Forum Discussion
Microsoft Purview DLP block all / allow some?
I am configuring Microsoft DLP to protect sensitive information from being uploaded to the internet by any medium, such as a browser, 3rd-party apps, or exfiltration by malware. When I configured the policy, under the Service domain and browser activities tab, I can see that there is no way of blocking by default. It means that I first need to define apps in "restricted apps and app groups" of the DLP settings and have to define a list of browsers under "Browser and domain restrictions to sensitive data".
1. Is there a way that I can block all browsers (without entering them into an unallowed list) in the policy and allow some?
2. Is there a way that I can block all apps from accessing my sensitive information and allow only OneDrive, let's say? If I add a list of apps in restrictions, someone can make a custom app and upload files into it, and my policy will be bypassed since that app will not be part of the restricted apps list.
Please advise on both.
4 Replies
- Melvin_Maldonado03 (Copper Contributor)
I'm currently implementing Microsoft Purview and have run into the same issue mentioned here. I realize this thread is a bit dated, but I wanted to ask if you were able to find a solution.
In the latest update to the Purview documentation, I noticed that it's now possible to define a list of allowed and blocked applications for endpoint DLP policies. I’ve tried applying the recommended policy settings, but so far, it hasn’t worked as expected.
Has this security gap been addressed in any recent updates? I’d appreciate any insights or workarounds you might have found. You can find more details in the official documentation here: Configure endpoint DLP settings: https://learn.microsoft.com/es-es/purview/dlp-configure-endpoint-settings?tabs=purview#block-all-apps-except-for-a-list-of-allowed-apps
- Jaewon1830 (Copper Contributor)
Recently updated to "Block all apps except for a list of allowed apps" but it is not working.
- miller34mike (Iron Contributor)
Just following up to see if my previous response helped with your issues/concerns?
- miller34mike (Iron Contributor)
Hello securityxpert1122,
Thank you for posting your questions, hopefully I can help!
1) You can configure a list of blocked browsers, yes. By default, Microsoft Edge is not blocked from handling sensitive data. Additionally, there is a Microsoft Purview extension for Chrome and Firefox that, if installed, will allow those browsers to handle sensitive information, even if they're on the blocked list.
2) Unfortunately, you cannot configure the restricted apps to be a singular "allow". You can minimize your application footprint by ensuring users do not have administrator privileges on their managed endpoints, or, if that is too restrictive, there is now an Intune Premium feature to configure Endpoint Privilege Management, as well as LAPS now being available for Windows 11 through Azure.
You can configure sensitive service domains to be an "allow" list and set it to only allow uploads to your SharePoint and OneDrive locations. Example below:
- SharePoint: companyname.sharepoint.com
- OneDrive: companyname-my.sharepoint.com
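As an added example that is not part of this thread and not Purview's own data model or matching logic, the following is a simplified model of why an "allow" list of service domains closes the gap raised in question 2 (an unlisted custom app or domain), while a block list does not; the domains and URLs are constructed, and subdomain matching is an assumption of the model.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DomainPolicy:
    """Simplified service-domain policy (constructed for this example)."""
    mode: str                                   # "block_list" or "allow_list"
    domains: frozenset = field(default_factory=frozenset)


def _host(url: str) -> str:
    # Normalise the upload target: lower-case host, no port, no trailing dot.
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def domain_matches(host: str, domain: str) -> bool:
    # Assumption: a listed domain also covers its subdomains, but nothing else.
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def upload_allowed(url: str, policy: DomainPolicy) -> bool:
    """Return True if an upload to `url` would be permitted under `policy`."""
    listed = any(domain_matches(_host(url), d) for d in policy.domains)
    if policy.mode == "block_list":
        return not listed          # anything not explicitly listed gets through
    if policy.mode == "allow_list":
        return listed              # anything not explicitly listed is denied
    raise ValueError(f"unknown policy mode {policy.mode!r}")


# Weak setting: a block list naming known services only.
BLOCK_LIST = DomainPolicy("block_list", frozenset({"filedrop.example"}))
# Corrected setting: an allow list naming only the tenant's SharePoint/OneDrive.
ALLOW_LIST = DomainPolicy("allow_list", frozenset({
    "companyname.sharepoint.com",
    "companyname-my.sharepoint.com",
}))


def bypass_demo(custom_app_url: str = "https://custom-app.example/upload") -> dict:
    """Show the same unlisted destination under both policy modes."""
    return {
        "block_list": upload_allowed(custom_app_url, BLOCK_LIST),
        "allow_list": upload_allowed(custom_app_url, ALLOW_LIST),
    }
```

Under the block list the unlisted custom app is allowed, which is the bypass the question describes; under the allow list the same destination is denied while the tenant's OneDrive still works.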