
Welcome to empowering resilience with MS Purview. This is probably going to be the most boring talk of the day because no one can make compliance interesting. And in light of this, hopefully I will be able to scatter this with varying levels of bad jokes because no one's written an ISO standard on how to do a good one yet. Uh my name is Aaron. This is the allseeing eye of data compliance that keeps me up at night. So let's get started. Um so just a brief overview go over what is perview how it can help everyone's favorite roles and licensing uh licensing the information protection compliance manager and data security posture management sections of this but
first up my least favorite section talking about myself. So uh I'm an infosc professional allegedly uh with a CNI background uh across nuclear and defense environments. Uh, I fell into GRC insurance a couple of years ago after being uh volunte,01. Um, I'm a two-time Lancaster University dropout. So, I greatly love being stood here and I'm now a student at the Open University for some reason. Um, and I'm not a Microsoft shell. I just got really annoyed at the fact that the docs when I first came across Purview were non-existent. So, with that in mind, this is your final chance to escape before it gets awkward. So, feel free to go. There is someone with playing with 3D printed
robots around the corner. That will be much more interesting or I'm sure something else is happening outside. No takers. All right. So, uh, what is MS Purview? Uh, it's one of those fantastic Microsoft platforms that exists that no one actually tells you about until you come across it by accident when you're looking to reset a user's password or something. Um, focused purely around the data security and management of all information held within your tenant. that's not exclusive to a Microsoft tenant as well. You can connect it up to to all of the cloud providers AWS, Google, etc., etc. And it complements Defender and Sentinel really well. And by that I mean Defender will tell you, oh yeah, you can do this, but
you have to do it in this other platform. Uh, which sometimes works, sometimes doesn't, depends on how Microsoft woke up that morning. The tooling is geared primarily at ensuring, limiting, or automating what can happen with your data. Now that can be in a great range of ways. Hopefully can tell you a few interesting ones of that. You can also use it to investigate data leakage problems and where data is living around your environment through another part of the platform called eiscocovery which is quite interesting and I will be honest I still haven't fully figured out how to use um but it can be quite useful. Uh the other thing to start with is it is not a panacea. It
will not solve all of your problems, but it can certainly make them a little bit smaller. Um, in the last few weeks, I have found a colossal problem with it, which did change how I was addressing this. But before that, something that really annoys me about perview, just to lay up that I am not going to completely shell the platform. Just because you have a global admin account within your tenant does not mean that you can actually do anything in purview. Uh, purview has its own role set and permissions which you cannot access from enter ID or you couldn't last night when I double checked. you probably can by tomorrow. Um, and because of this, it is a colossal
pain in the ass to set up the first time round because you are trying to figure out why can't I do this? Yes, I am in my account that allows me to do literally everything else. What's going on? And then you find that page somewhere hidden behind several other things that doesn't tell you about. Um, the one you actually want is that compliance administrator. That's the one that does everything. But nowhere will tell you that. You've just got to figure that out or have an MSP that will tell you that and then they don't do it for you anyway. Not that helpful. So, how does it help with perview? You can look at the document or the file or
whatever it is. You can extend this out to SharePoint sites and Teams channels and M365 groups in the back end. Not entirely sure what that benefit is, but you can do it. um you can severely limit what anyone can do with said information, whether they're inside your tenant, outside your tenant, if it's being sent, if it's being stored. Uh the lifetime of said documentation. And a fun one that I found by accident a while ago is you can see how your users interact with everyone's favorite AI stuff. Um which is quite interesting when you start to go through it and you realize what people are asking chat GPT um about their job that they should know more
about. Anyway, so uh wanted to talk about Microsoft product that doesn't include an entire section dedicated to licenses. A thought that everyone who ever talks about Microsoft stuff has ever had. Um here is a table generated by Copilot that isn't actually correct as I realized last night because there's another license set on that that doesn't exist yet. Um Microsoft helpfully introduced the E7 at some point recently apparently which does all of this and then some. And if you are a Loly Loly Business Premium user, there is a specific Defender and Purview add-on you can get for about the same cost as that license that will give you all of the feature set. Anyway, Microsoft licensing once again a black
hole of stuff that no one knows anything about apart from Microsoft and even then they can't give you a straight answer. So section one, uh, information protection. The ones listed on screen are all generic and publicly available as what you can do with those. Um, so as you can see, some of these here have a folder icon beside them. So, HM government and corporate labels are what called a label group. Go into that in a bit more in a minute. And the other three, unclassified, UK official, and company commercial, are the actual labels themselves. Now, these are where you can start to do the really fun stuff. And hopefully these slides are in the order
I think they are. Uh, yep. So, what does it cover off? I thought given that it's complaint, I'd give you some standard sets. So on the left is all the standards that you could well that I've come across at least and everything that they cover off by setting this up correctly according to the auditors that have looked at my stuff in the past. So it's kind of useful if you do it right. So labels and label groups this is how you go through and create it. It's basically the same process apart from one lets you actually do something the document and the other just tells you this is everything that falls under this category. So if we go back to that one.
So with HM government markings, anything you put into there can come from well, it's a custommade one, but that allows you to group them together so your users can find them nice and easily. It also means that you can go a layer deep. So something that I probably should have covered off with this uh under say that UK official heading there, you could then put any caveat that follows that. So under that marking, you could have UK official. You could then have UK official sensitive and then UK official sensitive commercial blah blah blah blah blah whatever else they invent today. And you can do the same at all label levels priority uh in the middle there
going from 0 to four. So zero being the lowest, four being the highest. You can set this so it can be really sporadic and weird if you learn. Um but it also means that it comes to the user as this is the lowest to this is the highest level of protection that you can apply to a document set within there. um settings that you can do that I haven't taken a screenshot of for this presentation which probably should have. Um you can set that uh everything has to be labeled. So before a user is allowed to leave a document set they have to put a label onto it whatever that may be which is where unclassified or
non-marked comes in really useful. But the other side of that you can also state that if you have something at a really high level um in this set company commercial and you want to lower that down you can make a user tell you why and create the audit log of I have marked this lower down for whatever reason that they may come up with. Uh from there you can put in some nice descriptions for what they're used for. So description for users is presented to them as they put the label on. So it's saying this is what this falls under. This is what you should use this for. Really useful if you need to differentiate between uh export control
licenses for instance is one that's been done in the past that I've seen. Descriptions admins is only a v visible in perview port itself on the back end and is more for this is why this label exists. Please don't mess with it. So as you go further through that you can define the scope. As stated you can apply this to anything that you wish. I still have yet to figure out how to do it for teams, groups, and shareoint sites because the docs are shite. Um, but that's by the buy from Microsoft in my experience. Uh, going down, you can ask whether the permission set is what you define it at the point of creation
or when it gets to the user. I've always done point of creation because it feels easier and it means you have an enforced set of what to expect for each label. And if you disallow offline access, if your user wants to do something on their laptop and they're not connected to the internet and your document is stored on SharePoint, they can't do jack with it, even if they've got it cached. So, kind of useful, kind of not. And that bit in the top right there, the assigned permissions, this is where you can do some really fun things. So, if you wanted to be hyper specific about stuff and say you can only share this document
mark with this with this individual, click on that add all users and put that person's email address in and if it goes to anyone else, they can't open it. which has been really helpful. Uh again, authenticated users, anyone within an MS tenant that has that there and specific email addresses or domains is quite helpful when sending outside of your tenant, which does also mean that when somebody accidentally sends something to the wrong person, and it's helpfully marked with one that says you can't open this unless you work for my company, you have just prevented data leakage uh accidentally by setting something up wrong the first time around. Uh not that I've ever done that because I know what
I'm doing, I promise. And finally, a fun one on this one is content marking. You can tell the perview as a platform. If you mark it with this label as a user, this is what the content must have in it. Useful when doing government stuff and you have to put official headings on everything and people will do that differently. So standardizing from there is quite helpful. Compliance manager. This is a fun bit fun bit of the platform to make life easier. So you might be familiar with enter ID secure sort secure score or defender secure score basically the same thing. Uh complaint score broadly follows the same path. You can ask it to look at all of these standard sets that
Microsoft has access to which includes the ones that you should be paying for but you're probably not because who actually pays for ISO standards? Good on you. Um so what this does is you can give Microsoft these are all the standards I must comply with. And what it will then do is it will go away and go this is everything we think you need to do about that and aggregate it into a nice setting of this is how much of it you've done. So for the organization who I stole the screenshot from they're at 58%. Which well that's my job. So we'll leave that for now. So I can set your own assessments in there. So I've picked
defan 5138 and 2701 as the two that I'm mostly concerned about at the minute. And by doing that, it allows me to see what Microsoft has already done on my behalf in the back end and what I need to do. Evidently, not very far through, but we'll gloss over that for now. So, the Microsoft actions are largely already in place or you can send them an email and say, "Hey, turn this setting up uh if you can't do that in the front end." And the your improvement score is quite an interesting section because it just does everything that Microsoft thinks you need to do irrespective of whether that actually applies to your tenants or not. So, one of the ones that
I've always had within 27 is anything to do with Apple. I don't manage any Apple devices. So, immediately out scope all that score goes up and you've done 10 seconds of work. Fantastically helpful. And a nice little graph in the bottom right about how many of those assessment actions you have actually completed or are waiting to be done. And if you go into the individual standard, it gives breakdown as put as done by Microsoft to see how far through it you actually are and some nice metrics on what these are. I'll be honest, I don't actually use this. It's just nice to put in front of people who think that data like this is useful to
them despite the fact they don't know what they're looking at. Take it as you will. So, uh, what is a cyber security talk in 2026? We got the obligatory AI bollocks section. Um, image helpfully generated by core pilot at about 10 1 this morning. Um, so data security posture management. This is a really fun bit because it was called for AI and now it's just classic or I don't know they changed the name of it again. So through here each one of these interactions um the time stamp is actually wrong. I have figured that out. Uh none of my users are interacting with chat GPT at 10 3 in the morning. That guy is very much asleep. Uh anyway, so
within these if you click through them what you can do is you can see which model the person is interacting with what they've said what the response was and what the thought process was for said AI thing in the back end which is quite useful and it does mean that when people are asking you questions or when they ask you to do things and you say that's not technically possible and they go yes it is and provide you a nice output of what chart GPT has told them you can figure out what they put into the front end and then tell them why they're wrong. Not that I've done that that often. Um, but it is quite a useful
thing to come across, especially when it comes to trying to figure out where is all of this going and why are people starting to know stuff that they shouldn't, which I found to be quite useful. Now, I don't know what the time frame on that is, but thank you for suffering through this with me. Useful's there. If you want to hear anything, I will open it up.
question over here. That's the easy one. >> Hi, I just wondering does it work just with um copilers or can you have any like clawed anything? >> You can add uh perview will give you a browser extension in your other management platform like entra or other MDMs are available. You add that as a browser extension to every browser that's deployed in your tenant and then it can see every chatbot people interact with. about his club code. >> Unsure. There may be a web hook for it though. >> Thank you. >> Any more questions? >> I've put everyone to sleep.
>> AI things as well. >> Someone says um Yeah. Someone's put uh confidential data into somewhere they shouldn't have. Yes, if someone uploads a document into it to say refactor this or make this email sound nicer, it will show you the document source and where it came from, which can also then be used to figure out why certain things are appearing in additional folders. >> Okay. And do DLP rules kick in at any point in this? >> They should do. It depends how you've configured them. Um, I had a fun one uh with a previous organization. It was all information that I created. But uh the way I tested it was I had a spreadsheet
that was quite nice that I built that I blanked out a I made a second copy of blanked it out so I could take it with me. And that's how I found out that I misconfigured every DLP thing and it didn't work in the slightest. >> Fair enough. >> But it is possible. >> Thank you. >> Another question out here. Just a yo-yo.
>> I've got so many questions about this. Sorry. Um uh can you do like alerting of uh so like if someone in the company has uploaded a document that they shouldn't and they've used some sort of sensitive data. Is there a way to like do smart alerting and let you know so you don't have to search through all the logs and find things like that? >> You can set that up through the data loss prevention platform of this. Uh I will freely admit I did want to do more on the data loss prevention side but I forgot that life happens and I got quite busy. Um, so I did change a few of the sections on this about half 11 last
night because I realized that I wasn't going to have time to finish it all. Uh, but that is something you can do uh in before you get to the point of having someone upload it into those environments. >> Um, you also mentioned it works on the uh browser and whatnot, but does it actually work on like the cloud software and GBT as well? >> In terms of as an actual app, I'm not sure. >> Right. Okay. browser level possibly. There is a workar around you get from that by just not allowing people to install the cloud native app and then say if you want to interact with this you do it through browser and have the
browser extension set. >> Okay, perfect. Great lecture by the way >> work around for that.
>> Hey Aaron. So right my question is is this I guess I I had conversations with people in the university here that did not actually know they didn't know that purview existed as a governance tool um and as a an educational establishment surely you know these tool sets are extremely important why why do you think Microsoft are not beating the drum about this more because it seems like such a useful thing to have why aren't they um more aggressively pushing this >> as part of Microsoft's standard set of do something and don't tell anyone. It's probably something to do with that. Um, that I can't answer. I don't I'm not Microsoft sales, but my experience with
it is a lot of useful things within Microsoft environments is hidden away behind menus and in dumb places where it shouldn't be. So, for instance, the way that I actually found Purview is very much by accident looking for something else. I was trying to set something up in Defender and it went, "No, you can't do that here. You've got to go and do it this other platform." And I was like, "I've never heard of this. What is it?" click through and it wasn't even called perview at the time. It was the old thing which was complaints something. Um, so down to Microsoft again not really well advertising what it is they do for you as an enterprise client. Uh,
the other thing go back to that. Um, it comes down to as well what sort of license pack they want you to actually use because you get everything with E5 apart from that page you go on Azure thing at the bottom. Uh, and I don't know where the educational equivalent of that will end up. It's cut A5 off there, but uh, so it'll come down to an element of are you actually paying for the platform? How much of it are you paying for? Because a lot of perview still kind of new. So there's they will actually give you quite a lot for free right off the bat um on trial basis which you can then choose to either continue with or
leave but is is the best I've got um they don't like telling you when they move stuff so why would they tell you that they've introduced something new
does every user need to have an E5 license or can just have one E5 license for the whole tenant? >> Oh, that's a good question. Um, my guess based on other things from Microsoft is it would ask for everyone to have an E5. depends on the size of your org because you can get away with the business premium and defender and perview add-on which will save you about 30 quid a month per user and you get effectively the same feature set in terms of security and compliance uh data on the back end with everything that you get with the business premium license. And if you've ever seen an organization that actually use uses everything you get
with an E52, let me know who they are. I'm curious. Um, but my assumption based on other tooling is they would need it. You may be able to enforce that separately. I haven't tried. I haven't been in an organization big enough to do that yet. I have yet to reach the 300 person cap on business premium. Start running, Rob. questions already. >> Um, so I mean if they're if they're putting it into the all of the features into a kind of E5 or even this E7 format and stuff like that, it's not particularly essentially useful for small medium uh organizations, is it? or I know you said there was a limited tool set in the uh business premium and stuff
like that but you know are you do you think it's useful for the for the value that you're getting out of it for a small medium scale uh organization or you know are there alternatives that they should be considering >> that would depend on what you're implementing perview for so in the environments that I've come from it's been useful to have it there because it covers off everything I need but the flip inside of one of those particular things. We go back to this one. One of the problems I've encountered with this recently is you can only apply one label at once. So if you have multiple label sets for instance, so if you wanted to apply a
government and a corporate label that you set, you can't enable that within perview itself. So there are separate tooling for that. One's called Titus I think um that allows you to do all that. It comes down to what is why why are you introducing all of this tooling? If you're just doing it to have the generic um this is ordinary, this is personal, this is commercial, you'll be fine. But if you need to go beyond that, that's when it starts to become difficult as to what it is. The other side of it, the amount you get of business premium is quite useful for small logs. It they don't actually limit a lot of the immediate quicky quick and easy wins
when it comes to setting up the environment for that secure and compliant way of working with the standards that you have to comply with. in my experience at least.
>> Um, does it cover just documents or can you do anything in your tenant? like data links, databases, managing >> you can connect it up to dynamics dynamics fabric one leg if it exists within a Microsoft environment you can do it and through things like lighthouse seam cm not sim uh you can then link it to your AWS environment or your GCP environment or digital ocean or your on-rem stuff if you do the hybrid connections. >> Yeah. Okay. Very powerful. >> Surprisingly so. >> Thank you. Um I also had a question in addition to something that she asked uh about the data leaks. Can we notice if someone has uploaded some sensitive data onto like copilot or any other chat
board if you have a web hook up put onto the browser? Yes, through the data loss prevention tool set when you have that configured will say where data can and can't go as well as something else called records management which will also come into that if you are looking at personal information in that sense something that would fall under GDPR.
You're liking making rob you as a question next. Yeah, I'm I'm sorry if you've already covered it, but usually when companies decide to apply sensitivity labels and things like that, they already have existing files everywhere. Does it does can Perview do automated discovery and automated labeling because there are solutions claiming to be able to do it? >> I have yet to see a solution do that. Well, if you have one, let me know. um you can set up auto labeling within the information protection subset. It does allow you to go through that and say look for these classifiers and put that on there which is really nice if it's something that's really clear and obvious. For instance, if you wanted to
go through this and say anything that says weapon system, slap that with it until I say otherwise, that would be great. But unfortunately, information usually isn't that plain and simple to use. So it can do it. It won't do a perfect job, but that's by the buy with every product that claims to be able to do that. >> There's a lull in questions. My legs get to recover. Um, Erin, I think you win the award for most number of questions today and they're only halfway through the day. But I think that implies that the questions being asked aren't a question of understanding, but questions of how they can take this away and implement some of the advice and guidance. So I
think that's a testament to the focus of your presentation and the material we covered because I'm sure there's a few people who are going to go back to the office and do things very differently as a lot we've just shared which is up to go. So thank you very much. Much appreciated.