

Create and Deploy collection policies

There are many configuration options in a Microsoft Purview collection policy. Each option changes the policy's behavior. This article presents some common intent scenarios for policies that map to configuration options. Then it walks you through configuring those options. Once you familiarize yourself with these scenarios, you'll have the foundational skills that you need to use the collection policy creation UX to create your own policies.

Before you begin

If you're new to Microsoft Purview collection policies, here's a list of the core articles you should be familiar with first.

SKU/subscriptions licensing

For information on licensing, see Learn about Microsoft Purview billing models.

Granular Roles and Role Groups

There are roles and role groups that you can use to fine-tune your access controls.

Here's a list of applicable roles.

  • DLP Compliance Management

To learn more, see Permissions in the Microsoft Purview portal.

Here's a list of applicable role groups.

  • Organization Management
  • Compliance Administrator
  • Security Administrator
  • Insider Risk Management Admin
  • Information Protection Admins
  • Data Security Viewers (read-only support)

Policy creation scenarios

There are so many configuration options in the policy creation flow that it's not possible to cover every configuration, or even most of them. So this article covers several of the most common collection policy scenarios. Going through these gives you hands-on experience across a broad range of configurations.

Scenario 1: Detect sensitive data shared with unmanaged cloud apps via network (preview)

This scenario detects sensitive data shared with unmanaged cloud apps at the network level. Visibility into the network traffic is provided by an integrated Secure Access Service Edge (SASE) provider, so it requires the integration to be configured and enabled. These steps are covered in this scenario.

Note

This is a hypothetical scenario with hypothetical values. It's only for illustrative purposes. You should substitute your own sensitive information types, sensitivity labels, distribution groups and users.

Scenario 1 prerequisites and assumptions

Configuring network data security is a multi-phase process.

  1. Set up the Purview integration with one or more SASE providers.
  2. Configure a collection policy to detect sensitive data shared with unmanaged cloud apps at the network level.
  3. View the network data security data.

Scenario 1 policy intent statement and mapping

We need to detect data that is sensitive to our organization in text or files shared by any user in the "US Sales" group through browsers, applications, add-ins, APIs, and more, with unmanaged cloud apps, such as ChatGPT, Dropbox, Slack, or Gmail.

Statement | Configuration question answered and configuration mapping
"We need to detect data that is sensitive to our organization" | Data to detect: All classifiers, excluding All Full Names and All Physical Addresses
"...in text or files..." | Activities to detect: Text sent to or shared with cloud or AI app; File uploaded to or shared with cloud or AI app
"...shared by any user in the "US Sales" group through browsers, applications, add-ins, APIs, and more, with unmanaged cloud apps, such as ChatGPT, Dropbox, Slack, or Gmail..." | Where to apply: Unmanaged cloud apps: ChatGPT, Dropbox, Slack, Gmail; Scope: Include "US Sales" group
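To make the mapping above concrete, here is an added model (not Purview's matching engine and not part of this article) of how the scenario 1 conditions compose: scope, data source, activity, and the classifier exclusion. All users, group memberships, and events are constructed sample data; the classifier names are used as plain labels.

```python
# Added illustration of the scenario 1 policy logic. This is a simplified model
# written for this article, not Purview's actual evaluation engine.
from dataclasses import dataclass, field

# Configuration values taken from the scenario 1 mapping table.
EXCLUDED_CLASSIFIERS = {"All Full Names", "All Physical Addresses"}
ACTIVITIES = {"Text sent to or shared with cloud or AI app",
              "File uploaded to or shared with cloud or AI app"}
UNMANAGED_APPS = {"ChatGPT", "Dropbox", "Slack", "Gmail"}
INCLUDED_GROUPS = {"US Sales"}

# Constructed group membership with hypothetical users.
GROUP_MEMBERS = {"US Sales": {"alice@contoso.example", "bob@contoso.example"}}


@dataclass
class NetworkEvent:
    user: str
    app: str
    activity: str
    classifiers: set = field(default_factory=set)  # classifiers detected in the content


def in_scope(user: str) -> bool:
    """Scope is 'Include only specific': the user must be in an included group."""
    return any(user in GROUP_MEMBERS.get(g, set()) for g in INCLUDED_GROUPS)


def matches_policy(event: NetworkEvent) -> set:
    """Return the classifiers that cause a match (empty set means no match).

    'All classifiers excluding X' is modelled as: any detected classifier not in
    the exclusion list counts, so an excluded classifier that co-occurs with a
    non-excluded one does not suppress the match.
    """
    if not in_scope(event.user):
        return set()
    if event.app not in UNMANAGED_APPS or event.activity not in ACTIVITIES:
        return set()
    return event.classifiers - EXCLUDED_CLASSIFIERS


# Constructed sample events: in scope + excluded-only, in scope + mixed,
# out-of-scope user, and an app that is not in the unmanaged list.
SAMPLE_EVENTS = [
    NetworkEvent("alice@contoso.example", "ChatGPT", "Text sent to or shared with cloud or AI app", {"All Full Names"}),
    NetworkEvent("alice@contoso.example", "Dropbox", "File uploaded to or shared with cloud or AI app", {"All Full Names", "Credit Card Number"}),
    NetworkEvent("carol@contoso.example", "Dropbox", "File uploaded to or shared with cloud or AI app", {"Credit Card Number"}),
    NetworkEvent("bob@contoso.example", "OneDrive", "File uploaded to or shared with cloud or AI app", {"Credit Card Number"}),
]


def detected_events(events=SAMPLE_EVENTS) -> list:
    """List (user, app, matched classifiers) for events the policy would detect."""
    return [(e.user, e.app, matches_policy(e)) for e in events if matches_policy(e)]
```

Running `detected_events()` shows that only the second event is detected: the first carries only an excluded classifier, the third user is outside the "US Sales" scope, and the fourth targets an app that is not in the unmanaged list.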

Steps to create policy for scenario 1

SASE provider integration

  1. In the Microsoft Purview portal, open Settings (in the upper right-hand corner) > Data loss prevention > Integrations.
  2. Select Get started for the SASE solution provider you want to integrate with.
  3. Complete the steps provided in the integration wizard. The steps vary depending on the SASE provider you choose.

Configure collection policy for network data security

  1. Sign in to the Microsoft Purview portal.
  2. Open the Data loss prevention solution and navigate to Classifiers > Collection policies (preview).
  3. Select + Create policy.
  4. Give the policy a Name and an optional Description. You can use the policy intent statement here.
  5. Choose Next.
  6. Select + Add condition and choose Content contains.
  7. Select Classifiers and then Edit.
  8. In the Scope for classifiers flyout, check Exclude classifiers and then select + Exclude classifiers.
  9. In the Choose Classifiers flyout, select All Full Names and All Physical Addresses then select Done.
  10. Select Done then select Next.
  11. Select + Add activities.
  12. Select Text sent to or shared with cloud or AI app and File uploaded to or shared with cloud or AI app.
  13. Select Add then Next.
  14. Select + Add data source.
  15. Select the Unmanaged cloud apps tab.
  16. Search for and select ChatGPT, Dropbox, Slack, and Gmail and select Add.
  17. Select Edit scope on the Unmanaged cloud apps row.
  18. Select the Include only specific option, and on the Included tab select + Add inclusions.
  19. Search for the US Sales group, select it, and select Add.
  20. Select Save and close then select Next.
  21. Leave the default option of Don't capture content and select Next.
  22. Ensure Network is enabled and select Next.
  23. Ensure Turn on is enabled and select Next.
  24. Review the policy settings and select Create policy.
  25. Review the Next steps and select Done.

Viewing the network data security data

You can view network sensitive data matches in two Purview tools:

Activity explorer

  1. Open the Data loss prevention solution and navigate to Explorers > Activity explorer.
  2. Select + Add filter and choose Enforcement plane.
  3. Select the Enforcement plane filter and select Network.
  4. Select Apply.

DSPM for AI

  1. Open the DSPM for AI solution.
  2. Navigate to Reports to see high-level reports and graphs breaking down the interactions detected by the collection policy.
  3. Navigate to Activity explorer to see individual AI interactions and sensitive information detection events.

Note

Unless you've enabled content capture for AI interactions in the collection policy, only sensitive content matches will be available to view.