purview
78 Topics

Compliance Meets AI: Wrapping Up an Incredible Series and Looking Ahead
Over the past six sessions, the Compliance Meets AI webinar series has taken us on a journey through the evolving landscape of compliance, security, and generative AI. From SharePoint advanced management and data security posture for AI to eDiscovery, auditing, and communication compliance, we’ve explored how Microsoft Purview and Copilot can transform governance strategies.

Today’s final session, Deep Dive: Insider Risk for Copilot, was a powerful close to the series. Led by Kevin Uy and supported by our team, we unpacked how Insider Risk Management (IRM) helps organizations detect and mitigate risky behaviors—intentional or accidental—before they become costly incidents.

Key highlights included:

Risky AI Usage Policies: How to monitor prompts and responses for sensitive data exposure across Copilot and third-party AI tools.
Policy Templates & Indicators: Leveraging built-in templates for data leaks, health record misuse, and AI-specific risks.
Integration with DLP: Understanding how IRM complements real-time blocking by providing investigative context.
Adaptive Protection: Moving from passive monitoring to proactive enforcement by linking IRM insights with DLP policies.

If you missed today's session, no worries: you can watch the recording here: https://aka.ms/Compliance-Meets-Ai-Session-Six

We also shared practical tips on policy configuration, threshold tuning, and privacy controls, plus a sneak peek at forensic evidence and case escalation workflows.

Why This Series Matters

Compliance isn’t just about meeting regulatory requirements—it’s about building trust in an era of AI-driven innovation. This series brought together experts and practitioners to demystify complex topics and provide actionable strategies for safeguarding sensitive data while enabling productivity.

What’s Next?

The conversation doesn’t stop here.
We’re thrilled to announce that Compliance Meets AI will return in 2026 with new topics, deeper demos, and fresh insights into governance for emerging technologies. Expect sessions on advanced AI risk scenarios, cross-cloud compliance, and automation strategies that redefine security operations.

Stay tuned for registration links early next year—and in the meantime, revisit all six recorded sessions here and follow me on LinkedIn for ongoing updates.

Thank you to everyone who joined us for this series. Your engagement and feedback shape what comes next. Here’s to a future where compliance and AI work hand in hand to empower secure innovation. 🚀

Compliance Meets AI: Communication Compliance for Copilot – What You Missed!
Last Friday’s session was a game-changer for anyone looking to keep AI use safe, ethical, and compliant. We didn’t just talk theory—we showed real-world strategies for monitoring Copilot interactions and protecting sensitive data with Microsoft Purview Communication Compliance.

Missed the session? No worries, we have you covered. You can watch it here: https://aka.ms/Compliance-Meets-Ai-Session-Five

🔥 Top Highlights

The Big Picture
Copilot is transforming productivity—but with great power comes great responsibility. Communication Compliance helps you spot risky prompts, prevent data leaks, and enforce ethical AI use across Copilot, Copilot Chat, Agents and Copilot Studio.

Policy Power Moves
Learn how to build smart policies that detect sensitive info like MRNs, credit card numbers, or custom keywords. We explored trainable classifiers for prompt injection attacks and inappropriate content—plus tips for scoping policies to specific teams or roles.

From Alerts to Action
Tag it. Resolve it. Escalate it. Even kick off Power Automate workflows for instant notifications. We showed how to turn alerts into actionable compliance steps that keep your organization secure.

Insights That Matter
Dive into dashboards that reveal top triggered policies, sensitive data trends, and user activity—so you can make informed decisions and strengthen governance.

✅ Next Up: Insider Risk Management for Copilot
📅 Date: 11.7.25
🎤 Host: Kevin Uy
👉 https://aka.ms/ComplianceMeetsAI

Don’t miss this one—we’re taking compliance to the next level!

Compliance Meets AI: Deep Dive into Sensitivity Labels and DLP for Copilot
Last Friday’s session was packed with insights on Data Loss Prevention (DLP) and Sensitivity Labels in Microsoft Purview, and how they integrate with Copilot for M365 to keep your data secure while enabling productivity. If you missed the session, we have you covered: you can watch it here: https://aka.ms/Compliance-Meets-Ai-Session-Three

Key Highlights:

Sensitivity Labels & Copilot: We explored how labels inherit across Copilot-generated content, why label priority matters, and the critical role of extract permissions for Copilot responses.
Endpoint DLP: Ben Perkins walked us through onboarding endpoints, using Purview clients, and applying policies to prevent sensitive data egress to browsers, USB devices, and even generative AI sites.
Policy Design Tips: From inline browser protection to advanced classification scanning, we covered best practices for creating robust DLP rules without sacrificing Copilot’s power.
Licensing & Integration: E5 licensing simplifies DLP coverage across Exchange, SharePoint, OneDrive, Teams, and endpoints—plus integration with Microsoft Defender for Cloud Apps for cloud-based controls.
Upcoming Features: Expect expanded support for sensitive information types in Copilot DLP policies soon, and adaptive protection tied to insider risk levels.

Ben’s live demo showcased real-world configurations, including auto-labeling, simulation mode, and advanced rule tuning. The Q&A touched on practical challenges like encrypted PDFs, trainable classifiers, and overlapping policies with MDCA.

What’s Next?

Don’t miss our next session on Retention and Unified Audit Logs—critical for compliance and Copilot investigations. We’ll also dive into eDiscovery strategies.

📅 Next Session: Friday, October 24
🕛 Time: Noon Eastern
✅ Register here: Compliance Meets Ai: Microsoft Purview in the Age of Ai | Microsoft Community Hub

Microsoft deployment blueprint - Address oversharing concerns for your M365 Copilot deployment
Optimized deployment leverages advanced compliance and automation capabilities available in Microsoft 365 E5. This episode outlines how E5 customers can proactively secure data and enhance Copilot performance.

Microsoft deployment blueprint - Address oversharing concerns for your M365 Copilot deployment
In regulated industries, internal oversharing can compromise data integrity and Copilot effectiveness. This episode defines what “Foundational” means for Microsoft 365 E3 customers and outlines actionable steps to mitigate oversharing risks during Copilot deployment.

Microsoft Purview - Paint By Numbers Series (Part 2f) – Automatic Labeling Emails and Files
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience

The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data and encrypt it where needed.

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through. We will be covering the auto-labeling of data at rest.

It is presumed that you already have a Sensitive Information Type that you want to use in your Information Protection policy. For the purposes of this document, I will be using a previously created Data Classification called “Automatic_Label_Contoso_medical”. The keyword I am tracking within that data classifier is “Contoso_medical”. I am doing this to avoid labeling any files by accident by using an out-of-the-box classifier. For information on how you create your own data classifier, refer back to “Part 1 – Sensitivity Information Types” of this blog series.
This document is only meant to be an introduction to the topic of multiple Sensitivity labels. Always refer back to official Microsoft documentation or your Microsoft account team for the latest information.

Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Purview, including:

Data Classification
Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
Data Lifecycle Management (retention and disposal)
Records Management (retention and disposal)
eDiscovery
Insider Risk Management (IRM)
Priva
Advanced Audit
Microsoft Cloud App Security (MCAS)
Information Barriers
Communications Compliance
Licensing

It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). For details on licensing (i.e. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.

Overview of Document

Create a Sensitivity Label
Verify automatic policy is published
Publish your automatic Sensitivity labeling policy
Changing between Simulation and “Enabled” mode
Reporting on simulations of label application
Test the Sensitivity Label is applied to existing files
Test the Sensitivity Label is applied to existing emails

Use Case

Applying Sensitivity labels to data at rest in OneDrive, SharePoint sites, Teams Sites, and Exchange mailboxes.

Definitions

Sensitivity Label – a metadata tag
Publish Label – making the metadata tag available to your tenant
Policy – The monitoring and applying of Sensitivity labels through the Microsoft tenant

Notes

Remember it can take 24-48 hours for a new Sensitive Information Type (SIT) to start to be found in your tenant. So create your SIT ahead of time and place it in Exchange mails, SharePoint/Teams sites, and OneDrive for your testing.

Types of labels:
Automatic labels are applied to data at rest.
Default labels are applied to data upon creation (and based on what is in the file/email).
Recommended labels do not label data, but appear when a specific piece of Sensitive Information Type (ex. Contoso_Medical) is added to a file/email. It is up to the user to apply or not apply the recommended label.

Here are some very important things to note about Simulation vs “Enabled” automatic labeling policies.

Automatic labeling policies should be thoroughly tested in your dev tenant, and your data security team (or equivalent) should be consulted when using labels, especially automatic labeling.
Here is a screenshot of the enablement mode (simulation, off, on) that will be referred to several times in this blog.
When in doubt, run the default of Run policy in simulation mode.
If you want to apply a label in your dev tenant, you will need to check the box next to Automatically turn on policy if not modified after 7 days in simulation. I recommend you only do this in a dev tenant and after much consideration.
If you want to do this in production, I recommend that you consult with your Microsoft support team or certified Microsoft partner, and be certain you have thoroughly defined your relevant a) data classification, b) taxonomy, and c) ramifications of applying sensitivity labels to your production data.
For this blog, I will be enabling automatic labeling so I can demonstrate labels being applied to files and emails in my demonstration tenant.

Pre-requisites

You have read Parts 0, 1 and 2 of this blog series.
You have a Sensitive Information Type (SIT) that will be tied to this automatic label.
Populate emails and files with your test information several days before you create your policies. In my environment, I am testing with the phrase “Contoso_Medical”. This will be important during the simulation and testing done later in this blog.

Part 1 – Create an automatic Sensitivity label

We will first set up our automatic label.
Give the label a name and description (and color marker, if you wish). Then click Next.
For the Scope, select Items and be sure that Files and Emails are selected. Then click Next.
Under the Items section of the wizard, select Apply or remove encryption and Apply content marking, then click Next.
We now arrive at Encryption. Click Configure encryption settings.
Under Assign Permissions now or let users decide?, choose Assign permissions now. Leave the rest of the settings at the default.
Under Assign permissions to specific users and groups, click Assign permissions. For the purpose of this blog, I will click Add all users and groups in your organization, then click Save.
For Apply content watermarking, I like to use the header option as it is the easiest because it is at the top of each electronic page.
Next, we will Enable auto-labeling for files and emails.
At the top of this page, for the Content contains, we will select the SIT that we created previously. In my case, I am using the “Recommended_Label_Contoso_medical”. The keyword I am tracking within that data classifier is “Contoso_medical”.
At the bottom of this page, for the When content matches these conditions, select Automatically apply the label. Note – this is the proverbial switch that needs to be flipped for a label to enable Recommend vs. Automatic vs Default labels.
We also want to provide an explanation in Word, Excel, etc. for the users. So in the field Display this message to users when the label is applied, type the message you want your user to see when the label is recommended. Then click Next.
On the protection settings for Groups and Sites, we will not be enabling anything as they are not applicable for this label and policy. Accept the defaults and click Next.
On the schematized data assets, we will leave this at the default of Off. Click Next.
Review your label and click Create Label.
Under Next steps, select Automatically apply label to sensitive content.
Note – If you select Publish label to user’s apps, you’ll have to follow the steps in the “Publish your automatic label” section below.
Click Done and then Create Policy and then Close.

Part 2 – Verify Automatic policy is published

If, in the “Create your automatic label” section above, you clicked Automatically apply label to sensitive content, proceed to the test label on new file/email sections below.
If you did NOT click Automatically apply label to sensitive content above, then go to the “Publish your automatic policy” section below.
If you are not sure whether your policy was created, you can find that out by doing the following.
Go to Information Protection –> Auto-labeling.
Under Simulation, you should find the policy created on the last step of creating your label.

Part 3 – Publish your automatic Sensitivity label (if needed)

If needed, you can set up your automated labeling policy. You do this by doing the following:

Go to Information Protection –> Auto-labeling.
Click Create auto-labeling policy.
On the first step of the wizard, select Custom -> Custom policy. Then click Next.
Give the policy a name and click Next.
In the next step of the wizard, you can assign a specific administrative team to manage this policy. We will not be doing that in this blog. Click Next.
Next, choose the locations where this automatic policy will be applied. These locations include Exchange (for users or groups), SharePoint (and Teams) sites, and OneDrive (for users or groups). As I am in a test tenant, I will accept the defaults. I recommend you narrow your locations to a test user(s) or SharePoint sites for your initial testing.
For the next step, I will accept the Common rules. Feel free to explore the advanced rules on your own. Click Next.
Now we will create a rule to go with our automatic label above. Click New rule.
Give your rule a name, description, and add a condition.
I’ll be using the Sensitive Information Type I created previously (Automatic_Label_Contoso_Medical). When you are ready, click Save and then click Next.
Next, choose a label to be applied. To do this, click Choose a label, choose a label and click Save. When you are satisfied, click Next.
Under additional settings, accept the defaults and click Next.
The next step is to either turn on or off the policy. I will leave the default of Run policy in simulation mode. When you are ready click Next.
Review your automatic policy and click Create policy and then click Done.
You are now ready to move to the testing phase of this blog.

Part 4 – Changing between Simulation mode & “Enabled” mode

Do the following to change from simulation mode to “enabled” mode or vice versa.

Go to Information Protection –> Auto-labeling.
Under Simulation, you should find the policy created on the last step of creating your label.
Select the Edit policy.
In the wizard, go to Policy Mode (on the left). When you are ready click Next.
When you have made the change you want, click Next, review your automatic policy and click Create policy and then click Done.

Part 5 – Reporting on simulations of automatic labeling

To know what files/emails would be labeled if your automatic labeling policy had actually run, you will need to go to the following location.

Note – Remember that it can take several days for your tenant to start reporting back on existing data matching your policy. This is due to back data processing and indexing that we will not discuss at this time.

Go to Information Protection –> Auto-labeling.
Under Simulation, you should find the policy created above.
Open your policy.
At the bottom of the policy, you will see results for files and emails that will match your policy.

Note #1 – You should pre-populate your test SharePoint sites and OneDrive sites with data that possess your SIT data (ex. “contoso_medical”).
Note #2 – For emails, you need to send those after your policy is created for them to be seen by your automatic labeling policy.

Before we can apply our “test” automated labels against the data in our tenant, we have to enable our policy. Do this by clicking Turn on policy as seen in the screenshot above.
Now move to the next section.

Part 6 – Test label on new file

Before we start our file and email tests, remember that labels and policies can take a while to replicate throughout your tenant. One hour is usually a good amount of time to wait, but it might be quicker or slower to populate based on several variables in your tenant we will not cover at this time. With that understanding, let us move on to our testing.

Because automatic labeling takes place on cloud workloads at this point in time (not on endpoint devices), we will do our testing against a file(s) created on a OneDrive or SharePoint site (related to your test locations mentioned above in Part 3).

Create a new Word, Excel or PowerPoint document. I will create a Word document.
Type in the Sensitive Information Type that you have associated with your recommended Sensitivity label (I am using the compound word “contoso_medical”) and save your file.
Wait a few minutes for the automatic labeling to run on the backend in the cloud.
Reopen the file in your browser. At the bottom you should see your label next to a padlock icon.
If you then open that file in your local version of Word, you will see the label information marked in 2 locations.
This is the end of the file testing.

Part 7 – Test label on new email

We will now test this automatic label against a newly created email.

Open Outlook.
Create a New Email.
Type in the Sensitive Information Type that you have associated with your recommended Sensitivity label (I am using the compound word “contoso_medical”) and send it to/from your test user (See my example email below).
Note – If you have a default label configured like I do, you might see that on the left of your From/To/CC/BCC fields. As this is the easiest way to see a change in your label, let us look at an example.
Once you receive the email, you should see something similar to the following in your Inbox/email Preview panel (or when you open your email).
This is the end of the email testing.

Appendix and Links

Create and publish sensitivity labels - Microsoft Purview (compliance) | Microsoft Learn
Labeling in the Microsoft Purview Data Map - Microsoft Purview | Microsoft Learn
Enable sensitivity labels in Power BI - Power BI | Microsoft Learn
Automatically apply a sensitivity label in Microsoft 365 - Microsoft Purview (compliance) | Microsoft Learn
Learn about sensitivity labels - Microsoft Purview (compliance) | Microsoft Learn
Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites - Microsoft 365 Compliance | Microsoft Docs
Enable archive mailboxes in the Security & Compliance Center - Microsoft 365 Compliance | Microsoft Docs
Restrict access to content using sensitivity labels to apply encryption - Microsoft 365 Compliance | Microsoft Docs
Automatically apply a sensitivity label to content in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
Automatically apply sensitivity labels to your data - Azure Purview | Microsoft Docs
Manage sensitivity labels in Office apps - Microsoft 365 Compliance | Microsoft Docs
Mandatory label policy in Power BI - Power BI | Microsoft Docs

Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination
of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

Microsoft Purview - Paint By Numbers Series (Part 2g) – Recommended Labeling of Files and Emails
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience

The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data and encrypt it where needed.

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through. We will be covering the recommendation of labels for new files and emails based on the Sensitive Information Type within those files and emails.

It is presumed that you already have a Sensitive Information Type that you want to use in your Information Protection policy. For the purposes of this document, I will be using a previously created Data Classification called “Recommended_Label_Contoso_medicine”. The keyword I am tracking within that data classifier is “Contoso_medicine”. I am doing this to avoid labeling any files by accident by using an out-of-the-box classifier.
For information on how you create your own data classifier, refer back to “Part 1 – Sensitivity Information Types” of this blog series.

This document is only meant to be an introduction to the topic of multiple Sensitivity labels. Always refer back to official Microsoft documentation or your Microsoft account team for the latest information.

Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Purview, including:

Data Classification
Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
Data Lifecycle Management (retention and disposal)
Records Management (retention and disposal)
eDiscovery
Insider Risk Management (IRM)
Priva
Advanced Audit
Microsoft Cloud App Security (MCAS)
Information Barriers
Communications Compliance
Licensing

It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). For details on licensing (i.e. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.

We will not be covering the auto-labeling of data at rest. That will be covered in another blog post and those auto-labeling policies should not be done until after you have locked down your Sensitivity labeling of all “net new” data.

Overview of Document

Create a recommended Sensitivity Label
Create a recommended Sensitivity labeling policy
Verify that the user is prompted to apply the specific Sensitivity Label to a new file
Verify that the user is prompted to apply the specific Sensitivity Label to a new email

Use Case

The prompting of users to apply a Sensitivity Label when sensitive data is detected within a new file or email.
Definitions

Sensitivity Label – a metadata tag
Publish Label – making the metadata tag available to your tenant
Policy – The monitoring and applying of Sensitivity labels through the Microsoft tenant

Notes

Types of labels:
Automatic labels are applied to data at rest in Exchange mailboxes, SharePoint/Teams sites and users’ OneDrives.
Default labels are applied to data upon creation (and based on what is in the file/email).
Recommended labels do not label data, but appear when a specific piece of Sensitive Information Type (ex. Contoso_Medicine) is added to a file/email. It is up to the user to apply or not apply the recommended label.

Pre-requisites

You have read Parts 0, 1 and 2 of this blog series.
You have a Sensitive Information Type (SIT) that will be tied to this automatic label.

Part 1 – Create a Recommended Sensitivity label

We will first set up our recommended label.

Give the label a name and description (and color marker, if you wish). Then click Next.
For the Scope, select Items and be sure that Files and Emails are selected. Then click Next.
Under the Items section of the wizard, select Apply or remove encryption and Apply content marking, then click Next.
We now arrive at Encryption. Click Configure encryption settings.
Under Assign Permissions now or let users decide?, choose Let users assign permissions when they apply the label.
For the purpose of this blog, under In Outlook, enforce one of the following restrictions -> Do Not Forward.
We want this label to be applied to MS Office related workloads. So, select In Word, PowerPoint, and Excel, prompt users to specify permissions.
For Apply content watermarking, I like to use the header option as it is the easiest because it is at the top of each electronic page. I will be using this watermark – “Contoso Medicine (Blog Recommended Label)”.
Next, we will Enable auto-labeling for files and emails.
At the top of this page, for the Content contains, we will select the SIT that we created previously.
In my case, I am using the “Recommended_Label_Contoso_medicine”. The keyword I am tracking within that data classifier is “Contoso_medicine”.
At the bottom of this page, for the When content matches these conditions, select Recommend that the users apply the label. Note – this is the proverbial switch that needs to be flipped for a label to enable Recommend vs. Automatic vs Default labels.
We also want to provide an explanation in Word, Excel, etc. for the users. So in the field Display this message to users when the label is applied, type the message you want your user to see when the label is recommended. Then click Next.
On the protection settings for Groups and Sites, we will not be enabling anything as they are not applicable for this label and policy. Accept the defaults and click Next.
On the schematized data assets, we will leave this at the default of Off. Click Next.
Review your label and click Create Label.
Accept the defaults and then click Done and then Create Policy and then Close.
You are now ready to publish your policy.

Part 2 – Publish your Recommended Sensitivity label

We will now publish your label to your tenant.

On the left click on Information protection -> Label policies.
Click Publish label to start the publication wizard.
On the first step of the wizard, click Choose sensitivity labels to publish.
Select your recommended label from above and click Add. Note – you can publish (or republish) 1, many or all your labels in a Publish label wizard. Click Next.
In the next step of the wizard, you can assign a specific administrative team to manage this policy. We will not be doing that in this blog. Click Next.
Next, you can decide who will see the published label. I will be using the default of all Users and groups, but I recommend you only use your own test user accounts here to limit who will be seeing this label.
Under Policy Settings, you can leave all of these boxes blank.
I will leave the first 3 boxes blank and enter a URL into the last box (Provide users with a link to a customer help page). When you are ready, click Next.
On Default settings for documents, we will not be selecting any Default labels. Accept the default and click Next.
On Default settings for emails, leave things as the default of Same as document. Click Next.
On Default settings for meetings and calendar events, leave things as the default of None. Click Next.
On Default settings for Power BI content, leave things as the default of None. Click Next.
Now give your policy a name and description and click Next.
Review your settings. When you are satisfied, click Submit and Done.
You are now ready to start the testing phase of this blog.

Note – it can take 24-48 hours for labels and policies to replicate within a tenant.

Part 3 – Test Recommended label on new file

Before we start our file and email tests, remember that labels and policies can take a while to replicate throughout your tenant. One hour is usually a good amount of time to wait, but it might be quicker or slower to populate based on several variables in your tenant we will not cover at this time.

Open Word, Excel or PowerPoint.
Create a New File.
Type in the Sensitive Information Type that you have associated with your recommended Sensitivity label. I am using the compound word “contoso_medicine”. When you do, you will see a Policy Tip bar appear at the top of your document.
Here is an example.
Here is a magnification of the left side above.
Here is a magnification of the left side above.
This is the end of the file testing.

Part 4 – Test Recommended label on new email

We will now test this recommended label against a newly created email.

Open Outlook.
Create a New Email.
Type in the Sensitive Information Type that you have associated with your recommended Sensitivity label. I am using the compound word “contoso_medicine”. When you do, you will see a Policy Tip bar appear at the top of your document.
Here is an example. Here is a magnification of the left side above.

This is the end of the email testing. You have now reached the end of this blog entry.

Appendix and Links

Create and publish sensitivity labels - Microsoft Purview (compliance) | Microsoft Learn
Labeling in the Microsoft Purview Data Map - Microsoft Purview | Microsoft Learn
Enable sensitivity labels in Power BI - Power BI | Microsoft Learn
Learn about sensitivity labels - Microsoft Purview (compliance) | Microsoft Learn
Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites - Microsoft 365 Compliance | Microsoft Docs
Enable archive mailboxes in the Security & Compliance Center - Microsoft 365 Compliance | Microsoft Docs
Restrict access to content using sensitivity labels to apply encryption - Microsoft 365 Compliance | Microsoft Docs
Automatically apply a sensitivity label to content in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
Automatically apply sensitivity labels to your data - Azure Purview | Microsoft Docs
Manage sensitivity labels in Office apps - Microsoft 365 Compliance | Microsoft Docs
Mandatory label policy in Power BI - Power BI | Microsoft Docs

Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only.
This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

Microsoft Purview- Paint By Numbers Series (Part 10)- Defender for Cloud Apps & DLP - Overview
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience

The Microsoft Defender for Cloud Apps section of this blog series is aimed at Security and Compliance officers who need to protect data through a Cloud App, meaning a third-party cloud-based application.

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Purview through. In this blog entry, we want to understand how Microsoft Defender for Cloud Apps (MDCA) is leveraged for Data Loss Prevention. Microsoft Defender for Cloud Apps (MDCA) can be used for things such as Conditional Access, Shadow IT, and other security features. However, in this blog entry, we are focused only on how MDCA can be used for Data Loss Prevention (DLP). This is limited in scope and meant to walk you through the basic process of configuring a DLP activity.
Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Purview, including:

Data Classification
Information Protection
Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
Data Lifecycle Management (retention and disposal)
Records Management (retention and disposal)
eDiscovery
Insider Risk Management (IRM)
Priva
Advanced Audit
Information Barriers
Communications Compliance
Licensing

This is limited in scope and meant to walk you through the basic process of configuring a Data Loss Prevention activity in Microsoft Defender for Cloud Apps.

It is presumed that you have a pre-existing understanding of what Microsoft E5 Purview does and how to navigate the User Interface (UI).

For details on licensing (i.e. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.

Overview of Document

What MDCA Does
DLP features supported by MDCA

Use Case

An organization that wants to configure Data Loss Prevention (DLP) against a cloud-based application. In this blog we will only look at general DLP use cases.

Definitions

Cloud App – meaning a third-party cloud-based application.
Session Policy – session policies enable real-time session-level monitoring, affording you granular visibility into cloud apps and the ability to take different actions depending on the policy you set for a user session.
Policy Control – these policies “detect risky behavior, violations, or suspicious data points and activities in your cloud environment.”

Notes

None.

Pre-requisites

You have read Part 0 of this blog series.

What MDCA does

Microsoft Defender for Cloud Apps (MDCA) is the Microsoft Cloud App Security Broker (CASB). So even though we are looking at it in this blog series to provide DLP functionality, it has a broader range of security features.
Here is a list of the other things you can do with MDCA:

Threat Detection – “Detect unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications, analyze high-risk usage and remediate automatically to limit the risk to your organization.”
Information Protection – “Understand, classify, and protect the exposure of sensitive information at rest. Leverage out-of-the box policies and automated processes to apply controls in real time across all your cloud apps.”
Conditional Access – “Real-time monitoring and control over access to cloud apps based on user, location, device, and app.” This also allows for “real-time session-level monitoring, affording you granular visibility into cloud apps and the ability to take different actions depending on the policy you set for a user session.”
Shadow IT – “Identify the cloud apps, IaaS, and PaaS services used by your organization. Investigate usage patterns, assess the risk levels and business readiness of more than 31,000 SaaS apps against more than 80 risks. Start managing them to ensure security and compliance.”

DLP features supported by MDCA

For data protection with MDCA, you can create 3 different types of policies:

File Policy
Access Policy
Session Policy

Of these three policies, the one you will use the most for DLP activities will be the Session Policy. The reason is that session policies allow the following session control types (which are the most similar to service and device level DLP functionalities):

Monitor Only
Block Activities
Control file download (with inspection)
Control file upload (with inspection)

Here are the Activities related to DLP:

Cut/Paste item
Paste item
Print
Send item (Exchange/Teams message)

Here are the Actions (in addition to the Session control types mentioned above) related to the above Activities:

Test
Block
Apply Microsoft Sensitivity Labels
Apply custom permissions
Appendix and Links

Overview - Microsoft Defender for Cloud Apps | Microsoft Learn
Data security and privacy practices - Microsoft Defender for Cloud Apps | Microsoft Learn
What's new - Microsoft Defender for Cloud Apps | Microsoft Learn
Session policies - Microsoft Defender for Cloud Apps | Microsoft Learn
Connect apps to get visibility and control - Microsoft Defender for Cloud Apps | Microsoft Learn
Protect apps with Conditional Access App Control - Microsoft Defender for Cloud Apps | Microsoft Learn
Deploy Conditional Access App Control for catalog apps with Azure AD - Microsoft Defender for Cloud Apps | Microsoft Learn
Control cloud apps with policies - Microsoft Defender for Cloud Apps | Microsoft Learn