Purview Exchange Mailbox (at-rest) Data Discovery and Classification

Hi Sai Manisha, thank you for your response.

I have a few follow-up questions, hope you can help out in clarifying.

"eDiscovery and Content Search help locate data but don’t perform continuous classification or automatic labeling of mailbox items."
"eDiscovery or Content Search: Run targeted searches to identify older emails that may contain sensitive content and perform review or remediation workflows as required."

1. Here, my understanding is that eDiscovery and Content Search can help in finding at-rest emails if we know the specific keyword to look for or other conditions/criteria. But we will not be able to use Sensitive Information Types/Sensitive Types to search for emails having sensitive content. Is that correct?

"Microsoft Purview Data Loss Prevention (DLP): Use DLP policies with SITs to detect sensitive information in Exchange and generate alerts or enforcement actions. This provides ongoing visibility even though labels aren’t applied retroactively."

2. Here, my understanding is that similar to the limitation we have with eDiscovery, Information Protection - DLP policies also will not be able to generate alerts of take actions on at-rest (older) exchange email data. Please correct if my assumption is wrong.

"Retention policies and retention labels: Implement lifecycle management to ensure emails are retained only for the required regulatory period and automatically deleted afterward."

3. Can you please clarify whether retention policies and retention labels can apply retention labels to at-rest (older) exchange emails?
   If yes, can advise what criteria we can provide for the policies? (Ex: Are SITs/Sensitive Type conditions available)
   Is there any consolidated report or view where we can view the retention labeling activities and drill down to view the user/mailbox where the specific label is applied?

I am thinking of something like this - If retention auto-labeling policies can support scanning and labeling of exchange mailboxes (at-rest) using SIT's as conditions, these can be used to tag potentially sensitive labels using Rentention labels.

My main question is - is there any automated mechanism or approach we can take to understand and flag potentially sensitive emails in a large amount of exchange mailboxes at-rest using criteria such as SIT's or some other in-built classification rules?

Thank you very much for your help.

Hi AzGeek,
Sorry for delay in response

Thank you for your follow-up questions. Below is a concise clarification.

Yes, eDiscovery and Content Search can use Sensitive Information Types (SITs) as search conditions. You are not limited to keywords. However, they are investigative tools only they do not continuously scan or automatically classify or label mailbox items.

For DLP, it can evaluate Exchange Online mailbox content, but it is primarily event-driven (send/receive/modify). It is not designed as a full historical scanner that guarantees immediate processing of all legacy email.

Retention policies apply to all at-rest mailbox content but do not use SIT conditions.

Retention auto-apply labels, however, can use SITs and can scan Exchange Online mailboxes to automatically apply a retention label when sensitive data is detected. This is the closest built-in mechanism to automatically tagging sensitive emails at-rest.

That said, there is no single Purview feature that performs continuous deep historical reclassification of all mailbox content with full reporting.

• eDiscovery – supports SIT search, no auto-classification • DLP – detection and enforcement, not full historical inventory • Retention auto-labeling with SITs – automated tagging option for at-rest content

If your goal is automated identification of sensitive emails at-rest, retention auto-apply labels with SIT conditions is the recommended Microsoft-native approach.

Hi, are you sure that eDiscovery support using SIT's for searches of at-rest email boxes?
Does it provide valid results without errors? And can we view the highlighted text in the matched items to see which content/text from the emails was flagged as part of the search?

Thank you for your support, it helps greatly

Hi AzGeek,
Thank you for your follow-up.

Yes, eDiscovery (Standard and Premium) and Content Search do support Sensitive Information Types (SITs) as search conditions for Exchange Online mailboxes, including at-rest email content. When configured correctly, the search can return results based on built-in or custom SIT definitions without errors.

However, there are a couple of important limitations to be aware of:

Search results will show the emails that match the SIT condition, but Content Search itself does not highlight the exact matched text within the message body.

If you need deeper analysis, eDiscovery (Premium) provides better review capabilities. After adding results to a review set, investigators can open the item and analyze the content to determine what triggered the match, though the SIT match is not always highlighted in the same way as keyword hits.

SIT-based searches are supported in eDiscovery/Content Search for Exchange mailboxes.

They can return valid results for at-rest emails.

Exact highlighted SIT matches are generally not displayed directly in Content Search, but deeper inspection can be performed in eDiscovery Premium review sets.

Please let us know if you need guidance on configuring SIT-based searches or reviewing results in eDiscovery.

Hi AzGeek,
I hope you had a chance to review the information shared earlier, and I hope this information has been helpful! If you still have questions, please let us know what is needed in the comments so the question can be answered.

Hi Vasil, I know, this seems like an important functionality most users must be expecting since Exchange mailboxes are generally the user-facing aspect where important data is captured, so having a way to know these potentially sensitive emails must be important.

I have a question about retention policies and labels-

Can you please clarify whether retention policies and retention labels can apply retention labels to at-rest (older) exchange emails? If yes, can you advise what criteria we can provide for the policies? (Ex: Are SITs/Sensitive Type conditions available) Is there any consolidated report or view where we can view the retention labeling activities and drill down to view the user/mailbox where the specific label is applied?

I am thinking of something like this - If retention auto-labeling policies can support scanning and labeling of exchange mailboxes (at-rest) using SIT's as conditions, these can be used to tag potentially sensitive labels using Rentention labels.

Apologies if I wasn't clear above - auto-apply retention policies for ExO do not support SITs for items at rest. But they still support a large set of criteria, which should hopefully allow you to use this as workaround. Retention will ensure all stamped items are preserved, and you can combine it with the manual disposition process to have a poor man's SIT check at the end of the item lifecycle.