9.2 Privacy Principles and Microsoft Priva

Key Takeaways

  • Microsoft's approach to privacy rests on six principles: control, transparency, security, strong legal protections, no content-based targeting, and benefits to you.
  • Microsoft Priva is the privacy product family: Priva Privacy Risk Management detects risks like data hoarding, oversharing, and transfers; Priva Subject Rights Requests automates DSR fulfillment.
  • No content-based targeting means Microsoft does not use your email, chat, or files to target advertising.
  • On SC-900, map explicit privacy/personal-data language to Priva — not Defender (security) or Compliance Manager (general posture).
Last updated: June 2026

Microsoft's Six Privacy Principles

SC-900 expects you to know that Microsoft's approach to privacy is built on six foundational principles. These describe how Microsoft handles the data you entrust to its cloud:

| Principle | What it means |
|---|---|
| Control | Microsoft puts you in control of your privacy with easy-to-use tools and clear choices. |
| Transparency | Microsoft is transparent about data collection and use so you can make informed decisions. |
| Security | Microsoft protects the data you entrust to it through strong security and encryption. |
| Strong legal protections | Microsoft respects local privacy laws and defends privacy as a fundamental human right. |
| No content-based targeting | Microsoft does not use your email, chat, files, or other personal content to target ads. |
| Benefits to you | When Microsoft collects data, it uses it to benefit you and improve your experiences. |

A frequent exam item asks which option is not one of the six (distractors like "data minimization," "consent," "accountability," or "anonymization" sound plausible but are not on the list). Memorize the six exact terms. The principle most often tested in isolation is no content-based targeting — Microsoft will not mine your Exchange, Teams, or OneDrive content to sell ads. A close second is strong legal protections, where Microsoft commits to challenging government data requests and treating privacy as a fundamental human right.

Privacy is distinct from security and from general compliance, and SC-900 leans on that distinction:

| Discipline | Core question | Example Microsoft tool |
|---|---|---|
| Security | Are systems, identities, and data protected from attack and unauthorized access? | Microsoft Defender, Sentinel |
| Compliance | Can we demonstrate we meet our obligations? | Compliance Manager |
| Privacy | Is personal data handled responsibly, honoring individuals' rights? | Microsoft Priva |

Security protects systems and data from unauthorized access; compliance demonstrates you meet obligations and can prove it; privacy governs the responsible handling of personal data and the rights of the people that data describes. The three overlap — a privacy breach is often also a security incident with compliance consequences — but the exam wants you to pick the privacy-specific product when the stated goal is personal-data handling or individual rights, even though security and compliance products appear in the same answer set.

Microsoft Priva

Microsoft Priva is the product family that operationalizes privacy inside the Microsoft Purview/Priva ecosystem. It helps organizations proactively identify and protect against privacy risks and respond to data-subject requests. The two capabilities SC-900 most often references are:

Priva Privacy Risk Management

Scans the data estate to detect privacy risks and helps remediate them. The three risk patterns called out by Microsoft are:

  • Data overexposure / oversharing — personal data shared more broadly than it should be.
  • Data hoarding — personal data kept longer than necessary, with no business need.
  • Data transfers — personal data moving across departmental or geographic boundaries in risky ways.

Priva can establish policies that detect these conditions, then notify users directly with recommended actions (for example, a guided email nudging an employee to remove oversharing) so remediation scales without manual investigation of every file.

Priva Subject Rights Requests (SRR)

Manages data subject requests (DSRs / subject rights requests) at scale — the requests individuals make under laws like GDPR or CCPA to access, correct, or delete their personal data. Priva SRR provides automated data discovery, conflict detection, and file review and redaction, plus collaboration workflows, so privacy teams fulfill requests faster and more confidently than searching mailboxes and sites by hand. (The broader Priva suite also includes capabilities such as Consent Management, Privacy Assessments, and Tracker Scanning, but Risk Management and Subject Rights Requests are the SC-900 anchors.)

Selection cues

| Scenario language | Best answer | Why |
|---|---|---|
| "Detect data oversharing / hoarding / risky transfers of personal data" | Priva Privacy Risk Management | Privacy risk detection and remediation |
| "Respond to GDPR data-subject access/deletion requests at scale" | Priva Subject Rights Requests | Automates DSR discovery, review, redaction |
| "We don't want our email content used for advertising" | No content-based targeting (privacy principle) | A stated Microsoft commitment, not a product |
| "Detect malware on a laptop" | Microsoft Defender for Endpoint | Security, not privacy |
| "Track our compliance score and improvement actions" | Compliance Manager | General posture, not privacy-specific |

Common trap: Priva looks like "just compliance," so test-takers pick Compliance Manager. If the goal is explicitly about personal-data privacy risk or subject rights requests, choose Priva; Compliance Manager is for broad regulatory posture and scoring, not the day-to-day privacy operations Priva automates.

Worked privacy scenario

A privacy officer reports that employees keep copying customer records containing personal data into a shared site accessible company-wide, and that the volume of GDPR access requests is overwhelming the team. Two needs, two Priva capabilities:

  1. Personal data shared too broadly: Priva Privacy Risk Management creates a policy that detects the oversharing and nudges users to fix it.
  2. GDPR access requests piling up: Priva Subject Rights Requests automates the discovery, review, and redaction needed to fulfill each request.

Notice that neither answer is a Defender product (no threat is being detected), an Entra control (no identity decision), or the Service Trust Portal (no Microsoft audit document is needed). The goal is responsible handling of personal data and the rights of the people it describes — that is the Priva lane.

Why not Compliance Manager? Compliance Manager helps assess and document GDPR posture overall and earn a score, but it does not operationally discover oversharing or process individual subject requests. When the scenario describes the hands-on privacy operation rather than the assessment-and-scoring view, Priva is the precise answer.

Test Your Knowledge

Which of the following is NOT one of Microsoft's six privacy principles?

Test Your Knowledge

An organization must respond to a flood of GDPR requests from individuals wanting access to their personal data. Which capability automates discovering, reviewing, and redacting that data?

Test Your Knowledge

Which Microsoft Priva capability detects privacy risks such as data hoarding and oversharing and can notify users to remediate them?
