Microsoft Purview – Data Security Posture Management (DSPM) for AI
Introduction to DSPM for AI In an age where Artificial Intelligence (AI) is rapidly transforming industries, ensuring the security and compliance of AI integrations is paramount. Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations monitor AI activity, enforce security policies, and prevent unauthorised data exposure. Microsoft Purview Data Security Posture Management (DSPM) for AI addresses three primary areas: Recommendations, Reports, and Data Assessments. DSPM for AI assists in identifying vulnerabilities associated with unprotected data and enables prompt action to enhance data security posture and mitigate risks effectively. Getting Started with DSPM for AI To manage and mitigate AI-related risks, Microsoft Purview provides easy-to-use graphical tools and comprehensive reports. These features allow you to quickly gain insights into AI use within your organization. The one-click policies offered by Microsoft Purview simplify the process of protecting your data and ensuring compliance with regulatory requirements. Prerequisites for Data Security Posture Management for AI To use DSPM for AI from the Microsoft Purview portal or the Microsoft Purview compliance portal, you must have the following prerequisites: You have the right permissions. Monitoring Copilot interactions requires: Users are assigned a license for Microsoft 365 Copilot. o Microsoft Purview auditing enabled. Check instructions for Turn auditing on or off. Required for monitoring interactions with third-party generative AI sites: Devices are onboarded to Microsoft Purview, required for: Gaining visibility into sensitive information that's shared with third-party generative AI sites. (e.g., credit card numbers pasted into ChatGPT). Applying endpoint DLP policies to warn or block users from sharing sensitive information with third-party generative AI sites. (e.g. a user identified as elevated risk in Adaptive Protection is blocked with the option to override when they paste credit card numbers into ChatGPT) The Microsoft Purview browser extension is deployed to users and required to discover site visits to third-party generative AI sites. Things to consider Recommendations may differ based on M365 licenses and features. Not all recommendations are relevant for every tenant and can be dismissed. Any default policies created while Data Security Posture Management for AI was in preview and named Microsoft Purview AI Hub won't be changed. For example, policy names will retain their Microsoft AI Hub -prefix. In this blog post we are going to focus on Recommendations. Recommendations Let's explore each of the recommendations in detail, which will encompass one-click policy creation, data assessments, step-by-step guidance, and regulations. The data in the reports section will be contingent upon the completion of each recommendation. Figure 1: Recommendations – DSPM for AI Control unethical behaviour in AI Type: One-click policy Solution: Communication Compliance Description: This policy identifies sensitive information within prompts and response activities in Microsoft 365 Copilot. Action: Create policy to setup a one-click policy. Conditions: Content matches any of these trainable classifiers: Regulatory Collusion, Stock manipulation, Unauthorized disclosure, Money laundering, Corporate Sabotage, Sexual, Violence, Hate, Self-harm By default, all users and groups are added. The customisation of the policy is also available during the one-click policy creation process. Figure 2: Recommendations – One-click policy Guided assistance to AI regulations Type: New AI regulations Solution: Compliance manager Description: This recommendation is based on the NIST AI RMF regulations, suggesting actions to help users protect data during interactions with AI systems. Action: Monitor AI interaction logs: Go to Audit logs, configure search with workload filter, select copilot and sensitive information type and review search results. Monitor AI interactions in other AI apps: Navigate to DSPM for AI and review interactions in other AI apps for sensitive content and turn on policies to discover data across AI interactions and other AI apps. Flag risky communication and content in AI interactions: Create Communication compliance policy to define the necessary conditions and fields and select Microsoft Copilot as location. Prevent sensitive data from being shared in AI apps: Create Data loss prevention (DLP) policy with sensitive information type as conditions for Teams and Channel messages location. Manage retention and deletion policies for AI interactions: Create a retention policy for Teams chat and Microsoft 365 Copilot interactions to preserve relevant AI activities for a longer duration while promptly deleting non-relevant user actions. Protect sensitive data referenced in Copilot responses Type: Assessment Solution: Data assessments Description: Use data assessments to identify potential oversharing risks, including unlabelled files. Action: Create Data Assessments, Navigate to DSPM for AI - Data Assessments and Create Assessments. Enter assessment name and description Select users and data sources to assets for oversharing data Conduct the assessment scan and review the results to gain insights into oversharing risks and recommended solutions to restrict access to sensitive data. Implement the necessary fixes to protect your data. Discover and govern interactions with ChatGPT Enterprise AI (preview) Type: ChatGPT Enterprise AI (Data discovery) Solution: Microsoft Purview Data Map Description: Register ChatGPT Enterprise workspace to discover and govern interactions with ChatGPT Enterprise AI. Action: If you’re organisation is using ChatGPT Enterprise, then enable the Connector In Microsoft Azure, use Key Vault to manage credentials for third-party connectors: Use Key Vault to create and manage the secret for the ChatGPT Enterprise AI Connector. In Microsoft Purview, configure the new connector using Data Map: How to manage data sources in the Microsoft Purview Data Map Create and start a new scan: Create a new scan, select credential, review, and run the scan. Protect sensitive data referenced in Microsoft 365 Copilot (preview) Type: Data Security Solution: Data loss prevention Description: Content with sensitivity labels will be restricted from Copilot interactions with a data loss prevention policy. Action: Create a custom DLP policy and select Microsoft 365 Copilot as the data source. Create a custom rule o Condition: content contains sensitivity labels. o Action: Prevent Copilot from processing content. Figure 3: Custom DLP policy condition and action Fortify your data security Type: Data security Solution: Data loss prevention Description: Data security risks can range from accidental oversharing of information outside of the organization to data theft with malicious intent. These policies will protect against the data security risks with AI apps. Action: A one-click policy is available to create a data loss prevention (DLP) policy for endpoints (devices), aimed at blocking the transmission of sensitive information to AI sites. It utilises Adaptive Protection to give a warn-with-override alert to users with elevated risk levels who attempt to paste or upload sensitive information to other AI assistants in browsers such as Edge, Chrome, and Firefox. This policy covers all users and groups in your org in test mode. Figure 4: Block with override for elevated risk users Information Protection Policy for Sensitivity Labels Type: Data security Solution: Sensitivity Labels Description: This policy will set up default sensitivity labels to preserve document access rights and protect Microsoft 365 Copilot output. Action: Create policies will navigate to Information protection portal to set up sensitivity labels and publishing policy. Protect your data from potential oversharing risks Type: Data Security Solution: Data Assessment Description: Data assessments provide insights on potential oversharing risks within your organisation for SharePoint Online and OneDrive for Business (roadmap) along with fixes to limit access to sensitive data. This report will include sharing links. Action: This is a default oversharing assessment policy. To see the latest oversharing scan results: Select View latest results and choose a data source. Complete fixes to secure your data. Figure 5: Data assessments – Oversharing assessment data with sharing links report Use Copilot to improve your data security posture (preview) Type: Data security posture management Solution: Data security posture management (DSPM) Description: Data Security Posture Management (preview) combines deep insights with Security Copilot capabilities to help you identify and address security risks in your org. Benefits: Data security recommendations Gain insights into your data security posture and get recommendations protecting sensitive data and closing security gaps. Data security trends Track your org's data security posture over time with reports summarizing sensitive label usage, DLP policy coverage, changes in risky user behaviour, and more. Security Copilot Security Copilot helps you investigate alerts, identify risk patterns, and pinpoint the top data security risks in your org.People of Purview: Victor Wingsing, Jr.
It is our pleasure to introduce you to Microsoft Purview practitioner and MVP, Victor Wingsing Jr., who hails from “the bright and sunny London, United Kingdom” and currently serves as a Senior Manager in Technology Consulting at Protiviti. Victor has been working on Exchange and Windows since 2006, when his first tech job gave him the opportunity to work on Windows XP Migration and Exchange 2007 administration, which was also his very first Microsoft Certification! He has been working with Purview for five years. How (and when) did you get involved in the Microsoft Community? (Customer Connection Program, MVP, etc) Tell us about your journey! I've been part of the CCP for the past 3 years and the MVP community this past year when I got my MVP recognition. The CCP has been great since it has helped me get ahead of my tech learning. Each CCP call that I've attended has allowed me to immerse myself in Microsoft Security solutions. These then translated to me being able to better explain the technology to my clients. Learn More About the Customer Connection Program (CCP) What do you find most rewarding about being a community member? I find that the most rewarding part is connecting with the community. My pool of contacts and resources has significantly grown after being a member. The other thing that I value about the program is the connection with the Microsoft product groups during the Product Group feedback session. I know that we are being heard as I see our feedback from years back being introduced as part of the solution. What advice do you have for others who would like to get involved in their Microsoft Community? Get started today. You don't need to be an expert to join. Start by asking questions as there are many helpful and knowledgeable members who are ready and willing to share. The Microsoft Community is NOT just an online community. You can likely find a local community in your area. There are many Microsoft User Groups for you to join in-person or virtually. Check out Meet Up or Facebook groups for these kinds of user groups. Do you have anything you’d like to promote or recommend? (your blog or podcast, an article you recommend, a book everyone should read, etc) If you'd like to hear more about my thoughts on Information Security, Data Loss Prevention, Insider Risk Management, AI and more. Please read my blog at: https://victorwingsing.com/ Feel free to follow me on LinkedIn: https://www.linkedin.com/in/victorwingsing/ I can also be found in the Microsoft Tech Community at : Member: vicwingsing | Microsoft Community Hub For books to read: I'm a big fan of sci-fi books. Give these books a read: Of Ants and Dinosaurs by Cixin Liu Starter Villian by John Scalzi Kaiju Preservation Society by John Scalzi Rivers of London by Ben Aaronovitch (this one is a fantasy series set in real location in and around London) _____________________________________________________________________________________________________ Stay tuned to meet more People of Purview! If you'd like to get involved with the Microsoft Security Community, here are a some quick actions you can take: Log in (here, on Tech Community!) and follow: The Purview Community - post questions, respond to community members The all-up Microsoft Security Blog Join the Security Community mailing list Join the Customer Connection Program Check out this Community Choice article for a comprehensive list of Microsoft Security Community offerings. Questions? Feel free to post below or message blog author RenWoods directly.
Set Up Endpoint DLP Evidence Collection on your Azure Blob Storage
Endpoint Data Loss Prevention (Endpoint DLP) is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. Microsoft Endpoint DLP allows you to detect and protect sensitive content across onboarded Windows 10, Windows 11 and macOS devices. Learn more about all of Microsoft's DLP offerings. Before you start setting up the storage, you should review Get started with collecting files that match data loss prevention policies from devices | Microsoft Learn to understand the licensing, permissions, device onboarding and your requirements. Prerequisites Before you begin, ensure the following prerequisites are met: You have an active Azure subscription. You have the necessary permissions to create and configure resources in Azure. You have setup endpoint Data Loss Prevention policy on your devices Configure the Azure Blob Storage You can follow these steps to create an Azure Blob Storage using the Azure portal. For other methods refer to Create a storage account - Azure Storage | Microsoft Learn Sign in to the Azure Storage Accounts with your account credentials. Click on + Create On the Basics tab, provide the essential information for your storage account. After you complete the Basics tab, you can choose to further customize your new storage account, or you accept the default options and proceed. Learn more about azure storage account properties Once you have provided all the information click on the Networking tab. In network access, select Enable public access from all networks while creating the storage account. Click on Review + create to validate the settings. Once the validation passes, click on Create to create the storage Wait for deployment of the resource to be completed and then click on Go to resource. Once the newly created Blob Storage is opened, on the left panel click on Data Storage -> Containers Click on + Containers. Provide the name and other details and then click on Create Once your container is successfully created, click on it. Assign relevant permissions to the Azure Blob Storage Once the container is created, using Microsoft Entra authorization, you must configure two sets of permissions (role groups) on it: One for the administrators and investigators so they can view and manage evidence One for users who need to upload items to Azure from their devices Best practice is to enforce least privilege for all users, regardless of role. By enforcing least privilege, you ensure that user permissions are limited to only those permissions necessary for their role. We will use portal to create these custom roles. Learn more about custom roles in Azure RBAC Open the container and in the left panel click on Access Control (IAM) Click on the Roles tab. It will open a list of all available roles. Open context menu of Owner role using ellipsis button (…) and click on Clone. Now you can create a custom role. Click on Start from scratch. We have to create two new custom roles. Based on the role you are creating enter basic details like name and description and then click on JSON tab. JSON tab gives you the details of the custom role including the permissions added to that role. For owner role JSON looks like this: Now edit these permissions and replace them with permissions required based on the role: Investigator Role: Copy the permissions available at Permissions on Azure blob for administrators and investigators and paste it in the JSON section. User Role: Copy the permissions available at Permissions on Azure blob for usersand paste it in the JSON section. Once you have created these two new roles, we will assign these roles to relevant users. Click on Role Assignments tab, then on Add + and on Add role assignment. Search for the role and click on it. Then click on Members tab Click on + Select Members. Add the users or user groups you want to add for that role and click on Select Investigator role – Assign this role to users who are administrators and investigators so they can view and manage evidence User role – Assign this role to users who will be under the scope of the DLP policy and from whose devices items will be uploaded to the storage Once you have added the users click on Review+Assign to save the changes. Now we can add this storage to DLP policy. For more information on configuring the Azure Blob Storage access, refer to these articles: How to authorize access to blob data in the Azure portal Assign share-level permissions. Configure storage in your DLP policy Once you have configured the required permissions on the Azure Blob Storage, we will add the storage to DLP endpoint settings. Learn more about configuring DLP policy Open the storage you want to use. In left panel click on Data Storage -> Containers. Then select the container you want to add to DLP settings. Click on the Context Menu (… button) and then Container Properties. Copy the URL Open the Data Loss Prevention Settings. Click on Endpoint Settings and then on Setup evidence collection for file activities on devices. Select Customer Managed Storage option and then click on Add Storage Give the storage name and copy the container URL we copied. Then click on Save. Storage will be added to the list. Storage will be added to the list for use in the policy configuration. You can add up to 10 URLs Now open the DLP endpoint policy configuration for which you want to collect the evidence. Configure your policy using these settings: Make sure that Devices is selected in the location. In Incident reports, toggle Send an alert to admins when a rule match occurs to On. In Incident reports, select Collect original file as evidence for all selected file activities on Endpoint. Select the storage account you want to collect the evidence in for that rule using the dropdown menu. The dropdown menu shows the list of storages configured in the endpoint DLP settings. Select the activities for which you want to copy matched items to Azure storage Save the changes Please reach out to the support team if you face any issues. We hope this guide is helpful and we look forward to your feedback. Thank you, Microsoft Purview Data Loss Prevention TeamPeople of Purview: Nikki Chapple
Meet Nikki Chapple, from the London area of the UK, Principal Cloud Architect at CloudWay, and Microsoft MVP and Customer Connection Program member! Nikki has worked with Microsoft products for over 10 years, although her IT career spans four decades, starting in the days of paper tape and punch cards! Her background is in enterprise architecture, translating business needs into practical technical solutions. Nikki specializes in data governance, security, and change management, helping organizations adopt Microsoft 365 in a way that prioritizes people, processes, and policy, not just technology. Read on to learn more about Nikki, her experience with Microsoft Communities, and her favorite resources to share! To kick this off, tell us about your start with Microsoft Purview; when and why? I began focusing on Microsoft Purview with the rise of Microsoft Teams. I viewed it as a chance to rethink how organizations manage collaboration, prioritizing people, processes, and governance. Microsoft Purview is now essential to my work, helping organizations protect sensitive data, comply with regulations, and integrate governance into daily practices. It's about creating a trusted digital workplace where security, transparency, and user empowerment are key. When did you begin your involvement in the Microsoft Community? Tell us about your journey. I’ve been a Microsoft MVP for three years. My journey began before this, as I shared my experiences through blogs and speaking engagements. I've found that sharing our experiences, both successes and challenges, can be incredibly inspiring and motivating for others. Connecting with others who are passionate about Microsoft 365 and Purview has been inspiring and rewarding. What do you find most rewarding about being a community member? The most rewarding aspect is the people, connecting with others who share a passion for Microsoft Purview, innovation, and lifelong learning. The community is a continuous source of inspiration, insights, and support. Whether through events, forums, or collaboration, there's always a chance to grow, share, and give back. What advice do you have for others wanting to get involved in their Microsoft Community? Start small: Join forums or webinars. Share what you know in blogs, talks, or conversations. Be consistent and stay curious. Connect with others and give back when you can. Everyone has something valuable to contribute! Can you tell us more about your Microsoft Customer Connection Program (MCCP) Experience? How has it helped you, your customers, and fellow community members? Being part of the Microsoft Purview CCP has allowed me to share real-world customer scenarios directly with the product team, ensuring our clients' voices are heard. This direct line of communication has significantly boosted customer confidence and loyalty as they see their feedback shaping the platform's evolution. Knowing that their challenges are being addressed reassures them that their investment in Microsoft 365 is secure and future-proof. As a Principal Cloud Architect, I collaborate closely with customers to understand their specific needs and challenges. By influencing the design of Purview features based on these insights, I help create highly relevant and practical solutions. This real-world application results in faster adoption and greater satisfaction, as clients see immediate benefits in their day-to-day operations. The CCP provides early access to new features through private preview programs, a strategic advantage for planning governance and compliance strategies for my clients. As an MVP and consultant, this is especially advantageous when working with large or regulated organizations, where preparation and alignment with internal controls are essential. Furthermore, it enables me to share practical insights through my blog "nikkichapple.com" and my podcast "All Things M365 Compliance", benefiting the wider community. Anything else you’d like to share? I’m passionate about making complex topics like compliance and governance more accessible. Whether through writing, presenting, or mentoring, I love helping others build confidence in this space, especially those just starting their journey in Microsoft 365. Do you have anything you’d like to promote or recommend? (your blog or podcast, an article you recommend, a book everyone should read, etc.) I share my insights at nikkichapple.com, focusing on data security, governance, and compliance topics that matter. Additionally, I co-host the All Things M365 Compliance video podcast, where I team up with Ryan John Murphy from Microsoft and a former MVP to explore everything about Microsoft 365 Purview. ______________________________________________________________________________________________________ Stay tuned to meet more People of Purview! If you would like to get involved with the Microsoft Security Community, here are some quick actions you can take: Log in (here, on Tech Community!) and follow: The Purview Community - post questions, respond to community members The all-up Microsoft Security Blog Join the Security Community mailing list Join the Customer Connection Program Check out this Community Choice article for a comprehensive list of Microsoft Security Community offerings. Nikki's links: Nikki Chapple- Microsoft 365 Blog All Things M365 Compliance - YouTube Questions? Feel free to post below or message blog author RenWoods directly.Sharing: PDF readers that support Purview labels
As I was researching on Adobe Acrobat reader and Sensitivity labels, I decided to check if the common alternative PDF readers out there are able to support Purview MIP Sensitivity labels. There is already a published documentation on this for SharePoint-Compatible PDF readers that supports Microsoft IRM: https://learn.microsoft.com/en-us/purview/sp-compatible-pdf-readers-for-irm (last updated Nov-2023) but I wanted to see if these same PDF readers supports the ability for end-users to use/ select labels similar to that of Adobe Acrobat As of 11-June-2025; atleast one of them clearly do: Nitro PDF: Yes. Documentation shows that users can see and use the sensitivity labels. PDF -X.change Editor: Yes. Documentation show that users can see and use the sensitivity labels. (check the official website, I can't hyperlink it because the site is blocked. FOX PDF editor: No. Documentation only states RMS and not clear if it show Purview labels. This is for F.O.X.I.T editor (spelled without the ".") but for some reason there is a community ban on that word and it won't allow me to post the full name PDFescape: No. Sumatra PDF: No Okular: No If there are other PDF readers that I've missed, I encourage you list it down in the comment below. Would love to grow this list.Microsoft Purview eDiscovery is getting a unified, streamlined experience starting May 26, 2025!
We are announcing three major updates to Microsoft Purview eDiscovery, enhancing our commitment to data security, privacy, and compliance. Beginning May 26, 2025: Content Search will transition to the new unified Purview eDiscovery experience. The eDiscovery (Standard) classic experience will transition to the new unified Purview eDiscovery experience. The eDiscovery export PowerShell cmdlet parameters will be retired. Check out the full details in the official announcement: Upcoming changes to Microsoft Purview eDiscovery | Microsoft Community HubThe First Purview AMA of 2025 is Now On-Demand
The Microsoft Purview Community has kicked off a new year picking the brains of subject matter experts to understand all that Purview can do for their data security, governance, and compliance. The panelists: Maxime Bombardier - Purview Data Security and Horizontals Sandeep Shah - Purview Data Governance Peter Oguntoye - Purview Compliance A sampling of the questions: When will we see integration between the container sensitivity labels (groups and sites) and item sensitivity labels (files and emails)? Is there a matrix to see what capabilities in Purview can be used with which license? In Purview Activity Explorers, is there a way to save custom filters? There are the built-in filters, and then you can add additional filters, but never see an option to save. If not possible, is this a future enhancement coming? What is your advice on sharing confidential information with external users and the use of Information Protection labeling? I mean, do you recommend adding external users as guest users, or using a label configured with 'Any Authenticated Users' instead? If a large enterprise customer sees many false positives returned from trainable classifiers like profanity, how can they train or recreate these to more effectively use communication compliance The rest of the questions can be found in this post; even those that didn't make it to the live AMA are answered. Here is the full Jan 8th Purview AMA Recording: And finally, please comment below- what kind of content would you like to see from Purview experts or your fellow community members/users in the future? Thank you for engaging with the Purview Community!
