Data Security Posture Management (DSPM) is the continuous discovery and risk assessment layer of the Microsoft Purview platform. Where DLP enforces policy on known sensitive data, DSPM finds sensitive data you did not know was there, across Microsoft 365, cloud storage, and SaaS apps, and scores the risk of your current posture.
DSPM answers: "Where is sensitive data being overshared, undermined by weak permissions, or exposed to AI models?" It surfaces those gaps as actionable insights rather than waiting for a policy violation to occur.
Continuous discovery of sensitive data across Microsoft 365, cloud storage, and SaaS apps. Identifies where PII, financial data, and classified content actually lives, including shadow copies and unexpected locations.
Scores posture risk based on: sensitivity of data, exposure level (internal/external/public), label presence or absence, activity patterns, and access scope. Surfaces the highest-risk concentrations first.
Provides actionable recommendations: apply missing labels, restrict overshared content, remove stale access, update DLP policy scope to cover newly discovered locations.
| Signal | Description | Risk Level | Recommended Action |
|---|---|---|---|
| Unlabeled sensitive content | Sensitive data detected (SIT match) with no sensitivity label applied | High | Apply auto-labeling policy; escalate to data owner |
| Restricted content shared externally | Items with Restricted label shared with external accounts | Critical | Revoke share; DLP rule review; incident response |
| Confidential content in public Teams channel | Confidential items accessible to all org members in public team | High | Move to private channel; restrict access; re-evaluate team privacy |
| Large volume of unlabeled financial content | SharePoint site with high density of SIT matches but no labels | High | Trigger auto-labeling simulation; review with site owner |
| Stale external shares on sensitive files | Files with sensitive classification shared externally, not accessed in 90+ days | Medium | Remove external permissions; review sharing policy |
| Copilot grounding on restricted data | Copilot has access to Restricted or Confidential PHI content via user context | High | Restrict Copilot scopes; apply label-based Copilot DLP rules |
Copilot respects SharePoint permissions and sensitivity labels, but only if they are correctly applied. Unlabeled sensitive content or overly broad permissions are the primary oversharing vectors. DSPM surfaces these before Copilot reaches them.
Configure DLP policies with the Microsoft 365 Copilot location to restrict what content Copilot can use as grounding material. For Restricted and Confidential PHI content, this is a required control before Copilot deployment in affected teams.
Before enabling Copilot for a business unit, run DSPM to identify: unlabeled sensitive content, overshared sites and files, stale external links, and Restricted/Confidential PHI content accessible to Copilot scope. Remediate before rollout.
After Copilot deployment, review DSPM posture monthly. New content, new team members, and site permission changes constantly introduce new exposure. DSPM posture is not static.
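The signal table above and the pre-rollout check in the preceding paragraphs, worked through as an added example (this is not Purview's own DSPM logic): a constructed inventory of Microsoft 365 items is evaluated against the six signals, findings are ordered highest-risk first, and the Critical and High ones are returned as rollout blockers. The `Item` model, its field names, the sample paths, labels and dates, the SIT names used as sample values, and the site-level density threshold are all assumptions; the signals, risk levels, recommended actions and the 90-day stale threshold come from the table.

```python
"""Posture triage over a constructed Microsoft 365 inventory.

Added example, not Purview's own DSPM logic. The Item model, field names and
sample values are constructed; the six signals, their risk levels, actions and
the 90-day stale threshold follow the signal table on this page.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Item:
    site: str                          # owning site or team (hypothetical grouping key)
    path: str
    label: Optional[str]               # "Restricted", "Confidential", "General", or None if unlabeled
    sit_matches: tuple                 # sensitive information types detected (sample names)
    exposure: str                      # "private", "org-wide" or "external"
    last_accessed: date
    copilot_reachable: bool = False    # inside a Copilot-enabled user's grounding scope
    public_team_channel: bool = False  # stored in a public Teams channel


SENSITIVE_LABELS = {"Restricted", "Confidential"}
FINANCIAL_SITS = {"Credit Card Number", "U.S. Bank Account Number"}  # sample subset
RISK_RANK = {"Critical": 0, "High": 1, "Medium": 2}


def item_findings(item: Item, today: date, stale_days: int = 90) -> list:
    """Apply the per-item signals from the table; one item can raise several."""
    has_sit = bool(item.sit_matches)
    sensitive = has_sit or item.label in SENSITIVE_LABELS
    out = []

    def add(signal, risk, action):
        out.append({"signal": signal, "risk": risk, "path": item.path, "action": action})

    if has_sit and item.label is None:
        add("Unlabeled sensitive content", "High",
            "Apply auto-labeling policy; escalate to data owner")
    if item.label == "Restricted" and item.exposure == "external":
        add("Restricted content shared externally", "Critical",
            "Revoke share; DLP rule review; incident response")
    if item.label == "Confidential" and item.public_team_channel:
        add("Confidential content in public Teams channel", "High",
            "Move to private channel; restrict access; re-evaluate team privacy")
    if sensitive and item.exposure == "external" and (today - item.last_accessed).days > stale_days:
        add("Stale external share on sensitive file", "Medium",
            "Remove external permissions; review sharing policy")
    if item.label in SENSITIVE_LABELS and item.copilot_reachable:
        add("Copilot grounding on restricted data", "High",
            "Restrict Copilot scopes; apply label-based Copilot DLP rules")
    return out


def site_findings(items, min_unlabeled_financial: int = 3) -> list:
    """Site-level signal: density of unlabeled financial SIT matches (threshold is an assumption)."""
    unlabeled_financial = defaultdict(int)
    for it in items:
        if it.label is None and set(it.sit_matches) & FINANCIAL_SITS:
            unlabeled_financial[it.site] += 1
    return [{"signal": "Large volume of unlabeled financial content", "risk": "High",
             "path": site, "action": "Trigger auto-labeling simulation; review with site owner"}
            for site, n in unlabeled_financial.items() if n >= min_unlabeled_financial]


def posture_report(items, today: date) -> list:
    """All findings, highest risk first (the 'surface highest-risk concentrations first' rule)."""
    findings = site_findings(items)
    for it in items:
        findings.extend(item_findings(it, today))
    return sorted(findings, key=lambda f: (RISK_RANK[f["risk"]], f["path"]))


def copilot_rollout_blockers(findings) -> list:
    """Pre-rollout check: Critical and High findings must be remediated before Copilot is enabled."""
    return [f for f in findings if f["risk"] in ("Critical", "High")]


# Constructed sample inventory (paths, labels and dates are made up).
SAMPLE_TODAY = date(2026, 3, 1)
SAMPLE_ITEMS = [
    Item("Finance", "Finance/q4-forecast.xlsx", None, ("Credit Card Number",), "org-wide", date(2026, 2, 20)),
    Item("Finance", "Finance/vendor-bank.csv", None, ("U.S. Bank Account Number",), "private", date(2026, 2, 25)),
    Item("Finance", "Finance/payroll.xlsx", None, ("Credit Card Number",), "private", date(2026, 1, 5)),
    Item("Legal", "Legal/merger-terms.docx", "Restricted", ("U.S. Social Security Number (SSN)",),
         "external", date(2026, 2, 27), copilot_reachable=True),
    Item("HR", "HR/old-benefits.pdf", "Confidential", ("U.S. Social Security Number (SSN)",),
         "external", date(2025, 10, 1)),
    Item("Eng", "Teams/Eng-Public/design.docx", "Confidential", (), "org-wide", date(2026, 2, 28),
         public_team_channel=True),
    Item("Eng", "Eng/readme.md", "General", (), "private", date(2026, 2, 28)),
]

if __name__ == "__main__":
    report = posture_report(SAMPLE_ITEMS, SAMPLE_TODAY)
    for f in report:
        print(f"{f['risk']:<8} {f['signal']:<45} {f['path']}  ->  {f['action']}")
    print(f"Rollout blockers: {len(copilot_rollout_blockers(report))} of {len(report)} findings")
```

On the sample inventory the Restricted file shared externally lands first, the three unlabeled Finance files also trigger the site-level density signal, and the 150-day-old external share is the only Medium finding; everything above Medium is a blocker for the business unit's Copilot rollout.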
DSPM discovers new sensitive data locations not yet covered by DLP policy scope. Those locations should be added to DLP policy targets. DSPM posture gaps are direct inputs to DLP gap analysis.
DSPM identifies unlabeled sensitive content. Its output feeds auto-labeling policy scope, ensuring that new repositories discovered by DSPM scanning are added to auto-labeling targets.
DSPM risk findings can be registered in the Data Catalog as asset-level risk annotations. Data owners receive posture alerts for their catalog assets.
Behavioral signals from DSPM (large volume access to sensitive content, repeated download of restricted files) feed the Insider Risk Management indicator model as contextual amplifiers.
DSPM posture data feeds directly into the two-axis KPI model: Health (is the control working?) and Effectiveness (is it doing its job?). These are two separate questions and must be measured separately. A program can be healthy but ineffective, or effective in one location and absent in another.
Ingestion path: Purview Security and Compliance logs → Event Hub → Splunk HEC. Reporting cadence: monthly (specific window TBD with client), rolling to a live dashboard as the program matures.
| Audience | KPI | Axis | Source System | Splunk Layer | Maturity |
|---|---|---|---|---|---|
| Engineering | DLP event ingestion freshness | Health | Splunk _indextime | Pipeline Health | 🟢 Live |
| Engineering | DLP policy match volume | Health | DLP.All / Advanced Hunting | DLP Effectiveness | 🟢 Live |
| Engineering | Policy assignment & coverage % | Health | UAL + policy scope | DLP Effectiveness | 🟡 Partial |
| Engineering | Auto-labeling job success rate | Health | UAL / Purview classification events | DLP Effectiveness | 🟡 Partial |
| Engineering | Rule action distribution | Health | UAL + AH enrichment | DLP Effectiveness | 🟡 Partial |
| Engineering | SIT confidence distribution | Effectiveness | AH / Purview event details | DLP Effectiveness | 🟡 Partial |
| Engineering | False-positive rate | Effectiveness | Defender XDR classification | Investigation Ops | 🟡 Partial |
| Engineering | Label adoption / usage rate | Effectiveness | UAL + label events | DLP Effectiveness | ⚫ Blank |
| Engineering | Connector / SHIR scan health | Health | Purview Data Map telemetry | Pipeline Health | ⚫ Blank |
| Engineering | OCR pipeline status | Health | Control register | Pipeline Health | ⚫ Not deployed |
| Investigations | Alert volume by severity | Health | Defender XDR alerts | Investigation Ops | 🟢 Live |
| Investigations | Triage queue depth & aging | Health | Defender XDR incidents | Investigation Ops | 🟢 Live |
| Investigations | Mean time to triage (MTTA) | Effectiveness | Defender incident lifecycle | Investigation Ops | 🟡 Partial |
| Investigations | Mean time to resolve (MTTR) | Effectiveness | Defender resolved timestamp | Investigation Ops | 🟡 Partial |
| Investigations | Top exfiltration vectors | Effectiveness | DLP events + workload / action | DLP Effectiveness | 🟡 Partial |
| Executive | Program coverage % (locations protected) | Health | Control inventory + policy scope | Executive Scorecard | 🟡 Partial |
| Executive | Control Health composite score | Health | KPI mart | Executive Scorecard | 🟡 Partial |
| Executive | Risk exposure trend (90-day) | Effectiveness | Alerts + DLP events | Executive Scorecard | 🟢 Live once retained |
| Executive | PHI / PCI protected vs. exposed | Effectiveness | SIT + action outcome | Executive Scorecard | ⚫ Blank |
| Executive | Block / allow-with-override ratio | Effectiveness | DLP enforcement / action | Executive Scorecard | 🟡 Partial |
| Executive | Retention deployment status | Health | Purview retention inventory | Executive Scorecard | ⚫ Blank |
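The two-axis model and several of the Live and Partial KPIs in the table, computed as an added example over constructed records (this is not the Splunk or Microsoft team's code, and the composite score formulas referenced on this page are not reproduced). The records are a simplified normalization of what lands after the Purview → Event Hub → Splunk HEC path: the field names, the `index_time` stand-in for Splunk's `_indextime`, the freshness thresholds, and all timestamps, policies and actions are assumptions.

```python
"""Health and Effectiveness KPIs over constructed DLP events and Defender incidents.

Added example, not Splunk or Microsoft code. Field names are a constructed,
simplified normalization; Splunk's `_indextime` is modelled as `index_time` so
the block runs offline.
"""
from collections import Counter
from datetime import datetime
from statistics import mean, median


def _t(hhmm):
    """Constructed timestamps, all on one day, given as HH:MM."""
    return datetime.fromisoformat(f"2026-03-01T{hhmm}:00")


# Constructed DLP rule-match records: event time vs. index time, workload, policy, enforcement action.
DLP_EVENTS = [
    {"time": _t("09:00"), "index_time": _t("09:04"), "workload": "Exchange",   "policy": "PHI-Outbound", "action": "Block"},
    {"time": _t("09:10"), "index_time": _t("09:12"), "workload": "SharePoint", "policy": "PCI-Sharing",  "action": "AllowWithOverride"},
    {"time": _t("09:20"), "index_time": _t("09:31"), "workload": "Endpoint",   "policy": "PHI-Endpoint", "action": "Block"},
    {"time": _t("09:30"), "index_time": _t("09:33"), "workload": "Exchange",   "policy": "PHI-Outbound", "action": "Audit"},
    {"time": _t("09:40"), "index_time": _t("09:45"), "workload": "OneDrive",   "policy": "PCI-Sharing",  "action": "AllowWithOverride"},
    {"time": _t("09:50"), "index_time": _t("09:56"), "workload": "Exchange",   "policy": "PHI-Outbound", "action": "Block"},
    {"time": _t("09:55"), "index_time": _t("10:02"), "workload": "Teams",      "policy": "PHI-Outbound", "action": "Block"},
]
# Constructed Defender XDR incident lifecycle rows (created -> assigned -> resolved).
INCIDENTS = [
    {"id": "INC-1", "severity": "High",   "created": _t("08:00"), "assigned": _t("08:20"), "resolved": _t("10:00")},
    {"id": "INC-2", "severity": "Medium", "created": _t("08:30"), "assigned": _t("09:10"), "resolved": None},
    {"id": "INC-3", "severity": "High",   "created": _t("09:00"), "assigned": _t("09:10"), "resolved": _t("09:40")},
    {"id": "INC-4", "severity": "Low",    "created": _t("09:45"), "assigned": None,        "resolved": None},
]
NOW = _t("10:10")
ENFORCING = {"Block", "AllowWithOverride"}


def minutes(td):
    return td.total_seconds() / 60


# --- Health axis: is the control working? ---
def ingestion_freshness(events, now, max_lag_min=15, max_age_min=30):
    """Lag from event time to index time, plus the age of the newest indexed event.
    Bounded lag and a recent newest event mean the pipeline is alive (thresholds are assumptions)."""
    lags = [minutes(e["index_time"] - e["time"]) for e in events]
    newest_age = minutes(now - max(e["index_time"] for e in events))
    return {"median_lag_min": median(lags), "max_lag_min": max(lags),
            "newest_event_age_min": newest_age,
            "healthy": max(lags) <= max_lag_min and newest_age <= max_age_min}


def match_volume_by_policy(events):
    """A policy whose match count drops to zero is a scope or pipeline problem, not a success."""
    return Counter(e["policy"] for e in events)


def alert_volume_by_severity(incidents):
    return Counter(i["severity"] for i in incidents)


def triage_queue(incidents, now):
    """Open incident depth, the age of the oldest open one, and open count by severity."""
    open_ = [i for i in incidents if i["resolved"] is None]
    oldest = max((minutes(now - i["created"]) for i in open_), default=0.0)
    return {"depth": len(open_), "oldest_open_min": oldest,
            "by_severity": Counter(i["severity"] for i in open_)}


# --- Effectiveness axis: is the control doing its job? ---
def block_override_ratio(events):
    """Blocks per allow-with-override; a falling ratio means users are routinely overriding."""
    c = Counter(e["action"] for e in events)
    blocks, overrides = c["Block"], c["AllowWithOverride"]
    return {"blocks": blocks, "overrides": overrides, "ratio": blocks / overrides if overrides else None}


def triage_times(incidents):
    """MTTA (created -> assigned) and MTTR (created -> resolved), in minutes."""
    tta = [minutes(i["assigned"] - i["created"]) for i in incidents if i["assigned"]]
    ttr = [minutes(i["resolved"] - i["created"]) for i in incidents if i["resolved"]]
    return {"mtta_min": round(mean(tta), 1) if tta else None,
            "mttr_min": round(mean(ttr), 1) if ttr else None}


def top_exfiltration_vectors(events, n=3):
    """Workloads producing the most enforcement events (Block or override), most first."""
    return Counter(e["workload"] for e in events if e["action"] in ENFORCING).most_common(n)


def kpi_snapshot(events, incidents, now):
    """One monthly snapshot, keeping the two axes separate as the model requires."""
    return {"health": {"ingestion_freshness": ingestion_freshness(events, now),
                       "match_volume_by_policy": match_volume_by_policy(events),
                       "alert_volume_by_severity": alert_volume_by_severity(incidents),
                       "triage_queue": triage_queue(incidents, now)},
            "effectiveness": {"block_override": block_override_ratio(events),
                              "triage_times": triage_times(incidents),
                              "top_exfiltration_vectors": top_exfiltration_vectors(events)}}


if __name__ == "__main__":
    import json
    print(json.dumps(kpi_snapshot(DLP_EVENTS, INCIDENTS, NOW), indent=2, default=str))
```

The snapshot deliberately returns the Health and Effectiveness groups side by side rather than folding them into one number: on the sample data the pipeline is healthy (maximum lag 11 minutes, newest event 8 minutes old) while two of seven enforcement events were overridden, which is exactly the "healthy but not necessarily effective" distinction the model insists on.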
Dual-ingestion model (UAL + Defender XDR + Advanced Hunting), 6 raw indexes, normalized fact table, 5 KPI marts, 5 dashboard tiers, composite Health × Effectiveness score formulas, and the full engineering prompt for the Splunk / Microsoft team.
Copilot for Security
Why: AI-assisted investigation summarization and alert triage recommendation. Could be a significant gain for L1/L2 analysts, converting raw alert data into plain-language risk summaries.
Recommend: Pilot in Q1, constrained scope. Private endpoint required; no external telemetry. CMK mandatory for NPI processing.
Status: Not deployed.
Data Investigations
Why: Specialized investigation surface for sensitive-data exposure incidents. Shortens investigation time substantially by surfacing related content and collaborators.
Recommend: Enable after legal/HR formal review of scope and data-handling policies.
Status: Not deployed; requires sign-off.
Agent 365
Why: Microsoft 365 agent framework. Potential for Purview-specific agents: triage assistant, label coach, compliance advisor. Operates within the M365 tenant boundary.
Recommend: Evaluate Q2 after Copilot for Security baseline is established. Don't build agents before controls are mature.
Status: Evaluate after Q1.
MCP
Why: Structured AI rollout framework (workers, skills, pre-prompts). Enables consistent AI-assisted workflows without ad-hoc prompt engineering.
Recommend: Parallel track owned by the internal AI SME. 12-month roadmap. Not an in-scope deliverable, but must be formally recommended now.
Owner: Internal AI SME.
OCR pipeline
Why: Without OCR enabled, image-based exfiltration (scanned documents, screenshots, image attachments) is entirely invisible to DLP. This is a significant blind spot for organizations handling paper-originated PHI and regulated documents.
Recommend: Enable for high-risk locations once licensing is confirmed. Pay-as-you-go scope to be verified.
Status: Not deployed.
Local LLM
Why: On-premises or private-Azure LLM with no external data dependency. Unlimited customization for client-specific workflows versus Copilot's constraints. Long-horizon: enables private AI enrichment of DLP alerts without PHI leaving the tenant.
Recommend: 12-month feasibility exploration. Hosting model (on-prem vs. Azure Private) and funding model to be determined.
Owner: Internal AI SME.
AI Builder
Why: Low-code AI automation layer for Power Platform workflows: form processing, approval routing, document classification, and integration with Purview outputs.
Recommend: Use before November 1, 2026. Evaluate active workflows for a migration path.
⚠️ Credit Retirement: AI Builder credits retire November 1, 2026 and migrate to Copilot Credits. Any Power Platform AI Builder workflows must be inventoried and assessed before this date to avoid disruption.
Status: Credits active until Nov 1, 2026.
12-Month AI Enablement Sequence
- Q1: Copilot for Security pilot: constrained scope, private endpoint, CMK. Measure triage time reduction.
- Q1–Q2: Data Investigations: enable after legal/HR sign-off. Measure investigation time reduction.
- Q2: OCR pipeline: enable for top-risk locations (SharePoint Legal, HR, Finance). Measure new detection volume.
- Q2–Q3: Agent 365 evaluation: triage assistant or label coach pilot. Measure analyst adoption.
- Q3–Q4: MCP structured rollout via internal AI SME: formalize skills, pre-prompts, worker definitions.
- Year 2: Local LLM feasibility study and hosting model decision.
- Deadline, Nov 1, 2026: AI Builder credit retirement → Copilot Credits migration. Inventory all Power Platform AI Builder workflows and confirm the migration path before cutover.