purview
154 TopicsMissing activity names from Audit Log documentation
We all know that the documentation team is A-tier and amazing at what they do and isn't just copy and pasting marketing materials. But I've noticed that some really obscure functionalities like 'user registered a device' or 'user joined a device' or about half the other things a user can do, are not documented on this list of activity names. The ironically named 'friendly' list doesn't work. So I actually can't audit the unfamiliar devices under our tenants? It appears that this KB is actually locked down, so more can't be added when they are discovered. How are we supposed to use the tool Microsoft has forced everyone towards, when the Documentation team is too bad to document anything, so they outsource it to the community (Microsoft victims), but then they lock down contributions (presumably, because they have some metric that keeps them from being useful - atleast based on my interactions with them). Documentation seems to be a massive fail on Microsoft's part. How did it get this way? Is there a reliable way of finding the activity name - one that ISN'T some preview Graph endpoint that I can't teach my techs to use, because I'm not teaching my techs to program?26Views0likes1CommentStruggling with running DQ Scans (Long queuing and Retry Count Error Issues)
Hi everyone, I have been exploring Microsoft Purview Data Quality quite extensively. At this point, I have configured more than 4,000 data quality rules across more than 10 Microsoft Fabric capacities, each with a minimum capacity of F16. Fabric is the source for all assets registered in Purview. I have identified several issues with the product, but the two that are currently impacting me the most are the following: DQ scans failing with a generic error“Max Retry Count Reached. Ending Workflow. Current Task HandleError”The challenge is that the error message does not identify which rule is causing the failure. As a result, I have to troubleshoot manually by disabling groups of rules, rerunning the scans, and repeating the process until I find the problematic rule. This trial-and-error approach is very time-consuming, especially at this scale. This seems to be caused by issues in some of the DQ rules, even though all rules are marked as “Good to go” in Purview. When running Data Quality scans, I often receive the following error: DQ scans remain queued for a long timeI am not sure why this happens or what resource, orchestration, or scheduling constraint is causing the delay. Whenever I run these DQ scans, they remain in a Queued state for at least 10 minutes, even when there is nothing running on the Fabric capacities. Has anyone experienced similar behavior with Purview Data Quality at this scale? Specifically, I would appreciate any guidance on: How to identify which DQ rule is causing a scan failure Why scans remain queued even when Fabric capacity appears to be idle Whether there are known limitations or best practices for running thousands of DQ rules in Purview Thank you.52Views0likes1CommentOnboarding Devices to Purview
I am not clear on how can I onboard devices to MDE so that I can enforce EDLP policies. We have CrowdStrike as Primary AV and other policies. Devices are managed through Intune for Bitlocker encryption and all the other settings except they don't have Defender. These devices are not showing up in Purview nor under "Endpoint detection and response" location under Endpoint Security. If we create an EDR onboarding policy and deploy to devices, then it shows the devices and says that AMRUnningMode is Passive, but Antivirus is true. Which I feel like Defender is taking over CrowdStrike? or am I wrong. My goal is to make sure CrowdStrike still primary AV and devices should be onboarded to MDE and then to Purview so that we can scope EDLP policies properly. Can anyone help me to understand or provide right steps?77Views0likes1CommentConfusion around Purview Definitions and Risk Scoring
In the early days of implementation and we've done our 'Quick setup' of Insider Risk Management which created our Adaptive Protection Policy for IRM, two IRM DLP policies (Endpoint & Teams/Exchange) and the Conditional Access policy. My question is around 'Triggering events', Indicators and Insider Risk Levels. To my understanding, a triggering event is the event that decides when the policy will start assigning risk scores to user activity which will then allow us to then give users risk levels. We have the option to either set this triggering event to either the DLP policies, or when a user performs an exfiltration activity/ sequence. The DLP policies only match activity when a user has a defined risk level and attempts to perform a specific activity i.e. sharing M365 with people outside the organisation. I'm not sure if I'm thinking about this backwards, but if I set my Adaptive protection policy to only start assigning risk scores to user activity when they match a DLP policy, how can they trigger a DLP policy if they wont be assigned a risk level until that scoring begins to happen? Should I be setting my triggering events to be "User performs an Exfiltration Activity" instead of "User Matches a DLP policy"?57Views0likes1CommentManaged VNET Integration Runtime failing with 502 error.
Good afternoon everyone. I'm a DevOps Engineer who is new to Purview. I used Terraform to deploy a Purview account for a POC for a client, however, I'm having a real issue creating a Managed VNET IR. The private endpoints are all visible and approved and if I check in the shell I can see the IR and the Managed VNET both exist (names sanitized). { "name": "SAMPLENAME", "properties": { "managedVirtualNetwork": { "referenceName": "ManagedVnet-name" }, "typeProperties": { "computeProperties": { "location": "WestEurope" } } } } But in the Purview portal the status shows as failed and if I try update it, I get a popup notification stating that the process timed out due to a 502 error. The URL in the error is " https://api.purview-service.microsoft.com/scan/integrationRuntimes/{NAME}?api-version=2022-02-01-preview" I thought this might be an issue with permissions or that I'm not in the admin role group in my client environment so I did the same process in my local purview account (where I'm global admin and in the Purview Administrators role group) and I'm having exactly the same problem. The managed vnet and IR exist when queried in the cloud shell but the state in the portal shows as failed. I am a "Data source Admin" in both purview accounts but I'm wondering if there's some other role assignment or role group assignment that I'm missing? Thanks in advance. Devon Britton.56Views0likes1CommentAnthropic Claude Purview Data Connector showing all users as Guests..
It appears this connector is not mapping fields properly causing internal users to be mapped as "guests", and since prompts/data isn't maintained for guest users the connector is effectively not gathering anything but noise. Unlike the other data connectors, one cannot create field mappings. Also the app being named using the guid of Microsoft's own "dataassessments" service principal I don't think is intended either. Has anybody else experienced this? See below for an example.463Views2likes7CommentsData System Wide Lineage via API Request
I'm struggling with finding a solution. My goal is to identify all existing lineage relationships for any data objects within a specific data system they belong to. I've been using the Purview REST API (Datamap Dataplane) but I haven't found an endpoint returning data system side lineage/relationships. For my scenario I have a Databricks metastore and need to know the existing lineage relationships of those data objects within Purview so I can purge them out when we are doing our scheduled lineage refresh.Solved144Views1like3CommentsGet-AdaptiveScopeMembers doesn't show the SiteURL for OneDrive
I am working through reporting for Adaptive Scopes and Adaptive Retention policies. I'm so close. But I discovered a problem with my script in that when people return to the company after their account has been deleted, they get a new OneDrive URL. This is expected. While they can have the same email address as an inactive mailbox, they cannot have the same OneDrive URL as an inactive URL. Since we keep all data for a minimum of 7 years, it is possible for a UPN to be the "owner" of 2 or more OneDrive URLs (one active and the others are from previous accounts). I have no easy way of seeing which OneDrive URL is active short of looking for digits at the end of the URL and taking the highest digit. But, what I want to know, is why isn't it here? Why doesn't "Get-AdaptiveScopeMember" return the SiteURL for the user? I thought maybe it was because my test user didn't have a OneDrive site when the account was added to the scope, so I added my actual user account to the scope and it shows the same thing. Is SiteURL only for SharePoint sites and not OneDrive sites? This makes no sense. Does it just take more time to show up? what's the time frame on that?109Views0likes2CommentsPurview DLP Behaviours in Outlook Desktop
We are currently testing Microsoft Purview DLP policies for user awareness, where sensitive information shared externally triggers a policy tip, with override allowed (justification options enabled) and no blocking action configured. We are observing the following behaviours in Outlook Desktop: Inconsistent policy tip display (across Outlook Desktop Windows clients) – For some users, the policy tip renders correctly, while for others it appears with duplicated/stacked lines of text. This is occurring across users with similar configurations. Override without justification – Users are able to click “Send Anyway/Confirm and send” without selecting any justification option (e.g. business justification, manager approval, etc.), which bypasses the intended control. New Outlook: Classic Outlook: This has been observed on Outlook Desktop (Microsoft 365 Apps), including: Version 2602 (Build 19725.20170 Click-to-Run) Version 2602 (Build 16.0.19725.20126 MSO) Has anyone experienced similar behaviour with DLP policy tips or override enforcement in Outlook Desktop? Keen to understand if this is a known issue or if there are any recommended fixes or workarounds.360Views0likes3CommentsDLP Policy - DSPM Block sensitive info from AI sites
Having issues with this DLP policy not being triggered to block specific SITs from being pasted into ChatGPT, Google Gemine, etc. Spent several hours troubleshooting this issue on Windows 11 VM running in Parallels Desktop. Testing was done in Edge. Troubleshooting\testing done: Built Endpoint DLP policy scoped to Devices and confirmed device is onboarded/visible in Activity Explorer. Created/edited DLP rule to remove sensitivity label dependency and use SIT-based conditions (Credit Card, ABA, SSN, etc.). Set Paste to supported browsers = Block and Upload to restricted cloud service domains = Block in the same rule. Configured Sensitive service domain restrictions and tested priority/order (moved policy/rule to top). Created Sensitive service domain group for AI sites; corrected entries to hostname + prefix wildcard a format (e.g., chatgpt.com + *.chatgpt.com) after wildcard/URL-format constraints were discovered. Validated Target domain = chatgpt.com in Activity Explorer for paste events. Tested multiple SIT payloads (credit card numbers with/without context) and confirmed detection occurs. Confirmed paste events consistently show: Policy = Default Policy, Rule = JIT Fallback Allow Rule, Other matches = 0, Enforcement = Allow (meaning configured rules are not matching the PastedToBrowser activity). Verified Upload enforcement works: “DLP rule matched” events show Block for file upload to ChatGPT/LLM site group—proves domain scoping and endpoint enforcement works for upload. Disabled JIT and retested; paste events still fall back to JIT Fallback Allow Rule with JIT triggered = false. Verified Defender platform prerequisites: AMServiceVersion (Antimalware Client) = 4.18.26020.6 (meets/exceeds requirements).438Views0likes9Comments