Microsoft Security Community Blog
Prevent data loss across your ever-expanding data estate with Microsoft Purview Data Loss Prevention

Vivian_Ma
Mar 24, 2025

Today, we are happy to announce over 25 new capabilities in Purview DLP that help expand visibility & protection beyond Microsoft 365, simplify the day-to-day admin experience, and enhance existing protections.

Organizations today grapple with securing data across the various devices, platforms, and data sources that comprise their modern ecosystem. This challenge has become even more daunting as unsanctioned and unsupervised generative AI becomes more ubiquitous in the workplace, presenting a new frontier for sensitive data loss. In response, many teams have found themselves with fragmented solutions and processes that don’t enable data loss prevention at scale, and even cause an increased rate of data security incidents.  

Microsoft Purview Data Loss Prevention (DLP) offers today’s organizations a unified approach to securing data across their ever-evolving data estates. Purview DLP not only is built into the Microsoft 365 apps and desktop devices that you rely on every day, but also extends to the expanding range of data types and locations found across your environment – for example, .java files as developers write or edit source code, or .txt files as information workers take notes. Today, we are happy to announce over 25 new capabilities in Purview DLP as part of our continued commitment to helping organizations protect their business-critical data. In particular, we are investing in new ways to: 

  • Expand visibility & protection beyond Microsoft 365, such as inline discovery of sensitive data across the network, inline protection of sensitive data accessed in Microsoft Edge for Business, and new label-based protections for non-Microsoft file types.
  • Simplify experiences for admins with policy sync dashboards and collection policies for more streamlined signal collection and classification.
  • Enhance existing protections with expanded advanced classification support and DLP coverage for all files in SharePoint & OneDrive, including previously unclassified files. This is enabled through the new on-demand classification capability.

Let’s dive in.

Expanded visibility & protection beyond Microsoft 365: Introducing new network & browser controls

In the era of AI and remote work, organizations need to address data loss risks holistically across their environment – especially where sensitive data could leave the trusted boundaries of the organization to untrusted, 3rd party locations. This is why we are excited to introduce three momentous improvements to Purview DLP:

  • Inline data discovery for the network, in public preview early May: Purview DLP now integrates with secure access service edge (SASE) solutions to provide admins greater visibility over sensitive data that is being sent outside of the organization from company devices. This can include sensitive data uploaded to personal cloud repositories or sent to 3rd party AI services from a desktop application.
  • Inline data protection in Edge for Business, in public preview early April: With information workers spending more time working in the browser than ever before [1], it’s critical that organizations secure sensitive data that could be sent to untrusted locations from the browser. These potentially risky interactions include typed submissions to unmanaged SaaS apps like Slack or consumer GenAI apps like Google Gemini and DeepSeek. Our inline DLP controls are built natively into Edge for Business, meaning they can be enabled even without endpoint DLP deployed, and complement the existing endpoint DLP protections for uploading or pasting sensitive content to the browser.
  • Data security controls for unmanaged Windows & macOS devices accessing Edge for Business, in public preview late April: These built-in controls help admins enforce guardrails for what users can do with sensitive data in organization-managed apps like Salesforce or Workday when they're accessed from Edge for Business on an unmanaged or personal computer. This prevents sensitive organizational data from being exfiltrated to unmanaged devices. 

To learn more about these new capabilities, visit our detailed blog.

Beyond the extension of Purview DLP controls for the browser and to the network layer, we are also investing in deeper protections for file types beyond Office 365 or PDF. Given the variety of different data types and applications that users interact with every day, it’s imperative that any sensitive file be protected as it’s used, modified, or moved – regardless of the type of file that it is. Developers handle proprietary code daily, requiring protection for .java or .js files. Designers work with early branding concepts in Adobe Photoshop, requiring protection for .psd files. Engineers work with intellectual property in AutoCAD, requiring protection for .dwg files. The list goes on. 

With new sensitivity label-based protections (in public preview), employees can securely work on non-Microsoft file types such as Java, Adobe Creative Cloud, and AutoCAD that will stay protected even if they leave the device. 

Figure 1: Admins can enable advanced label-based protections in their endpoint DLP settings.

By enabling these advanced label-based protections in your endpoint DLP settings, users will be able to apply sensitivity labels with access control settings to any file, including file types beyond Office 365 or PDF. While these files remain on the end user’s endpoint device, they are treated as if they were unencrypted, so the user does not need to manually decrypt and re-encrypt the file every time they work with it. This helps minimize any impact on their productivity.

If the user decides to move or share this file, endpoint DLP will automatically encrypt the file upon egress from the device. This ensures that the intended protection stays with the file, wherever it lives or travels. This capability is now rolling out in public preview.

Lastly, our investment into protection parity across platforms continues with improvements for macOS devices: 

  • First, we are excited to announce that Purview endpoint DLP can now be deployed to macOS devices independent of any device management solution. Deploying endpoint DLP across macOS devices no longer requires these devices to be managed by Microsoft Intune or Jamf. With this update, endpoint DLP can be enabled as long as users log in successfully through an Entra ID account to a Microsoft application, or through the Microsoft Enterprise SSO plugin for Apple devices.
  • Second, we are happy to share that the following endpoint DLP capabilities are now available in public preview on macOS devices in addition to Windows:

Simplified experiences for DLP admins

In a survey of 600 data security decision makers, “protecting sensitive data across multiple data sources, repositories, and workloads” emerged as the #1 concern related to data loss prevention [2]. To help our customers scale their DLP operations across an expanding data estate, we are continuing to invest in simplified and centralized admin experiences. 

Historically, Microsoft Purview has been designed to discover and classify data by default using all sensitive information types (SITs) and user activities across all connected data sources – this approach enables us to provide insights into the top data risks in your organization before policies are ever created. 

In the coming weeks, we are introducing a flexible alternative to this default configuration for data-in-transit scenarios. This will enable admins to more granularly define the baseline signals and information collected from each data source, starting with endpoint devices and inline discovery for the network and Edge for Business. Unlike traditional DLP policies, this new configuration is designed to streamline discovery of relevant information, rather than apply enforcement on that information. This benefits DLP admins by: 

  • Making it easier to pinpoint relevant data events in Purview Data Security Posture Management (DSPM) and Activity Explorer, and reducing noise from SITs or user activities that are not relevant to your organization
  • Enabling compliance with regional regulations that restrict collection of certain data types
  • Reducing CPU & memory consumption from signal collection on endpoint devices
  • Creating a baseline configuration of SITs & user activities for existing & future DLP policies

Figure 2: Classifiers that are relevant to your organization can be scoped via "collection policies" under the Classifiers tab.

From the new collection policies workflow, admins can define the classifiers that are relevant to their organization. Alternatively, admins can exclude classifiers that are irrelevant to their organization or scenario.

Figure 3: Admins can also scope just the user activities that are relevant to their organization.

Similarly, admins can also define the types of user activities they would like to detect from each data source. These new configuration options are available to all Purview DLP customers based on the workloads for which they are licensed.

Next, we’ll cover several new improvements to Purview DLP that equip DLP admins with the key insights they need, faster: 

  • Policy sync dashboards, now in public preview for cloud workloads: Starting today, admins have visibility into the status of deployed policies or policy changes directly from the DLP Overview and Policies pages. The dashboard indicates whether these policy changes have reached their target locations and identifies any sync errors. This dashboard currently supports SharePoint, Exchange, Teams, and OneDrive policies.

Figure 4: New policy sync dashboards help admins understand the status of deployed policies.

  • Device-based policy scoping, now in public preview: Admins can now scope DLP policies to specific devices or Entra device groups under Locations in the policy workflow. This enables them to tailor protections to certain devices, such as those used by vendors or contractors, or devices that are based in the same physical office.

Figure 5: DLP policies can now be scoped to include or exclude specific devices or device groups.

  • Administrative unit scoping for SharePoint Online policies: Admins can now also scope DLP policies for SharePoint Online based on Entra-defined administrative units. This helps ensure that potential data loss risks in SharePoint Online are visible to & addressed by the proper personnel. For example, admin unit scoping enables DLP alerts originating from a Highly Confidential site for the Finance team to be investigated only by a specific group of incident handlers.
  • Save & reuse filters in Activity Explorer, now in public preview: We are also making it easier for admins to identify relevant data events and streamline investigation with the ability to save and reuse filters in Activity Explorer.
  • New filter for DLP alerts based on label, now in public preview: Admins can also drill down into DLP alerts generated from a specified sensitivity label, such as “Highly Confidential” or “Internal Only” for better ease-of-use.
  • Evidence summaries for all supported file types in endpoint DLP, now in public preview: By providing admins contextual evidence, they can better understand which classifier(s) – including those detected through advanced methods like Exact Data Match – triggered the policy match. This capability extends to all supported file types on Windows & macOS devices.
  • Security Copilot-powered alert summarization, now in public preview for DLP alerts in Microsoft Defender XDR: Security Copilot already provides the ability to summarize DLP alerts in the Purview portal. This skill now extends to Purview DLP alerts that are managed through the Defender XDR Incidents queue in the Defender portal.
  • Security Copilot skills in Purview DLP, now generally available: Three Security Copilot skills – DLP policy insights, enhanced hunting & investigation prompts, and Activity Explorer prompts – are now generally available for all Purview DLP customers with Security Compute Units. These skills help admins easily understand the full breadth of their existing DLP policy coverage, and streamline investigation of potential data loss incidents.

Enhanced protections across data sources and end users

While we have invested significantly in broadening our coverage across different workloads, file types, and platforms, we also know that our customers need depth and flexibility of controls. Not only that, but these controls must optimize for the experience of end users. By continuing to strengthen our foundational capabilities, we enable admins to expand their DLP programs with confidence in existing protections. In that spirit, we are happy to share the following four key enhancements to Purview DLP:

  • Critical to our commitment to customers is the ability to classify and protect all files containing sensitive content, even if they have been sitting dormant for some time. With on-demand classification, in public preview, admins can now detect and classify all files containing sensitive data in a specific SharePoint or OneDrive location. This can include documents that were never previously scanned by Purview, or that have not been updated with the latest set of classifiers. If the newly-classified documents match any SITs defined in an existing DLP policy, the policy will immediately take effect on that file. This helps ensure that previously unprotected files can be "grandfathered" into the proper DLP policies. Learn more in the Information Protection blog.
  • Next, we are providing admins with the ability to tailor restrictions to network share and URL groups based on the IP address or IP range from which they’re accessed. This can be particularly helpful for organizations that track intranet sites using IP addresses and want to limit or allow access to data within those locations. This capability is now in public preview.
  • Last year, we announced that Purview endpoint DLP would support a significantly expanded range of file types. Today, we are continuing this momentum by announcing that advanced classification methods such as Exact Data Match and Named Entities will now support this expanded list of file types on Windows devices (in public preview).
  • We are also expanding opportunities for user education when employees trigger a DLP policy tip. Policy tips delivered on Windows endpoint devices will now support custom hyperlinks (public preview). These hyperlinks can help direct users to organizational policies or security best practices when they perform an action that violates an existing endpoint DLP policy.

Licensing details

Microsoft 365 E3 subscriptions and above

Microsoft 365 E5, E5 Compliance, and E5 Information Protection & Governance

  • Policy sync dashboards
  • Save & reuse filters in Activity Explorer
  • Rename DLP policies
  • DLP Alerts filter: Label
  • Admin unit support for SharePoint Online policies
  • Security Copilot-powered DLP policy insights (requires Security Copilot Units) 
  • Advanced label-based protections for non-M365 file types
  • All endpoint DLP capabilities for macOS
  • Evidence summaries for all supported file types in endpoint DLP (Windows & macOS)
  • Device-based policy scoping
  • Network share & URL group restrictions based on IP address/IP range
  • Advanced classification for all supported file types in endpoint DLP (Windows)
  • Hyperlink support in endpoint DLP policy tips (Windows) 

Get started

Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Hear from Microsoft leaders online at Microsoft Secure on April 9.

You can try Microsoft Purview DLP and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial. Already have a Windows 10 and 11 device? You can get started easily by turning on endpoint DLP, which is built into your device and does not require an agent or on-premises component.

Additional resources

[1] Internal Windows telemetry

[2] Internal Microsoft research

Updated Mar 24, 2025
Version 3.0