Merge pull request #49947 from MicrosoftDocs/NEW-purview-ai-assess-mitigate-risks

New purview ai assess mitigate risks

Author: JillGrant615

learn-pr/wwl-sci/purview-ai-assess-mitigate-risks/adaptive-protection-ai.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-ai-assess-mitigate-risks.adaptive-protection-ai
+title: "Case study: Implement Adaptive Protection for AI data security"
+metadata:
+  title: "Case study: Implement Adaptive Protection for AI data security"
+  description: "Case study: Implement Adaptive Protection for AI data security"
+  ms.date: 04/10/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+durationInMinutes: 10
+content: |
+  [!include[](includes/adaptive-protection-ai.md)]

learn-pr/wwl-sci/purview-ai-assess-mitigate-risks/data-assessments.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-ai-assess-mitigate-risks.data-assessments
+title: Use data assessments to detect oversharing risks
+metadata:
+  title: Use data assessments to detect oversharing risks
+  description: "Use data assessments to detect oversharing risks."
+  ms.date: 04/10/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 10
+content: |
+  [!include[](includes/data-assessments.md)]

learn-pr/wwl-sci/purview-ai-assess-mitigate-risks/includes/adaptive-protection-ai.md

@@ -0,0 +1,72 @@
+As organizations adopt generative AI tools, traditional security policies might not provide enough flexibility to manage evolving risks. Microsoft Purview Adaptive Protection helps address this challenge by adjusting data loss prevention (DLP) policy enforcement based on user risk signals. These signals can come from browsing behavior or how users handle data in AI environments. This dynamic approach helps protect sensitive information without blocking productivity across the organization.
+
+The next example shows how a financial technology company uses Adaptive Protection to safeguard sensitive data while enabling responsible use of AI tools.
+
+## Learning objectives
+
+In this example, you'll learn how to:
+
+- Use Adaptive Protection to manage data security risks related to AI tool usage.
+- Link insider risk policies and DLP policies through dynamic user risk levels.
+- Configure protections that block or restrict risky actions based on those levels.
+
+## Example: Protecting financial data in generative AI tools
+
+Contoso, a financial software company, uses external generative AI tools in both R&D and marketing workflows. These tools support productivity, but they also raise risks, including:
+
+- Sharing of sensitive financial data
+- Exposure of proprietary algorithms
+- Disclosure of confidential product information
+
+To manage these risks, Contoso uses Adaptive Protection to adjust DLP enforcement based on each user's behavior. This example walks through how they configure Microsoft Purview to support that goal.
+
+## Step 1: Create an insider risk policy for browsing behavior
+
+Contoso begins by creating an insider risk policy using the **Risky browser usage (preview)** template. The policy includes the **browsed to generative AI websites** indicator to detect access to external AI tools.
+
+:::image type="content" source="../media/risky-browser-usage-template.png" alt-text="Screenshot shows the Choose a policy template screen in the Insider Risk Management policy template wizard." lightbox="../media/risky-browser-usage-template.png":::
+
+This policy helps Contoso identify users who interact with external AI sites while working with sensitive data. They name the policy **AI Browsing Detection**, making it easier to track and reference when configuring Adaptive Protection.
+
+## Step 2: Assign adaptive risk levels
+
+Next, Contoso configures risk levels for Adaptive Protection. They associate both their existing Data leaks policy and the new AI Browsing Detection policy with Adaptive Protection to support dynamic risk scoring based on a broader range of activities.
+
+- **Elevated**: Assigned when high-severity events like confirmed data sharing occur
+- **Moderate**: Used for irregular but less severe activities
+- **Minor**: Assigned for low-level but notable behaviors
+
+Contoso chooses to assign risk levels based on user activity, allowing them to focus on specific signals related to AI usage.
+
+:::image type="content" source="../media/custom-risk-levels-adaptive-protection.png" alt-text="Screenshot shows the Custom risk levels menu in Adaptive Protection." lightbox="../media/custom-risk-levels-adaptive-protection.png":::
+
+## Step 3: Create a DLP policy with risk-based actions
+
+Contoso uses the **Fortify your data security** recommendation in **DSPM for AI** to simplify deployment. This recommendation creates a prebuilt DLP policy named **DSPM for AI - Block sensitive info from AI sites** designed to work with Adaptive Protection.
+
+**The policy**:
+
+- Targets **elevated risk users** identified through insider risk management
+- **Blocks pasting and uploading** of sensitive content to AI tools in Microsoft Edge, Chrome, and Firefox
+- Uses a **block with override** action to give users a chance to justify the action
+- Starts in **simulation mode** to evaluate potential matches before enforcement
+
+Contoso reviews the policy configuration and simulation results to confirm accuracy. They enable the option to automatically turn the policy on after 15 days if no changes are made, ensuring it doesn't remain inactive indefinitely.
+
+This approach gives Contoso a fast way to put protections in place while still allowing time for validation and adjustment.
+
+## Step 4: Enable Adaptive Protection
+
+To complete setup, Contoso enables Adaptive Protection in the Microsoft Purview portal. This activates the dynamic protections they configured.
+
+:::image type="content" source="../media/enable-adaptive-protection.png" alt-text="Screenshot shows Adaptive Protection enabled." lightbox="../media/enable-adaptive-protection.png":::
+
+Once enabled:
+
+- Insider Risk Management policies assign risk levels based on activity
+- Adaptive Protection updates risk levels and tracks users in scope
+- DLP policies apply different enforcement rules based on each user's risk level
+
+This connection ensures that users with higher risk scores face stricter safeguards when interacting with sensitive data, while lower-risk users can work with fewer restrictions.
+
+This configuration helps Contoso manage AI-related data risks while allowing their teams to continue using tools that support productivity and innovation.

learn-pr/wwl-sci/purview-ai-assess-mitigate-risks/includes/data-assessments.md

@@ -0,0 +1,114 @@
+AI tools like Microsoft 365 Copilot can unintentionally expose misclassified or over-permissioned content. Data assessments help security teams detect these risks early, apply protections, and maintain compliance.
+
+Microsoft 365 Copilot and other AI tools can surface misclassified, over-permissioned, or outdated content, increasing the likelihood of unintentional data exposure. By running data assessments, organizations can identify these risks early, apply appropriate protections, and ensure compliance with internal policies and regulatory requirements.
+
+## Default data assessments
+
+Microsoft Purview Data Security Posture Management (DSPM) for AI automatically runs a weekly assessment on the top 100 SharePoint sites used by Microsoft 365 Copilot. This built-in assessment helps organizations identify high-risk data exposure without manual configuration.
+
+To review the latest weekly assessment:
+
+1. Navigate to **DSPM for AI** in the [Microsoft Purview portal](https://purview.microsoft.com/?azure-portal=true).
+1. Select **Assessments** from the navigation pane.
+1. Open the **Oversharing Assessment for the week of <month, year>**.
+1. Review key findings, including:
+   - Number of sensitive files accessed
+   - Frequency of access
+   - External sharing risks
+
+   :::image type="content" source="../media/data-assessment-oversharing.png" alt-text="Screenshot of the Oversharing assessments page in Microsoft Purview, showing details on total items, sensitivity labels, and data with sharing links." lightbox="../media/data-assessment-oversharing.png":::
+
+The weekly assessment helps identify trends in data exposure, allowing organizations to detect misconfigured access settings, overly permissive sharing, or files that contain sensitive data but lack proper classification. Reviewing these results regularly ensures that security policies are informed by actual risks rather than assumptions.
+
+For a deeper analysis of specific users, sites, or data sources, security teams can run custom assessments tailored to their needs.
+
+## Run a custom data assessment
+
+Organizations might need to scan beyond the default assessment to evaluate AI security risks in different users, sites, or content types. Custom data assessments allow security teams to define the scope of their analysis.
+
+To create and run a custom assessment:
+
+1. Navigate to **DSPM for AI** > **Data assessments**.
+1. Select **Create assessment**.
+1. On the **Basic details** page:
+   - Enter an **Assessment name**.
+   - Provide an optional **Description** to define the purpose of the assessment.
+1. On the **Add users** page:
+   - Choose whether to Include all users or Include specific users or groups.
+1. On the **Data sources** page, select the SharePoint sites or other data sources you want to scan.
+1. On the **Review and run the data assessment scan**, select **Save and run** to run the custom assessment.
+
+Assessments can take up to 48 hours to complete. After the assessment completes, review the findings in the Protect and Monitor tabs to determine the appropriate security actions.
+
+## Review and act on assessment results
+
+After a data assessment runs, security teams can analyze the results and take action using the **Protect** and **Monitor** tabs. These tabs provide insights into how sensitive data is being accessed and shared, and offer remediation options to reduce oversharing risks.
+
+### Protect tab - Apply security controls
+
+The **Protect** tab helps security teams limit access to high-risk data and enforce compliance measures. Recommended actions include:
+
+- **Restrict access by label**: Use Microsoft Purview Data Loss Prevention (DLP) to prevent Microsoft 365 Copilot from summarizing data that has specific sensitivity labels. For more information about how this works and supported scenarios, see [Learn about the Microsoft 365 Copilot policy location](/purview/dlp-microsoft365-copilot-location-learn-about?azure-portal=true).
+
+- **Restrict all items**: Use [SharePoint Restricted Content Discoverability](/sharepoint/restricted-content-discovery?azure-portal=true) to prevent Microsoft 365 Copilot from indexing specified SharePoint sites.
+
+   :::image type="content" source="../media/data-assessment-restrict-items.png" alt-text="Screenshot showing the options in the Protect tab in Data assessments to restrict access to sensitive data." lightbox="../media/data-assessment-restrict-items.png":::
+
+- **Apply auto-labeling policies**: [Automatically apply sensitivity labels](/purview/apply-sensitivity-label-automatically?azure-portal=true#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange) to unlabeled files containing sensitive information.
+
+- **Enforce retention policies**: Use [Microsoft Purview Data Lifecycle Management retention policies](/purview/create-retention-policies?azure-portal=true) to delete content that hasn't been accessed for at least three years.
+
+   :::image type="content" source="../media/data-assessment-apply-label.png" alt-text="Screenshot showing the options in the Protect tab in Data assessments to manage sensitivity labels and policies for a specific SharePoint site." lightbox="../media/data-assessment-apply-label.png":::
+
+### Monitor tab - Review sharing and access risks
+
+The **Monitor** tab provides visibility into how data is shared and accessed across the organization. It includes tools for reviewing and managing access:
+
+- **Run a SharePoint site access review**: Identify and assess sites that are shared broadly or externally. IT administrators can delegate access reviews to site owners.
+- **Run an identity access review**: Review group memberships, enterprise application access, and role assignments in Microsoft Entra ID to ensure only the right users maintain access.
+
+   :::image type="content" source="../media/data-assessment-monitor.png" alt-text="Screenshot showing the options in the Monitor tab in Data assessments to Run a site access review and Run an identity access review." lightbox="../media/data-assessment-monitor.png":::
+
+By regularly reviewing assessment results in both the **Protect** and **Monitor** tabs, organizations can enforce security policies, reduce oversharing risks, and ensure compliance with data protection requirements.
+
+## Respond to assessment findings
+
+After reviewing a data assessment, it's important to act on the insights to reduce risk and strengthen data protection. While tools like the Protect and Monitor tabs help apply controls, some decisions require investigation and follow-up outside the portal.
+
+Consider the following actions based on what you find in your assessment results:
+
+### Investigate frequently accessed or unlabeled sites
+
+If a site shows a high volume of activity or contains a large number of unlabeled files, review the site to determine:
+
+- Whether the data is still needed
+- If it contains sensitive content that should be labeled
+- If access should be limited to fewer users or groups
+
+Sites that receive frequent access but contain no labeled items might require manual classification or a review of auto-labeling coverage.
+
+### Review broad internal sharing
+
+Sites shared with “People in your organization” might still be too permissive. Follow up with site owners to confirm whether that level of access is necessary. If not, adjust permissions or run a SharePoint site access review to delegate cleanup.
+
+### Apply protections to sensitive files
+
+When sensitive data is found with no labels or protections applied, consider:
+
+- Running an auto-labeling policy to apply the appropriate sensitivity level
+- Restricting access to high-risk data using DLP or Restricted Content Discoverability
+- Applying retention policies to remove stale content no longer in use
+
+### Clean up unused or empty data sources
+
+If a site shows no scanned items or access activity, determine whether it's still needed. Inactive sites can be archived or restricted to reduce your organization's overall exposure risk.
+
+### Follow up with content owners
+
+For sites with unclear or outdated access patterns, notify data owners and provide guidance on how to:
+
+- Review and update sharing settings
+- Label content correctly
+- Remove unused files or folders
+
+Creating a process to follow up with site owners can help maintain long-term control over shared and sensitive content.