dspm for ai module

Author: riswinto

learn-pr/wwl-sci/purview-identify-mitigate-ai-risks/configure-dspm-ai.yml

@@ -10,6 +10,6 @@ metadata:
   ms.topic: unit
 azureSandbox: false
 labModal: false
-durationInMinutes: 4
+durationInMinutes: 8
 content: |
   [!include[](includes/configure-dspm-ai.md)]

learn-pr/wwl-sci/purview-identify-mitigate-ai-risks/data-assessments.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-identify-mitigate-ai-risks.data-assessments
+title: Use Data assessments (preview) to detect oversharing risks
+metadata:
+  title: Use Data assessments (preview) to detect oversharing risks
+  description: "Use Data assessments (preview) to detect oversharing risks."
+  ms.date: 2/6/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 8
+content: |
+  [!include[](includes/data-assessments.md)]

learn-pr/wwl-sci/purview-identify-mitigate-ai-risks/includes/configure-dspm-ai.md

@@ -8,37 +8,73 @@ Before configuring DSPM for AI, check that your environment meets these requirem
 - **[Verify Microsoft Purview Audit is enabled](/purview/audit-log-enable-disable?tabs=microsoft-purview-portal#verify-the-auditing-status-for-your-organization)**: Auditing is on by default for new tenants, but it's a good idea to verify.
 - **[Assign Copilot Licenses](/copilot/microsoft-365/microsoft-365-copilot-enable-users#assign-licenses)**: Users should be assigned Microsoft 365 Copilot licenses for activity tracking.
 - **[Onboard Devices to Microsoft Purview](/purview/device-onboarding-overview)**: Devices need to be onboarded to Microsoft Purview to track AI interactions.
-- **[Install the Microsoft Purview Browser Extension](/purview/insider-risk-management-browser-support#configure-browser-signal-detection-for-microsoft-edge)**: The Microsoft Purview browser extension is required to monitor third-party AI site visits.
+- **[Install the Microsoft Purview Browser Extension](/purview/insider-risk-management-browser-support#configure-browser-signal-detection-for-microsoft-edge)**: The Microsoft Purview browser extension is required to monitor non-Microsoft AI site visits.
 
 ## Steps to configure DSPM for AI
 
 After completing the prerequisites, configure DSPM for AI in Microsoft Purview. This process includes enabling built-in policies, running data assessments, and verifying that AI-related security controls are in place.
 
-1. Access DSPM for AI
+### Step 1: Set up DSPM for AI
 
-   - Sign in to the Microsoft Purview portal.
-   - Navigate to Solutions > DSPM for AI.
+1. Sign in to the [Microsoft Purview portal](https://purview.microsoft.com/).
+1. Navigate to **Solutions** > **DSPM for AI**.
+1. From the **Overview** page, go to **Get started** to complete the required setup tasks.
+1. Verify that **Microsoft Purview Audit** is enabled to track AI interactions.
+1. Install the **Microsoft Purview browser extension** to detect AI-related activity.
+1. **Onboard devices to Microsoft Purview** to monitor AI interactions.
+1. Enable **Extend your insights for data discovery** to create policies that detect risky AI usage, track AI site visits, and identify when users paste sensitive data into AI apps.
 
-1. Review the Get Started Section
+    :::image type="content" source="../media/dspm-ai-get-started.png" alt-text="Screenshot of the DSPM for AI interface in Microsoft Purview, showing the Get started checklist with required setup steps." lightbox="../media/dspm-ai-get-started.png":::
 
-   - From the Overview page, review Get Started for initial actions.
-   - Confirm that Audit Logging is enabled.
-   - Enable Extend Insights for Data Discovery to track AI-generated content.
-   - Activate One-Click Policies to apply built-in security controls.
-1. Activate Preconfigured Policies
+### Step 2: Review and configure recommendations and policies
 
-   - Go to Policies in the Microsoft Purview portal.
-   - Review available AI security policies.
-   - Enable recommended policies to detect sensitive data exposure and AI activity.
-   - If needed, edit the policy scope before activation to apply policies only to specific users or groups instead of the entire organization.
-   - Allow up to 24 hours for policies to take effect.
+Microsoft Purview provides AI security recommendations that help organizations protect sensitive data and monitor AI interactions. These recommendations include preconfigured policies (one-click policies) or suggested actions that require manual review.
 
-   Once activated, policies begin tracking AI interactions based on configured rules. Results appear in DSPM reports and Activity Explorer after data processing. If a policy is deleted, it remains visible with a PendingDeletion status until fully removed.
+#### How to use recommendations
 
-1. Run Data Assessments
+1. Go to **Recommendations** in the Microsoft Purview portal.
+1. Review the available AI security recommendations and their status.
+1. Select a recommendation to:
 
-   - DSPM for AI automatically runs weekly assessments on the top 100 SharePoint sites used by Copilot.
-   - To create a custom assessment:
-      - Go to Data Assessments (Preview) in Microsoft Purview.
-      - Select Create Assessment and choose users and data sources to scan.
-      - Run the assessment and allow up to 48 hours for results to appear.
+   - **Create a policy**: Instantly apply a one-click policy with built-in security settings.
+   - **View the recommendation**: Assess and manually take action based on guidance.
+
+   :::image type="content" source="../media/dspm-ai-recommendations.png" alt-text="Screenshot of the Recommendations page in Microsoft Purview, showing a list of AI security recommendations categorized as Not Started, Dismissed, or Completed." lightbox="../media/dspm-ai-recommendations.png":::
+
+   > [!NOTE]
+   > Recommendations that provide one-click policies include a **Create policy** button, while manual recommendations require reviewing and taking action based on the provided guidance.
+
+#### Types of AI security recommendations
+
+Recommendations are grouped into categories such as **Data Security**, **Data Discovery**, or **AI Regulations**. When selecting a recommendation, DSPM for AI provides either:
+
+- A preconfigured policy that can be activated immediately (one-click policy)
+- Guidance on security measures that require manual implementation
+
+**Recommendations in DSPM for AI**:
+
+| Recommendation | Type | Description |
+|-----|-----|-----|
+| Fortify your data security | Data security | Uses Adaptive Protection to apply a block-with-override rule for high-risk users interacting with AI sites. |
+| Control unethical behavior in AI | Insight into communications | Creates a policy to detect unethical behavior in Microsoft 365 Copilot. Alerts are generated in Communication Compliance. |
+| Guided assistance to AI regulations | AI regulations | Provides guidance on regulatory compliance for AI interactions. |
+| Protect sensitive data referenced in Copilot responses | Data security | Runs a data assessment to identify oversharing risks in Copilot interactions. |
+| Discover and govern interactions with ChatGPT Enterprise AI (Preview) | Data discovery |Requires setting up a connector in Purview to track ChatGPT Enterprise interactions. |
+| Protect sensitive data referenced in Microsoft 365 Copilot (Preview) | Data security | Creates a data loss prevention policy to prevent Copilot from processing labeled content. |
+| Protect your data from potential oversharing risks | Data security | Provides insights into oversharing risks based on a weekly scan. |
+| Use Copilot to improve your data security posture (Preview) | Data security | Uses Security Copilot to investigate alerts and analyze security risks. |
+| Information Protection Policy for Sensitivity Labels | Data security | Sets up default sensitivity labels to preserve document access rights and protect Copilot output. |
+
+#### Understand recommendation status
+
+Each recommendation falls into one of three categories:
+
+- **Not Started**: Recommendations that haven't been acted on.
+- **Dismissed**: Recommendations that were reviewed but not applied.
+- **Completed**: Recommendations that have been fully implemented.
+
+#### Policy activation timeline
+
+Policies take up to 24 hours to take effect. Once activated, they track AI interactions based on configured rules, with results appearing in DSPM reports and Activity Explorer after data processing. Deleted policies remain visible with a **PendingDeletion** status until fully removed.
+
+After configuring DSPM for AI, use Microsoft Purview reports and data assessments to evaluate AI interactions and identify potential risks. Reports provide insights into policy enforcement, AI data exposure, and compliance status, while data assessments help detect oversharing risks before they affect security.

learn-pr/wwl-sci/purview-identify-mitigate-ai-risks/includes/data-assessments.md

@@ -0,0 +1,72 @@
+AI tools like Microsoft 365 Copilot can unintentionally expose misclassified or over-permissioned content. Data assessments help security teams detect these risks early, apply protections, and maintain compliance.
+
+Microsoft 365 Copilot and other AI tools can surface misclassified, over-permissioned, or outdated content, increasing the likelihood of unintentional data exposure. By running data assessments, organizations can identify these risks early, apply appropriate protections, and ensure compliance with internal policies and regulatory requirements.
+
+## Default data assessments
+
+Microsoft Purview Data Security Posture Management (DSPM) for AI automatically runs a weekly assessment on the top 100 SharePoint sites used by Microsoft 365 Copilot. This built-in assessment helps organizations identify high-risk data exposure without manual configuration.
+
+To review the latest weekly assessment:
+
+1. Navigate to **DSPM for AI** in the [Microsoft Purview portal](https://purview.microsoft.com/).
+1. Select **Assessments** from the navigation pane.
+1. Open the **Oversharing Assessment for the week of <month, year>**.
+1. Review key findings, including:
+   - Number of sensitive files accessed
+   - Frequency of access
+   - External sharing risks
+
+   :::image type="content" source="../media/data-assessment-oversharing.png" alt-text="Screenshot of the Oversharing assessments page in Microsoft Purview, showing details on total items, sensitivity labels, and data with sharing links." lightbox="../media/data-assessment-oversharing.png":::
+
+The weekly assessment helps identify trends in data exposure, allowing organizations to detect misconfigured access settings, overly permissive sharing, or files that contain sensitive data but lack proper classification. Reviewing these results regularly ensures that security policies are informed by actual risks rather than assumptions.
+
+For a deeper analysis of specific users, sites, or data sources, security teams can run custom assessments tailored to their needs.
+
+## Run a custom data assessment
+
+Organizations might need to scan beyond the default assessment to evaluate AI security risks in different users, sites, or content types. Custom data assessments allow security teams to define the scope of their analysis.
+
+To create and run a custom assessment:
+
+1. Navigate to **DSPM for AI** > **Data assessments**.
+1. Select **Create assessment**.
+1. On the **Basic details** page:
+   - Enter an **Assessment name**.
+   - Provide an optional **Description** to define the purpose of the assessment.
+1. On the **Add users** page:
+   - Choose whether to Include all users or Include specific users or groups.
+1. On the **Data sources** page, select the SharePoint sites or other data sources you want to scan.
+1. On the **Review and run the data assessment scan**, select **Save and run** to run the custom assessment.
+
+Assessments can take up to 48 hours to complete. After the assessment completes, review the findings in the Protect and Monitor tabs to determine the appropriate security actions.
+
+## Review and act on assessment results
+
+After a data assessment runs, security teams can analyze the results and take action using the **Protect** and **Monitor** tabs. These tabs provide insights into how sensitive data is being accessed and shared, and offer remediation options to reduce oversharing risks.
+
+### Protect tab - Apply security controls
+
+The **Protect** tab helps security teams limit access to high-risk data and enforce compliance measures. Recommended actions include:
+
+- **Restrict access by label**: Use Microsoft Purview Data Loss Prevention (DLP) to prevent Microsoft 365 Copilot from summarizing data that has specific sensitivity labels. For more information about how this works and supported scenarios, see [Learn about the Microsoft 365 Copilot policy location](/purview/dlp-microsoft365-copilot-location-learn-about).
+
+- **Restrict all items**: Use [SharePoint Restricted Content Discoverability](/sharepoint/restricted-content-discovery) to prevent Microsoft 365 Copilot from indexing specified SharePoint sites.
+
+   :::image type="content" source="../media/data-assessment-dlp-restrict-items.png" alt-text="Screenshot showing the options in the Protect tab in Data assessments to restrict access to sensitive data." lightbox="../media/data-assessment-dlp-restrict-items.png":::
+
+- **Apply auto-labeling policies**: [Automatically apply sensitivity labels](/purview/apply-sensitivity-label-automatically#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange) to unlabeled files containing sensitive information.
+
+- **Enforce retention policies**: Use [Microsoft Purview Data Lifecycle Management retention policies](/purview/create-retention-policies?tabs=teams-retention) to delete content that hasn't been accessed for at least three years.
+
+   :::image type="content" source="../media/data-assessment-apply-label.png" alt-text="Screenshot showing the options in the Protect tab in Data assessments to manage sensitivity labels and policies for a specific SharePoint site." lightbox="../media/data-assessment-apply-label.png":::
+
+### Monitor tab - Review sharing and access risks
+
+The **Monitor** tab provides visibility into how data is shared and accessed across the organization. It includes tools for reviewing and managing access:
+
+- **Run a SharePoint site access review**: Identify and assess sites that are shared broadly or externally. IT administrators can delegate access reviews to site owners.
+- **Run an identity access review**: Review group memberships, enterprise application access, and role assignments in Microsoft Entra ID to ensure only the right users maintain access.
+
+   :::image type="content" source="../media/data-assessment-monitor.png" alt-text="Screenshot showing the options in the Monitor tab in Data assessments to Run a site access review and Run an identity access review." lightbox="../media/data-assessment-monitor.png":::
+
+By regularly reviewing assessment results in both the **Protect** and **Monitor** tabs, organizations can enforce security policies, reduce oversharing risks, and ensure compliance with data protection requirements.

learn-pr/wwl-sci/purview-identify-mitigate-ai-risks/includes/review-ai-security-reports.md

@@ -0,0 +1,55 @@
+After configuring Data Security Posture Management (DSPM) for AI, the next step is to monitor AI activity, assess security risks, and review reports to ensure that AI interactions comply with organizational policies. Microsoft Purview provides insights into how AI is used, identifies potential data security issues, and enables organizations to take action when necessary.
+
+## Reports in DSPM for AI
+
+The **Reports** section in DSPM for AI provides insights into AI interactions, sensitive data exposure, and security risks. These reports help organizations assess AI activity, identify potential compliance issues, and take proactive steps to protect sensitive information.
+
+To view AI activity insights:
+
+1. Sign in to the [Microsoft Purview portal](https://purview.microsoft.com/).
+1. Navigate to **Solutions** > **DSPM for AI**.
+1. Go to **Reports** to review AI-related activity, trends, and risk assessments.
+
+## Understand report categories and their insights
+
+Each report helps organizations understand AI usage and risks in different ways. The reports are grouped into three sections: **Activity**, **Data**, and **User Risk**.
+
+### Activity reports
+
+**Activity** reports provide an overview of AI usage patterns across the organization. These reports help security teams track adoption trends, detect unusual activity, and determine whether AI interactions align with company policies. Understanding AI usage is crucial for assessing risks and identifying whether extra safeguards are needed.
+
+The reports available here include:
+
+- **Total interactions over time (Microsoft Copilot & enterprise AI apps)**: Tracks the number of AI interactions within Microsoft 365 Copilot and non-Microsoft AI tools. This report helps organizations monitor AI adoption and identify patterns that might require further investigation.
+- **Total visits (other AI apps)**:  Displays user visits to AI applications such as ChatGPT, Gemini, and Copilot for Bing. This report helps organizations determine whether employees are engaging with unauthorized AI tools and take action if needed.
+
+### Data insights
+
+**Data** reports highlight risks related to AI interactions involving sensitive data. These reports help organizations identify where sensitive information is being processed and whether AI tools are being used responsibly.
+
+The reports available here include:
+
+- **Sensitive interactions per AI app**: Identifies AI applications that process sensitive data. This report helps security teams assess which AI tools pose the highest data exposure risks.
+- **Top unethical AI interactions**: Surfaces instances where Microsoft 365 Copilot has generated or responded to unethical, inappropriate, or noncompliant content. This information is useful for organizations using Communication Compliance policies to monitor AI-generated messages.
+- **Top sensitivity labels referenced in Copilot for Microsoft 365**: Displays which sensitivity-labeled content is being referenced by AI tools. This insight helps organizations assess whether AI interactions involve confidential or highly classified data.
+
+### User risk reports
+
+**User** risk reports help organizations identify potential insider threats based on how employees interact with AI tools. These reports assess user behavior, AI usage trends, and the severity of security risks.
+
+The reports available here include:
+
+- **Insider risk severity**: Shows user AI interactions grouped by risk levels, helping security teams identify patterns that might indicate excessive or inappropriate AI usage.
+- **Insider risk severity per AI app**: Breaks down user risk levels by specific AI applications, showing where risky behavior is occurring. This report helps organizations determine whether Copilot or non-Microsoft AI tools require stricter monitoring.
+
+### Taking action on reports
+
+After reviewing AI security reports, organizations can take specific actions to enhance monitoring, reduce risks, and enforce security policies. Some reports might initially appear blank if data tracking hasn't been enabled. In these cases, adjustments might be needed to begin collecting insights.
+
+To act on report findings, consider:
+
+- **Extend insights**: If reports show "Data discovery is yet to be defined," AI interactions aren't currently being tracked. Select Extend insights to enable monitoring for Microsoft 365 Copilot and non-Microsoft AI tools.
+- **Enable policies**: Certain reports require data loss prevention (DLP) policies, sensitivity labels, or communication compliance rules to be activated before tracking begins. If a report remains empty despite AI activity in your environment, check policy configurations.
+- **Review flagged activity**: Reports can highlight sensitive data usage, risky AI interactions, or insider threats. If an anomaly is detected, security teams should investigate further using Activity Explorer. They can then apply necessary controls, such as blocking AI interactions with classified data or restricting access to high-risk AI tools.
+
+By continuously monitoring AI reports and acting on insights, organizations can ensure AI technologies are used securely, responsibly, and in compliance with data protection policies.