Microsoft Mechanics Blog

Microsoft Purview: New data security controls for the browser & network

Zachary-Cavanell
Apr 16, 2025

Protect your organization’s data with Microsoft Purview. Gain complete visibility into potential data leaks, from AI applications to unmanaged cloud services, and take immediate action to prevent unwanted data sharing. Microsoft Purview unifies data security controls across Microsoft 365 apps, the Edge browser, Windows and macOS endpoints, and even network communications over HTTPS — all in one place.

Take control of your data security with automated risk insights, real-time policy enforcement, and seamless management across apps and devices. Strengthen compliance, block unauthorized transfers, and streamline policy creation to stay ahead of evolving threats. Roberto Yglesias, Microsoft Purview Principal GPM, goes beyond Data Loss Prevention 

Keep sensitive data secure no matter where it lives or travels. 

Microsoft Purview DLP unifies controls across Microsoft 365, browsers, endpoints, and networks. See how it works.

Know your data risks. 

Data Security Posture Management (DSPM) in Microsoft Purview delivers a 360° view of sensitive data at risk, helping you proactively prevent data leaks and strengthen security. Get started.

One-click policy management. 

Unify data protection across endpoints, browsers, and networks. See how to set up and scale data security with Microsoft Purview.

Watch our video here.

QUICK LINKS:

00:00 — Data Loss Prevention in Microsoft Purview 

01:33 — Assess DLP Policies with DSPM 

03:10 — DLP across apps and endpoints 

04:13 — Unmanaged cloud apps in Edge browser 

04:39 — Block file transfers across endpoints 

05:27 — Network capabilities 

06:41 — Updates for policy creation 

08:58 — New options 

09:36 — Wrap up

Link References

Get started at https://aka.ms/PurviewDLPUpdates

Unfamiliar with Microsoft Mechanics?

As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Video Transcript:

-As more and more people use lesser known and untrusted shadow AI applications and file sharing services at work, the controls to proactively protect your sensitive data need to evolve too. And this is where Data Loss Prevention, or DLP, in Microsoft Purview unifies the controls to protect your data in one place. And if you haven’t looked at this solution in a while, the scope of protection has expanded to ensure that your sensitive data stays protected no matter where it goes or how it’s consumed with controls that extend beyond what you’ve seen across Microsoft 365. Now adding browser-level protections that apply to unmanaged and non-Microsoft cloud apps when sensitive information is shared. 

-For your managed endpoints, today file system operations are also protected on Windows and macOS. And now we are expanding detection to the network layer. Meaning that as sensitive information is shared into apps and gets transmitted over web protocols, as an admin, you have visibility over those activities putting your information at risk, so you can take appropriate action. Also, Microsoft Purview data classification and policy management engines share the same classification service. Meaning that you can define the sensitive information you care about once, and we will proactively detect it even before you create any policies, which helps you streamline creating policies to protect that information. 

-That said, as you look to evolve your protections, where do you even start? Well, to make it easier to prioritize your efforts, Data Security Posture Management, or DSPM, provides a 360 degree view of data potentially at risk and in need of protection, such as potential data exfiltration activities that could lead to data loss, along with unprotected sensitive assets across data sources. Here at the top of the screen, you can see recommendations. I’ll act on this one to detect sensitive data leaks to unmanaged apps using something new called a Collection Policy. More on how you can configure this policy a bit later. 

-With the policy activated, new insights will take up to a day to reflect on our dashboard, so we’ll fast forward in time a little, and now you can see a new content category at the top of the chart for sensitive content shared with unmanaged cloud apps. Then back to the top, you can see the tile on the right has another recommendation to prevent users from performing cumulative exfiltration activities. And when I click it, I can enable multiple policies for both Insider Risk Management and Data Loss Prevention, all in one click. So DSPM makes it easier to continually assess and expand the protection of your DLP policies. And there’s even a dedicated view of AI app-related risks with DSPM for AI, which provides visibility into how people in your organization are using AI apps and potentially putting your data at risk. 

-Next, let me show you DLP in action across different apps and endpoints, along with the new browser and network capabilities. I’ll demonstrate the user experience for managed devices and Microsoft 365 apps when the right controls are in place. Here I have a letter of intent detailing an upcoming business acquisition. Notice it isn’t labeled. I’ll open up Outlook, and I’ll search for and attach the file we just saw. Due to the sensitivity of the information detected in the document, it’s fired up a policy tip warning me that I’m out of compliance with my company policy. Undeterred, I’ll type a quick message and hit send. And my attempt to override the warning is blocked. 

-Next, I’ll try something else. I’ll go back to Word and copy the text into the body of my email, and you’ll see the same policy tip. And, again, I’m blocked when I still try to send that email. These protections also extend to Teams chat, Word, Excel, PowerPoint and more. Next, let me show you how protections even extend to unmanaged cloud apps running in the Edge browser. For example, if you want to use a generative AI website like you’re seeing here with DeepSeek, even if I manually type in content that matches my Data Loss Prevention policy, you’ll see that when I hit submit, our Microsoft Purview policy blocks the transmission of this content. This is different from endpoint DLP, which can protect file system operations like copy and paste. These Edge browser policies complement existing endpoint DLP protections in Windows and macOS. 

-For example, here I have the same file with sensitive information that we saw before. My company uses Microsoft Teams, but a few of our suppliers use Slack, so I’ll try to upload my sensitive doc into Slack, and we see a notification that my action is blocked. And since these protections are on the file and run in the file system itself, this would work for any app. That said, let’s try another operation by copying the sensitive document to my removable USB drive. And here I’m also blocked. So we’ve seen how DLP protections extend to Microsoft 365 apps, managed browsers, and file systems. 

-Additionally, new protections can extend to network communication protocols when sharing information with local apps running against web services over HTTPS. In fact, here I have a local install of the ChatGPT app running. As you see, this is not in a browser. In this case, if I unintentionally add sensitive information to my prompt, when it passes the information over the network to call the ChatGPT APIs, Purview will be able to detect it. Let’s take a look. If I move over to DSPM for AI in Microsoft Purview, as an admin, I have visibility into the latest activity related to AI interactions. If I select an activity which found sensitive data shared, it displays the user and app details, and I can even click into the interaction details to see exactly what was shared in the prompt as well as what specifically was detected as sensitive information on it. This will help me decide the actions we need to take. Additionally, the ability to block sharing over network protocols is coming later this year. 

-Now, let’s switch gears to the latest updates for policy creation. I showed earlier setting up the new collection policy in one click from DSPM. Let me show you how we would configure the policy in detail. In Microsoft Purview, you can set this up in Data Loss Prevention under Classifiers on the new Collection Policies page. These policies enable you to tailor the discovery of data and activities from the browser, network, and devices. You can see that I already have a few created here, and I’ll go ahead and create a new one right from here. 

-Next, for what data to detect, I can choose the right classifiers. I have the option to scope these down to include specific classifiers, or include all except for the ones that I want to exclude. I’ll just keep them all. For activities to detect, I can choose the activities I want. In this case, I’ll select text and files shared with a cloud or AI app. Now, I’ll hit add. And next I can choose where to collect the data from. This includes connected data sources, like devices, Copilot experiences, or Enterprise AI apps. The unmanaged cloud apps tab uses the Microsoft Defender for Cloud Apps catalog to help me target the applications I want in scope. 

-In this case, I’ll go ahead and select all the first six on this page. For each of these applications, I can scope which users this policy applies to as a group or separately. I’ll scope them all together for simplicity. Here I have the option to include or exclude users or groups from the policy. In this case, I’ll keep all selected and save it. Next, I have the option of choosing whether I want AI prompt and responses that are detected to be captured and preserved in Purview. This enabled the experience we saw earlier of viewing the full interaction. 

-Finally, in mode, you can turn the policy on. Or if you leave it off, this will save it so that you can enable it later. Once I have everything configured, I just need to review and create my policy, and that’s it. In addition, as you create DLP policies, you’ll notice new corresponding options. Let me show you the main one. For each policy, you’ll now be asked what type of data you want to protect. First is data stored in connected sources. This includes Microsoft 365 and endpoint policies, which you’re likely already using now. The new option is data in browser and network activity. This protects data in real-time as it’s being used in the browser or transmitted over the network. From there, configuring everything else in the policy should feel familiar with other policies you’ve already defined. 

-To learn more and get started with how you can extend your DLP protections, check out aka.ms/PurviewDLPUpdates. Keep checking back to Microsoft Mechanics for all the latest updates and thanks for watching.

 
