The Microsoft compliance products have always been kind of a mystery to anyone just starting to learn about them. Things haven’t gotten better since the Purview Product Polka™ (have a laugh and pronounce this like Daffy Duck) of April 2022. They will, it’ll just take time to reorganize.
I, myself, noticed I kept getting lost in all the product names, capabilities and licensing. I am aware that this is probably just due to my hard-wired brain resisting change, but I got the feeling I didn’t know what I was doing anymore.
Although I may not be an expert in all Microsoft compliance products, I do subscribe to the idea that I should know (preferably more than) the basics about anything I frequently encounter or use.
Turns out I know a lot more about this stuff than I thought. Confidence restored.
Launchpad
If you want to skip my introductory ramblings, I included a table of contents. From here you can jump directly to specific sections.
- Microsoft Purview Audit
- Microsoft Purview Communication Compliance
- Microsoft Purview Compliance Manager
- Microsoft Purview Customer Lockbox
- Microsoft Purview Data Connectors
- Microsoft Purview Data Lifecycle Management
- Microsoft Purview Data Loss Prevention
- Microsoft Purview Records Management
- Microsoft Purview eDiscovery
- Microsoft Purview Information Barriers
- Microsoft Purview Information Protection
- Microsoft Purview Insider Risk Management
- Microsoft Purview Data Map, Data Catalog and Data Estate Insights
Wait, what?!
In case you missed it: last April (April 19, 2022) Microsoft announced it would be mashing a whole bunch of (somewhat) related, separate products together under one new family name: “Microsoft Purview”. They then went on to rename all the products (some more than others) to reflect this.
Don’t worry, it’s a good thing. Really.
No, no… I’m not talking about “Azure Purview”, but that’s part of this now, too.
The product stack was becoming extremely fragmented, and this is a step in the right direction. It will allow for streamlining and (I assume) licensing will become easier or maybe it will even move to the pay-per-use (or pay-Purview, if you will) model used by capabilities like Purview Data Map.
I apologize for this pun. Or Pay-Punview. Oh, no! I made it worse.
Purview Kirby
The thing is, from one day to another, the docs suddenly called everything by its new name. With that, my brain couldn’t trigger slumbering knowledge about the subject.
You see, when I re-read documentation, I tend to recognize bits and pieces (and apparently product names). This seems to reactivate knowledge I haven’t used in a while so I can get back up to speed instantly.
Granted, they left vague notes telling you something like “Purview Kirby ate this product” all over the place but as I couldn’t compare it to the old ways anymore, I got lost.
What remained was a compliancy-clueless consultant.
Believe me, I do not like being clueless. Or lost, for that matter.
My go-to resource for a structured overview of Microsoft 365 products, capabilities and licensing is (of course) the most excellent m365maps.com (thank you for saving me a lot of work, many times, @AaronDinnage). Unfortunately, it didn’t help this time. Its last update stems from January 2022, and naturally the results of all this dancing around weren’t incorporated yet.
The “Detailed Microsoft 365 Compliance Licensing Comparison XLS (April 2021)” (insert maximum path length warning here) only mentions the capabilities, not the product names my brain remembers, so that didn’t help either.
As my memory about these products could use a refresher anyway, I decided to write it all up in a post. Without further ado, let’s see what exactly makes up this huge beast that is Microsoft Purview.
Please note that when it comes to licensing, I’m not going in-depth at all. I may note a bundle it’s included in, but there are many other, smaller bundles (not to mention add-on licenses). I bet you that’s all going to be simplified, anyway.
Microsoft Purview Audit
Formerly known as Microsoft 365 Basic Audit & Microsoft 365 Advanced Audit
You probably already use the “Standard” (any Office 365) edition of this one, but don’t know it yet. It’s enabled “for free” (and by default) in all Microsoft 365 and Office 365 subscriptions and is the base for all things auditing in your tenant.
This one also has a “Premium” flavor (Office 365 E5) which allows you to create auditing policies, gives you longer retention for your logs (extending a measly 90 days to a year) and makes extended events (like when an email was accessed or forwarded, or even search history) available.
Microsoft Purview Communication Compliance
Formerly known as Microsoft 365 Communication Compliance
Sometimes all they did was a simple search-and-replace.
Communication Compliance (Office 365 E5) will let you scan your communications (like email or Microsoft Teams chats) for inappropriate behavior. It also lets you report on and analyze this behavior (in the technical sense… therapy not included) and coordinate remediation.
Microsoft Purview Compliance Manager
Formerly known as Microsoft Compliance
Compliance Manager (any Office 365) lets you assess your compliance posture and compare it to Microsoft’s own data protection baseline. It then scores your compliance and gives advice on how to improve this score. Oh, it also keeps checking this behind the scenes and alerts you if anything changes.
Basically, it’s an automated data protection auditor and advisor.
Premium Assessments (Office 365 E5) offer these capabilities with complex standards, like GDPR, NIST 800-53, ISO 27001, and many, many more. Custom Assessments (Office 365 E5) lets you cook up your very own concoctions.
Microsoft Purview Customer Lockbox
Formerly known as Office 365 Customer Lockbox
Microsoft already has rigorous processes in place to make sure its employees can’t access your data without jumping through several approval hoops. Customer Lockbox (Office 365 E5) allows you to become part of this chain of approval and have the final say.
Unless you really, really, really don’t trust Microsoft, you will probably only use this if some external compliance obligation mandates it.
Even though Customer Lockbox implies the need for a Customer Key, the two capabilities are completely unrelated.
Also, shouldn’t this be part of Insider Risk Management?
Microsoft Purview Data Connectors
Formerly known as Microsoft 365 Data Connectors
These things (Office 365 E5) let you pull third-party data (ranging from social media & communications to HR & healthcare) under your compliance umbrella. There are many pre-made connectors available, ranging from physical badging, to HR, to healthcare. Most offer the full range of capabilities (eDiscovery, Data Lifecycle Management, Records Management, Communication Compliance, Insider Risk Management).
Microsoft Purview Data Lifecycle Management
Formerly known as Microsoft Information Governance
First and foremost: this one’s all about retention, allowing you to specify when data should be retained and/or deleted.
Record Labels can be applied manually (item-level) on email and files in your Microsoft cloud (Exchange Online P1, SharePoint Online P1, OneDrive for Business P1) and Microsoft Teams chats and channel posts (Microsoft 365 E5).
Of course, you’re not pleased with manual work so you need some Retention Policies (which can, thankfully, be scoped dynamically) (Exchange Online P1, SharePoint Online P2, OneDrive for Business P2).
Trainable Classifiers (Microsoft 365 E5) take automation of this labeling to the next level, allowing you to train self-learning algorithms to do the work for you.
Surprisingly (at least to me), there’s a couple of Exchange-specific capabilities (Exchange Online P2) named in this context as well: Bulk PST Imports, Inactive Mailbox Management, and In-place Archiving.
Microsoft Purview Data Loss Prevention
Formerly known as Office 365 Data Loss Prevention (and Endpoint DLP, apparently) with a dash of Microsoft/Azure Information Protection
Data Loss Prevention (DLP) is used to detect specific information types in data and prevent them from being shared with others. The simplest examples are credit card and social security numbers, but that’s just the tip of the iceberg.
For some reason, the Microsoft 365 Security & Compliance service descriptions list DLP capabilities as part of Microsoft Purview Information Protection, and although there’s some logic to it, I decided that’s wrong for now.
You can apply DLP “for Exchange Online, SharePoint Online, and OneDrive for Business” (Office 365 E3) which allows you to protect exactly that data in the cloud. Keep in mind, files in Teams are stored in SharePoint Online, so that’s protected with this one as well, but communications are not. The DLP “for Microsoft Teams” (Office 365 E5) capability adds that to your arsenal, as well. Finally, DLP “for Power BI” (Office 365 E5) protects your PBI workspaces (at a performance cost though).
At the time of writing, the capabilities in this product are having a bit of an identity crisis on their own. The “for Exchange Online, SharePoint Online, and OneDrive for Business” capability is also referred to as “for Email and Files” and you may see “for Microsoft Teams” (ambiguously) being called “for Chat” and “for Communications”. Just to keep things interesting while the docs are being reviewed.
The On-premises Scanner (Office 365 E5) allows you to apply DLP to your on-prem file shares and SharePoint libraries. This is completely dependent on Azure Information Protection (AIP) Scanner.
AIP Scanner, in turn, requires AIP (Unified Labeling) Client. AIP Client is in maintenance mode. I’m assuming that these dependencies will be resolved when AIP is retired, as Sensitivity Labels depend on it as well.
And then there’s Endpoint DLP (Office 365 E5). You use this to extend control over labelled items when they are stored on endpoints. It wasn’t part of the oldskool Office 365 DLP capabilities, afaik. It, however, is not mentioned in the P-P-Polka announcement at all and the docs say “put it under this header”.
Microsoft Purview Records Management
Formerly known as Records Management in Microsoft 365
Closely related to Data Lifecycle Management, this offers retention-labels-on-steroids and calls it Record Labels (Office 365 E5).
No, it’s not a Zune revival. Basically, these are labels linked to retention policies that cannot be removed (even by an admin). These labels can automatically apply when specific events occur (Office 365 E5), like the termination of an employee or retirement of assets.
When the data is finally up for deletion, you can let managers review them and then get rid of them (and generate proof of disposal, if Audit is enabled) (Office 365 E5).
Record Labels can also use the Trainable Classifiers (Microsoft 365 E5) mentioned earlier.
Microsoft Purview eDiscovery
Formerly known as Office 365 Core eDiscovery, Office 365 Advanced eDiscovery
This eDiscovery thing all starts with Search & Export, which isn’t even part of this product. Those capabilities are handled by Content Search (Office 365 E1). I had to mention them, though, because without them, eDiscovery couldn’t work.
The āStandardā edition of eDiscovery (Exchange Online P2, SharePoint Online P2) gives you simple case management and (Legal) Hold capabilities.
If you splurge on the āPremiumā edition (Office 365 E5), you get some pretty advanced case management. That includes workflows so your legal team can manage data custodians performing search, export & hold actions for them.
And, as all things E5, there’s some degree of automation involved. Error Remediation will, for instance, automatically strip password protection on selected file formats. Predictive Code Models will try to learn what data is relevant and what is not (and filter your sets accordingly).
Microsoft Purview Information Barriers
Formerly known as Microsoft 365 Information Barriers
Information Barriers (Office 365 E5) do exactly what the name suggests: they form barriers which data cannot cross. You’d use this to prevent data being shared within your organization. Like finance data reaching tech support staff, for example.
Microsoft Purview Information Protection
Formerly known as Microsoft/Azure Information Protection, Customer Key for Microsoft 365, Double Key Encryption for Microsoft 365, Office 365 (Advanced) Message Encryption
The main capability here (imho) are [is?] Sensitivity Labels, used to classify and protect sensitive files and emails containing sensitive information. You can simply mark them with headers, footers and/or watermarks but also require encryption and even enforce sharing policies.
Protection is enforced through the Office apps (desktop, mobile and web) or Microsoft Defender for Cloud Apps (MDCA), which allows you to protect third-party apps and services like SalesForce or DropBox.
Of course, MDCA may require additional configuration (and maybe even licensing).
In its purest form, Sensitivity Labels are manually applied (Office 365 F1). Automatic labeling is available on the client-side as (user-rejectable) label recommendations (EM+S E5) and on the server-side by labeling policies (Office 365 E5). The exact capabilities vary with the approach used.
Purview Data Map is also able to automatically apply labels, but that’s a different product altogether.
Labels can also be applied to data exported (to Excel, PowerPoint or PDF) from Power BI (EM+S E3).
As basically all labeling can be applied with Trainable Classifiers (Microsoft 365 E5), these are available here as well (for client-side labeling).
Moving on to Content Explorer (Office 365 E3), which gives insight in the volume and location of (labeled) data, showing you detailed views of where data is travelling. Activity Explorer (Office 365 E5) lets you see what end-users are doing with it, including (Endpoint) DLP logs, auto-labeling, et cetera.
Customer Key (CK) (Office 365 E5) and Double Key Encryption (DKE) (Office 365 E5) were also gobbled up by this product. CK gives you full control of your tenant’s data-at-rest encryption keys (remember: with great power comes great responsibility). DKE (which can be applied separately) adds another key to the encryption for selected data which means that an attacker would need two keys (hence the “double” part) to decrypt it.
(Advanced) Message Encryption was missing from the announcement but deserves to be mentioned. In its “Standard” form (EM+S E3), you get to encrypt messages and add some rights management (like do-not-forward). This works for both internal and external recipients and attachments are protected as well.
“Advanced” (EM+S E5) adds message revocation (also known as “the career-saver”), message expiration and additional branding templates.
The docs suggest it belongs here. I (kind of) agree, but I’m having a hard time getting used to it.
Microsoft Purview Insider Risk Management
Formerly known as Microsoft 365 Insider Risk Management
Insider Risk Management (Microsoft 365 E5) contains capabilities used to detect, respond to, and ultimately prevent risks from inside your tenant. It’s basically a pre-configured Log Analytics implementation, scrutinizing logs from Microsoft 365 and Graph API to detect potential risks.
Once its wide range of policies detects unwanted behavior (like data leakage, security violations or patient data misuse), an alert will be generated. From there you get tooling for triage and investigation.
It even has extensions to prevent browser exfiltration. Well, in Edge and Chrome, at least.
Hopefully, nudging the employee in the right direction is all the correction you need. But, if not, IRM is integrated with eDiscovery (Premium) and recently Office 365 Management APIs were added.
Also missing from the announcement was Privileged Access Management (PAM) (Office 365 E5), Exchange Online’s equivalent to Privileged Identity Management (PIM). It eliminates the need for standing access to Exchange tasks, roles or role groups and allows for just-in-time access (with approval).
Microsoft Purview Data Map, Data Catalog and Data Estate Insights
Formerly known as Azure Purview Data Map, Azure Data Catalog and Azure Data Insights
These are the governance solutions that are now part of the Purview family. In a nutshell, it’s an advanced, private search engine, offering discovery, mapping, classification, analysis, and searching capabilities in multi-cloud (including your on-prem cloud) and SaaS data.
I’m not going to dive into them for this post as they’re not tied to any traditional licenses (it’s a pay-per-use model).
Also, this post has become way too large and I’m tired.