Connect to and manage ChatGPT Enterprise AI interactions in Microsoft Purview (preview)

2025-07-14

This article outlines how to register ChatGPT Enterprise workspaces as a data source in Microsoft Purview. This connector allows you to discover and govern interactions with ChatGPT Enterprise AI across your organization.

Important

Beginning in May 2025, any scans run are subject to the new Microsoft Purview billing model. Be sure to enable pay-as-you-go billing in your organization.

Find more information about how Microsoft Purview solutions support AI interactions with ChatGPT Enterprise.

Supported capabilities

Choose to scan all user interactions from the current date or pick a specific start date from past when configuring your scan.

Metadata Extraction	Full Scan	Incremental Scan	Scoped Scan	Classification	Labeling	Access Policy	Lineage	Data Sharing	Live view
Yes	Yes	Yes	No	Yes	No	No	No	No	No

When scanning ChatGPT Enterprise sources, Microsoft Purview supports:

Extracting technical metadata including:
Text prompts
Text responses

Prerequisites

An Azure account with an active subscription.
An active Enterprise Microsoft Purview account.
- If you create a classic Microsoft Purview instance for the first time in your organization, the instance is automatically upgraded to the enterprise version of Microsoft Purview.
Data Source Administrator and Data Reader permissions must be assigned to register a source and manage it in the Microsoft Purview governance portal.
A ChatGPT Enterprise plan.
Have pay-as-you-go billing enabled in your organization.
Have a collection policy allowing for the ingestion of prompts and responses. There are two ways you can set up the policy:
- Set up a one-click policy to capture interactions for enterprise AI apps.
- Set up a collection policy for enterprise AI apps in Microsoft Purview Data Loss Prevention.

Required permissions for scan

Your organization must set permissions for the Microsoft Purview API used by the third party connector. The Microsoft Purview application permission Purview.ProcessConversationMessages.All and the Graph permission User.Read.All will be granted to the Microsoft Purview resource service principal.

Complete the following steps to assign the Microsoft Purview API permissions using Microsoft Graph PowerShell:

Get the friendly name for your Microsoft Purview resource from the Azure portal. Search for Microsoft Purview in the search bar, and select Microsoft Purview accounts from the search results.
Select your Microsoft Purview account and copy the resource name.
Assign Microsoft Purview API roles to your managed identity application using the Microsoft Graph PowerShell module. In portal.azure.com, open PowerShell and run Connect-MgGraph and sign in.

Run the following PowerShell script to add the required permissions. Be sure to modify the variable on the first line to contain the friendly name of the Microsoft Purview resource.

$purviewFriendlyName = "**UPDATE TO THE RESOURCE NAME FROM STEP ONE**"
$purviewObjectId = (Get-MgServicePrincipal -Filter "displayName eq '$purviewFriendlyName'").id
$msGraphServicePrincipalId = (Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'").id

$purviewApiServicePrincipalId = (Get-MgServicePrincipal -Filter "AppId eq '9ec59623-ce40-4dc8-a635-ed0275b5d58a'").Id

# Add Purview.ProcessConversationMessages.All (a4543e1f-6e5d-4ec9-a54a-f3b8c156163f) to the Purview resource
$bodyParam= @{
"PrincipalId"= "{$purviewObjectId}" 
"ResourceId" = "{$purviewApiServicePrincipalId}"
"AppRoleId" = "{a4543e1f-6e5d-4ec9-a54a-f3b8c156163f}"
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "{$purviewObjectId}" -BodyParameter $bodyParam

# Add User.Read.All (df021288-bdef-4463-88db-98f22de89214) to the Purview resource
$bodyParam = @{
"PrincipalId"= "{$purviewObjectId}"
"ResourceId" = "{$msGraphServicePrincipalId}"
"AppRoleId" = "{df021288-bdef-4463-88db-98f22de89214}"
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "{$purviewObjectId}" -BodyParameter $bodyParam

You must also add the necessary permission for other Microsoft Purview solutions used as a part of this scanning:

Microsoft Purview uses the OAuth 2.0 protocol for accessing ChatGPT Enterprise workspaces. Set up the credential by following the instruction in the Scan section later in this article.

Register

This section describes how to register a ChatGPT Enterprise workspace in Microsoft Purview using the Microsoft Purview governance portal.

Complete the following steps to register:

Open the Azure portal and complete the following steps:
1. Search for Key Vault to create/manage the secret to use for this connector.
2. Create a Key Vault.
3. Grant role assignments to your Key Vault. Assign Key Vault administrators and Key Vault secret users for the required members. For other roles, check the Key Vault roles in the Required permissions section.
4. Create a secret for your Key Vault.
5. For your Key Vault, assign access policy.
Open the Microsoft Purview governance portal and complete the following steps:
1. Search for Microsoft Purview accounts, select the account you want to use and select Open Microsoft Purview governance portal.
2. Select Data Map in left navigation and select the Data source.
3. Select Register data source.
4. On register sources, select ChatGPT Enterprise and select Continue.
Open the ChatGPT Enterprise register source and complete the following steps:
1. Enter a name for the data source within the catalog.
2. Enter the WorkspaceID for your Enterprise workspace.
3. Select a domain and collection.
4. Select Register.
Open the Microsoft Purview portal and complete the following steps:
1. Select Source management under Data Map, and select Credentials.
2. Select New.
3. Create and manage credentials for scans in Microsoft Purview Data Map
4. Enter the name, description, and select the domain.
5. For authentication method, select API key.
6. For Key Vault connection, select the Azure key vault created for ChatGPT Enterprise.
7. Enter the secret name and secret version.

Scan

Complete the following steps to scan a ChatGPT Enterprise workspace to automatically identify messages. For more information about scanning in general, see our introduction to scans and ingestion.

Navigate to Sources.
Select the registered ChatGPT Enterprise workspace.
Select New scan and complete the following:
1. Name: The name of the scan.
2. Capture data since: Select if the scan should capture data from the current date of the new scan or choose a specific date from the past.
3. Credential: Select the credential mapping to the correct Key Vault for this connector.
4. Domain: Select a domain from the existing list or choose default domain.
5. Collection: Select a collection from your domain.
Select Test connection to ensure the connection is established successfully. Select Continue.
Review your scan and select Save and Run.

For future scans, we recommend running an incremental scan. Avoid creating a new scan to avoid duplicate ingestion of data.

View scans

To view existing scans, complete the following steps:

Open the Microsoft Purview portal and select Data Map.
Select the data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.
Select the scan that has results you want to view. The pane shows you all the previous scans, along with the status and metrics for each scan.
Select the scan ID to check the scan details. During scanning, the organization is considered an asset, but isn't classified. The number of assets classified in the scan details are always one less than the number of assets ingested.
Review added data to Microsoft Purview in Data Security Posture Management (DSPM) for AI.
1. View analytics for AI interactions, sensitive data, and insider risk in DSPM for AI reports.
2. View the AI interactions for prompts and responses in Activity explorer.
3. View the sensitive info type data identified in prompts and responses in Activity explorer. \

Use other Microsoft Purview solutions with this data: