Microsoft Purview Information Protection Overview

The document outlines Microsoft Purview's capabilities for identifying and protecting sensitive data across enterprise environments, including new features for information protection and data governance. It highlights the importance of securing data from various threats, including insider risks and AI-related challenges, while ensuring compliance with regulations. The document also emphasizes the need for an integrated approach to data security, leveraging auto-classification, labeling, and dynamic protection measures.


Identifying and Protecting Sensitive Data at Enterprise Scale

Agenda
• Microsoft Purview Security, Governance and Compliance
• What’s new for Information Protection
• Expanding beyond M365 to the enterprise data estate
• Securing M365 Copilot
• Q&A

Meet the Microsoft Purview family

Data Security: secure data across its lifecycle, wherever it lives
• Data Loss Prevention
• Insider Risk Management
• Information Protection

Data Governance: govern data seamlessly to empower your organization
• Data Map
• Data Catalog
• Data Estate Insights

Data Compliance: manage critical risks and regulatory requirements
• Compliance Manager
• eDiscovery
• Audit
• Communication Compliance
• Data Lifecycle Management
• Records Management

Unstructured & structured data | Traditional and AI generated data | Microsoft 365 and multi-cloud
Shared platform capabilities

The most urgent data security challenges
• Discover sensitive data, whether structured or unstructured, on-premises or in the clouds
• Secure configuration to prevent sophisticated attacks
• Detect how users are interacting with data and identify insider risks
• Ensure your data remains secure from data leakage and data exfiltration activities

Data security incidents can happen anytime, anywhere
Data is at risk of misuse if the organization has no visibility into its data estate.

1. User falls prey to a phishing attack and compromises user credentials: data compromise by an external threat
2. User copies a file to a USB, then uploads it to a personal Dropbox: data theft by a malicious insider
3. User negligently shares sensitive data in generative AI apps: data exposure by a negligent insider

Security concerns associated with AI usage
Insufficient visibility into the usage of AI applications can result in security and compliance challenges.

1. Data leak: users may inadvertently leak sensitive data to AI apps
2. Data oversharing: users may access sensitive data via AI apps that they are not authorized to view or edit
3. Non-compliant usage: users use AI apps to generate unethical or other high-risk content

Organizations need to…
• Discover and protect sensitive data throughout its lifecycle
• Understand user activity context around the data and identify risks
• Prevent data from unauthorized use across apps, services, and devices
Balance data security and productivity

Fortify data security with an integrated approach
• Information Protection: discover and auto-classify data and prevent it from unauthorized use across apps, services, and devices
• Insider Risk Management: understand the user intent and context around sensitive data to identify the most critical risks
• Data Loss Prevention: prevent data from unauthorized use across apps, services, and devices
Support for multi-cloud, hybrid, SaaS and all data | Partner ecosystem

Microsoft Purview Information Protection

Data classification service (uniform content & context-based classification):
• Sensitive Info Types (SITs)
• Named Entities
• Exact Data Match
• Trainable Classifiers
• Credentials SITs
• Fingerprint SITs
• Context-based classification
• OCR
• Extendable via SDK to 3rd party tools

Sensitivity labels: Public, General, Confidential, …

Rights management service: protection using encryption as the outcome of classification and labeling

Where classification and protection apply (native integration with Microsoft apps and services):
• Desktop & mobile devices, Office 365, On-premises, Endpoint DLP
• Defender for cloud apps
• Multi-cloud: ADLS, SQL DB, Azure Files, Blobs, Cosmos DB, S3

Advanced compliance solutions: eDiscovery (premium), Insider risk management, Communication compliance, Microsoft Priva

Broad support with 3rd party solutions, data repositories, and LOB applications

Our focus is to expand Purview to more workloads, new data types, with more protection capabilities
Microsoft Purview Portal (unified & coherent)

Protections: Access control (allow read/write), Conditional access, Dynamic watermarking, Extended SPO permissions with RMS, Automatic labeling with inheritance, Just-in-time

Data types: Files, Emails, Meetings, *Transcripts, Recordings, Loop, OneNote, Embedded images, Planner, Forms; Power BI, Synapse, ADLS, ADF, Relational DB (SQL, Cosmos DB), Power apps, S3 buckets

Workloads: Microsoft 365, Azure (Fabric, SQL, ADLS), Dataverse, 3P

Sensitivity labels span your entire data estate
Public | General | Confidential | Restricted
• They are a representation of your information taxonomy.
• They describe the priority assigned to your categories of sensitive information.

Content labels
• Applied to: Office apps, Power BI reports, Azure Data
• Protections: Encryption and visual markings
• Automation: Can be applied either manually by users or automatically based on classification

Container labels
• Applied to: SharePoint sites, Teams channels, Microsoft 365 groups
• Protections: Access control, privacy settings, conditional access
• Automation: Can be applied manually by site/Team or group owners

Powerful controls that ensure labels are applied where needed
• Apply labels by default, make them mandatory, prevent label downgrades
• Default sensitivity labels: secure SharePoint and OneDrive document libraries with default sensitivity labels (Office files and PDFs)
• Classify and protect document libraries, within a site, with label-based policies

Best-in-class classification technologies

Sensitive info types
• 300+ out of the box info types like SSN, CCN
• Clone, edit, or create your own
• Supports regex, keywords, and dictionaries

Named entities
• 50+ entities covering person name, medical terms, and drug names
• Best used in combination with other sensitive info types

Exact data match
• Provides a lookup to exactly match content with unique customer data
• Supports 100m rows and multiple lookup fields

Optical Character Recognition (OCR)
• Expanded OCR for EXO, SPO, ODB, Teams & endpoint devices
• Supports over 150 languages
• Supports image files and images embedded in PDFs

Trainable classifiers
• 35+ pre-trained ready-to-use trainable classifiers
• Create your own classifier based on business data

Credentials SITs
• 42 new SITs for digital authentication credential types
• Use in auto-labeling and DLP policies to detect sensitive credentials in files

Fingerprint SITs
• Detect exact or partial matching of sensitive intellectual property
• Use in Exchange, SharePoint, Teams and Devices

Context-based classification
• ODSP default site label
• Service-side auto-labeling predicates: file extension, document name contains word, document property is, document size greater than, document created by

Templates
• Provide pre-defined policies that use available classifiers
• Cover multiple industry and geographical regulatory requirements
• Easily customizable, can be edited to meet customer needs
• Get started easily with simulations, rerun as needed to fine tune

Context-based classification
New contextual predicates in service-side auto-labeling
Supports the following new contextual predicates:
• Document property is
• File extension is
• Document size equals or is greater than
• Document created by (only available in advanced rules in OneDrive and SharePoint locations)
• Document name contains words or phrases

MIP and DLP Analytics Page

Policy simulation

1. Pick your scope
• Option 1: ALL – SharePoint sites, OneDrive accounts and Email users
• Option 2: Subset of sites or accounts – can use PowerShell for longer lists

2. Simulate in your production environment
• Simulation is fast – it normally takes a few hours to run depending on the size of your tenant
• Simulation is not intrusive – no actions are applied
• Simulation for EXO triggers in near real time on email activity (not emails at rest)
• Simulation for ODSP triggers on files at rest
• Insights are best achieved on real production data

3. Gain confidence in your protection policy
• Review simulation results (both aggregate and sample files)
• Iterate and experiment to improve accuracy
• Supported in auto labeling and DLM today, DLP by Jun’23

4. Turn on protection policies after validating simulation results
• Existing Office files at rest (Word, Excel, PowerPoint) in OneDrive & SharePoint are automatically protected
• New files added after the policy is enforced are also protected
• Emails in transit are automatically scanned for sensitive information and protected
• Cold data crawl: private preview coming in Q3’23

Labeling data at scale – Guiding principles

Apply labels by default using Label Policy
• When content is created or accessed, set a default label for Files, Emails, Meetings, PBI Reports, Containers, …

Apply labels based on context
• By location: for sensitive SPO libraries, site owners can set a default label per library
• For documents at rest: use service-side auto labeling by file size, extension, properties …; use the SetLabel Graph API to label specific files based on your criteria
• For emails in motion: use service-side auto labeling to trigger labels based on predicates like

Apply labels automatically based on content
• Client-side auto-labeling for content when files are in-use and mails are being composed
• Service-side auto-labeling policy for files at-rest in SPO, ODB and mails in-transit in Exchange
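The simulation-first rollout from the "Policy simulation" slide and the contextual predicates from the "Context-based classification" slide, expressed in Security & Compliance PowerShell as an added example (not from the deck): a service-side auto-labeling policy scoped to a subset of SharePoint sites (Option 2), a rule that combines a sensitive info type with the contextual predicates, created in simulation mode and switched to enforcement only after review. The tenant, site URLs, label name, property value and user are placeholders; the cmdlet and parameter names are those of the ExchangeOnlineManagement module as I know them, and the "PropertyName:Value" format for document properties is an assumption to verify with Get-Help.

```powershell
# Added example, not part of the deck. Needs the ExchangeOnlineManagement module and a
# Compliance Administrator (or equivalent) role. Every name below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder tenant admin

$policyName = "AutoLabel-Finance-Sim"      # placeholder policy name
$labelName  = "Confidential"               # placeholder: an existing, published label
$sites = @(                                # Option 2: a subset of sites (placeholders)
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/Treasury"
)

# 1. Pick your scope. TestWithoutNotifications is simulation mode: the policy is
#    evaluated against real production content but applies no label.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel $labelName `
    -SharePointLocation $sites `
    -Mode TestWithoutNotifications `
    -Comment "Simulation first; enable only after reviewing results"

# Longer site lists can be appended later without re-creating the policy.
Set-AutoSensitivityLabelPolicy -Identity $policyName `
    -AddSharePointLocation "https://contoso.sharepoint.com/sites/Audit"   # placeholder

# 2. The rule: a built-in sensitive info type narrowed by the contextual predicates
#    (file extension, document name, document property, size, creator). All
#    conditions must match. "Department:Finance" assumes a "PropertyName:Value"
#    format for ContentPropertyContainsWords; check Get-Help in your tenant.
New-AutoSensitivityLabelRule -Name "$policyName-Rule" `
    -Policy $policyName `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -ContentExtensionMatchesWords "xlsx", "docx", "pdf" `
    -DocumentNameMatchesWords "budget", "forecast" `
    -ContentPropertyContainsWords "Department:Finance" `
    -DocumentSizeOver 10KB `
    -DocumentCreatedBy "finance-reports@contoso.example"   # placeholder creator UPN

# 3. Gain confidence: confirm the policy is still in simulation, then review the
#    aggregate results and sample files in the Purview portal.
Get-AutoSensitivityLabelPolicy -Identity $policyName |
    Select-Object Name, Mode, Enabled, ApplySensitivityLabel, SharePointLocation

# 4. Turn on protection only after the simulation results have been validated.
#    Uncomment once reviewed; existing files at rest in the scoped sites are then
#    labeled, and new files are evaluated as they are added.
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```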
Roadmap

Expanding auto-labeling (Public Preview – Apr)
1. New actions & workloads: Configure auto-labeling policies for Azure, ADLS, and AWS S3 individually.
2. New workloads: Granular scoping allows admins to confidently enable auto-labeling in SQL, ADLS, & AWS S3 without impacting existing workloads.
3. Coherence: Single location to author auto-labeling policies for all workloads.

Label-based access in Azure SQL, ADLS, & AWS S3 (Public Preview – Apr)
1. New workloads: Labeling and classification available across Azure SQL, ADLS, & AWS S3.
2. New protection actions: Enforce protection actions (access) for Azure SQL, ADLS, & AWS S3.
3. Coherence: Configure unified policies, allowing comprehensive visibility of sensitive data from a single control plane.

MIP and DLP for Fabric (Gated Preview – Apr)
1. New Protection Policy actions: As a result of applying labels, admins can set MIP Protection Policies for items in Fabric (Allow read, Allow write).
2. Extend label protection actions: Extend Power BI Desktop protection actions to match Office protections more closely (Open, Edit, Republish).
3. New DLP Policy: Customers will be able to apply DLP policies (Policy Tips & auditing) and scope them to specific Fabric workspaces (available in Power BI).

Label Scheme Modernization

Goal is to reduce confusion and complexity of label hierarchy configuration for admins and users:
• Inconsistent user experience across apps when parent labels are published without any sub labels
• Prevent orphaned labels – as requirements evolve, adding a sub label to a standalone causes all prior data assets to be orphaned

Proposed change:
• Stand-alone and child labels will remain as-is today.
• Label Groups (what used to be Parent labels) will represent a group of labels.
• With the proposed change, there will only be two types of entities: Label group (new), and Labels (includes standalone & child labels)

Today (Before): Label | Proposal (After): Label grouping (previous parent) → Label

Label scheme modernization: Pre-Migration Readiness
• Parent labels do not have any conditions or actions
• Parent labels have the right scope (superset of their child label scopes)
• Parent labels are published with child labels – they are not published by themselves
• Parent labels are not used as defaults, recommended, or in Auto-labeling, Protection, or DLP policies

Extended SharePoint Permissions with RMS (Timing – TBD)

Brings together permissions in SharePoint Online and Microsoft Purview Information Protection.
• ACLs for MIP encrypted docs are inherited from the SPO site – fewer access issues to debug [2 ACLs → 1 ACL]
• Managing ACLs is delegated to the site admin (== data owner) – less overhead for the compliance admin
• Simple and consistent enforcement of access to encrypted data – makes online and offline/downloaded files instantly inaccessible when the user is removed from the site
• No need to create a label per project/site – prevents label sprawl

Walkthrough: Admin has defined a default sensitivity label for a SharePoint site → Henry is a member of the SharePoint site → Henry can download a file from SPO and open the file → Admin removes Henry from the site → Henry cannot re-open the already downloaded file – he instantly loses access!

Just-in-time on SPOD
With Just-in-time protection, admins can be sure that each file will be evaluated and protected by DLP on the latest policy posture.
• Admin can turn on JIT for both OneDrive and SharePoint.
• A cold file which hasn’t been evaluated by DLP will appear as non-sensitive to both internal and external users.
• With JIT protection on, every access will be evaluated and enforced as per the latest policy posture.

Conditional Access with Labels (Private Preview – May)
• Label-Based Conditional Access combines familiar sensitivity labeling-based protections with Entra ID Conditional Access policies to give administrators more control over where and how sensitive information can be accessed.
• Label policies can be extended to restrict access based on user attributes, user risk posture, device status, user location, and more.

Flow: Admin configures conditional access when defining a sensitivity label → Policy checks that the user is accessing the file from an allowed location → File opens for the user

Scenario in which a user is granted access: A user trying to access Swiss customer data from Switzerland will be granted access to files labeled as “Confidential\Swiss Customer Data”.

Scenario in which a user is denied access: A user trying to access Swiss customer data from Germany will be denied access to files labeled as “Confidential\Swiss Customer Data”.

Dynamic Watermarking (Private Preview – Mar)
• Dynamic watermarking provides customers with the controls to require virtualized watermarks on labeled documents.
• Renders the user’s email address across the document.
• Discourages unauthorized photos and sharing in Teams.

Labeling meetings recordings, transcripts with inheritance (Private Preview – Q3)
Labeled meetings will automatically inherit the label to meeting artifacts:
1. Support labeling for recordings and transcripts
2. Meeting recordings and transcripts inherit the same label after a meeting is finished
3. Labeled recordings can be protected from oversharing by preventing file download
4. Labeled transcripts can restrict sensitive chats from being processed by Copilot

Automatic labeling of meetings from sensitive docs (Private Preview – July)
Protected meetings will automatically be labeled based on the most sensitive shared content:
1. Labeled documents shared through chats or window share can upgrade the label on the meeting
2. Labels can be recommended or automatically applied to the meeting from shared documents

Labeling in OneNote (Private Preview – Q3)
• Extending OneNote to support sensitivity labeling and protection.

Embedded OCR
• With embedded OCR support across workloads, customers will be able to scan images which are embedded inside Office and archive files
• Images inside hybrid PDF files which contain images as well as searchable text will also get scanned using OCR
• No admin intervention: the existing OCR settings will seamlessly extend and apply to embedded images

Protect your most important PDF files
1. Office PDF support
2. SharePoint renders protected PDFs
3. SharePoint auto-labeling support for PDF
4. Adobe Acrobat native support for labels

User-defined permissions for secure collaboration
• Users can choose specific users/groups for read/change permissions at the file level (no need for admins to create labels)
• Protection travels with the document, no matter where and how the document travels
• Co-authoring support of encrypted Office files with user-defined permissions in SharePoint

Sensitivity labels to protect Microsoft Teams shared channels
Private Teams discoverability control
• Shared channel controls provide access controls to shared channels based on the label applied to the Team: internal only, same team only (internal), or private Teams only.

Configure policy tips as popups for labeled emails and attachments
Configure DLP rules that display warnings in a popup dialog before sending emails.
• Admins can set up rules to provide warnings, require business justifications, or request explicit acknowledgements before sending emails
Generally available in Office version v2302

Double Key Encryption (DKE)
• Use double-key encryption to protect your most sensitive files and emails in Microsoft 365 Apps on Windows with built-in labeling
• With DKE, Microsoft stores one key in Microsoft Azure and you hold the other key, ensuring that only you can ever decrypt protected content, under all circumstances

Tracking and Revocation
Native in Information Protection
• Users can access the Microsoft Purview compliance portal to check who has tried accessing their sensitivity labeled and encrypted local Office files and revoke access when needed

Growing ecosystem
• 200+ Purview and Priva partners
• 75 MISA partners
• 111 MISA products and services

“MISA transformed our ability to deliver a premium solution to our clients quickly by enriching our solution through integrations with Information Protection and Defender for Cloud Apps, allowing us to focus on our AI designed to automate Microsoft security tools.”
– Ami Marueli, Chief Technology Officer & Cofounder, Cognni

Microsoft Purview Information Protection SDK

Cross-platform SDK (multiple platforms and languages)
• Extend classification, labeling, and protection
• Broadens the reach of information protection capabilities
• Used in Microsoft Purview Information Protection solutions
• Graph (REST) endpoint for the Policy Service (Graph API)

Components of the SDK

File SDK
• Abstraction of the Policy and Protection APIs
• Can read labels from supported files
• Can apply labels to supported files
• “Supported” files can be expanded

Policy SDK
• Useful for client applications
• Exposes the policy for the current user
• Exposes actions for each label

Protection SDK
• Protects plaintext content
• Decrypts protected content
• Rights enforcement is up to the developer

Information Protection and Microsoft 365 Copilot
Related sessions: Microsoft Copilot; AI-powered data classification for Microsoft 365; BRK298H Security for AI: Prepare, protect, and defend in the AI era

Copilot will honor access control restrictions on labeled content
• Only content from references where the user has the appropriate RMS permission will be included in responses.
• If a user lacks the right RMS permissions, Copilot will inform the user and provide a link, but will not include the content for generating responses.
• Copilot will not include information from referenced files where the user does not have appropriate access rights.

Copilot can reason over data sensitivity
• Users can see the sensitivity of the document that they reference within the Copilot prompt.
• Users can see the sensitivity of the document that they reference within the citations of the Copilot output.
• A sensitivity label applies to the entire conversation. Conversations inherit the most restrictive sensitivity labels from the references used to formulate a response.

Copilot generated output is automatically labeled
• The document inherits the sensitivity label of the chat.
• Microsoft Purview provides end-to-end data protection that transitively protects sensitive data across application experiences.
• Use existing Microsoft Purview auto-labeling rules and admin-defined sensitive information types to detect sensitive content and automatically label the files/emails.

How to get started
1. Define label schema: Establish a labeling scheme with parent and sub-labels, user descriptions, and priority.
2. Publish labels to end users: Allow your end users to start manually labelling.
3. Contextual classification: Classify based on location. Classify based on file extension, size, custom properties. Classify based on email predicates like sender, recipient, domain.
4. Automatic labeling: Assist your end users in labelling with recommendations. Protect your most sensitive content at rest with labels.
5. Data Loss Prevention: Ensure data is protected with DLP policies. Use content and context triggers for DLP policies.

Intelligent: Default labels & policies with simple one-click turn on
Intelligent: Flexibility to further configure and learn more

Next steps/Learn more
• Blogs: https://aka.ms/ipgblog
• Interactive guide: aka.ms/InfoProtectionInteractiveGuide
• Mechanics videos: aka.ms/InfoProtectionMechanics
• Automatically Classify & Protect Documents & Data | Microsoft Purview Information Protection – YouTube
• AI-powered Data Classification | Microsoft Purview – YouTube
• Start a free trial: aka.ms/PurviewTrial
• Licensing: https://aka.ms/compliancesd

Deploying Information Protection
• Deployment acceleration guide
• Service-side auto labeling playbook
• Protecting source code playbook

Other resources
• Blogs: https://aka.ms/ipgblog
• Online roadmap tool: https://aka.ms/mipc/roadmap
• Interactive guide: aka.ms/InfoProtectionInteractiveGuide
• Mechanics video: aka.ms/InfoProtectionMechanics
• Start a free trial: aka.ms/PurviewTrial
• Licensing: https://aka.ms/compliancesd

Microsoft Purview Information Protection SDK information
• SDK documentation: https://aka.ms/MIPSDKDocs
• SDK sample: https://aka.ms/MIPSDKSamples
• SDK blog: https://aka.ms/MIPDevelopers

Deploying Information Protection/DLP
• Deployment acceleration guide
• Service-side auto labeling playbook

Data Loss Prevention
• Blogs: aka.ms/DLPblog
• Docs: aka.ms/DLPdocs

Thank You

© Copyright Microsoft Corporation. All rights reserved.
