AI-based Privacy Management for Microsoft 365

Mechanics Team
Oct 19, 2021

Get started with Microsoft’s new AI-based privacy management solution for Microsoft 365, which applies intelligence to quickly assess your organization’s privacy risks and help anyone working with personal data make the right decisions. Alym Rayani, General Manager for Microsoft 365 Compliance and Privacy, joins Jeremy Chapman to show how you can automate subject rights requests for Microsoft 365 data and ensure integration with your existing solutions using our API.

Privacy requirements universally impact organizations as more privacy regulations are introduced around the globe. And just like security is a top priority, privacy needs to be too. Now you can build a privacy resilient organization where everybody working with personal data is empowered to be part of the solution.

For admins: We’ve tailored the experience to what privacy teams care about to proactively identify and protect against common privacy risks.

For privacy managers: We’ve built automation for processing subject rights requests at scale, and at quality, whether you’re using our built-in experience or tools from a partner.

For users: Understand privacy risks in the moment, or even in the context of your work with data.


02:19 — See how it works: Everyday user experience

05:41 — Admin experience

08:00 — Policies

10:20 — Subject rights requests

12:38 — Wrap up

Link References:

Get started with a trial experience at

Find guidance geared towards admins, data officers, and data workers at

Unfamiliar with Microsoft Mechanics?

We are Microsoft’s official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.


Video Transcript:

- Up next, we’re joined by Alym Rayani to look at Microsoft’s new AI-based privacy management solution for Microsoft 365, which applies intelligence to quickly assess your organization’s privacy risks and help anyone working with personal data make the right decisions. And also keep watching as we’ll show you how you can automate subject rights requests for Microsoft 365 data and ensure integration with your existing solutions using our API. So Alym, after all these years of working together, it’s really great to have you on.

- Thanks for having me on.

- So you and your team have really been at the forefront of our work in governance and compliance across Microsoft for some time now, you know, from things like eDiscovery and automated data classification to information protection policies and compliance management. Now with today’s announcement of privacy management, how do things change?

- There are several things we’re solving for. This marks a shift to modernizing the approach we take to privacy. In fact, we’re at a point now where we can apply the latest intelligence, the latest innovation and automation, to operationalize privacy management for anyone who handles personal data in the course of their day-to-day work.

- And it’s really topical because we’ve all seen digital privacy rise in importance over recent years, you know, from things like data breaches, to the right to be forgotten, GDPR, and really everything in between.

- We have. Privacy requirements universally impact every organization everywhere as more and more privacy regulations are introduced around the globe. And just like security is a top priority, privacy needs to be too. We want to help you build a privacy resilient organization where everybody working with personal data is empowered to be part of the solution. For example, on the admin side, we’ve tailored the experience to cater for things privacy teams care about and proactively identifying and protecting against common privacy risks. Also, specifically for privacy managers, we’re building automation for processing subject rights requests at scale and at quality, whether you’re using our built-in experience or tools from a partner. Then for the rest of us, because we all work with data in the course of our jobs, we’re continuing our approach of helping you understand privacy risks in the moment, or even in the context of your work with data.

- And many of these processes really were manual before, especially thinking of things like managing subject rights requests or sifting through logs, in some cases, to find those risky behaviors, like you mentioned. I’d love to see how all of this works. So why don’t we start with the people that handle data every day, like you and me?

- Sure. We know from research that over 90% of privacy incidents are unintentional. At the same time, it’s the people working with the data who have the most context and are really best positioned to minimize privacy risks. So I’ll start in Teams. Let’s say I’m a banker in the U.S. who wants to share information with a peer in the UK. This is a cross border transfer where each side is subject to different privacy regulations and laws. So here I am typing a chat message containing a name, address, and credit card number. And when I go to share it, Teams understands that geography is involved in this case, it sees what I’m sharing, and based on policies it automatically blocks the transfer. While I showed you the effects of a geographic transfer here, this could also apply to cross-department transfers, for example if the finance team tries to share personal information with the marketing team. You can see it explains to me what the policy violation is. So if I wasn’t aware of the policy before sharing, this message takes care of that, so I won’t share these in the future. And it also links me to valuable training and recommended actions to take in order to remain responsible from a data usage standpoint.

- And over time, you know, this type of in-the-moment guidance will really make it second nature for people to spot potential privacy risks as they go about their daily work, without getting in the way of their productivity. And what’s significant here is even though the concept of policy tips is something we’ve had for a while now, we’ve gone from those one dimensional checks for sensitive information types, like credit cards, to applying intelligence and AI to spot more contextual use. Or for example, that credit card information, it might be shareable locally within your region, but not across borders. So it’s that extra bit of intelligence that makes this unique.

- It is. And beyond the experiences integrated in the apps you use every day, we also inform you when existing content may pose a potential risk. For example, content that contains personal information that hasn’t been used in a while, or content that’s been overshared or overexposed. All of these are potential risks. Here, for example, you’re seeing a personalized email digest, which can be customized for your organization. It’s sent to the data owner of the content that includes personal information, so they can quickly take action. The goal is to take a data-first and a content-first approach to alert you of potential risk. This one is informing me of data that’s potentially overexposed with access beyond its necessary reach. These email digests are directly interactive in Outlook, as you can see here. They can have one or more items listed. And in this case, I can reduce sharing permissions on this item and elect to make it private to me. Now, I may also want to keep this item as is and keep its permissions intact, or I can report the item as a false positive or hit retain and provide written feedback. There’s even a link here to tailored training for this specific risk of data overexposure.

- What I love about this is also it’s directly actionable in email without linking you off to another site or experience. And this whole experience, by the way, is automated under the covers. And it’s surfaced in a timely manner to those people that are best placed to mitigate against specific risks, the people that use that data every day, which in turn helps the whole organization be more proactive and also frees up the work of admins to be less reactive. But speaking of which, let’s take a look at the admin experience.

- So as a former admin, I’m really excited about this because all the work we’ve been doing over the past couple of years in governance and compliance, it really comes together to identify and report risks and enable granular investigation. As a privacy admin, you’ll be able to see a great dashboard that I’m showing now for a comprehensive view of your organization’s risk. For example, here I can see a few recent insights with new items from the last week, like the number of items with personal data, privacy risks flagged from the last seven days across our three areas of data hoarding, overexposure, and transfer. I can see recent subject rights requests to take action on, and overdue subject rights requests. Below those top level accounts, you’ll see alerts with recent trends for the content with the most personal data. You’ll see active policy alerts matched to risk severity, personal data found, and the unused or inactive personal data like I mentioned earlier, which could be an indication of data hoarding. And below that we can get an overview of the recent trends for subject rights requests, which we’ll go through a bit later.

- And this is really a great summary of up-to-the-minute trends, but what’s underneath all of that?

- So let me show you by taking a look at the new items discovered in the environment. Back up top, we can filter on files, for example, files with external access. And if I switch to the data profile dashboard using this button here, I can get a holistic snapshot of my data estate. I can see which Microsoft 365 locations have the most instances of personal data, as well as the total cumulative numbers and the diversity of types across Exchange, across SharePoint, OneDrive and Teams. There’s also a view that shows the top data types found, like credit cards and personal ID numbers, along with how it breaks down by geography. And if I want to drill further or find specific data, I can use the content explorer to find exactly what I’m looking for across sensitive information types and locations. Let’s say, I want to know which locations have the most social security card numbers. I can select that as an information type. Then I get a breakdown of Exchange, OneDrive, SharePoint and Teams. And if I click into SharePoint, I can even see the number of files per site. And I can use this to manage site permissions and policies to again, minimize risk.

- There’s really a good level of granularity behind that summary view. Now, you mentioned policies and one of the big pain points that I see a lot of the time is really knowing which one of my policies is actually working.

- Right. It can be really hard to get a handle on which policies are working. And if people are even using the resources like training that are being made available to them. So something else we’ve optimized for is how we drive better insights on the policies that you’ve set as well as the ones running by default. This gives you visibility into the activities you care about. So here in the policies dashboard, there are alerts and active issues. I can literally see what I need from one place. Now below the top level summary is a detailed list of policies with their status, type, and number of matches, which is the number of times a policy is triggered. I’m going to click into this one which has a high number of matches. And that gives me enough detail to take the next step of tuning this policy further if I want. Additionally, I can see how many notifications were sent, and whether people are taking actions to mitigate risks.

- Okay. So what are some of the settings then that you can leverage in privacy management and what’s that experience look like?

- Yes, so of course there are hundreds of granular configurations to really tailor specific policies to data, locations, and user groups. But one of the age old questions, when you have lots of policy options, is where do you actually start? To solve for this, we’ve included out-of-the-box policy templates to get ahead of the most common privacy risks that I mentioned before: data overexposure, where data is overshared either internally or externally, data transfers like I showed in Teams, data minimization, so this is where personal data might be accumulating in one location and infrequently used. That’s the data hoarding risk I mentioned earlier. Each of these policies can be created and enabled from these templates in just a couple of clicks. And you can also create your own custom policies. And for any policy, you can edit them to meet your specific conditions, for example, like the data transfer regions you see here. Additionally, you can set the outcomes for how you inform users, such as the policy tips like I showed before in Teams or via email. And each policy can have its own dedicated link to training specific to that single policy.

- This is really great if you have specific training for individual information types or maybe individual regions or those in activities. So it’s not just the general all up privacy link, like or something, but you mentioned also subject rights requests earlier. So how does that get better?

- Yeah, so subject rights requests are something that a lot of people spend a lot of time on ever since GDPR and similar regulations were put in place. So we made the process for responding to these requests much easier. Here, I can keep track of all my existing requests and even create a new request. And if I hit create request, I’ve added a name, email, and residency to help identify content as well as how the person is related to our organization. Like if they’re a customer or they’re an employee. Next I can scope the search to be more granular. Here I can add other personal attributes to make sure we find everything. And once I go through the rest of the steps and submit the request, that usually completes in under an hour. When it’s done processing, you’ll get an overview like this for each subject rights request. Now here, you can see, we flagged priority items to help admins start their review. You can easily add others to help with this request and securely collaborate with them over Microsoft Teams with our private channel built specifically around this request. And in data collected, you can preview each item and choose whether or not to include it in the final report. You can see highlights where the personal information was found or take other actions against it, like redactions for things you don’t want to share, or even add your own notes. And to integrate with your existing processes, we’ve also added three built-in Power Automate templates here for things like performing custom actions for subject rights requests, adding calendar reminders for follow-up, and creating records for requests in ServiceNow, allowing for extensibility for automating privacy operations. We’re also enabling programmatic access to create these requests. For example, privacy ISV apps, or your LOB apps can access the subject rights requests API to create requests directly in Microsoft 365 and export those results. And now as you continue to manage privacy and subject rights requests, everything is right here in one place.

- And it’s really amazing to see how much you and also your team have done to modernize privacy management, really from the use of intelligence to assess privacy risks, to unified and scoped experiences for the different people working with personal data, along with the integration of privacy management into the apps that we use every day. But what do you recommend people do next?

- The first thing I’d say is try it out. We have an easy trial experience at All you need is an Office 365 or Microsoft 365 account to get started. Also, we just published a ton of guidance geared towards admins, data officers, and data workers that you can check out at to learn more.

- Thanks so much, Alym. And also of course, keep checking back to Microsoft Mechanics for the latest updates, subscribe to our channel if you haven’t already, and thanks again for watching.