Integrate Azure Purview with Azure security products

This document explains the steps required for connecting an Azure Purview account with various Azure security products to enrich security experiences with data classifications and sensitivity labels.

Microsoft Defender for Cloud

Azure Purview provides rich insights into the sensitivity of your data. This makes it valuable to security teams using Microsoft Defender for Cloud to manage the organization’s security posture and protect against threats to their workloads. Data resources remain a popular target for malicious actors, making it crucial for security teams to identify, prioritize, and secure sensitive data resources across their cloud environments. The integration with Azure Purview expands visibility into the data layer, enabling security teams to prioritize resources that contain sensitive data.

To take advantage of this enrichment in Microsoft Defender for Cloud, no additional steps are needed in Azure Purview. Start exploring the security enrichments with Microsoft Defender for Cloud's Inventory page where you can see the list of data sources with classifications and sensitivity labels.

Supported data sources

The integration supports data sources in Azure and AWS; sensitive data discovered in these resources is shared with Microsoft Defender for Cloud:

Known issues

  1. Data sensitivity information is currently not shared for sources hosted inside virtual machines - like SAP, Erwin, and Teradata.
  2. Data sensitivity information is currently not shared for Amazon RDS.
  3. Data sensitivity information is currently not shared for Azure PaaS data sources registered using a connection string.
  4. Unregistering the data source in Azure Purview doesn't remove the data sensitivity enrichment in Microsoft Defender for Cloud.
  5. Deleting the Azure Purview account will persist the data sensitivity enrichment for 30 days in Microsoft Defender for Cloud.
  6. Custom classifications defined in the Microsoft 365 Compliance Center or in Azure Purview are not shared with Microsoft Defender for Cloud.

FAQ

Why don't I see the AWS data source I have scanned with Azure Purview in Microsoft Defender for Cloud?

Data sources must be onboarded to Microsoft Defender for Cloud as well. Learn more about how to connect your AWS accounts and see your AWS data sources in Microsoft Defender for Cloud.

Why don't I see sensitivity labels in Microsoft Defender for Cloud?

Assets must first be labeled in Azure Purview, before the labels are shown in Microsoft Defender for Cloud. Check if you have the prerequisites of sensitivity labels in place. Once your scan the data, the labels will show up in Azure Purview and then automatically in Microsoft Defender for Cloud.

Next steps