Configure Microsoft Purview for increased security (Preview)

In Microsoft Purview, we group our security recommendations into multiple themes based on the Secure Future Initiative (SFI). This structure allows organizations to logically break up projects into related consumable chunks.

Tip

Some organizations might take these recommendations exactly as written, while others might choose to make modifications based on their own business needs.

We recommend that all of the following controls be implemented where licenses are available. These patterns and practices help to provide a foundation for other resources built on top of this solution. More controls will be added to this document over time.

Automated assessment

Manually checking this guidance against a tenant's configuration can be time-consuming and error-prone. The Zero Trust Assessment transforms this process with automation to test for these security configuration items and more. Learn more in What is the Zero Trust Assessment?

Licensing and billing requirements

Several Microsoft 365 subscriptions support the capabilities covered by this assessment. To identify the licenses required, see the Microsoft Purview service description.

Some Microsoft Purview capabilities also require pay-as-you-go billing—for example, when the configuration includes non–Microsoft 365 data sources, AI hub locations, or retention scopes that cover some Copilots or other AI apps.

Protect data

Reduce risk by ensuring encryption and collaboration settings are correctly configured for your organization's data.

Check
Azure Rights Management service is activated
Super user membership is configured for Microsoft Purview Information Protection
On-demand scans are configured for sensitive information discovery
OCR is enabled for sensitive information detection
Custom sensitive information types are configured
Exact data match is configured for sensitive information detection
Named entity sensitive information types are used in auto-labeling and data loss prevention policies
Trainable classifiers are used in data loss prevention and auto-labeling policies
Purview audit logging is enabled
Sensitivity labels are configured
Globally published sensitivity labels don't exceed the recommended maximum
Sensitivity labels with encryption are configured
Double Key Encryption labels are configured
Co-authoring is enabled for encrypted documents
Container labels are configured for collaborative workspaces
Sensitivity labels are enabled in SharePoint
PDF labeling is enabled in SharePoint
Sensitivity label policies are published to users
A default sensitivity label is configured in label policies
Mandatory labeling is enabled in sensitivity label policies
Users must provide justification to downgrade sensitivity labels
Email label policies inherit sensitivity from attachments
Default sensitivity labels are configured for SharePoint document libraries
Auto-labeling policies are configured for all workloads
Auto-labeling policies are in enforcement mode
Auto-labeling policies are enabled for SharePoint and OneDrive
Microsoft Purview Message Encryption is configured with simplified client access
Custom branding templates are configured for Microsoft Purview Message Encryption
Email retention policies are configured
Data loss prevention policies are enabled
Endpoint data loss prevention policies are configured
Adaptive Protection is enabled in data loss prevention policies
Browser data loss prevention is enabled for AI apps via Edge for Business
Insider Risk Management policies are enabled for risky AI usage
Communication compliance monitoring is configured for Microsoft Copilot
Communication compliance monitoring is configured for enterprise AI tools

Feedback

Was this page helpful?

Last updated on 2026-05-07