Uniting Purview and Third-Party Data Security Products
As a consultant in the Microsoft Security & Compliance space, you learn that some projects are more like therapy sessions. Half the organization wants to migrate to Microsoft, and the other half, clutching their Varonis or Symantec licenses, waits in the shadows for their "I told you so" moment.
When I started taking on Purview projects, I’d hear it constantly: "Digital Guardian is already doing this for us," or "I'm not seeing the value-add with E5 when we're already using Varonis." Pre-sales calls are nightmare fuel when you don't understand what your competitors can solve. This post serves as a distillation of many months of research inside and outside of the Purview Data Security stack.
It all started with an image...
I stumbled upon the MIP SDK documentation purely by accident one night during one of my Ballmer Peak-induced research sessions (turns out it's not just for programming). I couldn't figure out what I was looking at. Why were the logos for these 3rd party competitors on a Microsoft Learn doc?
Of course we know that they're competitors, but it turns out they're also partners. Almost all of them can use the MIP SDK to integrate their platforms with Microsoft's data protection ecosystem. This isn't a secret, and it's not talked about enough.
This sent me down many a rabbit hole. Seventeen Chrome tabs later, I had my "a-ha" moment. A Data Security vendor-agnostic ecosystem already exists, we just need to cultivate it.
Michael Buckbee
Angelica Torres-Corral
The Microsoft Information Protection SDK brings the classification, labeling, and protection capabilities of Microsoft Information Protection into a simple, lightweight, cross-platform software development kit that enables any application to label and protect information. The labels and protection are consumable by Azure Information Protection, Office apps, Office 365, and any application or service that has integrated the Microsoft Information Protection SDK. Bringing the labeling and protection capabilities that have existed in Office to line of business applications, as well as third-party PDF viewers, CAD/CAM applications, and other SaaS applications is a critical component of the information protection story. The Microsoft Information Protection SDK enables Microsoft partners and customers to build those integrations to protect data at creation, detect movement across trust boundaries, and to prevent accidental or malicious leakage of sensitive information.
A short story...
A few years ago, I was working with a Secude Sales Engineer on behalf of an Engineering Firm who needed to apply sensitivity labels + protection to CAD files. Their HaloCAD product was (and I think still is) the only one on the market that extends MIP label protection to CAD files. I learned this after I was given the project, and after the customer expressed their frustration with not being told about this limitation. This is a prime example of why understanding the nuance of your subject-matter is vitally important to your success. I'm not telling you that you have to learn the ins-and-outs of every product within your discipline; however, even a tangential awareness of third-party competitor platforms will elevate your value to your customers and within your org.
Proprietary Tag? Universal Standard?
Most high-end DLP tools have their own native capabilities. They can discover sensitive data, apply their own proprietary tags, and take action like quarantining a file. So, the relevant question isn't "can they classify data?" but "why would they choose to use Microsoft's label instead of their own?"
The answer is the difference between a custom barcode and a QR code.
A third-party's proprietary tag is like a custom barcode for a specific retail store. This tag works perfectly within that store's framework, but take it anywhere else, and it's meaningless.
A Microsoft Purview label is like a QR code for your data. It’s a platform-wide standard that is natively understood by the entire M365 architecture (Word, Excel, SharePoint, Teams, Fabric, PowerBI, etc.). Its power is in its ubiquity. This allows it to embed not just a classification, but enforceable encryption and usage rights that travel everywhere the data goes.
Theory meets practice...
Here’s how I demonstrate this value in a way that makes it tangible. The goal is to show how a third-party tool's discovery action can trigger the full power of the native M365 protection stack. Imagine two islands:
Island 1: Your on-prem file server, monitored by a tool like Varonis. It finds a file with credit card numbers, generates an alert, and the story stops.
Island 2: Your M365 E5 license, with powerful DLP and encryption tools waiting to be used.
The Demo
First, I explain to the customer:
"Your Varonis instance has the ability to apply a Purview sensitivity label the moment it discovers sensitive data. For this demo, instead of running a full scan, I'm going to use this simple PowerShell cmdlet to perform that exact same action on this sample file."
Then, in PowerShell:
Set-FileLabel -Path ".\Project_Citadel_Financials.docx" -LabelId "Highly Confidential"https://learn.microsoft.com/en-us/powershell/module/purviewinformationprotection/?view=azureipps
Instantly, we can see the downstream effects of that single action:
- Automatic Encryption: The file icon gets a lock. The label has applied persistent encryption.
- SharePoint/Teams DLP: We drag the file into a Teams channel. SharePoint immediately recognizes the label and applies a Purview DLP policy, blocking communication and displaying a policy tip.
- Data Governance: All of this activity is logged in the Purview audit logs, creating a unified record.
This cmdlet triggers a chain reaction that proves the "why." You can use your best-in-class third-party tool to unleash the native licensed protection features you already own. This is of course a gross oversimplification, but it allows me to demo the functionality without needing to own multitudinous expensive product licenses. Luckily, some 3rd party vendors have MIP SDK integration documentation that you can follow if your customers want to take the demo further into proof-of-concept territory.
Value visualization...
This rudimentary process flow showcases an example of Digital Guardian Endpoint DLP integrating with the MIP SDK to combine with Purview.
The inevitable follow-up question...
"Ok...why not just go pure E5?"
This is a logical conclusion: if Purview is so powerful, why keep the third-party tool at all? Because for many organizations, a "rip and replace" is unrealistic:
- Deep On-Premises Expertise: Tools like Varonis were born and bred to analyze complex on-prem file servers, something Microsoft is still catching up to. The MIP Scanner can get the job done, don't get me wrong, but it's not the leader in that space.
- "Best-of-Breed" Functions: A company like Forcepoint has spent a decade perfecting granular endpoint DLP in ways that can still surpass native capabilities.
- Heterogeneous Environments: Your third-party tool is often the "Switzerland" of security, protecting data across non-Microsoft platforms like Google Workspace, Box, or Mac endpoints.
- Organizational Inertia: Teams are trained, and processes are built around these tools. A migration is a massive, costly, and politically risky endeavor.
Be an Architect...
Your role as a Data Security Architect isn't to sell a product. We're meant to be problem-solvers, not problem-explainers. The path to a fully consolidated platform might be a multi-year journey. But, you can deliver immense value this instant by showing your clients how to connect the powerful tools they already own.
I think we should stop the "versus" debate. Do yourselves and your customers a favor and start the integration conversation. Show them how to use their best-in-class discovery engine to power the ubiquitous protection of the Purview stack. That’s how you become a truly brand-agnostic, and invaluable, advisor.
