CTRL + ALT + Data Security #20
Product Updates and Announcements
Data Loss Prevention
General availability (GA): Learn about the Microsoft 365 Copilot policy location released to GA.
In preview: You can rename DLP policies.
In preview: New Block Users From Sharing Sensitive Information to Unmanaged AI Apps Via Edge on Managed Devices (preview). Browser-based DLP extends monitoring and control of sharing activities and protective actions to Microsoft Edge without the need to onboard the device.
Data Security Posture Management for AI
General availability (GA): Recommendation and one-click policy to capture interactions for Microsoft Copilot experiences, which captures prompts and responses for Security Copilot and Copilot in Fabric. The first Copilot in Fabric supported by DSPM for AI and other Microsoft Purview solutions is Copilot for Power BI.
In preview: Rolling out, new one-click policies from the recommendation Extend your insights for data discovery. These use the recently released browser-based DLP capability that blocks users from sharing sensitive information to unmanaged AI apps via Edge without the need to onboard the device:
DSPM for AI - Detect sensitive info added to AI sites
DSPM for AI - Detect when users visit AI sites
DSPM for AI - Detect sensitive info shared in AI prompts in Edge
Documentation update: The main documentation for DSPM for AI is moved to Learn about Data Security Posture Management (DSPM) for AI, with new articles for each major AI app or category that's listed in the updated Microsoft Purview data security and compliance protections for generative AI apps article. For example, if you're interested specifically in Microsoft 365 Copilot, that information is moved to Use Microsoft Purview to manage data security & compliance for Microsoft 365 Copilot & Microsoft 365 Copilot Chat.
New: Rolling out, the following new roles are added to support view-only permissions for DSPM for AI:
Purview Data Security AI Viewer: View-only permissions in DSPM for AI, for sensitivity labels, and sensitive information types only.
Purview Data Security AI Content Viewer: View-only permissions specific to AI interactions (prompts and responses) in DSPM for AI.
AI Administrator: Recently introduced role from Microsoft Entra to manage Microsoft Copilot. In Microsoft Purview, this role provides view-only permissions in DSPM for AI, for sensitivity labels, and sensitive information types—the equivalent of the Purview Data Security AI Viewer role, but also can be used with other management solutions.
In preview: Rolling out, a new Web searched filter in activity explorer that helps you locate web queries in prompts with the search query text itself displayed as part of the AI interaction event.
New: The Overview page now has two views, for All AI apps (the default and previous view) and Microsoft 365 Copilot. The new Microsoft 365 Copilot view has recommendations and data specific to just Microsoft 365 Copilot to guide you through managing data security & compliance for these AI interactions.
Update: Previously, an administrator who was assigned to one or more administrative units could create policies for all users. This scenario is now prevented and only unrestricted administrators can create the one-click policies that apply to all users.
Update: The recommendation Protect items with sensitivity labels from Microsoft 365 Copilot and agent processing now helps you create the DLP policy without leaving DSPM for AI. You're prompted to select one or more of your sensitivity labels for the one-click policy that's named DSPM for AI - Protect sensitive data from Copilot processing.
Sensitivity labels
General availability (GA): Now rolling out in general availability, support for files in SharePoint or OneDrive that are labeled with user-defined permissions. Support now includes search, data loss prevention, and eDiscovery support for newly uploaded and edited files.
In preview: Gradually rolling out, a change to the sensitivity labeling scheme to replace parent labels with label groups. Although users won't see a difference in their apps, label groups support better organization and reduce the deployment complexity. Unlike parent labels, they can't be configured for label settings other than name, description, color, and priority. They also can't be published by themselves. To convert existing parent labels to label groups, you must manually migrate them.
Insider Risk Management
In preview: New support for a Microsoft Security Copilot Agent for Insider Risk Management. The Microsoft Purview Insider Risk Management Triage Agent provides an agent-managed alert queue where the alerts about the highest risk activities are identified and prioritized on the Alert Triage Agent dashboard (preview). For more information, see Security Copilot Agents in Microsoft Purview Overview (preview).
Data Lifecycle Management
General availability (GA): New retention policy locations and expanded support for Copilots and AI apps. Teams chats have been separated from Microsoft 365 Copilot interactions, with a location just for Teams chat. Current locations that support Copilot and other AI apps:
Microsoft Copilot experiences: Microsoft 365 Copilot, Security Copilot, Copilot in Fabric, Copilot Studio
Enterprise AI Apps: Microsoft Entra-registered AI apps, ChatGPT Enterprise, Azure AI services
Other AI Apps: ChatGPT, Google Gemini, Microsoft Copilot, DeepSeek
Data Governance
General availability (GA): If your Fabric Lakehouse tenant is running on a virtual network or behind a private endpoint, you can now use Microsoft Purview data quality virtual network enabled compute to connect and perform data quality assessments, including profiling and rule-based scanning. This feature is now generally available and supported across all regions.
General availability (GA): Critical data identification, which measures the percentage of business domains that have at least one critical data element defined, is now generally available. Chief Data Officers (CDOs), Data Stewards, and Data Product owners can measure and monitor whether there are any critical data elements in their business domain to govern.
In preview: The custom metadata (preview) area in Unified Catalog centralizes the creation and management of user-defined attributes, which provide context to describe and organize data. Attribute types are the new business concept attributes (preview) and data asset attributes (formerly "managed attributes" in the classic governance experience).
Update: You can customize the label for contacts in data products.
In preview: Data quality error record publishing to customers’ cloud storage is now available in all supported Azure regions. Data engineers, data quality stewards, and analysts can review and correct data, as well as monitor continuous improvements by creating dashboards with Unified Catalog metadata and Data quality error records for their data governance and data quality teams. This feature helps Microsoft Purview Unified Catalog users not only measure and monitor data quality, but also improve it by enabling them to correct data quality error records and handle rule exceptions.
General availability (GA): The virtual network (vNet) provisioning admin capability to provision a virtual network for data quality scans is now generally available. Microsoft Purview Data Governance Administrators can provision a virtual network compute location in supported Azure regions by navigating to Settings > Unified Catalog > Virtual network.
Blog posts and Community Content
Quantum-safe security: Progress towards next-generation cryptography
A great blog on our strategy for quantum-safe security - with everything going on, we can sometimes lose track of advancements in technology as they come through:
"While scalable quantum computing is not available today, the time to prepare is now. Microsoft is preparing to be quantum-safe and partnering with regulatory and technical bodies like the National Institute of Standards and Technology (NIST), Internet Engineering Task Force (IETF), International Organization for Standardization (ISO), Distributed Management Task Force (DMTF), Open Compute Project (OCP), and European Telecommunications Standards Institute (ETSI) to align on quantum-safe encryption standards and support worldwide interoperability."
Worth checking out for the quantum-safe program, as well as its foundational security components, but the whole blog is worth spending some time reading through!
The link can be found here: https://www.microsoft.com/en-us/security/blog/2025/08/20/quantum-safe-security-progress-towards-next-generation-cryptography/
Dissecting PipeMagic: Inside the architecture of a modular backdoor framework
Great blog post if you're interested in the tactics, techniques and procedures (TTPs) that a threat actor may use to evade detection - in this case, PipeMagic, a modular backdoor used by Storm-2460 that looks like a legitimate ChatGPT Desktop application - well worth the read!
The link can be found here: https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/







