sp-dev-docs

Clarity required for security and compliance capabilities for SPE

Open 12Knocksinna opened this issue 10 months ago • 0 comments

The statements about Purview security and compliance capabilities applying to File Storage Containers seem reassuring. Nevertheless, lurking in that black and white statement is a lot of grey. For example:

Retention: I assume that org-wide retention policies apply to File Storage Containers (FSC), but what about non-org-wide retention policies (those that apply to selected locations)? AFAIK, it’s not possible to select SPE sites from the Purview UI. Also, do FSCs support adaptive scopes (requires E5 or advanced compliance)? Because eDiscovery works, I assume that auto-labeling policies support content located in FSCs (requires E5), but do advanced retention features such as disposition reviews work?

Sensitivity labels: If a tenant only has E3 licenses, users can manually apply sensitivity labels to files – but apps must include UI to reveal the sensitivity labels published to the location (or all sensitivity labels that apply to Files). Finding files with sensitivity labels is straightforward but the public API for applying sensitivity labels to files is a metered API that requires Microsoft approval for an app to use, so how does an app apply sensitivity labels to content? Can a default sensitivity label be defined for a document library in an FSC? And while auto-labeling policies should work (non-public API but requires E5 licenses), will the presence of sensitivity labels that assign usage rights over content impact how an app works?

For both retention labels and sensitivity labels, will the application of labels to SPE content show up in audit records and the Activity Explorer?

The point is that broad statements about Purview tend to become tangled in license-specific implementation questions. That’s why I have problems with the way that the documentation frames the issue and the lack of detail in the chosen words. It would be good to have much more clarity about what security and compliance capabilities are available for FSCs together with the licensing requirements.



12Knocksinna Apr 13 '24 14:04