From Alert to Action: Using Purview DSI with Entra ID for End‑to‑End Data Breach Response

Executive summary
Modern incident response has two realities: identities are the new perimeter and data is the blast radius. Microsoft Purview Data Security Investigations (DSI) adds an AI‑assisted layer on the data side—quickly finding what sensitive content was touched, where it moved, and how severe the risk is—while Microsoft Entra ID adds an identity‑first guardrail and brake pedal via risk‑based Conditional Access, authentication context, and session controls. Together, they close the loop from “who” to “what” to “now what?”—so your SOC and data teams can triage, scope, and mitigate faster.
Why DSI now? What problems it actually solves
Purview DSI (preview) focuses investigations on the data impact—documents, emails, Teams chats, even Copilot prompts and responses—using vector search, AI‑based categorization, and deep content examination to surface the riskiest material first. It turns sprawling collections into prioritized evidence sets and lets you collaborate across security, legal, and HR to drive mitigation.
You can start an investigation from multiple signals—Microsoft Defender XDR incidents and Insider Risk cases—or manually, then keep everything in one place for review and action. This is crucial when identity‑led intrusions create data‑centric fallout that must be scoped for breach notification and organizational risk.
Where Entra ID fits: Make identity signals drive data controls
- Risk‑based Conditional Access (CA): Let sign‑in or user risk (from Entra ID Protection) trigger MFA or secure password change automatically—reducing attacker dwell time and containing data exfiltration risk.
- Authentication context: Tie sensitivity labels for Teams/SharePoint/Groups to auth context and require stronger CA policies (MFA, trusted network, compliant device) only when users access sensitive containers or perform sensitive actions.
- Session controls (Conditional Access App Control): Insert Defender for Cloud Apps into the session to block downloads, cut/copy/print, or force labeling on download—especially on unmanaged devices or high‑risk sessions.
This identity‑to‑data handshake means you can prevent, detect, and then investigate with a consistent Zero Trust policy fabric.
Reference architecture: Identity‑centric + Data‑centric investigation loop
Flow (high level):
- Detect identity risk: Entra ID Protection calculates sign‑in and user risk. CA enforces MFA or password change for risky sign‑ins/users—and can block access when needed.
- Contain session risk: CA Session controls invoke Defender for Cloud Apps to limit downloads, uploads, or clipboarding for sensitive apps or auth contexts—especially on unmanaged devices.
- Correlate with DLP & Insider Risk: DLP alerts aggregate in Defender XDR and the Purview DLP alert dashboard; Insider Risk can share risk severity with DLP to enrich triage.
- Launch DSI: Create/launch a Data Security Investigation from a Defender XDR incident or Insider Risk case; use vector search, categorization, and examination to find the most impacted data fast.
- Forensics & compliance: Use Purview Audit (Standard/Premium) and mailbox signals like MailItemsAccessed to establish a defensible impact scope for notifications and regulators.
- Mitigate & harden: Tighten CA, expand auth contexts on sensitive sites, and tune DLP/Insider Risk policies so the next incident is smaller and stops sooner.
Set up DSI (preview) the right way
- Prereqs & permissions: Assign Data Security Investigations Admin/Investigator roles in the Purview portal; use the built‑in setup task or role groups. Give yourself a “zero admin” escape plan by ensuring at least one admin remains.
- Billing and capacity: DSI uses two meters: storage (GB‑month) and Security Compute Units (SCUs) for AI analysis. You can provision SCUs and set overage units for bursts; billing is per hour (min. one hour).
- Create your first investigation: Start from a Defender XDR incident or Insider Risk case, or use templates/draft mode in the Purview portal. Add sources, define scope, and prepare data for AI.
- Use AI tools: Run vector search to find “nearby” content (semantic similarity), enable categorization to sort by risk and topic, and use examination to surface credentials, network indicators, and other security risks buried in content.
Tip for scale: Vector queries are cheap in SCU terms; even 10 GB of vectorized data is typically only a few SCUs. Budget your SCUs for categorization/examination passes on the high‑risk categories first.
Bring in Entra ID: Three practical patterns you can ship this week
1) Risk‑based access for users and sessions
- Policy: Require MFA for Medium/High sign‑in risk; require secure password change for High user risk. Use templates to deploy and keep break‑glass accounts excluded.
- Session: For sensitive apps, use Conditional Access: Session → Defender for Cloud Apps to limit downloads or require label‑on‑download when risk is detected or device is unmanaged.
Why it matters: You cut time‑to‑control for risky identities and stop live exfiltration channels before they become a DSI case.
2) Sensitivity‑aware step‑up via authentication context
- Label your Teams/SharePoint/Groups with settings that include authentication context.
- CA: Create policies that bind to that auth context—e.g., require MFA + compliant device for “Highly Confidential” sites. Apply via label so owners can manage at scale.
Why it matters: Users work normally until they touch sensitive containers; then identity rules step up seamlessly—less friction, more protection.
3) DLP + Insider Risk + Defender XDR triage hub
- Investigate DLP in Defender XDR (recommended) or Purview DLP dashboard; use alert types (single vs aggregate) to tune noise vs. fidelity.
- Enrich DLP with Insider Risk user risk severity and export to SIEM if needed.
- Escalate to DSI for AI‑assisted scoping when the blast radius is unclear or cross‑workspace.
Why it matters: You get one pane of glass to prioritize by sensitive data impact and user risk, then a straight‑through path to AI‑assisted scoping.
Hands‑on: Example policies and queries
A. Conditional Access (report‑only → on)
Start in report‑only to socialize impact, then switch to on:
- Sign‑in risk MFA: All users (exclude break‑glass), All resources, Sign‑in risk = Medium & High, Grant = Require MFA.
- User risk password change: All users (exclude break‑glass), User risk = High, Grant = Require password change (SSPR).
Pre‑flight: Use the Impact Analysis of risk‑based access policies workbook with your sign‑in logs in Log Analytics to predict outcomes before you enforce.
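As an added example (not the article's or Microsoft's code), the Python below builds the Microsoft Graph v1.0 `conditionalAccessPolicy` request bodies for the two risk policies in section A and the authentication‑context step‑up from pattern 2, then lints them against the guardrails above (break‑glass excluded, report‑only first, password change paired with MFA) before anything is sent. The break‑glass object IDs, the policy display names and the authentication context ID `c1` are placeholders; posting to the Graph endpoint is left as a manual step because it needs a token with `Policy.ReadWrite.ConditionalAccess`.

```python
"""Build Graph conditionalAccessPolicy bodies for the policies in sections A, 1) and 2)
and lint them against the guardrails in the text. Added example, not the article's or
Microsoft's code. Object IDs and the auth context ID "c1" are constructed placeholders."""
import json

# Constructed placeholder object IDs for the break-glass accounts.
BREAK_GLASS_IDS = [
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
]
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state value for report-only
ENABLED = "enabled"
GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def _base(display_name, state):
    """Common skeleton: all users except break-glass, all resources, all client app types."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS_IDS)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
    }


def sign_in_risk_mfa_policy(state=REPORT_ONLY):
    policy = _base("CA - Sign-in risk Medium/High - Require MFA", state)
    policy["conditions"]["signInRiskLevels"] = ["medium", "high"]
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return policy


def user_risk_password_change_policy(state=REPORT_ONLY):
    policy = _base("CA - User risk High - Secure password change", state)
    policy["conditions"]["userRiskLevels"] = ["high"]
    # Graph only accepts passwordChange together with mfa and operator AND.
    policy["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    return policy


def auth_context_step_up_policy(auth_context_id="c1", state=REPORT_ONLY):
    policy = _base(f"CA - Auth context {auth_context_id} - MFA + compliant device", state)
    # Target the authentication context (bound to the sensitivity label) instead of apps.
    policy["conditions"]["applications"] = {
        "includeAuthenticationContextClassReferences": [auth_context_id]
    }
    policy["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}
    return policy


def lint_policy(policy):
    """Return guardrail findings for one policy body; an empty list means it passes."""
    findings = []
    users = policy["conditions"]["users"]
    excluded = set(users.get("excludeUsers", []))
    if users.get("includeUsers") == ["All"] and not set(BREAK_GLASS_IDS) <= excluded:
        findings.append("break-glass accounts are not excluded")
    if policy["state"] == ENABLED:
        findings.append("state is 'enabled'; deploy as report-only first and review impact")
    grant = policy.get("grantControls", {})
    controls = grant.get("builtInControls", [])
    if "passwordChange" in controls and (grant.get("operator") != "AND" or "mfa" not in controls):
        findings.append("passwordChange must be combined with mfa using operator AND")
    return findings


def build_and_lint(auth_context_id="c1"):
    """Return (findings by policy name, policy bodies ready to POST to GRAPH_URL)."""
    policies = [
        sign_in_risk_mfa_policy(),
        user_risk_password_change_policy(),
        auth_context_step_up_policy(auth_context_id),
    ]
    return {p["displayName"]: lint_policy(p) for p in policies}, policies


if __name__ == "__main__":
    findings, policies = build_and_lint()
    for name, issues in findings.items():
        print(f"{name}: {issues or 'OK'}")
    # Body for the first policy; POST it to GRAPH_URL once lint passes and the
    # report-only results in the impact analysis workbook look acceptable.
    print(json.dumps(policies[0], indent=2))
```

Switching a policy to enforcement is then a `PATCH` of `state` to `enabled` on the same endpoint; the lint deliberately refuses `enabled` at creation time so the report‑only step cannot be skipped by accident.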
B. Session control for unmanaged devices (OneDrive/SharePoint)
- CA policy: Route target users/apps to Conditional Access App Control when device is not compliant.
- Defender for Cloud Apps: Block download or require label on download for files matching sensitive info types or labels. (Know the scanning/file size limits.)
C. Audit queries (hunting mail data exposure)
Even if an attacker didn’t “open” messages, MailItemsAccessed helps you assess what mail was touched and when.
```kusto
// Microsoft Sentinel, Office 365 connector: mailbox audit lands in the OfficeActivity
// table, not in the Entra ID AuditLogs table. In Defender XDR Advanced Hunting the same
// events are in CloudAppEvents with ActionType == "MailItemsAccessed".
OfficeActivity
| where Operation == "MailItemsAccessed"
| where UserId =~ "<compromised_user@contoso.com>"
| summarize count() by bin(TimeGenerated, 1h), ClientIP, ClientInfoString
```
Use this alongside DSI’s categorization for emails/documents tied to the incident.
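An added Python example (not from the article) for the same forensic question, working from exported audit records rather than a Sentinel query: it buckets a compromised user’s MailItemsAccessed records by hour, client IP and client string, collects the InternetMessageIds from Bind events, and flags the two situations where the log undercounts, throttled records and Sync access. The records are constructed to mirror the AuditData JSON shape of the unified audit log; the user name and IP addresses are placeholders.

```python
"""Scope mail exposure from exported MailItemsAccessed records. Added example, not the
article's code. SAMPLE_RECORDS are constructed to mirror the AuditData JSON of the
unified audit log (Operation, UserId, ClientIPAddress, ClientInfoString,
OperationProperties, Folders/FolderItems)."""
from collections import defaultdict
from datetime import datetime, timezone

USER = "alice@contoso.com"  # constructed placeholder
SAMPLE_RECORDS = [  # constructed sample audit records
    {"CreationTime": "2024-05-01T13:05:22", "Operation": "MailItemsAccessed", "UserId": USER,
     "ClientIPAddress": "198.51.100.23", "ClientInfoString": "Client=REST",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m1@contoso.com>"},
                                                     {"InternetMessageId": "<m2@contoso.com>"}]}]},
    {"CreationTime": "2024-05-01T13:40:01Z", "Operation": "MailItemsAccessed", "UserId": USER,
     "ClientIPAddress": "198.51.100.23", "ClientInfoString": "Client=REST",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Sent Items", "FolderItems": [{"InternetMessageId": "<m3@contoso.com>"}]}]},
    {"CreationTime": "2024-05-01T14:10:45", "Operation": "MailItemsAccessed", "UserId": USER,
     "ClientIPAddress": "203.0.113.9", "ClientInfoString": "Client=OWA",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox"}]},  # Sync: whole folder, no item list
    {"CreationTime": "2024-05-01T14:30:12", "Operation": "MailItemsAccessed", "UserId": USER,
     "ClientIPAddress": "203.0.113.9", "ClientInfoString": "Client=OWA",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "True"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m4@contoso.com>"}]}]},
    {"CreationTime": "2024-05-01T13:12:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@contoso.com", "ClientIPAddress": "198.51.100.23", "ClientInfoString": "Client=REST",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m9@contoso.com>"}]}]},
]


def _prop(record, name):
    """Look up a named entry in OperationProperties (a list of Name/Value pairs)."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def _hour_bucket(creation_time):
    """CreationTime is UTC; exports may or may not carry a trailing 'Z'."""
    ts = datetime.fromisoformat(creation_time.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:00Z")


def _for_user(records, user):
    for rec in records:
        if rec.get("Operation") == "MailItemsAccessed" and rec.get("UserId", "").lower() == user.lower():
            yield rec


def summarize_mail_access(records, user):
    """Return {(hour, client_ip, client_info): {events, items, throttled, sync_folders}}."""
    buckets = defaultdict(lambda: {"events": 0, "items": 0, "throttled": False, "sync_folders": set()})
    for rec in _for_user(records, user):
        key = (_hour_bucket(rec["CreationTime"]), rec.get("ClientIPAddress", "unknown"),
               rec.get("ClientInfoString", "unknown"))
        bucket = buckets[key]
        bucket["events"] += 1
        if _prop(rec, "MailAccessType") == "Sync":
            # Sync means the client downloaded folders; individual items are not enumerated,
            # so treat every item in these folders as potentially exposed.
            bucket["sync_folders"].update(f.get("Path", "?") for f in rec.get("Folders", []))
        else:
            bucket["items"] += sum(len(f.get("FolderItems", [])) for f in rec.get("Folders", []))
        if str(_prop(rec, "IsThrottled")).lower() == "true":
            # Exchange stops writing further Bind records for this mailbox for a period once
            # the throttling limit is hit, so the counted items are a lower bound.
            bucket["throttled"] = True
    return dict(buckets)


def accessed_message_ids(records, user):
    """Sorted InternetMessageIds from Bind events: the item-level list for notification scoping."""
    ids = set()
    for rec in _for_user(records, user):
        if _prop(rec, "MailAccessType") == "Sync":
            continue
        for folder in rec.get("Folders", []):
            ids.update(i["InternetMessageId"] for i in folder.get("FolderItems", []) if "InternetMessageId" in i)
    return sorted(ids)


if __name__ == "__main__":
    for key, bucket in sorted(summarize_mail_access(SAMPLE_RECORDS, USER).items()):
        print(key, bucket)
    print(accessed_message_ids(SAMPLE_RECORDS, USER))
```

The hour/IP/client split is what you compare against the user's normal sign‑in pattern from Entra ID; a throttled bucket or a Sync folder means the item list is incomplete and the exposure scope has to be widened to the folder level for that window.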
Operating model: Roles, processes, and collaboration
- Roles & permissions
- Processes
  - Triage in Defender XDR or the DLP Alerts dashboard; escalate to DSI when scope is uncertain or multi‑channel.
  - Forensics via Purview Audit (180‑day default retention; Premium options for longer).
  - Mitigation: tighten auth contexts/CA, expand DLP coverage, and share Insider Risk severity back to SOC tooling.
Cost & scale notes you’ll want before you brief finance
- Storage meter (GB‑month) + SCUs (hourly) = DSI cost; delete investigations to stop storage charges; use SCU overage units for bursts.
- Vector search is SCU‑light; reserve SCU for categorization/examination passes.
- Audit (Standard) now defaults to 180‑day retention (up from 90), which often reduces the need to flip to Premium for mid‑size cases.
Governance guardrails & pitfalls
- Break‑glass exclusions in CA are non‑negotiable. Test policy changes in report‑only and validate with the impact analysis workbook.
- Auth context limitations: Not all apps and scenarios support it; test Teams/OneNote behaviors when binding auth context to sites.
- CA App Control limits: Be aware of file size thresholds and encrypted files behavior; set “default behavior” for >50 MB.
30‑60‑90 day plan
Days 1–30 (Foundations)
- Enable risk‑based CA (report‑only), deploy auth contexts for “Highly Confidential” containers, and start DLP alert hygiene (single vs aggregate).
- Verify Purview Audit access and retention, and assign DSI roles.
Days 31–60 (Controls & pipelines)
- Turn on session controls for unmanaged devices; bind auth contexts to sensitivity labels; integrate DLP/Insider Risk with Defender XDR triage.
- Run a pilot DSI on a benign dataset to baseline SCU/storage usage.
Days 61–90 (Operate & optimize)
- Move CA risk policies from report‑only to on, expand auth contexts to more sites, and formalize the DSI escalation playbook.
- Tune DLP alert aggregation and share Insider Risk severity with DLP for richer triage.
FAQ (quick hitters you’ll be asked)
Is DSI licensed per user? No. DSI (preview) is pay‑as‑you‑go on storage + SCUs for AI. It’s not tied to a standalone plan; configure billing in the Purview portal.
Can I launch DSI straight from an incident? Yes—from Defender XDR incidents or Insider Risk cases—or manually with templates/draft mode.
Where should my analysts investigate DLP alerts? Defender XDR is the recommended hub for DLP alert investigations; the DLP dashboard is ideal for policy authoring/tuning and workload‑specific context.
How do I prove what mail was actually accessed? Use MailItemsAccessed in Purview Audit as part of your forensic narrative; it logs item access even when messages aren’t explicitly “opened.”
Copy‑paste checklist for your runbook
- Entra ID Protection: Enable user and sign‑in risk policies; exclude break‑glass.
- Conditional Access (Session): Route unmanaged/high‑risk sessions to Defender for Cloud Apps; set download/label rules.
- Sensitivity labels + Auth context: Bind auth context to “Highly Confidential” containers; enforce step‑up access.
- DLP alerts: Standardize on Defender XDR for investigations; tune aggregate alerts to reduce noise.
- Insider Risk ↔ DLP: Share user risk severity to enrich DLP incidents.
- Purview Audit: Confirm 180‑day retention; plan Premium/10‑year only if required by regulation.
- DSI: Assign roles, configure billing (storage + SCUs), pilot an investigation, and codify escalation triggers.
Closing thoughts
Data Security Investigations gives your teams an AI‑powered lens on what happened to your data, while Entra ID ensures who is allowed to do what—and under which conditions. When you wire them together with DLP, Insider Risk, Defender XDR, and Audit, you turn isolated tools into a cohesive breach‑response system that prioritizes sensitive data impact and risk‑based access above all. That’s how you shrink both dwell time and blast radius.
Helpful links for your bookmarks
- Learn the DSI fundamentals and AI features: Data Security Investigations (preview) • AI analysis • Billing
- Make Entra ID drive protection: Risk‑based CA • Sign‑in risk MFA template • Session controls
- Operationalize DLP & IRM: DLP alert investigations • DLP in Defender XDR/Sentinel • Share IRM risk with DLP
- Audit & forensics: Auditing solutions overview • Get started (180‑day default) • MailItemsAccessed
References
- Session controls in Conditional Access policy (Microsoft Entra ID)
- Learn about auditing solutions in Microsoft Purview
- Get started with auditing solutions (Microsoft Learn)
- Use MailItemsAccessed to investigate compromised accounts
