Microsoft Data Security Workshop: What's Included and What It Costs - TrustedTech

Microsoft Data Security Workshop: What's Included and What It Costs

Need Help Figuring Out the Licensing You Need? Save Up to 20% by Chatting with our Experts!

Get Expert Licensing Help

Search for the Microsoft Data Security Envisioning Workshop, and you’ll find a lot of pages promising it’s free. That’s true for some delivery partners, depending on which Microsoft funding program is active at the time. It’s not how TrustedTech delivers it. We scope it, price it, and run it as a real professional services engagement, because assessing your Microsoft 365 data security posture properly takes real work: configuring Purview, running discovery over several weeks, sorting through what comes back, and building a roadmap you can act on instead of a slide deck you file away.

This post covers what the workshop includes, what Microsoft Purview Data Security Posture Management (DSPM) is, which modules are mandatory versus optional, what’s explicitly excluded, and what you get at the end. If you’re trying to decide whether this is worth paying for before you talk to anyone, this should answer that.

Five Phases Covered in the Workshop

Most competitor pages describe this in outcome language: you’ll get a roadmap, you’ll gain visibility. Fine, but not much help if you’re trying to figure out what you’re actually paying for. TrustedTech runs this across five phases.

Phase one is planning and readiness: a pre-engagement call to align on timelines, identify stakeholders, and select the module that best fits your environment. We also review your current compliance landscape before anything technical begins.

Phase two is setup and configuration. This is where the Purview work begins, configuring eDiscovery, Data Loss Prevention, Insider Risk Management, Information Protection, and audit logging, then confirming telemetry is actually flowing.

Phase three is automated discovery. Purview scans Exchange Online, SharePoint Online, OneDrive, and Teams (plus whatever optional source you picked) for sensitive data, stale data, and risky behavior patterns. This phase takes the longest. Behavioral analysis needs weeks of signal, not an afternoon of scanning.

Phase four is findings review. We present what discovery turned up, ranked by risk, along with compliance gaps and insider risk patterns. You leave with a roadmap, not just a pile of problems.

Phase five is closeout, and it’s worth pausing on this one separately below.

DSPM Is the Dashboard. The Workshop Builds It For You

Nearly every page ranking for this topic mixes up two different things: the workshop, which is an event, and Data Security Posture Management, which is a Purview capability. They’re connected, but they’re not the same, and getting this straight will make the rest of this easier to follow.

DSPM is the dashboard. The workshop is what configures it and tells you what it found. Purview DSPM is built around the data itself: where it sits, who can touch it, how it’s used, and whether it’s protected. That’s a different posture than traditional perimeter security, which assumes the threat is trying to get in. DSPM assumes the risk is already sitting inside your tenant, in a SharePoint site nobody’s opened since 2021, or a Teams thread where someone pasted a customer list into a chatbot.

DSPM and DLP aren’t the same control, either. DLP enforces policy by blocking a specific action, such as copying a sensitive file to a personal email address. DSPM doesn’t block anything on its own. It discovers, classifies, and surfaces risk, then recommends DLP, Insider Risk Management, and Information Protection policies you can turn on with one click. DSPM is the diagnostic. DLP is the prescription. If you’re tracking posture more broadly across your tenant, our Microsoft Secure Score benchmarks guide is a useful companion read, since DSPM findings often appear as Secure Score improvement actions, too.

Microsoft also recently shipped a genuinely different version of DSPM. The classic version tracked cross-cloud data and user risk through reports and trends. The current version adds coverage for third-party platforms (Salesforce, Snowflake, Databricks, Google Cloud, depending on what’s connected), reorganizes around outcome-based “objectives” instead of raw findings, and adds AI observability for Copilot and agent activity. If you looked at DSPM a year or two ago and walked away unimpressed, it’s a different product now.

DSPM for AI used to be its own separate experience, which confused people for no good reason. It’s folded into the main DSPM view now, with AI risk tracked next to everything else instead of off in its own silo.

Four Modules Are Fixed. You Choose One More.

Scope is where TrustedTech’s version differs most from the rest. The boundaries are in writing before anything starts, not discovered halfway through.

Four modules are mandatory, full stop:

  1. Exchange Online discovery
  2. SharePoint Online and OneDrive scanning
  3. Teams analysis
  4. Insider Risk Management. 

    These cover the repositories and behavioral signals present in basically every Microsoft 365 tenant, regardless of size or industry.

    You pick one additional module from these five: 

    1. Compliance Manager (benchmarks you against a specific regulatory framework)
    2. On-Premises Data Scanner (extends discovery to file shares)
    3. Windows Endpoints (monitors endpoint-level risk)
    4. Communication Compliance (flags risky communications
    5. Data Security for AI (looks specifically at Copilot and generative AI usage).

    Which one fits depends on what’s actually driving the assessment. An upcoming HIPAA or CMMC audit points to Compliance Manager. Leadership worried about people pasting customer data into ChatGPT points to Data Security for AI.

    What’s explicitly off the table: forensic investigation, incident response, DLP policy enforcement (we recommend the policies; turning them on and tuning them is a different job), discovery on non-Microsoft clouds, and proof-of-concept builds. If a finding turns up something that needs immediate action, that becomes its own separate, mutually agreed conversation rather than something we just absorb into scope.

    About that Phase 5 closeout: most security assessments leave something behind. A service account nobody remembers to deprovision. An admin role nobody questions. A trial license that quietly turns into a paid SKU six months later. TrustedTech’s SOW commits to removing all configurations, resources, and licenses deployed during the engagement and restoring your tenant to exactly how it looked before we started. That’s not a line we added for color; it’s in the contract. If you’ve ever had to clean up after a previous vendor’s “free assessment,” you already know why that matters.

    A Roadmap You Can Act On, Not a Slide Deck You File Away

    A Security Check findings overview: what sensitive data discovery turned up, where it’s exposed, and which user behaviors flagged as risky. This ranges from intellectual property sitting unsecured in a SharePoint site to actual risky interactions with AI tools.

    An optional Compliance Manager assessment, if that’s the module you picked, with improvement actions mapped to whatever regulatory framework matters to you.

    A prioritized roadmap and results presentation, sequenced by risk rather than dumped on you as a raw export.

    Guidance on how findings map to specific Purview solutions, so if you’re new to Purview, the roadmap translates into actual next configuration steps and not a generic checklist.

    AI Adoption Is Outrunning Data Governance

    AI adoption is outrunning data governance at most organizations, which is why this kind of assessment is being booked more often. People are pasting customer data into Copilot, connecting AI tools IT never approved, and sharing files with agents that have no business seeing them, frequently without anyone in IT knowing it’s happening.

    That’s exactly the gap the Data Security for AI module is built to close, and it’s become the most commonly chosen selectable option. It analyzes prompts and responses for sensitive data exposure, tracks which AI apps and agents are accessing your tenant’s data, and flags oversharing before it becomes an incident. If your organization moved fast on Copilot without a parallel conversation about governance, this is usually where the gap shows up first.

    We’ve written before about how Shadow AI risk tends to concentrate at the seniority level you’d assume would know better. If that’s been on your radar, our Shadow AI whitepaper digs into the data behind that pattern and pairs well with this post, especially if you’re leaning toward the Data Security for AI module. For a closer look at how Copilot oversharing risk specifically plays out, our Microsoft Defender all-in-one cybersecurity suite breakdown covers the layered protections Microsoft has built for exactly this kind of exposure.

    Frequently Asked Questions

    How much does the Microsoft Data Security Envisioning Workshop cost?
    TrustedTech delivers this as a paid, scoped professional services engagement rather than a free Microsoft-funded offer. Pricing depends on your environment’s size, the selectable module you choose, and discovery complexity; the way to get an accurate number is a scoping call rather than a published list price, since no two tenants generate the same amount of discovery work.

    What’s the difference between DSPM and DLP in Microsoft Purview?
    DSPM discovers, classifies, and surfaces risk in your sensitive data; DLP enforces policy to prevent specific actions, like blocking a file from being shared externally. DSPM tells you what’s at risk and recommends policies; DLP is one of the tools it recommends turning on.

    What modules are included in the workshop, and what’s optional?
    Four modules are mandatory in every engagement: Exchange Online, SharePoint Online and OneDrive, Microsoft Teams, and Insider Risk Management. You select one additional module from five options: Compliance Manager, On-Premises Data Scanner, Windows Endpoints, Communication Compliance, or Data Security for AI.

    Do I need Microsoft 365 E5 to use DSPM?
    Microsoft Purview DSPM requires an E5 license or the Purview Suite (formerly E5 Compliance) to access. You’ll need to confirm your current licensing and acquire any necessary add-ons before the engagement’s configuration phase begins.

    What happens to the access and configurations TrustedTech sets up during the engagement?
    Everything deployed during the engagement, configurations, resources, and any licenses provisioned for the assessment, is fully removed at closeout, and your tenant is restored to its pre-engagement state. This is a defined phase in the engagement, not an afterthought.

    What’s the difference between the Data Security Envisioning Workshop and the Threat Protection Envisioning Workshop?
    The Data Security Envisioning Workshop focuses on your data itself: where sensitive information lives, who can access it, and how Purview can govern it. The Threat Protection Envisioning Workshop focuses on active threats across email, identity, and endpoints. If your concern is “where is our risk hiding,” start with data security; if it’s “are we under active attack,” start with threat protection.

    TrustedTech Scopes This. Microsoft Doesn't Fund It

    A real data security assessment is detailed, technical work: configuring Purview correctly, letting discovery run long enough to yield meaningful results, and turning raw findings into a roadmap someone can actually execute. TrustedTech holds Microsoft Managed Partner designations across Infrastructure, Security, and Modern Work, and our engineers are in Entra ID, Azure, Purview, Defender XDR, Sentinel, and Intune every day, not as a side specialty they pick up occasionally.

    If you’re weighing whether this engagement makes sense, or which selectable module actually fits your situation, talk to TrustedTech’s security team about scoping a Data Security Envisioning Workshop for your environment.

    Thomas Rosquin, Sr Writer

    Thomas Rosquin, Sr Writer

    Thomas Rosquin is a content strategist and technology writer at TrustedTech, a top 1% global Microsoft Cloud Solution Provider. With 20 years of experience in research, editorial, and content strategy, he focuses on Microsoft technologies, workplace AI, and IT governance, translating complex licensing and adoption decisions into clear guidance for technology leaders. His work draws on original research, industry analysis, and close collaboration with TrustedTech's Microsoft-certified solutions team.

    LinkedIn | Case Studies