Deploy and Configure Microsoft Purview Posture Agent

Implementation Effort: Medium – Requires Microsoft Security Copilot onboarding with security compute units (SCUs) provisioned, Microsoft Purview plug-in activation, and role assignments across Purview and Security Copilot; ongoing SCU consumption must be monitored.
User Impact: Low – Admin-only deployment; the Posture Agent operates in the background and does not change end-user workflows.

Overview

The Microsoft Purview Posture Agent in Data Security Posture Management uses natural language prompts to help security teams discover sensitive information across the organization's data estate. Traditional approaches to understanding data exposure require administrators to manually query audit logs, review activity explorer filters, and correlate findings across multiple Purview consoles. The Posture Agent automates this discovery by accepting natural language questions — such as identifying where sensitive data resides, which users interact with it, and what protection gaps exist — and returning actionable findings based on the organization's classification taxonomy, sensitivity labels, and DLP policy matches. This capability extends the observability established by DSPM for AI activity explorer and collection policies into an interactive model where security teams can investigate posture questions on demand rather than waiting for scheduled reports.

The Posture Agent runs on Microsoft Security Copilot infrastructure and consumes security compute units (SCUs) each time it executes an analysis. The tenant must be onboarded to Microsoft Security Copilot, Microsoft 365 data sharing must be enabled, and the Microsoft Purview plug-in must be activated before the agent can operate. The agent can be deployed using either an organizational user account or an agent identity — agent identity is recommended because it decouples the agent's permissions from any individual administrator's account, reducing the risk of privilege escalation if an administrator's credentials are compromised. Only one instance of the Posture Agent can exist per tenant, and it can be deactivated or removed at any time without affecting other Purview configurations.

This activity supports Assume Breach by giving security teams an on-demand investigative tool that can rapidly surface data exposure patterns — if a breach is suspected, the Posture Agent can answer questions about where sensitive content is stored and who has accessed it far faster than manual log analysis. It supports Verify Explicitly by grounding posture assessments in the actual state of the organization's data classification and protection policies rather than assumptions about coverage. Without the Posture Agent, security teams rely on periodic manual reviews of DSPM dashboards and activity explorer, which introduces latency between when a data exposure pattern emerges and when it is discovered. Threat actors exploit exactly this kind of detection gap — sensitive data that is overshared, mislabeled, or unprotected may remain exposed for weeks before a scheduled review surfaces the problem.

Reference