Microsoft Purview HR Data Integration: Enabling Risk-Based Security for AI

As organizations deploy AI solutions like Microsoft 365 Copilot, a critical security challenge emerges: how do you identify and respond to insider risks before they materialize into data breaches? A departing employee with full Microsoft 365 Copilot access can exfiltrate years of organizational knowledge in minutes, prompting summaries of strategic plans, financial data, and customer information with simple natural language queries. Traditional static security policies can’t adapt to the dynamic nature of insider risk.

This is where Microsoft Purview’s Adaptive Protection becomes essential. By leveraging machine learning to analyze user behavior and automatically adjust security controls, Adaptive Protection provides dynamic, risk-based protection for your AI investments. But here’s the critical dependency: Adaptive Protection requires contextual signals from your Human Resources (HR) systems to accurately assess risk.

In this technical guide, we’ll implement the HR data connector that feeds resignation signals into Adaptive Protection, enabling risk-based security controls for scenarios like departing employees accessing sensitive data through Microsoft 365 Copilot.

Table of Contents

  1. Understanding the Architecture
  2. Pre-Requisites
  3. Step 1: Prepare the CSV File
  4. Step 2: Create Microsoft Entra ID Application
    1. Navigate to Entra Admin Center
    2. Register New Application
    3. Copy Application (client) ID and Tenant ID
    4. Create Client Secret
  5. Step 3: Configure the HR Connector in Purview
    1. Access Data Connectors
  6. Step 4: Upload HR Data with PowerShell
    1. Download the Script
    2. Prepare Credentials
    3. Run the Script
    4. Verify Upload
    5. Recommended: Automating HR Data Uploads
  7. Conclusion

Disclaimer: This blog post is provided for informational purposes only. While every effort has been made to ensure accuracy, implementation of these features should be performed by qualified administrators in accordance with your organization’s security and change management policies. The author is not responsible for any issues, data loss, or security incidents that may occur from following this guidance. Always test in a non-production environment first and consult official Microsoft documentation before implementing security features in production.

Understanding the Architecture

Before diving into implementation, it’s important to understand Microsoft’s architectural choice. Unlike Microsoft Entra ID provisioning, which offers direct API connectors to Workday and SAP SuccessFactors, the Purview HR connector operates exclusively through CSV file uploads.

This isn’t a limitation; it’s a security design decision:

  • Air-gapped security: No direct connection between production HR systems and compliance platforms
  • Privacy control: Organizations maintain full control over which HR data is exported
  • Universal compatibility: Any HR system can export CSV, regardless of API capabilities
  • Audit trail: Every upload is logged and traceable

The workflow is straightforward: HR system → CSV export → PowerShell upload script → Purview HR Connector → Adaptive Protection. While this requires scheduled automation, we’ll implement this using Power Automate for seamless operation.

Pre-Requisites

Before starting implementation, ensure you have:

  • Licensing: Microsoft 365 E5 or Purview Suite
  • Permissions: Data Connector Admin role in Microsoft Purview
  • Entra ID: Application Administrator or Cloud Application Administrator role
  • Network: Firewall allowlist for webhook.ingestion.office.com
  • HR Access: Ability to export employee resignation data from your HR system

Step 1: Prepare the CSV File

The HR connector for employee resignations requires three critical data points: the user’s email (UPN), resignation date, and last working date. Here’s what each field means:

  • UserPrincipalName: The user’s Microsoft Entra ID UPN (typically their email)
  • ResignationDate: When the employee formally resigned or was terminated (ISO 8601 format)
  • LastWorkingDate: The employee’s final day of work (must fall between 6 months in the past and 1 year in the future)

Sample CSV format:

UserPrincipalName,ResignationDate,LastWorkingDate
john.doe@thalpius.com,2026-02-14T09:00:00Z,2026-02-28T17:00:00Z
jane.smith@thalpius.com,2026-03-10T14:30:00Z,2026-03-31T17:00:00Z

Save your CSV file to a location accessible by the PowerShell script you’ll run in Step 4. For this guide, we’ll use:

C:\HRConnector\employee_resignations.csv
Image 1: Example of CSV file with resignation dates
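
The three fields and the date window described above can be checked before anything leaves the HR export folder. The following is an added example, not Microsoft's script or the author's: the function name Test-HRResignationCsv is hypothetical, it assumes the window is measured from the current UTC time, and it accepts only the UTC timestamp form used in the sample rows.

```powershell
# Added example: pre-upload check for the Step 1 CSV (not Microsoft's script).
function Test-HRResignationCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [datetime] $Now = [datetime]::UtcNow   # assumption: window is measured from "now" (UTC)
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $rows     = @(Import-Csv -LiteralPath $Path)
    if ($rows.Count -eq 0) {
        $problems.Add('File has no data rows')
    } else {
        $have = $rows[0].PSObject.Properties.Name
        foreach ($col in 'UserPrincipalName', 'ResignationDate', 'LastWorkingDate') {
            if ($col -notin $have) { $problems.Add("Missing column: $col") }
        }
    }
    if ($problems.Count -eq 0) {
        # Assumption: accept only the UTC form shown in the sample rows.
        $format  = "yyyy-MM-dd'T'HH:mm:ss'Z'"
        $styles  = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
        $culture = [cultureinfo]::InvariantCulture
        $line    = 1   # the header is line 1
        foreach ($row in $rows) {
            $line++
            $resigned = $last = [datetime]::MinValue
            if ($row.UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
                $problems.Add("Line ${line}: UserPrincipalName is not in user@domain form")
            }
            if (-not [datetime]::TryParseExact($row.ResignationDate, $format, $culture, $styles, [ref]$resigned)) {
                $problems.Add("Line ${line}: ResignationDate is not yyyy-MM-ddTHH:mm:ssZ")
            }
            if (-not [datetime]::TryParseExact($row.LastWorkingDate, $format, $culture, $styles, [ref]$last)) {
                $problems.Add("Line ${line}: LastWorkingDate is not yyyy-MM-ddTHH:mm:ssZ")
            } elseif ($last -lt $Now.AddMonths(-6) -or $last -gt $Now.AddYears(1)) {
                $problems.Add("Line ${line}: LastWorkingDate is outside the -6 months / +1 year window")
            }
        }
    }
    [pscustomobject]@{ IsValid = ($problems.Count -eq 0); RowCount = $rows.Count; Problems = $problems }
}

# Constructed sample: the first data row is valid, the second has a non-ISO date.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'hr_sample.csv'
@'
UserPrincipalName,ResignationDate,LastWorkingDate
john.doe@thalpius.com,2026-02-14T09:00:00Z,2026-02-28T17:00:00Z
jane.smith@thalpius.com,2026-03-10T14:30:00Z,31/03/2026
'@ | Set-Content -LiteralPath $sample -Encoding utf8
Test-HRResignationCsv -Path $sample -Now ([datetime]'2026-02-20') | Format-List
```

RowCount is the figure to compare with RecordsSaved in the connector log after the upload in Step 4.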

Step 2: Create Microsoft Entra ID Application

The HR connector uses a Microsoft Entra ID application for authentication. This app represents the automated script that will upload HR data, and Microsoft Entra ID uses it to verify the script’s identity when accessing your tenant.

1. Navigate to Entra Admin Center

Open entra.microsoft.com and navigate to: Entra ID > App registrations

Image 2: Entra ID portal

2. Register New Application

Click “New registration” and configure:

  • Name: Purview-HR-Connector
  • Supported account types: Accounts in this organizational directory only
  • Redirect URI: Leave blank (not required for this scenario)
Image 3: Registering an application for the HR connector

3. Copy Application (client) ID and Tenant ID

After registration, you’ll see the Overview page. Copy and save these values; you’ll need them later:

  • Application (client) ID
  • Directory (tenant) ID
Image 4: Copy the Application (client) ID and Directory (tenant) ID, which are needed later

4. Create Client Secret

Navigate to Certificates & secrets > Client secrets and click New client secret:

  • Description: HR Connector Authentication
  • Expires: 24 months (recommended for production)

Copy the Value immediately. This is your Client Secret and it’s only displayed once. Store it securely; if you lose it, you’ll need to create a new one.

Image 5: Write down the Value which is needed later

For production environments, consider storing the client secret in Azure Key Vault and referencing it in your automation scripts rather than hardcoding it in PowerShell.

Step 3: Configure the HR Connector in Purview

Now we’ll create the HR connector in Microsoft Purview that will receive and process the CSV data. This connector acts as the ingestion endpoint for your HR signals.

1. Access Data Connectors

Navigate to purview.microsoft.com and go to: Settings > Data connectors

Image 6: Access the all connectors pane in Purview

2. Create HR Connector

Click the “My connectors” tab, then “Add a connector”. Select “HR” from the list.

Image 7: Select the HR connector

3. Setup Connection

On the Setup the connection page:

  • Microsoft Entra application ID: Paste the Application (client) ID from Step 2
  • Connector name: Employee-Resignations-Connector
Image 8: Enter the Application Client ID and give the connector a name

4. Select HR Scenario

On the HR scenarios page, select “Employee resignations” and click Next.

Image 9: Select “Employee resignation”

5. Configure File Mapping

You have two options for mapping your CSV columns. I recommend uploading a sample CSV file as it’s faster and less error-prone:

  • Select Upload a sample file
  • Click Upload sample file and select your CSV from Step 1
  • The wizard will automatically detect your column names
Image 10: Select CSV as the format and upload an example file

6. Map Columns

On the File mapping details page, use the dropdown menus to map your CSV columns to the required fields:

  • Email address: UserPrincipalName
  • Resignation date: ResignationDate
  • Last working date: LastWorkingDate
Image 11: Map the correct values

7. Complete Setup and Copy Job ID

Review your configuration and click Finish. The confirmation page displays two critical values:

  • Job ID: Copy this GUID; you’ll need it for the PowerShell script
  • Sample script link: Download or bookmark the PowerShell script link
Image 12: Write down the Connector Job ID

Step 4: Upload HR Data with PowerShell

Now we’ll run the PowerShell script that uploads your CSV data to the HR connector. This script authenticates using the Entra ID application and posts the data to Microsoft’s ingestion endpoint.

1. Download the Script

Download the official script from Microsoft’s GitHub: sample_script.ps1

Save it as Upload-HRData.ps1 in C:\HRConnector\

2. Prepare Credentials

Gather the values you copied in previous steps:

  • tenantId: Directory (tenant) ID from Step 2
  • appId: Application (client) ID from Step 2
  • appSecret: Client secret value from Step 2
  • jobId: Job ID from Step 3
  • filePath: C:\HRConnector\employee_resignations.csv

3. Run the Script

Open PowerShell as Administrator and run:

.\Upload-HRData.ps1 `
-tenantId "12345678-1234-1234-1234-123456789abc" `
-appId "87654321-4321-4321-4321-abcdef123456" `
-appSecret "your-client-secret-value" `
-jobId "abcdef12-ab12-ab12-ab12-abcdef123456" `
-filePath 'C:\HRConnector\employee_resignations.csv'
Image 13: Run the script to upload the CSV file
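
The command above carries the client secret as a literal on the command line, where it ends up in shell history and in any saved script. As an added example (not Microsoft's code or the author's), the wrapper below follows the Key Vault recommendation from Step 2 instead. It assumes the Az.Accounts and Az.KeyVault modules are installed and that the host has a managed identity allowed to read the secret; the vault and secret names are hypothetical.

```powershell
# Added example: wrapper around the Step 4 upload that reads the secret at run time.
# Assumptions: Az.Accounts and Az.KeyVault are installed; the host's managed identity
# can read the secret; vault and secret names are hypothetical placeholders.
$ErrorActionPreference = 'Stop'
$vaultName  = 'kv-hr-connector'            # hypothetical
$secretName = 'purview-hr-client-secret'   # hypothetical

# Sign in with the managed identity so no credential is stored with the script.
Connect-AzAccount -Identity | Out-Null

# Same parameters as the command above; IDs are the page's placeholder values.
$uploadArgs = @{
    tenantId  = '12345678-1234-1234-1234-123456789abc'
    appId     = '87654321-4321-4321-4321-abcdef123456'
    jobId     = 'abcdef12-ab12-ab12-ab12-abcdef123456'
    filePath  = 'C:\HRConnector\employee_resignations.csv'
    appSecret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText
}

try {
    # Capture every output stream so the success message can be checked.
    $output = & 'C:\HRConnector\Upload-HRData.ps1' @uploadArgs *>&1 | Out-String
}
finally {
    # Drop the plaintext secret from the session as soon as the call returns.
    $uploadArgs.Remove('appSecret')
}

# Fail the run when the script did not print its success message.
if ($output -notmatch 'Upload Successful') {
    throw "HR upload did not report success. Script output:`n$output"
}
```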

4. Verify Upload

If successful, you’ll see: Upload Successful

Return to the Purview portal and navigate to your HR connector. Under Progress, click Download log to see the ingestion details. The RecordsSaved field should match the number of rows in your CSV.

Image 14: Check the audit log to confirm everything went OK

Recommended: Automating HR Data Uploads

For production environments, manual PowerShell execution isn’t sustainable. Microsoft recommends automating uploads using Power Automate to trigger when new CSV files appear in SharePoint or OneDrive for Business.

The workflow is straightforward:

  1. HR system exports CSV to SharePoint/OneDrive
  2. Power Automate detects new file
  3. Flow authenticates using credentials from Azure Key Vault
  4. HR data uploads automatically to Purview

Microsoft provides a pre-built Power Automate template (ImportHRDataforIRM.zip) specifically for this purpose, available at: github.com/microsoft/m365-compliance-connector-sample-scripts

This approach eliminates manual intervention while maintaining security through Key Vault integration for credential management.

Conclusion

The HR data connector is a foundational component of Microsoft Purview’s Adaptive Protection strategy. While the CSV-based architecture might seem simplistic compared to real-time API integrations, it reflects Microsoft’s deliberate security-first design: maintaining an air-gap between sensitive HR systems and compliance platforms while ensuring universal compatibility.

By implementing this connector, you’ve enabled Purview to make intelligent, context-aware security decisions. When combined with Adaptive Protection’s machine learning capabilities, these HR signals become powerful risk indicators that automatically adjust security controls, particularly critical as organizations deploy AI solutions like Microsoft 365 Copilot that dramatically increase the blast radius of insider threats.

The key takeaway: static security policies can’t protect dynamic AI environments. Adaptive Protection’s risk-based approach, powered by contextual HR data, provides the intelligence layer needed to secure modern workplace AI at scale.