Configure Microsoft Purview solutions in Data Security Posture Management (DSPM) for AI for Custom AI Applications
For DSPM for AI to collect prompts and responses from your GenAI applications, and to enable the capabilities and risk analytics provided by other Microsoft Purview solutions, you must enable configuration and policies for each Microsoft Purview solution within DSPM for AI. The following table lists the solutions that need to be enabled.
Microsoft Purview Solution | Configuration | Validation |
---|---|---|
Microsoft Purview Audit | Enable Microsoft Purview Audit in DSPM for AI Overview | Audit status is enabled |
DSPM for AI | Enable KYD Policy, "Secure interactions from enterprise apps (preview)" | Policy status is "ON" |
Communication Compliance | Enable Policy, "Control Unethical Behavior in AI Policy" | Policy status is "ON" |
Insider Risk Management | Enable Policy, "Detect risky AI usage Policy" | Policy status is "ON" |
eDiscovery | No extra steps or policies needed | N/A |
Enable Microsoft Purview Audit
Microsoft Purview auditing is enabled for your organization by default, but you might want to confirm that it's turned on.
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your organization. More details on Microsoft Purview Audit
Using the DSPM for AI portal
- Browse to the Overview page of the DSPM for AI solution in Microsoft Purview.
- In the Get Started section, select "Activate Microsoft Purview Audit".
- Click Activate.
- Monitor the status until it turns green.
Create DSPM for AI One-Click Policies
You can use the View all recommendations link, or Recommendations from the navigation pane, to see all the available recommendations for your tenant. Select one of the policies below and select "create policy" to activate the policy in your tenant. After the default policies are created, you can view and edit them at any time from their respective solution areas in the portal. For example, you might want to scope the policies to specific users during testing or for business requirements, or you might want to add or remove classifiers that are used to detect sensitive information. Use the Policies page to quickly navigate to the right place in the portal, and to monitor the status of the default one-click policies and of AI-related policies from other Microsoft Purview solutions. To edit the policies, use the corresponding management solution in the portal. For example, for DSPM for AI - Unethical behavior in AI, you can review and remediate the matches from the Communication Compliance solution.
Policies for Data discovery
The policies below are created to allow DSPM for AI to collect, analyze, and display data and analytics in DSPM for AI Reports and Activity Explorer.
Create DSPM for AI - Secure interactions from enterprise apps (preview) Policy
To build on the Microsoft Purview APIs, you need to create a Microsoft Purview Know Your Data (KYD) policy. To develop and test your app, create a policy that applies to all apps, and turn on both storing prompts and responses in Microsoft Purview and detecting sensitive data. This lets you see the results of your app's calls to the Microsoft Purview APIs in the Microsoft Purview portal.
Using the DSPM for AI portal
- Browse to the Recommendations or Policies page of the DSPM for AI solution in Microsoft Purview.
- Select "Secure interactions from enterprise apps (preview)".
- Click Create policies.
- Monitor the policy until its status is "ON".
The same KYD policy can be created using PowerShell. If you have an issue with the portal for any reason, follow the instructions in Creating DSPM for AI Know Your Data (KYD) policies using PowerShell.
Create DSPM for AI - Control Unethical Behavior in AI Policy
This policy detects sensitive information in prompts and responses in AI using Microsoft Purview Communication Compliance. This policy covers all users and groups in your organization.
Microsoft Purview Communication Compliance is an insider risk solution that helps minimize communication risks by helping you detect, capture, and act on potentially inappropriate messages in your organization. Predefined and custom policies allow you to check internal and external communications for policy matches so they can be examined by designated reviewers. You can review and remediate the matches from the Communication Compliance Microsoft Purview solution. More details on Communication Compliance
Using the DSPM for AI portal
- Browse to the Recommendations or Policies page of the DSPM for AI solution in Microsoft Purview.
- Select "Control Unethical Behavior in AI".
- Click Create policies.
- Monitor the policy until its status is "ON".
Create DSPM for AI - Detect risky AI usage Policy
This policy helps calculate user risk by detecting risky prompts and responses in Microsoft 365 Copilot and other generative AI apps using Microsoft Purview Insider Risk Management Solution.
Users might inadvertently or purposefully create prompts in Microsoft AI tools that might contain sensitive information or risky intent. Additionally, AI tools might inappropriately use sensitive information to provide responses to user prompts that might expose your organization to increased risks. To help protect against these risks, this policy can help detect and enable risk scoring for these types of prompts and responses across AI tools in your organization. More Details on Insider Risk Management
Using the DSPM for AI portal
- Browse to the Recommendations or Policies page of the DSPM for AI solution in Microsoft Purview.
- Select "Detect risky AI usage".
- Click Create policies.
- Monitor the policy until its status is "ON".
Testing your Microsoft Purview DSPM for AI Configuration for your GenAI App Integration
Once all the policies are created, you should start seeing your GenAI apps' prompt and response activity, sensitive data detections, and analytics in DSPM for AI. Details on AI app integration validation can be found at Test Microsoft Purview Configuration.
Use the Reports section or the Reports page from the navigation pane to view the results of the default policies created. You need to wait at least a day for the reports to be populated. Select the categories of Microsoft Copilot Experiences and Enterprise AI apps to help you identify the specific generative AI app.
Select Activity explorer to see details of the data collected from your policies. This more detailed information includes activity type and user, date and time, AI app category and app, app accessed in, any sensitive information types, files referenced, and sensitive files referenced.
Creating DSPM for AI Know Your Data (KYD) policies using PowerShell
You can also create the Microsoft Purview Know Your Data policy using PowerShell. This is useful if you want to automate the creation of the policy, or if you aren't able to use the portal for some reason.
- Install PowerShell 7 if you haven't already. See Install PowerShell.
- Connect to Security & Compliance PowerShell.
Collection policy with Ingestion ON
With ingestion ON, the Microsoft Purview APIs store the prompts and responses in Microsoft Purview AI Interactions.
```powershell
New-FeatureConfiguration -FeatureScenario KnowYourData -Name "DSPM for AI - Collection policy for enterprise AI apps" -Mode Enable -ScenarioConfig '{"Activities": ["UploadText", "DownloadText"], "EnforcementPlanes": ["Entra"], "SensitiveTypeIds": ["All"], "IsIngestionEnabled": true}' -Locations '[{"Workload": "Applications","Location": "ee1680d0-702f-4090-b26c-c49091e86531","LocationSource":"Entra","LocationType":"Group","Inclusions": [{"Type": "Tenant","Identity": "All"}]}]'
```
Collection policy with Ingestion OFF
With ingestion OFF, the Microsoft Purview APIs won't store the prompts and responses in Microsoft Purview AI Interactions.
```powershell
Set-FeatureConfiguration "DSPM for AI - Collection policy for enterprise AI apps" -ScenarioConfig '{"Activities": ["UploadText", "DownloadText"], "EnforcementPlanes": ["Entra"], "SensitiveTypeIds": ["All"], "IsIngestionEnabled": false}'
```
Troubleshooting
You shouldn't receive any error messages when running these commands. Some common reasons you may receive errors:
The policy already exists
To resolve, remove the policy using:
```powershell
Remove-FeatureConfiguration "DSPM for AI - Collection policy for enterprise AI apps"
```
The formatting was incorrect
To resolve, try pasting into Notepad, and turning off word wrap. This command should be one continuous line.
The feature hasn't been fully enabled for the tenant, in which case it says the cmdlet doesn't exist.
To resolve, contact your Microsoft Purview contact.
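The create-or-update flow and the three failure cases above, combined into one re-runnable script. This is an added example, not Microsoft's own code; it assumes PowerShell 7, an already connected Security & Compliance PowerShell session, and that `Get-FeatureConfiguration` returns objects with a `Name` property.

```powershell
# Added example, not from the original page. Assumes PowerShell 7 and an
# already connected Security & Compliance PowerShell session.
param(
    [bool]$IngestionEnabled = $true   # $false: prompts and responses are not stored
)

$policyName = 'DSPM for AI - Collection policy for enterprise AI apps'

# Troubleshooting case 3: the cmdlet is missing until the feature is enabled.
if (-not (Get-Command New-FeatureConfiguration -ErrorAction SilentlyContinue)) {
    throw 'New-FeatureConfiguration not found: check the session and tenant enablement.'
}

# Troubleshooting case 2: build the JSON from objects so that pasted quotes or
# wrapped lines cannot corrupt it. -Compress emits one continuous line.
$scenarioConfig = [ordered]@{
    Activities         = @('UploadText', 'DownloadText')
    EnforcementPlanes  = @('Entra')
    SensitiveTypeIds   = @('All')
    IsIngestionEnabled = $IngestionEnabled
} | ConvertTo-Json -Compress

$location = [ordered]@{
    Workload       = 'Applications'
    Location       = 'ee1680d0-702f-4090-b26c-c49091e86531'   # value taken from the page
    LocationSource = 'Entra'
    LocationType   = 'Group'
    Inclusions     = @([ordered]@{ Type = 'Tenant'; Identity = 'All' })
}
# -InputObject keeps the one-element array, so the result is [{...}].
$locations = ConvertTo-Json -InputObject @($location) -Depth 5 -Compress

# Troubleshooting case 1: look for the policy first instead of failing on a duplicate.
# Assumption: returned objects expose a Name property.
$existing = Get-FeatureConfiguration -FeatureScenario KnowYourData |
    Where-Object { $_.Name -eq $policyName }

if ($existing) {
    # Policy exists: only change its scenario settings (for example the ingestion flag).
    Set-FeatureConfiguration $policyName -ScenarioConfig $scenarioConfig
} else {
    New-FeatureConfiguration -FeatureScenario KnowYourData -Name $policyName `
        -Mode Enable -ScenarioConfig $scenarioConfig -Locations $locations
}

# Read the policy back so the stored ingestion setting can be reviewed.
Get-FeatureConfiguration -FeatureScenario KnowYourData |
    Where-Object { $_.Name -eq $policyName } | Format-List
```

Run it with `-IngestionEnabled $false` to keep detection on without storing prompts and responses in Microsoft Purview AI Interactions.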