage it responsibly. Enter Microsoft 365 Purview—a powerful suite that unifies compliance, risk, and data governance into one intelligent platform. https://dellenny.com/microsoft-365-purview-your-unified-shield-for-data-governance-compliance/
