Step-by-Step Guide to Configure Microsoft Purview in Microsoft 365 and Azure


This “A-to-Z” guide covers the entire Microsoft Purview life-cycle—from license activation to automating reports in Power BI. You’ll find PowerShell commands, GUI paths, sample scripts, regulatory templates (GDPR, PCI-DSS, ENS, HIPAA) and best practices we’ve applied in real projects across banking, healthcare and the public sector.

Quick Navigation

  1. Prerequisites, Architecture and Licensing
  2. Creating and Distributing Labels (Information Protection)
  3. Data Loss Prevention: Exchange, Teams, SharePoint and Devices
  4. Endpoint DLP: Windows 11, macOS and Servers
  5. AIP / Purview On-Prem Scanner (File Servers & SharePoint 2013)
  6. Insider Risk Management: Policies, Signals and Workflows
  7. eDiscovery Premium: Hold, Review and AI Relevance
  8. Audit Standard & Premium + Sentinel Ingest
  9. Data Governance: Data Map, Glossary & Lineage
  10. Monitoring, Reporting and Automation
  11. Advanced Use Cases
  12. 30-60-90-Day Checklist

1. Prerequisites, Architecture and Licensing

1.1 Technical dependencies

  • Microsoft 365 tenant with verified domains.
  • “Compliance Administrator” and “Global Administrator” roles for setup.
  • Intune (or ConfigMgr + co-management) if you plan to use Endpoint DLP.
  • Microsoft Defender for Cloud Apps to enforce DLP on third-party SaaS (Shadow IT).
  • Hybrid network if you want to scan on-prem data with the AIP Scanner.

1.2 Recommended PowerShell modules

Install-Module ExchangeOnlineManagement     # EXO + DLP commands
Install-Module AzureAD                      # Role management
Install-Module AzureInformationProtection   # AIP / Scanner
Install-Module Microsoft.Graph.Compliance   # Purview Graph (beta)
Install-Module Az.Purview                   # Multi-cloud scanner (Data Map)

1.3 Granular licensing

If budget is tight you can mix licenses:

  • E3 + E5 Compliance Add-on: unlocks Auto-labeling, Endpoint DLP, IRM and Audit Premium.
  • Business Premium + AIP P1 Add-on: good starting point for SMBs needing manual encryption and Exchange DLP only.
  • Purview Governance SKU: billed by “capacity units” (scans/hour) for the Data Map.

2. Creating and Distributing Labels (Information Protection)

2.1 Classification methodology

  1. Inventory data: use “Content Explorer” to detect PII, PCI and secrets.
  2. Design taxonomy: no more than 5–7 easy-to-grasp levels.
  3. Map controls: Confidential ≡ encryption + external restriction; Public ≡ no encryption.

2.2 Quick creation via Portal

  1. Purview ▸ Information Protection ▸ + Create sensitivity label.
  2. Set the Scope (File & Email / Site / Group / Teams).
  3. Tick Encryption: “Only people in your organization.”
  4. Configure Content Marking: header + watermark.

2.3 Full PowerShell example (double-key label)

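# Requires the AIPService module, which provides the New-AipService* cmdlets
Import-Module AIPService
Connect-AipService

# Usage rights granted to a single user
$rights = New-AipServiceRightsDefinition -EmailAddress "user@company.com" -Rights "VIEW","EDIT"

# Names and descriptions are hashtables keyed by locale ID (1033 = en-US)
New-AipServiceTemplate -Names @{1033 = "Ultra-Secret"} `
  -Descriptions @{1033 = "Strategic data"} `
  -RightsDefinitions $rights `
  -Status Published
# New-AipServiceTemplate has no double-key parameter; Double Key Encryption is
# turned on in the sensitivity label's encryption settings.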

2.4 Implement Auto-labeling with custom rules

Sensitive Pattern                    Threshold       Applied Label
Credit-card + CVV + customer name    >= 1 match      Confidential-PCI
IBAN number and word “Transfer”      >= 1 match      Confidential-Finance
Regex “(secret|token)=”              >= 2 matches    Secret-Key
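
The three rules in the table above can be dry-run locally before they are published. This is an added example, not code from the original guide and not Purview's classification engine: the function names, the regular expressions for card and IBAN numbers, and the customer-name list standing in for a name classifier are all assumptions, and the sample strings are constructed.

```powershell
# Added example: local dry-run of the three auto-labeling rules from the table.
# Patterns and the customer-name list are assumptions, not Purview's own classifiers.
function Test-Luhn {
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]$Digits.Substring($i, 1)
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Get-SuggestedLabel {
    param([string]$Text, [string[]]$CustomerNames)
    # Rule 1: Luhn-valid card number + CVV keyword + known customer name
    $cards = @([regex]::Matches($Text, '\b\d(?:[ -]?\d){12,18}\b') |
        Where-Object { Test-Luhn ($_.Value -replace '\D', '') })
    $hasCvv  = $Text -match '\b(CVV|CVC)\b'
    $hasName = [bool]($CustomerNames | Where-Object {
        $Text.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
    # Rule 2: IBAN-shaped string together with the word "Transfer"
    $hasIban     = [regex]::IsMatch($Text, '\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b')
    $hasTransfer = $Text -match '\bTransfer\b'
    # Rule 3: the table's regex, which needs at least two matches
    $secretHits = [regex]::Matches($Text, '(secret|token)=').Count

    $labels = @()
    if ($cards.Count -ge 1 -and $hasCvv -and $hasName) { $labels += 'Confidential-PCI' }
    if ($hasIban -and $hasTransfer)                    { $labels += 'Confidential-Finance' }
    if ($secretHits -ge 2)                             { $labels += 'Secret-Key' }
    return $labels
}

# Constructed samples (4111 1111 1111 1111 is a widely used test card number)
$samples = @(
    'Customer: Jane Doe, card 4111 1111 1111 1111, CVV 123',
    'Transfer 2,500 EUR to ES91 2100 0418 4502 0005 1332',
    'config: token=abc123; secret=xyz789',
    'Order 4111 1111 1111 1112 shipped, token=abc'   # Luhn-invalid number, single token= hit
)
foreach ($s in $samples) {
    $l = Get-SuggestedLabel -Text $s -CustomerNames 'Jane Doe', 'John Smith'
    '{0,-22} <- {1}' -f ($l -join ','), $s
}
```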

3. Data Loss Prevention: Exchange, Teams, SharePoint and Devices

3.1 Out-of-the-box regulatory templates

  • PCI DSS v4.0
  • GDPR – Article 32 (EU)
  • ENS High (Spain)
  • HIPAA (US Health)

These templates ship with pre-configured rules you can deploy in just three clicks—then customize.

3.2 DLP policy with exceptions (real example)

# Goal: allow sending encrypted PDF contracts
New-DlpCompliancePolicy -Name "Block External PII" `
 -SharePointLocation All -OneDriveLocation All -Mode Enable

# Main rule
$r = New-DlpComplianceRule -Policy "Block External PII" `
 -Name "Block PII*" -BlockAccess $true `
 -ContentContainsSensitiveInformation @{Name="EU PII"; minCount=1}

# Exception: files labeled "Contracts-Encrypted"
Set-DlpComplianceRule -Identity $r.Identity -ExceptIfContentContainsSensitivityLabelIds `
  (Get-Label -Identity "Contracts-Encrypted").Guid

3.3 Enable notifications and user coaching

In the same rule, enable User notifications with a template in your corporate language and include a link to the internal policy (SharePoint intranet).


4. Endpoint DLP: Windows 11, macOS and Servers

4.1 Workflow

  1. Onboard the device to Defender for Endpoint.
  2. Intune ▸ Endpoint Security ▸ Data Loss Prevention ▸ Create policy.
  3. Select scenario: “Block copying to clipboard data labeled Confidential.”
  4. Enable File Activity Exploder to inspect ZIP and ChatGPT-generated files.

4.2 Granular control by process

For example, block Microsoft Edge from uploading to *://*.mega.nz/* but allow Edge uploads to sharepoint.com.

4.3 Real-time monitoring

  • Security Portal ▸ Activity explorer → filter by Endpoint DLP.
  • Create an automated alert “>10 blocks in 5 minutes” → Logic Apps → Teams SecOps.
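
The “>10 blocks in 5 minutes” condition above can be validated against exported events before the alert is wired to Logic Apps. This sliding-window check is an added example, not code from the original guide; the function name, the event objects and their field names (UserId, Time, Action) are constructed assumptions, not Purview's export schema.

```powershell
# Added example: local check of the ">10 blocks in 5 minutes" alert condition.
# Record fields (UserId, Time, Action) are assumptions, not an official schema.
function Find-DlpBlockBurst {
    param(
        [object[]]$Records,
        [int]$Threshold = 10,
        [timespan]$Window = [timespan]::FromMinutes(5)
    )
    $Records | Where-Object Action -eq 'Blocked' | Group-Object UserId | ForEach-Object {
        $group = $_
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $start = 0
        $best  = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Advance the left edge until the window spans at most $Window
            while (($times[$end] - $times[$start]) -gt $Window) { $start++ }
            $best = [math]::Max($best, $end - $start + 1)
        }
        # "More than 10" means strictly greater than the threshold
        if ($best -gt $Threshold) {
            [pscustomobject]@{ UserId = $group.Name; MaxBlocksInWindow = $best }
        }
    }
}

# Constructed events: one user with a burst, one with the same count spread out
$t0 = [datetime]'2024-01-15T09:00:00'
$records = @()
foreach ($i in 0..11) {
    # alice: 12 blocks, 20 seconds apart; bob: 12 blocks, 5 minutes apart
    $records += [pscustomobject]@{ UserId = 'alice@corp.com'; Time = $t0.AddSeconds(20 * $i); Action = 'Blocked' }
    $records += [pscustomobject]@{ UserId = 'bob@corp.com';   Time = $t0.AddMinutes(5 * $i);  Action = 'Blocked' }
}
# An audited (not blocked) event must not count toward the threshold
$records += [pscustomobject]@{ UserId = 'bob@corp.com'; Time = $t0; Action = 'Audited' }

Find-DlpBlockBurst -Records $records
```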

5. AIP / Purview On-Prem Scanner (File Servers)

  1. Install the Azure Information Protection Unified Labeling client.
  2. Register the scanner:
    Install-AIPScanner
    Set-AIPAuthentication -AppId <GUID> -AppSecret <Secret>
  3. Define repositories: Set-AIPScannerRepository -Path "\\fileserver\legal"
  4. Add an incremental scan schedule every 6 h.
  5. View results in “Content Explorer ▸ On-premises scanner.”

Tip: If you scan very large PDFs, tweak MaxConsecutiveErrors and thread pool settings to avoid timeouts.


6. Insider Risk Management (IRM)

6.1 Available signals

Category         Examples                              Source
File activity    Mass copies, printing, USB            Endpoint DLP
Email & Chat     Toxic language, resignation intent    Defender for Office 365
Identity         Impossible travel, MFA removal        Entra ID Protection

6.2 Recommended policies

  • Data theft by departing users: active 45 days before / 30 days after.
  • VPN / RDP anomalies: correlate with Sentinel via the “Advanced Hunting” connector.

6.3 Workflows

Integrate with Communication Compliance to review toxic language and send corrective plans to HR. Add Teams approvals.


7. eDiscovery Premium: Hold, Review and AI

7.1 Script to create a legal hold for ten custodians

$custodians = "alice@corp.com","bob@corp.com" …
New-ComplianceCase -Name "Litigation-2024"
$custodians | % { Add-ComplianceCaseCustodian -Case "Litigation-2024" -User $_ }
Enable-CaseHoldPolicy "Litigation-2024" -Query "label:Confidential"

7.2 Review with “Themes” and “Near duplicates”

This cuts review volume by 40 %. Enable “Conversation thread” for Teams.


8. Audit Standard & Premium + Sentinel Ingest

8.1 Continuous export to Sentinel (Azure Monitor Agent)

Set-MailboxAuditBypassAssociation -Identity "AzureSentinelCollector" -AuditEnabled $true
New-DataConnector -Name "PurviewAudit" -Kind Office365

8.2 Sample KQL queries

// Massive downloads >500 MB
OfficeActivity
| where Operation == "FileDownloaded"
| summarize TotalMB = sum(FileSize)/1024/1024 by UserId
| where TotalMB > 500

9. Data Governance: Data Map, Glossary & Lineage

9.1 Scan S3 and SQL Server

az purview account show --name corp-purview
az purview scan rule-set create --account-name corp-purview \
 --scan-ruleset-name "S3_GDPR" --data-source-type AmazonS3
az purview scan run --account-name corp-purview --name "S3_GDPR_Scan"

9.2 Create an enterprise glossary

Define terms (CustomerID, MRN, IBAN) and link them to discovered columns; this simplifies search for analysts and avoids duplication.


10. Monitoring, Reporting and Automation

10.1 Power BI Dashboard

  1. Use the “Microsoft 365 Compliance” connector (OData).
  2. Import tables LabelActivity, DLPIncidents, IRMAlerts.
  3. Visualize PII-leak trends vs. previous quarter.

10.2 Logic Apps → executive email

Send a weekly email to the CISO with Audit events “MailboxPermissionChanged.”

10.3 Azure Functions for auto-remediation

If OfficeActivity.DeviceName contains “Kiosk-” and Endpoint DLP detects a print-blocked event, instantly revoke Entra ID access.


11. Advanced Use Cases

11.1 Generative AI and Confidential Data

Block users from uploading classified code to ChatGPT web using Endpoint DLP + the “AI services” URL category.

11.2 Multicloud – DLP in Box and Google Drive

Defender for Cloud Apps applies the same DLP policy as OneDrive via session proxy—no agents needed.

11.3 Secret control in Git repositories

GitHub Advanced Security alerts feed Purview Classification, achieving a unified inventory.


12. 30-60-90-Day Checklist

Phase      Key Objectives
0-30 d     Labels published, DLP Test, Endpoint pilot, Audit Std
31-60 d    DLP Enforced, IRM “Departing” policy, On-prem Scanner
61-90 d    Audit Premium, eDiscovery live, Data Map three sources

Conclusion

Microsoft Purview isn’t “just another security product”—it’s the backbone connecting data classification, protection, detection and governance. By following this guide—from PowerShell scripts to GUI portals, Sentinel integration and Power BI—you can deploy Purview robustly, gain measurable insights and meet regulations without stifling innovation.

Need to speed up your project? Contact Cloud Fighters for mentoring, implementation or managed services.
