Microsoft SC200 Certification - Microsoft Purview - Part 4
- brencronin
- 5 days ago
- 7 min read
Microsoft Purview is a unified data protection and governance platform that combines legacy Microsoft security tools with new, advanced capabilities to help organizations safeguard their data. It provides a broad range of solutions, enabling multiple teams within an organization to collaborate effectively in achieving data protection, governance, and compliance.
Why Microsoft Purview Stands Out
Extensive Coverage – It integrates Data Governance, Data Loss Prevention (DLP), Insider Risk Management, eDiscovery, and more, eliminating the need for multiple third-party solutions.
Seamless Microsoft Integration – If your organization is a Microsoft-centric environment, Purview provides deep visibility and control over data across Exchange, SharePoint, OneDrive, Teams, and Azure. Additionally, it integrates security alerts directly into Microsoft Defender, streamlining SOC monitoring and incident response.
Core Areas of Microsoft Purview
1. Data Governance
Microsoft Purview Data Governance offers a centralized approach to managing and protecting data across on-premises, multi-cloud, and SaaS environments.
Data Map: A cloud-native service that scans, catalogs, and maps an organization’s data estate, automatically capturing metadata and identifying sensitive data.
Unified Data Catalog: A tool for data discovery and classification, transforming governance from a compliance mechanism into a business enabler by making data more accessible and useful for decision-makers.
Data Sharing: Securely shares data in Azure Data Lake Storage Gen2 and Azure Storage accounts within and across organizations without duplication.
Data Estate Insights: Provides governance teams with actionable insights into data usage, compliance, and potential governance gaps.
2. Data Security
Purview enhances data security by offering robust data protection, loss prevention, and insider threat management tools.
Data Loss Prevention (DLP):
Detects sensitive information (e.g., credit card numbers, SSNs, classified documents).
Enforces protection through DLP policies that define where data is protected (Exchange, SharePoint, Teams, etc.) and how (blocking, alerting, logging).
Integrates with Microsoft Defender, ensuring security teams can monitor DLP alerts in both Purview Compliance Portal and the Defender Portal.
Insider Risk Management:
Identifies malicious or accidental insider threats (e.g., data exfiltration, IP theft, and security violations).
Uses AI-driven signals to detect suspicious behavior, such as employees moving sensitive data before leaving the company.
Privileged Access Management (PAM):
Implements "just-in-time" and "just-enough" access, reducing the risk of unauthorized access to sensitive data.
Information Barriers (IB):
Restricts communication between specific groups in Teams, SharePoint, and OneDrive to prevent conflicts of interest and ensure compliance.
3. Risk & Compliance
Purview offers compliance monitoring and eDiscovery tools to help organizations manage regulatory requirements and legal obligations.
Compliance Monitoring:
Scans emails, Teams messages, and files for threatening, obscene, or policy-violating language to maintain corporate standards.
eDiscovery:
Supports legal investigations by identifying, preserving, analyzing, and exporting relevant data.
Searches across multiple Microsoft sources, including Exchange Online, OneDrive, SharePoint, Teams, and Yammer.
Allows escalation from insider risk alerts to full eDiscovery cases, ensuring organizations can respond quickly to compliance incidents.
Microsoft Purview - Data Loss Prevention (DLP) Components
Sensitive Information Types
Sensitive information types (SITs) are patterns detected using regular expressions, functions, keywords, and checksums. Microsoft Purview includes built-in SITs like Credit Card Numbers and Bank Accounts, with options to create custom SITs using regex, keyword lists, or dictionaries.
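To make the three ingredients concrete, here is an added illustration (written for this page, not Microsoft's SIT engine or any code from the post) that re-implements in PowerShell what a credit-card-style SIT evaluates: a primary regex pattern, a Luhn checksum over the digits, and a supporting keyword within a proximity window. The keyword list, the window size and the confidence ladder are assumptions chosen to mirror how the built-in card SITs grade evidence; the sample text is constructed.

```powershell
# Added illustration, not Microsoft's SIT engine: pattern + checksum + keyword proximity.

function Test-Luhn {
    # Luhn mod-10 checksum, the "checksum" ingredient of the built-in card SITs.
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]::Parse([string]$Digits[$i])
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-CardCandidate {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$Proximity = 300,                                        # characters either side of the match (assumed)
        [string[]]$Keywords = @('card', 'visa', 'mastercard', 'expiry', 'cvv')   # assumed supporting terms
    )
    # Primary pattern: 16 digits, optionally separated by a space or hyphen.
    $pattern = '\b(?:\d[ -]?){15}\d\b'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[^0-9]', ''
        $start  = [Math]::Max(0, $m.Index - $Proximity)
        $end    = [Math]::Min($Text.Length, $m.Index + $m.Length + $Proximity)
        $window = $Text.Substring($start, $end - $start)
        $kwHit  = ($Keywords | Where-Object { $window -match ('\b' + [regex]::Escape($_) + '\b') } | Measure-Object).Count -gt 0
        $luhnOk = Test-Luhn -Digits $digits

        # Confidence ladder: a bare pattern match is discarded; a valid checksum is
        # medium confidence; checksum plus a nearby keyword is high confidence.
        $confidence = if ($luhnOk -and $kwHit) { 'High' } elseif ($luhnOk) { 'Medium' } else { 'None' }
        if ($confidence -ne 'None') {
            [pscustomobject]@{ Match = $m.Value; ChecksumValid = $luhnOk; KeywordNearby = $kwHit; Confidence = $confidence }
        }
    }
}

# Constructed sample: a valid test number with a keyword nearby (High), an order
# reference that merely looks like a card and fails the checksum (dropped), and a
# valid number with no supporting keyword within the window (Medium).
$sample = @"
Please charge my card 4111 1111 1111 1111, expiry 12/27.
Order reference 4111-1111-1111-1112 shipped yesterday.
Ref 5500000000000004
"@
Find-CardCandidate -Text $sample -Proximity 40 | Format-Table -AutoSize
```

The point the example makes is the one the paragraph states: the regex alone would flag all three lines, the checksum removes the order reference, and the keyword proximity separates the two remaining hits by confidence. In a tenant, `Get-DlpSensitiveInformationType` (Security & Compliance PowerShell) lists the built-in SITs whose patterns this toy approximates.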
Sensitivity Labels
Sensitivity labels classify and protect documents (e.g., Public, Private, Classified) and can apply controls such as encryption. Labels can be applied manually or automatically based on SITs.
DLP Policies
A DLP policy defines:
Where to protect content (Exchange Online, SharePoint, OneDrive, Teams, etc.).
When & how to enforce protection through conditions (e.g., detecting Social Security numbers shared externally) and actions (e.g., blocking access, notifying users).
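The "where / when / how" split above maps directly onto two cmdlets in Security & Compliance PowerShell. The following is an added example for this page, not configuration from the post or from Microsoft; the policy and rule names, the account, and the contoso.example tenant are placeholders. It assumes the ExchangeOnlineManagement module is installed and the caller holds a compliance role that can manage DLP.

```powershell
# Added example: one DLP policy (WHERE) with one rule (WHEN + HOW), created in test mode first.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName compliance.admin@contoso.example   # placeholder account

# WHERE: the workloads the policy covers.
New-DlpCompliancePolicy -Name 'SSN - external sharing' `
    -Comment 'Blocks U.S. SSNs shared outside the organization' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications      # simulate and notify users, enforce only after tuning

# WHEN: at least one U.S. SSN (built-in SIT) shared with people outside the organization.
# HOW: block access, notify the content owner, raise a high-severity incident report.
New-DlpComplianceRule -Name 'SSN external - block' `
    -Policy 'SSN - external sharing' `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Detections, Severity `
    -ReportSeverityLevel High

# Check what was created; switch the policy to Enable once the test-mode reports look right.
Get-DlpComplianceRule -Policy 'SSN - external sharing' | Format-List Name, AccessScope, BlockAccess, NotifyUser
# Set-DlpCompliancePolicy -Identity 'SSN - external sharing' -Mode Enable
```

Starting in `TestWithNotifications` matters: the incident reports show what the rule would have blocked, so false positives on the SIT can be tuned (for example by raising `minCount` or adding a keyword condition) before anyone's sharing is actually interrupted.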
Defender for Cloud Apps – File Policies
Microsoft Defender for Cloud Apps (MDCA) file policies enable organizations to enforce continuous compliance scanning, support legal eDiscovery, and implement data loss prevention (DLP) controls for sensitive content, including files shared publicly. File policies can monitor any file type using more than 20 metadata filters, such as access level, ownership, and file type, and can leverage either built-in DLP capabilities or Microsoft Data Classification services for content inspection. Using cloud provider APIs, these policies support automated actions to reduce data exposure and maintain compliance at scale.
In addition to file policies, MDCA provides complementary policy types to address broader cloud security needs. Access policies deliver real-time monitoring and control over user access to cloud apps based on factors such as user identity, location, device, and application. Session policies extend this capability by enabling granular, session-level controls, including real-time DLP enforcement during active user sessions. App discovery policies generate alerts when new cloud applications are detected, improving visibility into shadow IT. Alert policies allow security teams to categorize alerts, define thresholds, apply policies across the organization, and configure email notifications.
MDCA also integrates with Microsoft Entra Identity Governance access reviews, which help organizations regularly validate group memberships, application access, and role assignments. Based on review outcomes, user access can be automatically removed to ensure that only authorized users retain access over time.
Microsoft Purview - eDiscovery & Content Search
eDiscovery workflow
1. Receive alert
2. Create an Insider Risk Management case
3. Escalate to eDiscovery
Common Search Scenarios
Search all Microsoft 365 data with no mailbox/document limits.
Apply search permission filtering for eDiscovery managers.
Export search results and generate reports.
Search for and delete sensitive email messages.
eDiscovery Tools in Microsoft Purview
Organizations can use eDiscovery across:
Exchange Online
OneDrive for Business
SharePoint Online
Microsoft Teams
Microsoft 365 Groups & Yammer
eDiscovery Levels
Content Search – Locate content across Microsoft 365 data sources and export results.
Key feature of the Microsoft 365 compliance center
Ideal for quick searches in Microsoft 365
Useful for large searches across all mailboxes and SharePoint sites that exceed the limits of eDiscovery search
Can configure filtered search permissions
eDiscovery (Standard) – Enables case creation, holds, and assigned access for legal teams (can identify, hold and export content found in mailboxes and sites).
eDiscovery (Premium) – Adds advanced analytics, machine learning-based coding, and custodian management for in-depth investigations.
Audit (Standard) is enabled by default for most Microsoft 365 orgs: verify the subscription, assign the permissions, then search the audit log (180 days).
Audit (Premium) is available for orgs with an Office 365 E5/A5/G5 or Microsoft 365 Enterprise E5/A5/G5 subscription.
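Searching the audit log is itself a detection control for the rest of this page: eDiscovery searches, previews and exports are recorded there, so a SOC can see who is running content searches. The function below is an added example for this page (not from the post or from Microsoft's documentation) that pulls eDiscovery activity (record type `Discovery`) for a time window with paging and summarises it by user and operation. It assumes an existing `Connect-IPPSSession` and a role that includes audit log reading; the 30-day window and the output shape are choices of the example.

```powershell
# Added example: who has been running eDiscovery operations, from the unified audit log.

function Get-EdiscoveryAuditSummary {
    param([int]$Days = 30)   # stay within the retention window of the audit tier you have
    $start = (Get-Date).AddDays(-$Days)
    $end   = Get-Date
    $sessionId = [guid]::NewGuid().ToString()
    $all = @()
    do {
        # SessionId + ReturnLargeSet pages through results 5,000 records at a time.
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -RecordType Discovery `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $all += $page }
    } while ($page -and $page.Count -eq 5000)

    $all | ForEach-Object {
            $detail = $_.AuditData | ConvertFrom-Json     # per-event detail is a JSON string
            [pscustomobject]@{
                When      = $_.CreationDate
                User      = $_.UserIds
                Operation = $_.Operations
                ObjectId  = $detail.ObjectId
            }
        } |
        Group-Object User, Operation |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-EdiscoveryAuditSummary -Days 30 | Format-Table -AutoSize
```

A reviewer who appears in this summary but is not on the eDiscovery Manager roster, or an export operation outside an open case, is the kind of finding the search permission filters and role assignments described later are meant to prevent.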
Questions to answer before creating a content search:
Who should create and run the content search?
What type of content search do you want to create (new search, KQL, saved search queries, search by ID, etc.)?
What keywords should be used in the search?
What conditions should be used (type of data, sender, date, subject, etc.)?
Do you want to search all locations or only specific locations (SharePoint, Teams, etc.)?
Search permissions filtering
Allows an eDiscovery manager to search only a subset of mailboxes, or only content that meets specific criteria.
Create a search permission filter that uses a supported recipient filter to limit the mailboxes or site content that can be searched.
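The questions and the permission filter come together in Security & Compliance PowerShell. The script below is an added example for this page, not from the post: an Organization Management admin creates a filter that confines one eDiscovery manager to the Legal department's mailboxes, and the lower half is the search that manager would then run (keywords and conditions as KQL, all mailboxes and sites as locations, the filter narrowing the effective scope). The account, filter and search names, department value and date range are placeholders.

```powershell
# Added example: a search permission filter (run by Organization Management) followed by
# the content search an eDiscovery Manager constrained by that filter would run.

# WHO may search WHAT: applies to this user's searches, previews, exports and purges.
New-ComplianceSecurityFilter -FilterName 'Legal mailboxes only' `
    -Users legal.reviewer@contoso.example `
    -Filters "Mailbox_Department -eq 'Legal'" `
    -Action All
Get-ComplianceSecurityFilter -FilterName 'Legal mailboxes only'

# --- below is what legal.reviewer would run; the filter above limits what comes back ---

# WHAT to find: keywords plus conditions (type, date range) expressed in KQL.
$query = 'kind:email AND ("social security" OR SSN) AND sent>=2025-01-01 AND sent<=2025-03-31'

# WHERE: all mailboxes and all sites are requested; the permission filter trims them to Legal.
New-ComplianceSearch -Name 'SSN email Q1 2025' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -ContentMatchQuery $query
Start-ComplianceSearch -Identity 'SSN email Q1 2025'

# Poll until the estimate completes, then report item and size counts.
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity 'SSN email Q1 2025'
} while ($search.Status -ne 'Completed')
$search | Select-Object Name, Status, Items, Size, SuccessResults

# Preview the hits (limited to 1,000 randomly selected items per mailbox or site).
New-ComplianceSearchAction -SearchName 'SSN email Q1 2025' -Preview
```

Filter properties follow the `Mailbox_<property>` form (for example `Mailbox_Department`, `Mailbox_CountryOrRegion`) for mailboxes and `Site_Path` for SharePoint and OneDrive sites, so the same mechanism scopes both kinds of location the page lists.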
eDiscovery Roles and Permissions
Case Management
Compliance Management
Hold
Search and Purge
Insider Risk policies
Microsoft Purview Insider Risk Management policies are built using predefined templates and configurable policy conditions that determine which triggering events and risk indicators are evaluated within the organization. These policies define how risk indicators generate alerts, which users are in scope, which Microsoft 365 services are prioritized, and the time window over which activity is analyzed. This structured approach enables consistent, repeatable detection of potential insider risk while allowing organizations to tailor monitoring to their specific risk profile.
To accelerate deployment, Purview provides several out-of-the-box policy templates aligned to common insider risk scenarios, including data theft by departing users, data leaks, data leaks by priority or risky users, and security policy violations (including variants for departing, risky, or priority users). Industry-specific and behavior-focused templates are also available, such as patient data misuse and risky browser usage, allowing organizations to address both general and specialized insider risk use cases with minimal configuration.
Purview Review Questions
Question 1
Your organization wants its legal team to manage custodians and control the legal hold notification workflow. Which Microsoft Purview eDiscovery solution should you use?
A. eDiscovery (Standard)
B. eDiscovery (Core)
C. eDiscovery (Premium)
D. Content search
Correct Answer: C
Explanation: eDiscovery (Premium) provides advanced legal workflows, including custodian management and legal hold notifications.
Question 2
Which criterion must be met for items to be available for preview in a Microsoft Purview content search?
A. All search results must be previewable
B. A maximum of 1,000 randomly selected items per mailbox or site can be previewed
C. Only items under 10 MB can be previewed
D. Preview is limited to email items only
Correct Answer: B
Explanation: Content search previews are limited to 1,000 randomly selected items per mailbox or site.
Question 3
You are downloading content search results and want to minimize the impact on network performance. What should you do?
A. Limit the export to PST format only
B. Disable antivirus scanning for the download folder
C. Reduce the number of custodians
D. Use incremental export
Correct Answer: B
Explanation: Disabling antivirus scanning on the download folder improves download performance and reduces network impact.
Question 4
To perform threat hunting using compliance security filter cmdlets in Windows PowerShell, what prerequisite must be met?
A. You must be assigned the Global Administrator role
B. You must be a member of the Organization Management role group
C. You must have the eDiscovery Manager role
D. You must enable audit logging
Correct Answer: B
Explanation: Membership in the Organization Management role group is required to run compliance security filter cmdlets.
Question 5
As a security operations analyst, you need access to create content searches, preview results, and export data in Microsoft Purview. Which role must be assigned?
A. Compliance Administrator
B. Organization Management
C. eDiscovery Manager
D. Global Reader
Correct Answer: C
Explanation: The eDiscovery Manager role grants permissions to search, preview, and export content.
Question 6
You created and ran a content search and now want to preview the results. What is the maximum number of randomly selected items available for preview?
A. 100
B. 500
C. 1,000
D. 5,000
Correct Answer: C
Question 7
While creating a new content search, you set the Exchange mailboxes toggle to On on the Locations page. What does this enable?
A. You can apply retention labels to mailboxes
B. You can specify which mailboxes to include in the search or hold
C. You can enable mailbox auditing
D. You can export mailbox data automatically
Correct Answer: B
Explanation: Enabling the Exchange mailboxes toggle allows you to select specific mailboxes for search or hold.