Purview Product Polka; the new, re-shuffled product stack

The Microsoft compliance products have always been kind of a mystery to anyone just starting to learn about them. Things haven’t gotten better since the Purview Product Polka tm (have a laugh and pronounce this like Daffy Duck) of April 2022. They will, it’ll just take time to reorganize.

I, myself, noticed I kept getting lost all the product names, capabilities and licensing. I am aware that this is probably just due to my hard-wired brain resisting change, but I got the feeling I didn’t know what I was doing anymore.

Although I may not be an expert in all Microsoft compliance products, I do subscribe to the idea that I should know (preferably more than) the basics about anything I frequently encounter or use.

Turns out I know a lot more about this stuff than I thought. Confidence restored šŸ˜Ž.

Launchpad

If you want to skip my introductory ramblings, I included a table of contents. From here you can jump directly to specific sections.

Wait, what?!

In case you missed it: last April (April 19, 2022) Microsoft announced it would be mashing a whole bunch of (somewhat) related, separate products together under one new family name: ā€œMicrosoft Purviewā€. They then went on to rename all the products (some more than others) to reflect this.

Donā€™t worry, itā€™s a good thing. Really.

No, no… Iā€™m not talking about ā€œAzure Purviewā€, but that’s part of this now, too.

The product stack was becoming extremely fragmented, and this is a step in the right direction. It will allow for streamlining and (I assume) licensing will become easier or maybe it will even move to the pay-per-use (or pay-Purview, if you will) model used by capabilities like Purview Data Map.

I apologize for this pun. Or Pay-Punview. Oh, no! I made it worse šŸ˜Š.

Purview Kirby

Flexing Purview Kirby is creepy.

The thing is, from one day to another, the docs suddenly called everything by its new name. With that, my brain couldn’t trigger slumbering knowledge about the subject.

You see, when I re-read documentation, I tend to recognize bits and pieces (and apparently product names). This seems to reactivate knowledge I haven’t used in a while so I can get back up to speed instantly.

Granted, they left vague notes telling you something like ā€œPurview Kirby ate this productā€ all over the place but as I couldn’t compare it to the old ways anymore, I got lost.

What remained was a compliancy-clueless consultant.

Believe me, I do not like being clueless. Or lost, for that matter.

My go-to resource for a structured overview of Microsoft 365 products, capabilities and licensing is (of course) the most excellent m365maps.com (thank you for saving me a lot of work, many times, @AaronDinnage). Unfortunately, it didnā€™t help this time. It’s last update stems from January 2022, and naturally the results of all this dancing around weren’t incorporated yet.

The ā€œDetailed Microsoft 365 Compliance Licensing Comparison XLS (April 2021)ā€ (insert maximum path length warning here) only mentions the capabilities, not the product names my brain remembers, so that didn’t help either.

As my memory about these products could use a refresher anyway, I decided to write it all up in a post. Without further ado, letā€™s see what exactly makes up this huge beast that is Microsoft Purview.

Please note that when it comes to licensing, I’m not going in-depth at all. I may note a bundle it’s included in, but there are many other, smaller bundles (not to mention add-on licenses). I bet you that’s all going to be simplified, anyway.

Microsoft Purview Audit

Formerly known as Microsoft 365 Basic Audit & Microsoft 365 Advanced Audit

You probably already use the ā€œStandardā€ (any Office 365) edition of this one, but donā€™t know it yet. Itā€™s enabled ā€˜for freeā€™ (and by default) in all Microsoft 365 and Office 365 subscriptions and is the base for all things auditing in your tenant.

This one also has a ā€œPremiumā€ flavor (Office 365 E5) which allows you to create auditing policies, give you longer retention for your logs (extending a measly 90 days to a year) and makes access extended events (like when an email was accessed or forwarded or even search history) available.

Bad user! Bad!

Microsoft Purview Communication Compliance

Formerly known as Microsoft 365 Communication Compliance

Sometimes all they did was a simple search-and-replace šŸ˜Š

Communication Compliance (Office 365 E5) will let you scan your communications (like email or Microsoft Teams chats) for inappropriate behavior. It also lets you report on and analyze this behavior (in the technical sense… therapy not included) and coordinate remediation.

Microsoft Purview Compliance Manager

Formerly known as Microsoft Compliance

Compliance Manager (any Office 365) lets you assess your compliance posture, compare it to Microsoftā€™s own data protection baseline. It then scores your compliance and gives advise on how to improve this score. Oh, it also keeps checking this behind the scenes and alerts you if anything changes.

Basically, itā€™s an automated data protection auditor and advisor.

Premium Assessments (Office 365 E5) offer these capabilities with complex standards, like GDPR, NIST 800-53, ISO 27001, and many, many more. Custom Assessments (Office 365 E5) lets you cook up your very own concoctions.

Microsoft Purview Customer Lockbox

Formerly known as Office 365 Customer Lockbox

Microsoft already has rigorous processes in place to make sure its employees canā€™t access your data without jumping through several approval hoops. Customer Lockbox (Office 365 E5) allows you to become part of this chain of approval and have the final say.

Unless you really, really, really donā€™t trust Microsoft, you will probably only use this if some external compliance obligation mandates it.

Even though Customer Lockbox implies the need for a Customer Key, the two capabilities things are completely unrelated.

Also, shouldn’t this be part of Insider Risk Management?

Microsoft Purview Data Connectors

Formerly known as Microsoft 365 Data Connectors

These things (Office 365 E5) let you pull third-party data (ranging from social media & communications to HR & healthcare) data under your compliance umbrella. There are many pre-made connectors available, ranging from physical badging, to HR, to healthcare. Most offer the full range of capabilities (eDiscovery, Data Lifecycle Management, Records Management, Communication Compliance, Insider Risk Management).

Microsoft Purview Data Lifecycle Management

Formerly known as Microsoft Information Governance

First and foremost: this oneā€™s all about retention, allowing you to specify when data should be retained and/or deleted.

Windows Recycle Bin icon
Retain all the things!

Record Labels can be applied manually (item-level) on email and files in your Microsoft cloud (Exchange Online P1, SharePoint Online P1, OneDrive for Business P1) and Microsoft Teams chats and channel posts (Microsoft 365 E5).  

Of course, youā€™re not pleased with manual work so you need some Retention Policies (which can, thankfully, be scoped dynamically) (Exchange Online P1, SharePoint Online P2, OneDrive for Business P2).

Trainable Classifiers (Microsoft 365 E5) take automation of this labeling to the next level, allowing you to train self-learning algorithms to do the work for you.

Surprisingly (at least to me), thereā€™s a couple of Exchange-specific capabilities (Exchange Online P2) named in this context as well: Bulk PST Imports, Inactive Mailbox Management, and In-place Archiving.

Microsoft Purview Data Loss Prevention

Formerly known as Office 365 Data Loss Prevention (and Endpoint DLP, apparently) with a dash of Microsoft/Azure Information Protection

Data Loss Prevention (DLP) is used to detect specific information types in data and prevent them from being shared with others. The simplest examples are credit card and social security numbers, but thatā€™s just the tip of the iceberg.

For some reason, the Microsoft 365 Security & Compliance service descriptions list DLP capabilities as part of Microsoft Purview Information Protection, and although thereā€™s some logic to it, I decided thatā€™s wrong for now šŸ˜Š.

You can apply DLP ā€œfor Exchange Online, SharePoint Online, and OneDrive for Businessā€ (Office 365 E3) which allows you to protect exactly that data in the cloud. Keep in mind, files in Teams are stored in SharePoint Online, so thatā€™s protected with this one as well, but communications are not. The DLP ā€œfor Microsoft Teamsā€ (Office 365 E5) capability adds that to your arsenal, as well. Finally, DLP ā€œfor Power BIā€ (Office 365 E5) protects your PBI workspaces (at a performance cost though).

At the time of writing, the capabilities in this product are having a bit of an identity crisis on their own. The ā€œfor Exchange Online, SharePoint Online, and OneDrive for Businessā€ capability is also referred to as ā€œfor Email and Filesā€ and you may see ā€œfor Microsoft Teamsā€ (ambiguously) being called ā€œfor Chatā€ and ā€œfor Communicationsā€. Just to keep things interesting while the docs are being reviewed.

The On-premises Scanner (Office 365 E5) allows you to apply DLP to your on-prem file shares and SharePoint libraries. This is completely dependent on Azure Information Protection (AIP) Scanner.

AIP Scanner, in turn, requires AIP (Unified Labeling) Client. AIP Client is in maintenance mode. Iā€™m assuming that these dependencies will be resolved when AIP is retired, as Sensitivity Labels depend on it as well.

And then thereā€™s Endpoint DLP (Office 365 E5). You use this to extend control over labelled items when they are stored on endpoints. It wasnā€™t part of the oldskool Office 365 DLP capabilities, afaik. It, however is not mentioned in the P-P-Polka announcement at all and the docs say “put it under this header”.

Microsoft Purview Records Management

Formerly known as Records Management in Microsoft 365

Closely related to Data Lifecycle Management, this offers retention-labels-on-steroids and calls it Record Labels (Office 365 E5).

Remember this?

No, it’s not a Zune revival. Basically, these are labels linked to retention policies that cannot be removed (even by an admin). These labels can automatically apply when specific events occur (Office 365 E5), like the termination of an employee or retirement of assets.

When the data is finally up for deletion, you can let managers review them and then get rid of them (and generate proof of disposal, if Audit is enabled) (Office 365 E5).

Record Labels can also use the Trainable Classifiers (Microsoft 365 E5) mentioned earlier.

Microsoft Purview eDiscovery

Formerly known as Office 365 Core eDiscovery, Office 365 Advanced eDiscovery

This eDiscovery thing all starts with Search & Export, which isn’t even part of this product. Those capabilities are handled by Content Search (Office 365 E1). I had to mention them, though, because without them, eDiscovery couldn’t work.

The ā€œStandardā€ edition of eDiscovery (Exchange Online P2,  SharePoint Online P2) gives you simple case management and (Legal) Hold capabilities.

“John-E5”. Get it? Okay, I’ll stop now.

If you splurge on the ā€œPremiumā€ edition (Office 365 E5), you get some pretty advanced case management. That includes workflows so your legal team can manage data custodians performing search, export & hold actions for them.

And, as all things E5, thereā€™s some degree of automation involved. Error Remediation will, for instance, automatically strip password protection on selected file formats. Predictive Code Models will try to learn what data is relevant and what is not (and filter your sets accordingly).

Microsoft Purview Information Barriers

Formerly known as Microsoft 365 Information Barriers

Information Barriers (Office 365 E5) do exactly what the name suggest: it forms barriers which data cannot cross. Youā€™d use this to prevent data being shared within your organization. Like finance data reaching tech support staff, for example.

Microsoft Purview Information Protection

Formerly known as Microsoft/Azure Information Protection, Customer Key for Microsoft 365, Double Key Encryption for Microsoft 365, Office 365 (Advanced) Message Encryption

The main capability here (imho) are [is?] Sensitivity Labels, used to classify and protect sensitive files and emails containing sensitive information. You can simply mark them with headers, footers and/or watermarks but also require encryption and even enforce sharing policies.

Protection is enforced through the Office apps (desktop, mobile and web) or Microsoft Defender for Cloud Apps (MDCA), which allows you to protect third-party apps and services like SalesForce or DropBox.

Of course, MDCA may requires additional configuration (and maybe even licensing).

In its purest form, Sensitivity Labels are manually applied (Office 365 F1). Automatic labeling is available on the client-side as (user-rejectable) label recommendations (EM+S E5), the server-side by labeling policies (Office 365 E5). The exact capabilities vary with the approach used.

Purview Data Map is also able to automatically apply labels, but thatā€™s a different product all together.

Labels can also be applied to data exported (to Excel, PowerPoint or PDF) from Power BI (EM+S E3).

As basically all labeling can be applied with Trainable Classifiers (Microsoft 365 E5), these are available here as well (for client-side labeling).

Moving on to Content Explorer (Office 365 E3), which gives insight in the volume and location of (labeled) data, showing you detailed views of where data is travelling. Activity Explorer (Office 365 E5) lets you see what end-users are doing with it, including (Endpoint) DLP logs, auto-labeling, et cetera.

Customer Key (CK) (Office 365 E5) and Double Key Encryption (DKE) (Office 365 E5) were also gobbled up by this product. CK gives you full control of your tenantā€™s data-at-rest encryption keys (remember: with great power comes great responsibility). DKE (which can be applied separately) adds another key to the encryption for selected data which means that an attacker would need two keys (hence the ā€œdoubleā€ part) to decrypt it.

(Advanced) Message Encryption was missing from the announcement but deserves to be mentioned. In its ā€œStandardā€ form (EM+S E3), you get to encrypt message and add some rights management (like do-not-forward). This works for both internal and external recipients and attachments are protected as well.

ā€œAdvancedā€ (EM+S E5) adds message revocation (also known as “the career-saver” šŸ˜Š), message expiration and additional branding templates.

The docs suggest it belongs here. I (kind of) agree, but Iā€™m having a hard time getting used to it.

Microsoft Purview Insider Risk Management

Formerly known as Microsoft 365 Insider Risk Management

Insider Risk Management (Microsoft 365 E5) contains capabilities used to detect, respond to, and ultimately prevent risks from inside your tenant. Itā€™s basically a pre-configured Log Analytics implementation, scrutinizing logs from Microsoft 365 and Graph API to detect potential risks.  

Once its wide range of policies detect unwanted behavior (like data leakage, security violations or patient data misuse), an alert will be generated. From there you get tooling to triage and investigation.

It even has extensions to prevent browser exfiltration. Well, in Edge and Chrome, at least.

Hopefully, nudging the employee in the right direction is all the correction you need. But, if not, IRM is integrated with eDiscovery (Premium) and recently Office 365 Management APIs were added.

Also missing from the announcement was Privileged Access Management (PAM) (Office 365 E5), Exchange Onlineā€™s equivalent to Privileged Identity Management (PIM). It eliminates the need for standing access to Exchange tasks, roles or role groups and allows for just-in-time access (with approval).

Microsoft Purview Data Map, Data Catalog and Data Estate Insights

Formerly known as Azure Purview Data Map, Azure Data Catalog and Azure Data Insights

These are the governance solutions that are now part of the Purview family. In a nutshell itā€™s an advanced, private search engine, offering discovery, mapping, classification, analysis, and searching capabilities in in multi-cloud (including your on-prem cloud) and SaaS data.

Iā€™m not going to dive into them for this post as theyā€™re not tied to any traditional licenses (itā€™s a pay-per-use model).

Also, this post has become way too large and I’m tired.

One Comment

Let me know what you think!

This site uses Akismet to reduce spam. Learn how your comment data is processed.