Data System Wide Lineage via API Request
I'm struggling with finding a solution. My goal is to identify all existing lineage relationships for any data objects within a specific data system they belong to. I've been using the Purview REST API (Datamap Dataplane) but I haven't found an endpoint returning data system side lineage/relationships. For my scenario I have a Databricks metastore and need to know the existing lineage relationships of those data objects within Purview so I can purge them out when we are doing our scheduled lineage refresh.
DLP Policy - DSPM Block sensitive info from AI sites
Having issues with this DLP policy not being triggered to block specific SITs from being pasted into ChatGPT, Google Gemine, etc. Spent several hours troubleshooting this issue on Windows 11 VM running in Parallels Desktop. Testing was done in Edge. Troubleshooting\testing done: Built Endpoint DLP policy scoped to Devices and confirmed device is onboarded/visible in Activity Explorer. Created/edited DLP rule to remove sensitivity label dependency and use SIT-based conditions (Credit Card, ABA, SSN, etc.). Set Paste to supported browsers = Block and Upload to restricted cloud service domains = Block in the same rule. Configured Sensitive service domain restrictions and tested priority/order (moved policy/rule to top). Created Sensitive service domain group for AI sites; corrected entries to hostname + prefix wildcard a format (e.g., chatgpt.com + *.chatgpt.com) after wildcard/URL-format constraints were discovered. Validated Target domain = chatgpt.com in Activity Explorer for paste events. Tested multiple SIT payloads (credit card numbers with/without context) and confirmed detection occurs. Confirmed paste events consistently show: Policy = Default Policy, Rule = JIT Fallback Allow Rule, Other matches = 0, Enforcement = Allow (meaning configured rules are not matching the PastedToBrowser activity). Verified Upload enforcement works: “DLP rule matched” events show Block for file upload to ChatGPT/LLM site group—proves domain scoping and endpoint enforcement works for upload. Disabled JIT and retested; paste events still fall back to JIT Fallback Allow Rule with JIT triggered = false. Verified Defender platform prerequisites: AMServiceVersion (Antimalware Client) = 4.18.26020.6 (meets/exceeds requirements).
Get-AdaptiveScopeMembers doesn't show the SiteURL for OneDrive
I am working through reporting for Adaptive Scopes and Adaptive Retention policies. I'm so close. But I discovered a problem with my script in that when people return to the company after their account has been deleted, they get a new OneDrive URL. This is expected. While they can have the same email address as an inactive mailbox, they cannot have the same OneDrive URL as an inactive URL. Since we keep all data for a minimum of 7 years, it is possible for a UPN to be the "owner" of 2 or more OneDrive URLs (one active and the others are from previous accounts). I have no easy way of seeing which OneDrive URL is active short of looking for digits at the end of the URL and taking the highest digit. But, what I want to know, is why isn't it here? Why doesn't "Get-AdaptiveScopeMember" return the SiteURL for the user? I thought maybe it was because my test user didn't have a OneDrive site when the account was added to the scope, so I added my actual user account to the scope and it shows the same thing. Is SiteURL only for SharePoint sites and not OneDrive sites? This makes no sense. Does it just take more time to show up? what's the time frame on that?Sharing: PDF readers that support Purview labels
As I was researching on Adobe Acrobat reader and Sensitivity labels, I decided to check if the common alternative PDF readers out there are able to support Purview MIP Sensitivity labels. There is already a published documentation on this for SharePoint-Compatible PDF readers that supports Microsoft IRM: https://learn.microsoft.com/en-us/purview/sp-compatible-pdf-readers-for-irm (last updated Nov-2023) but I wanted to see if these same PDF readers supports the ability for end-users to use/ select labels similar to that of Adobe Acrobat As of 11-June-2025; atleast one of them clearly do: Nitro PDF: Yes. Documentation shows that users can see and use the sensitivity labels. PDF -X.change Editor: Yes. Documentation show that users can see and use the sensitivity labels. (check the official website, I can't hyperlink it because the site is blocked. FOX PDF editor: No. Documentation only states RMS and not clear if it show Purview labels. This is for F.O.X.I.T editor (spelled without the ".") but for some reason there is a community ban on that word and it won't allow me to post the full name PDFescape: No. Sumatra PDF: No Okular: No If there are other PDF readers that I've missed, I encourage you list it down in the comment below. Would love to grow this list.Purview DLP Behaviours in Outlook Desktop
We are currently testing Microsoft Purview DLP policies for user awareness, where sensitive information shared externally triggers a policy tip, with override allowed (justification options enabled) and no blocking action configured. We are observing the following behaviours in Outlook Desktop: Inconsistent policy tip display (across Outlook Desktop Windows clients) – For some users, the policy tip renders correctly, while for others it appears with duplicated/stacked lines of text. This is occurring across users with similar configurations. Override without justification – Users are able to click “Send Anyway/Confirm and send” without selecting any justification option (e.g. business justification, manager approval, etc.), which bypasses the intended control. New Outlook: Classic Outlook: This has been observed on Outlook Desktop (Microsoft 365 Apps), including: Version 2602 (Build 19725.20170 Click-to-Run) Version 2602 (Build 16.0.19725.20126 MSO) Has anyone experienced similar behaviour with DLP policy tips or override enforcement in Outlook Desktop? Keen to understand if this is a known issue or if there are any recommended fixes or workarounds.
Adaptive Scopes
I'm setting up adaptive scopes in MS Purview for data retention testing, focusing on Entra groups. However, when I create a test adaptive scope using the 365 groups scope and add a query with the group's display name, it doesn't populate. Some scopes are over 7 days old, despite MS stating it can take up to 3 days for queries to sync. Does anyone have a better method for creating adaptive scopes for Entra groups?
[HELP] "Action required for browser protections" alert
Hello! I have an Endpoint DLP policy with Device location. After several scoping changes (device groups, inclusions/exclusions) to narrow it to a specific target group, the orange alert appeared: Action required for browser protections. One or more policies were not applied in Edge for Business. This could be due to a policy sync issue, lack of required permissions, or an issue with the server. Either resync these policies or contact an admin with the required permissions to resync. After resyncing, you might still see this message for up to 1 day while the system completes the sync and activates protections. The policies were working before. Clicked Resync multiple times, only for the error to return. Please help!
Getting sensitivity label working for specific domain
Good morning all I am trying to setup a sensitivity label to work so anyone with '@mail.com' will have access to a document that has this label. I have attempted to apply this in the control access settings with the label under 'Add specific email addresses or domains' However for the life of me, I cannot get this to work, I have tried "*@mail.com. mail.com, mail.com", nothing seems to work. I have run through the MS material on this and can't see anything specific to setting this up. Has anyone been successful in setting this up? Is there a trick I am missing? Grateful for anyone who can help on this!Connection Failed Issue scanning Google BigQuery from Microsoft Purview Azure environment
Hi everyone, I am currently setting up a laboratory environment in Microsoft Purview to catalog data from Google BigQuery, but I am encountering a connection error during the testing phase. I have verified that the Service Account has the required permissions in GCP (BigQuery Metadata Viewer and BigQuery Data Viewer) and the JSON key is correctly stored in Azure Key Vault. Has anyone faced a similar issue when connecting BigQuery to Purview recently? I want to rule out if this is a networking issue or a specific configuration requirement for the BigQuery connector that I might be missing. Thanks in advance for your help!
