Crafting the Perfect Microsoft Purview Deployment Strategy

With regulators continuing to level up their expectations, and consumers increasingly aware of the importance of data privacy and security, it’s becoming more and more important for enterprises to forge robust data governance strategies. For many Microsoft customers, deploying Microsoft Purview, the technology giant’s full-featured data governance solution suite, is a vital step in building a robust information protection strategy—one that will satisfy regulators, board members, third-party partners, and customers alike.

Purview is a complex solution, and mastering the deployment process isn’t easy. But if you want to go from newbie to master with Microsoft Purview, here’s how to do it.

We guide our clients through a time-tested, four-step deployment process, one that we’ve honed through our experience deploying Microsoft Purview as well as Microsoft-sanctioned best practices. This process is built to deliver the most value with the most effective use of time, budget, and resources, and consists of the following four steps:

  • Requirements gathering
  • Building out policies and foundational components
  • Validation testing and pilot
  • Production deployment

Let’s take a closer look at each of these steps.

Requirements gathering

Every organization’s reasons for deploying Microsoft Purview are unique, but it’s common for regulatory requirements—or overall corporate strategy—to drive the process. Any organization that holds or handles sensitive data may benefit from the visibility and control that Purview provides, but knowing exactly which regulatory requirements are in play, and which data types are at hand, will determine what you need from your Purview deployment.

A best practices-guided Microsoft Purview deployment process begins with an in-depth discussion of the full scope of your needs and requirements and well-defined use cases for various data security scenarios.

Next, we’ll embark upon a quest to discover your sensitive data. What constitutes “sensitive data” is largely dependent upon your industry and objectives. If, for instance, you’re in healthcare, data that’s protected under the Health Insurance Portability and Accountability Act (HIPAA) includes patient medical information, so healthcare organizations can use data discovery tools to search for medical records, social security numbers, and specific keywords within on-premises data stores as well as in the cloud.

Data discovery is the key to a successful Microsoft Purview deployment. The process can be complex and very involved, but it’s the foundation upon which the rest of the implementation process is built. The more stakeholders are involved at this early stage (such as legal teams, risk management, and corporate leadership—including the CEO), the fewer problems you’re likely to encounter later on.

Deploying Microsoft Purview tends to be a design-heavy process. While the initial stages of the project, which include discussion, data discovery, and design sessions, can last a month or longer, an experienced partner like Netrix can expedite these processes and deliver the value of Purview faster. Additionally, the client will come away from these conversations with a thorough understanding of what’s possible, as well as a set of approved design documents.

Building out policies and foundational components

Once an organization’s sensitive data has been discovered, and its goals and objectives translated into a design for its Microsoft Purview implementation, it’s time to start creating policies. Typically, data sensitivity labels are applied automatically, with Purview Information Protection recommending labels based on what it discovers within documents. It’s possible to configure the tool to auto-enforce labeling or allow users to choose their own content labels.

We recommend that our clients first create minimum viable product (MVP) versions of their data loss prevention (DLP) policies in audit mode. This way, they can observe how the policies would behave in real-world use without actively blocking users from sending data or performing other actions until administrators are confident that the policies will work as intended.
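The audit-mode approach described above, sketched in Security & Compliance PowerShell as an added example (not a script from Netrix or Microsoft). The policy name, rule name, locations, and the choice of the U.S. Social Security Number sensitive information type are assumptions made for illustration.

```powershell
# Added example. Policy and rule names are hypothetical placeholders.
# Requires the ExchangeOnlineManagement module and a role that can manage DLP.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'MVP - US SSN'          # hypothetical name
$ruleName   = 'MVP - Detect US SSN'   # hypothetical name

# 1. Create the MVP policy in audit mode. TestWithoutNotifications evaluates
#    content and records matches, but enforces nothing and shows users nothing.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'MVP policy, audit only until reviewed by administrators' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications

# 2. Attach the rule. BlockAccess is declared now so the audit data reflects
#    what WOULD be blocked; it is not enforced while the policy is in test mode.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @{
        Name     = 'U.S. Social Security Number (SSN)'
        minCount = '1'
    } `
    -BlockAccess $true

# 3. Confirm the policy really is in audit mode before anyone relies on it.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode

# 4. Once administrators are confident in the match results, change the mode
#    in place rather than recreating the policy:
#      test mode with policy tips shown to users
# Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications
#      full enforcement
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Checking `Mode` in step 3 matters because a policy created without `-Mode` is enforced as soon as it is distributed.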

Microsoft Purview includes extensive Insider Risk Management capabilities. These enable organizations to quickly identify, investigate, and take action on insider risks. You can set policies to track higher-risk users (such as an employee who recently gave their two-week notice), and alert on activities like downloading sensitive data or deleting large volumes of email. Insider Risk Management can automatically recommend or create policies, or assign user risk scores based on individualized factors. All of these capabilities can be configured during the foundational component build phase.

Validation testing and pilot

This phase is what we think of as the “learn and adapt” phase. We test data labels, features, and policy enforcement thoroughly before putting them in front of production users. This way, we’re able to fix issues early on.

Validation testing begins by deploying policies and labels to a few test accounts or specific users, so that Purview administrators can prove the tools are working as intended in a small-scale, controlled environment before moving into the pilot.

After validation testing, alpha and beta pilots are run, involving a small number of users—perhaps as many as 50 or 100. This process enables us to gather real-time feedback: do the data labels we’ve created make sense to the employees who will be using them? Do people understand how and why policies will be enforced?

Communication is key, and end user training should be conducted simultaneously with the pilot phase of the Microsoft Purview deployment process. In addition to the normal pilot practices, organizations should begin sending out policy notifications to all real-world users letting them know which actions would trigger an alert or be blocked. This is an important part of end user training that runs in conjunction with formalized training.

Different organizations use various strategies to teach their employees the whys and hows of working with Purview. These might include web pages, email announcements, user guides, or in-person communications. Regardless of the means of conveying the information, the goals are always the same: to help end users understand what Microsoft Purview will do, what they can expect to see once it’s in production, and what they’ll need to do in response.

A successful employee training program often includes focus groups and champions, so that real-world user experience can be taken into account in planning communications and setting up resources. When this is done well, it should reduce the number of support tickets that service desk teams will have to field after the deployment goes into production.

Production deployment

If the pilot process has gone well, your deployment should be ready for production, and you probably won’t encounter any major issues as you scale it out. Providing high-quality end user support can smooth and streamline the rollout process, as can ensuring that employees with questions can easily find the answers they need.

Organizations will need to incorporate data governance processes into their employee training and new hire onboarding processes going forward. They’ll also need to ensure that they’re making appropriate use of Purview’s extensive reporting capabilities, and that they have resources on hand to keep up with the new features that Microsoft will continue to release on an ongoing basis. After all, Purview’s ability to help organizations secure and manage their data estates will only grow stronger over the coming months and years.

Want to learn more about how Netrix’s team of experts can help you deploy Microsoft Purview with all the success and none of the stress? If so, get in touch with us today.

MEET THE AUTHOR

Chris Clark

Chris Clark is the Manager of Microsoft Security at Netrix Global. He has been working with Office 365 for over 10 years and is passionate about all cloud technologies and on-premises hybrid configurations. He has engaged with small, medium, and enterprise clients to design, implement, and administer numerous Office 365 migrations and new implementations.