Workloads/Get-PurviewData.ps1
|
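# Get-PurviewData.ps1
# Collects retention policies, retention labels, DLP policies,
# sensitivity labels, and eDiscovery cases from Microsoft Purview.
# Part of the M365-QuickAssess module -- not exported.

function Get-PurviewData {
    <#
    .SYNOPSIS
    Counts Purview compliance objects and records the counts and findings on the assessment.

    .DESCRIPTION
    Connects through Connect-Purview, probes availability with Get-RetentionPolicy,
    then counts retention policies, retention rules, enforced DLP policies,
    sensitivity labels and eDiscovery cases. Each count is written to
    $Assessment.Purview and findings are appended to $Assessment.Findings.

    A collection that throws is stored as $null (not 0), the same marker the
    unlicensed path uses, so that "could not be read" is never reported as
    "nothing configured".

    .PARAMETER Assessment
    Assessment object; this function writes its Purview.* fields and appends to
    its Findings collection.
    #>
    param (
        $Assessment
    )

    # -------------------------------------------------------------------
    # Connect to Purview
    # -------------------------------------------------------------------
    try {
        Connect-Purview
    }
    catch {
        Write-Log "Purview connection failed -- skipping Purview collection" "ERROR"
        return
    }

    Write-Log "Collecting Purview data"

    # -------------------------------------------------------------------
    # Purview License Check
    # NOTE(review): 'Forbidden' and 'unauthorized' also match a signed-in
    # account that simply lacks the compliance role, so a permissions gap is
    # reported below as an Info-level licensing finding -- confirm the
    # operator's role assignments before trusting "not licensed".
    # -------------------------------------------------------------------
    $purviewAvailable = $false
    try {
        $null = Get-RetentionPolicy -ErrorAction Stop
        $purviewAvailable = $true
    }
    catch {
        if ( $_.Exception.Message -match 'Forbidden|unauthorized|not licensed|OrganizationNotFound|couldn''t be found' ) {
            Write-Log "Purview compliance features unavailable -- tenant does not have a qualifying license" "WARN"

            # $null marks every field as "not assessed"
            $Assessment.Purview.RetentionPolicies = $null
            $Assessment.Purview.RetentionLabels   = $null
            $Assessment.Purview.DlpPolicies       = $null
            $Assessment.Purview.SensitivityLabels = $null
            $Assessment.Purview.EdiscoveryCases   = $null

            $Assessment.Findings += New-Finding `
                -Type "PurviewNotLicensed" `
                -Summary "Purview compliance data could not be collected -- qualifying license not found" `
                -Category "Compliance" `
                -Severity "Info" `
                -Impact "Retention policies, DLP, sensitivity labels, and eDiscovery cases cannot be assessed without a Microsoft Purview or equivalent compliance license." `
                -Recommendation "Verify whether the target tenant requires Purview licensing as part of the migration scope."
            return
        }
        else {
            Write-Log "Purview license check failed: $( $_.Exception.Message )" "ERROR"
            return
        }
    }

    # -------------------------------------------------------------------
    # Policies to ignore -- system defaults not relevant to migration
    # -------------------------------------------------------------------
    $policiesToIgnore = @(
        "Default MRM Policy",
        "ArbitrationMailbox"
    )

    # Schema fields whose collection threw; they are stored as $null below.
    $failedCollections = @()

    # -------------------------------------------------------------------
    # Retention Policies
    # NOTE(review): Get-RetentionPolicy is the Exchange MRM cmdlet; Purview
    # retention policies are normally listed with
    # Get-RetentionCompliancePolicy -- confirm which set the report intends.
    # -------------------------------------------------------------------
    $retentionCount = 0
    try {
        $retentionPolicies = Get-RetentionPolicy -ErrorAction Stop |
            Where-Object { $_.Name -notin $policiesToIgnore }
        $retentionCount = ( $retentionPolicies | Measure-Object ).Count
        Write-Log "Retention Policies: $retentionCount"
    }
    catch {
        $failedCollections += "RetentionPolicies"
        Write-Log "Retention policy collection failed: $( $_.Exception.Message )" "WARN"
    }

    # -------------------------------------------------------------------
    # Retention Labels
    # NOTE(review): Get-RetentionComplianceRule returns retention *rules*;
    # retention labels are normally listed with Get-ComplianceTag -- confirm
    # which count this field is meant to hold.
    # -------------------------------------------------------------------
    $labelCount = 0
    try {
        $retentionLabels = Get-RetentionComplianceRule -ErrorAction Stop
        $labelCount = ( $retentionLabels | Measure-Object ).Count
        Write-Log "Retention Labels: $labelCount"
    }
    catch {
        $failedCollections += "RetentionLabels"
        Write-Log "Retention label collection failed: $( $_.Exception.Message )" "WARN"
    }

    # -------------------------------------------------------------------
    # DLP Policies
    # The Mode value of an enforced policy is "Enable"; the original filter
    # compared against "Enabled" only, which excludes every enforced policy.
    # "Enabled" is still accepted so no previously counted policy is lost.
    # Policies in test or disabled modes are deliberately not counted.
    # -------------------------------------------------------------------
    $dlpCount = 0
    try {
        $dlpPolicies = Get-DlpCompliancePolicy -ErrorAction Stop |
            Where-Object { $_.Mode -in @( "Enable", "Enabled" ) }
        $dlpCount = ( $dlpPolicies | Measure-Object ).Count
        Write-Log "DLP Policies: $dlpCount"
    }
    catch {
        $failedCollections += "DlpPolicies"
        Write-Log "DLP policy collection failed: $( $_.Exception.Message )" "WARN"
    }

    # -------------------------------------------------------------------
    # Sensitivity Labels
    # -------------------------------------------------------------------
    $sensitivityCount = 0
    try {
        $sensitivityLabels = Get-Label -ErrorAction Stop
        $sensitivityCount = ( $sensitivityLabels | Measure-Object ).Count
        Write-Log "Sensitivity Labels: $sensitivityCount"
    }
    catch {
        $failedCollections += "SensitivityLabels"
        Write-Log "Sensitivity label collection failed: $( $_.Exception.Message )" "WARN"
    }

    # -------------------------------------------------------------------
    # eDiscovery Cases
    # NOTE(review): the result is presumably limited to cases the signed-in
    # account is allowed to see, so a low count can reflect role scoping
    # rather than absence of cases -- verify before treating 0 as
    # "no legal holds".
    # -------------------------------------------------------------------
    $caseCount = 0
    try {
        $cases = Get-ComplianceCase -ErrorAction Stop
        $caseCount = ( $cases | Measure-Object ).Count
        Write-Log "eDiscovery Cases: $caseCount"
    }
    catch {
        $failedCollections += "EdiscoveryCases"
        Write-Log "eDiscovery case collection failed: $( $_.Exception.Message )" "WARN"
    }

    # -------------------------------------------------------------------
    # Populate Schema
    # NOTE: Field names match HTML viewer exactly -- do not rename
    # A failed collection is stored as $null so the report cannot show a
    # failure as a clean zero (which would also hide the legal-hold finding).
    # -------------------------------------------------------------------
    $Assessment.Purview.RetentionPolicies = if ( $failedCollections -contains "RetentionPolicies" ) { $null } else { $retentionCount }
    $Assessment.Purview.RetentionLabels   = if ( $failedCollections -contains "RetentionLabels" )   { $null } else { $labelCount }
    $Assessment.Purview.DlpPolicies       = if ( $failedCollections -contains "DlpPolicies" )       { $null } else { $dlpCount }
    $Assessment.Purview.SensitivityLabels = if ( $failedCollections -contains "SensitivityLabels" ) { $null } else { $sensitivityCount }
    $Assessment.Purview.EdiscoveryCases   = if ( $failedCollections -contains "EdiscoveryCases" )   { $null } else { $caseCount }

    Write-Log "Purview complete: Retention=$retentionCount Labels=$labelCount DLP=$dlpCount Sensitivity=$sensitivityCount Cases=$caseCount"

    if ( $failedCollections.Count -gt 0 ) {
        Write-Log "Purview collection incomplete -- not assessed: $( $failedCollections -join ', ' )" "WARN"
    }

    # -------------------------------------------------------------------
    # Findings -- only fire if something meaningful exists
    # -------------------------------------------------------------------
    $totalConfigs = $retentionCount + $labelCount + $dlpCount + $sensitivityCount + $caseCount

    if ( $totalConfigs -gt 0 ) {
        $Assessment.Findings += New-Finding `
            -Type "PurviewConfigurationsDetected" `
            -Summary "Microsoft Purview configurations detected" `
            -Category "Compliance" `
            -Severity "Medium" `
            -Details @(
                "Retention Policies: $retentionCount",
                "Retention Labels: $labelCount",
                "DLP Policies: $dlpCount",
                "Sensitivity Labels: $sensitivityCount",
                "eDiscovery Cases: $caseCount"
            ) `
            -Impact "Purview compliance configurations are tenant-specific and will not migrate automatically." `
            -Recommendation "Engage a compliance specialist to assess and recreate Purview configurations in the target tenant."
    }

    # -------------------------------------------------------------------
    # Finding: Active eDiscovery cases
    # The count covers every case returned; case status is not inspected.
    # -------------------------------------------------------------------
    if ( $caseCount -gt 0 ) {
        $Assessment.Findings += New-Finding `
            -Type "ActiveEDiscoveryCases" `
            -Summary "$caseCount eDiscovery cases detected" `
            -Category "Compliance" `
            -Severity "High" `
            -Impact "Active eDiscovery cases may have legal holds in place. Migrating data under legal hold without proper handling can have serious legal implications." `
            -Recommendation "Engage legal counsel before migrating any data associated with active eDiscovery cases."
    }

    # -------------------------------------------------------------------
    # Finding: Sensitivity labels
    # -------------------------------------------------------------------
    if ( $sensitivityCount -gt 0 ) {
        $Assessment.Findings += New-Finding `
            -Type "SensitivityLabelsDetected" `
            -Summary "$sensitivityCount sensitivity labels detected" `
            -Category "Compliance" `
            -Severity "Medium" `
            -Impact "Sensitivity labels and their associated protection policies must be recreated in the target tenant before migration to avoid data protection gaps." `
            -Recommendation "Export sensitivity label configurations and recreate in the target tenant prior to migrating labeled content."
    }
}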