This feature is in preview.
The Microsoft Purview Posture Agent in Data Security Posture Management uses natural language prompts to help you find sensitive information across your organization. Follow these steps to deploy the Microsoft Purview Posture Agent in the following Microsoft Purview solutions:
Before you begin
If you're new to Microsoft Security Copilot Agent in Microsoft Purview, read this article.
SKU/subscriptions and licensing
This agent requires both the standard per seat licensing model and the pay-as-you-go billing model. Your organization must be licensed for:
- Microsoft 365 E5, with security compute units (SCUs) provisioned to use the Microsoft Purview posture agent in Data Security Posture Management.
The agent consumes security compute units (SCUs) as it performs its tasks. You must have SCUs provisioned for the agent to work. The agent consumes SCUs every time it runs based on the complexity of analysis it performs. For more information about SCUs, see Security compute units (SCUs). You can track your SCU consumption in the usage monitoring tool. For more information about onboarding into Microsoft Security Copilot, see Get started with Microsoft Security Copilot.
For information on Security Copilot licensing in E5, see Learn about Security Copilot in Microsoft 365 E5.
For information on licensing, see
Permissions and Roles
You can enable and deploy the Microsoft Purview Posture Agent in Data Security Posture Management or Data Security Investigations with either an organizational user account or an agent identity.
We recommend that you deploy the agent using an agent identity. The account used to deploy the agent with an agent identity must have the Role Management role. To get started with agent identities, see Governing Agent Identities (preview).
If you enable and deploy the agent with your organizational user account, see Permissions for deploying the Posture Agent.
There are different permissions and roles needed to perform different functions with the agent. For more information, see Permissions in the Microsoft Purview portal, and Roles and role groups in the Microsoft Purview portals.
Permissions for deploying the Posture Agent
Use an account that has the following roles as described in the table.
| One from Group A | OR Both from Group B | AND One from Group C |
|---|---|---|
| Compliance Admin OR Security Reader OR Data Security Viewer OR Data Security AI Viewer OR Data Security AI Admin | Purview Content Analyst, Purview Agent Deployment | Purview Copilot Workspace Contributor |
Permissions for running and viewing results from the Posture Agent
Use an account that has the following roles as described in the table.
| Role Name | Can run Posture Agent and view summary | Can view content snippet that matched intent | Can view file matched intent | Can label file |
|---|---|---|---|---|
| Compliance Admin | Yes | No | No | No |
| Security Reader | Yes | No | No | No |
| Data Security Viewer | Yes | No | No | No |
| Data Security AI Viewer | Yes | No | No | No |
| Data Security AI Admin | Yes | No | No | No |
| Data Classification Content Viewer | Yes | Yes | Yes | Yes |
| Data Classification List Viewer | Yes | Yes | No | No |
| Data Security Investigation Reviewer | Yes | Yes | No | No |
| Data Security Investigation Investigator | Yes | Yes | Yes | Yes |
| Data Security Investigation Admin | Yes | Yes | Yes | Yes |
| Purview Content Analyst | Yes | Yes | Yes | Yes |
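The two tables above can be turned into an access-review check. The following is an added example, not Microsoft code: it assumes the deployment table reads as (one role from Group A OR both roles from Group B) AND one role from Group C, and the account names and stated needs are constructed. It shows that the Group B deployment path also grants full content viewing and labeling, while a Group A path grants summary access only.

```python
# Added example: role names transcribed from the two tables above.
GROUP_A = {"Compliance Admin", "Security Reader", "Data Security Viewer",
           "Data Security AI Viewer", "Data Security AI Admin"}
GROUP_B = {"Purview Content Analyst", "Purview Agent Deployment"}
GROUP_C = {"Purview Copilot Workspace Contributor"}
RUN = frozenset({"run"})            # run the agent and view the summary
SNIPPET = RUN | {"snippet"}         # + view the content snippet that matched
FULL = SNIPPET | {"file", "label"}  # + view the matched file and label it
ROLE_CAPS = {
    **dict.fromkeys(GROUP_A, RUN),
    "Data Classification List Viewer": SNIPPET,
    "Data Security Investigation Reviewer": SNIPPET,
    "Data Classification Content Viewer": FULL,
    "Data Security Investigation Investigator": FULL,
    "Data Security Investigation Admin": FULL,
    "Purview Content Analyst": FULL,
}

def can_deploy(roles):
    # Assumed reading of the header: (one of A OR both of B) AND one of C.
    roles = set(roles)
    return (bool(roles & GROUP_A) or GROUP_B <= roles) and bool(roles & GROUP_C)

def effective_caps(roles):
    # Union of per-role capabilities; roles absent from the second table add none.
    roles = set(roles)
    caps = set().union(*(ROLE_CAPS.get(r, ()) for r in roles))
    return caps | {"deploy"} if can_deploy(roles) else caps

def review(assignments, needs):
    # Report accounts whose roles grant more, or less, than their stated need.
    findings = {}
    for account, roles in assignments.items():
        have, want = effective_caps(roles), set(needs.get(account, ()))
        if have != want:
            findings[account] = {"excess": sorted(have - want),
                                 "missing": sorted(want - have)}
    return findings

# Constructed sample data: accounts and their stated needs are hypothetical.
ASSIGNMENTS = {
    "deploy-a@contoso.example": ["Security Reader", *GROUP_C],
    "deploy-b@contoso.example": [*GROUP_B, *GROUP_C],
    "triage@contoso.example": ["Data Classification List Viewer"],
}
NEEDS = {"deploy-a@contoso.example": {"run", "deploy"},
         "deploy-b@contoso.example": {"run", "deploy"},
         "triage@contoso.example": {"run", "snippet", "file"}}
FINDINGS = review(ASSIGNMENTS, NEEDS)
```

Feed it an export of your own role assignments in place of the constructed ASSIGNMENTS to list accounts that hold more content access than their task requires.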
Deployment and configuration roadmap
Implementing the Microsoft Purview agents involves several phases:
Infrastructure prerequisites
- Your tenant must be onboarded to Microsoft Security Copilot. For more information on how to onboard, see Get started with Microsoft Security Copilot.
- You must enable Microsoft 365 data sharing in Security Copilot. For more information, see Accessing data from Microsoft 365 services.
- You must enable the Microsoft Purview plug-in in Microsoft Security Copilot. For more information, see Enable the Microsoft Purview source in Microsoft Security Copilot.
Important
You can only run two prompts concurrently.
Enabling the agent
This procedure is for organizations that don't have the Microsoft Purview Posture Agent for Data Security Posture Management enabled, or organizations that removed it and want to enable it again. After you enable the agent, it's available in Microsoft Purview. There can be only one instance of each agent in a tenant.
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select the agent to enable, and then select Add. A page opens that shows the requirements to enable the agent.
- Select Setup. This action opens the Deploy agent global configuration page. You can:
  - Choose Create and use agent identity (recommended) or Assign and use my identity.
- Select Start. You see the Agent is now active message when the agent is successfully deployed.
Managing the agent configuration
After the agent is deployed, make minor changes to the agent configuration as needed.
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select Go to agent for the agent you want to manage. This action opens the agent overview page.
- Select the ellipsis (three dots) in the upper-right corner of the agent overview page, next to the Edit agent button. From here you can select Deactivate agent, which makes the agent inactive but doesn't uninstall it. If you want to uninstall it, select Remove agent.
- Select Edit agent to update Agent identity under Deployment configuration.
Deactivate agent
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent you want to pause. This action opens the agent overview page.
- In the upper-right corner of the agent overview page, select the ellipsis (three dots) next to the Edit agent button.
- Select Deactivate agent. Deactivating the agent stops it from functioning. It doesn't remove the agent.
Remove agent
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent you want to remove. This action opens the agent overview page.
- In the upper-right corner of the agent overview page, select the ellipsis (three dots) next to the Edit agent button.
- Select Remove agent. Removing the agent deletes it from Microsoft Purview. To use it again, follow Enabling the agent.
Monitoring SCU usage
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent you want to edit. This action opens the agent overview page.
- Select the Performance tab.
- Track your SCU consumption in the usage monitoring tool.
In some cases, the Agent downloads and scans a maximum of 5 GB or 10K items from the selected data sources. The Agent only returns the top 1,000 matched items.
Labeling files discovered by the Agent
You can apply sensitivity labels directly to discovered files. This means the Data Security Posture Agent not only helps you identify sensitive content, but also helps you start protecting it faster without switching to a separate workflow.
The sensitivity labels available in this feature are the same labels that you define in the Information Protection solution. You can select up to 10 files at a time and apply the same label to all selected files. For supported file types, see File types supported - Microsoft Information Protection (MIP) SDK | Microsoft Learn.
Prerequisites:
- To view the latest status for labels applied to files, make sure auditing is turned on: https://learn.microsoft.com/en-us/purview/audit-log-enable-disable
- Users with the Data Classification Content Viewer or the Purview Content Analyst role can apply sensitivity labels.
Steps to apply the label
- Select a discovery that includes items on the Files tab.
- Review the items in the list, then select up to 10 files by using the checkboxes.
- After you select the files, select Label to open the list of sensitivity labels available in your organization.
- Choose a label.
- Refresh the page after 30 to 60 minutes to check the labeling status.
Run Agent on a schedule
Schedule prompts to run automatically on a recurring basis (daily, weekly, or monthly) so you can continuously monitor data risks without manual effort. Instead of you rerunning the same investigations, the agent re-executes the same prompt on the same data sources and surfaces updated results based on changes in your data estate. This scheduling helps you stay on top of new or evolving sensitive data over time while building a consistent monitoring workflow.
You can set a schedule for a prompt at the time of or after running a prompt, if the prompt is eligible to be scheduled.
Run prompts the Agent intelligently suggests
The Agent generates rich insights based on what the Agent observed in your environment. These insights may help you ask the right questions to the Agent and run more targeted prompts. Instead of starting from scratch, you can build on what the agent already found, making investigations feel more relevant.
Each recommendation includes a suggested prompt and pre-selected data source, so you can launch a discovery directly from the card with a single click. The intent and sources are prefilled, but you can also edit them further.
Tips and Tricks to write better prompts and get sharper results
Help the Agent understand your intent better. The Agent particularly understands these five search parameters well:
| Search parameter | How it helps |
|---|---|
| Identifiers | Basic filters such as people, titles, file names, file characteristics, time ranges, and sharing status. Example: Emails from john@contoso.com; files modified last seven days; documents with attachments; externally shared items. |
| Sensitive information types (SITs) | Filters for regulated or business-sensitive content using named sensitive information types or their identifiers. Example: Documents containing credit card numbers; emails with passport numbers; files with at least five SSNs and confidence above 85%. |
| Sensitivity labels | Filters based on the sensitivity labels already applied to content. Example: Documents labeled Confidential; items with the Public label. |
| Keywords | Searches for specific words or phrases that appear in the body text of an item. Example: Emails containing the words "merger" and "acquisition". |
| Intent of the file/data asset | Meaning-based search for broader themes or concepts rather than exact keywords. Example: Documents discussing strategies for improving employee retention; communications about frustration with project delays. |
Example of a prompt that may deliver sharp results
A single request can combine multiple filter types in one query for sharper results.
Example: "PDF documents larger than 1 MB, labeled Confidential, that explain data privacy policies, from the last 90 days."
This prompt contains search parameters Identifiers, Sensitivity labels, Keywords, and Intent of the file/data asset.
Examples of prompts that may not deliver sharp results
Sometimes a request is too vague, contradictory, or asks for something the search service doesn't support. In those cases, you see an invalid result with a reason explaining why the request couldn't be interpreted.
| Prompt | Why it may not deliver sharp results |
|---|---|
| "Find stuff", "Sensitive data", "Emails" | Too vague |
| "What’s the weather today?" | Unrelated to search |
| "Files created in 2025 and modified in the last week" | Conflicting time ranges |
| "Emails from the legal team", "messages from the finance team" | Abstract groups instead of concrete people |
| A request that doesn’t yield any keywords, conditions, or topic to search on | Asks for something with no actionable detail at all |