Microsoft Purview - Paint By Numbers Series (Part 2f) – Automatic Labeling Emails and Files
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience
The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data and encrypt it where needed.

Document Scope
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the topic. We will be covering the auto-labeling of data at rest. It is presumed that you already have a Sensitive Information Type that you want to use in your Information Protection policy. For the purposes of this document, I will be using a previously created Data Classification called “Automatic_Label_Contoso_medical”. The keyword I am tracking within that data classifier is “Contoso_medical”. I am doing this to avoid labeling any files by accident by using an out-of-the-box classifier. For information on how to create your own data classifier, refer back to “Part 1 – Sensitivity Information Types” of this blog series.
This document is only meant to be an introduction to the topic of multiple Sensitivity labels. Always refer back to official Microsoft documentation or your Microsoft account team for the latest information.

Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Purview, including:
Data Classification
Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
Data Lifecycle Management (retention and disposal)
Records Management (retention and disposal)
eDiscovery
Insider Risk Management (IRM)
Priva
Advanced Audit
Microsoft Cloud App Security (MCAS)
Information Barriers
Communications Compliance
Licensing

It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). For details on licensing (i.e. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.

Overview of Document
Create a Sensitivity Label
Verify automatic policy is published
Publish your automatic Sensitivity labeling policy
Changing between Simulation and “Enabled” mode
Reporting on simulations of label application
Test the Sensitivity Label is applied to existing files
Test the Sensitivity Label is applied to existing emails

Use Case
Applying Sensitivity labels to data at rest in OneDrive, SharePoint sites, Teams Sites, and Exchange mailboxes.

Definitions
Sensitivity Label – a metadata tag
Publish Label – making the metadata tag available to your tenant
Policy – the monitoring and applying of Sensitivity labels through the Microsoft tenant

Notes
Remember it can take 24-48 hours for a new Sensitive Information Type (SIT) to start to be found in your tenant. So create your SIT ahead of time and place it in Exchange mails, SharePoint/Teams sites, and OneDrive for your testing.

Types of labels:
Automatic labels are applied to data at rest.
Default labels are applied to data upon creation (and based on what is in the file/email).
Recommended labels do not label data, but appear when a specific piece of Sensitive Information Type (ex. Contoso_Medical) is added to a file/email. It is up to the user to apply or not apply the recommended label.

Here are some very important things to note about Simulation vs “Enabled” automatic labeling policies. Automatic labeling policies should be thoroughly tested in your dev tenant, and your data security team (or equivalent) should be consulted when using labels, especially automatic labeling. Here is a screenshot of the enablement mode (simulation, off, on) that will be referred to several times in this blog. When in doubt, run the default of Run policy in simulation mode. If you want to apply a label in your dev tenant, you will need to check the box next to Automatically turn on policy if not modified after 7 days in simulation. I recommend you only do this in a dev tenant and after much consideration. If you want to do this in production, I recommend:
you consult with your Microsoft support team or certified Microsoft partner
you be certain you have thoroughly defined your relevant a) data classification, b) taxonomy, and c) ramifications of applying sensitivity labels to your production data

For this blog, I will be enabling automatic labeling so I can demonstrate labels being applied to files and emails in my demonstration tenant.

Pre-requisites
You have read Parts 0, 1 and 2 of this blog series.
You have a Sensitive Information Type (SIT) that will be tied to this automatic label.
Populate emails and files with your test information several days before you create your policies. In my environment, I am testing with the phrase “Contoso_Medical”. This will be important during the simulation and testing done later in this blog.

Part 1 – Create an automatic Sensitivity label
We will first set up our automatic label.
Give the label a name and description (and color marker, if you wish). Then click Next.

For the Scope, select Items and be sure that Files and Emails are selected. Then click Next.

Under the Items section of the wizard, select Apply or remove encryption and Apply content marking, then click Next.

We now arrive at Encryption. Click Configure encryption settings. Under Assign permissions now or let users decide?, choose Assign permissions now. Leave the rest of the settings at the default. Under Assign permissions to specific users and groups, click Assign permissions. For the purpose of this blog, I will click Add all users and groups in your organization, then click Save.

For Apply content watermarking, I like to use the header option, as it is the easiest because it is at the top of each electronic page.

Next, we will Enable auto-labeling for files and emails. At the top of this page, for Content contains, we will select the SIT that we created previously. In my case, I am using the “Recommended_Label_Contoso_medical”. The keyword I am tracking within that data classifier is “Contoso_medical”. At the bottom of this page, for When content matches these conditions, select Automatically apply the label. Note – this is the proverbial switch that needs to be flipped to make a label Recommended vs. Automatic vs. Default. We also want to provide an explanation in Word, Excel, etc. for the users. So in the field Display this message to users when the label is applied, type the message you want your user to see when the label is recommended. Then click Next.

On the protection settings for Groups and Sites, we will not be enabling anything, as they are not applicable for this label and policy. Accept the defaults and click Next.

On the schematized data assets page, we will leave this at the default of Off. Click Next.

Review your label and click Create Label.

Under Next steps, select Automatically apply label to sensitive content.
Note – If you select Publish label to user’s apps, you’ll have to follow the steps in the “Publish your automatic label” section below.

Click Done, then Create Policy, and then Close.

Part 2 – Verify automatic policy is published
If, at the “Create your automatic label” section above, you clicked Automatically apply label to sensitive content, proceed to the test label on new file/email sections below. If you did NOT click Automatically apply label to sensitive content above, then go to the “Publish your automatic policy” section below.

If you are not sure whether your policy was created, you can find out by doing the following. Go to Information Protection –> Auto-labeling. Under Simulation, you should find the policy created on the last step of creating your label.

Part 3 – Publish your automatic Sensitivity label (if needed)
If needed, you can set up your automated labeling policy. You do this as follows:
Go to Information Protection –> Auto-labeling. Click Create auto-labeling policy.
On the first step of the wizard, select Custom -> Custom policy. Then click Next.
Give the policy a name and click Next.
In the next step of the wizard, you can assign a specific administrative team to manage this policy. We will not be doing that in this blog. Click Next.
Next, choose the locations where this automatic policy will be applied. These locations include Exchange (for users or groups), SharePoint (and Teams) sites, and OneDrive (for users or groups). As I am in a test tenant, I will accept the defaults. I recommend you narrow your locations to a test user(s) or SharePoint sites for your initial testing.
For the next step, I will accept the Common rules. Feel free to explore the advanced rules on your own. Click Next.
Now we will create a rule to go with our automatic label above. Click New rule. Give your rule a name, description, and add a condition.
I’ll be using the Sensitive Information Type I created previously (Automatic_Label_Contoso_Medical). When you are ready, click Save and then click Next.
Next, choose a label to be applied. To do this, click Choose a label, choose a label and click Save. When you are satisfied, click Next.
Under additional settings, accept the defaults and click Next.
The next step is to either turn the policy on or off. I will leave the default of Run policy in simulation mode. When you are ready, click Next.
Review your automatic policy and click Create policy and then click Done.

You are now ready to move to the testing phase of this blog.

Part 4 – Changing between Simulation mode and “Enabled” mode
Do the following to change from simulation mode to “enabled” mode or vice versa.
Go to Information Protection –> Auto-labeling. Under Simulation, you should find the policy created on the last step of creating your label. Select Edit policy.
In the wizard, go to Policy Mode (on the left). When you are ready, click Next.
When you have made the change you want, click Next, review your automatic policy, click Create policy and then click Done.

Part 5 – Reporting on simulations of automatic labeling
To know what files/emails would be labeled if your automatic labeling policy had actually run, you will need to go to the following location.

Note – Remember that it can take several days for your tenant to start reporting back on existing data matching your policy. This is due to back-end data processing and indexing that we will not discuss at this time.

Go to Information Protection –> Auto-labeling. Under Simulation, you should find the policy created above. Open your policy. At the bottom of the policy, you will see results for files and emails that will match your policy.

Note #1 – You should pre-populate your test SharePoint sites and OneDrive sites with data that contains your SIT data (ex. “contoso_medical”).
Note #2 – For emails, you need to send those after your policy is created for them to be seen by your automatic labeling policy.

Before we can apply our “test” automated labels against the data in our tenant, we have to enable our policy. Do this by clicking Turn on policy as seen in the screenshot above. Now move to the next section.

Part 6 – Test label on new file
Before we start our file and email tests, remember that labels and policies can take a while to replicate throughout your tenant. One hour is usually a good amount of time to wait, but it might be quicker or slower to populate based on several variables in your tenant we will not cover at this time. With that understanding, let us move on to our testing.

Because automatic labeling takes place on cloud workloads at this point in time (not on endpoint devices), we will do our testing against a file (or files) created on a OneDrive or SharePoint site (related to your test locations mentioned above in Part 3).
Create a new Word, Excel or PowerPoint document. I will create a Word document.
Type in the Sensitive Information Type that you have associated with your recommended Sensitivity label (I am using the compound word “contoso_medical”) and save your file.
Wait a few minutes for the automatic labeling to run on the backend in the cloud.
Reopen the file in your browser. At the bottom you should see your label next to a padlock icon.
If you then open that file in your local version of Word, you will see the label information marked in 2 locations.

This is the end of the file testing.

Part 7 – Test label on new email
We will now test this automatic label against a newly created email.
Open Outlook. Create a New Email.
Type in the Sensitive Information Type that you have associated with your recommended Sensitivity label (I am using the compound word “contoso_medical”) and send it to/from your test user (see my example email below).
Note – If you have a default label configured like I do, you might see that on the left of your From/To/CC/BCC fields. As this is the easiest way to see a change in your label, let us look at an example.

Once you receive the email, you should see something similar to the following in your Inbox/email Preview panel (or when you open your email).

This is the end of the email testing.

Appendix and Links
Create and publish sensitivity labels - Microsoft Purview (compliance) | Microsoft Learn
Labeling in the Microsoft Purview Data Map - Microsoft Purview | Microsoft Learn
Enable sensitivity labels in Power BI - Power BI | Microsoft Learn
Automatically apply a sensitivity label in Microsoft 365 - Microsoft Purview (compliance) | Microsoft Learn
Learn about sensitivity labels - Microsoft Purview (compliance) | Microsoft Learn
Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites - Microsoft 365 Compliance | Microsoft Docs
Enable archive mailboxes in the Security & Compliance Center - Microsoft 365 Compliance | Microsoft Docs
Restrict access to content using sensitivity labels to apply encryption - Microsoft 365 Compliance | Microsoft Docs
Automatically apply a sensitivity label to content in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
Automatically apply sensitivity labels to your data - Azure Purview | Microsoft Docs
Manage sensitivity labels in Office apps - Microsoft 365 Compliance | Microsoft Docs
Mandatory label policy in Power BI - Power BI | Microsoft Docs

Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

Microsoft Purview - Compliance Score (Part 5) - GDPR
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link: Microsoft Purview - Compliance Score (Part 1) - Overview

Target Audience
This blog series is aimed at Security and Compliance officers who need to understand how the Microsoft Purview Compliance Manager assessments can help them meet their regulatory and certification needs.

Document Scope
This document will only be discussing the assessment specific to the General Data Protection Regulation (GDPR) and which Purview components are needed to meet the requirements in that assessment and its associated regulation.

Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Purview, including:
Compliance Manager (configuration)
Data Classification
Information Protection
Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
Data Lifecycle Management (retention and disposal)
Records Management (retention and disposal)
eDiscovery
Insider Risk Management (IRM)
Priva
Advanced Audit
Microsoft Cloud App Security (MCAS)
Information Barriers
Communications Compliance
Licensing

For details on licensing (i.e.
which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.

We will not be walking through the General Data Protection Regulation (GDPR) assessment step-by-step. For more information on running an assessment in Compliance Manager, you should reference the corresponding documentation listed in the Appendix and Links section below.

Overview of Document
We will be walking through how the General Data Protection Regulation (GDPR) assessment can be leveraged to meet GDPR and provide quantifiable results for meeting that regulation.
What is the General Data Protection Regulation (GDPR)?
What is the Compliance Manager General Data Protection Regulation (GDPR) assessment?
Process of taking assessment information and score and narrowing to Purview related solutions
GDPR assessment details (Control Family, Purview relevant solutions breakdown and Purview Compliance Score)

Use Case
Looking at a General Data Protection Regulation (GDPR) assessment at a high level.

Definitions
Actions – the things that need to be done to mark a Control as completed.
Assessments – these help you implement data protection controls specified by compliance, security, privacy, and data protection standards, regulations, and laws. Assessments include actions that have been taken by Microsoft to protect your data, and they're completed when you take action to implement the controls included in the assessment.
Assessment Templates – these templates track compliance with over 300 industry and government regulations around the world.
Compliance Score – Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved.
Your compliance score can help prioritize which action to focus on to improve your overall compliance posture. You receive an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.
Controls – the various requirements in your tenant that must be met to meet a part of an assessment.
Control Family – a grouping of Controls.
Microsoft Actions – these are actions that Microsoft has performed inside of your tenant to help it meet a specific assessment.
Progress – each assessment has a progress chart to help you visualize the progress you are making to meet the requirements of the assessment.
Your Improvement Actions – these are actions that you and your organization must perform to meet a specific assessment.

Notes
It is highly recommended that you run your own General Data Protection Regulation (GDPR) assessment to see the following information in your own tenant.

Pre-requisites
It is highly recommended that you run your own General Data Protection Regulation (GDPR) assessment to see the following information in your own tenant.

What is the General Data Protection Regulation (GDPR)?
Here is the definition listed in Microsoft Purview Compliance Manager: “The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that mandates how an organization should handle personal data. GDPR is applicable if your organization sells to, provides services to, or employs citizens of the EU.” You can also find more information at the General Data Protection Regulation (GDPR) official website, listed in the Appendix and Links section below.

What is the Compliance Manager General Data Protection Regulation (GDPR) assessment?
This is the official Microsoft tool that scans your tenant and compares it to the GDPR. It then provides a report and workflow on how to meet this regulation.
Narrowing General Data Protection Regulation (GDPR) to applicable Purview tools
We narrow the scope from All General Data Protection Regulation (GDPR) Control Families (5x) that the Assessment runs to just the Compliance applicable GDPR Control Families (6x). Then we can take those tactical Control Families and leverage the applicable Microsoft Purview tools that, when applied, can help you meet these Control Families. Here is one way to view this:
All Control Families (5x) -> Compliance applicable Control Families (5x) -> applicable Microsoft Purview tools
This graphic shows another way to visualize this.

General Data Protection Regulation (GDPR) Assessment details
Let us look at the details of the General Data Protection Regulation (GDPR) assessment as they relate to Microsoft Purview compliance solutions and your Compliance Score for your Microsoft tenant.

All Control Families (5x)
The General Data Protection Regulation (GDPR) assessment will report back on ALL the Control Families that are part of the GDPR.

Compliance applicable Control Families (5x)
From a Purview perspective, here are the 5 Control Families that are applicable to General Data Protection Regulation (GDPR) workloads.

Relevant Purview Solutions (12x)
Now that you know which Control Families are relevant to General Data Protection Regulation (GDPR), here are the Purview solutions that will help you meet those regulatory needs.

Purview Compliance Score
Let us look at a diagram of the General Data Protection Regulation (GDPR) assessment’s points: 1) GDPR Controls overall, 2) points that can specifically be addressed by Purview related tools, and 3) the percentage of the GDPR assessment points covered by implementing the Purview tools.
Appendix and Links
General Data Protection Regulation (GDPR) – Official Legal Text (gdpr-info.eu)
Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs
Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
Compliance score calculation - Microsoft Purview (compliance) | Microsoft Learn
Working with improvement actions in Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Learn

Microsoft Purview – Data Security Posture Management (DSPM) for AI
Introduction to DSPM for AI
In an age where Artificial Intelligence (AI) is rapidly transforming industries, ensuring the security and compliance of AI integrations is paramount. Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations monitor AI activity, enforce security policies, and prevent unauthorised data exposure. Microsoft Purview Data Security Posture Management (DSPM) for AI addresses three primary areas: Recommendations, Reports, and Data Assessments. DSPM for AI assists in identifying vulnerabilities associated with unprotected data and enables prompt action to enhance data security posture and mitigate risks effectively.

Getting Started with DSPM for AI
To manage and mitigate AI-related risks, Microsoft Purview provides easy-to-use graphical tools and comprehensive reports. These features allow you to quickly gain insights into AI use within your organization. The one-click policies offered by Microsoft Purview simplify the process of protecting your data and ensuring compliance with regulatory requirements.

Prerequisites for Data Security Posture Management for AI
To use DSPM for AI from the Microsoft Purview portal or the Microsoft Purview compliance portal, you must have the following prerequisites:
You have the right permissions.
Monitoring Copilot interactions requires:
  Users are assigned a license for Microsoft 365 Copilot.
  Microsoft Purview auditing is enabled. Check the instructions for Turn auditing on or off.
Required for monitoring interactions with third-party generative AI sites:
  Devices are onboarded to Microsoft Purview, required for:
    Gaining visibility into sensitive information that's shared with third-party generative AI sites (e.g., credit card numbers pasted into ChatGPT).
    Applying endpoint DLP policies to warn or block users from sharing sensitive information with third-party generative AI sites (e.g. a user identified as elevated risk in Adaptive Protection is blocked with the option to override when they paste credit card numbers into ChatGPT).
  The Microsoft Purview browser extension is deployed to users and is required to discover site visits to third-party generative AI sites.

Things to consider
Recommendations may differ based on M365 licenses and features. Not all recommendations are relevant for every tenant, and they can be dismissed.
Any default policies created while Data Security Posture Management for AI was in preview and named Microsoft Purview AI Hub won't be changed. For example, policy names will retain their Microsoft AI Hub prefix.

In this blog post we are going to focus on Recommendations.

Recommendations
Let's explore each of the recommendations in detail, which will encompass one-click policy creation, data assessments, step-by-step guidance, and regulations. The data in the Reports section will be contingent upon the completion of each recommendation.

Figure 1: Recommendations – DSPM for AI

Control unethical behaviour in AI
Type: One-click policy
Solution: Communication Compliance
Description: This policy identifies sensitive information within prompts and response activities in Microsoft 365 Copilot.
Action: Create policy to set up a one-click policy.
Conditions: Content matches any of these trainable classifiers: Regulatory Collusion, Stock manipulation, Unauthorized disclosure, Money laundering, Corporate Sabotage, Sexual, Violence, Hate, Self-harm.
By default, all users and groups are added. Customisation of the policy is also available during the one-click policy creation process.

Figure 2: Recommendations – One-click policy

Guided assistance to AI regulations
Type: New AI regulations
Solution: Compliance Manager
Description: This recommendation is based on the NIST AI RMF regulations, suggesting actions to help users protect data during interactions with AI systems.
Action:
Monitor AI interaction logs: Go to Audit logs, configure the search with the workload filter, select Copilot and the sensitive information type, and review the search results.
Monitor AI interactions in other AI apps: Navigate to DSPM for AI and review interactions in other AI apps for sensitive content, and turn on policies to discover data across AI interactions and other AI apps.
Flag risky communication and content in AI interactions: Create a Communication Compliance policy to define the necessary conditions and fields, and select Microsoft Copilot as the location.
Prevent sensitive data from being shared in AI apps: Create a Data Loss Prevention (DLP) policy with a sensitive information type as the condition for the Teams and Channel messages location.
Manage retention and deletion policies for AI interactions: Create a retention policy for Teams chat and Microsoft 365 Copilot interactions to preserve relevant AI activities for a longer duration while promptly deleting non-relevant user actions.

Protect sensitive data referenced in Copilot responses
Type: Assessment
Solution: Data assessments
Description: Use data assessments to identify potential oversharing risks, including unlabelled files.
Action: Create Data Assessments. Navigate to DSPM for AI - Data Assessments and click Create Assessments.
Enter an assessment name and description.
Select the users and data sources to assess for oversharing of data.
Conduct the assessment scan and review the results to gain insights into oversharing risks and recommended solutions to restrict access to sensitive data.
Implement the necessary fixes to protect your data.

Discover and govern interactions with ChatGPT Enterprise AI (preview)
Type: ChatGPT Enterprise AI (Data discovery)
Solution: Microsoft Purview Data Map
Description: Register the ChatGPT Enterprise workspace to discover and govern interactions with ChatGPT Enterprise AI.
Action: If your organisation is using ChatGPT Enterprise, then enable the connector.
In Microsoft Azure, use Key Vault to manage credentials for third-party connectors: Use Key Vault to create and manage the secret for the ChatGPT Enterprise AI connector.
In Microsoft Purview, configure the new connector using Data Map: How to manage data sources in the Microsoft Purview Data Map.
Create and start a new scan: Create a new scan, select the credential, review, and run the scan.

Protect sensitive data referenced in Microsoft 365 Copilot (preview)
Type: Data Security
Solution: Data loss prevention
Description: Content with sensitivity labels will be restricted from Copilot interactions with a data loss prevention policy.
Action: Create a custom DLP policy and select Microsoft 365 Copilot as the data source. Create a custom rule:
Condition: content contains sensitivity labels.
Action: Prevent Copilot from processing content.

Figure 3: Custom DLP policy condition and action

Fortify your data security
Type: Data security
Solution: Data loss prevention
Description: Data security risks can range from accidental oversharing of information outside of the organization to data theft with malicious intent. These policies will protect against data security risks with AI apps.
Action: A one-click policy is available to create a data loss prevention (DLP) policy for endpoints (devices), aimed at blocking the transmission of sensitive information to AI sites. It utilises Adaptive Protection to give a warn-with-override alert to users with elevated risk levels who attempt to paste or upload sensitive information to other AI assistants in browsers such as Edge, Chrome, and Firefox. This policy covers all users and groups in your org in test mode.
Figure 4: Block with override for elevated risk users

Information Protection Policy for Sensitivity Labels
Type: Data security
Solution: Sensitivity Labels
Description: This policy sets up default sensitivity labels to preserve document access rights and protect Microsoft 365 Copilot output.
Action: Selecting Create policies takes you to the Information Protection portal to set up sensitivity labels and a publishing policy.

Protect your data from potential oversharing risks
Type: Data Security
Solution: Data Assessment
Description: Data assessments provide insights on potential oversharing risks within your organisation for SharePoint Online and OneDrive for Business (roadmap), along with fixes to limit access to sensitive data. This report will include sharing links.
Action: This is a default oversharing assessment policy. To see the latest oversharing scan results:
- Select View latest results and choose a data source.
- Complete the fixes to secure your data.

Figure 5: Data assessments – Oversharing assessment data with sharing links report

Use Copilot to improve your data security posture (preview)
Type: Data security posture management
Solution: Data security posture management (DSPM)
Description: Data Security Posture Management (preview) combines deep insights with Security Copilot capabilities to help you identify and address security risks in your org.
Benefits:
- Data security recommendations: gain insights into your data security posture and get recommendations for protecting sensitive data and closing security gaps.
- Data security trends: track your org's data security posture over time with reports summarizing sensitivity label usage, DLP policy coverage, changes in risky user behaviour, and more.
- Security Copilot: Security Copilot helps you investigate alerts, identify risk patterns, and pinpoint the top data security risks in your org.

Microsoft Purview - Compliance Score (Part 1) - Overview
Blog Series
- Part 1 - Microsoft Purview - Compliance Score (Part 1) - Overview
- Part 2 - Microsoft Purview - Compliance Score (Part 2) - Sample Assessment Scoring
- Part 3 - Microsoft Purview - Compliance Score (Part 3) - HITRUST
- Part 4 - Microsoft Purview - Compliance Score (Part 4) - HIPAA / HITECH
- Part 5 - Microsoft Purview - Compliance Score (Part 5) - GDPR
- Part 6 - Microsoft Purview - Compliance Score (Part 6) - CCPA
- Part 7 - Microsoft Purview - Compliance Score (Part 7) - Data Protection Baseline
- Part 8 - Microsoft Purview - Compliance Score (Part 8) - ARMA GARP
- Part 9 - Microsoft Purview - Compliance Score (Part 9) - NIST Privacy Framework
- Part 10 - Microsoft Purview - Compliance Score (Part 10) - ISO 15489

Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience
This blog series is aimed at Security and Compliance officers who need to understand how the Microsoft Purview Compliance Manager assessments can help them meet their regulatory and certification needs.
Document Scope
This document will be covering:
- the goal of this blog series
- Compliance Manager assessments at a high level, and how to leverage them to meet a business need such as HIPAA, GDPR, CCPA, NIST, etc.

Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Purview, including:
- Compliance Manager (configuration)
- Data Classification
- Information Protection
- Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
- Data Lifecycle Management (retention and disposal)
- Records Management (retention and disposal)
- eDiscovery
- Insider Risk Management (IRM)
- Priva
- Advanced Audit
- Microsoft Cloud App Security (MCAS)
- Information Barriers
- Communications Compliance
- Licensing

For details on licensing (i.e. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.

We will not be walking through the HITRUST assessment step-by-step. For more information on running an assessment in Compliance Manager, you should reference the corresponding documentation listed in the Appendix and Links section below. You can also find a blog series covering how to do this and how to run other Purview functions at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Overview of Document
We will be walking through:
- the goal of this blog series
- Compliance Manager and what it does
- Compliance Score
- Compliance Manager – finding applicable Microsoft Solutions

Use Case
Using Compliance Manager assessments to meet government regulations or industry certifications.

Definitions
- Actions – the things that need to be done to mark a Control as completed
- Assessments – these help you implement data protection controls specified by compliance, security, privacy, and data protection standards, regulations, and laws.
  Assessments include actions that have been taken by Microsoft to protect your data, and they're completed when you take action to implement the controls included in the assessment.
- Assessment Templates – these templates track compliance with over 300 industry and government regulations around the world.
- Compliance Score – Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score can help prioritize which action to focus on to improve your overall compliance posture. You receive an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.
- Controls – the various requirements in your tenant that must be met to satisfy a part of an assessment
- Control Family – a grouping of Controls
- Microsoft Actions – these are actions that Microsoft has performed inside of your tenant to help it meet a specific assessment.
- Progress – each assessment has a progress chart to help you visualize the progress you are making to meet the requirements of the assessment
- Your Improvement Actions – these are actions that you and your organization must perform to meet a specific assessment.
- Regulations – the regulations or standards pertaining to the action
- (Microsoft) Solutions – the solution where you can go to perform the action
- Action Types – indicates whether the improvement action is technical, meaning it can be implemented within a solution or product, or non-technical, which would be implemented outside of a technical solution
- Group – the group to which you assigned the action
- Categories – the related data protection category (such as protect information, manage devices, etc.)
Notes
None

Pre-requisites
You should have a basic understanding of Compliance Manager and how it works. You can find this information in the blog named "Paint By Numbers" and the official Microsoft documentation found at docs.microsoft.com. You can find links to these in the section below labeled Appendix and Links.

Overview of this blog series
This blog series will review specific Microsoft Compliance Manager assessments and how they relate to Microsoft Purview solutions. Here is a list of the specific assessments:
- HITRUST for Microsoft 365
- HIPAA/HITECH for Microsoft 365
- GDPR for Microsoft 365
- California Consumer Privacy Act (CCPA) for Microsoft 365
- Data Protection Baseline for Microsoft 365

This is not meant to be an exhaustive list, as there are 700+ assessments in Compliance Manager as of the writing of this blog.

Overview of Compliance Manager and What it does
Here is the official answer as listed in docs.microsoft.com:

"Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps you manage your organization's compliance requirements with greater ease and convenience. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors."

Compliance Manager – What does it scan and track?
Each assessment in Microsoft Purview Compliance Manager tracks all the regulatory/certification requirements relevant to your Microsoft 365/Office 365 environment. Here is a visualization of how this scanning and tracking works.

Compliance Score
Here is the official definition as found in docs.microsoft.com. The URL can be found in the Appendix and Links section below.

"Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score.
Each action has a different impact on your score depending on the potential risks involved. Your compliance score can help prioritize which action to focus on to improve your overall compliance posture. Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance."

Compliance Manager – Finding Applicable Microsoft Solutions
Built into Compliance Manager is a way to review which Microsoft Solutions are applicable to each certification/regulation, along with the Compliance Score that each of these solutions will bring to your organization.

Go to Compliance Manager -> Solutions. Here you will see all the Microsoft solutions that are applicable to the assessments you have run.

On the right-hand side, click Filters. You can filter these solutions based on various criteria:
- Regulations – the regulations or standards pertaining to the action
- (Microsoft) Solutions – the solution where you can go to perform the action
- Action Types – indicates whether the improvement action is technical, meaning it can be implemented within a solution or product, or non-technical, which would be implemented outside of a technical solution
- Group – the group to which you assigned the action
- Categories – the related data protection category (such as protect information, manage devices, etc.)

You can filter on any of these criteria, but for the purposes of this blog we will choose Regulation -> Data Protection Baseline. This narrows ALL Microsoft Solutions down to just the ones relevant to a particular Assessment/Regulation/Certification.

You can narrow this further by Categories. Here I will select the categories relevant to Purview/Compliance workloads: Discover and Respond, Govern information, Manage compliance, Privacy Management, and Protect information.
For now, we will not apply any other filters inside the Compliance Manager -> Solutions section.

Returning to the Solutions page, we will now look at the two columns relevant to your Compliance Score: Current score contribution and Potential score remaining. These let you know which Microsoft Solutions will provide the most value toward meeting your regulation/certification needs.

We are now done with the Compliance Manager – Solutions page.

Microsoft Managed Scoring
Compliance Manager keeps track of both 1) the organization's responsibilities (i.e. your organization) and 2) Microsoft's responsibilities, as they pertain to each assessment, and then maps a score to those responsibilities.

Here is an example of where you would find both of these scores in a Compliance Manager assessment that I have already run. I have gone to Compliance Manager -> Assessment -> HITRUST. Then go to the Progress tab on the right side to find the Your points achieved score and the Microsoft managed points achieved score.

Thank Yous
Before finishing this overview, I want to thank the members of the Microsoft Health Life Sciences Purview Technical Specialist team (HLS Purview TS) for their assistance in creating, researching and developing this blog series. This includes, but is not limited to: Erfan Setork, Ken Sicinski, and Chad Lightfoot.
Appendix and Links
- Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs
- Working with improvement actions in Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs
- Build and manage assessments in Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs
- About the Microsoft Purview Compliance Manager premium assessment trial - Microsoft Purview (compliance) | Microsoft Docs
- Microsoft Purview Compliance Manager alerts and alert policies - Microsoft Purview (compliance) | Microsoft Docs
- Get started with Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs
- Compliance score calculation - Microsoft Purview (compliance) | Microsoft Learn
- Working with improvement actions in Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Learn
- Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use.
Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

Microsoft Purview - Paint By Numbers Series (Part 2g) – Recommended Labeling of Files and Emails
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate it at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience
The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data and encrypt it where needed.

Document Scope
This document is meant to guide an administrator who is "net new" to Microsoft E5 Compliance through the following topic. We will be covering the recommendation of labels for new files and emails based on the Sensitive Information Type found within those files and emails.

It is presumed that you already have a Sensitive Information Type that you want to use in your Information Protection policy. For the purposes of this document, I will be using a previously created Data Classification called "Recommended_Label_Contoso_medicine". The keyword I am tracking within that data classifier is "Contoso_medicine". I am doing this to avoid labeling any files by accident, as could happen with an out-of-the-box classifier.
For information on how you create your own data classifier, refer back to "Part 1 – Sensitivity Information Types" of this blog series.

This document is only meant to be an introduction to the topic of multiple Sensitivity labels. Always refer back to official Microsoft documentation or your Microsoft account team for the latest information.

Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Purview, including:
- Data Classification
- Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
- Data Lifecycle Management (retention and disposal)
- Records Management (retention and disposal)
- eDiscovery
- Insider Risk Management (IRM)
- Priva
- Advanced Audit
- Microsoft Cloud App Security (MCAS)
- Information Barriers
- Communications Compliance
- Licensing

It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). For details on licensing (i.e. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.

We will not be covering the auto-labeling of data at rest. That will be covered in another blog post, and those auto-labeling policies should not be created until after you have locked down your Sensitivity labeling of all "net new" data.

Overview of Document
- Create a recommended Sensitivity Label
- Create a recommended Sensitivity labeling policy
- Verify that the user is prompted to apply the specific Sensitivity Label to a new file
- Verify that the user is prompted to apply the specific Sensitivity Label to a new email

Use Case
Prompting users to apply a Sensitivity Label when sensitive data is detected within a new file or email.
Definitions
- Sensitivity Label – a metadata tag
- Publish Label – making the metadata tag available to your tenant
- Policy – the monitoring and applying of Sensitivity labels throughout the Microsoft tenant

Notes
Types of labels:
- Automatic labels are applied to data at rest in Exchange mailboxes, SharePoint/Teams sites and users' OneDrives.
- Default labels are applied to data upon creation (and based on what is in the file/email).
- Recommended labels do not label data, but appear when a specific Sensitive Information Type (ex. Contoso_Medicine) is added to a file/email. It is up to the user to apply or not apply the recommended label.

Pre-requisites
- You have read Parts 0, 1 and 2 of this blog series.
- You have a Sensitive Information Type (SIT) that will be tied to this label.

Part 1 – Create a Recommended Sensitivity label
We will first set up our recommended label.

Give the label a name and description (and colour marker, if you wish). Then click Next.

For the Scope, select Items and be sure that Files and Emails are selected. Then click Next.

Under the Items section of the wizard, select Apply or remove encryption and Apply content marking, then click Next.

We now arrive at Encryption. Click Configure encryption settings. Under Assign permissions now or let users decide?, choose Let users assign permissions when they apply the label. For the purpose of this blog, under In Outlook, enforce one of the following restrictions, select Do Not Forward. We want this label to be applied to MS Office related workloads, so select In Word, PowerPoint, and Excel, prompt users to specify permissions.

For Apply content marking, I like to use the header option, as it is the easiest because it appears at the top of each electronic page. I will be using this watermark – "Contoso Medicine (Blog Recommended Label)".

Next, we will Enable auto-labeling for files and emails. At the top of this page, for Content contains, we will select the SIT that we created previously.
In my case, I am using "Recommended_Label_Contoso_medicine". The keyword I am tracking within that data classifier is "Contoso_medicine".

At the bottom of this page, for When content matches these conditions, select Recommend that users apply the label. Note – this is the proverbial switch that needs to be flipped to make a label Recommended rather than Automatic or Default.

We also want to provide an explanation in Word, Excel, etc. for the users. So in the field Display this message to users when the label is applied, type the message you want your users to see when the label is recommended. Then click Next.

On the protection settings for Groups and Sites, we will not be enabling anything, as they are not applicable for this label and policy. Accept the defaults and click Next.

On the schematized data assets page, we will leave this at the default of Off. Click Next.

Review your label and click Create Label. Accept the defaults, then click Done, then Create Policy, and then Close. You are now ready to publish your policy.

Part 2 – Publish your Recommended Sensitivity label
We will now publish your label to your tenant.

On the left, click Information protection -> Label policies. Click Publish label to start the publication wizard.

On the first step of the wizard, click Choose sensitivity labels to publish. Select the recommended label you created above and click Add. Note – you can publish (or republish) one, many or all of your labels in a single Publish label wizard. Click Next.

In the next step of the wizard, you can assign a specific administrative team to manage this policy. We will not be doing that in this blog. Click Next.

Next, you can decide who will see the published label. I will be using the default of all Users and groups, but I recommend you only use your own test user accounts here to limit who will see this label.

Under Policy Settings, you can leave all of these boxes blank.
I will leave the first 3 boxes blank and enter a URL into the last box (Provide users with a link to a custom help page). When you are ready, click Next.

On Default settings for documents, we will not be selecting any Default labels. Accept the default and click Next.

On Default settings for emails, leave things at the default of Same as document. Click Next.

On Default settings for meetings and calendar events, leave things at the default of None. Click Next.

On Default settings for Power BI content, leave things at the default of None. Click Next.

Now give your policy a name and description and click Next.

Review your settings. When you are satisfied, click Submit and Done. You are now ready to start the testing phase of this blog. Note – it can take 24-48 hours for labels and policies to replicate within a tenant.

Part 3 – Test Recommended label on new file
Before we start our file and email tests, remember that labels and policies can take a while to replicate throughout your tenant. One hour is usually a good amount of time to wait, but it might be quicker or slower to populate based on several variables in your tenant that we will not cover at this time.

Open Word, Excel or PowerPoint and create a new file.

Type in the Sensitive Information Type that you have associated with your recommended Sensitivity label. I am using the compound word "contoso_medicine". When you do, you will see a Policy Tip bar appear at the top of your document.

Here is an example.

Here is a magnification of the left side above.

This is the end of the file testing.

Part 4 – Test Recommended label on new email
We will now test this recommended label against a newly created email.

Open Outlook and create a new email.

Type in the Sensitive Information Type that you have associated with your recommended Sensitivity label. I am using the compound word "contoso_medicine". When you do, you will see a Policy Tip bar appear at the top of your email.
Here is an example.

Here is a magnification of the left side above.

This is the end of the email testing.

You have now reached the end of this blog entry.

Appendix and Links
- Create and publish sensitivity labels - Microsoft Purview (compliance) | Microsoft Learn
- Labeling in the Microsoft Purview Data Map - Microsoft Purview | Microsoft Learn
- Enable sensitivity labels in Power BI - Power BI | Microsoft Learn
- Learn about sensitivity labels - Microsoft Purview (compliance) | Microsoft Learn
- Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites - Microsoft 365 Compliance | Microsoft Docs
- Enable archive mailboxes in the Security & Compliance Center - Microsoft 365 Compliance | Microsoft Docs
- Restrict access to content using sensitivity labels to apply encryption - Microsoft 365 Compliance | Microsoft Docs
- Automatically apply a sensitivity label to content in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
- Automatically apply sensitivity labels to your data - Azure Purview | Microsoft Docs
- Manage sensitivity labels in Office apps - Microsoft 365 Compliance | Microsoft Docs
- Mandatory label policy in Power BI - Power BI | Microsoft Docs

Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only.
This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

Updates to Assets Prevent Future Scan Updates
We've been working with Purview slowly over the last few days. Today I was able to scan some heavily used on-prem SQL server databases. Once the scan was complete I went into the assets, located the first asset I wanted to classify, and started to add a description. The minute I clicked Edit on the asset a warning appeared stating "Making a manual update to the asset will prevent future scans on this asset from updating it."

As a software developer, I understand why this might be necessary, however as a member of the data governance team it concerns me. I need the ability to add classifications/glossary terms/contacts/descriptions to newly discovered assets, but I'd also like scanning to update the schema as the asset changes based on information found in scans.

Is the functionality to edit an asset manually and receive updates from scans something that is on the roadmap? Will it be available in GA?