Unlocking the Power of Microsoft Purview for ChatGPT Enterprise
In today's rapidly evolving technology landscape, data security and compliance are key. Microsoft Purview offers a robust solution for managing and securing interactions with AI based solutions. This integration not only enhances data governance but also ensures that sensitive information is handled with the appropriate controls. Let's dive into the benefits of this integration and outline the steps to integrate with ChatGPT Enterprise in specific. The integration works for Entra connected users on the ChatGPT workspace, if you have needs that goes beyond this, please tell us why and how it impacts you. Benefits of Integrating ChatGPT Enterprise with Microsoft Purview Enhanced Data Security: By integrating ChatGPT Enterprise with Microsoft Purview, organizations can ensure that interactions are securely captured and stored within their Microsoft 365 tenant. This includes user text prompts and AI app text responses, providing a comprehensive record of communications. Compliance and Governance: Microsoft Purview offers a range of compliance solutions, including Insider Risk Management, eDiscovery, Communication Compliance, and Data Lifecycle & Records Management. These tools help organizations meet regulatory requirements and manage data effectively. Customizable Detection: The integration allows for the detection of built in can custom classifiers for sensitive information, which can be customized to meet the specific needs of the organization. To help ensures that sensitive data is identified and protected. The audit data streams into Advanced Hunting and the Unified Audit events that can generate visualisations of trends and other insights. Seamless Integration: The ChatGPT Enterprise integration uses the Purview API to push data into Compliant Storage, ensuring that external data sources cannot access and push data directly. This provides an additional layer of security and control. Step-by-Step Guide to Setting Up the Integration 1. Get Object ID for the Purview account in Your Tenant: Go to portal.azure.com and search for "Microsoft Purview" in the search bar. Click on "Microsoft Purview accounts" from the search results. Select the Purview account you are using and copy the account name. Go to portal.azure.com and search for “Enterprise" in the search bar. Click on Enterprise applications. Remove the filter for Enterprise Applications Select All applications under manage, search for the name and copy the Object ID. 2. Assign Graph API Roles to Your Managed Identity Application: Assign Purview API roles to your managed identity application by connecting to MS Graph utilizing Cloud Shell in the Azure portal. Open a PowerShell window in portal.azure.com and run the command Connect-MgGraph. Authenticate and sign in to your account. Run the following cmdlet to get the ServicePrincipal ID for your organization for the Purview API app. (Get-MgServicePrincipal -Filter "AppId eq '9ec59623-ce40-4dc8-a635-ed0275b5d58a'").id This command provides the permission of Purview.ProcessConversationMessages.All to the Microsoft Purview Account allowing classification processing. Update the ObjectId to the one retrieved in step 1 for command and body parameter. Update the ResourceId to the ServicePrincipal ID retrieved in the last step. $bodyParam= @{ "PrincipalId"= "{ObjectID}" "ResourceId" = "{ResourceId}" "AppRoleId" = "{a4543e1f-6e5d-4ec9-a54a-f3b8c156163f}" } New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId '{ObjectId}' -BodyParameter $bodyParam It will look something like this from the command line We also need to add the permission for the application to read the user accounts to correctly map the ChatGPT Enterprise user with Entra accounts. First run the following command to get the ServicePrincipal ID for your organization for the GRAPH app. (Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'").id The following step adds the permission User.Read.All to the Purview application. Update the ObjectId with the one retrieved in step 1. Update the ResourceId with the ServicePrincipal ID retrieved in the last step. $bodyParam= @{ "PrincipalId"= "{ObjectID}" "ResourceId" = "{ResourceId}" "AppRoleId" = "{df021288-bdef-4463-88db-98f22de89214}" } New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId '{ObjectId}' -BodyParameter $bodyParam 3. Store the ChatGPT Enterprise API Key in Key Vault The steps for setting up Key vault integration for Data Map can be found here Create and manage credentials for scans in the Microsoft Purview Data Map | Microsoft Learn When setup you will see something like this in Key vault. 4. Integrate ChatGPT Enterprise Workspace to Purview: Create a new data source in Purview Data Map that connects to the ChatGPT Enterprise workspace. Go to purview.microsoft.com and select Data Map, search if you do not see it on the first screen. Select Data sources Select Register Search for ChatGPT Enterprise and select Provide your ChatGPT Enterprise ID Create the first scan by selecting Table view and filter on ChatGPT Add your key vault credentials to the scan Test the connection and once complete click continue When you click continue the following screen will show up, if everything is ok click Save and run. Validate the progress by clicking on the name, completion of the first full scan may take an extended period of time. Depending on size it may take more than 24h to complete. If you click on the scan name you expand to all the runs for that scan. When the scan completes you can start to make use of the DSPM for AI experience to review interactions with ChatGPT Enterprise. The mapping to the users is based on the ChatGPT Enterprise connection to Entra, with prompts and responses stored in the user's mailbox. 5. Review and Monitor Data: Please see this article for required permissions and guidance around Microsoft Purview Data Security Posture Management (DSPM) for AI, Microsoft Purview data security and compliance protections for Microsoft 365 Copilot and other generative AI apps | Microsoft Learn Use Purview DSPM for AI analytics and Activity Explorer to review interactions and classifications. You can expand on prompts and responses in ChatGPT Enterprise 6. Microsoft Purview Communication Compliance Communication Compliance (here after CC) is a feature of Microsoft Purview that allows you to monitor and detect inappropriate or risky interactions with ChatGPT Enterprise. You can monitor and detect requests and responses that are inappropriate based on ML models, regular Sensitive Information Types, and other classifiers in Purview. This can help you identify Jailbreak and Prompt injection attacks and flag them to IRM and for case management. Detailed steps to configure CC policies and supported configurations can be found here. 7. Microsoft Purview Insider Risk Management We believe that Microsoft Purview Insider Risk Management (here after IRM) can serve a key role in protecting your AI workloads long term. With its adaptive protection capabilities, IRM dynamically adjusts user access based on evolving risk levels. In the event of heightened risk, IRM can enforce Data Loss Prevention (DLP) policies on sensitive content, apply tailored Entra Conditional Access policies, and initiate other necessary actions to effectively mitigate potential risks. This strategic approach will help you to apply more stringent policies where it matters avoiding a boil the ocean approach to allow your team to get started using AI. To get started use the signals that are available to you including CC signals to raise IRM tickets and enforce adaptive protection. You should create your own custom IRM policy for this. Do include Defender signals as well. Based on elevated risk you may select to block users from accessing certain assets such as ChatGPT Enterprise. Please see this article for more detail Block access for users with elevated insider risk - Microsoft Entra ID | Microsoft Learn. 8. eDiscovery eDiscovery of AI interactions is crucial for legal compliance, transparency, accountability, risk management, and data privacy protection. Many industries must preserve and discover electronic communications and interactions to meet regulatory requirements. Including AI interactions in eDiscovery ensures organizations comply with these obligations and preserves relevant evidence for litigation. This process also helps maintain trust by enabling the review of AI decisions and actions, demonstrating due diligence to regulators. Microsoft Purview eDiscovery solutions | Microsoft Learn 9. Data Lifecycle Management Microsoft Purview offers robust solutions to manage AI data from creation to deletion, including classification, retention, and secure disposal. This ensures that AI interactions are preserved and retrievable for audits, litigation, and compliance purposes. Please see this article for more information Automatically retain or delete content by using retention policies | Microsoft Learn. Closing By following these steps, organizations can leverage the full potential of Microsoft Purview to enhance the security and compliance of their ChatGPT Enterprise interactions. This integration not only provides peace of mind but also empowers organizations to manage their data more effectively. We are still in preview some of the features listed are not fully integrated, please reach out to us if you have any questions or if you have additional requirements.
Optimizing OneDrive Retention Policies with Administrative Units and Adaptive Scopes
A special thank you note to Ashwini_Anand for contributing to the content of this blog. In today's digital landscape, efficient data retention management is a critical priority for organizations of all sizes. Organizations can optimize their OneDrive retention policies, ensuring efficient and compliant data management tailored to their unique user base and licensing arrangements. Scenario: Contoso Org encountered a distinct challenge - managing data retention for their diverse user base of 200,000 employees, which includes 80,000 users with F3 licenses and 120,000 users with E3 and E5 licenses. As per Microsoft licensing, F3 users are allocated only 2 GB of OneDrive storage, whereas E3 and E5 users are provided with a much larger allocation of 5 TB. This difference required creating separate retention policies for these users' groups. The challenge was further complicated by the fact that retention policies utilize the same storage for preserving deleted data. If a unified retention policy were applied to all users such as retaining data for 6 years before deletion - F3 users’ OneDrive storage could potentially fill up within a year or less (depending on usage patterns). This would leave F3 users unable to delete or save new files, severely disrupting productivity and data management. To address this, it is essential to create a separate retention policy for E3 and E5 users, ensuring that the policy applies only to these users and excludes F3 users. This blog will discuss the process of designing and implementing such a policy for the large user base based on separate licenses, ensuring efficient data management and uninterrupted productivity. Challenges with Retention Policy Configuration for large organizations 1. Adaptive Scope Adaptive scopes in Microsoft Purview allow you to dynamically target policies based on specific attributes or properties such as department, location, email address, custom Exchange attributes etc. Refer the link to get the list of supported attributes: Adaptive scopes | Microsoft Learn. Limitation: Although Adaptive scopes can filter by user properties, Contoso, being a large organization, had already utilized all 15 custom attributes for various purposes. Additionally, user attributes also couldn’t be used to segregate users based on licenses. This made it challenging to repurpose any attribute for our filter criteria to apply the retention policy to a specific set of users. Furthermore, refinable strings used in SharePoint do not work for OneDrive sites. 2. Static Scope Static scope refers to manually selected locations (e.g., specific users, mailboxes, or sites) where the policy is applied. The scope remains fixed and does not automatically adjust. Limitation: Static scope allows the inclusion or exclusion of mailboxes and sites but is limited to 100 sites and 1000 mailboxes, making it challenging to utilize for large organizations. Proposed Solution: Administrative Units with Adaptive Scope To address the above challenges, it required utilizing Administrative Units (Admin Units - is a container within an organization that can hold users, groups, or devices. It helps us to manage and organize users within an organization more efficiently, especially in large or complex environments) with Adaptive Scopes for creation of a retention policy targeting E3 and E5 licensed users. This approach allows organizations to selectively apply retention policies based on user licenses, enhancing both efficiency and governance. Prerequisites For Administrative unit - Microsoft Entra ID P1 license For Retention policy - Refer to the link: Microsoft 365 guidance for security & compliance - Service Descriptions | Microsoft Learn Configuration Steps Step 1: Create Administrative Unit: Navigate to Microsoft Entra Admin Center https://entra.microsoft.com/#home Click on ‘Identity’ and then click on ‘Show more’ Expand ‘Roles & admins’ Proceed to ‘Admin units’ -> Add. Define a name for the Administrative unit. Click on ‘Next: Assign roles’ No role assignment required, click on 'Next: Review + create’) Click on ‘Create’. To get more information about creating administrative unit, refer this link: Create or delete administrative units - Microsoft Entra ID | Microsoft Learn Step 2: Update Dynamic Membership: Select the Administrative Unit which is created in Step1. Navigate to ‘Properties’ Choose ‘Dynamic User’ for Membership type. Click on ‘Add a dynamic query’ for Dynamic user members. Click on ‘Edit' for Rule syntax In order to include E3 and E5 licensed users who are using OneDrive, you need to include SharePoint Online Service Plan 2 enabled users. Use the query below in the code snippet to define the dynamic membership. user.assignedPlans -any (assignedPlan.servicePlanId -eq "5dbe027f-2339-4123-9542-606e4d348a72" -and assignedPlan.capabilityStatus -eq "Enabled") Click on 'Save' to update the Dynamic membership rules Click on 'Save' to update the Administrative unit changes. Open the Administrative Unit and click on the 'Users' tab to check if users have started to populate. Note: It may take some time to replicate all users, depending on the size of your organization. Please wait for minutes and then check again. Step 3: Create Adaptive Scope under Purview Portal: Access https://purview.microsoft.com Navigate to ‘Settings’ Expand ‘Roles & scopes’ and click on ‘Adaptive scopes’ Create a new adaptive scope, providing ‘Name’ and ‘Description’. Proceed to select the Administrative unit which was created earlier. (It takes time for the Admin/Administrative Unit to become visible. Please wait for some time if it does not appear immediately.) Click on ‘Add’ and ‘Next’ Select ‘Users’ and 'Next' Once the Admin unit is selected, we need to specify the criteria which allows to select users within the Admin unit (this is the second level of filtering available). However, in this case since we needed to select all users of the admin unit, hence the below criteria was used. Click 'Add attribute' and form the below query. Email addresses is not equal to $null Note: You can apply any other filter if you need to select a subset of users within the Admin Unit based on your business use case. Click on ‘Next’ Review and ‘Submit’ the adaptive scope. Step 4: Create Retention Policy using Adaptive Scope: Access https://purview.microsoft.com/datalifecyclemanagement/overview Navigate to ‘Policies’ and then go to ‘Retention Policies’. Create a ‘New Retention policy’, providing a ‘Name’ and ‘Description’. Proceed to select the Administrative unit created earlier. Click on ‘Add or remove admin units’ Choose ‘Adaptive’ and click on ‘Next’. Click on ‘Add scopes’ and Select the previously created Adaptive scope. Click on ‘Next’ to proceed and select the desired retention settings. Click Next and Finish Outcome By implementing Admin Units with adaptive scopes, organizations can effectively overcome challenges associated with applying OneDrive retention policies for distinguished and large set of users. This approach facilitates the dynamic addition of required users, eliminating the need for custom attributes and manual user management. Users are dynamically added or removed from the policy based on license status, ensuring seamless compliance management. FAQ: Why is it important to differentiate retention policies based on user licensing tiers? It is important to differentiate retention policies based on user licensing tiers to ensure that each user group has policies tailored to their specific needs and constraints, avoiding issues such as storage limitations for users with lower-tier licenses like F3. How many Exchange custom attributes are typically available? There are typically 15 Exchange custom attributes available, which can limit scalability when dealing with a large user base. What challenge does Adaptive Scoping face when including a large number of OneDrive sites? Adaptive Scoping faces the challenge of including a large number of OneDrive sites due to limitations in the number of custom attributes allowed. While these custom attributes help in categorizing and managing OneDrive sites, the finite number of attributes available can restrict scalability and flexibility. Why are refinable strings a limitation for Adaptive Scoping in OneDrive? Refinable strings are a limitation for Adaptive Scoping in OneDrive because their usage is restricted to SharePoint only. What are the limitations of Static Scoping for OneDrive sites? Static Scoping for OneDrive sites is limited by the strict limit of including or excluding only 100 sites, making it usage limited for larger environments. Do we need any licenses to create an administrative unit with dynamic membership? Yes, a Microsoft Entra ID P1 license is required for all members of the group.Select the 'Adaptive' retention policy typeBecome a Communication Compliance Ninja
** Updated June 2023 ** We are very excited and pleased to announce this rendition of the Ninja Training Series. There are several videos and resources out there and the overall purpose of the Communication Compliance Ninja training is to help you get the relevant resources to get started and become more proficient in this area.Accelerate AI adoption with next-gen security and governance capabilities
Generative AI adoption is accelerating across industries, and organizations are looking for secure ways to harness its potential. Today, we are excited to introduce new capabilities designed to drive AI transformation with strong security and governance tools.Streamlining AI Compliance: Introducing the Premium Template for Indonesia's PDP Law in Purview
In today’s evolving regulatory environment, businesses must navigate complex data privacy laws while fostering customer trust, especially as AI transforms industries. To support organizations in meeting compliance requirements, we’re introducing the Premium Assessment Template for Indonesia's Personal Data Protection (PDP) Law within Microsoft Purview Compliance Manager. This powerful tool automates critical compliance tasks, simplifies assessments, and integrates seamlessly with Microsoft’s E5 security and Purview solutions, helping businesses reduce manual effort and ensure compliance more efficiently. Discover how this template can streamline your compliance efforts and build trust in an AI-driven world.How business conduct violations can help understand data security risks
Discover how the integration of Communication Compliance and Insider Risk Management enhances understanding of data security risks by providing deeper insights into user intent on potentially risky activities, ultimately aiding proactive management and safeguarding of sensitive assets within organizations.Unleash the Future of Communication Compliance at Microsoft Ignite 2023
Embark on a transformative journey into the future of Communication Compliance at Microsoft Ignite 2023. In an era where data security and compliance are non-negotiable, Microsoft Purview Communication Compliance emerges as a strategic ally, armed with advanced AI capabilities. Join us as we unveil five groundbreaking features that revolutionize how organizations navigate communication risks, ensuring data security, compliance, and user privacy. From Microsoft Copilot for Microsoft 365 integration to Security Copilot intelligence and advanced AI for business conduct detection, these innovations will redefine your approach to communication compliance. Don't miss the opportunity to stay ahead of compliance challenges and secure your organization's future in the digital age.Keep Microsoft Teams meetings compliant with Communication Compliance
Uncover hidden compliance risks in your Microsoft Teams meetings with Communication Compliance's groundbreaking ability to detect and address regulatory and business conduct violations in live transcripts, bolstering your organization's legal and reputational safeguards in the era of digital collaboration.Elevating communication compliance with Microsoft Purview
Unlock the future of Communication Compliance with Microsoft Purview! Dive into our latest blog and discover how this powerful solution can protect your organization from costly penalties while ensuring a respectful and productive communication environment. Explore new features like Reporting Inappropriate Posts in Viva Engage, Adaptive Detection of Sensitive Information, and Policy Scope Insights that change the way you navigate compliance challenges.
