Microsoft Purview: Testing Advanced Message Encryption’s Branding, Revocation, and Expiration

Microsoft Purview: Testing Advanced Message Encryption’s Branding, Revocation, and Expiration

In the previous post, encrypting an email containing a BSN turned out to be the easy part: a DLP policy, a sensitive information type, and a Do Not Forward action got the job done in an afternoon. This post covers the harder half of the promise, controlling what happens to that email after it has already been sent. Can it expire on its own? Can it be pulled back if it was sent to the wrong person? That is Microsoft Purview Advanced Message Encryption, and testing it surfaced more undocumented behavior than expected.

Table of Contents

  1. What Advanced Message Encryption Adds
  2. Setting Up the Branding Action
  3. Testing Revocation
  4. Testing Expiration
  5. Conclusion

Disclaimer: This blog post is provided for informational purposes only. While every effort has been made to ensure accuracy, implementation of these features should be performed by qualified administrators in accordance with your organization’s security and change management policies. Several values and behaviors described in this post fall outside Microsoft’s documented ranges and were only confirmed through direct testing in a single tenant; they are not guaranteed to behave the same way in every environment, and Microsoft support was not consulted before publishing. The author is not responsible for any issues, data loss, or security incidents that may occur from following this guidance. Always test in a non-production environment first.

What Advanced Message Encryption Adds

Advanced Message Encryption (AME) sits on top of the Purview Message Encryption covered in the previous post. It requires a Microsoft 365 E5, E5 Compliance, or E5 Information Protection & Governance license, on top of the base encryption capability that already comes with E3. Without one of those licenses, the cmdlets in this post either fail outright or simply have no effect.

AME adds three things: multiple branding templates, message expiration, and message revocation. All three depend on the recipient reading the message through the OME web portal rather than natively inline. That is a detail worth repeating from the previous post’s “What the Recipient Actually Sees” section: a Microsoft-account recipient normally gets a native, login-free reading experience, and native messages cannot be revoked or expired, regardless of licensing. To guarantee every external recipient goes through the portal, a separate Exchange transport rule is needed:

New-TransportRule -Name "Force Portal - BSN" -FromScope "InOrganization" -ApplyRightsProtectionTemplate "Do Not Forward" -ApplyRightsProtectionCustomizationTemplate "BSN-Template"
Image 1: The Force Portal – BSN transport rule created and enabled immediately, applying both the Do Not Forward template and the BSN-Template branding to every externally sent message.

This rule is separate from, and runs alongside, the DLP policy from the previous post. Both can trigger encryption independently.

Setting Up the Branding Action

A custom branding template only guarantees revocation and expiration support once it is actually applied through a mail flow rule. If a custom branding template is needed, it is worth knowing that it does not appear as a protection option in the same dropdown as Encrypt and Do Not Forward. It requires a second, separate DLP action called Apply branding to encrypted messages, added alongside the encryption action rather than instead of it.

The template itself is created and modified through PowerShell:

New-OMEConfiguration -Identity "BSN-Template" -ExternalMailExpiryInDays 7

With the transport rule from the previous section referencing this template directly, every external recipient, including Microsoft account holders who would otherwise get the native experience, is forced through the portal.

Testing Revocation

Checking whether a message is revocable does not require sending anything new. Given a Message ID (found through Message Trace), the status can be queried directly:

Get-OMEMessageStatus -MessageId "<message-id>" | ft -a Subject, IsRevocable

This returned IsRevocable: True without issues, confirming the setup (DLP policy, branding template, and transport rule) was correctly forcing portal-based delivery.

Image 2: Get-OMEMessageStatus confirming the test message was revocable, validating that the DLP policy, branding template, and transport rule were correctly forcing portal-based delivery.

Actually revoking the message was a different story:

Set-OMEMessageRevocation -Revoke $true -MessageId "<message-id>"

This consistently failed with a 401 error, reproducible across multiple messages and after a fresh PowerShell session:

Write-ErrorMessage : StatusCode: 401, ReasonPhrase: 'Auth Failed. For details, use the Token Validation Service
correlation ID to get more details from Core Auth telemetry. OAuthEvent currTvsCorrId: [correlation-id]'
Image 3: The 401 authentication error returned by Set-OMEMessageRevocation, tracing back to an internal Microsoft service-to-service call rather than a tenant-side permissions or configuration issue.

The stack trace pointed to an internal service-to-service call, Exchange’s OMEMessageHelper submitting a revocation confirmation to Microsoft’s internal Substrate Bus service, failing its own authentication. That is not something a tenant admin, even with Global Administrator and Compliance Administrator roles assigned, can fix through configuration. It is a backend issue, and the correlation ID in the error is meant for a Microsoft support ticket, not for tenant-side troubleshooting.

The sender-side alternative, “Remove external access” in Outlook on the web’s Sent Items, turned out not to apply here either. That option appears to be reserved for messages manually encrypted by a user through Outlook’s own Encrypt button, not messages encrypted automatically by a DLP policy or transport rule.

Revocation, in this tenant, remains an open issue pending a Microsoft support ticket.

Testing Expiration

Expiration looked more promising, and testing it surfaced a chain of undocumented behavior worth walking through.

The only documented parameter is -ExternalMailExpiryInDays, an integer from 1 to 730. Waiting a full day to confirm a test felt impractical, so the boundaries of that restriction got tested directly.

Passing a TimeSpan-formatted string failed immediately, revealing that the parameter is parsed as a number, not a duration:

Set-OMEConfiguration -Identity "BSN-Template" -ExternalMailExpiryInDays "0.00:05:00"
Cannot convert value "0.00:05:00" to type "System.Double"

That error was more informative than expected: the parameter is documented as an Int32, but the actual conversion target is System.Double. Decimal values are apparently accepted despite the documented 1-730 integer range:

Set-OMEConfiguration -Identity "BSN-Template" -ExternalMailExpiryInDays 0.1
Image 4: Set-OMEConfiguration accepting 0.01 days and storing it precisely as a 14-minute-24-second interval, well below the documented 1-730 day range.

This succeeded, and reading the configuration back confirmed it was stored precisely, as a genuine TimeSpan rather than being rounded up to a full day:

ExternalMailExpiryInterval : 00:14:24

0.1 days is 2.4 hours, and a smaller test, 0.01 days, also went through cleanly and stored as 14 minutes and 24 seconds exactly, no rounding, no rejected value, despite being two orders of magnitude below the documented minimum.

Sending a fresh test message confirmed via Message Trace details that both the DLP policy and the transport rule were applied as expected.

Image 5: Get-MessageTraceDetailV2 output showing the message passing through both the DLP rule and the Force Portal – BSN transport rule before being sent externally.

But after the 14-minute-24-second window passed, the message remained fully readable, with no expiration notice in the wrapper email at all.

Image 6: The wrapper email received during the 14-minute-24-second test window, showing no expiration notice at all.

Re-authenticating into the portal made no difference.

The likely explanation: the configuration is stored correctly regardless of how small the value is, but the enforcement layer, the background process that actually checks “has this expired”, appears to be built around the documented whole-day granularity, and silently treats sub-day values as no expiration at all rather than a short one.

Reverting to the officially supported minimum confirmed this. With the value set back to a full day:

Set-OMEConfiguration -Identity "BSN-Template" -ExternalMailExpiryInDays 1

the wrapper email for a fresh test message displayed an explicit expiration notice, “Access to the message will expire on [date] (UTC)”, which never appeared with the fractional values. Storage accepts fractional days; enforcement and the user-facing expiration notice apparently do not.

Image 7: With the configuration reverted to a full day, the wrapper email now explicitly displays “Access to the message will expire on Sunday, 5 July 2026 07:08 (UTC)”, a notice that never appeared with the fractional values.

After the expiration window passed, opening the same link consistently returned a generic error, “Sorry, we can’t display your message right now, Something went wrong and your encrypted message couldn’t be opened”, rather than a specific “this message has expired” notice. Sending a brand new test message immediately afterward opened without issue, confirming the failure was tied specifically to the expired message rather than a broader service outage. Expiration works as intended; Microsoft’s error messaging around it, however, doesn’t make that obvious.

Image 8: After the expiration deadline passed, opening the same link consistently returned this generic error rather than a specific “message expired” notice — confirmed to be tied to expiration by successfully opening a brand new test message immediately afterward.

Conclusion

  1. Advanced Message Encryption is a licensing gate, not just a feature toggle: without Microsoft 365 E5 or an equivalent add-on, expiration and revocation are not available regardless of how the rest of the configuration is set up.
  2. Branding is a separate action, and a prerequisite: revocation and expiration only apply to messages that go through the OME portal, which itself depends on a custom branding template applied through a mail flow rule, not the DLP encryption action alone.
  3. A documented range is not always an enforced one: Set-OMEConfiguration accepted values far below the documented 1-730 day minimum for ExternalMailExpiryInDays, storing them precisely, without the enforcement layer honoring them the same way.
  4. Revocation failed on a backend authentication error unrelated to tenant configuration or permissions, a reminder that not every failure in these tools is something an admin can resolve alone.

Between this post and the previous one, the practical takeaway is the same: Microsoft Purview’s encryption capabilities work largely as documented for the core scenario, detecting and encrypting sensitive data automatically, but the more advanced controls are worth testing directly in a non-production tenant before relying on them, rather than assuming the documentation’s stated limits are the actual behavior.

Microsoft Purview: Encrypting Emails Automatically When They Contain a BSN

Microsoft Purview: Encrypting Emails Automatically When They Contain a BSN

A finance employee needs to email a client’s Burgerservicenummer (the Dutch equivalent of a U.S. Social Security Number) to confirm a contract detail. They type it straight into the body of a normal email and hit send. Depending on how the tenant is configured, that email either gets encrypted and access-restricted automatically before it leaves the mailbox, or it goes out in plain text, readable by anyone who intercepts, forwards, or accidentally receives it.

This is exactly the gap Microsoft Purview Message Encryption, combined with Data Loss Prevention (DLP), is built to close. Rather than relying on a person remembering to manually encrypt a sensitive email, Microsoft Purview can detect the sensitive data itself and apply protection automatically, before the message ever reaches the recipient. In this post, I will walk through the full setup, the two protection options and the difference between them, and what actually happens on the recipient’s side, including a few things that went wrong along the way.

Table of Contents

  1. The Building Blocks
  2. Activating the Underlying Encryption Service
  3. Building the DLP Policy
  4. Testing the Detection
  5. What the Recipient Actually Sees
  6. It Still Shows Up as an Incident in Defender
  7. Conclusion

Disclaimer: This blog post is provided for informational purposes only. While every effort has been made to ensure accuracy, implementation of these features should be performed by qualified administrators in accordance with your organization’s security and change management policies. The author is not responsible for any issues, data loss, or security incidents that may occur from following this guidance. Always test in a non-production environment first and consult official Microsoft documentation before implementing security features in production.

The Building Blocks

Three Microsoft Purview components work together to make this happen:

  • A DLP policy that scans outgoing email for a specific sensitive information type, in this case the built-in Netherlands Citizen’s Service (BSN) Number type, which validates both the digit pattern and its checksum.
  • Message encryption, applied automatically once the DLP rule finds a match. Depending on the tenant, this dropdown can include several templates, including custom ones derived from existing sensitivity labels, but two options are always available: Encrypt protects the message, but the recipient can still forward, print, or copy it. Do Not Forward applies the same encryption plus blocks forwarding, printing, and copying. For this scenario, Do Not Forward is the better fit, since it does not require choosing between the two, Do Not Forward already includes the encryption.
  • A custom branding template (optional), which controls what the encrypted message looks like and, with Microsoft 365 E5 or the E5 Compliance add-on, enables expiration and revocation of already-sent messages.

Activating the Underlying Encryption Service

Before any of this works, connect to Exchange Online PowerShell and check whether internal licensing is enabled:

Connect-ExchangeOnline -UserPrincipalName you@yourdomain.com
Get-IRMConfiguration | Select-Object InternalLicensingEnabled

This is where it is easy to get stuck: InternalLicensingEnabled = True only confirms that Exchange is allowed to use IRM. It does not confirm that the underlying Azure Rights Management service is active. Running Get-RMSTemplate and getting nothing back, not even the default Encrypt and Do Not Forward templates, means Rights Management itself is disabled tenant-wide. That is fixed through a separate module:

Install-Module -Name AIPService
Connect-AipService
Get-AipService
Enable-AipService

Once enabled, Get-RMSTemplate returns the default templates plus any custom ones created afterward.

Image 1: Output of Get-RMSTemplate after the Azure Rights Management service is enabled, showing the available protection templates, including the built-in Encrypt and Do Not Forward options alongside custom templates derived from existing sensitivity labels.

If expiration or revocation is needed, a custom branding template can be created with:

New-OMEConfiguration -Identity "BSN-Template" -ExternalMailExpiryInDays 7

If a custom branding template is needed later, for example to enable expiration or revocation, it is worth knowing that it does not appear as a protection option in the same dropdown as Encrypt and Do Not Forward. It requires a second, separate DLP action called Apply branding to encrypted messages, added alongside the encryption action rather than instead of it.

Building the DLP Policy

In the Microsoft Purview compliance portal, under Data loss prevention, Policies, a custom policy scoped to Exchange email needs the following:

  • Condition: content contains sensitive info type, Netherlands Citizen’s Service (BSN) Number
  • Action 1: Restrict access or encrypt the content in Microsoft 365 locations, Encrypt email messages, Do Not Forward
  • Action 2 (optional): Apply branding to encrypted messages, selecting the custom template
Image2: The DLP rule configuration, showing the Netherlands Citizen’s Service (BSN) Number condition alongside the Encrypt email messages action set to Do Not Forward.

Naming both the policy and the rule descriptively pays off later, once there are several DLP policies running. Something like Encrypt Email - NL BSN Detection for the policy and Encrypt with DNF - NL BSN Detected for the rule is enough to trace a match back to its source in Activity Explorer without guessing.

Starting the policy in test mode with notifications, rather than full enforcement, logs every match, including the sensitive info type, policy, rule, and action that would have been taken, without actually encrypting anything yet.

Testing the Detection

A few details matter before sending a test email:

  • DLP only scans new outgoing mail. Nothing already sent gets scanned retroactively, and a newly enabled or changed policy typically takes about an hour to fully propagate.
  • A fake but checksum-valid BSN is enough for testing. The number 111222333 passes the BSN checksum (the elfproef: multiply each digit by weights 9, 8, 7, 6, 5, 4, 3, 2, -1, sum the results, and the total must be divisible by 11) without belonging to a real person. On its own it may not trigger detection though; the sensitive info type also looks for a nearby keyword such as “BSN” within roughly 300 characters, so pairing both in the test email is what reliably triggers a match.
  • Activity Explorer, not Content Explorer, shows rule matches. Content Explorer reports where sensitive content exists across the environment; Activity Explorer confirms whether a specific email actually matched a DLP rule, using the filter “DLP policy rules that detected activities.”
Image 3: A “DLP rule matched” event in Activity Explorer, confirming the sensitive info type, the policy and rule name, and the actions taken (Encrypt, GenerateAlert) for a test email containing a BSN.

Once a “DLP rule matched” event shows the correct sensitive info type, policy, and rule name, the policy can move from test mode to enforce. After another hour of propagation, a genuinely fresh test email confirms the real behavior.

What the Recipient Actually Sees

Sending the same encrypted, Do Not Forward email to different types of recipients produces two distinct experiences:

  • A Microsoft account recipient (Outlook.com, Hotmail, or a Microsoft 365 mailbox) gets a native experience. The message opens normally, with only a small “Do Not Forward” label at the top, no login prompt or portal. Decryption happens transparently because the recipient is already signed in with Microsoft; the restriction itself, blocking forwarding, is still fully enforced.
  • A non-Microsoft recipient (tested with Gmail and iCloud) gets the classic wrapped portal experience: an email with a “Read the message” link, requiring identity verification through a one-time passcode or a Microsoft sign-in before the content becomes visible.
Image 4: The portal experience for a non-Microsoft recipient (iCloud). Instead of opening natively, the message arrives wrapped in a generic notification with a “Read the message” button and an encrypted .rpmsg attachment, requiring the recipient to verify their identity before the actual content becomes visible.

Both are the exact same underlying protection. The difference is only in how Microsoft verifies who is opening the message, which is worth knowing before assuming that a smooth, login-free reading experience means something was not encrypted.

It Still Shows Up as an Incident in Defender

Encrypting the message does not make the action invisible to security monitoring. Because the email still left the organization to an external recipient, Microsoft Defender correlated the DLP match into an incident tagged “External user risk” under the Exfiltration category, at Low severity. The data itself stayed protected, but the event was still flagged for a SOC team to review if needed, a reminder that Purview and Defender are complementary layers, not substitutes for each other.

Image 5: Microsoft Defender automatically correlates the DLP match into an incident tagged “External user risk” under the Exfiltration category. Even though the message was encrypted and access-restricted, the outbound action itself is still surfaced for security monitoring.

Conclusion

  1. Classification drives everything: without a sensitive information type detecting the BSN, there is nothing for a DLP action to encrypt in the first place.
  2. Do Not Forward, not Encrypt plus Do Not Forward: the two are alternatives, not additive actions, and Do Not Forward already includes the encryption.
  3. Test mode before enforce: confirming a detection match in Activity Explorer first avoids surprises once the policy actually starts encrypting live mail.
  4. The recipient experience varies, the protection does not: a native, login-free read for Microsoft account holders and a portal-based read for everyone else are the same encryption underneath.

Given how safely this can be tested, a made-up but checksum-valid number sent to your own test mailboxes, there is little reason not to set this up before something sensitive slips through in plain text.

Microsoft Purview vs. Defender for Cloud Apps: Preventing vs. Correcting Data Exposure

Microsoft Purview vs. Defender for Cloud Apps: Preventing vs. Correcting Data Exposure

A finance employee applies a Confidential label to a spreadsheet, works on it for a few days, and then shares it with an external consultant through a link in Teams. Depending on how the tenant is configured, that share attempt is either stopped in real time, or it goes through completely unnoticed until someone reviews it weeks later. Which of those two outcomes happens depends entirely on which Microsoft security tool is doing the watching, and at what point in the document’s lifecycle it gets involved.

This is exactly where Microsoft Purview and Microsoft Defender for Cloud Apps get confused as doing “the same thing” for data protection. They do not. One prevents an action before it happens. The other cleans up after data has already moved. In this post, I will walk through both sides with concrete policy examples, and explain why most mature environments end up running both rather than picking one over the other.

Table of Contents

  1. Two Different Moments of Control
  2. Microsoft Purview DLP: Blocking Data After Classification
  3. Microsoft Defender for Cloud Apps: Revoking Access on Already-Shared Files
  4. Why You Need Both
  5. Conclusion

Disclaimer: This blog post is provided for informational purposes only. While every effort has been made to ensure accuracy, implementation of these features should be performed by qualified administrators in accordance with your organization’s security and change management policies. The author is not responsible for any issues, data loss, or security incidents that may occur from following this guidance. Always test in a non-production environment first and consult official Microsoft documentation before implementing security features in production.

Two Different Moments of Control

A question I get regularly: “We have Microsoft Purview, so why do we also need Defender for Cloud Apps for data protection?” The short answer is that they intervene at two different moments in a document’s lifecycle. Purview prevents sensitive data from going down the wrong path in the first place. Defender for Cloud Apps cleans up what has already been shared. Neither one replaces the other; they cover different gaps.

Microsoft Purview DLP: Blocking Data After Classification

Microsoft Purview Data Loss Prevention (DLP) intervenes at the moment a user tries to do something with a document: sending it by email, uploading it to a cloud app, pasting it into a browser, or sharing it outside the organization.

That intervention depends entirely on classification. Before a DLP rule can block anything, Purview first needs to know that a document is sensitive. This is done through:

  • Sensitive information types (SITs): pattern-based detection such as credit card numbers, national identification numbers, or customer IDs
  • Sensitivity labels: applied manually by users or automatically based on content, for example Confidential or Internal
  • Trainable classifiers: machine-learning-based recognition of content types such as contracts or financial statements

Once content is classified as sensitive, a DLP policy can act on it. A common example: a user tries to share a document labeled Confidential with someone outside the organization. The DLP policy recognizes the label and the action is immediate: block, optionally with a business justification override, or block without that option. Every attempt is logged in Activity Explorer, so you can see exactly who tried what and whether the policy intervened.

Image 1: Microsoft Purview DLP rule with a Confidential sensitivity label condition and a block action set to restrict access for people outside the organization

The strength of this approach is that it is preventive, and it applies across the locations Purview has visibility into: endpoints, email, Teams chats, SharePoint/OneDrive, and even prompts sent to Microsoft 365 Copilot and external generative AI tools.

Microsoft Defender for Cloud Apps: Revoking Access on Already-Shared Files

Where Purview DLP is about preventing an action, Defender for Cloud Apps is about correcting a situation that already exists. Think of a document that was shared externally before a label was ever applied, or a file that ended up in a cloud app outside your visibility through a route DLP never inspected.

With a file policy in Defender for Cloud Apps, you can continuously scan for files matching specific conditions, for example an access level of External or Public combined with a sensitivity label or a sensitive information type detected through the Data Classification Service. Once a file matches those conditions, automated governance actions can follow, including:

  • Remove external users: removes all collaborators outside the internal domains configured in your settings
  • Remove public access / remove direct shared link: revokes a shared link or restricts access to named collaborators
  • Make private: removes all shares, leaving access to site administrators only
  • Remove a collaborator: revokes access for one specific person without affecting the rest
Image 2: Defender for Cloud Apps file policy filtering on External or Public access level and a Confidential sensitivity label, with the Remove external users governance action enabled

This works across connected apps such as SharePoint, OneDrive, Google Workspace, and Box, which makes it particularly valuable as a backstop for content that was already shared before it was classified, or for gaps that fall outside Purview DLP’s preventive reach.

Why You Need Both

Microsoft Purview DLP intervenes before or during the action (preventive), triggered by classification detected during an activity, typically blocking sharing, copying, pasting, or uploading, across endpoints, email, Teams, SharePoint/OneDrive, Copilot, and browsers.

Microsoft Defender for Cloud Apps intervenes after the action, on data at rest (corrective), triggered by a continuous scan of files against conditions such as access level and label, typically revoking permissions, undoing sharing, or quarantining/making files private, across connected cloud apps such as SharePoint, OneDrive, Google Workspace, and Box.

This is where the combination earns its value. Purview DLP prevents a large share of risky actions from happening at all. But no preventive layer is airtight: files shared before a label was applied, or content that leaked out through an unmanaged path, will slip through. Defender for Cloud Apps acts as the safety net, continuously scanning what is already out there and revoking access the moment it should not have been granted.

Conclusion

Data protection is not a single control, it is a layered model:

  1. Classify first: sensitivity labels and sensitive information types are the foundation both solutions depend on. Neither Purview DLP nor Defender for Cloud Apps has anything to act on without classification.
  2. Microsoft Purview DLP: prevents risky actions on sensitive content at the moment they happen, across endpoints, email, Teams, and browsers.
  3. Microsoft Defender for Cloud Apps: continuously scans already-shared content in connected cloud apps and revokes access when it violates policy.

Prevent where you can, correct where you must. Together, these two layers close the gap that either one would leave open on its own.

Blocking Generative AI with Microsoft Defender for Cloud Apps and Microsoft Defender for Endpoint

Blocking Generative AI with Microsoft Defender for Cloud Apps and Microsoft Defender for Endpoint

Employees are using generative AI tools every day, often without IT or security teams knowing about it. Tools like ChatGPT, Gemini, Deepseek, and dozens of others are freely accessible from any browser on any managed device. While these tools can be productive, they also represent a significant data governance risk. Sensitive information can leave the organization the moment it is pasted into a prompt.

Blocking generative AI is not about being anti-innovation. It is about making a deliberate, governed choice about which tools are trusted, how they handle your data, and what controls exist when they are used. In this blog post, I will walk through a layered approach to governing generative AI in your organization using Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, and Microsoft Purview.

Table of Contents

  1. Policy: The Foundation of AI Governance
  2. Blocking Generative AI with Defender for Cloud Apps and Defender for Endpoint
    1. Step 1: Sanction Allowed Applications
    2. Step 2: Create a Block Policy for the Generative AI Category
    3. Step 3: Validate Enforcement via Defender for Endpoint
  3. Data Protection with Microsoft Purview
    1. Sensitivity Labels
    2. Endpoint DLP Policy
  4. Conclusion

Disclaimer: This blog post is provided for informational purposes only. While every effort has been made to ensure accuracy, implementation of these features should be performed by qualified administrators in accordance with your organization’s security and change management policies. The author is not responsible for any issues, data loss, or security incidents that may occur from following this guidance. Always test in a non-production environment first and consult official Microsoft documentation before implementing security features in production.

Policy: The Foundation of AI Governance

Policy comes before technical controls. Policy determines what is and what is not permitted within an organization, and is the foundation for staying in control of company data. Without a policy, any technical control you implement lacks a foundation. You cannot enforce a rule you have not defined.

Examples of questions that an AI usage policy should address:

  • Which generative AI tools are sanctioned for use by the organization?
  • Are there restrictions on what data can be used in those tools?
  • What happens when an employee uses an unsanctioned tool?

For the purpose of this blog post, I will use the following example policy:

ToolStatusRationale
Microsoft 365 Copilot✅ AllowedIntegrated with the Microsoft 365 data boundary, governed by tenant controls
Claude (Anthropic)✅ AllowedApproved for specific use cases via organizational account
All other generative AI tools❌ BlockedUnsanctioned, unmanaged, and outside the organization’s data governance framework

This distinction is important. Microsoft Copilot operates within your Microsoft 365 tenant and is subject to the same compliance and data residency controls as the rest of your Microsoft 365 environment. Claude, when accessed via an approved organizational account, can be governed and audited. All other generative AI tools, unless explicitly evaluated and approved, operate outside of your organization’s governance and data protection framework.

Documenting this in a policy gives you the basis to enforce controls technically and to communicate expectations clearly to your employees.

Blocking Generative AI with Microsoft Defender for Cloud Apps and Microsoft Defender for Endpoint

With a policy in place, the next step is enforcement. Microsoft Defender for Cloud Apps (MDA) allows you to discover, classify, and govern cloud application usage across your organization. One of the built-in application categories in MDA is Generative AI, which automatically groups over 1200 known generative AI services like ChatGPT, Gemini, Deepseek, and many others, a list that keeps growing.

The enforcement mechanism on managed endpoints is provided by Microsoft Defender for Endpoint (MDE). When MDE is deployed on a device, it enforces blocking via Network Protection, which operates at the network level. This means that access to unsanctioned generative AI tools is blocked regardless of how the request is made, whether through a browser, PowerShell, or any other HTTP client, without requiring an additional proxy or agent. This integration is one of the reasons this approach is practical for most organizations that are already using Microsoft Defender for Endpoint.

Step 1: Sanction Allowed Applications

Before creating a block policy, mark the applications that are explicitly allowed as Sanctioned in the Microsoft Defender for Cloud Apps app catalog. This ensures they are excluded from any block policy you create.

Location: Microsoft Defender Portal > Cloud Apps > Cloud app catalog

Search for Microsoft Copilot and Claude and set their tag to Sanctioned.

Image 1: The Cloud App Catalog in Microsoft Defender for Cloud Apps, filtered on the Generative AI category showing Sanctioned apps including Microsoft Copilot and Anthropic Claude.

Step 2: Create a Block Policy for the Generative AI Category

Navigate to the Cloud Apps policies section and create a new App discovery policy.

Location: Microsoft Defender Portal > Cloud Apps > Policies > Policy Management > Create Policy > App discovery policy

Configure the policy as follows:

  • Policy name: Block Unsanctioned Generative AI
  • Category filter: Generative AI
  • Action: Tag app as Unsanctioned

This policy targets the entire Generative AI category while excluding the applications you have explicitly sanctioned in the previous step.

Image 2: Creating an App Discovery Policy in Microsoft Defender for Cloud Apps targeting the Generative AI category with the governance action to tag apps as Unsanctioned.

Step 3: Validate Enforcement via Microsoft Defender for Endpoint

Once an app is tagged as Unsanctioned, Microsoft Defender for Endpoint enforces the block via Network Protection on managed devices. When a user attempts to access a blocked generative AI service, the connection is blocked at the network level and the user sees a notification that the site is blocked by their organization.

Image 3: Microsoft Defender for Endpoint blocking access to deepseek.com

You can review blocked access attempts in the Microsoft Defender for Cloud Apps activity log and in the Microsoft Defender for Endpoint device timeline, giving you full visibility into which users attempted to access which tools and when.

Data Protection with Microsoft Purview

Blocking unsanctioned tools addresses the governance problem at the application level. But what about data being used in the tools that are allowed? Even within sanctioned tools, not all data should be treated equally.

Consider the following scenario: a user has a document classified as Confidential containing financial projections or personal data. Within Microsoft Copilot, this is acceptable because Copilot operates inside your Microsoft 365 tenant boundary. The data does not leave your environment. However, if that same user copies the content and pastes it into Claude, the data is now being sent to an external third-party service, even if Claude is an approved tool.

Microsoft Purview allows you to create controls that distinguish between these scenarios at the data level.

Sensitivity Labels

Microsoft Purview Information Protection uses sensitivity labels to classify content. Labels can be applied manually by users or automatically based on content inspection. Common examples include:

  • Public: No restrictions
  • Internal: For internal use only
  • Confidential: Sensitive data, restricted sharing
  • Highly Confidential: Strictly limited access

When a document or piece of content carries a sensitivity label, that label travels with the content and can be used to enforce policy wherever the content goes.

Note: This assumes sensitivity labels are already configured and published in your organization.

Endpoint DLP Policy

Microsoft Purview Data Loss Prevention (DLP) allows you to create policies that detect when labeled content is being handled in a way that violates your policy, such as being pasted into a browser-based application.

Location: Microsoft Purview Portal > Solutions > Data loss prevention > Policies > Create policy > Enterprise applications & devices

For the scenario described above, you create a custom Endpoint DLP policy with the following logic:

  • Condition: Content contains a sensitivity label of Confidential or Highly Confidential
  • Action: Audit or restrict activities on devices
    • Enable Upload to a restricted cloud service domain or access from an unallowed browsers > Block
    • Click Choose different restrictions for sensitive service domains > add Claude AI domain group > Block
    • Copilot is not added to the sensitive service domain group and is therefore not restricted

This means a user can work with Confidential content in Microsoft Copilot without restriction, but will be blocked from pasting that same content into Claude.

Image 4: Microsoft Copilot successfully reading the Mario_Internal_Secrets document and responding to the question “How do I warp to world 8?”, demonstrating that Confidential content is accessible within the Microsoft 365 boundary.
Image 5: Microsoft Purview blocking the upload of the Mario_Internal_Secrets document to Claude, “Your organization prevents you from uploading the file to this location. To protect the sensitive info in this file, your organization prevents you from uploading it to unapproved locations.”

The DLP policy generates an alert in the Microsoft Purview compliance portal and can be configured to notify the user, notify an administrator, or require the user to provide a business justification before overriding the block, depending on your organization’s risk tolerance.

This creates a data-aware enforcement layer on top of the application-level controls you configured in Microsoft Defender for Cloud Apps. Even for approved tools, sensitive data is protected.

Conclusion

Generative AI is not going away. Employees will continue to look for ways to use these tools, and many of those tools are genuinely useful. The goal is not to block everything, but to make deliberate choices about which tools are trusted, enforce those choices technically, and add a data protection layer to ensure sensitive information does not end up where it should not be.

The approach described in this blog post follows a three-layer model:

  1. Policy: Define which tools are allowed and under what conditions
  2. Microsoft Defender for Cloud Apps + Microsoft Defender for Endpoint: Tag unsanctioned generative AI tools in the Microsoft Defender for Cloud Apps catalog. Microsoft Defender for Endpoint enforces the block via Network Protection.
  3. Microsoft Purview DLP: Enforce data-level controls so that sensitive content cannot be used in external tools, even when those tools are technically allowed.

Each layer addresses a different risk. Together, they give you a practical and enforceable governance framework for generative AI that does not require you to choose between productivity and security.

Start with policy. Enforce at the app level. Protect at the data level.

Microsoft Entra ID: Understanding OAuth App Consent and Permissions

Microsoft Entra ID: Understanding OAuth App Consent and Permissions

Recently, Anthropic released a Microsoft 365 connector for Claude, their AI assistant. This connector allows Claude to interact with Microsoft 365 services on behalf of users and organizations. As part of deploying and testing this connector, I started looking more carefully at how OAuth app consent works in Microsoft Entra ID, and I noticed several misconceptions circulating online about how consent actually works, what it means when an admin grants consent, and how to properly scope access afterward.

In this blog post, I want to clarify how app consent works in Microsoft Entra ID, walk through the relevant configuration settings, and demonstrate this using a Microsoft App Consent Demo application I built for this purpose: https://consent.thalpius.com.

Table of Contents

  1. App Registration vs. Enterprise Application
  2. Consent and Permissions: User Consent Settings
  3. Consent and Permissions: Admin Consent Settings
  4. Consent and Permissions: Permission Classifications
  5. Admin Consent Scope: A Common Misconception
  6. Testing with consent.thalpius.com
  7. Conclusion

Disclaimer: This blog post is provided for informational purposes only. While every effort has been made to ensure accuracy, implementation of these features should be performed by qualified administrators in accordance with your organization’s security and change management policies. The author is not responsible for any issues, data loss, or security incidents that may occur from following this guidance. Always test in a non-production environment first and consult official Microsoft documentation before implementing security features in production.

App Registration vs. Enterprise Application

Before diving into consent settings, it is important to understand the distinction between an App Registration and an Enterprise Application in Microsoft Entra ID.

An App Registration is where you define your application. It is the developer-side object. Here you configure things like the application name, redirect URIs, API permissions the application requests, certificates and secrets, and the application manifest. The App Registration lives in the tenant where the application was created. Think of it as the blueprint or definition of the application.

An Enterprise Application, also called a Service Principal, is the tenant-side representation of an application. When an application is consented to, either by a user or an administrator, or manually added by an administrator, an Enterprise Application object is created in your tenant. This is where you manage access control, user assignments, single sign-on settings, and provisioning. Crucially, this is also where the consent granted to the application is recorded.

The relationship is straightforward: one App Registration can have many corresponding Enterprise Applications across different tenants. When a user successfully consents to a third-party application, or when an administrator grants consent or manually adds the application, an Enterprise Application object is created in your tenant to represent that application.

This distinction matters for consent. Consent is recorded on the Enterprise Application, not the App Registration.

The User Consent Settings page in the Microsoft Entra admin center controls whether end users are allowed to grant consent to applications on their own, without involving an administrator. You can find these settings under Enterprise apps > Consent and permissions > User consent settings.

There are three options available:

Do not allow user consent: All application consent requests require administrator approval. Users who attempt to sign into an application that requests permissions will be blocked and will see a prompt asking them to request admin approval. This is the most restrictive and most controlled option.

Allow user consent for apps from verified publishers, for selected permissions, Users can consent to applications, but only if two conditions are met: the requested permissions must be classified as low impact, and the application must either come from a verified publisher or be registered within your own organization. This option provides a balance between usability and security control.

Let Microsoft manage your consent settings (Recommended): Microsoft automatically applies its current recommended consent settings to your tenant, and updates them as its recommendations evolve. Under the current settings, users can consent to any user-consentable delegated permission, except for a specific set of sensitive permissions that Microsoft has explicitly excluded, such as Mail.Read, Files.ReadWrite.All, Calendars.ReadWrite, and similar high-impact scopes. This is also the default for newly created tenants.

The screenshot below shows these three options as they appear in the Microsoft Entra admin center, with the verified publishers option currently selected.

Image 1: The User Consent Settings page in the Microsoft Entra admin center, showing the three available options for controlling end-user consent behavior. The second option, allowing consent for apps from verified publishers or apps registered in this organization for low-impact permissions, is currently selected.

Choosing the right option depends on your organization’s risk appetite. In high-security environments, disabling user consent entirely and requiring administrator approval for all applications is the appropriate choice. For most organizations, restricting user consent to verified publishers with low-impact permissions provides a good default.

The Admin Consent Settings page controls how users can request administrator review and approval for applications they want to use but cannot consent to themselves. You can find these settings under Enterprise Apps > Consent and permissions > Admin consent settings.

Image 2: The Admin Consent Settings page in the Microsoft Entra admin center, showing the Admin Consent Workflow enabled with designated reviewers and the configured reminder interval.

The key feature here is the Admin Consent Workflow. When this is enabled, users who are blocked from consenting to an application are given an option to submit a request for admin approval rather than simply seeing an error. Administrators designated as reviewers are notified and can approve or deny the request from within the Microsoft Entra admin center.

Configuring this workflow is an important companion to restricting user consent. If you restrict user consent without enabling the workflow, users are simply blocked with no path forward. With the workflow enabled, the experience is significantly better: users can explain why they need the application, and administrators have a managed queue to review.

The Admin Consent Workflow settings allow you to:

  • Enable or disable the workflow entirely
  • Designate which users or groups act as admin consent reviewers
  • Configure whether reviewers receive email notifications when new requests are submitted
  • Set a reminder interval for pending requests

Recommended practice: Enable the Admin Consent Workflow and designate at least two reviewers to avoid a single point of failure. Reviewers should have sufficient technical knowledge to evaluate the permissions an application is requesting, not just the ability to approve requests. A helpdesk employee or manager is rarely the right choice. Configure the reminder interval to ensure requests do not go unnoticed.

The Admin Consent Workflow is only effective when combined with restricted user consent settings. If users can consent freely, they will simply bypass the workflow by consenting themselves. The workflow should be treated as the controlled path for application access requests, not an optional addition on top of an already permissive consent configuration.

The Permission classifications page allows you to classify specific API permissions as low, medium, or high impact. You can find this under Enterprise Applications > Consent and permissions > Permission classifications.

Image 3: The Permission Classifications page in the Microsoft Entra admin center, showing the five permissions classified as low impact by default: openid, profile, email, offline_access, and User.Read.

Permission classifications work hand in hand with the User Consent Settings. When you configure user consent to allow consent for verified publishers with selected permissions, the “selected permissions” refers specifically to the permissions you have classified as low impact.

By default, Microsoft pre-classifies a small set of permissions as low impact, typically OpenID Connect scopes like `openid`, `profile`, `email`, `offline_access`, and `User.Read`. These are the five permissions that appear when you click the link labeled “5 permissions classified as low impact” on the User Consent Settings page.

You can extend this list by classifying additional permissions as low impact, which expands what users are allowed to consent to without admin involvement. Equally important, you can use medium and high classifications to signal to administrators which permissions in the consent workflow deserve extra scrutiny.

Use permission classifications thoughtfully. A permission like `Mail.Read` or `Files.ReadWrite.All` should not be classified as low impact, as these provide significant access to organizational data. Stick to authentication and basic profile scopes for low-impact classification.

This is the misconception I see most frequently, and it is an important one to address.

When an administrator grants consent to an application in Microsoft Entra ID, they grant consent for the entire organization. This means every user in the tenant can potentially use the application with the consented permissions. The admin consent is tenant-wide, not scoped to specific users or groups.

Many administrators assume that granting admin consent inherently limits access to themselves or to a small group. It does not. After admin consent is granted, any user who can reach the application’s sign-in URL can authenticate and the application will have the consented permissions for that user’s data.

The correct way to scope access after granting admin consent is through the Enterprise Application’s assignment settings.

To properly scope access:

1. Navigate to the Enterprise Application in the Microsoft Entra admin center.

2. Go to Properties and set “Assignment required?” to Yes. This ensures that only users, or members of groups, explicitly assigned to the application can sign in. Without this, any user in your tenant can access the application.

Image 4: The Properties page of an Enterprise Application in the Microsoft Entra admin center, showing the “Assignment required?” setting configured to “Yes” to restrict access to explicitly assigned users and groups only.

3. Navigate to Users and groups on the Enterprise Application and add the specific users or groups who should have access.

Image 5: The Users and groups page of an Enterprise Application in the Microsoft Entra admin center, showing the users and groups explicitly assigned to scope access after admin consent has been granted.

This combination, admin consent at the tenant level plus assignment-required scoping at the Enterprise Application level, gives you the correct security model. Admin consent covers the permission grant, and the assignment covers who can actually use those permissions.

Skipping the assignment step is a common mistake. An administrator grants consent thinking they have done the necessary security work, but the application remains accessible to the entire organization.

To make these concepts easier to explore hands-on, I have built a test application available at https://consent.thalpius.com.

Image 6: The consent test application at consent.thalpius.com, which can be used to walk through the OAuth consent flow against Microsoft Entra ID and observe the behavior under different consent configurations.
Image 7: The consent test application at consent.thalpius.com, which can be used to walk through the OAuth consent flow against Microsoft Entra ID and observe the behavior under different consent configurations.

This application lets you walk through the OAuth consent flow against Microsoft Entra ID and observe exactly what happens at each stage, from the initial authorization request, through the consent prompt, to the resulting token. You can test the behavior under different user consent settings, observe what the consent prompt looks like for verified versus unverified publishers, and see how permission classifications affect what users are allowed to consent to.

I recommend testing this application in a non-production tenant or a dedicated test tenant where you can freely modify the consent settings described in this post without impacting your organization’s users.

Conclusion

Understanding OAuth app consent in Microsoft Entra ID is fundamental to securing your organization’s identity environment. As applications like the Anthropic Microsoft 365 connector become more common, having a clear understanding of how consent is granted, what it means at the organizational level, and how to properly scope access afterward is essential knowledge for every identity administrator.

The settings described in this post, user consent settings, admin consent workflow, permission classifications, and enterprise application assignment, work together as a complete control framework. Each layer addresses a different aspect of the problem, and skipping any one of them leaves a gap.