Navigating Frustration: My Disappointing Journey with Microsoft Purview’s Data Loss Prevention Investigations


Microsoft Purview is Microsoft’s offering for Data Loss Prevention and Data Governance in the Enterprise. Like many things Microsoft, the offering is touted as part of an integrated strategy for Data Governance and Compliance. Based on my initial experiences, Microsoft has a long way to go to make this product ready for primetime.

Microsoft Purview is an integrated data governance and compliance solution designed to help organizations manage, protect, and secure their data across various environments. It offers tools for data discovery, classification, and protection, enabling users to gain insights into their data landscape, ensure compliance with regulatory requirements, and implement effective data loss prevention (DLP) strategies. By providing a unified platform for data governance, Microsoft Purview aims to enhance data visibility, minimize risks, and maintain data integrity across the organization.

Ineffectiveness of Data Loss Prevention Investigations

Predictability. Accuracy. Efficiency. These are all terms that describe my expectations surrounding the usage of Microsoft Purview in an Enterprise setting. From false positives and negatives to inconsistencies in detecting data loss incidents, it has been an exercise in frustration to navigate an overly broad DLP policy. While I realize that there is a bit of garbage in, garbage out at play in tuning the DLP policies, we understood this going in and crafted thoughtful policies that examine headers for the recipient email address being matched to a personal address that we have on file for each employee at our company. When examining the contents of the email, we are not doing anything exotic… basic PII searches and PHI searches.
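The policy shape described above (recipient header matched against a personal address on file for the sender, plus basic PII patterns in the body) is simple enough to model outside Purview, which makes it easier to reason about where false positives and negatives come from. The following is an added example written for this page; it is not Purview's DLP engine and not code from the post. The employee-to-personal-address map, the sample messages, the PII patterns (SSN format and Luhn-validated card numbers) and the match rule (personal recipient AND PII present) are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed assumption: work mailbox -> personal addresses on file for that employee.
PERSONAL_ADDRESSES = {
    "jdoe@corp.example": {"jdoe.home@mail.example"},
    "asmith@corp.example": {"alice.s@mail.example", "asmith@webmail.example"},
}

# US SSN in dashed form; rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers (13-16 digits, optional spaces/dashes); confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out phone numbers and other digit runs CARD_RE catches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return (kind, matched_text) pairs for the basic PII patterns above."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card", m.group().strip()))
    return hits


def _body_text(msg) -> str:
    """Plain-text body; for multipart mail, concatenate the text/plain parts."""
    if msg.is_multipart():
        parts = []
        for p in msg.walk():
            if p.get_content_type() == "text/plain":
                raw = p.get_payload(decode=True) or b""
                parts.append(raw.decode(p.get_content_charset() or "utf-8", "replace"))
        return "\n".join(parts)
    return msg.get_payload()


def evaluate(raw_message: str) -> dict:
    """Apply the assumed policy: flag when a recipient is the sender's personal
    address on file AND the body contains PII. Both conditions are reported so
    an analyst can see which half of the rule fired."""
    msg = message_from_string(raw_message)
    parsed_from = getaddresses([msg.get("From", "")])
    sender = parsed_from[0][1].lower() if parsed_from else ""
    recipients = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    }
    personal = recipients & PERSONAL_ADDRESSES.get(sender, set())
    pii = find_pii(_body_text(msg))
    return {
        "sender": sender,
        "personal_recipients": personal,
        "pii": pii,
        "match": bool(personal) and bool(pii),
    }


# Constructed sample messages (not real mail).
SAMPLE_EXFIL = """\
From: J. Doe <jdoe@corp.example>
To: jdoe.home@mail.example
Subject: forwarding my onboarding form

Here is the form, SSN 123-45-6789, card 4111 1111 1111 1111.
"""

SAMPLE_INTERNAL = """\
From: jdoe@corp.example
To: hr@corp.example
Subject: onboarding form

SSN 123-45-6789 for the HR file.
"""

SAMPLE_BENIGN = """\
From: jdoe@corp.example
To: jdoe.home@mail.example
Subject: dinner

Call me at 555-0100 when you are done, order total 4111 1111 1111 1112.
"""

if __name__ == "__main__":
    for label, sample in [("exfil", SAMPLE_EXFIL), ("internal", SAMPLE_INTERNAL), ("benign", SAMPLE_BENIGN)]:
        print(label, evaluate(sample))
```

Running the three samples shows the two halves of the rule working independently: the internal message carries an SSN but goes to a work mailbox, the benign message goes to the personal address but its digit run fails the Luhn check, and only the first message satisfies both conditions. Keeping each condition's result in the output is what makes a flagged incident reviewable without re-running the search.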

The volume of DLP investigations that Microsoft Purview generated within hours of turning the policies on was predictable. Quickly, our Microsoft Sentinel console was filling up with DLP Policy incidents. Not a big deal. However, as I pivoted through Microsoft Defender XDR to investigate a single incident, it quickly became apparent that I was not in Kansas anymore.

You see, generating a content search in Microsoft Purview is straightforward. After providing a name for the incident and a brief description, the user is presented with parameters for the search, including Microsoft Exchange mailboxes, SharePoint sites (including Yammer and OneDrive locations), and Exchange Public Folders. The user can step through the wizard and quickly enter the search criteria for the content search. All in all, it takes less than a minute to generate a new content search.

However, it is once the content search kicks off that the frustration begins setting in. The content search pane in Microsoft Purview will quickly report back that the content search is completed. Great! Let’s investigate! With about a 40% accuracy rate, attempting to open a completed content search and review the samples produces a very ugly, generic message that simply states that “No permission to generate access token for eDiscovery feature!” The error message appears for no apparent rhyme or reason. I guess it is just a bit temperamental. So I hit refresh. Same error. Refresh! Refresh! Refresh! I think Microsoft is mocking me. So what is an investigator to do? Reboot Microsoft Purview and try again.

Eventually (let’s call it about 20 minutes later), I gather the courage to reattempt the content search sample preview, and lo and behold! No error message. I dutifully click on the Review Samples button and prepare to review all of the email messages that matched my criteria. To the left is the most predictable output that I receive when reviewing samples. As you can see, I received zero hits on my overly broad content search. This is not good, as I KNOW there are messages that have occurred between my target sender and recipient. Again, what the hell is an investigator to do with these results (or lack thereof)? So I rerun the search and try again. Le sigh.

Rerunning the search does not produce any noticeable changes. It takes the same amount of time to run the search and is fraught with the same claymores that the first search had. Clicking the Load more items button is like hitting the elevator door hold open button. It appears to just be there for show. Hitting refresh within the content search’s window generates a troll sound at Microsoft headquarters from what I can gather.

Conclusion

Microsoft Purview has the scaffolding in place to be a really solid tool. I can certainly see the allure in Executive eyes when seeing all of the things that the offering promises to deliver on. However, in my experiences, Microsoft has produced a 4/10 product that is riddled with usability errors and unpredictable results. This leads to a significant increase in the amount of time that it takes to fully investigate a single incident.

In a world where sending an innocuous document to your personal email or outside the borders of your own Enterprise can lead to termination, we really cannot afford to have so many issues with the interface. Microsoft, please get your shit together with this tool. We need something like your promises offer, but we will not use it if we are forced through a torturous experience. Signed, investigators everywhere.

What do you all think? Am I just having a bad day, or do your experiences mirror mine when attempting to perform investigations in Microsoft Purview? I would like to think that this product will get better over time, but spending 45 minutes to 2 hours to investigate a single DLP incident seems extraneous and inefficient.
