
5 min read

How to Use Microsoft Purview to Protect Your Customers in 3 Easy Steps


Data policies and strategies aren’t just handy; they may be essential to a company’s ability to survive. As data breaches become more frequent and regulations multiply (think HIPAA, GDPR and the like), companies must rise to the data protection occasion. Microsoft offers a simple and effective three-phase framework for building solid solutions for all of your customers’ data types and structures: Know - Protect - Prevent. We will also touch on Data Governance, which you can consider the fourth phase. Data Governance applies once the first three phases are in place: it is the ongoing lifecycle management of those three phases as they interact with each other over time.

In this article, we will give a high-level overview of how to utilize the power of Microsoft Purview Information Protection tools to help your customers find, categorize and protect their company’s sensitive information. We’ll also aim to answer common questions your customers might ask of you when looking for a suitable M/CSP (Managed/Cloud Solution Provider) to help them design their data policies and strategies.

The graphic below (the Microsoft Purview Information Protection Framework infographic) summarizes this approach and gives you a quick overall look at the process in an easy-to-use format.

[Infographic: Microsoft Purview Information Protection Framework]

Using this framework, you can quickly identify elements that will help answer questions relating to each of the 3 stages mentioned above and what tools to primarily leverage in tech-sales or feature-request conversations. 

Since most SMBs with Microsoft 365 cloud-only infrastructures will rely on Sensitivity labels, Retention policies and DLP (Data Loss Prevention) policies, we will focus on those in this article (although there are other tools within the Microsoft Purview Information Protection ecosystem).

 

Phase 1: Know Your Data 

It is always necessary to start with a discovery phase in which you build the most accurate picture you can of the customer’s data, in all its aspects. There is data, and then there is sensitive data. You need to find out which is which, and where it lives, before you can protect it. If you do not approach this phase properly, every following stage will suffer.

The first thing you should do is go to https://compliance.microsoft.com (the Microsoft Purview compliance portal; the old compliance URL now redirects to the Purview portal) and head to Data Classification.


When you are in this discovery phase (Phase 1: Know Your Data) this menu will be your main reference point.  

By guiding the company admin through the following menus, you will be able to give them insights into their data that they likely do not already have, simply because of the complexity of the environment and the often immature data lifecycle management of SMBs.

Overview Tab

The welcome wizard will pop up and point you to the first tool: the Overview tab.

This will provide an overview of the SITs (Sensitive Info Types) most used in your customer’s content and will ensure a good start to understanding which they will need to include in their label protection settings as well as in their DLP and Retention Policies. 

Click on View all sensitive info types to see more details.


 

Content Explorer Tab


Once you click on View all sensitive info types, you will have a clear starting point to define which SITs the company's data contains and where that data resides (Exchange, SharePoint or OneDrive). The view is ordered by SIT (there are 300+ built-in types listed currently). Note that Content explorer only shows item counts to members of the Content Explorer List viewer role group, and only members of the Content Explorer Content viewer role group can open the matching items, so confirm the admin you are guiding holds those roles.

For a complete list, check the Sensitive information type entity definitions.
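The same inventory can be pulled from Security & Compliance PowerShell, which is handy when you want to confirm the exact SIT names before you reference them in label or DLP rules. The script below is an added example and is not code from the original article; the UPN and the sample text are constructed placeholders, and it assumes the ExchangeOnlineManagement module is installed and the account holds a compliance role.

```powershell
# Added example (not from the original article). Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account
# holds a Compliance Administrator (or equivalent) role.
Import-Module ExchangeOnlineManagement

# Security & Compliance PowerShell: where the Purview cmdlets live.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder UPN (assumption)

# 1. Inventory the sensitive information types this tenant can use.
#    Built-in SITs are published by Microsoft; anything else is a custom SIT
#    someone created earlier, which is worth knowing during discovery.
$sits    = Get-DlpSensitiveInformationType
$builtIn = $sits | Where-Object { $_.Publisher -eq 'Microsoft Corporation' }
$custom  = $sits | Where-Object { $_.Publisher -ne 'Microsoft Corporation' }
"Built-in SITs: $($builtIn.Count); custom SITs: $($custom.Count)"
$custom | Select-Object Name, Publisher | Format-Table -AutoSize

# 2. Pull the definitions you expect to use in labels and DLP so you can copy
#    the exact names. Rule conditions must match these names exactly.
$wanted = 'Credit Card Number',
          'U.S. Social Security Number (SSN)',
          'International Banking Account Number (IBAN)'
$sits | Where-Object { $wanted -contains $_.Name } |
    Select-Object Name, Publisher, Id | Format-Table -AutoSize

# 3. Dry-run classification against constructed sample text before building
#    policies, so you see which SITs actually fire and at what confidence.
#    Test-DataClassification is an Exchange Online cmdlet, so connect there too.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder UPN (assumption)
$sample = 'Invoice paid with card 4111 1111 1111 1111 exp 12/29; SSN 123-45-6789'   # constructed sample
Test-DataClassification -TextToClassify $sample -ClassificationNames $wanted | Format-List
```

Run step 3 with a few real-looking samples from the customer (with their consent) rather than only the constructed string above: a SIT that never fires on the customer’s actual document formats is the most common reason a DLP policy looks "quiet" in test mode.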


 

Trainable Classifiers

If your customer wants to dig in further (this is not necessary on the first sweep, but we wanted to show you how to do it), Trainable Classifiers let you look at the data by category and location rather than by individual SIT. Where a SIT matches a pattern (a credit card number, an IBAN), a trainable classifier recognizes a kind of document (a résumé, a contract, source code, a financial statement), so the categories here are logical/functional information groups rather than one-by-one patterns.

FYI: This feature requires an initial scan of the data before results appear in Content explorer, and that scan can take up to a week to complete. While this obviously provides a deeper knowledge of the data structure, we suggest mentioning it to the customer at the end of the first call as something to be done in your next follow-up.

Once the initial scan is done and you have validated what the classifiers are picking up, you can use Trainable Classifiers as conditions in your auto-labeling and DLP policies instead of adding SITs one by one. Review the matches first: a classifier that fires on the wrong document type will generate false positives across every policy that uses it.


What else should be considered when defining your data during Phase 1? 

Industry Regulatory Requirements and Internal Company Policies 

Now it is time to get specific: what are the rules and regulations the customer’s specific industry is subjected to?  

In addition, take into account the company’s internal policies and practices, and any company values or habits that contribute to protecting (or, on the contrary, put at risk) their confidential information.

Data Access Management, Workflows & Processes 

Finally, before you can adequately plan the protection settings, you’ll need to have a general idea of how the data is internally and externally shared. Ideally this would be mapped out but as a start, simply learn the basics: who shares what, with whom, and from where? Are there restrictions or simply limitations? Are processes enforced or simply encouraged? Every company will be different. 

 

Phase Two: Protect Your Data

As mentioned earlier, the main components for protecting your data are:

  • Sensitivity labels, which classify content and can apply encryption that travels with the item, so the protection holds at rest, in transit and after the file leaves the tenant

  • DLP policies, which restrict data leakage

In addition, you can mention Microsoft Purview Message Encryption (formerly Office 365 Message Encryption, OME), which focuses on Exchange Online and can be used with very little user interaction, for example by automatically encrypting all internal or all external messages based on their content via mail flow rules.

Also, if the organization has on-premises infrastructure, you can consider other features such as DKE (Double Key Encryption), the RMS connector (Microsoft Rights Management) or the Microsoft Purview Information Protection scanner.

These extend Purview capabilities to the local environment, but they do different jobs: the scanner discovers and labels files on on-premises file shares and SharePoint Server; the RMS connector lets on-premises Exchange and SharePoint servers use Azure RMS protection; and DKE gives the customer greater control over the encryption key by keeping one of the two keys on infrastructure they operate. Reserve DKE for the small subset of highest-sensitivity content: content protected with DKE cannot be searched, indexed for eDiscovery or co-authored by Microsoft 365 services, because the cloud never holds the second key.
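Here is what the sensitivity label side of this phase looks like when scripted, as an added example that is not part of the original article. It creates one encrypting label, publishes it to everyone and sets it as the default. The label names, the group address and the policy name are placeholders; it assumes a Security & Compliance PowerShell session (Connect-IPPSSession) is already open with a compliance role.

```powershell
# Added example (not from the original article). Assumes Connect-IPPSSession
# has already been run as a Compliance Administrator. Group address, label
# and policy names are constructed placeholders.
$staffGroup = 'AllStaff@contoso.onmicrosoft.com'   # assumption: a mail-enabled group holding all employees

# Label "Confidential - Internal": encryption enabled, all staff may view and
# edit, nobody gets PRINT, EXTRACT or FORWARD because those rights are simply
# not granted. Rights are enforced by the label, not by where the file sits.
# Note the ${...}/$(...) form: "$staffGroup:VIEW" would be parsed by PowerShell
# as a scope-qualified variable and silently expand to nothing.
New-Label -Name 'Confidential-Internal' `
    -DisplayName 'Confidential - Internal' `
    -Tooltip 'Encrypted. Readable and editable by staff only; no print, export or forward.' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "$($staffGroup):VIEW,VIEWRIGHTSDATA,EDIT,DOCEDIT,OBJMODEL" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7   # cached use-licence lifetime; after this the client must re-check rights

# Publish the label so it appears in Office apps for all mailboxes, then make
# it the default and require a justification when someone downgrades it.
New-LabelPolicy -Name 'Default-label-policy' `
    -Labels 'Confidential-Internal' `
    -ExchangeLocation All

$labelGuid = (Get-Label -Identity 'Confidential-Internal').Guid
Set-LabelPolicy -Identity 'Default-label-policy' -AdvancedSettings @{
    DefaultLabelId                = $labelGuid
    RequireDowngradeJustification = 'True'
}

# Verify what was actually created before handing it to the customer.
Get-Label -Identity 'Confidential-Internal' |
    Select-Object Name, EncryptionEnabled, EncryptionRightsDefinitions, EncryptionOfflineAccessDays
Get-LabelPolicy -Identity 'Default-label-policy' | Select-Object Name, Labels, ExchangeLocation
```

Two practical checks before calling this done: open a labeled document as a user outside the group to confirm access is denied rather than merely warned about, and allow time for the policy to replicate to clients, since a freshly published label can take a while to show up in Office.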

 

Phase Three: Prevent Data Loss

At this point, the customer’s data is labeled, and where the label carries encryption it is protected either automatically or by user action. However, you can add another layer to prevent accidental sharing or leakage by setting up DLP policies.

These can also be set up for Teams channels and chats by creating a DLP policy in the Microsoft Purview compliance portal.

Looking at the mid to long term, this is where your customers can truly begin to practice Data Governance: by reviewing the reports of detected activity and adapting their posture by tweaking the policies over time. Start new DLP policies in test mode (with or without policy tips), look at the matches for a couple of weeks, and only then switch to enforcement; a block rule turned on blind tends to get turned off again the first time it stops the CEO’s e-mail.

Here are the different components of DLP: 

  • Purview DLP 

    • Which we just mentioned in the Compliance Center 

  • Endpoint DLP 

    • These policies are enforced on the device level and can protect data exfiltration to a 3rd party cloud storage provider, for example, or at least audit it. 

  • The list of activities supported and unsupported by Endpoint DLP on Windows 10/11 and macOS is maintained in Microsoft’s Endpoint DLP documentation; check it before promising a customer that a given action (USB copy, print, upload to a cloud site, copy to a network share) can be blocked on their platform.

  • Microsoft Purview Extension

    • A large share of web browsing happens in Chrome, and much of it goes to Google services, which Edge’s built-in enforcement does not cover. The extension extends Endpoint DLP enforcement to Chrome on the user’s device for the Chrome and Google activities listed below. Devices must first be onboarded to Endpoint DLP, and the extension itself has to be installed, either manually or managed via Intune.

    • More details about Endpoint DLP device onboarding 


    • The list of activities supported by the Microsoft Purview extension for Chrome on Windows 10 is in the Microsoft Purview extension for Google Chrome documentation.

  • Microsoft Purview Information Protection & DLP On-premises scanners 

    • With both working in tandem, the customer can achieve on-premises results analogous to the cloud discovery stage described at the start of this article.

    • Again, it is not common for SMBs to keep a local infrastructure, go through a modernization process with new cloud resources and simultaneously configure information protection across a hybrid environment, but solutions exist if needed. Unless specific business requirements prohibit it, migrating to cloud-only first will be much more efficient.
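As an added example (not code from the original article), here is the DLP policy described in this phase, built from PowerShell so it can be reviewed and reproduced across customers. It covers Exchange, SharePoint, OneDrive, Teams and onboarded devices in one policy, with one rule for cloud sharing and one for endpoint egress. It starts in test mode with notifications, as recommended above. SIT names are the real built-in ones; the policy and rule names, policy tip text and the assumption that devices are already onboarded are mine, and it assumes an open Connect-IPPSSession with a compliance role.

```powershell
# Added example (not from the original article). Assumes Connect-IPPSSession
# has already been run as a Compliance Administrator and that devices are
# onboarded to Endpoint DLP. Policy/rule names and tip text are placeholders.

# One policy, all workloads. Mode TestWithNotifications = users see policy
# tips and admins get reports, but nothing is blocked yet.
New-DlpCompliancePolicy -Name 'Financial-data-protection' `
    -Comment 'Credit card and banking data: block external sharing and device egress' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Rule 1 (cloud workloads): content with a card number or IBAN that is shared
# with people outside the organization is blocked; the owner and last editor
# are notified and may override with a justification (so the override is
# logged and can be reviewed in the DLP reports).
New-DlpComplianceRule -Name 'Block-external-share-of-financial-data' `
    -Policy 'Financial-data-protection' `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number'; minCount = '1' },
        @{ Name = 'International Banking Account Number (IBAN)'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser 'Owner', 'LastModifier' `
    -NotifyPolicyTipCustomText 'This item contains financial data and cannot be shared outside the company.' `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport 'SiteAdmin' `
    -ReportSeverityLevel High

# Rule 2 (endpoints): the same content cannot be uploaded to non-allowed cloud
# services; copies to removable media are audited only, so you can see the
# volume before deciding whether to block that too.
New-DlpComplianceRule -Name 'Restrict-endpoint-egress-of-financial-data' `
    -Policy 'Financial-data-protection' `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number'; minCount = '1' },
        @{ Name = 'International Banking Account Number (IBAN)'; minCount = '1' }
    ) `
    -EndpointDlpRestrictions @(
        @{ Setting = 'CloudEgress';    Value = 'Block' },
        @{ Setting = 'RemovableMedia'; Value = 'Audit' }
    ) `
    -NotifyUser 'Owner' `
    -ReportSeverityLevel Medium

# Review what was created, then flip to enforcement once the test-mode
# reports look right: Set-DlpCompliancePolicy -Identity ... -Mode Enable
Get-DlpCompliancePolicy -Identity 'Financial-data-protection' |
    Select-Object Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation, EndpointDlpLocation
Get-DlpComplianceRule -Policy 'Financial-data-protection' |
    Select-Object Name, BlockAccess, AccessScope, NotifyAllowOverride, ReportSeverityLevel
```

Keep the two rules separate even though they share conditions: the cloud rule's AccessScope and BlockAccess have no meaning on a device, and the endpoint restrictions have no meaning in Exchange, so splitting them keeps each rule's behaviour obvious when someone reads it back six months later.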


Licensing requirements 

Now that you know the three stages of Purview, which licenses will be required to complete them? With Microsoft 365 E5 you will be able to take advantage of all the features in Microsoft Purview Information Protection.

Microsoft 365 Business Premium supports many of the features as well, but some are not included; auto-labeling and DLP for Teams, for example, are not available there. Check the feature-by-feature licensing guidance before promising a capability to a Business Premium customer.
 

Purview is complex, and no two companies are the same. For some added ease, all the licensing information regarding Microsoft Security & Compliance services are available in this Microsoft doc. If you have any questions or if your customers are looking for help with creating their framework, please feel free to reach out! 
 
Did we answer all of your questions? If not, we want to hear from you. Leave a comment below or reach out to me on LinkedIn. 
