Microsoft Purview Reference Architecture Diagrams
The Microsoft Purview architecture diagrams offer a helpful overview of how data classification, sensitivity labelling, Data Loss Prevention (DLP), and Insider Risk Management function across Microsoft 365 services. These diagrams serve as a guide for organisations to understand where policy evaluation takes place, how signals move between services, and how enforcement is applied consistently.
Instead of suggesting a one-size-fits-all deployment model, the diagrams showcase common architectural designs used to safeguard sensitive information across endpoints, emails, and collaboration tools.
This diagram illustrates the classification of content within Microsoft 365 environments and linked locations.
Here are some key takeaways from the diagram:
- Classification can happen on the client side, during transport, or within the service itself, depending on the specific workload and policies in place.
- It supports various types of classifiers, such as Sensitive Information Types (SITs), which include deterministic patterns, keywords, and advanced classifiers like Exact Data Match and document fingerprinting.
- The classification process identifies the contents, with results utilised by downstream controls like DLP, auto-labelling, data lifecycle management, and eDiscovery.
- Classification is performed in real time, or close to it, as content is created, altered, or transmitted.
Classification is central to Purview’s data protection; all subsequent enforcement actions shown in other diagrams rely on these classification results.
The labelling diagram outlines how sensitivity labels are applied and enforced uniformly across Microsoft 365.
Key points from the diagram include:
- Sensitivity labels serve as organisational signals, providing a coherent strategy for training users on data protection.
- Labels can be applied manually, through layered defaults, or automatically, based on the workload and configurations.
- Labels travel with the content across platforms like SharePoint, OneDrive, Teams, Outlook, and Office apps.
- Label settings can enforce protections such as encryption, watermarking, access controls, and DLP based on the label.
- If a user downgrades a label (moves it to a lower priority), that action is treated as a signal of intent to share, which is handled by DLP, Insider Risk Management, and Adaptive Protection.
- Priority rules for labels ensure expected behaviour in cases where multiple labelling methods are applicable.
Sensitivity labels provide a unified way to represent an organisation’s data protection intentions, minimising the need for specific configurations for each workload.
This diagram focuses on how DLP policies are assessed and enforced on user devices, including Windows and macOS.
Key takeaways include:
- Devices connect to Microsoft 365 and Purview using existing management methods without needing extra agents.
- Content is classified locally (and optionally in the cloud) and assessed against DLP policies in real time.
- User actions like copying to removable media and uploading files are evaluated before completion.
- Enforcement includes tracking, warnings, or blocking, with all activities logged centrally.
- Just-In-Time (JIT) protection ensures that files needing re-evaluation because of policy changes or offline creation are reclassified and protected.
Endpoint DLP extends protection to instances where data might not reach a cloud service, thus reducing the risk of local data breaches.
This diagram illustrates how classification and DLP function within the Exchange email ecosystem.
Highlights from this diagram include:
- Email content can be classified both in the Outlook client and during transport through Exchange, depending on policy and client capabilities.
- DLP is evaluated before delivery, applying actions such as policy tips, warnings, or blocking, alongside transport-time protections.
- Enforcement applies consistently across all Outlook client versions.
- Every action is logged for future auditing and investigation.
This structure ensures that sensitive data is assessed and safeguarded before it leaves the organisation.
The SharePoint DLP diagram showcases how DLP policies are enforced when files are uploaded, shared, or accessed within SharePoint and OneDrive.
Key takeaways include:
- DLP assessments occur for both new and existing files when their content becomes sensitive, regardless of earlier access or sharing.
- Enforcement is triggered when files are shared internally or externally, following specific policy configurations.
- Guest access scenarios are carefully monitored, ensuring enforcement when external access is identified.
- Alerts and incidents arise when sensitive data is shared outside defined policy borders.
This strategy allows organisations to enforce policies at critical moments, even for files that were uploaded or shared before sensitivity was identified.
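To make the endpoint, Exchange and SharePoint/OneDrive patterns above concrete, here is an added PowerShell example (not part of the original post and not Microsoft's own code) that creates one DLP policy spanning all three locations and starts it in test mode so the audit trail can be reviewed before any blocking is enabled. It assumes the ExchangeOnlineManagement module and Security & Compliance PowerShell; the policy and rule names are placeholders.

```powershell
# Added example: one DLP policy covering transport (Exchange), upload/share
# (SharePoint/OneDrive) and endpoint actions, started in test mode.
# Assumes the ExchangeOnlineManagement module; names below are placeholders.
Connect-IPPSSession

$policyName = "Contoso-PII-Baseline"   # placeholder policy name

# Policy scope: all locations the diagrams walk through. Test mode evaluates
# and logs every match and shows policy tips, but does not block anything yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Baseline PII policy - test mode first, enable after review" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Rule: content shared outside the organisation that contains at least one
# credit card number (built-in SIT). Cloud locations notify the owner and
# last modifier, raise a high-severity incident report and block anonymous
# access; endpoint actions are only audited at this stage.
New-DlpComplianceRule -Name "$policyName-ExternalShare" `
    -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(@{Name = "Credit Card Number"; minCount = "1"}) `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High `
    -BlockAccess $true `
    -BlockAccessScope PerAnonymousUser `
    -EndpointDlpRestrictions @(
        @{Setting = "RemovableMedia"; Value = "Audit"},
        @{Setting = "CopyPaste";      Value = "Audit"}
    )

# Verify scope and rule settings before leaving test mode.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, *Location
Get-DlpComplianceRule -Policy $policyName | Format-List Name, AccessScope, BlockAccess

# Once the audit data from test mode looks right, switch enforcement on:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The matches recorded while the policy is in test mode surface in the Purview activity explorer and audit log, which is the evidence to review before changing the endpoint restrictions from Audit to Block.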
This diagram showcases how Microsoft Purview implements DLP when users access managed applications from personal devices or unmanaged web browsers.
Key points from this diagram include:
- Access decisions are enforced using Conditional Access, session controls, and browser rules.
- Users may need to switch to Edge for Business to access sensitive applications.
- DLP policies assess uploads, downloads, and other actions in real time.
- Enforcement measures include auditing or blocking, based on content sensitivity and policy intent.
This structure is particularly relevant for bring-your-own-device (BYOD) employees, contractors, and partners, where control over the device is limited but the data risk remains significant.
This diagram examines how users on corporate-managed devices interact with consumer AI tools or unmanaged web apps.
Key points highlighted in this diagram include:
- Web traffic is evaluated in real time using browser-based DLP controls.
- Sensitive information entered into AI prompts or files uploaded to unmanaged applications can either be tracked or blocked.
- Enforcement applies across all Edge profiles, ensuring consistent policy implementation.
- Users can continue regular browsing activities while protecting sensitive information.
Browser DLP extends Purview’s protective measures into modern AI interactions and SaaS activities that basic endpoint or cloud DLP systems might not fully cover.
This diagram explains how Microsoft Purview’s Insider Risk Management system connects various signals from Microsoft 365 and beyond to identify risky behaviours among users.
Key takeaways include:
- Signals from user activities, DLP, audit logs, communication compliance, Defender, and third-party inputs are integrated.
- Risk indicators are assessed against policies to generate alerts.
- Investigations are tracked through cases, which include escalation, confirmation, or dismissal processes.
- Adaptive protection enables the automatic adjustment of DLP controls according to user risk levels.
This Insider Risk Management system allows organisations to shift from just reacting to alerts to conducting contextual investigations that balance security and compliance.
This diagram clarifies how Copilot respects sensitivity labels, encryption, and data boundaries while generating responses.
Key points highlighted include:
- Copilot only accesses data within the Microsoft 365 environment.
- Sensitivity labels and encryption are inherited by the content generated by Copilot.
- External files accessed in Office applications are evaluated separately from tenant data.
- Exported or reused content from Copilot maintains its protection levels.
This setup ensures that Copilot adheres to established data protection controls and enhances them.
This diagram illustrates how SharePoint, Purview, and Copilot work together to minimise accidental oversharing.
Key points outlined in the diagram:
- SharePoint’s Restricted Search limits what Copilot can find without altering permissions.
- Sensitivity labels and DLP restrict Copilot’s access to sensitive materials.
- SharePoint Advanced Management identifies sites that are overshared or inactive.
- Site-level controls take precedence over general permissions while still allowing for collaboration.
Oversharing controls assist organisations in minimising the risk associated with Copilot without having to redesign permission models.
This diagram addresses how prompts, responses, and accessed content from Copilot are stored and managed.
Key points to note:
- Prompts and responses are stored in user mailboxes, OneDrive, or SharePoint Embedded containers.
- Microsoft Purview tools ensure auditability, retention, and eDiscovery compliance.
- Communication Compliance can identify risky or inappropriate usage of Copilot.
- Retention policies dictate how long data from Copilot is preserved or deleted.
This framework guarantees that Copilot interactions are trackable, discoverable, and compliant with organisational standards.
This diagram combines classification, labelling, and DLP to demonstrate how actions related to Copilot are assessed.
Key points to consider:
- Copilot responses are subjected to existing Purview DLP policies.
- Sensitive content can be blocked, tracked, or warned about before it is released.
- Labels and DLP signals continue consistently across Copilot and Office services.
- All enforcement actions are logged for further investigation and reporting.
DLP for Copilot ensures that AI assistance functions within the same governance framework as the other Microsoft 365 applications.
Each diagram should be viewed as a reference point, rather than a step-by-step guide for implementation. Together, they illustrate how:
- Classification provides sensitivity signals.
- Sensitivity labels communicate the intended protection level, serving as a clear organisational signal and experience for user training.
- DLP consistently enforces that intent across endpoints, emails, and collaborative tools.
- Protection extends beyond traditional files and emails, adapting to AI, web, and insider risk scenarios.
- Consistent controls are applied across individuals, devices, applications, and services.
These patterns assist organisations in shaping data protection strategies that can expand with the demands of modern work and AI-assisted collaboration.
This set of diagrams has been collaboratively created and is maintained by the Microsoft Purview Customer Excellence Engineering team. You can download them in PowerPoint format here (note: this link opens in PowerPoint Online with an option to download), and they can be used as a reference and training resource when planning your Purview solutions deployment. For deeper guidance on deployment, you can find our Purview Deployment blueprints here.