Microsoft Purview - A scenario-based overview - Part 2
Beau Faull
Senior Technology Specialist @ Microsoft | Security, Risk and Compliance | CISSP, TOGAF, AICD Foundations
Last week I published an article covering some scenario-based overviews of Microsoft Purview and advised that I had split the article in half, as it was too long for one read-through. I promised I would publish the other 4 this week, and so here we are!
The first article covering scenarios can be found here:
To quickly recap, or if you have not read my previous article: Microsoft recently rebranded our Compliance stack, which is now called Microsoft Purview. A mapping of the old terminology to the new is shown in the image below:
Microsoft 365 Purview solutions provide integrated, intelligent tools to reduce risks without compromising worker productivity. These tools can help you improve how you classify and manage information, enhancing your ability to assess risk, govern and protect sensitive and business-critical data, and respond efficiently to legal and regulatory obligations.
The following scenarios describe standard compliance requirements and how you can achieve them using the Purview features in Microsoft 365.
Purview Scenarios
Scenario 4: Prevent the accidental disclosure of sensitive information
Increasingly, organisations are required to store and protect sensitive data, whether business-critical data such as financial information or customer-centric data such as credit card numbers, health records or other Personally Identifiable Information (PII).
As this data grows exponentially over time, it becomes more challenging to monitor and protect this data from being exfiltrated, either maliciously or accidentally. To protect this data and reduce risk, an organisation needs to prevent users from sharing it with people who should not have access to this data – this practice is called Data Loss Prevention (DLP).
Microsoft DLP is a suite of technologies covering Office DLP, Endpoint DLP, Teams DLP, on-premises DLP and the existing MCAS DLP functionality. It is implemented by defining and applying policies, allowing you to identify, protect and monitor sensitive items across Microsoft 365 services, Office applications, Windows 10 endpoints, non-Microsoft cloud applications, on-premises file shares, and on-premises SharePoint.
Policies are created to monitor the activities that end users take on data, both at rest and in transit, and to take preventative actions such as blocking the sharing of sensitive data. These activities are recorded in the Microsoft 365 Audit log and routed to Activity Explorer for additional visibility. If the policy is configured to generate an alert when an action occurs, the alert appears in the DLP management dashboard for review.
More information about Microsoft DLP can be found at:
Sensitive data does not only exist within the cloud but commonly exists on the user's endpoint device. Endpoint DLP extends the activity monitoring and protection capabilities to sensitive items on Windows 10 and 11 devices. Once these devices are onboarded to the solution, activity related to sensitive items on the device is visible through Activity Explorer, and Endpoint DLP can enforce further protective actions via DLP policies.
An organisation can configure these policies for endpoint protection, such as restricting uploads by unapproved browsers or auditing the copying of data across a remote session.
Additional information for Endpoint DLP can be found at:
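To make the policy-and-rule model concrete, here is an added example (my own, not code from the article or from Microsoft's documentation) that builds a DLP policy with Security & Compliance PowerShell. It starts the policy in test mode, which audits matches and shows policy tips without blocking, and only switches to enforcement after the audit period has been reviewed. It assumes the ExchangeOnlineManagement module, a Compliance Administrator account, and onboarded Windows endpoints; the policy name, notification address and UPN are placeholders, and the parameter names are as I recall them from the cmdlet documentation, so check `Get-Help New-DlpComplianceRule -Full` in your tenant before running.

```powershell
# Added example (not from the article): create a DLP policy in test mode, then a
# rule that blocks external sharing of credit card numbers, notifies the owner,
# raises a high-severity incident report and applies endpoint restrictions.
# Assumes the ExchangeOnlineManagement module and a Compliance Administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder UPN

$policyName = "Example - Block external PCI sharing"              # placeholder name

# Confirm the built-in sensitive information type exists before referencing it.
$sit = Get-DlpSensitiveInformationType -Identity "Credit Card Number"
if (-not $sit) { throw "Sensitive information type 'Credit Card Number' not found" }

# Scope: Exchange, SharePoint, OneDrive, Teams and onboarded endpoints.
# TestWithNotifications audits matches and shows policy tips without blocking,
# which is the sensible starting point before switching the mode to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Example policy: audit first, then enforce" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Rule: at least one credit card number shared with someone outside the organisation.
New-DlpComplianceRule -Name "$policyName - external" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1"; minConfidence = "85" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains payment card data and cannot be shared externally." `
    -GenerateIncidentReport "secops@contoso.example" `
    -IncidentReportContent All `
    -ReportSeverityLevel High `
    -EndpointDlpRestrictions @( @{ Setting = "RemovableMedia"; Value = "Block" }, @{ Setting = "CopyPaste"; Value = "Audit" } )

# Check the policy is in test mode and has distributed to the workloads.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, DistributionStatus

# After reviewing matches in Activity Explorer for a week or two with no
# unexpected hits, move to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The two-step rollout matters in practice: a rule that blocks on a low-confidence match of a broad sensitive information type will generate helpdesk tickets from legitimate business processes, and test mode lets you tune `minCount` and `minConfidence` against real activity before anyone is blocked.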
With businesses adopting more collaboration tools to facilitate remote work, monitoring and protecting information across those tools has become increasingly important. You can use Teams DLP to define policies that monitor and protect sensitive data in Microsoft Teams conversations and documents.
You can use a DLP policy to detect when sensitive information is shared in a channel with guest users and delete this sensitive data within seconds. In addition, policy tips can be created to assist in the education of users and advise when and why a DLP policy was triggered.
More information on Teams DLP can be found here:
Microsoft Defender for Cloud Apps (MDCA) can be used to extend these DLP capabilities to non-Microsoft cloud applications. With this solution, an organisation can use DLP policies to monitor and detect when sensitive data is used and shared across non-Microsoft cloud applications.
To use DLP policies for specific non-Microsoft cloud applications, the application must be connected to MDCA. Once connected, you can monitor and protect sensitive data that these applications share.
File policies control the actions you can execute within MDCA once a policy match has been detected, whilst DLP policies allow for additional control over non-Microsoft cloud applications.
Additional information for MDCA can be found at:
A business may also have a sizeable on-premises infrastructure that may contain sensitive data, ranging from legacy infrastructure to systems prepared for migration to the cloud.
In this instance, you can use the Microsoft 365 Data Loss Prevention on-premises scanner. The scanner crawls on-premises file shares and SharePoint document libraries and folders for sensitive data that could violate a Purview policy, providing additional visibility and control over sensitive data on-premises.
It detects sensitive information using the built-in sensitive information types, custom information types, defined sensitivity labels, or different file properties.
This information is then visible in the Activity Monitor, while protective actions are enforced via DLP policies. The on-premises DLP scanner relies on a full implementation of the Azure Information Protection unified labelling scanner to monitor, label, and protect sensitive data.
Additional information can be found at:
Scenario 5: Discover and prevent inappropriate or malicious activity inside an Organisation
Managing and minimising risk starts with understanding what risks the organisation could face in the modern workplace. Some are driven by external events outside the organisation's control, while others are caused by internal events and user behaviour that can be controlled and avoided.
These may come in the form of unethical, inappropriate, and malicious activities within your organisation or can result from negligent acts such as the accidental sharing of sensitive information.
Microsoft 365 provides the capability to detect, investigate and act on malicious and inadvertent internal activities in an organisation. With Insider Risk, you define the types of risks you want to identify and detect, such as potential IP theft or intentional/accidental leaks of information, with the additional capability of escalating cases into Advanced eDiscovery if required. Insider Risk Analytics enhances these capabilities without configuring different risk policies: it enables you to evaluate potential insider risks within your organisation and provides a high-level view of your users' activities and any developing trends.
More information is available from:
Communication Compliance helps to minimise communication risks by capturing and acting on inappropriate messages within your organisation. Using custom and pre-defined policies allows you to scan both internal and external communications for policy matches within email, Microsoft Teams, Yammer, and third-party communications to enable you to take appropriate actions to ensure that you remain compliant with message standards or corporate policy.
Once a policy detects a violation, you can use remediation workflows to take automatic actions, including the option to escalate messages to a reviewer or email the user who triggered the policy violation.
Additional information is available from:
The Microsoft cloud includes many assertive communication and collaboration capabilities, but suppose you need to restrict communications between groups to avoid conflicts of interest within your organisation, such as teams that work with highly confidential information?
Information Barriers provides the capability to restrict information flow across Microsoft Teams, SharePoint Online and OneDrive for Business by defining policies that either allow or deny communications between groups.
These policies can prevent users from calling or communicating with users outside of the policy, or limit their communications to a subset of user groups.
More information is available from:
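The allow/deny model above maps directly onto segments and policies in PowerShell. The following is an added example of mine, not code from the article, showing two segments defined by the Department attribute and a pair of policies that block communication in both directions; it assumes the ExchangeOnlineManagement module, a Compliance Administrator account, and that the tenant has Information Barriers licensed and enabled. Segment and department names and the UPNs are placeholders.

```powershell
# Added example (not from the article): define two organisation segments by the
# Department attribute and information barrier policies that keep them apart.
# Assumes the ExchangeOnlineManagement module and a Compliance Administrator.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder UPN

# Segments are defined by a filter on user attributes. A user may belong to at
# most one segment, so the filters must not overlap.
New-OrganizationSegment -Name "Deal Team" -UserGroupFilter "Department -eq 'Deal Team'"
New-OrganizationSegment -Name "Research"  -UserGroupFilter "Department -eq 'Research'"

# Policies are directional: one blocks Deal Team -> Research, the other blocks
# Research -> Deal Team. Created Inactive so they can be reviewed before
# anything is enforced.
New-InformationBarrierPolicy -Name "DealTeam-blocks-Research" `
    -AssignedSegment "Deal Team" -SegmentsBlocked "Research" -State Inactive
New-InformationBarrierPolicy -Name "Research-blocks-DealTeam" `
    -AssignedSegment "Research" -SegmentsBlocked "Deal Team" -State Inactive

# Review before activating.
Get-InformationBarrierPolicy | Format-Table Name, AssignedSegment, SegmentsBlocked, State

# Activate both and apply. Application runs in the background across Teams,
# SharePoint and OneDrive; poll the status until it reports completion.
Set-InformationBarrierPolicy -Identity "DealTeam-blocks-Research" -State Active
Set-InformationBarrierPolicy -Identity "Research-blocks-DealTeam" -State Active
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus

# Verify a specific pair of users once application has completed (placeholder UPNs).
Get-InformationBarrierRecipientStatus -Identity "alice@contoso.example" -Identity2 "bob@contoso.example"
```

Creating both directions explicitly is deliberate: a single policy only blocks communication initiated from the assigned segment, so a one-sided policy leaves the other team able to reach out, which is rarely what a conflict-of-interest control intends.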
Scenario 6: Provide greater visibility and control over your data
Microsoft 365 provides a record of all activity performed by users and admins in the tenant's unified audit log, which is leveraged by many of the features described previously in this document.
Audit (Standard) is enabled by default; for more information:
The Office 365 Management Activity API enables exporting audit log details for external retention or connection to a Security Information and Event Management (SIEM) solution such as Azure Sentinel.
For those without a SIEM, Office 365 alert policies allow you to raise alerts based on activity recorded in the tenant. Alert policies let you define the action you wish to know about (for example, malware detected in SharePoint and OneDrive, or the creation of an anonymous sharing link), assign a severity, and configure how often to be notified.
More information on alert policies is available from:
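For an organisation without a SIEM connector, the unified audit log can still be queried and exported directly. Here is an added example (mine, not from the article) that pulls a week of SharePoint and OneDrive sharing events, including anonymous link creation, and writes them as JSON lines that a log collector can ingest; it assumes the ExchangeOnlineManagement module and an account holding the View-Only Audit Logs role. The operation names are real SharePoint audit operations; the output path and UPN are placeholders, and the AuditData field names used in the flattening step are the ones I have seen in SharePoint sharing records rather than a guaranteed schema.

```powershell
# Added example (not from the article): export SharePoint/OneDrive sharing events
# from the unified audit log as JSON lines and produce a quick triage summary.
# Assumes the ExchangeOnlineManagement module and the View-Only Audit Logs role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"   # placeholder UPN

$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = "sharing-export-" + [guid]::NewGuid().ToString()
$outFile   = "C:\Temp\sharing-events.jsonl"                          # placeholder path

# Search-UnifiedAuditLog returns at most 5000 records per call. Reusing the same
# SessionId with ReturnLargeSet pages through the full result set until a call
# returns nothing.
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointSharingOperation `
        -Operations AnonymousLinkCreated, SharingSet, SharingInvitationCreated `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000

    foreach ($record in $batch) {
        # AuditData is a JSON string; flatten the fields a detection rule keys on.
        $data = $record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            time      = $record.CreationDate.ToString("o")
            operation = $record.Operations
            user      = $record.UserIds
            target    = $data.TargetUserOrGroupName   # assumed field name
            item      = $data.ObjectId                # assumed field name
            clientIp  = $data.ClientIP                # assumed field name
        } | ConvertTo-Json -Compress | Add-Content -Path $outFile
    }
} while ($batch -and $batch.Count -gt 0)

# Triage view: which accounts created the most anonymous links this week.
Get-Content $outFile | ForEach-Object { $_ | ConvertFrom-Json } |
    Where-Object { $_.operation -eq "AnonymousLinkCreated" } |
    Group-Object user | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count
```

Because Audit (Standard) keeps only 90 days, a scheduled export like this is also the cheapest way to retain sharing history beyond that window until a proper SIEM integration via the Management Activity API is in place.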
Microsoft Defender for Cloud Apps gives you visibility into all the activities from your connected apps and provides a much richer investigative experience for the Microsoft 365 audit log. In addition, MDCA can provide advanced alerts through a correlation of activities and anomaly detection policies, as well as detailed information on cloud application usage and data loss prevention events.
While Audit (Standard) provides 90-day audit log retention, Audit (Premium) allows for retention of up to 1 year (or 10 years with an additional license). In addition to long-term retention, Advanced Audit enables the recording of high-value events that may be useful in forensic or compliance investigations, for example when a user accessed, replied to or forwarded messages, or what they searched for in Exchange or SharePoint Online.
More information on Advanced Audit is available from:
For highly regulated customers or those with extremely sensitive data, Microsoft offers several capabilities that allow you to enforce strict control over access to information. While Microsoft engineers do not have access to your data by default, in limited cases it may be necessary to access customer data to fix a support issue. In such a case, the required permissions would be granted for a limited time through an approval workflow, the details of which you would see in the ticket history and the audit log.
With Customer Lockbox, nominated administrators have the final say in the approval workflow, and no access to data is permitted without your explicit consent.
More information on Customer Lockbox is available here:
Office 365 utilises advanced encryption to protect content at rest in services such as Exchange Online and SharePoint Online. In addition, for customers with regulatory requirements to control encryption keys, Microsoft offers Service Encryption with Customer Key, which adds an additional layer of encryption using keys held by the organisation.
Note that this does not affect access to your data by Microsoft support personnel, as the encryption is transparent to the services. However, it ensures the content is not accessible if the keys are revoked (in other words, this capability is effectively a "kill switch").
Finally, for customers with extremely sensitive content, Double Key Encryption uses two keys to encrypt files, one stored by Microsoft in Azure and the other provided by the customer.
Both keys are needed to decrypt files. Since Microsoft does not have access to your key, this ensures only those users explicitly authorised by the organisation have access to the content.
Double Key Encryption considerably impacts the functionality the services can offer for those files, so it should only be used when necessary.
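The approval workflow can be driven from PowerShell rather than the portal, which is useful when the nominated approvers want the decision recorded in a change system. This is an added example of mine, not code from the article, and it assumes Exchange Online PowerShell with an account in the Customer Lockbox access approver role; the UPN is a placeholder, and the cmdlet and parameter names are the `Get-AccessToCustomerDataRequest` / `Set-AccessToCustomerDataRequest` pair as I recall them from the Exchange Online documentation, so confirm with `Get-Help` before use.

```powershell
# Added example (not from the article): review pending Customer Lockbox requests,
# record a decision, and confirm the decision landed in the unified audit log.
# Assumes Exchange Online PowerShell and the Customer Lockbox access approver role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "approver@contoso.example"   # placeholder UPN

# Anything still awaiting a decision. Format-List * avoids assuming property names.
$pending = Get-AccessToCustomerDataRequest -ApprovalStatus Pending
$pending | Format-List *

# Decide each request explicitly. Deny is the safe default: an unreviewed
# request should never be approved just because it is blocking a ticket.
foreach ($request in $pending) {
    $decision = Read-Host "Request $($request.RequestId): Approve or Deny"
    if ($decision -notin @("Approve", "Deny")) { $decision = "Deny" }
    Set-AccessToCustomerDataRequest -RequestId $request.RequestId -ApprovalDecision $decision
}

# Every decision is itself an auditable event; verify it is visible to the SOC.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -Operations "Set-AccessToCustomerDataRequest" -ResultSize 50 |
    Select-Object CreationDate, UserIds, Operations
```

The audit check at the end is the part worth keeping in any runbook: the value of Lockbox for a regulated customer is not just that consent is required, but that both the request and the decision are evidence you can produce later.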
The following features are not available with Double Key Encryption:
More information on Double Key Encryption is available from:
Scenario 7: Manage your organisation's regulatory compliance requirements
The Microsoft 365 Purview Centre includes Compliance Manager, an enhancement to the version in the Service Trust Portal and a replacement for the Compliance Score preview. Compliance Manager is an end-to-end compliance management solution and helps simplify compliance and reduce risk by providing:
Compliance Manager includes the Data Protection Baseline assessment; Microsoft 365 E5 Purview adds assessments for GDPR, NIST 800-53, and ISO 27001. Additionally, customers can use custom assessments and premium assessment templates, which are available to purchase as an add-on.
There are currently over 300 premium templates available, including the Australian Privacy Act, IRAP v3, APRA CPS, the Australian Energy Sector Cyber Security Framework, and the ASD Essential 8.
For the complete list of templates, see:
For more information on Compliance Manager:
Summary
I hope you enjoyed this article and that it provides some much-needed context and visibility into the Purview stack. I have purposefully not been too specific on any of these subjects, as I prefer to write about them separately. I would welcome feedback on whether you want more scenarios, or whether you want me to dive deeper into the ones I have covered and be more specific.
As with any article I write, I am completely open to feedback and recommendations. If there is anything in particular you want to see, please let me know, and I'll do my best to accommodate it.
Cloud | Zero Trust | Modern Work
2 years - Great write up Beau Faull! Thanks for sharing Jonathan Glendenning.
Microsoft Security MVP | M365 Incident Responder at Citi (VP) | AZ-500 | SC-400 | SC-200 | MS-500 | Creator of DecipheringUAL on Github | Author | Speaker | Microsoft Purview Audit/eDiscovery | Microsoft Defender XDR |
2 years - David Caddick saw you asking about Purview on another thread so thought this might be useful to you :)
EMEA Purview Lead
2 years - Love these articles Beau! Scenario 4 flows nicely into 5 too with the ability to create IRM policies triggered by DLP. Scenario 7, Compliance Manager, has a Recommended Assessments tool which can be useful to customers unsure of which regulations apply to their org. If Premium Assessments are suggested, customers can activate a free 90 day trial - https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-easy-trials-compliance-manager-assessments?view=o365-worldwide