Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Purview provides enterprise-grade data security, compliance, and governance capabilities for AI applications. By integrating Purview APIs within the Agent Framework SDK, developers can build intelligent agents that are secure by design, while ensuring sensitive data in prompts and responses are protected and compliant with organizational policies.
Why integrate Purview with Agent Framework?
- Prevent sensitive data leaks: Inline blocking of sensitive content based on Data Loss Prevention (DLP) policies.
- Enable governance: Log AI interactions in Purview for Audit, Communication Compliance, Insider Risk Management, eDiscovery, and Data Lifecycle Management.
- Accelerate adoption: Enterprise customers require compliance for AI apps. Purview integration unblocks deployment.
Prerequisites
Before you begin, ensure you have:
- Microsoft Azure subscription with Microsoft Purview configured.
- Microsoft 365 subscription with an E5 license and pay-as-you-go billing setup.
- For testing, you can use a Microsoft 365 Developer Program tenant. For more information, see Join the Microsoft 365 Developer Program.
- Agent Framework SDK: To install the Agent Framework SDK:
- Python: Run
pip install agent-framework. - .NET: Install from NuGet.
- Python: Run
How to integrate Microsoft Purview into your agent
In your agent's workflow middleware pipeline, you can add Microsoft Purview policy middleware to intercept prompts and responses to determine if they meet the policies set up in Microsoft Purview. The Agent Framework SDK is capable of intercepting agent-to-agent or end-user chat client prompts and responses.
The following code sample demonstrates how to add the Microsoft Purview policy middleware to your agent code. If you're new to Agent Framework, see Create and run an agent with Agent Framework.
using Azure.AI.OpenAI;
using Azure.Core;
using Azure.Identity;
using Microsoft.Agents.AI;
using Microsoft.Agents.AI.Purview;
using Microsoft.Extensions.AI;
using OpenAI;
string endpoint = Environment.GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT") ?? throw new InvalidOperationException("AZURE_OPENAI_ENDPOINT is not set.");
string deploymentName = Environment.GetEnvironmentVariable("AZURE_OPENAI_DEPLOYMENT_NAME") ?? "gpt-4o-mini";
string purviewClientAppId = Environment.GetEnvironmentVariable("PURVIEW_CLIENT_APP_ID") ?? throw new InvalidOperationException("PURVIEW_CLIENT_APP_ID is not set.");
TokenCredential browserCredential = new InteractiveBrowserCredential(
new InteractiveBrowserCredentialOptions
{
ClientId = purviewClientAppId
});
AIAgent agent = new AzureOpenAIClient(
new Uri(endpoint),
new AzureCliCredential())
.GetChatClient(deploymentName)
.CreateAIAgent("You are a secure assistant.")
.AsBuilder()
.WithPurview(browserCredential, new PurviewSettings("My Secure Agent"))
.Build();
AgentRunResponse response = await agent.RunAsync("Summarize zero trust in one sentence.").ConfigureAwait(false);
Console.WriteLine(response);
import asyncio
import os
from agent_framework import ChatAgent, ChatMessage, Role
from agent_framework.azure import AzureOpenAIChatClient
from agent_framework.microsoft import PurviewPolicyMiddleware, PurviewSettings
from azure.identity import AzureCliCredential, InteractiveBrowserCredential
# Set default environment variables if not already set
os.environ.setdefault("AZURE_OPENAI_ENDPOINT", "<azureOpenAIEndpoint>")
os.environ.setdefault("AZURE_OPENAI_CHAT_DEPLOYMENT_NAME", "<azureOpenAIChatDeploymentName>")
async def main():
chat_client = AzureOpenAIChatClient(credential=AzureCliCredential())
purview_middleware = PurviewPolicyMiddleware(
credential=InteractiveBrowserCredential(
client_id="<clientId>",
),
settings=PurviewSettings(app_name="My Secure Agent")
)
agent = ChatAgent(
chat_client=chat_client,
instructions="You are a secure assistant.",
middleware=[purview_middleware]
)
response = await agent.run(ChatMessage(role=Role.USER, text="Summarize zero trust in one sentence."))
print(response)
if __name__ == "__main__":
asyncio.run(main())
Next steps
Now that you added the above code to your agent, perform the following steps to test the integration of Microsoft Purview into your code:
- Entra registration: Register your agent and add the required Microsoft Graph permissions (ProtectionScopes.Compute.All, ContentActivity.Write, Content.Process.All) to the Service Principal. For more information, see Register an application in Microsoft Entra ID and dataSecurityAndGovernance resource type. You'll need the Microsoft Entra app ID in the next step.
- Purview policies: Configure Purview policies using the Microsoft Entra app ID to enable agent communications data to flow into Purview. For more information, see Configure Microsoft Purview.
Resources
- Nuget: Microsoft.Agents.AI.Purview
- Github: Microsoft.Agents.AI.Purview
- Sample: AgentWithPurview