Forum Discussion
Microsoft Purview DLP block all / allow some?
Hello securityxpert1122,
Thank you for posting your questions, hopefully I can help!
1) You can configure a list of blocked browsers, yes. By default, Microsoft Edge is not blocked from handling sensitive data. Additionally, there is a Microsoft Purview extension for Chrome and Firefox that, if installed, will allow those browsers to handle sensitive information, even if they're on the blocked list.
2) Unfortunately, you cannot configure the restricted apps to be a singular "allow". You can minimize your application footprint by ensuring users do not have administrator privileges on their managed endpoints, or, if that is too restrictive, there is now an Intune Premium feature to configure Endpoint Privilege Management, as well as LAPS now being available for Windows 11 through Azure.
You can configure sensitive service domains to be an "allow" list and set it to only allow uploads to your SharePoint and OneDrive locations. Example below:
- SharePoint:
  - companyname.sharepoint.com
- OneDrive:
  - companyname-my.sharepoint.com