# Microsoft Purview DLP

> Sync Microsoft Purview Data Loss Prevention (DLP) alerts into RAD Security via Microsoft Graph.

# Microsoft Purview DLP Integration Setup

This guide walks you through registering an Azure AD application, granting it the Microsoft Graph permissions required to read Microsoft Purview Data Loss Prevention (DLP) alerts, and configuring the integration in RAD Security.

Once connected, RAD Security ingests DLP alerts from Microsoft Purview as security findings so you can correlate them with container, cloud, and identity activity in a single workspace.

## Prerequisites

Before you begin, ensure you have:

<Check>
  * Global Administrator (or Application Administrator + Privileged Role Administrator) permissions in Microsoft Entra ID (Azure AD)
  * A licensed Microsoft Purview tenant with DLP policies that generate alerts
  * Access to a RAD Security workspace with integration permissions
</Check>

<Info>
  This integration only **reads** DLP alerts via the Microsoft Graph Security API. It does not modify policies, dismiss alerts, or write data back to Microsoft Purview.
</Info>

***

## Step 1: Register an Azure AD Application

<Steps>
  <Step title="Open the Microsoft Entra Admin Center">
    Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with an account that has permission to register applications.
  </Step>

  <Step title="Create a New Application Registration">
    1. Navigate to **Identity → Applications → App registrations**
    2. Click **+ New registration**
    3. Enter a name (e.g. `RAD Security - Purview DLP`)
    4. Under **Supported account types**, select **Accounts in this organizational directory only (single tenant)**
    5. Leave the **Redirect URI** empty — this integration uses the client credentials flow
    6. Click **Register**
  </Step>

  <Step title="Record the Tenant and Client IDs">
    From the application's **Overview** page, copy:

    * **Directory (tenant) ID**
    * **Application (client) ID**

    You will need both values when configuring the integration in RAD Security.
  </Step>
</Steps>

***

## Step 2: Grant Microsoft Graph Permissions

<Steps>
  <Step title="Add Application Permissions">
    1. From your app's left menu, select **API permissions**
    2. Click **+ Add a permission → Microsoft Graph → Application permissions**
    3. Search for and select the following permission:
       * `SecurityAlert.Read.All`
    4. Click **Add permissions**
  </Step>

  <Step title="Grant Admin Consent">
    1. Back on the **API permissions** page, click **Grant admin consent for \<tenant>**
    2. Confirm the consent prompt
    3. Verify that the **Status** column shows a green check mark next to `SecurityAlert.Read.All`

    <Warning>
      Admin consent is required for application permissions. Without it the integration will fail with a `403 Forbidden` error when querying alerts.
    </Warning>
  </Step>
</Steps>

***

## Step 3: Create a Client Secret

<Steps>
  <Step title="Open Certificates & Secrets">
    From your app's left menu, select **Certificates & secrets**.
  </Step>

  <Step title="Create a New Client Secret">
    1. Click **+ New client secret**
    2. Enter a description (e.g. `RAD Security integration`)
    3. Choose an expiration period that aligns with your secret rotation policy
    4. Click **Add**
  </Step>

  <Step title="Copy the Secret Value">
    **Immediately copy the `Value` column** of the new secret.

    <Warning>
      Azure displays the secret value only once. If you navigate away you will need to create a new secret. Store it in a password manager or secrets vault.
    </Warning>
  </Step>
</Steps>

***

## Step 4: Configure in RAD Security

In your RAD Security workspace, add a new **Microsoft Purview DLP** integration with the values gathered above:

| Parameter         | Description                               | Example                                |
| ----------------- | ----------------------------------------- | -------------------------------------- |
| **Tenant ID**     | Azure Directory (tenant) ID from Step 1   | `11111111-2222-3333-4444-555555555555` |
| **Client ID**     | Azure Application (client) ID from Step 1 | `aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee` |
| **Client Secret** | Secret value from Step 3                  | `Xx7~abcDEF...`                        |

Click **Verify** to test the credentials, then **Save** to enable the integration.

***

## Verify Integration

After saving, RAD Security will start syncing DLP alerts on its scheduled cadence.

1. Navigate to **Data Sources → Integrations** in RAD Security
2. Locate your Microsoft Purview DLP integration
3. Confirm the status shows **Connected** and the **Last sync** timestamp is recent
4. Open **Security Findings** and filter by source to see the ingested DLP alerts

<Check>
  Your Microsoft Purview DLP integration is now active. RAD Security will continue to pull new DLP alerts on a regular sync interval.
</Check>

## What Data is Synced

<AccordionGroup>
  <Accordion title="DLP Alerts" icon="shield-exclamation">
    * Alert title, description, and severity
    * Detected sensitive information types
    * Affected users, devices, and files
    * Triggered DLP policy and rule names
    * Alert timestamps (created / last updated)
  </Accordion>

  <Accordion title="Alert Context" icon="circle-info">
    * Service source (`dataLossPrevention`)
    * Status and classification
    * Evidence collected by Microsoft Purview
    * Links back to the alert in the Microsoft Purview portal
  </Accordion>
</AccordionGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Verification fails with 401 Unauthorized" icon="triangle-exclamation">
    **Possible causes:**

    * Tenant ID, Client ID, or Client Secret are incorrect
    * The Client Secret has expired
    * The app registration was deleted or disabled

    **Solution:**

    * Re-copy the Tenant and Client IDs from the app's **Overview** page
    * Generate a new Client Secret under **Certificates & secrets** and update the integration
  </Accordion>

  <Accordion title="Verification fails with 403 Forbidden" icon="shield-exclamation">
    **Possible causes:**

    * `SecurityAlert.Read.All` was not granted
    * Admin consent was not completed

    **Solution:**

    * Open the app's **API permissions** page
    * Confirm `SecurityAlert.Read.All` is listed as an **Application** permission
    * Click **Grant admin consent for \<tenant>** and verify the green check mark
  </Accordion>

  <Accordion title="Integration is connected but no findings appear" icon="database-slash">
    **Possible causes:**

    * No DLP alerts have been generated recently in Microsoft Purview
    * Initial sync is still in progress
    * DLP policies have not been deployed or are still in test mode

    **Solution:**

    * Trigger a known DLP rule in Microsoft Purview and wait a few minutes
    * Confirm Purview shows alerts under **Data loss prevention → Alerts**
    * Allow up to one sync cycle for new alerts to appear in RAD Security
  </Accordion>

  <Accordion title="Secret rotation" icon="rotate">
    Client Secrets in Azure have an expiration date. Before the expiry:

    1. Create a new Client Secret under **Certificates & secrets**
    2. Update the **Client Secret** field on the RAD Security integration
    3. Verify the connection succeeds
    4. Delete the old secret in Azure
  </Accordion>
</AccordionGroup>

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Use a Dedicated App Registration" icon="user-gear">
    Create an app registration that is used only by RAD Security so its permissions and audit history stay isolated.
  </Card>

  <Card title="Least Privilege" icon="shield-halved">
    Grant only `SecurityAlert.Read.All`. Avoid adding broader Graph or directory permissions.
  </Card>

  <Card title="Rotate Client Secrets" icon="rotate">
    Set a short expiration on the Client Secret and rotate it on a schedule that matches your security policy.
  </Card>

  <Card title="Monitor Sign-In Logs" icon="chart-line">
    Review Microsoft Entra sign-in logs for the service principal to detect unexpected use of the credentials.
  </Card>
</CardGroup>
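
An added diagnostic example (not RAD Security or Microsoft code) for the 403 troubleshooting entry and the Least Privilege card above: it decodes the `roles` claim of an app-only Microsoft Graph access token and reports a missing `SecurityAlert.Read.All` or any extra application permission. The sample token is constructed and unsigned, the function names are hypothetical, and the signature is deliberately not verified because the token is only inspected, never trusted.

```python
import base64
import json

REQUIRED_ROLE = "SecurityAlert.Read.All"
# Microsoft Graph audience: the resource URI or its well-known application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
# Example IDs copied from the Step 4 table (placeholders, not real tenants).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token, tenant_id, client_id):
    """Return a list of findings; an empty list means the token matches this guide."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))  # app-only tokens list permissions in 'roles'
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"unexpected audience: {claims.get('aud')}")
    if claims.get("tid") != tenant_id:
        findings.append("token issued by a different tenant")
    # v1.0 tokens carry the client ID in 'appid', v2.0 tokens in 'azp'.
    if client_id not in (claims.get("appid"), claims.get("azp")):
        findings.append("token issued to a different application")
    if REQUIRED_ROLE not in roles:
        findings.append(f"missing {REQUIRED_ROLE}: expect 403 Forbidden until it is granted and consented")
    for extra in sorted(roles - {REQUIRED_ROLE}):
        findings.append(f"excess application permission: {extra}")
    return findings


def make_sample_token(roles, tenant_id=TENANT_ID):
    """Build a CONSTRUCTED, unsigned token so the audit can run offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com", "tid": tenant_id,
              "appid": CLIENT_ID, "roles": roles}
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.constructed"


if __name__ == "__main__":
    for sample in ([REQUIRED_ROLE], [], [REQUIRED_ROLE, "Directory.Read.All"]):
        print(sample, "->", audit_token(make_sample_token(sample), TENANT_ID, CLIENT_ID))
```

To check a real tenant, pass `audit_token` an access token obtained for the app registration through the client credentials flow with scope `https://graph.microsoft.com/.default`. Handle that token like the client secret itself and do not paste it into online decoders.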

## Next Steps

<CardGroup cols={2}>
  <Card title="Azure Cloud Setup" icon="microsoft" href="/rad-security/integrations/azure-setup">
    Connect your full Azure subscription for broader cloud security coverage
  </Card>

  <Card title="Microsoft Entra ID" icon="key" href="/rad-security/integrations/microsoft-entra-id-setup">
    Add identity context by integrating Microsoft Entra ID
  </Card>

  <Card title="Data Sources" icon="database" href="/rad-security/integrations/data-sources">
    Explore all available data sources
  </Card>

  <Card title="Workspace" icon="chart-line" href="/rad-security/platform/workspace">
    Triage DLP findings alongside other security signals
  </Card>
</CardGroup>
