In some cases you may want to be informed immediately when certain actions are being performed in your Microsoft 365 environment by your users. Examples are documents being shared with external parties that should not have access to the documents, or maybe you have a certain user that you want keep tabs on. Of course there a many ways to achieve this in Microsoft Purview, and the configuration of alert policies for these high risk activities is one of them.

❗On March 24, 2025 Microsoft retired the event alerts capability within Microsoft Purview Audit. However, the theory behind this functionality could still be part of the SC-400 exam. For more information take a look at message center message ID MC1006620. You can use Data Loss Prevention Alerts as an alternative.

A word on RBAC Permissions

To start off with the necessities, the required RBAC permissions to view alerts can be found on this Microsoft Learn page. However this isn’t one simple permission that grants a user or administrator the permissions to view all alerts. As alerts are categorized, the user or admin tasked with viewing alerts has to have permissions to view alerts in the specific category.

Alert Policies Overview

Continue reading “Microsoft Purview 101: Configuring Alert Policies for High Risk Activities” →

The Microsoft Purview (Unified) Audit Log. Not the first component of Purview you think of when there’s Data Loss Prevention, Data Lifecycle Management and other cool features. However, the most basic feature like the Audit Log can be quite interesting. So in this article, I want to take you through the basics of the Unified Audit Log.

The Audit log is the place where a lot of user and administrator interactions with the various Microsoft 365 services are stored so they are accessible and searchable for security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. That’s exactly why it’s called the unified audit log. It collects almost everything from the various services in your Microsoft 365 subscription.

Let’s talk basics

The Purview Audit Solution comes in 2 flavors: Audit Standard and Audit Premium. Both are enabled by default in newer M365 tenants. If you have an older tenant, you’ll need to use the following command in Exchange Online PowerShell to verify whether the Audit Solution is enabled in your tenant:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

While both flavors come packed with the Audit Search tool in Purview and Compliance portals and Search-UnifiedAuditLog PowerShell cmdlet to search through audit events, exportable audit records to CSV’s and access to audit logs via the Office 365 Management Activity API (albeit that Audit Premium includes higher bandwidth access to the API), differences are noticeable in the following area’s:

Continue reading “Microsoft Purview 101: Mastering the (Unified) Audit Log” →

Data Loss Prevention (DLP) in Microsoft Purview can be used to prevent your users from oversharing information. Oversharing information is the process of accidently or purposely sharing information with recipients that are not allowed to have or view this information.

While there are various ways to implement DLP with Microsoft Purview, one of the main ones is by leveraging DLP Policies. When taking a look at the DLP Policies pages in Purview, Microsoft gives us the following introductory text:

Use data loss prevention (DLP) policies to help identify and protect your organization’s sensitive info. For example you can set up policies to help make sure information in email and docs isn’t shared with the wrong people.

DLP makes use of so-called Sensitive info types, often referred to as SIT’s. Microsoft includes an enormous list of SIT’s you can use out-of-the-box. You can look at SIT’s as the engine in DLP, as each SIT holds a pattern and/or logic for recognizing content. A few examples of these classifiers are:

• Credit Card Number
• U.K. Physical Addresses
• User Login Credentials

If you want to take a look at the entire list I would recommend to navigate to the Purview portal, Data classification, Classifiers, Sensitive info types. At the time of writing this article the list consists of 324 items. If the pattern/logic for classifying a piece of information in your environment isn’t present, you also have the option to create a SIT yourself.

Plan first, implement second

A few questions that you should ask yourself before heading out and start configuring DLP enthusiastically:

• Which stakeholders do I have to interview or include in my team to select the right types of sensitive information for my company?
• How do I validate my setup before enforcing policies on users?
• What is my scope? What is included in my scope and what is not?
• What is my business planning and what is my planning on technology?
• How do I introduce DLP to my end-users. Should I include training or adoption?

Generally, the following step-by-step action plan would give you the opportunity to get some insights and let your users get acquainted with the introduction of DLP in their day to day jobs.

Continue reading “Microsoft Purview 101: How to set up Data Loss Prevention (DLP)” →

In a previous article, I explained the process of setting up Purview Records Management to protect your business-critical items that have to adhere to regulatory and legal standards. In this article I want to show you 3 global settings that change the behavior of Records Management.

To find this settings, navigate to the Purview portal, select Records Management and click the ‘Records Management Settings’ button in the top right.

Continue reading “3 Settings that set Purview Records Management to adhere to your requirements” →

One of the most distinct features of Purview is of course sensitivity labeling, which is part of the information protection section in the Purview portal. Before we head off to configuring sensitivity labeling and dive into what it looks like from a users perspective, let’s first talk about what sensitivity labels are.

Introduction

You can think of a sensitivity label like a stamp, which you can apply to content like documents, email and meetings. The cool thing is that the sensitivity label is added in clear text to the metadata of the files, so it travels together with the content (hence the reference to the stamp 😉). Because it’s stored in clear text, applications and services can use the sensitivity label to apply logic to it. Examples of this logic is adding a watermark to a document, protecting content from being openend by unauthorized people or content being protected from being sent outside your organization. This protection part can be done by Microsoft 365 or a third-party application. But a sensitivity label by itself can inform users of the sensitivity level of a certain item.

There are various automatic methods of applying labels to your content, but for this article we’ll focus on manually adding labels to content so we understand how the basic process works before we move on to some form of automatic labeling.

Continue reading “Microsoft Purview 101: How To Implement Sensitivity Labels” →

Records Management in Microsoft Purview can be used to:

• Setup a retention schedule for your files or folders (Just as with Purview Data Lifecycle Management)
• Mark items such as Word, Excel or Powerpoint files as records.

When an item such as a file or folder becomes a record, the item or it’s contents cannot be changed any more. This is often done to comply with legal requirements, such as those that require a certain company to retain their documents for a certain period of time and during that time, the files (that have become records) cannot be altered by anyone. This article will explain how to configure the basics of Records Management, and will show you the end-user experience.

Differences between Records Management (RM) and Data Lifecycle Management (DLM)

Let’s start by looking at the differences between Data Lifecycle Management and Records Management.

Continue reading “Microsoft Purview 101: How to Setup Records Management” →