Microsoft Purview 101: How to set up Insider Risk Management (IRM)

Let’s talk about the following scenario. You have an employee who is leaving your company. Because the departing employee thinks that he has the rights to all of the company’s documents, he starts downloading them for later use and sends the documents to his private email account using Dropbox. Wouldn’t you want to be notified of such a scenario?

Enter Microsoft Purview Insider Risk Management (IRM), a solution that collects information from all kinds of different sources, like Microsoft 365 and perhaps other services such as your HR system. In IRM, you can create various policies that let you monitor all sorts of policy violations. A few examples are:

  • Data theft by departing users
  • Various kinds of data leaks
  • Various kinds of policy violations
  • Health record misuse
  • Risky browser usage

IRM provides you with workflows to help your organization detect the above potential risks, manage them by cases and take various actions on the risks that are found in your environment. Ready to find out more by using an example? Let’s go!

Prerequisites

When you first navigate to the IRM console, you are greeted with a few recommendations to get you started.

Turn on analytics

The first one is shown in the picture above and lets you turn on analytics to scan for potential risks. When you enable this, user activities are scanned on a daily basis to identify potential risks occurring in your environment. The first scan can take 48 hours to complete as it scans your audit log and Microsoft Entra ID. When it’s done, it sends you an email when there are insights and IRM policy recommendations to check up on. Note that if you don’t have audit logging enabled for your tenant (it is enabled by default nowadays), now is a good time to enable it.


Microsoft Purview 101: Setting up Communication Compliance

Communication Compliance in Microsoft Purview can detect messages in your organization that are considered to be inappropriate. Besides detection it can also capture and take action on the messages that it finds. Microsoft Purview is equipped with several out-of-the-box policies and gives you the possibility to create your own. Communication compliance policies can be used to check for inappropriate messages in internal and external communications that take place in email (Exchange), Meeting/IM (Teams chat, channel messages, meeting transcripts with recordings), Viva Engage and interactions with Microsoft 365 Copilot.

You can think of the following messages as being inappropriate in your environment:

  • Messages that contain sensitive content.
  • Messages that contain inappropriate content, text or images.
  • Messages that contain a conflict of interest.
  • Messages that contain information that is against laws or compliance policies.
  • And so on!

In this blog I want to show you how to create a communication compliance policy, what it looks like for the user who sends inappropriate messages, how these messages are captured and how you can take action. Are you ready? Let’s go!


Microsoft Purview 101: How to use eDiscovery Premium to comply with requests for information

Imagine you’re the guy in the picture above. You’re responsible for processing requests for information for a government. These requests occur worldwide and are often enshrined in legislation. Examples include:

  • The Netherlands: Wet Open Overheid (WOO)
  • United States of America: Freedom of Information Act (FOIA)
  • Canada: Access to Information Act
  • United Kingdom: Freedom of Information Act

These requests often need to be handled within a specified timeframe. Not exactly doable if you have to comb through all these boxes like the guy in the picture. Good thing that in reality you are not really that guy in the picture! You use modern methods and services like Microsoft 365 to store your information. And that’s where the magic comes in that I will explain in this blog. With Microsoft 365 you can use the eDiscovery feature to fulfill the requests for information. A really handy and quick tool that takes a lot of the manual work out of your hands. Let’s see how this works by putting a request for information through its paces in eDiscovery Premium.

A quick note on licenses

Source: Microsoft

eDiscovery within Purview comes in 2 flavours: Standard and Premium. You can see the differences in the table above. There’s also Content Search, which can be used for the same purposes but has fewer features in terms of case management. In this blog I will use eDiscovery Premium to demonstrate what features it has in store.


Microsoft Purview 101: Utilizing the Content and Activity Explorer

In the last blog, we talked about sensitive information types, classifiers and how to implement them in your environment. In this blog I want to walk you through the Content Explorer and Activity Explorer. According to the Purview documentation, we can leverage the Content Explorer to explore email and documents in your environment that contain sensitive information or items that have labels applied. Activity Explorer can be used to take a look at all the actions that took place with sensitive info or items that have labels applied.

Let’s dive right in and start with the possibilities of Content Explorer.

Content Explorer

Let’s start by taking a look at Data classification, overview. Here you can see at a glance the sensitive information and labels used in your environment. A lot of this data is actually coming from the Content Explorer.


Microsoft Purview 101: Data Classifiers Explained

When talking about Microsoft Purview, it often goes hand in hand with data classification. But how can we classify our data? Microsoft Purview provides us with a few different options to do this:

  1. Manually by an administrator or your users.
  2. By using automated pattern-matching.
  3. By using classifiers.

After your data has been classified, you can take a closer look at where your sensitive data resides (for example with Data Explorer or eDiscovery) to get an overview of your information, or use the various tools in Purview to protect your sensitive data. This article covers classifying your data. If you want to take a closer look at the tools that protect your data, take a look at my articles on Data Loss Prevention, Data Lifecycle Management and others.

Introduction to Data Classifiers in Purview

When talking about manually categorizing your content, you can use pre-existing labels or sensitive information types, or you can create custom ones yourself and use these to protect your data and manage its lifecycle.


Microsoft Purview 101: Configuring Alert Policies for High Risk Activities

In some cases you may want to be informed immediately when certain actions are being performed in your Microsoft 365 environment by your users. Examples are documents being shared with external parties that should not have access to the documents, or maybe you have a certain user that you want to keep tabs on. Of course there are many ways to achieve this in Microsoft Purview, and the configuration of alert policies for these high risk activities is one of them.

❗On March 24, 2025 Microsoft retired the event alerts capability within Microsoft Purview Audit. However, the theory behind this functionality could still be part of the SC-400 exam. For more information take a look at message center message ID MC1006620. You can use Data Loss Prevention Alerts as an alternative.

A word on RBAC Permissions

To start off with the necessities, the required RBAC permissions to view alerts can be found on this Microsoft Learn page. However, this isn’t one simple permission that grants a user or administrator the permissions to view all alerts. As alerts are categorized, the user or admin tasked with viewing alerts has to have permissions to view alerts in the specific category.

Alert Policies Overview

Image credit: Microsoft

Microsoft Purview 101: Mastering the (Unified) Audit Log

The Microsoft Purview (Unified) Audit Log. Not the first component of Purview you think of when there’s Data Loss Prevention, Data Lifecycle Management and other cool features. However, the most basic feature like the Audit Log can be quite interesting. So in this article, I want to take you through the basics of the Unified Audit Log.

The Audit log is the place where a lot of user and administrator interactions with the various Microsoft 365 services are stored so they are accessible and searchable for security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. That’s exactly why it’s called the unified audit log. It collects almost everything from the various services in your Microsoft 365 subscription.

Let’s talk basics

The Purview Audit Solution comes in 2 flavors: Audit Standard and Audit Premium. Both are enabled by default in newer M365 tenants. If you have an older tenant, you’ll need to use the following command in Exchange Online PowerShell to verify whether the Audit Solution is enabled in your tenant:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

While both flavors come packed with the Audit Search tool in the Purview and Compliance portals, the Search-UnifiedAuditLog PowerShell cmdlet to search through audit events, export of audit records to CSV files and access to audit logs via the Office 365 Management Activity API (albeit that Audit Premium includes higher bandwidth access to the API), differences are noticeable in the following areas:


Microsoft Purview 101: How to set up Data Loss Prevention (DLP)

Data Loss Prevention (DLP) in Microsoft Purview can be used to prevent your users from oversharing information. Oversharing information is the process of accidentally or purposely sharing information with recipients that are not allowed to have or view this information.

While there are various ways to implement DLP with Microsoft Purview, one of the main ones is by leveraging DLP Policies. When taking a look at the DLP Policies pages in Purview, Microsoft gives us the following introductory text:

Use data loss prevention (DLP) policies to help identify and protect your organization’s sensitive info. For example you can set up policies to help make sure information in email and docs isn’t shared with the wrong people.

DLP makes use of so-called Sensitive info types, often referred to as SITs. Microsoft includes an enormous list of SITs you can use out-of-the-box. You can look at SITs as the engine in DLP, as each SIT holds a pattern and/or logic for recognizing content. A few examples of these classifiers are:

  • Credit Card Number
  • U.K. Physical Addresses
  • User Login Credentials

If you want to take a look at the entire list, I would recommend navigating to the Purview portal, Data classification, Classifiers, Sensitive info types. At the time of writing this article the list consists of 324 items. If the pattern/logic for classifying a piece of information in your environment isn’t present, you also have the option to create a SIT yourself.

Plan first, implement second

A few questions that you should ask yourself before you head out and start configuring DLP enthusiastically:

  • Which stakeholders do I have to interview or include in my team to select the right types of sensitive information for my company?
  • How do I validate my setup before enforcing policies on users?
  • What is my scope? What is included in my scope and what is not?
  • What is my business planning and what is my planning on technology?
  • How do I introduce DLP to my end-users? Should I include training or adoption?

Generally, the following step-by-step action plan would give you the opportunity to get some insights and let your users get acquainted with the introduction of DLP in their day to day jobs.


How to stay in control of data you use in Microsoft 365 Copilot

This blog was co-written with Sjoerd Schudde.

More and more organizations want to discover the power of Microsoft 365 Copilot. However, one of the biggest challenges is maintaining control over the organization’s and users’ data during this discovery phase. In this blog article, we’ll explain how you can get started with Microsoft 365 Copilot in a responsible way. We’ll walk you through the step-by-step process, from controlling current access to information to strengthening your information security and management with Microsoft Purview.

Copilot for Microsoft 365 is the smart AI assistant that will help employees and organizations work smarter in the coming years. With Copilot, you can complete more tasks in less time. Think, for example, of conversation reports that are automatically summarized, so that the most important points and agreements are immediately clear. By taking over repetitive tasks, Copilot helps companies to be more productive; you can find the information you need faster without having to switch between different screens and applications.


3 Settings that set Purview Records Management to adhere to your requirements

In a previous article, I explained the process of setting up Purview Records Management to protect your business-critical items that have to adhere to regulatory and legal standards. In this article I want to show you 3 global settings that change the behavior of Records Management.

To find these settings, navigate to the Purview portal, select Records Management and click the ‘Records Management Settings’ button in the top right.
