Guided by A Guide to Cloud

SC-401 Study Guide

Domain 1: Implement Information Protection

  • Know Your Data: Sensitive Info Types Free
  • Custom Sensitive Info Types: Build Your Own Free
  • EDM & Fingerprinting: Detect Exact Data
  • Trainable Classifiers: AI-Powered Detection Free
  • Sensitivity Labels: Create & Protect Free
  • Sensitivity Labels: Publish & Auto-Apply
  • Email Encryption: Lock Down Messages
  • Purview IP Client: Classify Files at Scale

Domain 2: Implement DLP and Retention

  • DLP Foundations: Stop Data Leaks
  • DLP Policies: Build, Manage & Extend
  • DLP: Precedence & Adaptive Protection
  • Endpoint DLP: Setup & Configuration
  • Endpoint DLP: Advanced Rules & Monitoring
  • Retention: Plan Your Data Lifecycle
  • Retention Labels: Publish & Auto-Apply
  • Retention: Policies, Precedence & Recovery

Domain 3: Manage Risks, Alerts, and Activities

  • Insider Risk: Foundations & Setup
  • Insider Risk: Policies & Indicators
  • Insider Risk: Investigate & Close Cases
  • Adaptive Protection: Risk Levels Meet DLP
  • Purview Audit: Investigate & Retain
  • Activity Explorer & Content Search
  • Alert Response: Purview, XDR & Cloud Apps
  • DSPM for AI: Setup & Controls
  • DSPM for AI: Policies & Monitoring

Domain 3: Manage Risks, Alerts, and Activities Premium ⏱ ~13 min read

DSPM for AI: Setup & Controls

Data Security Posture Management for AI is the newest domain in SC-401. Configure prerequisites, roles, and Microsoft Purview controls that protect your organisation's data from exposure through AI services like Copilot.

Why AI needs data security controls

☕ Simple explanation

Think of Microsoft Copilot as a super-capable new employee who can read everything.

When you deploy AI services like Copilot, the AI can access the same data your users can — emails, documents, Teams messages, SharePoint sites. If a user has access to 50,000 files, Copilot can summarise, search, and reference all 50,000.

The problem? Oversharing + AI = amplified risk. A file shared with “Everyone” that nobody ever found manually suddenly surfaces in a Copilot response. Sensitive data that was hidden by obscurity is now one prompt away from exposure.

DSPM for AI helps you see what data AI can access, discover oversharing, fix permissions, and monitor how AI interacts with your sensitive content.

Data Security Posture Management (DSPM) for AI in Microsoft Purview provides visibility and controls for data accessed by AI services — primarily Microsoft 365 Copilot, but also extending to Azure AI services and third-party AI applications. It identifies data security risks in AI environments (oversharing, unlabelled sensitive content, excessive permissions), provides actionable recommendations, enables policy creation to monitor AI interactions, and surfaces insights about how AI services access and reference sensitive data.

DSPM for AI addresses a fundamental shift: AI amplifies existing access permissions. Data that was technically accessible but practically obscure (buried in a SharePoint library, forgotten in an old mailbox) becomes instantly surfaceable through natural language prompts.

The AI data risk landscape

| Risk | What Happens | Example |
|---|---|---|
| Oversharing amplified by AI | Files shared with broad permissions surface in AI responses | A salary spreadsheet shared with “Everyone except external” appears in a Copilot summary when someone asks “what do senior managers earn?” |
| Unlabelled sensitive data | AI accesses sensitive content that has no label or protection | Patient data in an unlabelled Word doc gets included in a Copilot-generated report |
| Stale permissions | Former project members still have access, and AI uses that access | A departed employee’s SharePoint access lets Copilot surface their project data to current users |
| AI-generated content risks | AI creates new content from sensitive sources | Copilot generates a meeting summary that includes confidential project details from a labelled document |

Prerequisites for DSPM for AI

| Prerequisite | Detail |
|---|---|
| Licensing | Microsoft 365 E5, E5 Compliance, or E5 Information Protection and Governance |
| Microsoft Purview portal access | Admin must have appropriate Purview roles |
| Sensitivity labels deployed | DSPM recommendations rely on labels being in use |
| Audit logging enabled | Required to capture AI interaction events |
| Microsoft 365 Copilot deployed (for M365 AI monitoring) | Copilot must be licensed and active for AI activity monitoring |

Roles and permissions

| Role | DSPM for AI Capability |
|---|---|
| Compliance Administrator | Full access to DSPM for AI — view reports, configure policies, manage recommendations |
| Information Protection Admin | Manage sensitivity labels and DLP policies that DSPM references |
| Security Reader | View DSPM reports and recommendations (read-only) |
| Global Reader | View-only access across the portal |

Purview controls for AI environments

1. Sensitivity labels — the first line of defence

Sensitivity labels control what AI can do with labelled content:

| Label Setting | AI Impact |
|---|---|
| Encryption | Copilot respects encryption — users without access cannot get AI summaries of encrypted content |
| Content marking | Headers/footers/watermarks persist in AI-generated outputs from labelled sources |
| Label inheritance | When Copilot creates content based on labelled sources, the output should inherit the source label |

2. DLP policies — protect AI interactions

DLP can monitor and control AI interactions:

| DLP Capability | AI Application |
|---|---|
| Monitor AI-generated content | Detect when Copilot outputs contain sensitive data matching SITs |
| Block sensitive data in AI responses | Prevent Copilot from surfacing content matching specific SITs |
| Alert on AI data exposure | Generate alerts when AI accesses or references sensitive content |

3. Oversharing prevention

DSPM for AI identifies and helps remediate oversharing:

| Control | What It Does |
|---|---|
| Permission reviews | Identify files shared with “Everyone” or broad groups that contain sensitive data |
| Access clean-up recommendations | Suggest removing excessive permissions before AI amplifies the exposure |
| Label recommendations | Identify unlabelled sensitive content that AI could surface without restrictions |
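
The three oversharing controls above can be reasoned about as per-file checks. The sketch below is an added example, not Purview's implementation or code from this guide; the inventory schema, the broad-group names and the sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumption: names of the broad-audience groups to treat as oversharing.
BROAD_PRINCIPALS = {"Everyone", "Everyone except external users"}

@dataclass
class FileRecord:              # hypothetical inventory schema, one row per file
    path: str
    label: Optional[str]       # sensitivity label name, None when unlabelled
    sit_matches: List[str]     # sensitive info types detected in the content
    principals: List[str]      # users and groups that can open the file

def triage(files: List[FileRecord], departed: Set[str]) -> dict:
    """Map each risky file path to the remediation categories it needs."""
    departed = {u.lower() for u in departed}
    report = {}
    for f in files:
        if not f.sit_matches:
            continue           # only sensitive content is in scope here
        actions = []
        if BROAD_PRINCIPALS & set(f.principals):
            actions.append("permission-review")      # sensitive data, broad audience
        if any(p.lower() in departed for p in f.principals):
            actions.append("access-clean-up")        # stale access still granted
        if f.label is None:
            actions.append("label-recommendation")   # no label to restrict AI use
        if actions:
            report[f.path] = actions
    # Files needing the most fixes first, then by path for stable output.
    return dict(sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0])))

# Constructed sample inventory (not real tenant data).
SAMPLE = [
    FileRecord("/sites/hr/salaries.xlsx", None, ["Salary data"],
               ["Everyone except external users", "hr-team"]),
    FileRecord("/sites/eng/build.py", "Confidential", ["Source code"],
               ["Everyone", "j.doe@example.com"]),
    FileRecord("/sites/eng/design.docx", "Confidential", ["Source code"],
               ["eng-team"]),
    FileRecord("/sites/mkt/flyer.pdf", None, [], ["Everyone"]),
]
DEPARTED = {"J.Doe@example.com"}

if __name__ == "__main__":
    for path, actions in triage(SAMPLE, DEPARTED).items():
        print(path, "->", ", ".join(actions))
```

A file that is labelled, narrowly shared and free of departed users produces no finding, which is the target state before Copilot goes live.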

Microsoft 365 workload controls

Beyond Purview-level settings, each M365 workload has controls relevant to AI:

| Workload | AI-Relevant Control |
|---|---|
| SharePoint | Restricted access control for sites — limits which sites Copilot can reference |
| OneDrive | Sensitivity labels on files determine Copilot’s access |
| Teams | Meeting sensitivity labels control whether Copilot can generate meeting summaries |
| Exchange | Sensitivity labels on emails control Copilot’s access to email content |

💡 Scenario: Marcus prepares NovaTech for Copilot

NovaTech is deploying Microsoft 365 Copilot to all 800 employees. Marcus, the Security Architect, uses DSPM for AI to prepare:

  1. Assessment: DSPM scans NovaTech’s M365 environment and finds:
    • 12,000 files shared with “Everyone” — 340 contain source code
    • 8,500 unlabelled documents containing PII or IP
    • 45 SharePoint sites with stale permissions (former employees still have access)
  2. Remediation: Marcus fixes permissions, auto-labels the 8,500 documents, removes stale access
  3. Controls: Configures DLP to monitor Copilot interactions containing source code SITs
  4. Go-live: Copilot deploys with clean permissions, labelled data, and active monitoring
💡 Exam tip: DSPM for AI is about readiness, not blocking

DSPM for AI is NOT about preventing AI adoption. It is about ensuring your data security posture is ready for AI:

  • Discover: What sensitive data can AI access?
  • Assess: Where are the gaps in labeling, permissions, and protection?
  • Remediate: Fix oversharing, apply labels, remove stale access
  • Monitor: Track AI interactions with sensitive data ongoing

Exam questions focus on DSPM as a preparation and monitoring tool, not as an AI blocker.

Question

What is the core problem that DSPM for AI addresses?

Answer

AI amplifies existing access permissions. Data that was technically accessible but practically obscure (buried in SharePoint, forgotten in mailboxes) becomes instantly surfaceable through AI prompts. DSPM for AI provides visibility into what data AI can access and helps remediate oversharing before it becomes an exposure.

Question

What are the key prerequisites for DSPM for AI?

Answer

1. E5 or E5 Compliance licensing. 2. Sensitivity labels deployed (DSPM relies on labeling). 3. Audit logging enabled. 4. Microsoft 365 Copilot deployed (for M365 AI monitoring). 5. Appropriate Purview admin roles (Compliance Administrator or Information Protection Admin).

Question

How do sensitivity labels protect data from AI exposure?

Answer

Encryption ensures Copilot cannot access content the user lacks permission for. Label inheritance means AI-generated outputs should inherit the source label's protection. Content markings persist in AI-generated content from labelled sources. Together, labels enforce data protection even when AI processes the content.

Knowledge Check

NovaTech is deploying Microsoft 365 Copilot. DSPM for AI reveals that 12,000 files are shared with 'Everyone' and 340 of those contain source code. What should Marcus do BEFORE enabling Copilot?

Knowledge Check

Priya at Meridian Financial wants to ensure that when Copilot summarises documents labelled 'Highly Confidential', the summaries inherit the same protection. Which control achieves this?

Next up: DSPM for AI: Policies & Monitoring — configure DSPM policies and monitor how AI services interact with your sensitive data.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.