# Extensions & Advanced Scenarios
With the core implementation complete, this section extends Purview capabilities to additional environments and advanced scenarios that may not be immediate priorities.
## On-Premises Integration {#on-premises}
Extend Purview protection to on-premises file servers and SharePoint Server.
### On-Premises Scanner
The Microsoft Purview Information Protection scanner can:
- Discover sensitive data on file shares
- Apply sensitivity labels automatically
- Report findings to Content Explorer
### Deploy Information Protection Scanner
Prerequisites:
- Windows Server to host the scanner service
- SQL Server instance for the scanner database
- Network access (read/write) to the file shares to be scanned
High-Level Steps:
- Install the AIP Unified Labeling client on the scanner server
- Configure the scanner cluster in Azure
- Create content scan jobs
- Run a discovery scan (no labeling) and review the results
- Enable enforcement (labeling)
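The five steps above as an added PowerShell example (not from the original page), using the AzureInformationProtection module's scanner cmdlets from the unified labeling client; the cluster name, SQL instance, share path, tenant ID and app registration values are placeholders, and parameter names should be checked against the installed client version.

```powershell
# Added example: deploy the unified labeling scanner, run a discovery-only scan,
# then enable enforcement. Run in an elevated PowerShell session on the scanner
# server. The cluster and content scan job must already exist in the portal
# (step 2 of the procedure); all values below are placeholders.

$Cluster     = 'PurviewScanner'          # cluster name as created in the portal
$SqlInstance = 'SQLSRV01\SCANNER'        # SQL Server instance for the scanner DB
$TenantId    = '<tenant-id>'             # placeholder
$AppId       = '<app-registration-id>'   # placeholder: app registered for the scanner
$AppSecret   = '<app-secret>'            # placeholder: keep in a vault, not in scripts
$Share       = '\\fs01\departments'      # placeholder file share to scan

Import-Module AzureInformationProtection

# Step 1: install the scanner service and create its database
Install-AIPScanner -SqlServerInstance $SqlInstance -Cluster $Cluster

# Authenticate the scanner non-interactively via the app registration,
# delegated to the scanner service account so scans run unattended
$svc = Get-Credential -Message 'Scanner service account'
Set-AIPAuthentication -AppId $AppId -AppSecret $AppSecret -TenantId $TenantId `
    -DelegatedUser $svc.UserName -OnBehalfOf $svc

# Step 2: pull the cluster and content scan job settings from the portal
Set-AIPScannerConfiguration -OnlineConfiguration On

# Step 3: add a repository to the content scan job (can also be done in the portal)
Add-AIPScannerRepository -Path $Share

# Step 4: discovery only. Enforce Off reports matches without labeling;
# -Reset rescans every file rather than only changed files
Set-AIPScannerContentScanJob -Enforce Off
Start-AIPScan -Reset
Get-AIPScannerStatus   # poll until the scan completes, then review the reports

# Step 5: once discovery results have been reviewed, enable enforcement (labeling)
Set-AIPScannerContentScanJob -Enforce On
Start-AIPScan
```

Keep enforcement off until the discovery reports confirm the scan job's rules match the expected files; a misconfigured job with enforcement on labels and encrypts at scale.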
## Azure Purview Integration {#azure-purview}
Integrate Microsoft Purview (M365) with Azure Purview Data Map for unified data governance across cloud and on-premises sources.
### Azure Purview Capabilities
| Feature | Purpose |
|---|---|
| Data Map | Unified catalog across Azure, M365, on-prem |
| Data Lineage | Track data flow through systems |
| Data Governance | Policies across hybrid environment |
| Data Sharing | Secure cross-organization data sharing |
## Information Barriers {#information-barriers}
Create "ethical walls" between user groups that should not communicate or collaborate.
### Use Cases
| Scenario | Segments | Barrier |
|---|---|---|
| Audit committee | Audit / Finance | Block communication |
| Competing research | Lab A / Lab B | Block collaboration |
| Legal separation | Legal / General staff | Block during M&A |
| Faculty with dual roles | Research / Admin | Prevent conflicts of interest |
### Implementation Considerations
Information Barriers require careful planning and can significantly impact user collaboration. Test thoroughly in a pilot environment before broad deployment.
## Regulatory Focus {#regulatory}
### FERPA Protection
Implement specific protections for student educational records.
FERPA Label Configuration:
| Label | Encryption | Sharing | Marking |
|---|---|---|---|
| Confidential - FERPA | Required | Internal only | Header: "FERPA Protected" |
FERPA DLP Policy:
| Condition | Action |
|---|---|
| FERPA SITs detected | Warn with policy tip |
| FERPA + External recipient | Block with override |
| FERPA + Bulk access | Block |
### HIPAA Protection
Implement specific protections for protected health information (PHI).
HIPAA Label Configuration:
| Label | Encryption | Rights | Audit |
|---|---|---|---|
| Confidential - HIPAA | Required | No forwarding | Required |
### NIST 800-171 / CMMC for Research
Implement controls for Controlled Unclassified Information in research settings.
Required Controls:
| NIST Control | Purview Implementation |
|---|---|
| 3.1.1 Limit access | Sensitivity labels with encryption |
| 3.3.1 Audit logs | Audit Premium with 1-year retention |
| 3.4.5 Change control | PAM for admin changes |
| 3.8.1 Protect CUI | DLP blocking external sharing |
## Microsoft Priva (PAYG) {#priva}
Implement privacy risk management using Microsoft Priva (pay-per-request licensing).
### Priva Capabilities
| Feature | Purpose |
|---|---|
| Subject Rights Requests | Automate GDPR/CCPA data subject requests |
| Privacy Risk Management | Identify privacy risks proactively |
| Consent Management | Track and manage user consent |
## Validation Checklist
| # | Item | Success Criteria |
|---|---|---|
| 1 | On-prem scanner | Deployed and scanning |
| 2 | Azure Purview | Connected to M365 Purview |
| 3 | FERPA labels | Published and in use |
| 4 | HIPAA labels | Published and in use |
| 5 | CUI controls | Implemented for research |
## Next Steps
With extensions complete, proceed to Validation for final testing and rollout.