Merge pull request #49940 from MicrosoftDocs/NEW-purview-ai-discover-data

New purview ai discover data

Author: JamesJBarnett

learn-pr/wwl-sci/purview-ai-discover-data/audit-copilot.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-ai-discover-data.audit-copilot
+title: Audit Microsoft 365 Copilot interactions with Microsoft Purview
+metadata:
+  title: Audit Microsoft 365 Copilot interactions with Microsoft Purview
+  description: "Audit Microsoft 365 Copilot interactions with Microsoft Purview"
+  ms.date: 04/10/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 6
+content: |
+  [!include[](includes/audit-copilot.md)]

learn-pr/wwl-sci/purview-ai-discover-data/configure-dspm-ai.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-ai-discover-data.configure-dspm-ai
+title: Configure DSPM for AI
+metadata:
+  title: Configure DSPM for AI
+  description: "Configure DSPM for AI."
+  ms.date: 04/10/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 8
+content: |
+  [!include[](includes/configure-dspm-ai.md)]

learn-pr/wwl-sci/purview-ai-discover-data/dspm-ai-overview.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-ai-discover-data.dspm-ai-overview
+title: Microsoft Purview Data Security Posture Management (DSPM) for AI overview
+metadata:
+  title: Microsoft Purview Data Security Posture Management (DSPM) for AI overview
+  description: "Microsoft Purview Data Security Posture Management (DSPM) for AI overview."
+  ms.date: 04/10/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 4
+content: |
+  [!include[](includes/dspm-ai-overview.md)]

learn-pr/wwl-sci/purview-ai-discover-data/includes/audit-copilot.md

@@ -0,0 +1,77 @@
+Microsoft 365 Copilot integrates with apps like Word, Excel, Outlook, and Teams to help users generate content, summarize information, and automate everyday tasks. These capabilities rely on large language models, including GPT-4, and use data from emails, chats, documents, and calendars to provide context-based assistance.
+
+Because of how Copilot works, with access to sensitive content across Microsoft 365, it's important to have visibility into how it's being used. Microsoft Purview Audit helps organizations track Copilot usage to support security, compliance, and organizational policy enforcement.
+
+## How Microsoft Purview Audit helps review Copilot usage
+
+As users interact with Microsoft 365 Copilot across apps like Word, Excel, and Teams, it's important to verify that those interactions meet organizational and regulatory expectations. Microsoft Purview Audit supports this by recording user and admin activity across Microsoft 365, including Copilot usage.
+
+These actions are stored in a unified audit log, which you can search in the Microsoft Purview portal or by using PowerShell. Audit logs help answer key questions such as:
+
+- Who used Copilot and when?
+- In which application was it used?
+- Did the interaction involve labeled or sensitive content?
+
+These insights give security and compliance teams the visibility they need to ensure Copilot usage aligns with policy.
+
+## Search the audit log for Copilot interactions
+
+Microsoft Purview Audit supports compliance management by capturing Copilot interactions across applications like Word, Excel, PowerPoint, Teams, Loop, Whiteboard, OneNote, and Microsoft 365 Chat. The audit records identify Copilot interactions by the app in which they occur, providing detailed insights into Copilot usage across different contexts.
+
+### Prerequisites for using Microsoft Purview Audit to search Microsoft 365 Copilot interactions
+
+Before you search and analyze Copilot interactions using Microsoft Purview Audit, there are a few steps to ensure your environment is ready. Follow these prerequisites to set up your Microsoft 365 and Purview Audit configurations:
+
+| **Step** | **Description** | **Learn more** |
+|------|-------------|------------|
+| Verify prerequisites for Copilot | Ensure your IT infrastructure is ready for Copilot and Audit, including necessary network configurations and software updates. | - [Microsoft 365 Copilot requirements](/microsoft-365-copilot/microsoft-365-copilot-requirements?azure-portal=true) |
+| Understand searching with Audit | Understand the search functionalities in Microsoft Purview Audit to effectively analyze activities within Microsoft 365. | - [Audit New Search](/purview/audit-new-search?azure-portal=true) |
+| Check licensing requirements | Confirm that you have the appropriate Microsoft 365 E3/E5 licenses for Copilot and Microsoft Purview Audit. | - [Microsoft 365 Copilot service description](/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-copilot?azure-portal=true#available-plan) <br> - [Microsoft Purview Audit service description](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-purview-audit?azure-portal=true) |
+
+Note: Microsoft Purview Audit logging is turned on by default, but when setting up a new Microsoft 365 organization, you should verify the auditing status for your organization. If auditing isn't turned on for your organization, you can turn it on in the Microsoft Purview portal or by using Exchange Online PowerShell. For more information on verifying that auditing is enabled and enabling the audit sign in Microsoft Purview, see [Turn auditing on or off](/purview/audit-log-enable-disable?azure-portal=true).
+
+### Search the audit log for Copilot interactions in Microsoft Purview
+
+Microsoft Purview Audit captures user activity across Microsoft 365, including when users interact with Microsoft 365 Copilot. These interactions are recorded based on the application where they occurred, such as Word, Excel, or Teams, and can include details about referenced files, including whether sensitivity labels were applied.
+
+You can search for these events in the Microsoft Purview portal using filters that help narrow your results to Copilot-specific activity.
+
+1. Sign into the [Microsoft Purview portal](https://purview.microsoft.com?azure-portal=true).
+1. In the left navigation pane, select **Solutions** > **Audit**.
+1. Select **New Search** tab at the top of the **Audit** page.
+1. Configure your search on the **New Search** tab:
+   1. Set the **Start date** and **End date** for your search, with the last seven days selected by default.
+   1. Enter relevant keywords or phrases in the **Keyword Search**, using asterisks (*) to replace special characters.
+   1. Select administrative units from the **Admin Units** dropdown if needed.
+   1. Under **Activities - friendly names** select specific activities relevant to Copilot by navigating to **Copilot activities** and selecting **Interacted with Copilot**. You can also use the search bar to find activities related to Copilot by entering _Copilot_.
+   :::image type="content" source="../media/audit-copilot-new-search-activities.png" alt-text="Screenshot showing Interacted with Copilot selected under Activities - friendly names." lightbox="../media/audit-copilot-new-search-activities.png":::
+   1. For precise searches, use **Activities - operations names** and enter _CopilotInteraction_ as the operation name for Copilot activities.
+   1. In the **Record types** dropdown, select record types linked to Copilot activities. Enter _Copilot_ in the search box above the list for easier selection.
+   :::image type="content" source="../media/audit-copilot-new-search-record-type.png" alt-text="Screenshot showing CopilotInteraction selected under Record types." lightbox="../media/audit-copilot-new-search-record-type.png":::
+   1. Name your search in the **Search name** field for easy identification.
+   1. Enter specific users in the **Users** field or leave it blank to return entries for all users (and service accounts) in your organization.
+   1. Enter **File, folder, or site** names for targeted searches, or leave this box blank to return entries for all files and folders in your organization.
+1. Select **Search** to start your search job. A maximum of 10 search jobs can be run in parallel for one user account. If a user requires more than 10 search jobs, they must wait for an _In progress_ job to finish or delete a search job.
+
+## Limitations and considerations for auditing Copilot interactions
+
+Microsoft Purview Audit provides useful insight into how users interact with Microsoft 365 Copilot, but there are a few limitations to be aware of. Understanding these limitations helps set accurate expectations for what can and can't be captured in the audit logs.
+
+### What's captured in the audit log
+
+- Copilot activity is recorded based on the app in which it occurred (such as Word, Teams, or Excel).
+- Events typically include user IDs, time stamps, and references to accessed files.
+- If a referenced file has a sensitivity label, that label is included in the log entry.
+
+### What's not captured in audit logs
+
+- **Prompts and responses**: Audit logs record that Copilot was used, but not the actual content of the prompt or the AI-generated response. For more detailed content-level review, use Microsoft Purview eDiscovery.
+- **Copilot configuration changes**: Administrative updates to Copilot settings (such as enabling or disabling features) aren't currently logged in Audit.
+- **Device details**: Device identifiers aren't included in Copilot-related audit entries.
+
+### Application-specific considerations
+
+- **Copilot in Teams**: If meeting transcripts are turned off, Copilot activities in Teams aren't captured in the audit log.
+- **App identifiers**: The source app for each interaction is listed in the log, such as Copilot in Word or Copilot in Teams.
+
+Knowing these limitations can help you plan which tools to use for broader investigations or compliance reviews. Audit is a useful first step for visibility into Copilot activity, but might need to be paired with other solutions for full context.

learn-pr/wwl-sci/purview-ai-discover-data/includes/configure-dspm-ai.md

@@ -0,0 +1,84 @@
+Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations understand how AI tools interact with data, identify potential risks, and connect insights to security and compliance tools that help enforce policy. To use DSPM for AI effectively, organizations need to configure key settings, enable monitoring, and apply security controls.
+
+## Prerequisites
+
+Before configuring DSPM for AI, check that your environment meets these requirements:
+
+- **[Check permissions](/purview/ai-microsoft-purview-permissions?azure-portal=true)**: Your account needs appropriate permissions in Microsoft Entra or Microsoft Purview, such as Compliance Administrator or a related role with compliance management permissions.
+- **[Verify Microsoft Purview Audit is enabled](/purview/audit-log-enable-disable?azure-portal=true#verify-the-auditing-status-for-your-organization)**: Auditing is on by default for new tenants, but it's a good idea to verify.
+- **[Assign Copilot Licenses](/copilot/microsoft-365/microsoft-365-copilot-enable-users?azure-portal=true#assign-licenses)**: Users should be assigned Microsoft 365 Copilot licenses for activity tracking.
+- **[Onboard Devices to Microsoft Purview](/purview/device-onboarding-overview?azure-portal=true)**: Devices need to be onboarded to Microsoft Purview to track AI interactions.
+- **[Install the Microsoft Purview Browser Extension](/purview/insider-risk-management-browser-support#configure-browser-signal-detection-for-microsoft-edge?azure-portal=true)**: The Microsoft Purview browser extension is required to monitor non-Microsoft AI site visits.
+
+## Steps to configure DSPM for AI
+
+After completing the prerequisites, configure DSPM for AI in Microsoft Purview. This process includes enabling built-in policies, running data assessments, and verifying that AI-related security controls are in place.
+
+### Step 1: Set up DSPM for AI
+
+1. Sign in to the [Microsoft Purview portal](https://purview.microsoft.com/?azure-portal=true).
+1. Navigate to **Solutions** > **DSPM for AI**.
+1. From the **Overview** page, go to **Get started** to complete the required setup tasks.
+1. Verify that **Microsoft Purview Audit** is enabled to track AI interactions.
+1. Install the **Microsoft Purview browser extension** to detect AI-related activity.
+1. **Onboard devices to Microsoft Purview** to monitor AI interactions.
+1. Enable **Extend your insights for data discovery** to create policies that detect risky AI usage, track AI site visits, and identify when users paste sensitive data into AI apps.
+
+    :::image type="content" source="../media/dspm-ai-get-started.png" alt-text="Screenshot of the DSPM for AI interface in Microsoft Purview, showing the Get started checklist with required setup steps." lightbox="../media/dspm-ai-get-started.png":::
+
+### Step 2: Review and configure recommendations and policies
+
+Microsoft Purview provides AI security recommendations that help organizations protect sensitive data and monitor AI interactions. These recommendations include preconfigured policy templates (one-click policies) that work with Microsoft Purview features like data loss prevention (DLP), Insider Risk Management, or Communication Compliance, as well as guidance for manual policy implementation.
+
+#### How to use recommendations
+
+1. Go to **Recommendations** in the Microsoft Purview portal.
+1. Review the available AI security recommendations and their status.
+1. Select a recommendation to:
+
+   - **Create a policy**: Instantly apply a one-click policy with built-in security settings.
+   - **View the recommendation**: Assess and manually take action based on guidance.
+
+   :::image type="content" source="../media/dspm-ai-recommendations.png" alt-text="Screenshot of the Recommendations page in Microsoft Purview, showing a list of AI security recommendations categorized as Not Started, Dismissed, or Completed." lightbox="../media/dspm-ai-recommendations.png":::
+
+   > [!NOTE]
+   > Recommendations that provide one-click policies include a **Create policy** button, while manual recommendations require reviewing and taking action based on the provided guidance.
+
+#### Types of AI security recommendations
+
+Recommendations are grouped into categories such as **Data Security**, **Data Discovery**, or **AI Regulations**. When selecting a recommendation, DSPM for AI provides either:
+
+- A preconfigured policy that can be activated immediately (one-click policy)
+- Guidance on security measures that require manual implementation
+
+**Recommendations in DSPM for AI**:
+
+DSPM for AI offers a range of AI security recommendations, each designed to detect specific risks or enforce specific protections. Some apply a one-click policy. Others offer guidance for manual configuration.
+
+Use this table to get a quick understanding of what each recommendation does so you can decide which to apply in your environment.
+
+| Recommendation | Type | Description |
+|-----|-----|-----|
+| Fortify your data security | Data security | Uses Adaptive Protection to apply a block-with-override rule for high-risk users interacting with AI sites. |
+| Control unethical behavior in AI | Insight into communications | Creates a policy to detect unethical behavior in Microsoft 365 Copilot. Alerts are generated in Communication Compliance. |
+| Guided assistance to AI regulations | AI regulations | Provides guidance on regulatory compliance for AI interactions. |
+| Protect sensitive data referenced in Copilot responses | Data security | Runs a data assessment to identify oversharing risks in Copilot interactions. |
+| Discover and govern interactions with ChatGPT Enterprise AI (Preview) | Data discovery |Requires setting up a connector in Purview to track ChatGPT Enterprise interactions. |
+| Protect sensitive data referenced in Microsoft 365 Copilot (Preview) | Data security | Creates a data loss prevention policy to prevent Copilot from processing labeled content. |
+| Protect your data from potential oversharing risks | Data security | Provides insights into oversharing risks based on a weekly scan. |
+| Use Copilot to improve your data security posture (Preview) | Data security | Uses Security Copilot to investigate alerts and analyze security risks. |
+| Information Protection Policy for Sensitivity Labels | Data security | Sets up default sensitivity labels to preserve document access rights and protect Copilot output. |
+
+#### Understand recommendation status
+
+Each recommendation falls into one of three categories:
+
+- **Not Started**: Recommendations that haven't been acted on.
+- **Dismissed**: Recommendations that were reviewed but not applied.
+- **Completed**: Recommendations that have been fully implemented.
+
+#### Policy activation timeline
+
+Policies take up to 24 hours to take effect. Once activated in the appropriate Microsoft Purview solution, policies begin tracking or enforcing rules based on AI activity and risk signals, with results appearing in DSPM reports and Activity Explorer after data processing. Deleted policies remain visible with a **PendingDeletion** status until fully removed.
+
+After configuring DSPM for AI, use Microsoft Purview reports and data assessments to evaluate AI interactions and identify potential risks. Reports provide insights into policy enforcement, AI data exposure, and compliance status, while data assessments help detect oversharing risks before they affect security.