Microsoft 365 Data Security Engineering

Make your organization's data defensible

Most tenants have Purview licensed and nothing configured, or configured badly by someone who has left. This course teaches the discipline end to end: know what is sensitive, mark it so every control downstream can act on it, close the channels it actually leaves through, keep what must be kept, watch the people who already have legitimate access, and answer what left, when, and who moved it. Aligned to the SC-401 skills measured, and built to teach the job rather than the exam.

ARC403 | Premium tier | 16 modules across 9 phases | 36-40 hours at your own pace | 40 CPE credits | Lab optional | Updated July 2026
Course Agenda View all 2 modules

Course Orientation

DS0
Course Orientation

Phase 1 - Know your data

DS2
Classification

Course overview

Data security engineering is its own discipline. It is not identity security with different portals, and it is not a compliance project with a dashboard at the end. The question every control in Purview resolves to is whether a classifier matched, and almost nobody measures whether theirs did. This course follows one organization's data from unknown to defended, and teaches you to prove each control works rather than assume it. Learn how to:

Build a classification scheme that matches what the business holds, and measure its false-positive rate against real content
Design a sensitivity label taxonomy that survives contact with users, and apply it without depending on them
Write DLP policies that block the paths data actually leaves through, and roll them out without breaking Monday morning
Set retention that satisfies the regulator without hoarding, and read the precedence rules before they surprise you
Run insider risk without producing four hundred alerts a week, and investigate a case from the platform's own evidence

By the end you can walk into a licensed, unconfigured tenant and stand up a programme you can defend, including an honest statement of what it does not cover.

Who this course is for

You are a security engineer, M365 administrator, SOC analyst, or consultant with Purview in the tenant and a gap between what it could do and what it does. This course is designed for you if you want to:

Move from "we have E5 so we have data protection" to naming which data is sensitive and proving it is labelled
Deploy controls you can measure, rather than dashboards that look clean because nothing is firing
Understand the licensing boundary properly, so you know what you can build on E3 today and what E5 actually buys
Handle the newest half of the job, where a copilot indexes the oversharing that was survivable while discovery was hard

Compliance and privacy staff who need to know what the technical controls actually do belong here too. Every concept is taught at first use.

What you'll learn

By the end of this course you will be able to:

Build custom sensitive information types, document fingerprints, Exact Data Match, and trainable classifiers, and choose correctly between them
Obtain a false-positive rate from real content and tune a classifier on evidence rather than on the last complaint
Design a label taxonomy, publish it, and auto-apply it client-side and service-side, including container labels
Protect data beyond the tenant with the Information Protection client, the on-premises scanner, and message encryption
Take DLP from requirements to policy, resolve rule precedence, and roll out simulation to audit to block in the only safe order
Deploy endpoint DLP across the real channels: USB, cloud sync, print, clipboard, unallowed apps, and network shares
Configure retention labels and policies, adaptive scopes, and precedence, and recover retained content
Run insider risk management with its privacy model, connectors, and thresholds, and drive DLP enforcement from risk level
Investigate with Purview Audit, Activity explorer, and Content Search, and close the audit retention gap before it ends a case
Secure data for AI with DSPM for AI, prompt and response governance, and Copilot readiness as a data security exercise

Key course takeaways

Stand up a complete data security programme in a tenant that has Purview licensed and nothing configured
Measure every control you deploy, because in classification wrong is quiet and a clean dashboard proves nothing
Make the licensing call honestly, control by control, on E3 or E5
Write the coverage statement that names its own edges before an auditor finds them
Work the capstone on a fresh requirement set, assembling the whole discipline without a walkthrough

Things you need to know

What are the prerequisites for this course?

Familiarity with Microsoft 365 as an administrator or a user, and comfort reading a PowerShell cmdlet. No prior Purview, KQL, or compliance experience is required. Each is taught at first use and the content is self-contained.

What are the lab requirements?

None. The course is completable without a tenant. If you want to build every control as you learn it, a Microsoft 365 E5 trial or a developer tenant is enough, and the course states plainly which controls need E5 and which are reachable on E3. There is no lab image to download and no hypervisor to run.

How will the course benefit your career?

Purview is licensed in most Microsoft-shop enterprises and configured properly in very few of them. An engineer who can classify an estate, prove the classifiers work, close the exfiltration channels, and hand over a case file is answering the question boards have started asking. The AI half of the discipline is newer still, and the people who can do it are fewer.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may not redistribute course content or share account credentials.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 0.1  |  Last updated: July 2026

July 2026 - v0.1: In build. Module 2 (Classification) complete: sensitive information types and the confidence model, custom SITs, document fingerprinting, Exact Data Match, trainable classifiers, OCR, the explorers, measuring and tuning, and the classification decision.

This course is actively maintained.