Edit your one-click policies or Purview will disappoint you

Matthew Silcox

19 Aug 2025 — 2 min read

*you checking Activity Explorer thinking DSPM for AI was logging everything (it wasn't)*

Turning on DSPM for AI’s one-click policies gets your dashboards populated, but it doesn't guarantee prompt and response bodies in Activity Explorer. Without a specific edit, you'll mostly see headers, counts, and detections (not the text you need).

"One-click" creates the coverage that you want, but it doesn't finish configuration for the evidence-grade telemetry that you need.

In order to fix...

Pick a DSPM for AI policy and click "Edit".
Step-through the policy wizard until you get to "Data to detect".
Remove the exclusions.
Enable the previously unavailable "Capture content" option.

*locate a relevant policy in DSPM for AI*

*one-click policy showing default SIT exclusions*

*remove the exclusions and save the change*

*you now have the ability to select "Capture content"*

📌

Confirm your account is granted "Content Explorer Content Viewer" rights so you can actually see captured text.

Trust but verify!

Run each of these tests to validate your config:

Ask Copilot to summarize a labeled file.
Trigger a Copilot Studio or Entra-registered agent.
Paste a fake pattern, like a credit card (please don't use your real one), into a third-party AI site from a managed device.

Now check:

DSPM for AI "Apps & agents" → the app or agent appears with activity.
Activity explorer → filter by AI interaction. You should see prompt and response text in the details pane after your edit.
Audit → this is optional, but checking it allows you to cross-check that events actually landed.

Compliance investigations live or die on context. Counts and detections help with posture, but incident response, legal hold, and user coaching need the actual words. Configure your Data Security tools with the assumption that leadership will demand evidence and accountability.

Using Microsoft’s Data Security Stack to Prevent the Next Breach

AI is transforming industries worldwide, but it’s simultaneously creating one of the largest data risks we've ever seen. According to the Varonis 2025 State of Data Security Report, 95% of healthcare organizations have exposed sensitive cloud data, and 64% have employees using unverified AI tools. The same

Email SIT Finder Update: All Credentials Bundled Entity

Found this nugget buried in the Purview Blueprints Github repo. Figured I'd take a crack at integrating credential SITs into my EXO SIT Finder. The "All Credentials" Bundled SIT is multitudinous and complex, as you can see in the linked Learn Doc below. Current SITs being

Architectural Case Study | Extending Microsoft Purview with Fortra (Digital Guardian) DLP via the MIP SDK

This post is a continuation of a series. See part 1, here. Most enterprises already live in dual worlds. On one side, Microsoft Purview governs information inside Microsoft 365. But on the other, dedicated DLP platforms like Digital Guardian DLP control endpoints, networks, and file movement. So what's

Uniting Purview and Third-Party Data Security Products

As a consultant in the Microsoft Security & Compliance space, you learn that some projects are more like therapy sessions. Half the organization wants to migrate to Microsoft, and the other half, clutching their Varonis or Symantec licenses, waits in the shadows for their "I told you so"