Securing the use of AI may be a daunting charter for many security teams, but it is a clear and present need in the modern workplace: 40% of organizations report that their AI apps have already been breached or compromised in a data security incident [1]. As AI technology drives data generation in unprecedented volumes, the need to secure organizational data and prevent loss of sensitive information becomes even more crucial. We believe that a scalable and proactive data security strategy for AI starts with a strong DLP foundation.
That's why we continue to invest in data loss prevention that adapts and scales to the contemporary challenges faced by data security teams. Today, Microsoft Purview Data Loss Prevention is announcing several new capabilities that extend DLP protections to new surfaces such as Microsoft 365 Copilot, unlock insights and investigation abilities for DLP admins by leveraging AI, and fortify core data loss prevention controls & coverage:
- Extended protection: New capabilities that extend our best-of-breed data protection across your modern data ecosystem, including the introduction of DLP controls for Microsoft 365 Copilot and enhancements to endpoint DLP controls on macOS.
- Strengthened protection: Capabilities that strengthen core data protections on endpoint devices, including expanding file type coverage for endpoint DLP and new blanket protections for non-scannable file types.
- Streamlined investigation & insights: Capabilities designed to simplify the admin experience as you investigate DLP incidents and look to address gaps in protection, such as new Security Copilot skills in Purview and the new Power Automate connector.
Introducing Microsoft Purview Data Loss Prevention for Microsoft 365 Copilot
Data oversharing and leakage are top of mind for organizations adopting generative AI technologies, including Microsoft 365 Copilot – 80% of business leaders cite data leakage by employees using AI as their top concern regarding generative AI adoption [2]. Today, we are excited to announce Microsoft Purview DLP for Microsoft 365 Copilot in public preview to help reduce the risk of AI-related oversharing at scale.
Figure 1: Admins can prevent Microsoft 365 Copilot from processing files with a specified sensitivity label as a DLP policy action.

With DLP for M365 Copilot, data security admins can now create DLP policies to exclude documents with specified sensitivity labels from being summarized or used in responses in M365 Copilot Business Chat. This capability, which currently works with Office files and PDFs in SharePoint, helps ensure that potentially sensitive content within a labeled document is neither readily available for users to copy and paste into other applications nor processed by M365 Copilot as grounding data. An example of such content is a confidential legal document with highly specific semantics that could lead to improper guidance if summarized by AI or modified by end users. This can also apply to "Internal only" documents containing data that shouldn't be copied and pasted into emails sent outside of the organization.
This capability can be configured for a specific sensitivity label at a file, group, site, and/or user level, giving you the flexibility to scope the policy based on the needs of your organization. For example, if you have users who are privy to a Merger and Acquisition (M&A) and scoped into an M&A group, you can design your DLP for M365 Copilot policy to prevent Copilot from summarizing M&A-labeled documents for everyone except those in the M&A group.
Figure 2: Admins can scope the DLP for M365 Copilot policy to specific users or user groups.

As a reminder, M365 Copilot already has the ability to honor Microsoft Purview Information Protection sensitivity label access settings such as item-level view and extract restrictions when referencing sensitive documents. With this new DLP capability, admins can more easily exclude sensitive content from being used by M365 Copilot for all items with the specified sensitivity label.
Read more about new capabilities in Microsoft Purview that support secure generative AI adoption here, and learn more about how Data Security Posture Management (DSPM) for AI, previously known as AI hub, is providing data security admins with visibility into risky generative AI interactions in this blog.
Extending additional protections across the data estate
Last month, we also announced support for Microsoft Purview Data Loss Prevention for Fabric items. This capability allows you to apply Purview DLP policies to detect the upload of sensitive data, such as social security numbers, to a lakehouse in Fabric. If detected, the event is automatically audited. The policy can also alert the admin and even surface a custom policy tip to data owners so they can take action and remedy non-compliance with the policy.
Today, we are extending the restrict access action in Purview DLP policies to Fabric semantic models. With support for this restrict access action in Fabric, admins can configure policies that will automatically detect sensitive information in semantic models and limit access to internal users or data owners. This control is especially valuable when your tenant includes guest users, and you want to enforce proper restrictions to ensure these users do not accidentally access sensitive information like internal proprietary data.
Figure 3: Example of restricted access through DLP policy enforcement in Fabric semantic models.

Alongside the introduction of Purview DLP capabilities for M365 Copilot and Fabric, we are broadening our capabilities on macOS devices:
- Support for archive files, now in public preview: Detect when files are created and added to archives and apply restrictions to archive files when they contain sensitive information. This helps reduce the risk of exfiltration through concealment in archive files on macOS (.zip, .zipx, .rar, .7z, .tar, and .gz file formats).
- Just-in-time (JIT) protection, now in public preview: With just-in-time protection, admins can proactively secure files containing sensitive information – regardless of type – that may not have been interacted with for a long time by applying restrictions upon egress. JIT suspends the egress operation and performs an evaluation against organizational policies before resuming the operation. JIT can also be enforced for scenarios based on network location, such as printing files on personal versus corporate networks. This capability is also available on Windows devices.
- Support for web-based activities, now in public preview: These controls, already available on Windows, apply to printing, saving, and copying of web content on macOS.
Strengthening core data protections and posture
Though data protection controls for generative AI and the use of AI as a productivity driver for admins are top of mind for many security teams, we are also committed to strengthening the robustness and reliability of our foundational DLP capabilities. This fortifies protections for your existing data estate and builds the resilience of your data security program as AI-generated data proliferates. In this spirit, we are pleased to share several new improvements to Purview endpoint DLP controls, including:
- Extended file type coverage for endpoint DLP in public preview: We are greatly expanding the breadth of scannable file types (110+) and extraction limits for endpoint DLP on Windows devices. Not only does this broaden coverage across your environment, but it also helps ensure that files covered by DLP policies are protected in a consistent way across workloads. This improvement will begin rolling out to customers this month and continue worldwide in the coming weeks.
- Blanket protections for non-supported file types in public preview: Enforce blanket-level protections for file types that Purview endpoint DLP does not currently scan and classify, ensuring that the diverse range of file types found in your environment are still protected. For example, DLP admins can now prevent copying to USB for all CAD files, regardless of their contents.
- Pause and resume now generally available: This enhancement to endpoint DLP automatically resumes an initial task such as copying to USB or a network share when an end user overrides a policy tip. This helps minimize end user disruption and enables more seamless interaction with sensitive data without sacrificing security.
On top of strengthening the breadth & depth of Purview DLP controls, we are doubling down on ways to help admins continuously assess the efficacy and coverage of their DLP programs. Therefore, we are excited to announce the new DLP policy insights skill in Security Copilot in public preview.
Historically, the ability to quickly & easily understand the full breadth of DLP policy coverage across the organization has proved a challenging task for many DLP admins. In some organizations, admins have inherited or migrated hundreds, sometimes thousands, of DLP policies that were created in legacy DLP tools and pieced together for coverage. However, environment-wide visibility is critical to ensuring that there are no gaps in protection for business-critical workloads.
Figure 4: Example insights from the Security Copilot-powered policy insights skill.

The embedded Security Copilot-powered policy insights skill summarizes the intent, scope, and resulting matches of existing DLP policies in natural language. Some of the insights provided by the policy insights skill include DLP policies deployed for each workload (such as SharePoint or Exchange), the sensitive information types they are designed to detect, and the number of associated rule matches to those policies. This helps admins quickly identify and address gaps in protection.
Purview is also introducing a new platform feature that correlates insights from Purview DLP with insights from Microsoft Purview Information Protection and Microsoft Purview Insider Risk Management to provide data security admins with a more holistic, actionable view of their data security posture. Starting today, Microsoft Purview Data Security Posture Management (DSPM) is available in public preview in the Purview portal. DSPM offers unified visibility of data risks across your environment with prioritized recommendations for reducing those risks – this includes 1-click DLP policy recommendations designed to address top unresolved data loss risks. To learn more about DSPM in Purview, visit the blog.
Streamlining admin investigations & insights
Data security teams face an average of 66 alerts per day – up from 52 in 2023 – and only triage 63% of those daily alerts. Furthermore, organizations are experiencing an average of 156 data security incidents annually [3]. Quick triage, investigation, and remediation is key to mitigating downstream financial and infrastructural impact. However, the vast volume of alerts, data sources, and policies for those data sources can make it difficult for admins to prioritize data risks, investigate DLP incidents, and understand how to optimize their DLP program.
New enhancements to embedded Security Copilot experiences in Purview DLP
We are excited to announce two additional Security Copilot skills in public preview to assist admins with the challenges they face: enhanced hunting & investigation prompts and Activity Explorer prompts for targeted navigation and queries. These capabilities augment the embedded & standalone Security Copilot-powered alert summarization experiences that are already available in Purview DLP:
- New enhanced hunting prompts let you drill down a step further from Security Copilot-generated alert summaries to gain further context surrounding the data and users behind an incident. Such detail could include the activity performed on the data and the sensitive information type (SIT) detected that resulted in the alert.
- New Activity Explorer prompts assist admins as they navigate and dive deeper into Activity Explorer insights. For example, pre-built prompts can provide admins with a bird's-eye view of the top activities detected in their environment over the past week, such as DLP rule matches or sensitive data used in M365 Copilot interactions. Conversely, admins can prompt Security Copilot to apply the correct investigation filters to Activity Explorer to pinpoint the specific activities or data they want to focus on.
Improved support for data security forensic investigations
Starting today, the ability to store copies of full files that resulted in a DLP policy match on Windows endpoints is now in public preview worldwide. Customers have the option to store this file evidence in Microsoft-managed storage, or link Azure blob storage to their Purview tenant. With the Microsoft-managed option, admins can save time otherwise spent configuring additional settings, assigning permissions, and selecting the storage in the policy workflow. However, both storage options are available to customers based on the needs of their organizations. Learn more here.
Customizing DLP processes & investigations with Power Automate and in Defender XDR
We are also investing in ways to customize Purview DLP to the needs and established processes of your organization. Today, we are announcing the availability of the Power Automate connector in public preview, which enables admins to trigger Power Automate workflows as a DLP policy action.
Figure 5: Configure a custom Power Automate workflow as a DLP policy action.

This integration unlocks automation and customization options for DLP admins, who can now fold DLP incidents into new or established IT, security, and business operations workflows, such as for stakeholder awareness and remediation. Examples include email notifications to managers of policy violations made by their employees or automatically deleting or moving files in SharePoint that are frequently overshared.
To make it easier for customers to get started, the integration will include a pre-built Power Automate template to notify managers in Outlook when policy rules are triggered by their employees. However, you can also start building unique Power Automate workflows, such as creating a ticket in your organization’s IT service management tool of choice when DLP policy conditions are met.
Enhanced filtering options for DLP alerts in Defender XDR
For teams that prefer to centralize their data security incident investigations in Microsoft Defender XDR, we are announcing additional rich filter options for Purview DLP alerts in public preview. In the Defender XDR Incidents view, you can now streamline alert triage and investigation even further with the ability to apply a specific DLP policy, DLP rule, or DLP workload as a filter. This helps admins better understand the data activities and sources that trigger the most alerts and ultimately drive the most downstream impact and risk.
Figure 6: Example of filtering DLP alerts in Defender XDR by policy & policy rule.

Get started
You can try Microsoft Purview DLP and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial! Already have a Windows 10 or 11 device? You can get started easily by turning on endpoint DLP, which is built into your device and does not require an agent or on-premises component. Interested in how Microsoft 365 Copilot can transform the way you work? Contact your Microsoft representative to learn how you can add M365 Copilot to your existing subscription.
Additional resources
- DLP whitepaper on moving from on-premises to cloud native DLP.
- Mechanics video on how to create one DLP policy that works across your workloads.
- Updated interactive guides on DLP policy configuration, management, and investigations.
- Frequently asked questions on DLP for endpoints.
- Investigating Microsoft Purview DLP alerts in the Microsoft Defender XDR portal.
- Customer stories to learn why leading enterprises rely on Microsoft Purview DLP.
And, lastly, join the Microsoft Purview DLP Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Data Loss Prevention. An active NDA is required. Click here to join.
We look forward to your feedback.
Thank you,
The Microsoft Purview Data Loss Prevention Team
[1, 3] 2024 Data Security Index Report | Microsoft Security
[2] Data security market research, n = 638, commissioned by Microsoft
Updated Nov 18, 2024
Version 1.0
Vivian_Ma, Microsoft
Microsoft Security Blog