Content

▪ Know Your Data

▪ Microsoft Purview Information Protection | Data Loss Prevention
▪ Microsoft Purview Data Lifecycle Management | Records Management
▪ Microsoft Purview Insider Risk | Communication Compliance
▪ Microsoft Purview eDiscovery
▪ Microsoft Copilot for Security in Purview

I published the original article of E5 Purview Phase Deployment about 2 years ago
(2022), lets call that version 1.0. So this is an updated version, let’s call this V1.1.

I’ve kept most in this new version, the core thinking of this approach, that itself has
not change, compliance and governance doesn’t change but it’s the external factors,
like regulations and new features that support the on-going trends of data security

Below are the key updates on this new version (1.1) and I’ve updated the sections
where these new features fit in.

• Name Changes (Everything is now Purview e.g. Microsoft Purview Records

Management, Microsoft Purview Data Loss Prevention)
• Insider Risk in Conditional Access (plus lots of new features)
• Adaptive Scopes
• Adaptive in DLP (in preview)
• Adaptive in Insider Risk (in preview)
• Premium eDiscovery (Premium)
• Copilot for Security for Purview
Lets begin - The two most common questions I get from customers who
have just purchased or upgraded to E5 is ‘Where do I start? What should I
turn on first?

So here is my personal guide (based on helping 100s of customers deploy Purview in

various industries) on where your E5 Purview journey should start and finish (there’s
really never a finish line).

Firstly, here’s a snapshot of what’s available in E5

A sample high level Gant chart of a Purview Project deployment of each tool.
Bear in mind this is just a sample I created to show you that each tool can be
‘enabled’ without relying on the other, some can be completed such as Phase 5
before Phase 4 or even deploy in parallel if you have the right resources to do so...

A BIGG However!! Each tool can be more enriched and data quality improved if
each one is deployed. For example, DLP enriches Insider Risks with certain policies,
Information Governance/RM can leverage sensitivity labels, DLP can leverage
Retention Labels. Information Governance helps reduced irrelevant data when doing
a Discovery search in Premium eDiscovery (AeD). So yes, you can turn them on
individually but they’re better when they’re all enabled and you see the beautiful
synergies between the tools working nicely.

So these phases are my personal take on what to turn on first… The time to deploy of
all of this varies from size of the business, number devices, staff, complexity of office
locations and regions, business priority, relevant resources from Project Managers,
Change Managers, Test Users, Business Analyst, knowledge of your M365
Techies/Security Analyst/Purview Specialist etc.

But let’s say you have these resources, here’s your to start first.

Phase 1 – Know Your Data – 75 days

Phase 2 - Microsoft Information Protection / Data Loss Prevention – 180 days

Phase 3 - Microsoft Information Governance / Records Management – 120 days

Phase 4 - Insider Risk Management | Communication Compliance – 60-90 days

Phase 5- Discovery & Respond (Premium eDiscovery) – 60 days

Phase 1 - Know Your Data – Mapping out where you data lives is a springboard to a
lot of tools.

Resources – Project Manager, Change Manager, IT (M365 Engineer), Test Users,

Pilot Users – Stakeholders (Finance, HR, Management)
In this phase, the key is essentially figuring out where you data lives and if they’re in
the appropriate locations, are these locations secure and who has access to this
location. What is data being used for? To collaborate? Are they active files or
archived files that are kept for legal reasons?

This part of your project is crucial for several reasons and one that helps you
identify the first part of Phase 2.

• What locations do we need to secure?

• Which users are accessing them?
• What tools do we need to put in place AIP / DLP?
• Is there a retention policy in-place in that location, what type of retention do
we need

We have 3 tools you can locate and identify your most confidential / secret data

• Content Explorer
• AIP Scanner (E5)
• Your own users / IT – level up your users with training, communication, and
adoption plan. Build a governance around Data Security and awareness. Your
best firewall are your users.

Firstly, you can leverage the Out of Box tool, Content Explorer. Without having to do
too much, Content explorer uses out of the box sensitive info types.

You can find Content explore in your Purview Admin, Data Classification
As you can see in the figure below, there are number out of the box Sensitive Info
Types and on the right is Files with this pattern that is detected sitting in various
location, Exchange, OneDrive and SharePoint

There are two roles that grant access to content explorer and it is granted using
the Microsoft Purview compliance portal:

• Content Explorer List viewer: Membership in this role group allows you to
see each item and its location in list view. The data classification list
viewer role has been pre-assigned to this role group.
• Content Explorer Content viewer: Membership in this role group allows you
to view the contents of each item in the list. The data classification content
viewer role has been pre-assigned to this role group.
Some customers have asked why some Sensitive Info Types exist in their
environment e.g. Polish Region Number. As the sensors detect patterns, this could be
a false positive. You can drill into this IF needed but be careful snooping into users’s
OneDrive or mailboxes so ensure you’re the correct person doing this task. But here’s
an example of a false positive-. When opening a file, it tells you how many potential
SITS this could be.
If you’re one of those that are still behind the Modern Ways of Working and still
living off Files Shares or On-Prem SharePoint servers We can help you.

AIP Scanner, we can detect, classify, and protect your important

information.

This scanner runs as a service on Windows Server and lets you discover, classify, and
protect files on the following data stores:

• UNC paths for network shares that use the SMB or NFS (Preview) protocols.
• SharePoint document libraries and folder for SharePoint Server 2019
through SharePoint Server 2013.

With the AIP Scanner, you can configure your scan as needed

• Run the scanner in discovery mode only to create reports that check to see
what happens when your files are labeled.
• Run the scanner to discover files with sensitive information, without
configuring labels that apply automatic classification.
• Run the scanner automatically to apply labels as configured.
• Define a file types list to specify specific files to scan or to exclu

There are a few steps in order to install and configure this and this is possibly the
best article to assist you, its pretty straight forward. If you have any issues enabling it,
please reach out to my team at FastTrack, Microsoft to help you onboard.
You can scan multiple File Shares or SharePoint Servers at the same time

Policy Enforcement gives you the ability to create user experience and leverage the
AI feature of base on content.

Enabling Azure Log Analytics you can built a nice reporting overview.. However, in
the past year or so, we have centralized the reports for AIP Scanner.
What you see in Purview, Activity Explorer. You can see up to 30 days data and see
how sensitive data is being handled

Phase 2 – Microsoft Information Protection (AIP/DLP) | Classify or

Encrypt

Resources – Project Manager, Change Manager, IT (M365 Engineer), Test Users,

Pilot Users – Stakeholders (Finance, HR, Management)

The heart and soul of M365 Purview, MIP. Once you start getting getting picture of
what’s happening with your data, where it lives? who uses it? what does that person
do with it? does it get shared with external parties? etc. You can start building your
Data Classification Taxonomy, meaning creating sensitivity labels that supports all
scenarios supporting what’s happening in your organisation as well based granularly
targeting information such as Sensitive Info Types (SITs) e.g. Credit Cards. Based on
your staff’s education and adoption culture etc. Some customers based their Data
Classification on Government recommendation or specific National or Global
Regulation they need to adhere to. This, most times help guide Customers in their
Data Classification Taxonomy. Other guides will be specific regulations like
ISO200701 or GDPR. To help determine where your estate is, you can leverage
Compliance Manager as starting point of building your Data Classification
Taxonomy.

Compliance Manager can help you throughout your Purview journey, from taking
inventory of your data protection risks to managing the complexities of
implementing controls, staying current with regulations and certifications, and
reporting to auditors.
Microsoft provides a default assessment in Compliance Manager for the Microsoft
365 data protection baseline. This baseline assessment has a set of controls for key
regulations and standards for data protection and general data governance. This
baseline draws elements primarily from NIST CSF (National Institute of Standards and
Technology Cybersecurity Framework) and ISO (International Organization for
Standardization), as well as from FedRAMP (Federal Risk and Authorization
Management Program) and GDPR (General Data Protection Regulation of the
European Union)

Multicloud Support in Compliance Manager

A key update is the integration of Compliance Manager to Defender for Cloud, which
allows you to assess your compliance posture across M365, Azure, Google Cloud
Platform, AWS and cloud specific guidance

As an example regulation is NIST which is a premium assessment that you can

leverage and other bunch of assessments, like Essential 8, GDPR, ISO
The Out of the box Data Protection Baselinee is a great way to get started

A more recent update is our data connectors with non-microsoft applications. This
allows you to audit your compliance against these 3rd party applications
Data Classification Taxonomy (example)

Taxonomy for Auto-Labelling. There are two way you can do Auto-labelling

Automatically apply a sensitivity label to content in Microsoft 365 - Microsoft 365

Purview | Microsoft Docs
Important Note: Please see Office App limitation article before diving into this,
the version of Office app you have installed may cause various experiences for
your users. In short, using ‘built-in’ Office labelling and having your Office to
the latest channel is our recommendation.

Manage sensitivity labels in Office apps | Microsoft Learn

When deploying Sensitivity Labels , we recommend to start small just like you would
any ‘new’ product deployment in your organisation. As we say at Microsoft, we take
the Crawl, Walk and Run phase approach or most organisation would say, Test, Pilot
and General deployment..

Crawl Phase - At this point, you probably know what you want to achieve, already
have a draft Project Plan to propose to your management team, have a Change team
in-place to help with Adoption and Communication and have 1 or 2 IT Security
Analyst identified creating the sensitivity labels. For them, this is the time to get to
the technology for your IT Security Analyst. There’s probably two phases within Crawl

· IT Security Analyst create a small PoC and only publish labels to himself and to a
few colleagues. Play around with the technology until she/he is confident who it
works, limitations, how long some labels appear in Office apps etc. Work with
Change Manager early, get them to experience what it looks like in their PC, I’m sure
at this stage, they will have more Questions humanable possible as they will be your
biggest ad

· Extend the labels to other IT folks, learn how to create and publish to a wider
team. Have your Change Team test their communication to the extended IT
colleagues, get some feedback, establish a medium where they can easily feedback
issues or changes to labels before publishing to the wider business.

• Test the different scenarios, devices, such as PC or Mobile, SharePoint,

OneDrive.
• Use dummy external accounts. Test the pre-defined accounts
• Test the various user experience, such as mandatory labelling, recommended,
access expiration etc
Test the Use Access to Content Expire feature

Test each pre-defined permission, groups, using dummy accounts. This is particularly
handy for external collaboration and mimic their user experiences.
Test the pre-defined Permissions and connect any use case scenarios and tighten any
risk that data maybe leak

Sensitivity Labels/DLP Architecture

Final thoughts – take your time in the Crawl Phase, un-pack and test all different
scenarios, get user feedback. Take advantage of the Activity Explorer, learn how to
use it and how to use it to build, change and maybe restart your Label Taxonomy. On
top of this, we will enable Data Loss Prevention to stop any Data Leakage.

Walk Phase – Now that you have most of your key IT folks on-board, your Change
Person familiar with the technology and has built a draft Change approach, your IT
folks has ironed out any issues, and you’ve built a draft version of your Data
Classification Taxonomy. Now you are ready to bring in your Pilot users from the
Business. The length on this phase depends on how much worked you’ve done
during your Crawl phase and how confident you are bringing folks from the business
and able to articulate this technology and the need for it. You still need to leave a lot
of room for feedback, leverage the Activity Explorer and use that as a reference for
any changes. The feedback will give you an opportunity to scale and take advantage
of the AI features such as use of Auto-Labelling whether its Client Side (when users
edit, reply or fwd documents and emails) or Service Side labelling (Data at Rest, EXO,
SPO, ODfB), if during your Walk Phase you’ve determine that users are not labelling
documents, you have features that can help you from Mandatory Labelling or Auto-
Labelling.
 These Pilot users are key personnel across your Business Estate, from HR to Finance
to Management and Collaboration Leads, owners of key SharePoint sites or Teams
that houses sensitive information shared internally or externally. These folks will be
your advocate for this change and give you the positive marketing you need to
deploy during your ‘Run Phase’. The Walk is also the phase when you will create your
final detailed Project Plan before proposing your implementation plan to
management So you need key resources, budget, materials for education and
adoption, backup plans and risk mitigations in place at this stage.

Run….RUNNNNN!!!

At this point, you’re ready to publish all your Sensitivity Labels to all your users. Bear
in mind, it takes about 24-48hrs for to appear. So before sending communication
that ‘you will be deploying by xxdatexx, ensure that you do publish it 24hrs before
the date you say it will appear.I would imagine that your IT folk/Change team would
build the Label Description so this will appear in the Description when hovering over
Labels seen below. Also for added guidance, you can create a guide and put this on a
SharePoint site that all your users can access, when publishing the label, you should
see this section to include a link

Added Guidance, you can added a page with a detailed description and allow users
to click on ‘Learn More’ when expanding the Sensitivity Labels in Office apps
The Run phase doesn’t mean it’s the end of your MIP journey, this is just the
beginning, the framework is scalable and you need to look at the bigger picture of
your entire data estate

Trainable Classifiers

Trainable classifiers is a component of Purview that is design to help orgs customised

their own sensitivity labels based on specific, repeatable content.

Timeline

The
The way this works is that you first have to present it with many samples of the type of
content that are in the category. This feeding of samples to the trainable classifier is known
as seeding. Seed content is selected by a human and is judged to represent the category of
content.

Data Loss Prevention

Resources – Project Manager, Change Manager, IT (M365 Engineer), Test Users,

Pilot Users

So a question I commonly get asked. Do I need enable Data Loss Prevention (DLP) If
I’ve already implemented Information Protection (sensitivity labels) to control who
has access to my data ?? Simple Answer…. YES!!! And I’m not just saying that because
I work for Microsoft, is because if you care about your sensitive data, I highly
recommend it! We are humans, we make mistakes, we forget, we lose things, just like
we may accidental press send or copy or upload secret information, who hasn’t
texted or emailed people accidentally? I sure have! DLP reduces those risk and
technology helps us humans.

A feature part of the Microsoft Information Protection Framework , Data Loss

Prevention (DLP). Similarly with Information Protection (Sensitivity Labels), DLP can
leverage the built in Sensitive Info Types that is ready to use without having to do
much leg work. Though, we recommend following the same approach of Crawl,
Walk and Run approach. DLP can also leverage Sensitivity Labels but not a pre-req.
So you can start implementing DLP in parallel with deploying Data Classification
(Phase 1). I have seen some customers enable DLP without deploying Phase 1 but
this is on leveraging SITs and not Sensitivity Labels

In a nutshell, to further protect your important data, reducing the risk and preventing
users accidentally sharing information with others that shouldn’t have access to it, we
leverage DLP.

When creating your DLP policy, we have categorized the different Sensitive Info
Types based on Industry or regulation to help you find the right Info type for you.
The custom category helps you build your own Policy
 When creating a DLP Policy, you can choose the locations you want to apply the
policy. Picking what location gives you different Conditions in the following section of
Policy Settings. Bear in mind, the list you’re seeing is an E5 license customer
Note. For EndPoint DLP you need to onboard the devices in Microsoft 365

Onboard Windows 10 or Windows 11 devices into Microsoft 365 overview -

Microsoft 365 Purview | Microsoft Docs

Most recently, a lot of our Exchange DLP Rules has been DLMrated to the DLP Policy,
as seen below. This allows for granular support for protecting your sensitive
information based on a number of conditions in Exchange/Email
As seen below, you can leverage Sensitive Info Types, Labels or Retention Labels (we’ll
get to that next) when trying to put a DLP policy on your collaboration tools like
SharePoint or OneDrive.
Just like Information Protection, you can leverage the Activity Explorer. Drill down on
the Alerts and activities. Use the ‘Test’ Mode to assess the policies you’ve created and
see if they’re working or tweak if you’re not seeing the DLP you’re after

Turn on Test Mode first before Turning it on.

Key Update

Adaptive Protection in Data Loss Prevention (Preview)

This has been in preview for a few months now but a game changer with Insider Risk
using UEBA to interact and activate DLP

Adaptive Protection in Microsoft Purview integrates Microsoft Purview Insider Risk

Management with Microsoft Purview Data Loss Prevention (DLP). When insider risk
identifies a user who is engaging in risky behaviour, they are dynamically assigned to
a inside risk level. Then adaptive protection can automatically create a DLP policy to
help protect the organization against the risky behaviour that's associated with that
inside risk level. As users insider risk levels change in insider risk management, the
DLP policies applied to users can adjust.

You can manually create DLP policies that help protect against risky behaviours that
insider risk identifies too.

To enable it
These risk levels have built-in risk level definitions, but these definitions can be
customized as needed:

• Elevated risk level: This is the highest risk level. It includes built-in definitions
for users with high severity alerts, users with at least three sequence insights
that each have a high severity alert for specific risk activities, or one or more
confirmed high severity alerts.
• Moderate risk level: The medium risk level includes built-in definitions for
users with medium severity alerts or users with at least two data exfiltration
activities with high severity scores.
• Minor risk level: The lowest risk level includes built-in definitions for users with
low severity alerts or users with at least one data exfiltration activity with a
high severity score.

For a risk level to be assigned to a user, the number of insights and the severity
assigned to the activity need to match the definition for the risk level. The number of
activities for an insight may be a single activity or multiple activities accruing to the
single insight. The number of insights are evaluated for the risk level definition, not
the number of activities contained in an insight.
Phase 3 - Microsoft Information Governance (DLM) / Records Management (RM)

Key update on DLM/RM

• Retention for Copilot Interaction

 • Adaptive Scope
• Admin Unit

This is probably where most customers I meet find challenging. When a customer 1.
Unsure which regulation to follow 2. Doesn’t have a dedicated internal Data
Governance Expert, this workload tends to be put in the back burner or done very
slowly, like a couple of years slow. So my personal suggestion, before shouting we
need to this! Find someone that knows about what regulation you are trying to
adhere to, whether is ISO vs NIST or something regional or government directed. In
Australia, each state would have their own set of regulation for local governments for
example in Victoria is VDPDSF.

Resources - Project Manager, Change Manager, IT (M365 Engineer), Test Users,

Pilot Users

So where does Data Lifecycle Management DLM/Records Management RM fit into all
M365 Purview Story? It’s simple, imagine your mum or dad, being a hoarder of
books, years and years of collection shoved into a room. Not categorised, some read,
some not. She/he had ONE RULE, she will not throw any books away. 10-15-20 years
passes by. So in those years, a few things inevitably will happen

• The room gets filled to the ceiling and there’s just no more space
• She/he decides to look for a book in the room and out of all the thousands of
book, can’t find it?
 • The landlord decides to kick sell the house and now what? Where / which
ones do you take with you to the new house? You’ll be there for weeks and
months trying to figure that out
• Sometimes you may even throw a book or two to make space (in real world
this could be sensitive information)

Now imagine you had a tool that helps you retain, delete (then confirms) if you really
want to move it, categorises, and puts a lifecycle on each location your
book?…Imagine that!? Wallah…. There’s your analogy with you keeping every data
for years from your mailboxes, SharePoint, OneDrive, Teams, Viva Engage, file shares
without any data lifecycle it could get messy. DLM/RM helps you put retention labels
and retention policies in place. These labels can also be leveraged by other tools
such as DLP and Premium eDiscovery (will get to that soon). DLM/RM also helps you
comply with certain regulations/law within your country about data retention

Microsoft Information Governance (DLM) provides capabilities to manage the

lifecycle of your content and govern your data for Purview or regulatory
requirements. Records management (RM) manages high-value content for legal,
business, or regulatory obligations, and adds advanced capabilities such as
disposition review and file plans
Just like the first two phases, we follow the Crawl, Walk and Run approach. Start
simple, with your Crawl, test the technology and extend your testing group. In some
cases with DLM/RM, you need to bring in colleagues that know what regulations that
your company needs to comply with, this will structure what File Plan, Label Policies
and Retention policies you need to create.

Walk phase is when you really start feeling comfortable with the technology and start
leveraging the Advanced Solutions, leveraging Sensitivity Labels and the built in
Sensitive Info Types (SITs)

Common Scenarios
Lets quickly create a retention policy and see what new options we get these days

Type in the name

• Admin Units are Entra ID specifics to Users, Groups and Devices which we
previously didn’t have in the old article
• Adaptive scope was still at the very stages of Preview.

• One of the latest feature is our retention scope for Teams and Copilot
Interaction
This is the part I love, I call this the automatic vacuum option. You just schedule it
and woolah, dirt is gone!

I won’t go deeper in terms of the difference between DLM vs Records Management.

But here is an article I wrote which I’ve also just updated. It goes deep dive on when
to you DLM or Records Management

Phase 4 and 5 somewhat go hand and hand, internal threat to potentially creating a
case in Premium eDiscovery if you deem that threat is

suitable be put through an official legal case

Phase 4 – Microsoft Purview Insider Risk Management (IRM)/Communication
Compliance

Resources – HR, Legal, Management Stakeholders, Project Manager, Change

Team, SOC Analyst.

IRM I think has had the most updates in the past couple of years. There’s been a lot
of amazing updates which its important to call out here.

Key updates on:

1. Enhancements to triage and detection capabilities

2. Information type and trainable classifier exclusions
3. Integration between Insider Risk Management and Communication
Compliance
4. HR data connector capabilities
5. Forensic evidence capabilities
6. Insights for risky actions by potential high impact users
7. Improved analytics assessment insights with anomaly detection

Slightly different to our first 3 phases, these next 2 phases is focused more on your
internal risk. ‘We are so focus on external risks that we do sometimes forget that
internal risks is just as important and often not monitored’ Internal staff have more
capabilities and knowledge where your important information are located, so in actual
fact, they are sometimes more of a threat?

I’ve seen this feature enable quickly and even much earlier in the phases. You can
turn this on possibly the first 30 days upon purchasing E5 but I’m putting this on
Phase 4, as it helps enriched this product when other features are deployed like
Sensitivity Labels, DLP policies and Defender for EndPoint. These risks may include
data theft by departing employees and data leaks of information outside your
organization by accidental oversharing or malicious intent.

With Insider Risk Management, the stakeholders and resources are more involved
than other workloads. From the get go, It’s important to run a deep dive overview
with HR/Legal and management and ensure that they understand what this product
is for and what is capable of doing. This will allow them to be able to change or add
processes and build upon how the alerts are designed

Once you’ve done your overview, I recommend following the simple deployment
rule of Crawl, Walk and Run. Start small and simple as always, get to know the alerts
and how to triage these alerts, what indicators you want to enable, how to manage
alerts. Enabling the product is the easy part, like most of the Purview products. Once
you open IRM in Purview, there is a dashboard on our top recommendation feature
to enable to get going.

For organizations just getting started on their Insider Risk Management journey, or
those looking to understand data risks within their environment, an analytics
assessment is an easy way to start. Within 48 hours of turning on analytics,
assessment results will provide aggregated and anonymized insights into how your
data is being accessed, shared, or exfiltrated. The results from analytics can help in
establishing a data risk baseline for your organization and can be used to help you
build or fine-tune your Insider Risk Management or data loss protection policies.

One of the first recommendation suggest to setup the insider risk settings. Your first
decision is to keep the users anonymous or not. This is key decision as HR may not
want to allow IT to see names of their colleagues or those what are looking at reports
that maybe outside of HR, you may not want them to see colleague’s names for
compliance reasons – rest of the setting explanation is found here

Secondly, decisions on what type of indicators you feel its important. This section
relies on your knowledge of where your sensitive information is located, access that
your users also may have, the ability to download or share will test your access
governance to these collaboration products. So this may be a good time to also
assess this.
The last setting I think its important is that you can now collate all the IRM alerts into
XDR

For all the other settings explained. You can find them here. They’re all important to
get to know and decide whether you want to enable them or not.

Learn about insider risk management settings | Microsoft Learn

Once you start creating your first policy you will notice two key settings to enable,
These two are the HR Data Connector and Detect Activity on Devices. If you’ve
already onboarded your Windows 10/11 devices because of Defender for Endpoint
or Endpoint for DLP, then you’ve done most of the work already.
As seen below these Triggers are based on DLP policies
The next option is your indicator threshold. Sometimes, I hear customers
complaining about alert fatigue, and this has been a huge help with customers. Like
most alerts, they will come at you

One of the cool things you can do now to help you fine-tune your policies. Rather
than having go to the policy configuration wizard to modify a policy, designated
admins, investigators and analysts can now fine-tune security policies directly
from the alert review experience.
Released about a year ago, another cool addition to IRM is new priority content-
only scoring, to help security admins better detect and respond to potential user
actions that put the highest priority data at risk.

During the Crawl Phase, only include your test users, determine what you deem
important to monitor and who to monitor. The HR data connector will help
determine on-going collaboration with your HR team and determine staff who may
be leaving the company and may feel risky. Crawl Phase will also give your HR team
as chance to ensure that the process of filling out the spreadsheet gets ironed out,
your IT person who will need Azure access will need to create the HR Connector.

Here you can see the nice integration with Premium eDiscovery which will discuss
next. If you HR deems that the activities have breached internal policies and want to
escalate this and create a case. You can action this as a case and start collecting
evidence as you’ll see in the following Phase 5.
When you’ve escalated a case, this is what it looks like in Premium eDiscovery (AeD)
and you can start building the appropriate evidence

Communication Purview

Since I first released this article, this feature has gained a lot of demand. With layoffs,
mergers, internal threats, it empowered orgs to detect, triage, and remediate
communications with potential business conduct and/or regulatory compliance
violations.

Communication compliance provides the following policy templates that use

machine learning classifiers for users:

• Business conduct: Discrimination, Profanity, Threat, and Targeted harassment

classifiers
 • Regulatory compliance: Corporate sabotage, customer complaints, gifts &
entertainment, money laundering, regulatory collusion, stock manipulation,
unauthorized disclosure classifiers

How to create Policies

Learn about the alerts

Learn about the reports

Case study - Contoso quickly configures an inappropriate content policy for

Microsoft Teams, Exchange, and Yammer communications - Microsoft 365 Purview |
Microsoft Docs
Phase 5 – eDiscovery

Resources – Project Manager, Change Team, IT (M365 Engineer) , Legal / HR

and potentially 3rd party collaboration with external Lawyers

So our final Phase of your Purview Journey. YAY!!! And one of my personal favourite
and maybe cause you can pretend to be a detective, searching for clues and
evidence and even use OCR to find proof of evidence. I’ve seen this feature use nicely
in various industries, like Banks, Customer Service, Legal services, Finance, Non-
profits. So this feature isn’t industry specific, and right off the bat you may think
there’s no need for this, and that could be very true. But knowing that you have this
powerful tool available, know how to use it carefully, its very important.

Just think of the traditional ways of finding evidence say a staff is taking his or her
manager to court. The IT person in the traditional way will have to search through
gigs of mailboxes, do a scan and search in File Shares and SharePoint sites, possible
write a script or purchase a 3rd party software, it may takes months and even years
to find the right evidence you need in a case as you don’t really know where to start
or know who’s involved and even potentially breaking privacy. Premium eDiscovery
gives you that leg up with the help of Information Protection and Governance, it
enables you and empowers you to search specific areas and active data to present to
your lawyers. From a cost perspective, the more unstructured data handed over to
legal services, may sometimes cost heavily. P.s. I AINT A LAWYER!

Now, and reminder this Phase doesn’t need to be in your last Phase, if there’s a
need to use this tool such as discovery of critical information, you can go ahead
and use.

Microsoft Purview provides three eDiscovery solutions: Content search,

eDiscovery (Standard), and eDiscovery (Premium

As this article is focused on E5, we will just talk about Premium eDiscovery which you
can see, does hell of a lot more than both content search and standard eDiscovery.
To help frame the Premium eDiscovery solution it helps showing you a comparison
that this was formed to match the Electronic Discovery Reference Model (EDRM)
model. If you think of a litigation process, this is the ‘discovery’ of evidence in that
process.

So here’s the EDRM mode.

Here’s the AeD model in Microsoft 365

As you can see on that first section, the important of having Data Protection and
Data Governance in place to help this model flow nicely. Going back to Phase 3, the
analogy of having a clean room with all the wanted books retained and unwanted
books removed.
When opening a case, you can see from the tabs, it mimics that process. Starting
from the Data Sources where by setting up custodians to quickly identify and
preserve data sources with which they are associated including mailboxes, SharePoint
sites, Teams, Yammer groups, you can include additional mailboxes if needed

To begin, give your case a name, add members into the case or groups, build the
criteria and governance around search and optical recognition.
This is the suggested linear workflow

The other key feature to note as I wont detail each tab is the Settings. This gives you
the option to give specific users or teams access to a case e.g. HR or your legal team.
You’re also able to be more specific on your searches and give your case the right
information. If you’re a service that provides this, you may want to have the right
naming convention.
So how do you implement this? As always, use the Crawl, Walk and Run approach.
Most times, IT doesn’t even initiate this implementation but legal or HR reaches out
to IT. So right in the beginning your legal team is willing to collaborate and yes, this
tool is all about collaboration. IT may own the tool but the process could be entirely
your HR or Legal team.

Start simple, create a dummy Case, pull in dummy custodians, pull in dummy
sharepoint sites and Teams, follow the Tabs as that’s essentially the flow you want to
follow.

Create and manage Premium eDiscovery cases in Microsoft 365 - Microsoft 365
Purview | Microsoft Docs

Note, beware that when putting custodians or SPO sites on preservation holds, this is
essentially doubling up the sizes of those mailbox or site. So just be aware. The two
diagrams below shows what’s in blue that is being preserved. Users cannot see this,
so they will simply continue working whilst the original documents or emails are
being preserved. If they’re manipulating evidence or deleting evidence, this will all be
captured. On another note, you can see that the site of sites will be double if data is
being preserved, so think of your provisioning governance for sites, you may need to
double their sizes or request for additional storage. The power of preservation but be
careful
It’s worth mentioning the arrival of Copilot for Security in Microsoft Purview, the
AI can assist you in identifying, summarizing, triaging, and remediating alerts and
events in Microsoft Purview for:

• Microsoft Purview Data Loss Prevention (DLP)

• Microsoft Purview Insider Risk Management
• Microsoft Purview Communication Compliance
• Microsoft Purview eDiscovery

This has only been released this month April 2024, so we will continue to see a fair
bit of integration and improvement in this space by the end of the year
New Purview Portal

The Purview Portal got some make over the past few months. As this portal is fairly new and is in
its infancy stage, this will continue to integrate for more features.

Lastly, I also want to share that at Microsoft, we have an amazing Advanced

Deployment Guide that Admins can access. The guides are also done in sequence
from Purview to Identity and Security. So please also take a look at that

Advanced deployment guides for Microsoft 365 and Office 365 products - Microsoft 365
Enterprise | Microsoft Learn
Soooooo…. There you go. A Phase deployment of the Microsoft 365 E5 Purview
products I hope for our evergreen customers or existing E5 customers this guide
helps you. Just a little bit

Others features to note and not discussed here

Defender for Cloud Apps integration Integrate Microsoft Purview Information Protection -
Microsoft Defender for Cloud Apps | Microsoft Learn

Exact Data - Get started with exact data match based sensitive information types | Microsoft
Learn

Audit - Learn about auditing solutions in Microsoft Purview | Microsoft Learn

Information Barriers - Information barriers | Microsoft Learn