Microsoft Purview
This section describes the configuration of Microsoft Purview associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Instruction
The pages below outline the as-built configuration for ASD’s Blueprint for Secure Cloud (the Blueprint) for the Microsoft Purview portal at the following URL:
The settings described on these pages provide a baseline implementation for a system configured using the Blueprint. Any implementation implied by these pages should not be considered as prescriptive as to how an organisation must scope, build, document, or assess a system.
Implementation of the guidance provided by the Blueprint will differ depending on an organisation’s operating context and organisational culture. Organisations should implement the Blueprint in alignment with their existing change management, business processes and frameworks.
When using automated configuration files, organisations should note that these files configure the relevant settings in a Microsoft 365 tenancy exactly as outlined in the Configuration pages of the Blueprint. Organisations should ensure they customise the configuration of their Microsoft 365 tenancies in accordance with their own design decisions and requirements, deviating from the Blueprint (including the automated configuration files) where appropriate.
Placeholders such as <ORGANISATION.GOV.AU>, <BLUEPRINT.GOV.AU> and <TENANT-NAME> should be replaced with the relevant details as required.
Purview regex
Throughout the Purview configuration guidance, regular expressions are used to match Protective Security Policy Framework (PSPF) markings. These regular expressions do not cater for the concurrent use of multiple Information Management Markers (IMMs). Organisations that use multiple IMMs in the same marking should create additional configurations to suit their specific use cases.
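The single-IMM limitation described above, shown as an added example rather than the Blueprint's own regular expressions: a pattern that accepts at most one IMM is compared with one that accepts any number, against constructed sample markings. The marking syntax (EPMS-style subject markings), the IMM names and the `Test-Marking` helper are assumptions made for illustration. PowerShell's `-match` uses .NET regular expressions; the constructs used here (alternation, optional and repeated groups) are portable across common engines, but a pattern should still be tested inside Purview before it is relied on.

```powershell
# Added example, not the Blueprint's own patterns. Marking syntax and IMM names
# are constructed for illustration (EPMS-style subject markings assumed).
$samples = @(
    '[SEC=PROTECTED]',
    '[SEC=PROTECTED, ACCESS=Legal-Privilege]',
    '[SEC=PROTECTED, ACCESS=Legal-Privilege, ACCESS=Personal-Privacy]',
    '[SEC=OFFICIAL:Sensitive, ACCESS=Legislative-Secrecy]'
)

$imm = 'Legal-Privilege|Legislative-Secrecy|Personal-Privacy'

# Accepts a PROTECTED marking with at most one IMM: the shape the guidance above describes.
$singleImm = "^\[SEC=PROTECTED(?:, ACCESS=(?:$imm))?\]$"

# Accepts a PROTECTED marking with zero or more IMMs: what an additional configuration
# for organisations that use several IMMs at once would need.
$multiImm = "^\[SEC=PROTECTED(?:, ACCESS=(?:$imm))*\]$"

function Test-Marking {
    param([string] $Marking, [string] $Pattern)
    # -match uses .NET regular expressions; cast so the function returns only a boolean.
    [bool] ($Marking -match $Pattern)
}

$samples | ForEach-Object {
    [pscustomobject] @{
        Marking   = $_
        SingleImm = Test-Marking -Marking $_ -Pattern $singleImm
        MultiImm  = Test-Marking -Marking $_ -Pattern $multiImm
    }
} | Format-Table -AutoSize
# The two-IMM sample is rejected by $singleImm and accepted by $multiImm; the
# OFFICIAL:Sensitive sample is rejected by both because neither pattern targets it.
```

The anchors (`^` and `$`) matter: without them the single-IMM pattern would report a match on the two-IMM sample by matching only its prefix, which is exactly the kind of silent under-match that lets a marked item slip past a DLP rule.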
Automated configuration deployment and assessment
Overview
Some of the Purview configurations can be automatically deployed using Microsoft 365 Desired State Configuration (DSC).
Some of the Purview configurations cannot be assessed using a DSC blueprint; refer to those configuration pages to conduct a manual assessment.
Configuration | Blueprint automation provided |
---|---|
Purview settings | No |
Audit | No |
Compliance Manager | No |
Data Lifecycle Management | Yes (DSC) [1, 2] |
Data Loss Prevention | Yes (DSC) [3, 4] |
Information Protection | |
- Sensitivity labels | Yes (DSC) [5] |
- Publishing policies | Yes (DSC) [6] |
- Auto labeling policies | Yes (DSC) [3, 4] |
- Sensitive info types | No |
1: Retention policies are deployed by the DSC Blueprint in a disabled state and must be manually enabled.
2: The Teams private channel messages 7 year hold policy must be created manually.
3: Policy rules must be configured manually.
4: Policies are deployed in simulation mode and must be manually enabled.
5: The following sensitivity label configurations must be set manually:
- apply a label to channel meetings, and
- set the Microsoft Entra Conditional Access authentication context used to protect labeled SharePoint sites, for each PROTECTED label.
6: The users and groups setting for the users up to PROTECTED policy must be set to the specific groups of users permitted access to PROTECTED information.
Desired State Configuration
Before using the DSC file below, refer to the setup and automated deployment pages for instructions. Do not proceed with the automated deployment instructions until you have familiarised yourself with the additional configuration required below.
Warning
Any existing settings in a tenancy that match the name or UID of any settings in the DSC will be overwritten.
Desired State Configuration file
Download the Purview DSC file and rename the linked .txt file to .ps1.
Configuration data file
Download the configuration data file and rename the linked .txt file to .psd1.
Extra Parameters
The downloaded DSC file requires the following parameters for the configuration of sensitivity label access control settings:
Parameter name | Contents |
---|---|
PROTECTEDUsers | The email address of an existing email-enabled security group, distribution group, or Microsoft 365 group that has all users permitted to access PROTECTED information as members [1] |
PROTECTEDGuests | The email address of an existing email-enabled security group, distribution group, or Microsoft 365 group that has all guests permitted to access PROTECTED information as members [1] |
PROTECTEDDomain | The name of an external organisation’s domain [2] used for emailing PROTECTED information |
1: These groups must have the PROTECTED sensitivity label applied following the import of the DSC Blueprint. The same groups should also be set for the publishing policies mentioned in footnote 6 above.
2: Only one domain name is currently supported by DSC Blueprints; additional domain names must be configured manually.
Additional configuration
The following instructions replace step 4, "Determine the required permissions for the targeted M365 service", on the automated deployment page, and use the M365DSC app created during the initial setup:
- On the Windows host used for deployment, in an elevated PowerShell prompt, install the Exchange Online PowerShell module if it is not already installed:

  ```powershell
  Install-Module ExchangeOnlineManagement
  ```

- Connect to Security & Compliance PowerShell with an account that has permissions to configure roles:

  ```powershell
  Connect-IPPSSession
  ```

- Create a reference to the M365DSC service principal in Exchange Online, substituting the M365DSC app’s app ID and object ID:

  ```powershell
  New-ServicePrincipal -AppId '<App ID GUID>' -ObjectId '<Object ID GUID>' -DisplayName 'M365DSC'
  ```

- Add the M365DSC service principal to the eDiscovery Manager role group, substituting the M365DSC app’s object ID:

  ```powershell
  Add-RoleGroupMember -Identity eDiscoveryManager -Member '<Object ID GUID>'
  ```

- Add the M365DSC service principal to the list of eDiscovery Administrators, substituting the M365DSC app’s object ID:

  ```powershell
  Add-eDiscoveryCaseAdmin -User '<Object ID GUID>'
  ```

- If significant time has passed since performing the initial setup, you may need to re-authenticate before proceeding. Authenticate to your Entra ID tenant with an account that has permissions to update the M365DSC app’s permissions:

  ```powershell
  $creds = Get-Credential
  ```

- Update the M365DSC app with the Exchange ManageAsApp permission, substituting `<location>` with the name of the working folder used in the DSC setup:

  ```powershell
  Update-M365DSCAzureAdApplication -ApplicationName 'M365DSC' -Type Certificate -CertificatePath 'C:\<location>\M365DSC.cer' -Permissions @( @{Api='Exchange';PermissionName='Exchange.ManageAsApp'} ) -AdminConsent -Credential $creds
  ```
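The steps above, gathered into one re-runnable script as an added example (this is not the Blueprint's own script). Each step checks the tenancy's current state before changing it, so the script can be rerun after a partial failure without creating duplicate references or erroring on an existing membership. The parameter names, the `$ErrorActionPreference` handling and the way existing members are matched (by display name or object ID) are assumptions; the placeholders `<App ID GUID>`, `<Object ID GUID>` and `<location>` are the page's own and must be supplied by the caller.

```powershell
# Added example, not the Blueprint's own script: the manual steps as one
# check-then-act script. Matching of existing members by Name is an assumption.
param(
    [Parameter(Mandatory)] [string] $AppId,           # M365DSC app (client) ID, i.e. <App ID GUID>
    [Parameter(Mandatory)] [string] $ObjectId,        # M365DSC service principal object ID, i.e. <Object ID GUID>
    [Parameter(Mandatory)] [string] $CertificatePath, # e.g. C:\<location>\M365DSC.cer from the DSC setup
    [string] $DisplayName = 'M365DSC'
)

# Stop on the first failed cmdlet so a later step never runs against a half-configured state.
$ErrorActionPreference = 'Stop'

# 1. The module that provides Connect-IPPSSession and the Security & Compliance role cmdlets.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module ExchangeOnlineManagement
}
Import-Module ExchangeOnlineManagement

# 2. Interactive sign-in with an account permitted to manage role groups.
Connect-IPPSSession

# 3. Service principal reference: create it only if it is not already present.
$sp = Get-ServicePrincipal -Identity $ObjectId -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName $DisplayName
    Write-Host "Created service principal reference '$DisplayName'."
} else {
    Write-Host "Service principal reference already present: $($sp.DisplayName)"
}

# 4. eDiscovery Manager role group: add the principal only if it is not already a member.
$alreadyMember = Get-RoleGroupMember -Identity eDiscoveryManager |
    Where-Object { $_.Name -eq $DisplayName -or $_.Name -eq $ObjectId }
if (-not $alreadyMember) {
    Add-RoleGroupMember -Identity eDiscoveryManager -Member $ObjectId
}

# 5. eDiscovery Administrators list, with the same idempotency check.
$alreadyAdmin = Get-eDiscoveryCaseAdmin |
    Where-Object { $_.Name -eq $DisplayName -or $_.Name -eq $ObjectId }
if (-not $alreadyAdmin) {
    Add-eDiscoveryCaseAdmin -User $ObjectId
}

# 6. Re-authenticate to Entra ID with an account allowed to change the app's permissions.
$creds = Get-Credential -Message 'Entra ID account permitted to update the M365DSC app'

# 7. Request Exchange.ManageAsApp; admin consent must still be confirmed in the Entra portal.
Update-M365DSCAzureAdApplication -ApplicationName $DisplayName -Type Certificate `
    -CertificatePath $CertificatePath `
    -Permissions @( @{ Api = 'Exchange'; PermissionName = 'Exchange.ManageAsApp' } ) `
    -AdminConsent -Credential $creds

# Read the resulting state back so it can be verified before continuing with the deployment.
Get-RoleGroupMember -Identity eDiscoveryManager | Select-Object Name
Get-eDiscoveryCaseAdmin
```

Run it from the same elevated prompt the page describes, for example `.\Grant-M365DSCPurviewAccess.ps1 -AppId '<App ID GUID>' -ObjectId '<Object ID GUID>' -CertificatePath 'C:\<location>\M365DSC.cer'` (the script file name is an assumption). The read-back at the end is the part worth keeping even if the rest is done by hand: it confirms the service principal holds exactly the eDiscovery rights the Blueprint expects and nothing more.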
Grant admin consent
You will be required to manually grant admin consent to provide the M365DSC app with the required permissions. This can be done in the Entra portal under the API permissions section. The Graph ReadAll permission used in the DSC setup is not required and can be removed if prompted.
There may also be a delay between updating the permissions via PowerShell and them appearing in the Entra portal.
Assign the Compliance Administrator role in Microsoft Entra ID to the M365DSC service principal.
A one-time procedure is required to enable sensitivity labels for containers and to synchronise labels to Entra ID. Instructions for this procedure can be found here.
A one-time procedure is required to turn on auditing. Confirm the status of auditing in the Purview portal by checking for the presence of a banner labelled “start recording user and admin activity”; select the banner to enable auditing. If no banner is present, auditing is already enabled. Alternative instructions for using PowerShell can be found here.
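The PowerShell alternative for the auditing check, as an added example that is not the Blueprint's own: it reads the unified audit log setting from Exchange Online, enables ingestion only when it is off, and reads the setting back rather than assuming the change applied. The function name is an assumption; the cmdlets are the standard Exchange Online ones and are reached through `Connect-ExchangeOnline`, not the Security & Compliance session used earlier on this page.

```powershell
# Added example, not the Blueprint's own: check-then-enable for unified audit logging.
function Enable-UnifiedAuditLogIfDisabled {
    Import-Module ExchangeOnlineManagement
    # Audit log configuration cmdlets live in Exchange Online PowerShell.
    Connect-ExchangeOnline

    $config = Get-AdminAuditLogConfig
    if ($config.UnifiedAuditLogIngestionEnabled) {
        Write-Host 'Unified audit logging is already enabled; nothing to do.'
        return $true
    }

    Write-Host 'Unified audit logging is disabled; enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

    # Read the value back instead of trusting that the Set- call succeeded silently.
    return [bool] (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

Enable-UnifiedAuditLogIfDisabled
```

A `$false` return after the Set- call means the change has not taken effect yet; the portal banner described above is the place to confirm before treating the tenancy as audited.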
Settings
This section describes the configuration of settings within Microsoft Purview associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Audit
This section describes the configuration of audit logging within Microsoft Purview associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Compliance Manager
This section describes the configuration of Compliance Manager within Microsoft Purview associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Data Lifecycle Management
This section describes the configuration of Data Lifecycle Management within Microsoft Purview associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Data Loss Prevention
This section describes the configuration of Data Loss Prevention within Microsoft Purview associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Information Protection
This section describes the configuration of Information Protection within Microsoft Purview associated with systems built according to guidance in ASD's Blueprint for Secure Cloud.