Purview DLP Behaviours in Outlook Desktop
We are currently testing Microsoft Purview DLP policies for user awareness, where sensitive information shared externally triggers a policy tip, with override allowed (justification options enabled) and no blocking action configured. We are observing the following behaviours in Outlook Desktop: Inconsistent policy tip display (across Outlook Desktop Windows clients) – For some users, the policy tip renders correctly, while for others it appears with duplicated/stacked lines of text. This is occurring across users with similar configurations. Override without justification – Users are able to click “Send Anyway/Confirm and send” without selecting any justification option (e.g. business justification, manager approval, etc.), which bypasses the intended control. New Outlook: Classic Outlook: This has been observed on Outlook Desktop (Microsoft 365 Apps), including: Version 2602 (Build 19725.20170 Click-to-Run) Version 2602 (Build 16.0.19725.20126 MSO) Has anyone experienced similar behaviour with DLP policy tips or override enforcement in Outlook Desktop? Keen to understand if this is a known issue or if there are any recommended fixes or workarounds.
Endpoint DLP Collection Evidence on Devices
Hello team, I am trying to setup the feature collect evidence when endpoint DLP match. Official feature documentation: https://learn.microsoft.com/en-us/purview/dlp-copy-matched-items-learn https://learn.microsoft.com/en-us/purview/dlp-copy-matched-items-get-started unfortunately, it is not working as described in the official documentation, I opened ticket with Microsoft support and MIcrosoft Service Hub, Unfortunatetly, they don't know how to setup it, or they are unable to solve the issue. Support ticket: TrackingID#26040XXXXXXX9201 Service Hub ticket: https://support.serviceshub.microsoft.com/supportforbusiness/onboarding?origin=/supportforbusiness/create TrackingID#26040XXXXXXXX924 I follow the steps to configure: based on the Microsoft documentation, I should be able to see the evidence in Activity explorer or Purview DLP alert or Defender Alerts/Incidents.
Adaptive Scopes
I'm setting up adaptive scopes in MS Purview for data retention testing, focusing on Entra groups. However, when I create a test adaptive scope using the 365 groups scope and add a query with the group's display name, it doesn't populate. Some scopes are over 7 days old, despite MS stating it can take up to 3 days for queries to sync. Does anyone have a better method for creating adaptive scopes for Entra groups?
Priority Cleanup V2: Faster, Simpler Data Purging for Exchange Online
Enhancements Achieved with Exchange Priority Cleanup V2 Priority Cleanup (Use priority cleanup to expedite the permanent deletion of sensitive information from mailboxes | Microsoft Learn) was introduced to provide administrators with a powerful tool for permanently deleting mailbox content, even when under retention or eDiscovery hold, to address scenarios such as data spillage and urgent removals. Priority Cleanup addressed a key need in Exchange Online by allowing hold overrides. Through real-world use, we received valuable insights regarding the approval process, deletion speed, and reviewer experience. These learnings have guided our ongoing enhancements, ensuring that the solution evolves to better meet customer needs for efficiency and ease of use while maintaining robust security and compliance standards. What's New in Priority Cleanup V2 Priority Cleanup V2 is currently in the planning stage. We’re sharing the proposed updates early to gather feedback before we begin implementation. The goal is to address the core limitations of V1 with enhancements focused on speed and simplicity. Faster Data Deletion & Simplified Approval Workflow: We’re proposing to streamline the process to two key checkpoints: Policy enforcement approval when moving from simulation to active mode (requires approval from a different Priority Cleanup admin). We’re proposing to minimize approval overhead by removing unnecessary review stages. Disposition review by eDiscovery admins will be required only for mailboxes under eDiscovery hold. For other mailboxes, items will be permanently deleted soon after the Priority Cleanup policy is applied to speed up processing from days to hours. This would reduce the number of required users with admin privileges from four to two. Controlled Purge Limits: Administrators will be able to efficiently manage substantial purges by securely processing deletions in batches, with a configurable limit of up to 100 items per mailbox per ELC run. A default limit of 100 items is applied, with the ability to adjust this value through an organization‑level configuration. This configurable limit provides an additional safeguard for system operations while offering flexibility to meet varying organizational needs. Note: A default limit of 100 items will apply, with the ability to adjust this value via an organization-level configuration. V1 vs V2 Feature Comparison Feature V1 Behavior V2 Improvement Deletion Speed Multi-stage process taking 6+ days for small purges Significantly faster with immediate deletion for non-hold mailboxes Approval Workflow 3-stage approval (Priority Cleanup Admin, Retention Admin, eDiscovery Admin) 2-stage approval (policy enforcement + eDiscovery review only when needed) Proposed Improvements in Admin Experience and Control Streamlined Policy Management: We are considering making policies easier to enable or disable directly from the main list view, potentially through a simple toggle, so administrators would no longer need to use the setup wizard for this task. Enhanced Review Interface: Proposed updates include adding new, informative columns to the interface, such as a dedicated Mailbox/Site column to help identify the source location. We are also looking at providing clearly labeled date fields to indicate when items were received or created, which would replace the potentially confusing ExpiryDate label. Comprehensive Audit Trails: It is proposed that every action would be thoroughly documented with a unique Cleanup ID. This ID could then be used in Audit Search to locate all events related to a specific cleanup operation, helping to simplify verification and post-incident analysis. Note: Priority Cleanup V2 enhancements are specific to Exchange Online. These changes do not affect Priority Cleanup for OneDrive and SharePoint (PC ODSP), including its rollout timelines or behavior. Key Benefits for Administrators Priority Cleanup V2 delivers tangible improvements across the entire data purging workflow. Accelerated Deletion: Requests for data removal are fulfilled much faster, enabling urgent incidents to be resolved within hours rather than days, and minimizing risk exposure. Reduced Administrative Overhead: Coordination requirements are simplified, decreasing the number of users involved from four to two in most cases, which makes Priority Cleanup V2 more practical for smaller teams. Enhanced Transparency: Improved user interface labels and robust audit logs help administrators clearly understand what data is being deleted and who authorized the action. Maintained Security and Compliance: Segregation of duties is preserved so that no single individual can delete protected content alone, supporting security and compliance requirements. Availability and Rollout Priority Cleanup V2 is currently in development with rollout planned for the end of 2026. As with all Exchange Online features, we will publish a Microsoft 365 Roadmap item and send Message Center notifications to affected tenants before general availability We Want Your Feedback Priority Cleanup V2 represents a significant evolution based on customer feedback from V1 users who emphasized the need for faster, simpler data purging without compromising security. We've addressed the core pain points around speed, approval complexity, and admin experience, but we know there's always room for improvement. We'd love to hear your thoughts: Does the simplified approval workflow meet your security requirements? What visibility or reporting capabilities would make you more confident in using Priority Cleanup for urgent data removal scenarios? Your feedback directly shapes how we prioritize future enhancements. Please share your experiences and suggestions through your regular Microsoft support channels or customer success contacts. Together, we can continue refining Priority Cleanup to better serve your data governance needs. Aniket Gupta, Mehul Kaushik, Victor Legat & Purview Data Lifecycle Management TeamDeploy scalable ring‑fenced Purview operations with Administrative Units
As Microsoft Purview deployments mature, many organisations encounter the same scaling challenge: how do you decentralize operations without fragmenting governance or losing visibility? Administrative Units (AUs) provide a native way to solve this by enabling ring‑fenced operations—allowing teams to operate independently within clearly defined boundaries, while preserving central oversight. This post focuses on the why behind using Administrative Units in Microsoft Purview, with a particular emphasis on scalable, ring‑fenced operations. We’ll walk through three reference architectures that illustrate how Administrative Units support real‑world operating models—without requiring multiple tenants or separate DLP platforms. note: this article and visuals will focus on Administrative Units support in Purview Data Loss Prevention. However, Administrative Units are supported in additional solutions of Microsoft Purview. Refer to Administrative units in Microsoft Purview | Microsoft Learn for more details and support. Why Administrative Units matter for scalable operations Many large organisations operate with decentralized compliance and DLP teams, often aligned to regions, business units, or regulated functions. Historically, this led to one of two sub‑optimal patterns: Multiple, disconnected DLP solutions or tenants Centralized teams managing policies and alerts for parts of the business they don’t own Administrative Units change this model by allowing organisations to: Partition users (and supported resources) into logical units Assign restricted administrators who can only see and act within their unit Apply both global and AU‑scoped policies together, with predictable behavior From a Purview perspective, this enables true business function autonomy, enforced through RBAC and data visibility boundaries, while keeping global services—such as classification—centralized. Reference architecture 1: Layered governance with ring‑fenced operations Scenario An organisation wants to migrate from multiple legacy DLP solutions into Microsoft Purview while preserving independent operations for each business function or region. Architecture highlights This model introduces three distinct layers: Central governance (Global) Global administrators define baseline policies applicable across the tenant Shared services such as classifiers and reusable components remain central Central teams retain cross‑tenant monitoring and reporting capabilities Administrative Units (per business function) Each business function or region is mapped to an Administrative Unit RBAC, policy visibility, and alert management are strictly scoped to the AU Policies created here only affect users within that unit Business function‑level operations Scoped DLP admins manage local policies Alerts and incidents are handled by the owning team Controls can be tuned to meet specific regulatory or operational needs Why this matters This architecture enables a phased migration: Start with a single entity Gradually scale across additional business functions Avoid policy sprawl by consolidating and retiring legacy configurations Crucially, tenant‑wide limits and global services remain unchanged, ensuring consistent performance as scale increases. Reference architecture 2: Ring‑fencing user activity visibility to sub‑business functions Scenario “We have dedicated DLP analysts for executives. DLP alerts and activities for these users must only be visible to that team.” Architecture highlights This model refines the first architecture and allowing to have DLP analysts for a subset of users only. Executive users are placed into a dedicated Administrative Unit representing a subset of users of a business unit. Policies can be published to multiple Administrative Units (ex: Americas + Americas - Execs) In this model: Some DLP administrators may be assigned to multiple AUs so they can publish policies across them Users must belong to a single AU to ensure clean visibility boundaries Why this matters This pattern is particularly effective for: Executive monitoring HR or Legal teams Highly sensitive populations It delivers strict separation of duties without duplicating policies or creating isolated tenants, and aligns with how Purview scopes alerts, activity explorer, and audit data when Administrative Units are used. Reference architecture 3: User activity visibility for multi‑AU users Scenario Some users operate across multiple business functions—for example, executives or shared service leaders—while still requiring controlled visibility for analysts. Architecture highlights User activities are stamped with the sum of all Administrative Units the user belonged to at the time of the activity Scoped DLP administrators: Can only create policies affecting users within their assigned AU. However the sum of their policies will be applicable. Scoped DLP analysts: See all activities for users in their AU, even if those activities were generated by policies scoped to a different AU. Why this matters This model ensures: No loss of investigative context for analysts Predictable visibility when users span multiple organizational boundaries Continued enforcement of AU‑based separation of duties It also reinforces a key principle: Administrative Units control visibility and management scope — not the existence of the underlying activity data. Once a user's in scope of a policy, its related activities/alerts are visible to DLP analysts allowed to review this user's activities. When not to use Administrative Units Administrative Units are a powerful enabler for decentralized, ring‑fenced operations—but they are not required in every Purview deployment. You may choose not to introduce Administrative Units in the following situations: Single, centralized compliance team. If one team owns all policy creation, alert triage, and investigations across the organisation—and there is no requirement to restrict visibility—Administrative Units add limited value. In this model, global role groups already provide sufficient control. No need for visibility or management separation. Administrative Units are primarily about scoping visibility and permissions. If all administrators are expected to see all users, alerts, and activities, AU‑based scoping may introduce unnecessary complexity without operational benefit. Early or small‑scale Purview deployments. Organisations at an early stage of Purview adoption—running a small number of global policies—may find it simpler to start without AUs and introduce them later as operating models mature. Administrative Units do not change tenant limits or global services, so adoption can be phased over time. Requirements driven purely by policy targeting. If the primary requirement is targeting users dynamically for policy application (rather than restricting administrator access or visibility), adaptive scopes alone may be sufficient. Administrative Units become relevant when who can see and manage data is as important as which users are in scope. In short, Administrative Units are best introduced when organisations need to scale operations with clear ownership boundaries, not simply to organise users. Centralized vs. Decentralized Functions in a Ring‑Fenced Operating Model A scalable Microsoft Purview operating model relies on a deliberate split between functions that remain centralized at the tenant level and those that are decentralized to business functions or regions via Administrative Units (AUs). This balance enables autonomy without fragmentation, preserving global consistency while allowing teams to operate independently within defined boundaries. Functions that Remain Centralized Certain capabilities are intentionally retained at the global (tenant) level to ensure consistency, performance, and governance across the organisation. These functions are not delegated to Administrative Units: Global governance and baseline policy definition Central teams define tenant‑wide baseline policies that apply consistently across all users, regardless of AU membership. This ensures minimum protection standards and avoids divergent interpretations of risk. Shared services and reusable components Core services such as classifiers and other reusable components remain centralized to prevent duplication, reduce administrative overhead, and maintain consistent detection behavior across the tenant. Cross‑tenant monitoring and reporting Central teams retain visibility across Administrative Units for monitoring, reporting, and oversight purposes, ensuring that decentralization does not result in blind spots at the organizational level. Tenant‑wide limits and platform behavior Administrative Units do not alter tenant‑wide service limits or global platform characteristics. Keeping these aspects centralized ensures predictable performance and scalability as additional business functions are onboarded. Functions that Are Decentralized via Administrative Units Operational responsibility is decentralized to business functions or regions by mapping them to Administrative Units, with strict scoping enforced through RBAC and data visibility boundaries: Policy creation and management scoped to the AU Business function teams can create and manage policies that only affect users within their Administrative Unit, allowing controls to be tailored to local regulatory or operational requirements without impacting other parts of the organisation. Scoped visibility of alerts, activities, and incidents Administrators and analysts assigned to an AU can only see alerts, activities, and incidents for users in that unit. This enforces separation of duties and prevents unintended access to sensitive data belonging to other functions. Local alert handling and incident response Decentralized teams own the investigation and remediation of alerts generated within their AU, enabling faster response times and clearer accountability. Operational tuning per business function Controls can be adjusted within an AU to reflect specific risk tolerances, regulatory obligations, or operational realities, without creating policy sprawl or requiring separate tenants. Why This Split Matters By clearly separating centralized governance and shared services from decentralized, AU‑scoped operations, organisations can scale Purview deployments in a phased and controlled manner—starting with a single business function and expanding over time—while maintaining consistent governance, visibility, and performance across the tenant. Key takeaways Administrative Units in Microsoft Purview are not just a permissions feature—they are an operating model enabler. Used correctly, they allow organisations to: Scale decentralized operations with confidence Enforce ring‑fenced visibility and management boundaries Combine global consistency with local autonomy For organisations planning large‑scale Purview deployments or consolidating legacy compliance tooling, Administrative Units provide a foundational architecture for sustainable growth. Learn more Administrative units in Microsoft Purview (presentation) Administrative units in Microsoft Purview | Microsoft Learn
DLP Policy - DSPM Block sensitive info from AI sites
Having issues with this DLP policy not being triggered to block specific SITs from being pasted into ChatGPT, Google Gemine, etc. Spent several hours troubleshooting this issue on Windows 11 VM running in Parallels Desktop. Testing was done in Edge. Troubleshooting\testing done: Built Endpoint DLP policy scoped to Devices and confirmed device is onboarded/visible in Activity Explorer. Created/edited DLP rule to remove sensitivity label dependency and use SIT-based conditions (Credit Card, ABA, SSN, etc.). Set Paste to supported browsers = Block and Upload to restricted cloud service domains = Block in the same rule. Configured Sensitive service domain restrictions and tested priority/order (moved policy/rule to top). Created Sensitive service domain group for AI sites; corrected entries to hostname + prefix wildcard a format (e.g., chatgpt.com + *.chatgpt.com) after wildcard/URL-format constraints were discovered. Validated Target domain = chatgpt.com in Activity Explorer for paste events. Tested multiple SIT payloads (credit card numbers with/without context) and confirmed detection occurs. Confirmed paste events consistently show: Policy = Default Policy, Rule = JIT Fallback Allow Rule, Other matches = 0, Enforcement = Allow (meaning configured rules are not matching the PastedToBrowser activity). Verified Upload enforcement works: “DLP rule matched” events show Block for file upload to ChatGPT/LLM site group—proves domain scoping and endpoint enforcement works for upload. Disabled JIT and retested; paste events still fall back to JIT Fallback Allow Rule with JIT triggered = false. Verified Defender platform prerequisites: AMServiceVersion (Antimalware Client) = 4.18.26020.6 (meets/exceeds requirements).Microsoft Purview Referential Architecture Diagrams
Microsoft Purview architecture diagrams provide a reference view of how classification, sensitivity labelling, Data Loss Prevention (DLP), Insider Risk Management, and Microsoft 365 Copilot protections work together across Microsoft 365 workloads. They illustrate how organisations can consistently identify, label, and protect sensitive data across endpoints, email, collaboration services, browsers, and AI‑assisted workflows—without prescribing a single deployment model. Classification generates sensitivity signals, labels express organizational protection intent, and DLP enforces that intent in real time across devices, apps, and services. Together, these patterns show how Copilot inherits existing security controls so AI‑generated content remains governed within the same compliance boundaries as organizational data.Data Security Posture Reports
Proving Your Data Security Posture with Confidence Microsoft Purview Posture Reports help organizations prove (not just assume) that their data security controls are working. They provide a clear, outcome‑based view of how effectively sensitivity labels and Data Loss Prevention (DLP) policies are protecting sensitive data across Microsoft 365. Rather than focusing on individual events or alerts, Posture Reports answer a higher‑level question: Are our data protection controls consistently applied and enforced across the organization? We designed Posture Reports to give security, compliance, and business leaders a defensible, measurable view of data security posture, especially critical as organizations adopt Copilot and other AI tools. Purview reporting offers unified data security insights, helping teams identify and address top risks quickly. By consolidating intelligence, it highlights vulnerabilities so you can take prompt action. With contextual information and measurable results, Purview streamlines responses to threats, improves resilience, and supports a proactive security strategy. Microsoft Purview reporting dashboards drive security decisions because they convert massive, fragmented security telemetry into decision‑ready insights: what’s happening, where the risk is, whether controls are effective, and what to do next. For insights on customizing these reports, check out this article. Where can I access these reports? Three Locations: Purview.microsoft.com -> Information Protection -> Reports Purview.microsoft.com -> Data Loss Prevention -> Posture Reports Purview.microsoft.com -> DSPM -> Reports Posture Reports Basics The out-of-box (OOB) reports are built with a combination of Metric and Analytic cards. Note: these reports are refreshed hourly. What is a Metric Card? What is an Analytic Card? Metric cards are designed to highlight a single, high‑level value or KPI and are also the foundation for building custom cards that combine metrics with trend context. Analytics cards provide richer visualizations that help users explore patterns and trends in the data. What they do: A Metric card is used to create a card that pairs a primary metric with its historical trend This allows users to answer not just “What is the value?” but also “Is it improving or declining?” Metric cards are commonly used for adoption, growth, and compliance health indicators These cards focus on showing trends over time What they do: Show distributions, breakdowns, or trends over time Enable comparison across locations, labels, or workloads Support investigation and analysis rather than just reporting These are useful when you need a visual representation rather than a single metric. Display data using charts such as bars, lines, or other visual formats These cards are commonly used for trend analysis, distribution views, and comparative reporting. Both make patterns easier to understand. Report Insights The following table goes into each OOB report and breaks down different viewpoints to help understand how to use them. Report Where it shows Data Security Decision Intent Why What it shows Key Metrics Filter by Label distribution and adoption in Microsoft 365 DSPM Reports Information Protection Reports Expand auto labeling to high volume unlabeled areas Simplify or consolidate confusing labels Look for high label coverage areas as additional enforcement opportunities Prioritize training/auto-labeling in areas with low label adoption Label coverage is the foundational signal for downstream controls Label activities by workload Sensitivity labels by platform for endpoint devices Sensitivity label usage Label activities by application methods Total labeled items Auto-labeled items Manually labeled items Labeled by default How applied Activity Location Platform Sensitivity label Sensitive info type Policy Rule How applied detail Sensitive info type confidence User Auto-labeling coverage DSPM Reports Information Protection Reports Which auto-labeling polices to promote from audit to enforce Where false positives need tuning before enforcement Which sensitive data types are under-protected Whether auto-labeling can safely scale further Can we trust our classification signal enough to automate protection? Auto-labeling by enforcement (which are in sim mode vs. enforcement mode) Auto-labeled items by policies Top auto-labeling policies (most active auto-labeling policies by number of items they have labeled) Auto-labeling policies by platform for endpoint devices Total labeled items Auto-labeled items Auto-labeled emails Auto-labeled files How applied Activity Location Platform Sensitivity label Sensitive info type Policy Rule How applied detail Sensitive info type confidence User Sensitivity Label Changes DSPM Reports Information Protection Reports Whether to restrict or justify label downgrades Where insider risk controls may be needed (users downgrading heavily) Which labels need stronger default enforcement? Whether user behavior is increasing data exposure Label changes are often an early warning signal of oversharing or misuse Sensitivity label transition trends (timelines for label upgraded/downgraded/removed over time) Sensitivity label removed across workloads (where labels have been removed) Types of Sensitivity labels downgraded (to which sensitivity labels items were often downgraded) Sensitivity label downgrade methods (Analyze sensitivity label downgrades by application method/workload. Dual chart helps identify if this is happening manual or automatic) Sensitivity label downgrades by user (which users are most frequently downgrading) Labels upgraded Labels removed Labels downgraded Labels downgraded manually How applied Activity Location Platform Sensitivity label Sensitive info type Policy Rule How applied detail Sensitive info type confidence User Top users triggering DLP Policies DSPM Reports Data Loss Prevention Posture Reports Whether activity reflects risky behavior or broken workflows Which users or roles need targeted controls or guidance If DLP policies are too broad or too noisy If insider risk investigations should be warranted or considered Distinguish Real risk vs policy misalignment vs. normal business activity DLP Policies Triggered by Users (DLP rule match per rule) Unique users involved in triggers Total users with repeated triggers Policy Location (Workload) Endpoint Device Activity Most triggered DLP Rules or Activities DSPM Reports Data Loss Prevention Posture Reports Which policies need tuning or scoping Where enforcement can be strengthened safely Which risks are systemic vs. isolated Whether DLP is actually aligned to sensitive data High volume DLP rules should drive prioritization, not alert fatigue Top DLP Rules Triggered DLP Rules Triggered by Device Activity (most common endpoint activities triggered) Total rules triggered Unique users involved in triggers Total protective actions taken Policy Location (Workload) Endpoint Device Activity Most triggered DLP policies DSPM Reports Data Loss Prevention Posture Reports Are my highest‑priority policies aligned to real user behavior Shows whether your most critical policies are: Actively protecting data, or rarely triggered (possibly mis-scoped or irrelevant) Which DLP policies are most actively protecting sensitive data, is this the highest risk? DLP Policies Triggered by Workload Total policy trigger volume Unique users involved in triggers Total rules triggered Policy Location (Workload) Endpoint Device Activity Customer Use Cases What are some customer concerns Posture Reports address OOB? Use Case Situation Guidance Labeling & auto-labeling program rollout: “Are we increasing coverage and preventing drift?” Customer situation: A customer is rolling out sensitivity labels and auto-labeling. Leadership asks: “Are we labeling more content?” Security asks: “Are sensitive items still unprotected?” And compliance asks: “Are users downgrading labels?” In posture reports, Information Protection coverage includes label distribution/adoption, auto-labeling posture, and posture drift through label transitions (e.g., label downgrades). This maps directly to “coverage + drift + enforcement” conversations. The built-in IP posture set also calls out label distribution and adoption, auto-labeling policy coverage, and sensitivity label activity as core reports. For “active data” posture, the design intent explicitly includes questions like “What % of my active data estate is labeled vs not labeled?” and “What %/count of unlabeled data has sensitive info?” and “How is labeling protection trending over 30 days?”: perfect for proving program progress (or identifying gaps). DLP tuning & noise reduction: “Which policies/rules are actually firing, and who’s tripping them?” Customer situation: The DLP admin is overwhelmed: policies exist, but they don’t know which ones are actually driving volume (or pain), and which users are repeatedly triggering violations. They need to prioritize tuning based on real-world triggers. Surfaces most triggered DLP rules, most triggered DLP policies, and top users triggering DLP policies. This is directly aligned to the operational question “Are our policies effective?” The service-description blurb explicitly frames DLP posture reports as highlighting most triggered rules, highest-volume policies, and top policy violators. This is exactly what admins use to decide what to tune first. Helps teams move from anecdotal “DLP is noisy” to a ranked view of where to focus (policy/rule/user). CISO Reports, “Are we safer this quarter?” posture readout Customer situation: A CISO (or compliance leader) needs a repeatable, executive-ready snapshot of how the organization is protecting sensitive data, without stitching together audit logs, Activity Explorer screenshots, and spreadsheets. Posture Reports are explicitly positioned as “executive-ready visibility” across Information Protection + DLP. Provides OOB, executive-ready visibility into data protection posture across Information Protection and Data Loss Prevention, so the CISO can answer “Is Purview doing what we intend it to do?” and “Where are the gaps?” quickly. Enables a consistent monthly/quarterly narrative from built-in metrics and trends, with hourly refresh called out as a customer/partner value driver (great for “freshness” credibility in leadership reviews). Uses a rolling window approach; guidance is to save/export what you want to retain for future reference (great for recurring readouts). Frequently Asked Questions (FAQs) Question Guidance What is the least permission required to see Posture Report section for DLP? Information Protection Reader We can see Activity Explorer details inside the reports in a non-simplified view, where all confidential information is visible. If someone has the Security Reader role, will they be able to see these things? Security Reader can see Activity Explorer content surfaced inside Posture Reports, including user/activity-level details that may expose sensitive metadata. If you want a role that can view posture reports but not see confidential item-level signals, Security Reader is not the safe minimum; Information Protection Reader is. Why are our DLP "Device Posture" reports are not in the Posture Reports and only on the DLP Overview page? It will move. Right now, the traffic on home page is high, so we launched there. There will eventually be a deep clone into our "Posture Reports" section, however, it will take some time before it shows up. Can I get reports going back longer than 30 days? We're working on increasing this number but at this time, the reports go back a max of 30 days. Is there any impact on tenant performance when enabling new reporting features? How quickly will reports populate after enabling the feature? No significant impact is expected. If labeling, scanning, and/or DLP policies are already active, reports populate instantly when the feature is enabled (assuming E5 is in place). No additional intrusive operations are performed on the tenant. Can we customize these reports? We have a current public preview in place for posture report customization. Stay tuned for more updates as we continue to build out Microsoft Purview Reporting. Co-Authors: Kevin Kirkpatrick and Jane SwitzerData Security Posture Reports (Custom Workspace and Charts)
For more insights on OOB Reports, check out this article. Overview: NOW IN PUBLIC PREVIEW Microsoft Purview Posture Reports provide a clear, outcome‑based view of how effectively data protection controls, such as Sensitivity Labels and Data Loss Prevention (DLP) policies, are working across Microsoft 365. Rather than focusing on individual alerts or isolated events, Posture Reports help organizations answer a higher‑level, executive‑ready question: Are our data protection controls consistently applied and actually reducing risk at scale? Posture Reports transform complex telemetry from Audit logs, Activity Explorer, and policy enforcement into measurable, defensible insights that security, compliance, and business leaders can act on with confidence. Building on the out‑of‑the‑box experience, Custom Posture Reports enable teams to create scenario‑specific views tailored to their organization’s risk priorities. Key capabilities include: Custom dashboards with drag‑and‑drop sections and cards Built‑in and custom metric or chart cards powered by Activity Explorer data Flexible filtering to support focused investigations and reporting Tips: Start with clear questions, then choose cards that answer them Avoid overcrowding reports; fewer, well‑chosen cards are more effective Use metric cards for status, analytics cards for understanding Treat custom reports as living assets, iterate as needs evolve This allows security teams to move beyond one‑size‑fits‑all reporting and build views aligned to their unique data protection strategy. Preview note: As this feature is in Preview, capabilities, terminology, and UX may change, and not all scenarios are fully documented yet. Key Concepts Where can I access these reports? Three Locations: Purview.microsoft.com -> Information Protection -> Reports Purview.microsoft.com -> Data Loss Prevention -> Posture Reports Purview.microsoft.com -> DSPM -> Reports (CUSTOM COMING) What is a Custom Report? A Custom Report is a user‑created report container where you assemble one or more cards to visualize Information Protection–related data (for example, labeling, classification, or protection activity). Unlike the built‑in reports, custom reports are designed to be adaptable to different audiences and questions. Typical use cases include: Tracking adoption of sensitivity labels over time Monitoring where sensitive data is most concentrated Creating executive‑friendly, KPI‑style summaries Building analyst views for deeper investigation Core Actions in the Custom Reports Experience Add Report creates a new, empty report canvas. This is the starting point where you define: The report name and purpose Create custom reports with your preferred cards and analytics. Add section is used to create a logical grouping within a custom report. A section acts as a container that helps organize cards on the report canvas into meaningful groupings based on purpose, audience, or storyline. What a section does How sections are used Provides structure to a report by grouping related cards together Improves readability and navigation, especially in reports with multiple cards Helps separate different analytical themes within the same report A report can contain one or more sections Each section can include multiple cards (metric cards, chart cards, analytics cards, or custom cards) Sections are added before cards, serving as the layout framework for the report Add Card lets you place a visualization or metric onto the report canvas. Each card answers a specific question, such as “How much data is labeled Confidential?” or “Where is sensitive content growing fastest?” Cards are the building blocks of custom reports and can be mixed and matched within the same report. Permissions: in order to create these reports, you must have permissions to create labels and DLP policies. Built‑in (OOB – Out of the Box) cards: Custom reports include two built‑in card types that can be added to sections: Metric cards – predefined cards used to display key metrics and trends Analytics cards – predefined cards that provide deeper analytical insights Note: In addition to built‑in cards, you can add custom cards (such as metric‑based or chart‑based custom cards) to tailor the report to your scenario. What is a Metric Card? What is an Analytic Card? Metric cards are designed to highlight a single, high‑level value or KPI and are also the foundation for building custom cards that combine metrics with trend context. Analytics cards provide richer visualizations that help users explore patterns and trends in the data. What they do: A Metric card is used to create a card that pairs a primary metric with its historical trend This allows users to answer not just “What is the value?” but also “Is it improving or declining?” Metric cards are commonly used for adoption, growth, and compliance health indicators These cards focus on showing trends over time What they do: Show distributions, breakdowns, or trends over time Enable comparison across locations, labels, or workloads Support investigation and analysis rather than just reporting These are useful when you need a visual representation rather than a single metric. Display data using charts such as bars, lines, or other visual formats Custom cards allow you to define tailored views aligned to your organization’s unique questions. What they do: Focus on specific scenarios not covered by default cards Combine dimensions or filters relevant to your business context Adapt reporting to regulatory, regional, or operational needs When to use them: Organization‑specific KPIs Regulatory or audit‑driven reporting Advanced scenarios that go beyond standard dashboards Custom cards are especially useful for mature programs where built‑in reports are no longer sufficient on their own. Custom Card Configuration The following example illustrates how a metric‑based custom card can be configured to track adoption trends. Scenario: Track adoption of the Confidential sensitivity label over the last 30 days. Card type: Custom card (built from a Metric card) Metric configuration Filters applied What this card shows Metric: Number of items labeled Confidential Time range: Last 30 days (custom) Display format: Compound (shows total count with trend direction) Sensitivity label: Confidential Workload: SharePoint The current total number of items labeled Confidential Whether labeling activity is increasing or decreasing over the last 30 days A focused view of adoption for a specific label and workload This type of custom card is well‑suited for adoption tracking, executive summaries, and ongoing compliance health monitoring. Metric card configuration: Metric cards currently surface up to 7 days of data, providing recent context for the selected metric. Custom surfaces up to the last 30 days of data. You can choose different display formats, such as: Number – a raw count or value Percentage – a proportional view of the metric Compound – a combination of value and trend for quick interpretation You can apply filters to limit the data set to specific criteria (for example, a particular label, location, or workload), allowing the metric to reflect a targeted scenario rather than all data Chart cards are used to visualize data as a graphical chart and can be created as custom cards when you need a visual representation rather than a single metric. Click on Chart Card and under Chart card configuration, select the primary activities: Sensitivity Label Then define the Chart Type Based on the configuration options shown in the UI, the following chart types are available: Vertical bar – compares values across categories using vertical bars; commonly used for side‑by‑side comparisons Horizontal bar – compares values across categories using horizontal bars; useful when category labels are long Pie – shows proportional distribution of values across categories Donut – similar to a pie chart, with a central area that improves readability Line chart – visualizes trends or changes over time Selecting the appropriate chart type helps ensure the custom card clearly communicates the intended insight and improves overall report readability. These cards are commonly used for trend analysis, distribution views, and comparative reporting. Both make patterns easier to understand. Real World Example The business goal this report is addressing is to prove security value and risk reduction, especially to leadership and stakeholders, by tying data protection investments to measurable outcomes. Primary Business Goal: demonstrate that the organization’s data protection controls are effective in reducing financial data risk. The report shows that sensitive financial data is not only being found, but consistently labeled and enforced through DLP, validating that controls are working as intended. Supporting Business Objectives Executive assurance & trust Provide leadership with evidence that compliance and security controls are actively protecting financial data, not just configured. Risk reduction validation Show that financial SITs are being systematically identified and governed, reducing exposure and improper data handling. Value justification for security investments Correlate auto labeling and DLP outcomes to demonstrate ROI on Purview, labeling, and policy investments. Operational confidence Confirm that auto‑labeling policies are accurately detecting sensitive data at scale and triggering appropriate DLP enforcement. Audit and compliance readiness Establish defensible proof that sensitive financial data is discovered, classified, and protected consistently across the environment. Step 1: Create a report, add a name, and description Step 2: Add a section called Key Outcomes (title and description) and add metric cards to show the data at a glance. Step 3: Add another section. Include the following two out of the box charts available. Step 4: Add another section with the out of the box charts Step 5: Add the last section that ties everything together. One out of the box chart and another custom chart. Step 6: for the custom chart above, Do a vertical bar, pivot (the groupings at the bottom of the chart) to Activity. Then, add filters (Sensitive info type: the SITs and Activity: DLPRuleMatch. The report highlights key outcomes, label adoption, application areas, and auto labeling policies. It identifies the main SITs used in labeling and connects them to DLP, demonstrating that the admin's data security measures are effective, particularly with financial information. Using AI to simplify insights This AI integration builds on Microsoft Purview’s existing reporting stack (Posture Reports, Activity Explorer and Audit) and introduces AI-assisted interpretation, summarization, and report composition to reduce manual analysis and accelerate decision-making. To access the report AI Summary: Click on the report and open “View Details” AI will prepare and summarize the report. AI Report Components Executive Summary Delivers a high level, leadership friendly narrative of the most important insights. Highlights overall posture, major risks, and notable improvements or regressions. Summarizes overall activity (for example, total labeled items and dominant platforms) Calls out major observations and limitations (such as lack of trend comparison due to retention) Provides a concise interpretation of what the data means at a point in time This section answers: “What happened, and what should I know without reading the full report?” Key metrics This section provides the essential quantitative data that forms the foundation of the report. Establishes a baseline that can be tracked over time Quantitative measures such as: Number of policy triggers or Label adoption rates Lists the primary counts, categories, and time range used for analysis Clarifies what measurements are available and which are not (such as trends) This section answers: “What are the exact numbers this report is based on?” Distribution Breakdown This section shows how activity is distributed across categories or dimensions. Breaks total activity into meaningful segments (for example, Mac vs. Web Browser) Displays proportional impact using counts and percentages Helps identify concentration areas or imbalances across platforms This section answers: “Where is activity happening the most?” Trend Analysis Evaluates changes over time when historical data is available. Compares current activity to prior periods Highlights increases, decreases, or stability in behavior Clearly calls out when trend analysis is not possible due to data limitations This section answers: “is behavior improving, worsening, or staying the same over time?” Key Findings Synthesizes insights derived from metrics, distributions, and trends. Interprets the data rather than restating it Identifies notable patterns, gaps, or risks (for example, platform skew or low adoption) Connects observations to possible operational or policy implications. This section answers: “What stands out as important or concerning?” Assessment Provides an overall evaluation of the security or compliance posture Combines findings into a holistic judgment Assesses scope, coverage, and effectiveness of current practices Describes whether the posture is sufficient or limited This section answers: “How healthy is our current posture?” Status Summarizes the assessment into a simple outcome indicator. Recommendations Guides next steps based on observed gaps and risks. Suggests practical actions to improve coverage or effectiveness. Aligns recommendations to best practices and product capabilities. Prioritizes changes that reduce risk and improve consistency. This section answers: “What should we do nex References Provides traceability and supporting documentation. Links to authoritative Microsoft documentation used to inform recommendations Allows readers to validate guidance or explore implementation details This section answers: “Where can I verify or learn more?” Full AI Report Summary Summary Posture Reports represent a shift from security configuration to security outcomes. They empower organizations to confidently answer critical questions about risk, readiness, and return on security investment, especially in an AI‑driven world. As reporting continues to evolve, Posture Reports will play a foundational role in how customers prove, improve, and communicate their data security posture.Governing Entra‑Registered AI Apps with Microsoft Purview
As the enterprise adoption of AI agents and intelligent applications continues to accelerate, organizations are rapidly moving beyond simple productivity tools toward autonomous, Entra‑registered AI workloads that can access, reason over, and act on enterprise data. While these capabilities unlock significant business value, they also introduce new governance, security, and compliance risks—particularly around data oversharing, identity trust boundaries, and auditability. In this context, it becomes imperative to govern AI interactions at the data layer, not just the identity layer. This is where Microsoft Purview, working alongside Microsoft Entra ID, provides a critical foundation for securing AI adoption—ensuring that AI agents can operate safely, compliantly, and transparently without undermining existing data protection controls. Lets look at the role of each solution Entra ID vs Microsoft Purview A very common misconception is that Purview “manages AI apps.” In reality, Purview and Entra serve distinct but complementary roles: Microsoft Entra ID Registers the AI app Controls authentication and authorization Enforces Conditional Access and identity governance Microsoft Purview Governs data interactions once access is granted Applies classification, sensitivity labels, DLP, auditing, and compliance controls Monitors and mitigates oversharing risks in AI prompts and responses Microsoft formally documents this split in its guidance for Entra‑registered AI apps, where Purview operates as the data governance and compliance layer on top of Entra‑secured identities. Lets look at how purview governs the Entra registered AI apps. Below is the high level reference architecture which can be extended to low level details 1. Visibility and inventory of AI usage Once an AI app is registered in Entra ID and integrated with Microsoft Purview APIs or SDK, Purview can surface AI interaction telemetry through Data Security Posture Management (DSPM). DSPM for AI provides: Visibility into which AI apps are being used Which users are invoking them What data locations and labels are touched during interactions Early indicators of oversharing risk This observability layer becomes increasingly important as organizations adopt Copilot extensions, custom agents and third‑party AI apps. 2. Classification and sensitivity awareness Purview does not rely on the AI app to “understand” sensitivity. Instead the Data remains classified and labeled at rest. AI interactions inherit that metadata at runtime Prompts and responses are evaluated against existing sensitivity labels If an AI app accesses content labeled Confidential or Highly Confidential, that classification travels with the interaction and becomes enforceable through policy. This ensures AI does not silently bypass years of data classification work already in place. 3. DLP for AI prompts and responses One of the most powerful but yet misunderstood purview capabilities is the AI‑aware DLP. Using DSPM for AI and standard Purview DLP: Prompts sent to AI apps are inspected Responses generated by AI can be validated Sensitive data types (PII, PCI, credentials, etc.) can be blocked, warned, or audited Policies are enforced consistently across M365 and AI workloads Microsoft specifically highlights this capability to prevent sensitive data from leaving trust boundaries via AI interactions. 4. Auditing and investigation Every AI interaction governed by Purview can be recorded in the Unified Audit Log, enabling: Forensic investigation Compliance validation Insider risk analysis eDiscovery for legal or regulatory needs This becomes critical when AI output influences business decisions and regulatory scrutiny increases. Audit records treat AI interactions as first‑class compliance events, not opaque system actions 5. Oversharing risk management Rather than waiting for a breach, Purview proactively highlights oversharing patterns using DSPM: AI repeatedly accessing broadly shared SharePoint sites High volumes of sensitive data referenced in prompts Excessive AI access to business‑critical repositories These insights feed remediation workflows, enabling administrators to tighten permissions, re‑scope access, or restrict AI visibility into specific datasets. In a nutshell, With agentic AI accelerating rapidly, Microsoft has made it clear that organizations must move governance closer to data, not embed it into individual AI apps. Purview provides a scalable way to enforce governance without rewriting every AI workload, while Entra continues to enforce who is allowed to act in the first place. This journey makes every organizations adopt Zero Trust at scale as its no longer limited to users, devices, and applications; It must now extend to AI apps and autonomous agents that act on behalf of the business. If you find the article insightful and you appreciate my time, please do not forget to like it 🙂
