Where to start with Microsoft Purview

Microsoft Purview brings together data security, data governance, and data compliance solutions in a unified platform, the Microsoft Purview portal. These solutions share capabilities, exchange signals, and reinforce each other to give your organization comprehensive visibility and control over its data.

But with its breadth of solutions and capabilities, it can be hard to know where to begin with Purview. There's no single path that works for every organization because priorities differ based on your industry, regulatory requirements, and how far along you are in your AI adoption. However, most organizations follow a similar progression:

  1. Discover and understand your data: Find out what data you have, where it lives, and how much of it is sensitive.
  2. Protect your sensitive data: Apply labels, encryption, and policies to prevent data loss.
  3. Govern your data estate: Catalog your assets, ensure data quality, and establish accountability.
  4. Control access and user behavior: Make sure users can only reach the data they need and that they interact with it safely.
  5. Secure AI interactions: Extend your protections and compliance controls to Copilot, agents, and other AI apps.

This article walks through each stage and explains which Purview solutions apply, how they connect, and where to start.

Tip: Before you begin configuring solutions, make sure the right people in your organization have the roles and permissions they need. Most exploration tasks, like viewing Data Security Posture Management dashboards, require only reader roles.

Discover and understand your data

Before you can protect or govern anything, you need to know what data you have and identify which data is sensitive. Discovery is the foundation for every other stage, and Purview provides several ways to build that picture.

Assess your data security posture

Data Security Posture Management (DSPM) brings together signals from across Purview to give you a unified view of sensitive data risks. DSPM helps you discover where sensitive data lives, identify oversharing risks, and get personalized recommendations for remediation. If your organization uses AI apps, DSPM provides extra visibility into how AI interacts with your data.

DSPM is a good starting point if you want a single dashboard that shows what needs attention first.

Classify sensitive data

Sensitive information types and trainable classifiers identify sensitive items across your Microsoft 365 environment by using pattern matching, machine learning, or examples of data you provide. These classifiers are shared across Purview, so a sensitive information type you configure here is also available to Data Loss Prevention policies, Insider Risk Management, Communication Compliance, and data classification reports.

Data classification provides dashboards and explorers that show how data is classified and used across your organization. Use activity explorer to see how users interact with sensitive data, including labeling activity and AI interactions.

To learn more, see Get started with data classification.

Scan and catalog data assets

Data Map scans your data sources and multicloud environments to capture metadata about your data assets. This process creates a comprehensive inventory that spans your entire data estate and feeds the Unified Catalog, where data owners and stewards curate data products and data consumers discover trusted datasets. Data Map and Purview share data to support various shared capabilities, as detailed in How data flows in Microsoft Purview.

To learn more, see Plan for data governance.

Protect your sensitive data

After you understand what sensitive data you have and where it lives, the next step is to apply protections. Purview data security solutions work together to protect data throughout its lifecycle.

Apply sensitivity labels

Sensitivity labels are the foundational protection mechanism in Purview. Labels provide visibility into the sensitivity of data and can apply encryption, access restrictions, and visual markings. When you apply a label to a document or email, the protection travels with the content wherever it goes - across services, devices, and into AI interactions.

Many solutions use sensitivity labels. Data Loss Prevention enforces them, AI apps honor them, Microsoft Purview Audit logs capture them, Microsoft Purview eDiscovery makes them searchable, and DSPM makes them visible. When you define and apply your labels, you build the foundation for protections that extend across the entire platform.

To learn more, see Get started with sensitivity labels.

Prevent data loss

Data Loss Prevention (DLP) policies monitor for sensitive information across Microsoft 365 services and endpoints. In a DLP policy, you define the sensitive information to monitor, the locations to monitor, the conditions that must be matched, and the actions to take when a match is found. DLP uses the same classifiers and sensitivity labels that other solutions rely on, so your protection policies are consistent across the platform.

To learn more, see Learn about data loss prevention.

Manage data retention and deletion

Data Lifecycle Management provides retention and deletion policies that help you keep content you need and delete content you don't. Retaining data often addresses compliance and regulatory requirements. Deleting data that no longer has business value reduces your exposure to cyberattacks and data breaches. These policies apply across Exchange, SharePoint, OneDrive, Teams, and other Microsoft 365 services.

To learn more, see Get started with data lifecycle management.

Govern your data estate

With sensitive data protected, your organization can focus on making sure all data is well-organized, trustworthy, and accessible to the right people. Purview data governance solutions help your organization establish a federated governance model where a central data office sets the rules and domain experts manage the data they know best.

Curate data in Unified Catalog

Unified Catalog is a searchable catalog powered by the metadata captured in Data Map. Data owners and stewards use it to curate data products, manage data quality, and grant access to data consumers. Data consumers discover trusted datasets through a self-service experience with natural language search.

Governance domains organize data products and business concepts to make data easier to find and use. Built-in data quality capabilities help data owners measure and improve the health of their data, which is especially important in the era of AI because AI systems that ingest trusted, high-quality data produce more accurate and reliable results.

How governance supports security and compliance

Governance and security complement each other. Data governance helps you understand what data you have and where it lives. Data security helps you protect that data. For example, when Data Map identifies sensitive data sources, your security team can prioritize applying sensitivity labels and DLP policies to those sources.

Governance also supports compliance. Data lineage capabilities in Unified Catalog help you see the relationships between data products and their sources, which is useful for responding to regulatory inquiries and demonstrating compliance.

To learn more, see Plan for data governance and Get started with data governance.

Control access and user behavior

Protecting data and governing data assets addresses the data itself. But you also need to make sure that people interact with data in safe, secure, and compliant ways. Purview provides several solutions that monitor user behavior, enforce access boundaries, and help you respond to incidents.

Detect and act on insider risks

Insider Risk Management identifies potentially risky user activities by correlating signals from Microsoft 365 and third-party sources. It can detect behaviors such as unusual data downloads, sensitive data sharing, and risky AI usage patterns. Insights from insider risk signals are integrated into Microsoft Defender XDR for a comprehensive view of security threats.

To learn more, see Learn about insider risk management.

Restrict communication and collaboration

Information Barriers restrict two-way communication and collaboration between groups and users in Teams, SharePoint, and OneDrive. Often used in highly regulated industries, Microsoft Purview Information Barriers help avoid conflicts of interest and safeguard internal information between users and organizational areas.

To learn more, see Learn about information barriers.

Limit privileged access

Privileged Access Management helps protect your organization by limiting standing access to sensitive data or critical configuration settings. Instead of administrators having constant access, just-in-time access rules are implemented for tasks that need elevated permissions.

To learn more, see Learn about privileged access management.

Monitor organizational activity

Audit captures, records, and retains user and admin activities across Microsoft 365 services. Audit logs are essential for security investigations, compliance obligations, and forensic analysis. Audit records include AI interactions, such as user prompts and responses with Copilot and other AI apps.

To learn more, see Get started with auditing solutions.

Detect inappropriate communications

Communication Compliance monitors email and Teams communications for regulatory violations, harassment, threats, and inappropriate sharing of sensitive information. You can also set policies to monitor interactions with generative AI apps.

For more information, see Learn about communication compliance.

Investigate data security incidents

Data Security Investigations uses generative AI to help your security team analyze and respond to data security incidents, identify risks from sensitive data exposure, and collaborate more effectively on remediation.

Meet regulatory requirements

Compliance Manager helps your organization assess its compliance posture against more than 360 industry and regional regulatory standards. It provides risk-based scoring, improvement actions, and prebuilt assessment templates, including templates for AI regulations.

eDiscovery helps your organization identify, collect, preserve, and export electronic information for legal cases and regulatory investigations. Records Management helps declare content as records or regulatory records, manage retention schedules, and conduct disposition reviews with proof of deletion.

For more information, see Get started with data compliance solutions.

Secure AI interactions

The rapid adoption of generative AI adds a new dimension to every stage described in this article. AI apps can surface content faster and at greater scale, which amplifies the risk of oversharing and sensitive data leakage. Purview provides data security and compliance capabilities for AI that span Copilot experiences and agents, enterprise AI apps, and other AI apps.

The protections you built in earlier stages carry forward into AI scenarios:

  • Sensitivity labels applied to content are honored by AI apps. If a user doesn't have permission to access data, AI apps don't return that data. Users must have the EXTRACT usage right, as well as VIEW, for AI apps to return labeled, encrypted data.

  • DLP policies can block sensitive information from being shared with third-party AI apps. Endpoint DLP policies can warn or block users from pasting sensitive data into AI sites accessed through a browser.

  • Insider Risk Management includes a risky AI usage policy template that can detect prompt injection attacks and attempts to access protected materials.

  • DSPM provides visibility into how AI is used across your organization, surfaces AI-specific risks, and offers one-click policies to address them.

  • Audit captures user prompts and AI responses, and these records flow into activity explorer for monitoring and analysis.

  • Communication Compliance can monitor AI-generated communications for regulatory violations.

  • Retention policies from Data Lifecycle Management apply to AI interaction data, ensuring it's kept for the required period and then deleted.

  • Compliance Manager provides assessment templates specifically for AI regulations.

  • Data governance ensures the data feeding your AI apps is high quality, well-curated, and trustworthy, so AI systems produce accurate and reliable results.

To learn more, see Microsoft Purview data security and compliance for AI.

Shared capabilities across solutions

Purview solutions work well together because they share a common foundation of capabilities. When you configure these capabilities in one solution, they're available everywhere:

| Shared capability | How it's used |
|---|---|
| Classifiers (sensitive information types and trainable classifiers) | Used by DLP, Information Protection, Insider Risk Management, Communication Compliance, and data classification reports. Define once, use everywhere. |
| Sensitivity labels | Applied by Information Protection, enforced by DLP, honored by AI apps, captured by Audit, searchable in eDiscovery, and visible in DSPM. |
| Connectors | Bring third-party data into Microsoft 365 for compliance, governance, and security scenarios. |
| Activity explorer | Surfaces user and admin activities related to sensitive data, labeling, and AI interactions across solutions. |

Iterate and improve over time

Deploying Purview isn't a one-time project. The deployment guides in Microsoft Purview deployment models consistently emphasize an operational phase where you expand scope, refine policies, and act on what you learn. You don't need to get everything right upfront. Start with foundational protections and improve over time.

As your deployment matures, revisit these key areas:

  • Refine your classifiers. Start with built-in sensitive information types and expand to Exact Data Match, trainable classifiers, and document fingerprinting as you learn which detections produce false positives and which miss important content.

  • Enable Adaptive Protection. Adaptive Protection connects Insider Risk Management signals to DLP policies so that protections adjust dynamically based on user risk level. This approach reduces friction for low-risk users while applying stricter controls when risk increases.

  • Expand to new locations and workloads. Most organizations start with a subset of locations (for example, SharePoint and Exchange). Over time, expand DLP policies to endpoints, Teams chat, and third-party apps. Extend sensitivity labels retroactively to existing content using auto-labeling policies.

  • Use data security objectives. DSPM provides guided data security objectives that group relevant Purview solutions into end-to-end workflows. Each objective focuses on a specific security goal, such as preventing oversharing or data exfiltration, with prioritized actions, progress tracking, and one-click policy configuration.

The key principle is to start simple, monitor results, and expand when ready. Each improvement you make builds on the foundation you already have in place.
