Microsoft Purview best practices
If you are a Microsoft 365 professional, you are probably aware that Microsoft offers a program that helps protect data and information – Microsoft Purview. And while Microsoft 365 professionals are usually very knowledgeable about what Purview can do in Microsoft 365, did you know that Purview offers a ton of different services for your data outside of your tenant as well?
As we all know, many major cyberattacks in recent years have compromised businesses and organizations due to states increasingly using dedicated teams to attack each other’s digital infrastructure. Unfortunately, commercial entities often get caught in the crossfire.
Today, more than ever, it is essential for an organization to carefully monitor and protect its data from any unauthorized access or hacker attacks, both in your Microsoft 365 tenant, as well as the data that sits outside. This is why we’ll show you some of the features that Microsoft Purview offers to protect your data outside your tenant.
What is Microsoft Purview
Microsoft Purview is a set of compliance, risk, and governance solutions for Microsoft 365. It helps organizations govern, protect, and manage their data. It provides a unified platform for data discovery, classification, and lineage, as well as data cataloging, mapping, and monitoring to ensure data is well-managed and compliant with regulations.
Microsoft Purview combines the former Azure Purview and Microsoft 365 compliance solutions and services into a single brand.
Bringing together Azure and M365 compliance aligns with Microsoft’s continuous updates and developments to its services to enhance the end-user experience and make it easier to use.
The main features offered under Microsoft Purview are:
Microsoft Purview Governance portal
The governance portal is the main central service in Microsoft Purview to govern and manage unified data. Additionally, it is designed to help you manage data types such as on-premises, multi-cloud, and software-as-a-service.
The main features of the governance portal are:
- Creating up-to-date data maps with advanced features such as automated data discovery, classification of important data, and tracing of data lineage.
- Allowing your security administrators to maintain the privacy and protection of your data assets.
- Allowing authorized data users to locate and secure important data.
Microsoft Purview Data map – scan, define, and register your data sources
Microsoft Purview essentially works by creating a directory for all your important and secure data, called a data map. A data map collects and compiles your data estate so that it is more manageable and can be easily scanned, discovered, and classified.
In a way, the data map is the foundation of Microsoft Purview's entire operation: the applications described below all run on top of it, and together they create an environment for storing, accessing, and gaining insights about data.
Microsoft Purview Data catalog – for defining your business glossary
This application builds on the groundwork provided by the data map and acts as a catalog for your data stores. It categorizes and sorts your data assets based on parameters such as glossary terms, classifications, sensitivity labels, and more.
Sorting and filing the data with these different search filters makes searching for and finding particular data very easy.
Microsoft Purview Data estate insights – built for compliance data management and data use
This application also operates off the data map. It provides a holistic picture of your data estate along with insights and information about your data, which you can use to produce tangible results.
A handy feature of these insights is that the application automatically works on its own to generate and provide them as users work.
This allows the users of these insights, primarily chief data officers or data managers, to pay attention to the information in the insights themselves instead of wasting time and energy manually building reports.
Microsoft Purview Data sharing – share data securely
Storing and systematically organizing data is only part of what a data map is good for. What good is data if you cannot securely share it with the right people?
The data sharing feature in Microsoft Purview allows organizations and businesses to share their data in a secure and protected manner with internal or external users. A key security feature in this operation is that the original data provider can coordinate, monitor, and control data-sharing relationships. This allows them to restrict access at any time if they detect any suspicious activity.
Microsoft Purview deployment best practices
You can deploy Microsoft Purview using the Azure portal or a PowerShell script.
There are certain best practices to deploy Microsoft Purview which increase the quality of your data governance operations. Using these best practices is the optimal way to extract the maximum value from Microsoft Purview.
Prerequisites to configure Microsoft Purview
Before you can deploy Microsoft Purview, you must meet certain prerequisites. Since Microsoft Purview Unified Data Governance is hosted in Azure you need to have:
- An Azure subscription.
- A Microsoft Entra tenant associated with your subscription.
- The user account that you use to sign in to Azure must be a member of the contributor or owner role, or an administrator of the Azure subscription.
If that is the case, then you need to implement Azure Policy exemptions so the required resources can be used and utilized in the data management landing zone, along with Microsoft Purview deployment.
Configuring needed resource providers in subscription
Next, you need to register the required Azure resource providers in the data management landing zone subscription: Microsoft.EventHub, Microsoft.Purview, and Microsoft.Storage.
Create an Azure Purview account
Once you’ve met the above preconditions, you need to create your Microsoft Purview account in the Azure portal.
Simply search for Microsoft Purview and then click “create” to create a new Microsoft Purview account.
After successfully creating your Microsoft Purview account, you can head on to the governance portal to access and manage it.
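The deployment steps above (register the resource providers, then create the account) can be scripted with Azure PowerShell, which the article names as one of the deployment options. The following is an added example, not the article's own code: it assumes the Az.Accounts, Az.Resources and Az.Purview modules are installed, that `Connect-AzAccount` has already been run with an account holding the Contributor or Owner role on the subscription, and that the subscription id, resource group, region and account name are placeholders to replace. The `New-AzPurviewAccount` parameter names (including `-SkuName`/`-SkuCapacity`) are taken from the Az.Purview module as I know it; check `Get-Help New-AzPurviewAccount -Full` against your installed version.

```powershell
# Added example (not from the article): register the resource providers the
# article lists and create a Purview account with Azure PowerShell.
# Assumes Az.Accounts, Az.Resources and Az.Purview are installed and that
# Connect-AzAccount has already been run. All names below are placeholders.

$subscriptionId = '<your-subscription-id>'
$resourceGroup  = 'rg-purview-example'
$location       = 'westeurope'
$accountName    = 'purview-example-account'   # must be globally unique

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Register the resource providers named in the article. Registration is
#    asynchronous, so poll until each one reports 'Registered'.
$providers = 'Microsoft.EventHub', 'Microsoft.Purview', 'Microsoft.Storage'
foreach ($ns in $providers) {
    $state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -First 1
    if ($state -ne 'Registered') {
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}
foreach ($ns in $providers) {
    do {
        Start-Sleep -Seconds 10
        $state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -First 1
    } until ($state -eq 'Registered')
    Write-Host "$ns : $state"
}

# 2. Resource group that will hold the account.
if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $resourceGroup -Location $location | Out-Null
}

# 3. Create the Purview account. A system-assigned managed identity lets the
#    scanner authenticate to data sources without stored credentials, and
#    disabling public network access restricts the governance portal and APIs
#    to private endpoints. SKU values are an assumption; see the lead-in.
$account = New-AzPurviewAccount -Name $accountName `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -IdentityType SystemAssigned `
    -SkuName Standard `
    -SkuCapacity 4 `
    -PublicNetworkAccess Disabled

$account | Select-Object Name, Location, ProvisioningState, PublicNetworkAccess
```

Keeping the resource-provider check and the account creation in one idempotent script means the same file can be re-run safely in the data management landing zone; with public network access disabled, the private endpoints for the account and portal still have to be created separately before anyone can reach the governance portal.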
Assign data plane roles – for access to data sources
Once all these processes are completed, you need to assign data plane roles that grant access to data sources, determining how deeply your various users can interact with your data estate depending on their needs.
Among some of the data plane roles in Microsoft Purview are collection administrator, data curator, data reader, data share contributor, data source administrator, insights reader, and more.
These roles all have different permissions regarding interaction with data.
Microsoft Purview security best practices
You can use Microsoft Purview to set up security protocols to comply with various regulatory requirements.
As a part of Microsoft Purview, the compliance portal is a great starting point when setting up a security setting, as it indicates your current compliance score. It will also show you a compliance score breakdown to understand better where you need to improve.
Now let’s go into the best security practices that you need to set up in Purview and how to access them:
Identity and access management
Ultimately, a large part of ensuring security in Microsoft Purview boils down to identity and access management, which is why we discussed assigning data plane roles earlier.
The core tenet of data security management is that not all users can access all levels of data. There should be measures to check the identity or role of the user requesting data access before granting them.
Conditional access
One way to manage access of users is by granting conditional access depending on the user’s identity or data plane role.
Conditional access works by verifying that the user making a request fulfills certain conditions before data access and use are granted. For example, access to certain data can be limited to the higher-level data plane roles, such as Collection Admin, Data Source Admin, and Data Curator.
You can also design and implement these conditions to best determine how you want this mechanism to operate.
Authentication and authorization
Identity authentication and authorization work in tandem for any online space, not just Microsoft Purview.
The security system first authenticates whether a user requesting data access is genuine or meets certain conditions and then authorizes their access.
The easiest way to implement this policy is through multi-factor authentication, which adds further verification steps that must be passed before data access is granted – this is especially important for higher-level roles and sensitive information.
Apply sensitivity labels
Sensitivity labels denote identifiers for data files and assets themselves, which indicate the level of importance and value a data file might have.
Sensitivity labels help keep track of important data to ensure it is not lost among the clutter. They also lead to enhanced care and diligence on the part of the users as they know not to tamper with or mistreat highly sensitive data.
You can secure this further by designating which roles can access data at each sensitivity level, with lower data plane roles blocked from data carrying confidential or highly confidential labels.
If you want to dig deeper into the subject check out our webinar on safeguarding sensitive data with Microsoft Purview.
Microsoft Purview automation best practices
The best security cannot be micromanaged. You have to design automated or semi-automated processes that manage security and then trust them to work while fine-tuning them over time.
Microsoft Purview has many great features, as we described in this article. However, you can only automate some tasks with Purview out of the box.
Here are the best practice actions for automation:
Triggering a scan as an automated process
This is a no-brainer. Instead of your users or the data coordinator prompting and running a scan manually, scan triggers should be automated processes set for certain intervals which start, end, and analyze on their own.
This eliminates the chance of human error, such as forgetting to run a scan.
Monitoring metadata changes in real-time
With automated scans, an organization can keep track of, monitor, and take action on metadata changes or anomalies in real time. In the digital world, prompt action can mean the difference between a virus or hackers corrupting only part of your data files or all of them.
Real-time monitoring combined with real-time action affords enhanced security to your Microsoft Purview operations.
You need to use some tools to enable task automation in Microsoft Purview.
- Azure CLI with the Purview extension – enables command execution from the terminal and can manage Purview accounts.
- Azure PowerShell – a tool that, together with the Purview module, can create and manage Purview accounts and resources.
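As an added example of the scan automation described above (this is my code, not the article's or Microsoft's), the following Azure PowerShell script triggers a scan on an existing data source and waits for the run to finish, so it can be placed in a scheduled Azure Automation runbook instead of being started by hand. It assumes `Connect-AzAccount` has been run with an identity holding the Data Source Administrator role on the relevant collection, that the data source and scan already exist, and that the account, data source and scan names are placeholders. The REST paths, the `scanLevel` query parameter, the run-history `id`/`status` fields and the status values are written from the Purview scanning data-plane API (api-version 2022-02-01-preview) as I recall it and are assumptions to check against the current reference.

```powershell
# Added example (not from the article): trigger a Purview scan and wait for it.
# Assumes Connect-AzAccount has been run with a Data Source Administrator
# identity and that the data source and scan already exist. All names are
# placeholders; the REST paths and field names are assumptions (see lead-in).

$accountName    = 'purview-example-account'
$dataSourceName = 'AzureDataLake-example'
$scanName       = 'Scan-example'
$apiVersion     = '2022-02-01-preview'
$endpoint       = "https://$accountName.purview.azure.com"

# The Purview data plane uses a different token audience from ARM.
# Recent Az.Accounts versions return the token as a SecureString.
$tokenObj = Get-AzAccessToken -ResourceUrl 'https://purview.azure.net'
$token = if ($tokenObj.Token -is [securestring]) {
    [System.Net.NetworkCredential]::new('', $tokenObj.Token).Password
} else {
    $tokenObj.Token
}
$headers = @{ Authorization = "Bearer $token" }

# Each run is identified by a client-supplied run id.
$runId  = [guid]::NewGuid().ToString()
$runUri = "$endpoint/scan/datasources/$dataSourceName/scans/$scanName/runs/$runId" +
          "?api-version=$apiVersion&scanLevel=Incremental"

Invoke-RestMethod -Method Put -Uri $runUri -Headers $headers | Out-Null
Write-Host "Started scan '$scanName' run $runId"

# Poll the scan run history until this run leaves the queued/running states.
$historyUri = "$endpoint/scan/datasources/$dataSourceName/scans/$scanName/runs?api-version=$apiVersion"
do {
    Start-Sleep -Seconds 30
    $runs   = (Invoke-RestMethod -Method Get -Uri $historyUri -Headers $headers).value
    $run    = $runs | Where-Object { $_.id -eq $runId }
    $status = if ($run) { $run.status } else { 'Queued' }
    Write-Host "$(Get-Date -Format u)  $status"
} while ($status -in 'Queued', 'Running')

# Fail the runbook loudly so a skipped or broken scan surfaces in monitoring
# rather than silently leaving the data map stale.
if ($status -ne 'Succeeded') {
    throw "Scan '$scanName' run $runId ended with status '$status'"
}
```

Throwing on any non-successful status is deliberate: a scheduled job that quietly swallows a failed scan defeats the point of automating it, since the catalog and sensitivity classifications would age without anyone noticing. Running the script under a managed identity assigned only the Data Source Administrator role on the collection keeps it within the least privilege needed to trigger scans.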
Syskit Point – a centralized Microsoft 365 platform for security and automation
If all of that sounds slightly intimidating, we will not sugar-coat it and tell you it is not. Maintaining best practices for optimal security in Microsoft Purview is not a cakewalk, but if you want to keep your data estate protected and safe, you need to follow them.
To that end, there are external organizations and services which can take care of these matters for you and ensure bulletproof security without an organization needing to get bogged down in the processes itself.
Many IT admins use Syskit Point’s customized, easy-to-use provisioning templates for Teams, Yammer Communities, Microsoft 365 Groups, and SharePoint Sites to help solve the challenges of Office 365 security.
Check out Syskit Point and discover how its governance automation and security features can make your everyday tasks easier. A useful feature of Syskit Point is how it is an all-in-one package that has everything in one place, from governance to automation to security – ensuring all your needs and requirements are met by one platform.