Merge pull request #53660 from ceperezb/CEPEREZB-sc100-design-regulatory-compliance

v-ccolin · web-flow · commit d7935b8a7203 · 2026-03-01T11:03:15.000Z
update module
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/1-introduction-regulatory-compliance.yml b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/1-introduction-regulatory-compliance.yml
@@ -4,7 +4,7 @@ title: Introduction
 metadata:
   title: Introduction
   description: "Introduction to: Design solutions for regulatory compliance."
-  ms.date: 01/28/2026
+  ms.date: 02/27/2026
   author: ceperezb
   ms.author: ceperezb
   ms.topic: unit
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/2-translate-compliance-requirements-security-solution.yml b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/2-translate-compliance-requirements-security-solution.yml
@@ -4,7 +4,7 @@ title: Translate compliance requirements into security controls
 metadata:
   title: Translate compliance requirements into security controls
   description: "SC-100 preparatory unit on the topic: Translate compliance requirements into security controls."
-  ms.date: 01/28/2026
+  ms.date: 02/27/2026
   author: ceperezb
   ms.author: ceperezb
   ms.topic: unit
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/2a-ai-compliance-considerations.yml b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/2a-ai-compliance-considerations.yml
@@ -4,7 +4,7 @@ title: AI compliance considerations
 metadata:
   title: AI compliance considerations
   description: "SC-100 preparatory unit on the topic: compliance considerations for AI technologies including EU AI Act, ISO 42001, and NIST AI RMF."
-  ms.date: 01/29/2026
+  ms.date: 02/27/2026
   author: ceperezb
   ms.author: ceperezb
   ms.topic: unit
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/3-address-compliance-requirements-microsoft-purview.yml b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/3-address-compliance-requirements-microsoft-purview.yml
@@ -4,7 +4,7 @@ title: Design a solution to address compliance requirements by using Microsoft P
 metadata:
   title: Design a solution to address compliance requirements by using Microsoft Purview
   description: "SC-100 preparatory unit on the topic: Design a solution to address compliance requirements by using Microsoft Purview."
-  ms.date: 01/28/2026
+  ms.date: 02/27/2026
   author: ceperezb
   ms.author: ceperezb
   ms.topic: unit
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/4-address-privacy-requirements-microsoft-priva.yml b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/4-address-privacy-requirements-microsoft-priva.yml
@@ -4,10 +4,10 @@ title: Address privacy requirements with Microsoft Priva
 metadata:
   title: Address privacy requirements with Microsoft Priva
   description: "SC-100 preparatory unit on topic: address privacy requirements with Microsoft Priva."
-  ms.date: 01/28/2026
+  ms.date: 02/27/2026
   author: ceperezb
   ms.author: ceperezb
   ms.topic: unit
-durationInMinutes: 9
+durationInMinutes: 8
 content: |
   [!include[](includes/4-address-privacy-requirements-microsoft-priva.md)]
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/5-address-security-compliance-requirements-azure-policy.yml b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/5-address-security-compliance-requirements-azure-policy.yml
@@ -1,13 +1,13 @@
 ### YamlMime:ModuleUnit
 uid: learn.wwl.design-solutions-regulatory-compliance.address-security-compliance-requirements-azure-policy
-title: Address security and compliance requirements with Azure policy
+title: Address security and compliance requirements with Azure Policy
 metadata:
-  title: Address security and compliance requirements with Azure policy
-  description: "SC-100 preparatory unit on the topic: address security and compliance requirements with Azure policy."
-  ms.date: 01/28/2026
+  title: Address security and compliance requirements with Azure Policy
+  description: "SC-100 preparatory unit on the topic: address security and compliance requirements with Azure Policy."
+  ms.date: 02/27/2026
   author: ceperezb
   ms.author: ceperezb
   ms.topic: unit
-durationInMinutes: 8
+durationInMinutes: 10
 content: |
   [!include[](includes/5-address-security-compliance-requirements-azure-policy.md)]
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/6-evaluate-infrastructure-compliance-defender-cloud.yml b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/6-evaluate-infrastructure-compliance-defender-cloud.yml
@@ -4,7 +4,7 @@ title:  Evaluate and validate alignment with regulatory standards and benchmarks
 metadata:
   title:  Evaluate and validate alignment with regulatory standards and benchmarks by using Microsoft Defender for Cloud
   description: "SC-100 preparatory unit on the topic:  Evaluate and validate alignment with regulatory standards and benchmarks by using Microsoft Defender for Cloud."
-  ms.date: 01/28/2026
+  ms.date: 02/27/2026
   author: ceperezb
   ms.author: ceperezb
   ms.topic: unit
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/7-knowledge-check.yml b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/7-knowledge-check.yml
@@ -4,7 +4,7 @@ title: Module assessment
 metadata:
   title: Module assessment
   description: "Knowledge check for module on the topic: design solutions for regulatory requirements. Contains AI generated content."
-  ms.date: 01/28/2026
+  ms.date: 02/27/2026
   author: ceperezb
   ms.author: ceperezb
   ms.topic: unit
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/8-summary.yml b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/8-summary.yml
@@ -4,10 +4,10 @@ title: Summary
 metadata:
   title: Summary
   description: "Summary of module on topic: design solutions for regulatory requirements."
-  ms.date: 01/28/2026
+  ms.date: 02/27/2026
   author: ceperezb
   ms.author: ceperezb
   ms.topic: unit
-durationInMinutes: 3
+durationInMinutes: 2
 content: |
   [!include[](includes/8-summary.md)]
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/includes/3-address-compliance-requirements-microsoft-purview.md b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/includes/3-address-compliance-requirements-microsoft-purview.md
@@ -2,13 +2,14 @@ Microsoft Purview provides a unified platform for data security, governance, and
 
 ## The Microsoft Purview portfolio
 
+<!-- Source: https://learn.microsoft.com/purview/purview -->
 Microsoft Purview combines multiple solution areas to address compliance requirements across your organization's data estate:
 
 | Solution Area | Purpose | Key Solutions |
 |--------------|---------|---------------|
-| **Data security** | Protect sensitive data across its lifecycle | Information Protection, Data Loss Prevention, Insider Risk Management |
+| **Data security** | Protect sensitive data across its lifecycle | Information Protection, Data Loss Prevention, Insider Risk Management, Information Barriers, Privileged Access Management, Data Security Investigations |
 | **Data governance** | Manage and catalog data across your estate | Data Map, Unified Catalog |
-| **Data compliance** | Meet regulatory requirements and prepare for audits | Compliance Manager, Audit, eDiscovery, Records Management |
+| **Data compliance** | Meet regulatory requirements and prepare for audits | Compliance Manager, Audit, Communication Compliance, eDiscovery, Data Lifecycle Management, Records Management |
 
 Understanding how these solutions map to specific compliance requirements helps you design an integrated architecture rather than deploying isolated tools.
 
@@ -17,6 +18,7 @@ Understanding how these solutions map to specific compliance requirements helps
 
 ## Addressing data protection requirements
 
+<!-- Source: https://learn.microsoft.com/purview/information-protection -->
 Most compliance frameworks require organizations to identify, classify, and protect sensitive data. Purview Information Protection provides the foundation for these requirements.
 
 **Sensitive information types** identify regulated data like payment card numbers, health records, or personal identifiers using built-in patterns or custom definitions. **Trainable classifiers** extend this capability by learning to recognize sensitive content based on examples you provide—useful for organization-specific data like internal financial reports or proprietary designs.
@@ -36,12 +38,13 @@ When designing your labeling strategy, consider:
 
 ## Preventing unauthorized data sharing
 
+<!-- Source: https://learn.microsoft.com/purview/dlp-learn-about-dlp -->
 Regulations often require controls to prevent unauthorized disclosure of sensitive information. **Microsoft Purview Data Loss Prevention (DLP)** monitors and controls how sensitive data is shared across Microsoft 365 services, endpoints, and cloud apps.
 
 Design your DLP policies to address specific regulatory requirements:
 
 - **Policy conditions** - Define what sensitive data to protect based on sensitive information types, labels, or content patterns
-- **Policy locations** - Specify where monitoring occurs (Exchange, SharePoint, OneDrive, Teams, endpoints, Defender for Cloud Apps)
+- **Policy locations** - Specify where monitoring occurs (Exchange, SharePoint, OneDrive, Teams, devices, non-Microsoft cloud apps, on-premises repositories, Fabric and Power BI, and Microsoft 365 Copilot)
 - **Policy actions** - Configure responses from audit-only monitoring to blocking with user override to complete restriction
 
 DLP integrates with your sensitivity labels, so protection can follow content based on its classification. This integration is particularly valuable for requirements that mandate different handling based on data sensitivity levels.
@@ -50,22 +53,26 @@ DLP integrates with your sensitivity labels, so protection can follow content ba
 
 Compliance frameworks require organizations to maintain audit trails and respond to legal or regulatory inquiries. Purview provides several solutions for these requirements:
 
-**Microsoft Purview Audit** captures user and admin activities across Microsoft 365 services. Design your audit strategy to:
+<!-- Source: https://learn.microsoft.com/purview/audit-solutions-overview -->
+**Microsoft Purview Audit** captures user and admin activities across Microsoft 365 services. Audit is available in two tiers—Audit (Standard) provides 180-day retention with basic search and export, while Audit (Premium) adds custom retention policies (up to 10 years with an add-on license), intelligent insights for forensic investigations, and higher API bandwidth. Design your audit strategy to:
 
-- Enable appropriate audit logging levels based on regulatory requirements
-- Configure retention periods that meet legal hold obligations
+- Select the appropriate audit tier based on regulatory retention and investigation requirements
+- Configure retention policies that meet legal hold obligations
 - Establish processes for searching and exporting audit data for investigations
 
+<!-- Source: https://learn.microsoft.com/purview/ediscovery -->
 **Microsoft Purview eDiscovery** helps you identify, preserve, collect, and export content for legal matters. For compliance purposes, design workflows that:
 
 - Create legal holds to preserve relevant content
 - Define search criteria that capture required data without over-collection
 - Export content in formats suitable for regulatory review
 
+<!-- Source: https://learn.microsoft.com/purview/records-management -->
 **Microsoft Purview Records Management** applies retention and deletion policies to meet recordkeeping requirements. Consider how file plans, retention labels, and disposition reviews align with your regulatory obligations.
 
 ## Managing insider risk
 
+<!-- Source: https://learn.microsoft.com/purview/insider-risk-management-solution-overview -->
 Some regulations require controls to detect and respond to insider threats. **Microsoft Purview Insider Risk Management** uses signals from across Microsoft 365 and third-party systems to identify risky user activities.
 
 Design your insider risk program to:
@@ -76,24 +83,27 @@ Design your insider risk program to:
 
 ## Addressing AI compliance requirements
 
-As discussed in the AI compliance considerations unit, organizations deploying AI face specific regulatory requirements around data protection, transparency, and governance. Purview provides capabilities specifically designed for AI scenarios:
+As discussed in the AI compliance considerations unit, organizations deploying AI face specific regulatory requirements around data protection, transparency, and governance. Multiple Purview solutions extend their capabilities to AI scenarios:
 
-**Data Security Posture Management (DSPM)** provides visibility and control for both traditional applications and AI apps. Use DSPM to:
+<!-- Source: https://learn.microsoft.com/purview/data-security-posture-management-learn-about -->
+**Data Security Posture Management (DSPM) (preview)** provides visibility and control for both traditional applications and AI apps and agents. Use DSPM to:
 
 - Discover sensitive data that may be exposed to AI applications
-- Monitor how AI apps access and process organizational data
+- Monitor how AI apps access and process organizational data through data security insights and trend analysis
 - Identify and remediate data security risks before they become compliance issues
 
-**Microsoft Purview for AI** extends data security protections to generative AI experiences:
+<!-- Source: https://learn.microsoft.com/purview/ai-microsoft-purview -->
+Existing Purview data security capabilities extend to generative AI apps, including Microsoft 365 Copilot, Copilot Studio, and third-party AI applications:
 
-- Protect data used by Copilot experiences and custom AI agents
-- Apply sensitivity labels to AI-generated content
-- Prevent sensitive data from being shared inappropriately through AI interactions
+- **Sensitivity labels** protect data referenced by AI apps—users must have appropriate usage rights (VIEW and EXTRACT) for AI apps to return encrypted content
+- **Data Loss Prevention** monitors AI interactions and can block sensitive data sharing with unmanaged AI apps through endpoint and inline web traffic policies
+- **Insider Risk Management** detects risky AI usage, including prompt injection attacks and unauthorized access to protected materials, through the Risky AI usage policy template
 
 For organizations subject to AI-specific regulations like the EU AI Act or ISO 42001, **Compliance Manager** provides assessment templates that map Purview controls to these requirements.
 
 ## Multicloud compliance with Compliance Manager
 
+<!-- Source: https://learn.microsoft.com/purview/compliance-manager -->
 Compliance Manager serves as the orchestration layer that brings together compliance data from across your environment. It integrates with Microsoft Defender for Cloud to assess compliance across Azure, AWS, and GCP.
 
 When designing your Compliance Manager implementation:
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/includes/4-address-privacy-requirements-microsoft-priva.md b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/includes/4-address-privacy-requirements-microsoft-priva.md
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/includes/5-address-security-compliance-requirements-azure-policy.md b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/includes/5-address-security-compliance-requirements-azure-policy.md
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/includes/6-evaluate-infrastructure-compliance-defender-cloud.md b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/includes/6-evaluate-infrastructure-compliance-defender-cloud.md
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/includes/8-summary.md b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/includes/8-summary.md
diff --git a/learn-pr/wwl-sci/design-solutions-regulatory-compliance/index.yml b/learn-pr/wwl-sci/design-solutions-regulatory-compliance/index.yml
