Field Notes: Implementing Microsoft Purview in the Real World

(ARMA Canada)

I was kindly invited by Microsoft (Jason Bero more specifically) to speak during their full day workshop at the ARMA Canada 2023 Conference in Toronto. The workshop was titled Pre-Conference Workshop: Microsoft 365 Purview or Data Security, Information Governance, and Risk Mitigation and it was held on Sunday July 16, 2023. You can find it listed here: Conference Program/Sessions (goeshow.com).

Jason asked me to talk about what I have seen in the real world, when helping our customers implement Microsoft Purview. A huge thank you to all the people that spent their Sunday with us! I hope you enjoyed the session and found my part helpful.

These are my notes from that session for both those attendees and anyone else that might be looking for recommendations or suggestions on how we implement Microsoft Purview. These recommendations may or may not work in your organization… you may require something very different… and your mileage may vary! Please reach out if you have questions on either Twitter Twitter (@AntonioMaio2) or Antonio Maio | LinkedIn.

Microsoft Purview Implementation Order

This of course depends on a customer’s priorities, but we often recommend implementing Microsoft Purview solutions in the following order:

1. Information Protection & Sensitivity Labels

• Sensitivity labels are a fundamental component within Microsoft Purview and Microsoft Defender that helps the other security and compliance solutions be much more aware of the type of data that they are enforcing policies on… this is often why we start here. It allows us to make policies in those other solutions very specific to the type of data they are dealing with.
• We typically break this roll out into 2 high-level phases:
  • Phase 1: Roll out Sensitivity Labels to Users (emails/docs & teams/sites)
  • Phase 2: Bulk Classify Existing Content (online & on-premise)

2. Data Loss Prevention

• Crawl, Walk, Run Approach
• Start with Cloud, Endpoint and then Non-Microsoft Data Sources (via Defender for Cloud Apps)

3. Records Management & Data Lifecycle Management

After that, the order varies greatly depending on the customer’s priorities. Often we move onto the following solutions:

4. eDiscovery Premium
5. Insider Risk Management
6. etc.

Or the order might change depending on where the customer wants to go next.

Microsoft Purview Information Protection

Always Start with a Pilot

• Pick a friendly business group (or two)
• Do not pick your hardest groups
• Partnership between IM & Cyber
• Consider including some sensitivity labels with Encryption & User Defined Permissions Be open to changing your labels based on Business User feedback

Include Sensitivity Labels applied to Documents and Emails

• Metadata (automatically added)
• Content Markings
• Protection
• Rights Management

Include Sensitivity Labels applied to Teams & Sites

• Private or Public Group
• Allow Group Owners to Add External Guests
• Control sharing options from SharePoint Sites
• Unmanaged Device Access

Keep your sensitivity labels to a manageable number

• The number should be manageable for your employees to use & understand
• Recommendation: between 3 and 5 labels

Naming is Everything

• Choose a name for your Data Classification initiative
• Name your sensitivity labels
• Build your glossary
• Be consistent everywhere

Pick a default label and make it required

• Default Label
  • Select a default label that does not encrypt content
  • Make the default label the one that represents the majority of content in your organization, which for many is the mundane content we create and share everyday. It is not particularly sensitive, but we don’t want it to leak out either.
  • This will be the hardest label to pick and the hardest one to name – we typically choose names like General or Internal or General Business.
• Make it Required – From this day forward, as a matter of corporate policy, we are labeling all emails, documents, teams and sites.

Unified Labeling Client vs. Built-In Labeling

• Unified Labeling Client entered Maintenance Mode Jan 1/22 (Announcing AIP unified labeling client maintenance mode and sunset of mobile viewer – Microsoft Tech Community)
• Built-In/Native Office Labeling is now Recommended by Microsoft
  • Biggest Immediate Gap: PDF Files
• The unified labeling client, with its right-click ‘Classify and Protect’ menu, is still recommended for deployment to desktops by Microsoft when you have a requirement to label PDF files that already exist in your environment.

Determine how many policies to deploy

• Consider desired configuration for file & container labeling
• Consider the risk of making changes in Production
• Try to minimize the number of policies that each users receives to 1 – Information Protection can have a hard time when a user receives multiple policies that have conflicting labels.

Display your labels

• Consider carefully the settings for the following options. Consider the culture of your organization, what some words might mean and remember those that might be color blind as well.
  • Header
  • Footer
  • Watermark
  • Color-coding

Make use of the “Learn More” link

• This is one of your first or second opportunities to give users more information about when they should use certain labels, when they should not use them, give them examples and give them non-examples.
• This is one of the places where user education starts for Microsoft Purview Information Protection and Sensitivity Labels.

Adoption requires employees understand…

• WHY we’re doing this
• WHAT the labels are used for (downstream impacts)
• WHY they should care (what’s in it for them)

Microsoft Purview Data Loss Prevention (DLP)

Always Start with a Pilot

• Partnership between IM & Cyber
• Use a Crawl – Walk – Run Approach
• Crawl phase = Pilot
• Pilot is not defined by Business Groups or Friendly Pilot users
• Include the entire organization in all phases
• Start with Cloud Microsoft 365 DLP
  • Email, SharePoint, OneDrive, Teams

DLP Deployment Crawl Phase

• Determine which Sensitive Information Types (SITs) DLP will scan for
  • Do not choose all SITs
  • Recommend country specific SITs + Technology SITs
• Monitor Mode only
  • No impact to end users
• Include Entire Organization in configured policies
• Evaluate results for False Positives, fine tune, and move on to WALK

DLP Deployment Walk Phase

• Again… include entire org
• Fine Tuned SITs
  • Include additional SITs if needed
  • Include custom SITs if needed
• Introduce low-impacts changes to user experience
  • Policy Tips/Recommendations
  • Warnings
• IMPORTANT: Introduce communications to users & change management planning/activities

DLP Deployment Run Phase

• Again… include entire org
• Fine Tuned SITs
• Introduce Blocks, more warnings, more policy tips… more user impacts
• May require Corporate Policy changes
• IMPORTANT: Communications to users & change management activities

Microsoft Purview has 4 kinds of DLP

• Cloud DLP (focused on Email, SharePoint, OneDrive, Teams chat/channel and Teams Files) – we always start by rolling out Cloud DLP
• Endpoint DLP
• DLP for Non-Microsoft SaaS Apps (through policies in Microsoft Defender for Cloud Apps)
• On-Premises DLP

Microsoft Purview Records Management & Data Lifecycle Management

Records Management: Core Part of the Cybersecurity Team

• Traditional IM roles do not highlight its importance
• Real (defensible) disposition reduces an org’s attack surface
  • Key cybersecurity objective
• Risks to both under-retaining & over-retaining data
  • Key cybersecurity objective
• RM is at the table as part of Cybersecurity decision making

Always Start with a Pilot

• Pick a friendly business group (or two)
• Do not pick your hardest groups
• Consider your SharePoint Online information architecture
• Consider both retention schedule/file plan & business processes

Define Spaces Approved for Records & Transitory Information

• Email -> Transitory
• OneDrive -> Transitory
• SharePoint -> Records and Transitory
• Microsoft Teams Files -> Records and Transitory
• Microsoft Teams Chat & Channel Conversations -> Transitory

Automate as Much as Possible

• Users do not provide a lot metadata
• Users are even less likely to specify a document’s retention label
• Users often do not understand the retention schedule or file plan
  • And we should not expect them to!

Don’t Underestimate the SharePoint Information Architecture

• IA includes… Sites, libraries, folders, document sets, content types, taxonomy, metadata fields, search, navigation
• Work towards a balance between locking it down and allowing users to establish IA for their business
• Typically drives automation in RM & Sensitivity

Customize Disposition Process

• Built-in review & approval experience
• Multi-stage approvals
• Full customization through Power Automate & SharePoint
  • Retention Ends -> trigger a flow
  • Flow adds item to a list
  • Power Automate batches items, determines disposition authorities,  sends batch notifications, tracks approvals
• Performing customization of the disposition process is typically not part of a pilot, but the need for it is often an outcome of analyzing the pilot feedback

Complexities of Event-Based Retention

• Supports any type of event
• Complex infrastructure makes triggering events challenging
• Consider integration & customization options
  • Enable those triggering event with access to Purview Portal (RM solution)
  • Integration with 3^rd party system
  • Power App/Power Automate on SPO page
  • Power Automate to inspect event date metadata column on documents periodically
  • Power Automate to assign label at time of event (label triggers on labeled date)

Retention of Audit Logs

• 90 days -> Microsoft 365 E3
• 1 year -> Microsoft 365 E5 (includes faster access to audit date)
• Up to 10 years -> Microsoft 365 E5 + 10-Year Audit Log Retention add-on license
• These are per-user licenses, which means that the audit logs for users that have a particular license are retained for that long. So if you’re in a mixed license environment, some logs may be retained for 90 days and some may be retained for longer.
• What if you need to retain audit logs (for disposition records & other) longer?
  • Manual: Periodically (once per month) export disposition logs & store CSV in SPO library
  • Automatic: Build a custom solution/configuration which ingests audit logs into Azure Sentinel (which retains them up to 2 years) & route to another SIEM where you control how long logs are retained, into SQL or into Data Lake

Thanks again to Jason and Microsoft for the opportunity to share my insights with you on implementing Microsoft Purview!

Enjoy,

– Antonio