Announcing Public Preview of DLP for M365 Copilot in Word, Excel, and PowerPoint
Today, we are excited to announce the public preview of Data Loss Prevention (DLP) for M365 Copilot in Word, Excel, and PowerPoint. This development extends the capabilities you rely on for safeguarding data in M365 Copilot Chat, bringing DLP protections to everyday Copilot scenarios within these core productivity apps. Building on Our Foundation Data oversharing and leakage is a top concern for organizations using generative AI technology, and securing AI-based workflows can feel overwhelming. We’ve been laying a strong foundation with Microsoft Purview Data Loss Prevention—especially with DLP for M365 Copilot—and are excited to expand its reach to further reduce the risk of AI-related oversharing at scale. In the original public preview release, we enabled admins to configure DLP rules that block Copilot from processing or summarizing sensitive documents in M365 Copilot Chat. However, these controls didn’t extend to the powerful in-app Copilot experiences, such as rewriting text in Word, summarizing presentations in PowerPoint, or generating helpful formulas in Excel. That changes now with this public preview. The Next Phase of DLP for M365 Copilot Similar to our original approach for M365 Copilot Chat, we are bringing consistent, flexible protection to M365 Copilot for Word, Excel, and PowerPoint. Here’s how it works in this preview: Current file DLP checks: Copilot now respects sensitivity labels on an opened document or workbook. If a document has a sensitivity label and a DLP rule that excludes its content from Copilot processing, Copilot actions like summarizing or auto-generating content directly in the canvas are blocked. Chatting with Copilot is also unavailable. File reference DLP checks: When a user tries to reference other files in a prompt – like pulling data or slides from other labeled documents – Copilot checks DLP policies before retrieving the content. If there is a DLP policy configured to block Copilot processing of files with that file’s sensitivity label, Copilot will show an apology message rather than summarizing that content – so no accidental oversharing occurs. You can learn more about DLP for M365 Copilot here: Learn about the Microsoft 365 Copilot policy location (preview) Getting Started Enabling DLP for M365 Copilot in Word, Excel, and PowerPoint follows a setup similar to configuring DLP policies for other workloads. From the Purview compliance portal, you can configure the DLP policy for a specific sensitivity label at a file, group, site, and/or user level. If you have already enabled a DLP for M365 Copilot policy with the ongoing DLP for M65 Copilot Chat preview, no further action is needed – the policy will automatically begin to apply in Word, Excel, and PowerPoint Copilot experiences. In this preview, our focus is on ensuring reliability, performance, and seamless integration with the Office apps you use every day. We’ll continue to refine the user experience as we move toward general availability, including improvements to error messages and user guidance for each scenario. Join the Preview This public preview reflects our ongoing commitment to deliver robust data protection for AI-powered workflows. By extending the same DLP principles you trust to Word, Excel, and PowerPoint, we’re empowering you to embrace AI confidently without sacrificing control over your organization’s most valuable information. We invite you to start testing these capabilities in your environment. Your feedback is invaluable to us – we encourage all customers to share their experiences and insights, helping shape the next evolution of DLP for M365 Copilot in Office.How to use DSPM for AI Data Risk Assessment to Address Internal Oversharing
Background Oversharing and data leak risks may occur with or without GenAI use. However, leaders are concerned that GenAI tools might grant faster access to content with incorrect permissions, making these files easier to locate. Oversharing occurs when an employee has access to information beyond what is necessary to do their jobs. It often happens accidentally, for example if a user saves sensitive files to a SharePoint site without realizing everyone has access to that location. It could also happen when people share files too broadly (e.g. everyone in the organization sharing a link). Or it can happen when files lack protection regardless of location. Microsoft Purview Data Security for Posture Management (DSPM) for AI’s Data Risk Assessment helps to address oversharing by allowing security teams to scan files containing sensitive data and identifying data repositories such as SharePoint sites with overly permissive user access. It provides visibility into overshared content, risk assessment, remediation actions, and detailed reports. Introduction Purview Data Security Posture Management for AI (DSPM for AI)’s Data Risk Assessment is for you if you: Are an existing Microsoft 365 Copilot customer, or someone wanting to deploy Microsoft 365 Copilot: or Want to address oversharing but have not yet deployed Microsoft 365 Copilot. Prerequisites Please refer to the prerequisites for DSPM for AI in the Microsoft Learn Docs. Log in to the Purview portal To begin, start by logging into Microsoft 365 Purview portal with your admin credentials: In the Microsoft Purview portal, go to the Home page. Find DSPM for AI under solutions. Head to Purview DSPM for AI -> Data Assessment. The Data Assessments tool identifies potential oversharing risks in your organization. It also provides fixes to limit access to sensitive data. As shown on the Data Risk Assessment landing page, there are two types of assessments: A Default Assessment. This assessment runs automatically every week. Custom Assessments. This assessment is user-triggered. This blog will focus on the Default assessment and will not cover Custom assessments. The Default assessment will run automatically weekly. Additionally, the Default assessment runs weekly and targets the top 100 SharePoint sites based on usage. Default assessment Next, click the View details button for the Default data risk assessment report on the Overview page. In the Oversharing Assessment for the week page, locate the visual reports bar. The visual reports bar provides a general overview of, Assessment details, which includes: Description. Top 100 accessed SharePoint sites by usage. Last updated, next updated, and frequency. Frequency of updates for the default assessment. Total items - a visual graph of the number of items scanned and/or not scanned for sensitive information types (SITs). Sensitivity labels on data – a visual graph that includes, The number of labeled SITs detected and not detected. The number of Not labeled SITs detected and not detected. The number of data not scanned. Items shared with – a visual graph that includes the number of links, Shared with anyone. Shared organization wide. Shared with specific people. Shared outside your organization. The following data points may indicate that oversharing has occurred in the tenant: Large amount of data not scanned. Large amount of data containing SITs but not labeled. Large amount of data shared externally. Site-specific data Next, locate the list of sites (Data source ID) and their info on the table below the visual reports bar, which includes information on: Source type Total items Total items accessed Times users accessed items Unique users accessing items Total Sensitive items Total scanned items Total unscanned items Items shared with Scroll through the list and identify potential sites that may contain oversharing based on the knowledge of whether the site is private or public, and the possible conditions below: A private site that is being shared externally based on sharing links info. A private site that has a high level of documents being shared outside of the org based on a high level of total items accessed and/or unique users accessed and/or times users accessed. A public site that has a high level of sensitive items based on total sensitive items count. A site that has a high level of total unscanned items. By clicking on the Export button, you can export the Data source IDs to an Excel, CSV, JSON, and TSV file. The rollout of the export capability has started and will be complete by end of the week (week of April 28, 2025). Secure and Govern Each Site Click into each site of interest, or sites may have potential oversharing, to review the site info in the flyout panel. Overview – provides an overview of the details for the site. Data source details – provides details of where the data comes from (i.e. SharePoint) and its corresponding URL Data coverage – displays the total items scanned in the site that are either: Labeled and SITs detected, or No SITs detected Not labeled and SITs detected, or No SITs detected *Data points that may indicate that oversharing has occurred in the tenant: 1. Lots of unscanned documents. 2. Lots of documents that contain SITs but not labeled. Identify – scans your data for sensitive information. Use Microsoft Purview On-demand classification data scan to scan for sensitive information for all content in this site. Microsoft Purview On-demand classification data scan is a feature to help discover and classify sensitive content in historical data across Microsoft 365. Protect – provides remediation actions that you can take to address internal oversharing: Limit Microsoft 365 Copilot access to this site - Restrict access or block processing of certain content in SharePoint - you can choose two methods of how Copilot accesses data in SharePoint: Restrict access by label – Block processing of content with a specific sensitivity label using Purview Data Loss Prevention (DLP) policy for Copilot Restrict all items – Restrict access to site(s) using SharePoint Advanced Management (SAM) restricted content discovery (RCD) Other labeling policies - Create sensitivity label taxonomy and publish labels to SharePoint via: Default sensitivity label for SharePoint document library Default labels – setup default labels to label all new items by default using sensitivity labels. Sensitive information auto-labeling policy - Use auto-labeling policies based on sensitive content or keywords. You can click View items to view the files with SITs. SharePoint site sensitivity label to apply a sensitivity container label to the site. Review unused files - Protect sensitive data from oversharing by deleting unused files with Purview Data Lifecycle Management (DLM) retention policies. Monitor – Ongoing access monitoring Run a site access review This section displays the number of sites: Shared with anyone. Shared organization wide. Shared with specific people. Shared externally. You can then run a SharePoint site access review using SAM Run an access review through Microsoft Entra to make sure access granted is up to date. Conclusion In this blog, we explored the concept of oversharing and its implications in collaborative environments. We discussed how Microsoft Purview DSPM for AI Data Risk Assessments can help identify and mitigate risks associated with sensitive data. Additionally, this blog provided a detailed guide on using the Data Risk Assessments tool, focusing on the Default assessment, which runs automatically every week. We covered how to interpret the visual reports and identify potential oversharing risks based on various data points. Additionally, we outlined steps to secure and govern each site, including remediation actions and access monitoring. For detailed guidance on all Purview + SAM features to address oversharing, please reference the oversharing blueprint - https://aka.ms/Copilot/Oversharing. Be sure to also check out the blog on How to deploy DSPM for AI to secure and govern all types of AI, including Microsoft Copilot experiences, Enterprise AI apps, and other AI apps! Resources Address oversharing concerns with Microsoft 365 blueprint - aka.ms/Copilot/Oversharing Public webinar on oversharing - Secure AI: Practical Steps for Addressing Oversharing Concerns Microsoft Purview data security and compliance protections for Microsoft 365 Copilot and other generative AI apps | Microsoft Learn Considerations for deploying Microsoft Purview AI Hub and data security and compliance protections for Microsoft 365 Copilot and Microsoft Copilot | Microsoft Learn Downloadable whitepaper - Data Security for AI Adoption | Microsoft Public roadmap for DSPM for AI - Microsoft 365 Roadmap | Microsoft 365How to deploy Microsoft Purview DSPM for AI to secure your AI apps
Microsoft Purview Data Security Posture Management (DSPM for AI) is designed to enhance data security for the following AI applications: Microsoft Copilot experiences, including Microsoft 365 Copilot. Enterprise AI apps, including ChatGPT enterprise integration. Other AI apps, including all other AI applications like ChatGPT consumer, Microsoft Copilot, DeepSeek, and Google Gemini, accessed through the browser. In this blog, we will dive into the different policies and reporting we have to discover, protect and govern these three types of AI applications. Prerequisites Please refer to the prerequisites for DSPM for AI in the Microsoft Learn Docs. Login to the Purview portal To begin, start by logging into Microsoft 365 Purview portal with your admin credentials: In the Microsoft Purview portal, go to the Home page. Find DSPM for AI under solutions. 1. Securing Microsoft 365 Copilot Be sure to check out our blog on How to use the DSPM for AI data assessment report to help you address oversharing concerns when you deploy Microsoft 365 Copilot. Discover potential data security risks in Microsoft 365 Copilot interactions In the Overview tab of DSPM for AI, start with the tasks in “Get Started” and Activate Purview Audit if you have not yet activated it in your tenant to get insights into user interactions with Microsoft Copilot experiences In the Recommendations tab, review the recommendations that are under “Not Started”. Create the following data discovery policies to discover sensitive information in AI interactions by clicking into each of them and select “Create policies”. Detect risky interactions in AI apps - This public preview Purview Insider Risk Management policy helps calculate user risk by detecting risky prompts and responses in Microsoft 365 Copilot experiences. Click here to learn more about Risky AI usage policy. With the policies to discover sensitive information in Microsoft Copilot experiences in place, head back to the Reports tab of DSPM for AI to discover any AI interactions that may be risky, with the option to filter to Microsoft Copilot Experiences, and review the following for Microsoft Copilot experiences: Total interactions over time (Microsoft Copilot) Sensitive interactions per AI app Top unethical AI interactions Top sensitivity labels references in Microsoft 365 Copilot Insider Risk severity Insider risk severity per AI app Potential risky AI usage Protect sensitive data in Microsoft 365 Copilot interactions From the Reports tab, click on “View details” for each of the report graphs to view detailed activities in the Activity Explorer. Using available filters, filter the results to view activities from Microsoft Copilot experiences based on different Activity type, AI app category and App type, Scope, which support administrative units for DSPM for AI, and more. Then drill down to each activity to view details including the capability to view prompts and response with the right permissions. To protect the sensitive data in interactions for Microsoft 365 Copilot, review the Not Started policies in the Recommendations tab and create these policies: Information Protection Policy for Sensitivity Labels - This option creates default sensitivity labels and sensitivity label policies. If you've already configured sensitivity labels and their policies, this configuration is skipped. Protect sensitive data referenced in Microsoft 365 Copilot - This guides you through the process of creating a Purview Data Loss Prevention (DLP) policy to restrict the processing of content with specific sensitivity labels in Copilot interactions. Click here to learn more about Data Loss Prevention for Microsoft 365 Copilot. Protect sensitive data referenced in Copilot responses - Sensitivity labels help protect files by controlling user access to data. Microsoft 365 Copilot honors sensitivity labels on files and only shows users files they already have access to in prompts and responses. Use Data assessments to identify potential oversharing risks, including unlabeled files. Stay tuned for an upcoming blog post on using DSPM for AI data assessments! Use Copilot to improve your data security posture - Data Security Posture Management combines deep insights with Security Copilot capabilities to help you identify and address security risks in your org. Once you have created policies from the Recommendations tab, you can go to the Policies tab to review and manage all the policies you have created across your organization to discover and safeguard AI activity in one centralized place, as well as edit the policies or investigate alerts associated with those policies in solution. Note that additional policies not from the Recommendations tab will also appear in the Policies tab when DSPM for AI identifies them as policies to Secure and govern all AI apps. Govern the prompts and responses in Microsoft 365 Copilot interactions Understand and comply with AI regulations by selecting “Guided assistance to AI regulations” in the Recommendations tab and walking through the “Actions to take”. From the Recommendations tab, create a Control unethical behavior in AI Purview Communications Compliance policy to detect sensitive information in prompts and responses and address potentially unethical behavior in Microsoft Copilot experiences and ChatGPT for Enterprise. This policy covers all users and groups in your organization. To retain and/or delete Microsoft 365 Copilot prompts and responses, setup a Data Lifecycle policy by navigating to Microsoft Purview Data Lifecycle Management and find Retention Policies under the Policies header. You can also preserve, collect, analyze, review, and export Microsoft 365 Copilot interactions by creating an eDiscovery case. 2. Securing Enterprise AI apps Please refer to this amazing blog on Unlocking the Power of Microsoft Purview for ChatGPT Enterprise | Microsoft Community Hub for detailed information on how to integrate with ChatGPT for enterprise, the Purview solutions it currently supports through Purview Communication Compliance, Insider Risk Management, eDiscovery, and Data Lifecycle Management. Learn more about the feature also through our public documentation. 3. Securing other AI Microsoft Purview DSPM for AI currently supports the following list of AI sites. Be sure to also check out our blog on the new Microsoft Purview data security controls for the browser & network to secure other AI apps. Discover potential data security risks in prompts sent to other AI apps In the Overview tab of DSPM for AI, go through these three steps in “Get Started” to discover potential data security risk in other AI interactions: Install Microsoft Purview browser extension For Windows users: The Purview extension is not necessary for the enforcement of data loss prevention on the Edge browser but required for Chrome to detect sensitive info pasted or uploaded to AI sites. The extension is also required to detect browsing to other AI sites through an Insider Risk Management policy for both Edge and Chrome browser. Therefore, Purview browser extension is required for both Edge and Chrome in Windows. For MacOS users: The Purview extension is not necessary for the enforcement of data loss prevention on macOS devices, and currently, browsing to other AI sites through Purview Insider Risk Management is not supported on MacOS, therefore, no Purview browser extension is required for MacOS. Extend your insights for data discovery – this one-click collection policy will setup three separate Purview detection policies for other AI apps: Detect sensitive info shared in AI prompts in Edge – a Purview collection policy that detects prompts sent to ChatGPT consumer, Micrsoft Copilot, DeepSeek, and Google Gemini in Microsoft Edge and discovers sensitive information shared in prompt contents. This policy covers all users and groups in your organization in audit mode only. Detect when users visit AI sites – a Purview Insider Risk Management policy that detects when users use a browser to visit AI sites. Detect sensitive info pasted or uploaded to AI sites – a Purview Endpoint Data loss prevention (eDLP) policy that discovers sensitive content pasted or uploaded in Microsoft Edge, Chrome, and Firefox to AI sites. This policy covers all users and groups in your org in audit mode only. With the policies to discover sensitive information in other AI apps in place, head back to the Reports tab of DSPM for AI to discover any AI interactions that may be risky, with the option to filter by Other AI Apps, and review the following for other AI apps: Total interactions over time (other AI apps) Total visits (other AI apps) Sensitive interactions per AI app Insider Risk severity Insider risk severity per AI app Protect sensitive info shared with other AI apps From the Reports tab, click on “View details” for each of the report graphs to view detailed activities in the Activity Explorer. Using available filters, filter the results to view activities based on different Activity type, AI app category and App type, Scope, which support administrative units for DSPM for AI, and more. To protect the sensitive data in interactions for other AI apps, review the Not Started policies in the Recommendations tab and create these policies: Fortify your data security – This will create three policies to manage your data security risks with other AI apps: 1) Block elevated risk users from pasting or uploading sensitive info on AI sites – this will create a Microsoft Purview endpoint data loss prevention (eDLP) policy that uses adaptive protection to give a warn-with-override to elevated risk users attempting to paste or upload sensitive information to other AI apps in Edge, Chrome, and Firefox. This policy covers all users and groups in your org in test mode. Learn more about adaptive protection in Data loss prevention. 2) Block elevated risk users from submitting prompts to AI apps in Microsoft Edge – this will create a Microsoft Purview browser data loss prevention (DLP) policy, and using adaptive protection, this policy will block elevated, moderate, and minor risk users attempting to put information in other AI apps using Microsoft Edge. This integration is built-in to Microsoft Edge. Learn more about adaptive protection in Data loss prevention. 3) Block sensitive info from being sent to AI apps in Microsoft Edge - this will create a Microsoft Purview browser data loss prevention (DLP) policy to detect inline for a selection of common sensitive information types and blocks prompts being sent to AI apps while using Microsoft Edge. This integration is built-in to Microsoft Edge. Once you have created policies from the Recommendations tab, you can go to the Policies tab to review and manage all the policies you have created across your organization to discover and safeguard AI activity in one centralized place, as well as edit the policies or investigate alerts associated with those policies in solution. Note that additional policies not from the Recommendations tab will also appear in the Policies tab when DSPM for AI identifies them as policies to Secure and govern all AI apps. Conclusion Microsoft Purview DSPM for AI can help you discover, protect, and govern the interactions from AI applications in Microsoft Copilot experiences, Enterprise AI apps, and other AI apps. We recommend you review the Reports in DSPM for AI routinely to discover any new interactions that may be of concern, and to create policies to secure and govern those interactions as necessary. We also recommend you utilize the Activity Explorer in DSPM for AI to review different Activity explorer events while users interacting with AI, including the capability to view prompts and response with the right permissions. We will continue to update this blog with new features that become available in DSPM for AI, so be sure to bookmark this page! Follow-up Reading Check out this blog on the details of each recommended policies in DSPM for AI: Microsoft Purview – Data Security Posture Management (DSPM) for AI | Microsoft Community Hub Address oversharing concerns with Microsoft 365 blueprint - aka.ms/Copilot/Oversharing Microsoft Purview data security and compliance protections for Microsoft 365 Copilot and other generative AI apps | Microsoft Learn Considerations for deploying Microsoft Purview AI Hub and data security and compliance protections for Microsoft 365 Copilot and Microsoft Copilot | Microsoft Learn Commonly used properties in Copilot audit logs - Audit logs for Copilot and AI activities | Microsoft Learn Supported AI sites by Microsoft Purview for data security and compliance protections | Microsoft Learn Where Copilot usage data is stored and how you can audit it - Microsoft 365 Copilot data protection and auditing architecture | Microsoft Learn Downloadable whitepaper: Data Security for AI Adoption | Microsoft Public roadmap for DSPM for AI - Microsoft 365 Roadmap | Microsoft 365
New Purview pricing options for protecting AI apps and agents
AI innovation is impacting every industry, business process, and individual. About 75% of knowledge workers today are currently using some sort of AI in their day to day [Work Trends Index] At the same time, the regulatory landscape is evolving at an unprecedented pace. Around the world, at least 69 countries have proposed more than 1,000 AI-related policy initiatives and legal frameworks to address public concerns around AI safety and governance [AI Regulations Around the World 2025]. Microsoft Purview offers integrated data security, governance, and compliance solutions for the era of AI—helping reduce risk and complexities, increase team productivity, and improve overall data security, governance and regulatory compliance. To help customers effectively secure and govern data in the era of AI, the Microsoft Purview business model is evolving to keep pace with where your data lives, flows, and is accessed. This evolution offers a mix of entitlement (per-user-per-month, PUPM) and consumptive (pay-as-you-go, PAYG) options to best meet your needs in this ever-changing technology environment. Purview capability was born in a world where data usage was closely associated with the users who accessed that data. This close association of data and user created a logical alignment with the traditional PUPM model – Microsoft 365 ME5 or Microsoft 365 E5 Compliance licensing options, as examples. As technology changes how data is accessed and used through its lifecycle, our business model needs to be purpose-built to ensure you have the right model for the right use. More specifically, data must be protected as it moves through networks, DataOps, data pipelines, application architectures, and more urgently, into and through your AI models + agents. Additionally, you need value that goes beyond protection and offers AI-based visibility, alerts, and actions. Collectively, these new scenarios are less user-oriented and more compute-dependent which gives you more flexibility to only pay for what you use based on the volume or complexity of your data estate or compute needs. On May 1, 2025, Purview will introduce a set of new PAYG meters optimized to help your data as it moves across networks and through GenAI applications. These new PAYG meters join the existing PAYG meters for Purview data governance and initial set of data security meters which were activated January 6, 2025. The new Purview meters are as follows with corresponding prices noted in USD: Category SKU PAYG Model Price Data Security In Transit Protection (Information Protection and Data Loss Prevention) 10K requests $0.5 Insider Risk Management 10K events $25 Data Compliance Audit Standard* 1M Audit records ingested $15 Data Lifecycle Management Premium 1M text messages / month $6 eDiscovery Premium GBs stored / month $20 Communication Compliance Standard 1M text records $300 Communication Compliance Premium 1M text records $500 *Note: Standard Audit will be billed under the PAYG model for third-party AI applications, like ChatGPT Enterprise. All Microsoft first party applications such as Microsoft 365 applications, Fabric, and Microsoft first party AI apps like Microsoft 365 Copilot, Security Copilot or AI applications custom-built using Copilot Studio are inclusive of Audit Standard. Audit Standard will retain audit records for 180 days. Customers using Purview value in the following scenarios will activate one or more of the new meters and will accrue charges on the Azure subscription linked to your Microsoft 365 tenant. If you do not have a linked Azure subscription to your Microsoft 365 tenant these metered capabilities will stop working on June 30, 2025. Applicable AI app use cases Customers using Purview preview capabilities with the following AI scenarios will be subject to relevant meters. Customers using Purview preview capabilities with the following AI scenarios will be subject to relevant meters. For more information, please visit the Purview consumption pricing page as of May 1, 2025 or contact your Microsoft representative.
Unlocking the Power of Microsoft Purview for ChatGPT Enterprise
In today's rapidly evolving technology landscape, data security and compliance are key. Microsoft Purview offers a robust solution for managing and securing interactions with AI based solutions. This integration not only enhances data governance but also ensures that sensitive information is handled with the appropriate controls. Let's dive into the benefits of this integration and outline the steps to integrate with ChatGPT Enterprise in specific. The integration works for Entra connected users on the ChatGPT workspace, if you have needs that goes beyond this, please tell us why and how it impacts you. Important update 1: Effective May 1, these capabilities require you to enable pay-as-you-go billing in your organization. Important update 2: From May 19, you are required to create a collection policy to ingest ChatGPT Enterprise information. In DSPM for AI you will find this one click process. Benefits of Integrating ChatGPT Enterprise with Microsoft Purview Enhanced Data Security: By integrating ChatGPT Enterprise with Microsoft Purview, organizations can ensure that interactions are securely captured and stored within their Microsoft 365 tenant. This includes user text prompts and AI app text responses, providing a comprehensive record of communications. Compliance and Governance: Microsoft Purview offers a range of compliance solutions, including Insider Risk Management, eDiscovery, Communication Compliance, and Data Lifecycle & Records Management. These tools help organizations meet regulatory requirements and manage data effectively. Customizable Detection: The integration allows for the detection of built in can custom classifiers for sensitive information, which can be customized to meet the specific needs of the organization. To help ensures that sensitive data is identified and protected. The audit data streams into Advanced Hunting and the Unified Audit events that can generate visualisations of trends and other insights. Seamless Integration: The ChatGPT Enterprise integration uses the Purview API to push data into Compliant Storage, ensuring that external data sources cannot access and push data directly. This provides an additional layer of security and control. Step-by-Step Guide to Setting Up the Integration 1. Get Object ID for the Purview account in Your Tenant: Go to portal.azure.com and search for "Microsoft Purview" in the search bar. Click on "Microsoft Purview accounts" from the search results. Select the Purview account you are using and copy the account name. Go to portal.azure.com and search for “Enterprise" in the search bar. Click on Enterprise applications. Remove the filter for Enterprise Applications Select All applications under manage, search for the name and copy the Object ID. 2. Assign Graph API Roles to Your Managed Identity Application: Assign Purview API roles to your managed identity application by connecting to MS Graph utilizing Cloud Shell in the Azure portal. Open a PowerShell window in portal.azure.com and run the command Connect-MgGraph. Authenticate and sign in to your account. Run the following cmdlet to get the ServicePrincipal ID for your organization for the Purview API app. (Get-MgServicePrincipal -Filter "AppId eq '9ec59623-ce40-4dc8-a635-ed0275b5d58a'").id This command provides the permission of Purview.ProcessConversationMessages.All to the Microsoft Purview Account allowing classification processing. Update the ObjectId to the one retrieved in step 1 for command and body parameter. Update the ResourceId to the ServicePrincipal ID retrieved in the last step. $bodyParam= @{ "PrincipalId"= "{ObjectID}" "ResourceId" = "{ResourceId}" "AppRoleId" = "{a4543e1f-6e5d-4ec9-a54a-f3b8c156163f}" } New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId '{ObjectId}' -BodyParameter $bodyParam It will look something like this from the command line We also need to add the permission for the application to read the user accounts to correctly map the ChatGPT Enterprise user with Entra accounts. First run the following command to get the ServicePrincipal ID for your organization for the GRAPH app. (Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'").id The following step adds the permission User.Read.All to the Purview application. Update the ObjectId with the one retrieved in step 1. Update the ResourceId with the ServicePrincipal ID retrieved in the last step. $bodyParam= @{ "PrincipalId"= "{ObjectID}" "ResourceId" = "{ResourceId}" "AppRoleId" = "{df021288-bdef-4463-88db-98f22de89214}" } New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId '{ObjectId}' -BodyParameter $bodyParam 3. Store the ChatGPT Enterprise API Key in Key Vault The steps for setting up Key vault integration for Data Map can be found here Create and manage credentials for scans in the Microsoft Purview Data Map | Microsoft Learn When setup you will see something like this in Key vault. 4. Integrate ChatGPT Enterprise Workspace to Purview: Create a new data source in Purview Data Map that connects to the ChatGPT Enterprise workspace. Go to purview.microsoft.com and select Data Map, search if you do not see it on the first screen. Select Data sources Select Register Search for ChatGPT Enterprise and select Provide your ChatGPT Enterprise ID Create the first scan by selecting Table view and filter on ChatGPT Add your key vault credentials to the scan Test the connection and once complete click continue When you click continue the following screen will show up, if everything is ok click Save and run. Validate the progress by clicking on the name, completion of the first full scan may take an extended period of time. Depending on size it may take more than 24h to complete. If you click on the scan name you expand to all the runs for that scan. When the scan completes you can start to make use of the DSPM for AI experience to review interactions with ChatGPT Enterprise. The mapping to the users is based on the ChatGPT Enterprise connection to Entra, with prompts and responses stored in the user's mailbox. 5. Review and Monitor Data: Please see this article for required permissions and guidance around Microsoft Purview Data Security Posture Management (DSPM) for AI, Microsoft Purview data security and compliance protections for Microsoft 365 Copilot and other generative AI apps | Microsoft Learn Use Purview DSPM for AI analytics and Activity Explorer to review interactions and classifications. You can expand on prompts and responses in ChatGPT Enterprise 6. Microsoft Purview Communication Compliance Communication Compliance (here after CC) is a feature of Microsoft Purview that allows you to monitor and detect inappropriate or risky interactions with ChatGPT Enterprise. You can monitor and detect requests and responses that are inappropriate based on ML models, regular Sensitive Information Types, and other classifiers in Purview. This can help you identify Jailbreak and Prompt injection attacks and flag them to IRM and for case management. Detailed steps to configure CC policies and supported configurations can be found here. 7. Microsoft Purview Insider Risk Management We believe that Microsoft Purview Insider Risk Management (here after IRM) can serve a key role in protecting your AI workloads long term. With its adaptive protection capabilities, IRM dynamically adjusts user access based on evolving risk levels. In the event of heightened risk, IRM can enforce Data Loss Prevention (DLP) policies on sensitive content, apply tailored Entra Conditional Access policies, and initiate other necessary actions to effectively mitigate potential risks. This strategic approach will help you to apply more stringent policies where it matters avoiding a boil the ocean approach to allow your team to get started using AI. To get started use the signals that are available to you including CC signals to raise IRM tickets and enforce adaptive protection. You should create your own custom IRM policy for this. Do include Defender signals as well. Based on elevated risk you may select to block users from accessing certain assets such as ChatGPT Enterprise. Please see this article for more detail Block access for users with elevated insider risk - Microsoft Entra ID | Microsoft Learn. 8. eDiscovery eDiscovery of AI interactions is crucial for legal compliance, transparency, accountability, risk management, and data privacy protection. Many industries must preserve and discover electronic communications and interactions to meet regulatory requirements. Including AI interactions in eDiscovery ensures organizations comply with these obligations and preserves relevant evidence for litigation. This process also helps maintain trust by enabling the review of AI decisions and actions, demonstrating due diligence to regulators. Microsoft Purview eDiscovery solutions | Microsoft Learn 9. Data Lifecycle Management Microsoft Purview offers robust solutions to manage AI data from creation to deletion, including classification, retention, and secure disposal. This ensures that AI interactions are preserved and retrievable for audits, litigation, and compliance purposes. Please see this article for more information Automatically retain or delete content by using retention policies | Microsoft Learn. Closing By following these steps, organizations can leverage the full potential of Microsoft Purview to enhance the security and compliance of their ChatGPT Enterprise interactions. This integration not only provides peace of mind but also empowers organizations to manage their data more effectively. We are still in preview some of the features listed are not fully integrated, please reach out to us if you have any questions or if you have additional requirements.Getting started with the eDiscovery APIs
The Microsoft Purview APIs for eDiscovery in Microsoft Graph enable organizations to automate repetitive tasks and integrate with their existing eDiscovery tools to build repeatable workflows that industry regulations might require. Before you can make any calls to the Microsoft Purview APIs for eDiscovery you must first register an app in the Microsoft’s Identity Platform, Entra ID. An app can access data in two ways: Delegated Access: an app acting on behalf of a signed-in user App-only access: an app action with its own identity For more information on access scenarios see Authentication and authorization basics. This article will demonstrate how to configure the required pre-requisites to enable access to the Microsoft Purview APIs for eDiscovery. This will based on using app-only access to the APIs, using either a client secret or a self-signed certificate to authenticate the requests. The Microsoft Purview APIs for eDiscovery have two separate APIs, they are: Microsoft Graph: Part of the Microsoft.Graph.Security namespace and used for working with Microsoft Purview eDiscovery Cases. MicrosoftPurviewEDiscovery: Used exclusively to download programmatically the export package created by a Microsoft Purview eDiscovery Export job. Currently, the eDiscovery APIs in Microsoft Graph only work with eDiscovery (Premium) cases. For a list of supported API calls within the Microsoft Graph calls, see Use the Microsoft Purview eDiscovery API. Microsoft Graph API Pre-requisites Implementing app-only access involves registering an app in Azure portal, creating client secret/certificates, assigning API permissions, setting up a service principal, and then using app-only access to call Microsoft Graph APIs. To register an app, create client secret/certificates and assign API permissions the account must be at least a Cloud Application Administrator. For more information on registering an app in the Azure portal, see Register an application with the Microsoft identity platform. Granting tenant-wide admin consent for Microsoft Purview eDiscovery API application permissions requires you to sign in as a user that is authorized to consent on behalf of the organization, see Grant tenant-wide admin consent to an application. Setting up a service principal requires the following pre-requisites: A machine with the ExchangeOnlineManagement module installed An account that has the Role Management role assigned in Microsoft Purview, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview Configuration steps For detailed steps on implementing app-only access for Microsoft Purview eDiscovery, see Set up app-only access for Microsoft Purview eDiscovery. Connecting to Microsoft Graph API using app-only access Use the Connect-MgGraph cmdlet in PowerShell to authenticate and connect to Microsoft Graph using the app-only access method. This cmdlets enables your app to interact with Microsoft Graph securely and enables you to explore the Microsoft Purview eDiscovery APIs. Connecting via client secret To connect using a client secret, update and run the following example PowerShell code. $clientSecret = "<client secret>" ## Update with client secret added to the registered app $appID = "<APP ID>" ## Update with Application ID of registered/Enterprise app $tenantId = "<Tenant ID>" ## Update with tenant ID $ClientSecretPW = ConvertTo-SecureString "$clientSecret" -AsPlainText -Force $clientSecretCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("$appID", $clientSecretPW) Connect-MgGraph -TenantId "$tenantId" -ClientSecretCredential $clientSecretCred Connecting via certificate To connect using a certificate, update and run the following example PowerShell code. $certPath = "Cert:\currentuser\my\<xxxxxxxxxx>" ## Update with the cert thumbnail $appID = "<APP ID>" ## Update with Application ID of registered/Enterprise app $tenantId = "<Tenant ID>" ## Update with tenant ID $ClientCert = Get-ChildItem $certPath Connect-MgGraph -TenantId $TenantId -ClientId $appId -Certificate $ClientCert Invoke Microsoft Graph API calls Once connected you can start making calls to the Microsoft Graph API. For example, lets look at listing the eDiscovery cases within the tenant, see List ediscoveryCases. Within the documentation, for each operation it will list the following information: Permissions required to make the API call HTTP request and method Request header and body information Response Examples (HTTP, C#, CLI, Go, Java, PHP, PowerShell, Python) As we are connected via the Microsoft Graph PowerShell module we can either use the HTTP or the eDiscovery specific cmdlets within the Microsoft Graph PowerShell module. First let’s look at the PowerShell cmdlet example. As you can see it returns a list of all the cases within the tenant. When delving deeper into a case it is important to record the Case ID as you will use this in future calls. Then we can look at the HTTP example, we will use the Invoke-MgGraphRequest cmdlet to make the call via PowerShell. First we need to store the URL in a variable as below. $uri = "https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases" Then we will use the Invoke-MgGraphRequest cmdlet to make the API call. Invoke-MgGraphRequest -Method Get -Uri $uri As you can see from the output below, we need to extract the values from the returned response. This can be done by saving the Value elements of the response to a new variable using the following command. $cases = (Invoke-MgGraphRequest -Method Get -Uri $uri).value This returns a collection of Hashtables; optionally you can run a small bit of PowerShell code to convert the hash tables into PS Objects for easier use with cmdlets such as format-table and format-list. $CasesAsObjects = @() foreach($i in $cases) {$CasesAsObjects += [pscustomobject]$i} MicrosoftPurviewEDiscovery API You can also configure the MicrosoftPurviewEDiscovery API to enable the programmatic download of export packages and the item report from an export job in a Microsoft Purview eDiscovery case. Pre-requisites Prior to executing the configuration steps in this section it is assumed that you have completed and validated the configuration detailed in the Microsoft Graph API section. The previously registered app in Entra ID will be extended to include the required permissions to achieve programmatic download of the export package. This already provides the following pre-requisites: Registered App in Azure portal configured with the appropriate client secret/certificate Service principal in Microsoft Purview assigned the relevant eDiscovery roles Microsoft eDiscovery API permissions configured for the Microsoft Graph To extend the existing registered apps API permissions to enable programmatic download, the following steps must be completed Registering a new Microsoft Application and service principal in the tenant Assign additional API permissions to the previously registered app in the Azure Portal Granting tenant-wide admin consent for Microsoft Purview eDiscovery APIs application permissions requires you to sign in as a user that is authorized to consent on behalf of the organization, see Grant tenant-wide admin consent to an application. Configuration steps Step 1 – Register the MicrosoftPurviewEDiscovery app in Entra ID First validate that the MicrosoftPurviewEDiscovery app is not already registered by logging into the Azure Portal and browsing to Microsoft Entra ID > Enterprise Applications. Change the application type filter to show Microsoft Applications and in the search box enter MicrosoftPurviewEDiscovery. If this returns a result as below, move to step 2. If the search returns no results as per the example below, proceed with registering the app in Entra ID. The Microsoft.Graph PowerShell Module can be used to register the MicrosoftPurviewEDiscovery App in Entra ID, see Install the Microsoft Graph PowerShell SDK. Once installed on a machine, run the following cmdlet to connect to the Microsoft Graph via PowerShell. Connect-MgGraph -scopes "Application.ReadWrite.All" If this is the first time using the Microsoft.Graph PowerShell cmdlets you may be prompted to consent to the following permissions. To register the MicrosoftPurviewEDiscovery app, run the following PowerShell commands. $spId = @{"AppId" = "b26e684c-5068-4120-a679-64a5d2c909d9" } New-MgServicePrincipal -BodyParameter $spId; Step 2 – Assign additional MicrosoftPurviewEDiscovery permissions to the registered app Now that the Service Principal has been added you can update the permissions on your previously registered app created in the Microsoft Graph API section of this document. Log into the Azure Portal and browse to Microsoft Entra ID > App Registrations. Find and select the app you created in the Microsoft Graph API section of this document. Select API Permissions from the navigation menu. Select Add a permission and then APIs my organization uses. Search for MicrosoftPurviewEDiscovery and select it. Then select Application Permissions and select the tick box for eDiscovery.Download.Read before selecting Add Permissions. You will be returned to the API permissions screen, now you must select Grant Admin Consent.. to approve the newly added permissions. User.Read Microsoft Graph API permissions have been added and admin consent granted. It also shows that the eDiscovery.Download.Read MicrosoftPurviewEDiscovery API application permissions have been added but admin consent has not yet been granted. Once admin consent is granted you will see the Status of the newly added permissions update to Granted for... Downloading the export packages and reports Retrieving the case ID and export Job ID To successfully download the export packages and reports of an export job in an eDiscovery case, you must first retrieve the case ID and the operation/job ID for the export job. To gather this information via the Purview Portal you can open the eDiscovery Case, locate the export job and select Copy support information before pasting this information into Notepad. , case ID, job ID, job state, created by, created timestamp, completed timestamp and support information generation time. To access this information programmatically you can make the following Graph API calls to locate the case ID and the job ID you wish to export. First connect to the Microsoft Graph using the steps detailed in the previous section titled "Connecting to Microsoft Graph API using app-only access" Using the eDiscovery Graph PowerShell Cmdlets you can use the following command if you know the case name. Get-MgSecurityCaseEdiscoveryCase | where {$_.displayname -eq "<Name of case>"} Once you have the case ID you can look up the operations in the case to identify the job ID for the export using the following command. Get-MgSecurityCaseEdiscoveryCaseOperation -EdiscoveryCaseId "<case ID>" Export jobs will either be logged under an action of exportResult (direct export) or ContentExport (export from review set). The name of the export jobs are not returned by this API call, to find the name of the export job you must query the specific operation ID. This can be achieved using the following command. Get-MgSecurityCaseEdiscoveryCaseOperation -EdiscoveryCaseId "<case ID>" -CaseOperationId “<operation ID>” The name of the export operation is contained within the property AdditionalProperties. If you wish to make the HTTP API calls directly to list cases in the tenant, see List ediscoveryCases - Microsoft Graph v1.0 | Microsoft Learn. If you wish to make the HTTP API calls directly to list the operations for a case, see List caseOperations - Microsoft Graph v1.0 | Microsoft Learn. You will need to use the Case ID in the API call to indicate which case you wish to list the operations from. For example: https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/<CaseID>/operations/ The name of the export jobs are not returned with this API call, to find the name of the export job you must query the specific job ID. For example: https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/<CaseID>/operations/<OperationID> Downloading the Export Package Retrieving the download URLs for export packages The URL required to download the export packages and reports are contained within a property called exportFileMetaData. To retrieve this information we need to know the case ID of the eDiscovery case that the export job was run in, as well as the operation ID for the export job. Using the eDiscovery Graph PowerShell Cmdlets you can retrieve this property use the following commands. $Operation = Get-MgSecurityCaseEdiscoveryCaseOperation -EdiscoveryCaseId "<case ID>" -CaseOperationId “<operation ID>” $Operation.AdditionalProperties.exportFileMetadata If you wish to make the HTTP API calls directly to return the exportFileMetaData for an operation, see List caseOperations - Microsoft Graph v1.0 | Microsoft Learn. For each export package visible in the Microsoft Purview Portal there will be an entry in the exportFileMetaData property. Each entry will list the following: The export package file name The downloadUrl to retrieve the export package The size of the export package Example scripts to download the Export Package As the MicrosoftPurviewEDiscovery API is separate to the Microsoft Graph API, it requires a separate authentication token to authorise the download request. As a result, you must use the MSAL.PS PowerShell Module and the Get-MSALToken cmdlet to acquire a separate token in addition to connecting to the Microsoft Graph APIs via the Connect-MgGraph cmdlet. The following example scripts can be used to as a reference when developing your own scripts to enable the programmatic download of the export packages. Connecting with a client secret If you have configured your app to use a client secret, then you can use the following example script for reference to download the export package and reports programmatically. Copy the contents into notepad and save it as DownloadExportUsingApp.ps1. [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [string]$tenantId, [Parameter(Mandatory = $true)] [string]$appId, [Parameter(Mandatory = $true)] [string]$appSecret, [Parameter(Mandatory = $true)] [string]$caseId, [Parameter(Mandatory = $true)] [string]$exportId, [Parameter(Mandatory = $true)] [string]$path = "D:\Temp", [ValidateSet($null, 'USGov', 'USGovDoD')] [string]$environment = $null ) if (-not(Get-Module -Name Microsoft.Graph -ListAvailable)) { Write-Host "Installing Microsoft.Graph module" Install-Module Microsoft.Graph -Scope CurrentUser } if (-not(Get-Module -Name MSAL.PS -ListAvailable)) { Write-Host "Installing MSAL.PS module" Install-Module MSAL.PS -Scope CurrentUser } $password = ConvertTo-SecureString $appSecret -AsPlainText -Force $clientSecretCred = New-Object System.Management.Automation.PSCredential -ArgumentList ($appId, $password) if (-not(Get-MgContext)) { Write-Host "Connect with credentials of a ediscovery admin (token for graph)" if (-not($environment)) { Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $clientSecretCred } else { Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $clientSecretCred -Environment $environment } } Write-Host "Connect with credentials of a ediscovery admin (token for export)" $exportToken = Get-MsalToken -ClientId $appId -Scopes "b26e684c-5068-4120-a679-64a5d2c909d9/.default" -TenantId $tenantId -RedirectUri "http://localhost" -ClientSecret $password $uri = "/v1.0/security/cases/ediscoveryCases/$($caseId)/operations/$($exportId)" $export = Invoke-MgGraphRequest -Uri $uri; if (-not($export)){ Write-Host "Export not found" exit } else{ $export.exportFileMetadata | % { Write-Host "Downloading $($_.fileName)" Invoke-WebRequest -Uri $_.downloadUrl -OutFile "$($path)\$($_.fileName)" -Headers @{"Authorization" = "Bearer $($exportToken.AccessToken)"; "X-AllowWithAADToken" = "true" } } } Once saved, open a new PowerShell windows which has the following PowerShell Modules installed: Microsoft.Graph MSAL.PS Browse to the directory you have saved the script and issue the following command. .\DownloadExportUsingApp.ps1 -tenantId “<tenant ID>” -appId “<App ID>” -appSecret “<Client Secret>” -caseId “<CaseID>” -exportId “<ExportID>” -path “<Output Path>” Review the folder which you have specified as the Path to view the downloaded files. Connecting with a certificate If you have configured your app to use a certificate then you can use the following example script for reference to download the export package and reports programmatically. Copy the contents into notepad and save it as DownloadExportUsingAppCert.ps1. [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [string]$tenantId, [Parameter(Mandatory = $true)] [string]$appId, [Parameter(Mandatory = $true)] [String]$certPath, [Parameter(Mandatory = $true)] [string]$caseId, [Parameter(Mandatory = $true)] [string]$exportId, [Parameter(Mandatory = $true)] [string]$path = "D:\Temp", [ValidateSet($null, 'USGov', 'USGovDoD')] [string]$environment = $null ) if (-not(Get-Module -Name Microsoft.Graph -ListAvailable)) { Write-Host "Installing Microsoft.Graph module" Install-Module Microsoft.Graph -Scope CurrentUser } if (-not(Get-Module -Name MSAL.PS -ListAvailable)) { Write-Host "Installing MSAL.PS module" Install-Module MSAL.PS -Scope CurrentUser } ##$password = ConvertTo-SecureString $appSecret -AsPlainText -Force ##$clientSecretCred = New-Object System.Management.Automation.PSCredential -ArgumentList ($appId, $password) $ClientCert = Get-ChildItem $certPath if (-not(Get-MgContext)) { Write-Host "Connect with credentials of a ediscovery admin (token for graph)" if (-not($environment)) { Connect-MgGraph -TenantId $TenantId -ClientId $appId -Certificate $ClientCert } else { Connect-MgGraph -TenantId $TenantId -ClientId $appId -Certificate $ClientCert -Environment $environment } } Write-Host "Connect with credentials of a ediscovery admin (token for export)" $connectionDetails = @{ 'TenantId' = $tenantId 'ClientId' = $appID 'ClientCertificate' = $ClientCert 'Scope' = "b26e684c-5068-4120-a679-64a5d2c909d9/.default" } $exportToken = Get-MsalToken @connectionDetails $uri = "/v1.0/security/cases/ediscoveryCases/$($caseId)/operations/$($exportId)" $export = Invoke-MgGraphRequest -Uri $uri; if (-not($export)){ Write-Host "Export not found" exit } else{ $export.exportFileMetadata | % { Write-Host "Downloading $($_.fileName)" Invoke-WebRequest -Uri $_.downloadUrl -OutFile "$($path)\$($_.fileName)" -Headers @{"Authorization" = "Bearer $($exportToken.AccessToken)"; "X-AllowWithAADToken" = "true" } } } Once saved open a new PowerShell windows which has the following PowerShell Modules installed: Microsoft.Graph MSAL.PS Browse to the directory you have saved the script and issue the following command. .\DownloadExportUsingAppCert.ps1 -tenantId “<tenant ID>” -appId “<App ID>” -certPath “<Certificate Path>” -caseId “<CaseID>” -exportId “<ExportID>” -path “<Output Path>” Review the folder which you have specified as the Path to view the downloaded files. Conclusion Congratulations you have now configured your environment to enable access to the eDiscovery APIs! It is a great opportunity to further explore the available Microsoft Purview eDiscovery REST API calls using the Microsoft.Graph PowerShell module. For a full list of API calls available, see Use the Microsoft Purview eDiscovery API. Stay tuned for future blog posts covering other aspects of the eDiscovery APIs and examples on how it can be used to automate existing eDiscovery workflows.General Availability: Dynamic watermarking for sensitivity labels in Word, Excel, and PowerPoint
In today's digital age, protecting sensitive information is more critical than ever. Sensitivity labels from Microsoft Purview Information Protection offer highly effective controls to limit access to sensitive files and to prevent users from taking inappropriate actions such as printing a document, while still allowing unhindered collaboration. However, these controls don't prevent users from taking pictures of sensitive information on their screen or of a presentation being shared either online or in-person, and some forms of screen-shotting can't be blocked with existing technology. This loophole presents an easy way to bypass protections that sensitivity labels enforce on a document, and these pictures can end up in the wrong hands of competitors or the public. Dynamic Watermarking helps address this gap in document security by deterring unauthorized sharing and enabling traceability of leaks. What is Dynamic Watermarking? Dynamic watermarking is a feature that overlays watermarks containing user-specific information on documents. These watermarks are visible when the document is viewed, edited, or shared in Word, Excel, or PowerPoint, deterring leaks and making it easier to trace any unauthorized dissemination of sensitive information. This feature can be configured by the compliance admin on any sensitivity label with admin-defined permissions via the Microsoft Purview compliance portal or PowerShell. When the setting is enabled for a label, files with that label will render dynamic watermarks when opened in Word, Excel, and PowerPoint. Key Features User-Specific Watermarks: Watermarks display the UPN (usually email address) of the user currently viewing the document. Watermark Customizability: Watermarks can be configured to also include the device date-time, enabling admins to know precisely when leaked information was captured, as well as a custom string. Cross-Platform Support: Available on Word, Excel, and PowerPoint for the web, Windows, Mac, iOS, and Android. Seamless Integration: Configurable on sensitivity labels with admin-defined permissions via the Microsoft Purview compliance portal or PowerShell. Enhanced Security: Prevents users from accessing documents with labels configured for dynamic watermarking on Word, Excel, and PowerPoint clients that cannot render dynamic watermarks. Benefits & Differentiators Although there are existing security solutions that may offer different aspects of dynamic watermarking, Microsoft provides the most comprehensive offering with the following differentiators: Broad support in many views (e.g., slide view, notes view, etc.) so it’s not the only the primary application view that’s protected for more comprehensive coverage. Ability to set dynamic watermarking for a sensitivity label and have it apply to all Word, Excel, and PowerPoint files with that sensitivity label (rather than a separate setting), making it easier for admins to apply dynamic watermarking across applications and files all at once. Ability to edit (and coauthor) a watermarked file. Coauthoring enables users to collaborate on Word, Excel, and PowerPoint files that are labeled with sensitivity labels across Web, Windows, Mac, iOS, and Android. Cross-platform support: Web, Windows, Mac, iOS, and Android. When a user attempts to open a file with dynamic watermarks on a version of Office that doesn’t support the feature, they will see an access denied message. Users who don’t have an Office client installed that is capable of dynamic watermarking should use Office for the web to work with watermarked files. Get Started with Dynamic Watermarking When setting up a label in the Purview compliance portal, you can select “Use Dynamic Watermarking” when configuring encryption. You can also configure dynamic watermarking on a sensitivity label using the Set-Label cmdlet in PowerShell. Learn more about configuring sensitivity labels for dynamic watermarking here. For dynamic watermarking for Word, Excel, and PowerPoint, this will require a Microsoft 365 E5, Microsoft 365 E5 Compliance, Microsoft Information Protection and Governance E5, Microsoft Enterprise Mobiity and Security E5, or Microsoft Security and Compliance for Frontline Workers F5 license. These license requirements are necessary to configure dynamic watermarks and apply labels configured for dynamic watermarking. There is no licensing requirement for users to open files with dynamic watermarks. To view the minimum versions needed to open files with dynamic watermarks on all platforms, see Minimum versions for sensitivity labels in Microsoft 365 Apps | Microsoft Learn.General Availability: Dynamic watermarking for sensitivity labels with user-defined permissions
We previously announced the general availability of dynamic watermarking for sensitivity labels with admin-defined permissions in Word, Excel, and PowerPoint. Today, we are excited to announce that dynamic watermarking is now supported for labels with user-defined permissions as well as admin-defined permissions. This enhancement allows users to apply sensitivity labels with dynamic watermarks to documents with custom permissions, providing even greater flexibility and control over sensitive information. What is Dynamic Watermarking? Dynamic watermarking is a feature that overlays watermarks containing user-specific information on documents. These watermarks are visible when the document is viewed, edited, or shared in Word, Excel, or PowerPoint, deterring leaks and making it easier to trace any unauthorized dissemination of sensitive information. This feature can be configured by the compliance admin on any sensitivity label via the Microsoft Purview compliance portal or PowerShell. When the setting is enabled for a label, files with that label will render dynamic watermarks when opened in Word, Excel, and PowerPoint. You can learn more about this feature in our original GA announcement and our M365 Insiders blog post.Getting started with the new Purview Content Search
“I’m looking to get started with the new Content Search experience in Purview. Where do I get started?” Welcome to the exciting new world of Content Search! This revamped experience is designed to be more intuitive, making it easier for you to navigate and find what you need. The modern Content Search experience offers additional capabilities like enhanced data sources to make it easier to identify the locations that you want to search, an improved condition builder, and a streamlined export experience. Also, you will now be able to take advantage of Premier features if you have E5 licensing, further elevating your search experience. Privacy is a key focus in this update, allowing you to restrict access to your content searches and ensure that sensitive information remains secure. Additionally, the ability to configure Role-Based Access Control (RBAC) permissions means you can customize Content Search functionality to suit your needs, granting or limiting access as necessary. There are two different ways of accessing Content Search. You can access content search by clicking on the eDiscovery solution card under the Purview portal and select Content Search on the left nav. ation pane within the eDiscovery section. The "Content Search" option is highlighted, indicating its selection for searching emails, documents, and other content across Microsoft 365. This is a shortcut that will take you to the Content Search case in the new unified Purview eDiscovery. You will see all of your existing content searches here. “What do I need to do first?” First, let’s talk about permissions and privacy. The first step in using the new content search is to make sure that you have access to the new Content Search. eDiscovery managers and administrators will automatically have access to new content search. However, if you are not a member of either of these built-in role groups or in a custom role group, you may need to have either an eDiscovery manager or an eDiscovery administrator grant you access to the new content search. You will need to take the following steps if you receive this message when attempting to access the new content search: Figure 2: A screenshot of a web application displaying a 'Permission Error' message in a pop-up window, indicating that the user does not have access to the requested page. Here are the steps for assigning a custom RBAC group or individual user to the Content Search: 1) NOTE: You will need to have someone with eDiscovery manager or eDiscovery admin permissions to assign these permissions. This is done through the Case settings button under Content Search: & Eliza Gallager Incident" is listed with details such as description, query text, created by, created date, modified by, and modified date. 2) This will take you to the case settings page. You will need to click Permissions. After you select Permissions, you will have the options to add an individual user (Users) or all members of a built-in or custom role group (Role groups) You can see where I have added a custom role group named “Content Search” in this example. 3) Once you have added either the user or the role group, they will then be able to access the new Content Search! “Thanks! I can now access the new Content Search, but it looks like I now have access to holds. My team should not have the ability to place holds. What can we do?” Have no fear! The new Content Search will not provide admins the permission to apply holds. This is tightly controlled via the Purview roles assigned to you by an authorized administrator. If the holds tab is present in the new Content Search case, it is because you already have the Hold Purview role assigned to you. You can learn more about the different roles that eDiscovery and Content Search use in this article: Assign permissions in eDiscovery. You can customize what content search activities a user can perform by using Purview custom role groups. Let’s say that you want to restrict the ability to create and manage holds with Microsoft Purview. We are going to do that by creating a new custom role group named Content Search. Here are the steps for creating a custom role group. 1) The Microsoft Purview portal supports directly managing permissions for users who perform tasks within Microsoft Purview including eDiscovery and Content Search. Using the Roles and scopes area in Settings in the Purview portal, you can manage permissions for your users. IMPORTANT: To view Role groups in the Roles and scopes area in the Microsoft Purview portal, users need to be a global administrator or need to be assigned the Role Management role (a role is assigned only to the Organization Management role group). The Role Management role allows users to view, create, and modify role groups. 2) Next, click the +Create role group button to create a new role group in Purview. You can learn more about the different roles that eDiscovery and Content Search use in this article: Assign permissions in eDiscovery. After reviewing the different Content Search-related roles, select the ones applicable to your Content Search users. Here are the roles that we selected for our Content Search users: 3) Microsoft always recommends that you use roles with the fewest permissions. When planning your access control strategy, it's a best practice to manage access for the least privilege for your eDiscovery and Content Search users. Least privilege means you grant your administrators exactly the permission they need to do their job. 4) Please refer to this article if you need any other assistance creating custom role groups in Purview: Permissions in the Microsoft Purview portal. “Excellent! I can’t see the holds tab anymore. However, I’m noticing that I have access to E5 features like review sets. We only have E3 licenses. What can we do to disable the Premium features?” Depending on your tenant configuration, the new Content Search may have eDiscovery (Premium) features enabled (these features include review sets, advanced indexing, cloud attachment support, and many others). The eDiscovery (Premium) features can be disabled via the Content Search case settings. This can be done by clicking on the Case settings button from the new Content Search. Within the Case details page there is a toggle to enable or disable the eDiscovery (Premium) features. & analytics, and Review sets. The Case details section shows information such as the license type (eDiscovery Premium), premium features toggle, case name ('Content Search'), case number, and a description field. The status of the case is marked as active with a creation date and time. “Thanks! It looks like I have the correct permissions and settings. Where do I get started?” 1) Let’s start with creating a new search. Under the new Content Search, you’re going to click the Create a search button. ry text, created by, last modified date, and status. 2) Give your new search a unique name and description. 3) Under the Query tab in your new search, you will see Data sources on the left side. The new Content Search’s enhanced data sources will make it a lot easier for you to set the locations that you would like to search. You can use Content Search to search for M365 content such as email, documents, and instant messaging conversations in your organization. Use search to find content in these cloud-based Microsoft 365 data sources: Exchange Online mailboxes SharePoint sites OneDrive accounts Microsoft Teams Microsoft 365 Groups Viva Engage In this example, we will be searching a Nestor’s mailbox and OneDrive site for an email sent in March 2025 that contains the keyword string “Project 9” 4) Click Add sources under Data sources to add your locations (you can also search all your mailboxes or sites by selecting Add tenant-wide sources if needed) 5) Type in the name of the user or their email address to find the user that you’re wanting to search and then select them. reenshot shows the 'Search for sources' interface in Microsoft 365 compliance center, where users can add people, groups, SharePoint sites, OneDrive accounts, and Microsoft Teams as sources. The search results display one item matching the query 'Nestor Wilke,' with an option to select or deselect it. 6) Click the Manage button to see the locations associated with this user. The enhanced data source experience will automatically identify a user’s mailbox and OneDrive site if they have one enabled. 7) Select Save to continue. Optional: you can exclude either their Mailbox or OneDrive site by unchecking them under the Manage sources view. 8) Now that we have identified the locations that we want to search. The next step is to create a query to define what we are wanting to search for within the locations. 9) Under the Keywords condition, make sure that Equal is selected, and type in Project 9 and hit enter. This will let you specify that you are looking for any chat, email, or document that contains the phrase “Project 9” 10) Next, click on the + Add conditions button to add the date range condition. Select Date from the list and hit Apply. 11) Switch the Date operator from Before to Between and select March 1, 2025 through March 31, 2025 as the date range. 12) Click the Run query button to generate the search estimate. Then click Run Query after selecting any additional options that you may want. 13) After the search has run, the Statistics tab will help you verify whether the relevant content was found. You can also generate a sample of the results by going under the Sample tab and hitting the Generate sample results button. 14) You can export the results of your search after you have verified that the relevant content has been returned by your search by selecting the Export button. Please give your export a name and description. 15) You can choose what format you want the results to be exported in by scrolling down. enshot displays the "Export" settings window from a software application, detailing options for exporting data. Users can choose to include Teams and Viva Engage conversations, organize conversations into an HTML transcript, and collect items linked to SharePoint or OneDrive. Additional settings allow users to select the export type, format the export into PSTs or .msg files, organize data into separate folders, condense paths to fit within 259 characters, and give items a friendly name. In the Export type section, choose one of the following options: Export items report only: Only the summary and item report are created. The various options for organizing data, folder and path structure, condensing paths, and other structures are hidden. Export items with items report: Items are exported with the item report. Other export format options are available with this option in the Export format section. In the Export formatsection, choose one of the following options: Create PSTs for messages: This option creates .pst files for messages. Create .msg files for messages: This option creates .msg files for messages Select one or more of the following output package options: Organize data from different locations into separate folders or PSTs: This option organizes data into separate folders for each data location. Include folder and path of the source: This option includes the original folder and folder path structure for items. Condense paths to fit within 256 characters: This option condenses the folder path for each item to 259 characters or less. Give each item a friendly name: This option creates a friendly name for each item. 16) After you have selected the options for your export, select the Export button. 17) Click the Export button to go to the Export tab. 18) Select your export once the status shows as “Complete” 19) Select the export packages that you wish to download and hit the Download button. Clicking the Download button will kick off a browser download. The new Content Search does not use classic Content Search and eDiscovery (Standard)’s .NET eDiscovery Export Tool application. NOTE: You may have to disable popup blocking depending on your browser settings. The download report relating to the export is named Reports-caseName-EntityName-ProcessName-timestamp.zip. With EntityName being the user given name to the export. This will include several .CSV files including items.csv which provides details of all items exported, including information such as item ID, location of the item, subject/title of the item, item class/type, and success/error status. The .PST files exported will be included in an export package called "PSTs.00x.zip" 20) Files exported (e.g. files stored in OneDrive and SharePoint) will be included in an export package called Items.00x.zip To learn more about the Microsoft Purview eDiscovery and Content Search solutions and become an eDiscovery Ninja, please check out our eDiscovery Ninja Guide at https://aka.ms/eDiscoNinja!
