docs(audit): Microsoft Purview pattern catalog (closes #335) — completes v3.4.0 audit umbrella #371

Merged: Daren9m merged 1 commit into main from spike/335-purview on Apr 30, 2026
@Daren9m (Collaborator) commented Apr 30, 2026

Summary

Resolves spike #335. Fourteenth and final domain audit under v3.4.0 umbrella (#326). Ships docs/audits/purview.md — 404 lines.

This PR completes the v3.4.0 audit umbrella. All 14 spikes resolved.

Coverage matrix

| Category | Total | Covered | Refresh | Gaps |
|---|---|---|---|---|
| DLP policy coverage | 6 | 1 partial | 0 | 4 |
| Sensitivity labels (MIP) | 10 | 2 partial | 2 | 5 + 3 cross-spike |
| Retention | 5 | 4 | 0 | 3 |
| eDiscovery + Insider Risk | 5 | 1 | 1 | 4 |
| Anti-patterns | 6 | 1 | 0 | 3 |
| Total | 27 unique | 9 | 3 | 14 net + 3 cross-spike |

v3.4.0 audit umbrella — complete

| # | Domain | Spike | PR |
|---|---|---|---|
| 1 | Conditional Access | #327 | merged |
| 2 | Privileged access (PIM) | #328 | merged |
| 3 | MFA enforcement | #329 | merged |
| 4 | Authentication methods | #330 | merged |
| 5 | Token + session security | #331 | merged |
| 6 | External / guest collaboration | #333 | merged |
| 7 | Defender for Office | #332 | merged |
| 8 | SharePoint + OneDrive | #337 | merged |
| 9 | Microsoft Teams | #340 | merged |
| 10 | Mail flow | #339 | merged |
| 11 | Microsoft Intune | #334 | merged |
| 12 | Defender for Cloud Apps | #338 | merged |
| 13 | Power Platform | #336 | merged |
| 14 | Microsoft Purview | #335 | this PR |

Four cross-cutting themes for v3.5 consideration

The audit work surfaced themes that warrant coordinated treatment in a v3.5 release:

  1. AZ-namespace boundary issues: AZ-IDENTITY-015/016/030/039/041 are Entra controls in the AZ namespace. Filed as boundary chores in spike: research token + session security patterns (CAE, sign-in frequency, Token Protection) #331, spike: research external collaboration patterns (B2B, cross-tenant access, guest controls) #333, etc. Worth a unified reconciliation.

  2. Namespace duplications: DEFENDER-* ↔ EXO-* (3 pairs from spike: research Defender for Office preset policy detection (Built-in / Standard / Strict) #332 MDO), PBI-* ↔ POWERBI-* (11 pairs from spike: research Power Platform tenant isolation + DLP patterns #336 Power Platform), plus the implicit COMPLIANCE-DLP-* ↔ proposed PURVIEW-DLP-* overlap from this audit. ~14 dedup pairs total.

  3. Canonical reference data file pattern — 4 proposed across the audit work:

    Worth coordinating as a v3.5 release theme: "canonical reference data layer for cross-consumer M365 governance."

  4. Detection-method surface diversity — 5 distinct detection contracts surfaced across audits:

    Worth a docs/CONSUMER-GUIDE.md documenting these contracts for downstream consumers.

Threat-pattern map highlights

| Compromise pattern | Primary control |
|---|---|
| Data theft by departing employee | Insider Risk Management policy |
| Outbound email with sensitive content | DLP policy + appropriate action progression |
| Sensitive content cached on personal device after offboarding | Encryption offline-access duration limit |
| Teams chat data loss without retention | Retention covers Teams ✅ |
| MIP without auto-labeling | Auto-labeling policies match label scope |
| eDiscovery role over-permissioned | eDiscovery RBAC restricted |
| Insider Risk alerts go nowhere | Analyst role membership |
| Audit log evidence missing for incident | Audit retention period extended |

Files

  • docs/audits/purview.md — 404 lines (the audit + completion summary)
  • CHANGELOG.md: [Unreleased] / Documentation entry

Test plan

Out of scope

After this merges

The v3.4.0 milestone is ready for the next phase: filing the spawned-issue backlog. Across all 14 audits the spawned issues total approximately:

  • ~150 feat: gap CheckIDs
  • ~40 chore: narrative-refresh
  • ~10 cross-spike consolidations
  • ~6 namespace-consolidation chores
  • 4 canonical-data-file proposals

Mechanical batch work; happy to file in chunks once given the green light. Or close out the milestone first and start v3.5 with the cross-cutting themes as the planning input.

🤖 Generated with Claude Code

Fourteenth and FINAL domain audit under v3.4.0 umbrella (#326).
Resolves spike #335.

docs/audits/purview.md catalogs 27 unique patterns across 5
sub-domains (DLP policy coverage, sensitivity labels / MIP, retention,
eDiscovery + Insider Risk, anti-patterns). Maps against 16 existing
M365-scope Purview-related checks across PURVIEW-*, COMPLIANCE-*,
plus cross-domain Power BI sensitivity labels.

Surfaces:
- 14 gap CheckIDs covering DLP template currency, custom sensitive
  info types, Endpoint DLP location coverage, DLP rule action
  progression, sensitivity label encryption + defaults + auto-labeling
  gap, retention legal hold + records management, eDiscovery RBAC +
  Premium feature, Insider Risk Management policies + analyst
  assignments, audit log retention period, encryption offline-access
  duration
- 4 cross-spike CheckID consolidations:
  - Site-protection labels ↔ #337 (SPO/OneDrive)
  - Teams sensitivity labels ↔ #340 (Teams)
  - Copilot grounding labels ↔ #336 (Power Platform)
  - PBI sensitivity labels (already covered, with #336 dedup)
- 3 narrative-refresh chore: candidates

Threat-pattern map covers data theft by departing employee, outbound
DLP via email, sensitive label content cached on personal device,
Teams chat data loss without retention, MIP without auto-labeling,
eDiscovery role over-permissioning, Insider Risk alerts going
nowhere, audit log retention insufficient for IR, endpoint DLP gap,
custom org data not protected by templates.

Detection appendix documents 8 cmdlet patterns + 8 edge cases across
Security & Compliance PowerShell + Exchange Online connector. Like
#332 (MDO) and #336 (Power Platform), Purview lives almost entirely
outside Microsoft Graph. Specific edge cases:
- Multiple PowerShell modules required (S&C + ExchangeOnline + ComplianceCenter)
- Policy Mode enum (Enable, TestWithNotifications, etc.)
- Sensitivity labels are 3 distinct artifacts (label store + label
  policies + auto-labeling policies) — reconciliation required
- Retention labels vs retention policies (don't conflate)
- Endpoint DLP requires onboarded devices (#334 cross-domain)
- Insider Risk + Premium eDiscovery are E5+ addons (license-gated)
- Auto-labeling scope is per-location (Exchange / SPO / OneDrive each)
- Records management vs retention labels (immutable-vs-flexible
  distinction)

V3.4.0 AUDIT UMBRELLA COMPLETE: this is the fourteenth and final domain
audit. All 14 spikes (#327-#340 inclusive) resolved. Doc includes a
completion summary mapping each spike to its merged PR + 4 cross-cutting
themes surfaced across the audit work for v3.5 consideration:

  1. AZ-namespace boundary issues (5+ Entra controls in AZ namespace)
  2. Namespace duplications (DEFENDER/EXO 3 pairs, PBI/POWERBI 11 pairs,
     plus implicit COMPLIANCE-DLP / proposed PURVIEW-DLP overlap)
  3. Canonical data file pattern — 4 proposed:
     - data/role-tiers.json (#328)
     - data/microsoft-first-party-appids.json (#361)
     - data/transport-rule-actions.json (#339)
     - data/power-platform-connectors.json (#336)
  4. Detection-method surface diversity — 5 distinct contracts:
     - Microsoft Graph
     - Exchange Online PowerShell
     - Security & Compliance PowerShell
     - MDCA REST API (per-tenant URL)
     - Power Platform admin PowerShell

Same template as #327, #328, #329, #330, #331, #332, #333, #334, #336,
#337, #338, #339, #340.

Closes #335

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Daren9m Daren9m merged commit c63c7d4 into main Apr 30, 2026
9 checks passed
@Daren9m Daren9m deleted the spike/335-purview branch April 30, 2026 16:39
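As an added example (not code from PR #371 or the audited pattern catalog), a Security & Compliance PowerShell check for two of the edge cases the commit message's detection appendix lists: reconciling the three sensitivity-label artifacts (label store, label policies, auto-labeling policies), and DLP policies whose Mode is a test or disabled value rather than Enable. It assumes an active Connect-IPPSSession session from the ExchangeOnlineManagement module and the standard cmdlet property names (Labels, ApplySensitivityLabel, Mode), which are assumptions here.

```powershell
# Added example, not code from PR #371 or the audited catalog. Reconciles the
# three sensitivity-label artifacts and lists DLP policies that are not enforcing.
# Assumes an active Security & Compliance session (Connect-IPPSSession) and the
# standard property names Labels, ApplySensitivityLabel and Mode (assumption).

function Get-SensitivityLabelReconciliation {
    $labels        = Get-Label                        # label store
    $labelPolicies = Get-LabelPolicy                  # publishing policies
    $autoPolicies  = Get-AutoSensitivityLabelPolicy   # auto-labeling policies

    # Labels referenced by any publishing policy and labels applied by any
    # auto-labeling policy. Both values are stringified so a name or a GUID
    # can be matched (assumption: either form may be returned).
    $published   = @($labelPolicies | ForEach-Object { $_.Labels }) | ForEach-Object { "$_" }
    $autoApplied = @($autoPolicies  | ForEach-Object { $_.ApplySensitivityLabel }) | ForEach-Object { "$_" }

    foreach ($label in $labels) {
        $ids = @($label.Name, "$($label.Guid)")
        [pscustomobject]@{
            Label       = $label.DisplayName
            Published   = (@($ids | Where-Object { $published   -contains $_ }).Count -gt 0)
            AutoLabeled = (@($ids | Where-Object { $autoApplied -contains $_ }).Count -gt 0)
        }
    }
}

function Get-DlpPolicyNotEnforcing {
    # Mode is an enum: Enable, Disable, TestWithNotifications, TestWithoutNotifications.
    # Only Enable applies the configured rule actions; test modes audit without enforcing.
    Get-DlpCompliancePolicy |
        Where-Object { $_.Mode -ne 'Enable' } |
        Select-Object Name, Mode, ExchangeLocation, SharePointLocation,
                      OneDriveLocation, TeamsLocation, EndpointDlpLocation
}

# Labels that exist in the store but are neither published nor auto-applied:
# they cannot reach users, so coverage claims based on the label store alone are wrong.
Get-SensitivityLabelReconciliation | Where-Object { (-not $_.Published) -and (-not $_.AutoLabeled) }

# DLP policies that are disabled or still in a test mode.
Get-DlpPolicyNotEnforcing
```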