Microsoft Purview DLP Integration Setup
This guide walks you through registering an Azure AD application, granting it the Microsoft Graph permissions required to read Microsoft Purview Data Loss Prevention (DLP) alerts, and configuring the integration in RAD Security. Once connected, RAD Security ingests DLP alerts from Microsoft Purview as security findings so you can correlate them with container, cloud, and identity activity in a single workspace.
Prerequisites
Before you begin, ensure you have:
- Global Administrator (or Application Administrator + Privileged Role Administrator) permissions in Microsoft Entra ID (Azure AD)
- A licensed Microsoft Purview tenant with DLP policies that generate alerts
- Access to a RAD Security workspace with integration permissions
This integration only reads DLP alerts via the Microsoft Graph Security API. It does not modify policies, dismiss alerts, or write data back to Microsoft Purview.
Step 1: Register an Azure AD Application
Open the Microsoft Entra Admin Center
Sign in to the Microsoft Entra admin center with an account that has permission to register applications.
Create a New Application Registration
- Navigate to Identity → Applications → App registrations
- Click + New registration
- Enter a name (e.g. RAD Security - Purview DLP)
- Under Supported account types, select Accounts in this organizational directory only (single tenant)
- Leave the Redirect URI empty — this integration uses the client credentials flow
- Click Register
Step 2: Grant Microsoft Graph Permissions
Add Application Permissions
- From your app’s left menu, select API permissions
- Click + Add a permission → Microsoft Graph → Application permissions
- Search for and select the following permission:
SecurityAlert.Read.All
- Click Add permissions
Step 3: Create a Client Secret
Create a New Client Secret
- Click + New client secret
- Enter a description (e.g. RAD Security integration)
- Choose an expiration period that aligns with your secret rotation policy
- Click Add
Step 4: Configure in RAD Security
In your RAD Security workspace, add a new Microsoft Purview DLP integration with the values gathered above:
| Parameter | Description | Example |
|---|---|---|
| Tenant ID | Azure Directory (tenant) ID from Step 1 | 11111111-2222-3333-4444-555555555555 |
| Client ID | Azure Application (client) ID from Step 1 | aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee |
| Client Secret | Secret value from Step 3 | Xx7~abcDEF... |
Verify Integration
After saving, RAD Security will start syncing DLP alerts on its scheduled cadence.
- Navigate to Data Sources → Integrations in RAD Security
- Locate your Microsoft Purview DLP integration
- Confirm the status shows as Connected and a recent Last sync timestamp
- Open Security Findings and filter by source to see the ingested DLP alerts
Your Microsoft Purview DLP integration is now active. RAD Security will continue to pull new DLP alerts on a regular sync interval.
What Data is Synced
DLP Alerts
- Alert title, description, and severity
- Detected sensitive information types
- Affected users, devices, and files
- Triggered DLP policy and rule names
- Alert timestamps (created / last updated)
Alert Context
- Service source (dataLossPrevention)
- Status and classification
- Evidence collected by Microsoft Purview
- Links back to the alert in the Microsoft Purview portal
Troubleshooting
Verification fails with 401 Unauthorized
Verification fails with 403 Forbidden
Possible causes:
- SecurityAlert.Read.All was not granted
- Admin consent was not completed
- Open the app’s API permissions page
- Confirm SecurityAlert.Read.All is listed as an Application permission
- Click Grant admin consent for <tenant> and verify the green check mark
Integration is connected but no findings appear
Possible causes:
- No DLP alerts have been generated recently in Microsoft Purview
- Initial sync is still in progress
- DLP policies have not been deployed or are still in test mode
- Trigger a known DLP rule in Microsoft Purview and wait a few minutes
- Confirm Purview shows alerts under Data loss prevention → Alerts
- Allow up to one sync cycle for new alerts to appear in RAD Security
Secret rotation
Client Secrets in Azure have an expiration date. Before the expiry:
- Create a new Client Secret under Certificates & secrets
- Update the Client Secret field on the RAD Security integration
- Verify the connection succeeds
- Delete the old secret in Azure
Security Best Practices
Use a Dedicated App Registration
Create an app registration that is used only by RAD Security so its permissions and audit history stay isolated.
Least Privilege
Grant only SecurityAlert.Read.All. Avoid adding broader Graph or directory permissions.
Rotate Client Secrets
Set a short expiration on the Client Secret and rotate it on a schedule that matches your security policy.
Monitor Sign-In Logs
Review Microsoft Entra sign-in logs for the service principal to detect unexpected use of the credentials.
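The 403 troubleshooting and Least Privilege guidance above can be checked against an access token issued to the app registration. The following Python example is added here and is not RAD Security or Microsoft code; it assumes the token is a JWT carrying the tid, appid (or azp), roles and exp claims, decodes it for inspection only without verifying the signature, and runs on constructed unsigned sample tokens.

```python
import base64
import json
import time

REQUIRED_ROLE = "SecurityAlert.Read.All"  # the only permission this guide grants


def decode_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token, tenant_id, client_id, now=None):
    """Return a list of findings; an empty list means the token matches the guide."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    roles = set(claims.get("roles", []))  # application permissions appear as roles
    findings = []
    if claims.get("tid") != tenant_id:
        findings.append("tenant mismatch: token was not issued by the configured Tenant ID")
    if client_id not in (claims.get("appid"), claims.get("azp")):
        findings.append("client mismatch: token was not issued to the configured Client ID")
    if REQUIRED_ROLE not in roles:
        findings.append("403 likely: SecurityAlert.Read.All missing (not added or no admin consent)")
    extra = sorted(roles - {REQUIRED_ROLE})
    if extra:
        findings.append("least privilege: extra application permissions granted: " + ", ".join(extra))
    if claims.get("exp", 0) <= now:
        findings.append("token expired")
    return findings


def constructed_token(claims):
    """Build an unsigned sample token (constructed data) so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


TENANT = "11111111-2222-3333-4444-555555555555"  # example value from the Step 4 table
CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # example value from the Step 4 table
BASE = {"tid": TENANT, "appid": CLIENT, "exp": 2_000_000_000}
GOOD = constructed_token({**BASE, "roles": ["SecurityAlert.Read.All"]})
NO_CONSENT = constructed_token(BASE)  # no roles claim: permission or consent missing
OVER_SCOPED = constructed_token({**BASE, "roles": ["SecurityAlert.Read.All", "Directory.Read.All"]})
```

Call audit_token with a token obtained for the app registration and the Tenant ID and Client ID entered in Step 4; keep the token itself out of logs and tickets, since it is a bearer credential until it expires.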
Next Steps
Azure Cloud Setup
Connect your full Azure subscription for broader cloud security coverage
Microsoft Entra ID
Add identity context by integrating Microsoft Entra ID
Data Sources
Explore all available data sources
Workspace
Triage DLP findings alongside other security signals