DLP Strategy · Microsoft Purview · Data Exfiltration · 9 Min Read

Why Most Microsoft Purview Deployments Fail to Protect Data — and How We Fix Them

A licence, a few default policies, and an Audit Only toggle. This is how most DLP deployments begin — and remain. Here is why that is not data protection, and what a deployment that actually closes exfiltration gaps looks like.

The Reality

The average Microsoft Purview deployment covers two or three data channels out of a possible twelve. USB drives, personal cloud storage, non-Edge browsers, personal email, and AI assistants remain completely unmonitored — and your threat actors know it.

The Compliance Risk

Regulators under GDPR, NIS2, and DORA do not audit your licence agreements. They audit your actual controls. "We have Purview" is not a control. A documented, enforced, channel-complete DLP architecture is.

The Architecture Gap

Effective DLP is not a product configuration — it is an architecture discipline. It requires mapping every channel through which data can leave your environment, then systematically closing each one with the right combination of technical controls.

Our Advantage

We have delivered DLP programmes across large international organisations using Purview, Symantec DLP, Forcepoint, and McAfee. We have seen every failure mode. We fix them quickly because we have fixed them before.

The Tool Does Not Protect — The Architecture Does

When organisations evaluate Microsoft Purview, the demo is compelling. Data loss prevention across Exchange, Teams, SharePoint, OneDrive, and endpoints — all within the Microsoft 365 ecosystem already owned. The licence is signed. The implementation begins.

What happens next is almost always the same. Policies are enabled using default templates. The enforcement mode is set to Audit Only — because no one wants to block anything until the impact is understood. A few sensitivity labels are created. Six months later, the configuration is largely unchanged, the audit logs are full, and nothing has been stopped.

The problem is not the tool. Microsoft Purview is one of the most capable DLP platforms available. The problem is the assumption that enabling a product constitutes implementing a control. It does not. A DLP deployment without comprehensive channel coverage is a monitoring instrument — not a protection architecture.

Data leaves your organisation through twelve distinct channels.

Most Purview deployments address two or three of them. The remaining nine or ten are open pathways — visible to every employee, every contractor, and every threat actor with access to your environment.

The Channels a Default Deployment Leaves Open

The first step in any serious DLP programme is channel mapping: identifying every pathway through which sensitive data can leave your environment. Default Purview configurations focus almost entirely on Exchange email and basic SharePoint activity. The following channels are routinely left unaddressed:

Exfiltration Channel | Default Purview Coverage | Risk Level
Exchange Online (email) | Partial — audit-only in most deployments | High
SharePoint & OneDrive | Partial — upload restrictions rarely enforced | High
USB & Removable Media | None — requires Endpoint DLP + MDE | Critical
Personal Cloud (Google Drive, Dropbox) | None — requires browser and endpoint policy | Critical
Non-Edge Web Browsers | Limited — full enforcement only on Edge | High
Personal Email (Gmail, Yahoo) | None — often miscategorised as web traffic | High
External Collaboration (Teams external, Slack) | Limited — external guest access rarely controlled | High
AI Assistants (ChatGPT, Copilot web) | None — requires dedicated browser or endpoint policy | Critical

Platform Constraints Your Configuration Must Account For

Beyond channel gaps, Microsoft Purview has well-documented technical constraints that further limit coverage when deployments are not architected around them. These are not flaws — they are design boundaries that require compensating controls.

Browser DLP: Edge-Only Enforcement

Purview's browser-based DLP achieves full enforcement only on Microsoft Edge with the Purview extension deployed. Chrome, Firefox, and Safari users can upload sensitive documents to personal cloud storage, personal email, and AI assistants without triggering a single policy. In most enterprise environments, Edge market share among end users is well below 100%.

OCR: Size Limits and Quality Degradation

Purview can scan images and scanned PDFs for sensitive information using Optical Character Recognition — but only for files under 4MB. Poor scan quality reduces detection accuracy significantly. And any deliberate degradation of image quality (a tactic used by insider threats to move data via screenshots) bypasses OCR detection entirely. This is not a theoretical risk.

macOS: The Endpoint DLP Gap

Endpoint DLP on macOS is functionally less capable than on Windows. USB blocking, clipboard controls, and browser enforcement all have coverage gaps on Apple devices. In professional services, financial services, and creative industries — where macOS adoption is often 30-50% of the fleet — this creates a systematic blind spot in your endpoint coverage.

The Compliance Dimension: What Auditors Actually Ask

Compliance frameworks do not care how sophisticated your Purview licence is. They require evidence that sensitive data is systematically identified, classified, and protected across all channels where it is processed.

The consistent requirement across GDPR, NIS2, and DORA is demonstrable, systematic, and channel-complete data protection. A configuration that covers email but ignores USB, personal cloud, and AI assistants fails this test — even if every email policy is perfectly tuned.

GDPR Compliance Exposure

Article 32 requires "appropriate technical measures" to protect personal data against unauthorised disclosure. A DLP architecture that leaves eight of twelve exfiltration channels unmonitored is not appropriate — regardless of what the audit log shows for email.

NIS2 Compliance Exposure

NIS2 Article 21 requires risk management measures proportionate to the risks posed. Uncontrolled exfiltration via USB, personal cloud, and AI tools represents a quantifiable, well-documented risk. Dutch competent authorities are increasingly specific about what "measures" must look like.

DORA Compliance Exposure

Financial entities must implement ICT risk management covering all information assets and the systems that process them. Data that can leave your environment via unmonitored channels is, by definition, outside your ICT risk perimeter — a direct gap in your DORA evidence package.

Do You Know Which Channels Are Open in Your Environment?

We map every data exfiltration channel in your Microsoft 365 environment and identify which are unmonitored, which are audit-only, and which are actively enforced. Most organisations find more gaps than expected.


What a Holistic DLP Programme Actually Looks Like

A holistic DLP programme is not a list of policies. It is a structured architecture built on five disciplines that must be executed in sequence — each one laying the foundation for the next.

01. Exfiltration Channel Mapping

Before any policy is written, every channel through which data can leave your environment must be identified and risk-ranked. This includes technical channels (USB, cloud, email, browser, AI tools) and organisational channels (contractors, third-party integrations, shadow IT). What you do not map, you cannot protect.

02. Classification Foundation First

DLP policies without a classification foundation are blunt instruments. Sensitive Information Types (SITs) must be tuned to your actual data — Dutch BSN numbers, IBAN formats, patient record structures, IP classification schemes — before enforcement begins. Generic templates generate false positives that erode user trust and eventually get turned off.

03. Phased Enforcement: Audit → Warn → Block

Every channel goes through three phases before block mode is activated. Audit mode establishes your baseline. Warn mode (policy tips) educates users without friction. Block mode is activated only after the false positive rate is understood and accepted. Skipping this sequence is the single most common cause of DLP programme failure.

04. Per-Channel Coverage Validation

Each channel requires its own validation test. Email enforcement is tested differently from USB enforcement, which is tested differently from browser upload enforcement. A DLP audit that only checks policy configuration — not actual enforcement behaviour by channel — will give you a false sense of security.

05. Continuous SIT Tuning and False Positive Management

A DLP deployment is not a project with a go-live date — it is an ongoing programme. Sensitive information patterns evolve. Business processes change. New exfiltration techniques emerge. Without a structured tuning cadence, your coverage degrades over time until a policy that once worked becomes noise that nobody acts on.
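Disciplines 02 and 05 both turn on the same point: a pattern-only Sensitive Information Type fires on any nine-digit order number or any IBAN-shaped string, while a tuned SIT carries the checksum the real identifier has. The following added example (not from Purview or from the original article; the sample text and the "generic template" regexes are constructed for illustration) contrasts the two approaches on Dutch BSN numbers and IBANs and measures the false positive share the checksum removes.

```python
import re

# Constructed sample text standing in for a document a DLP policy would scan.
SAMPLE = (
    "Order 123456789 shipped. Client BSN 111222333. "
    "Pay to NL91ABNA0417164300; old ref NL91ABNA0417164301."
)

# Pattern-only matchers, the shape a generic template would use.
BSN_RE = re.compile(r"\b\d{9}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def bsn_valid(digits: str) -> bool:
    """Dutch BSN '11-proef': weighted sum (9..2, then -1) must be divisible by 11."""
    if not re.fullmatch(r"\d{9}", digits):
        return False
    weights = [9, 8, 7, 6, 5, 4, 3, 2, -1]
    return sum(int(d) * w for d, w in zip(digits, weights)) % 11 == 0


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four chars to the end,
    map letters A..Z to 10..35, and the resulting integer mod 97 must be 1."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(numeric) % 97 == 1


def scan(text: str, tuned: bool) -> list[tuple[str, str]]:
    """Return (type, value) hits. tuned=False mimics a pattern-only template;
    tuned=True adds the checksum validation a production SIT should carry."""
    hits = []
    for m in BSN_RE.finditer(text):
        if not tuned or bsn_valid(m.group()):
            hits.append(("BSN", m.group()))
    for m in IBAN_RE.finditer(text):
        if not tuned or iban_valid(m.group()):
            hits.append(("IBAN", m.group()))
    return hits


def false_positive_rate(text: str) -> float:
    """Share of pattern-only hits that the checksum-validated detector rejects."""
    generic, tuned = scan(text, tuned=False), scan(text, tuned=True)
    return (len(generic) - len(tuned)) / len(generic) if generic else 0.0
```

On the sample text the generic matchers produce four hits, two of which are not real identifiers; the tuned detector keeps only the valid BSN and IBAN, which is the measurement a per-channel false positive review should be producing.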

Three Questions Every CISO Should Be Able to Answer

These are the questions we ask at the start of every DLP health check. Most CISOs cannot answer all three. That gap is where data leaves the organisation.

01. How many of your twelve exfiltration channels are actively enforced — not just monitored?

Audit-only monitoring creates the illusion of control. If your answer is "all our policies are in audit mode," you have visibility but no protection. The distinction matters enormously when a data breach occurs and you need to demonstrate that controls were in place — not just that logs were running.

02. What is your false positive rate by channel, and when was it last reviewed?

An untuned DLP policy generates enough false positives to make it unusable. When the help desk ticket volume becomes intolerable, policies get relaxed or disabled. Knowing your false positive rate per channel is the leading indicator of whether your DLP programme is sustainable — or quietly degrading.

03. Do you have documented evidence that your DLP coverage addresses every channel required by GDPR Article 32, NIS2 Article 21, or your DORA obligations?

This is the question your auditor will ask. "We have Purview" is not the answer. "Here is our channel coverage matrix with enforcement modes and audit evidence per channel" is the answer. If you cannot produce that document today, you have a compliance gap — not just a technical one.

Purview Is Capable. Default Deployments Are Not.

Microsoft Purview has the technical depth to achieve near-complete DLP coverage across your Microsoft 365 environment. The Endpoint DLP capabilities, the Adaptive Protection engine, the Insider Risk Management integration — these are genuinely powerful controls when correctly deployed.

The failure is not in the product. The failure is in treating a complex architecture project as a configuration task. Default policies, audit-only enforcement, and single-channel focus are not a DLP programme — they are the starting point for one.

We have delivered channel-complete DLP programmes for enterprises in financial services, healthcare, and professional services across the Netherlands and Europe — using Purview and, where Purview has gaps, compensating controls from other tools. If you are not certain your deployment covers every channel your regulators expect, that uncertainty is itself a finding.

Is Your DLP Architecture Channel-Complete?

Most Purview deployments cover two or three channels out of twelve. Let us map your coverage gaps and design a holistic architecture that actually closes them.