Forum Discussion
Purview DLP: Paste to supported browsers
I've enabled a policy that audits "Paste to Supported Browsers." The policy applies if the file has a specific sensitivity label assigned. When I copy content from the file to an unallowed domain e.g. gmail.com I'm not seeing the activity recorded in the log.
I'm reading the Microsoft endpoint data loss prevention page definition for "paste to supported browser" and it appears to only apply if the content copied itself is sensitive e.g. a social security number pattern. So I'm guessing there's no way to prevent users from copying content from a sensitive file and pasting to an unallowed domain. Is that right?
"Detects when a user attempts to paste content to a restricted service domain. Evaluation is performed on the content that is being pasted. This evaluation is independent of how the source item that the content came from is classified."
Learn about Endpoint data loss prevention | Microsoft Learn
6 Replies
AS1522Microsoft
Hi,
As per my understanding of your concern, the policy definitely needs evaluation. Additionally, you should check a few samples to determine if the content is sensitive information. The policy detects when a user attempts to paste content to a restricted service domain. The policy will only trigger if the content itself is identified as sensitive, such as containing a social security number or other predefined sensitive information types. To control this completely, you need to evaluate the policy again and control the "Copy To Clipboard" activity in the Endpoint DLP policy.
I also suggest using the Activity Explorer in the Microsoft Purview portal to review the audit logs and ensure that the policy is being applied correctly. Filter the logs by the "Paste to Supported Browsers" activity to see if any events are recorded.
Example Scenario: If you want to block all items that contain specific sensitive information (e.g., credit card numbers) from being pasted to unallowed domains, you need to create a rule in the policy that detects the type of information you want to protect and set the actions for each activity to "Block."
Be aware that changes to eDLP policies can take some time to deploy fully to endpoints. Delays of 24-48 hours are common, so ensure that you allow sufficient time for the changes to take effect.
Good to read: Configure endpoint DLP settings | Microsoft Learn
I have the same problem, I want to block people from copying information that is on allowed sites into restricted sites. I created a DLP policy to block those actions, but when I copy information into restricted sites, sometimes it works but other times it doesn't. Sometimes it even blocks copying within the same site. My organization only uses Edge as the default browser, and I've been reading the documentation but I'm still testing. If someone knows what's happening, it would be helpful for me.
Confirm if you have information protection plugin on Microsoft Edge. This is what need to block content in websites. Also you need some purview settings to be done. Share here what you currently have.
This is the configuration in the action section, and what´s the plugin for edge
Hi MX_IT In order to work DLP on browsers you need to have extension installed on the browser. https://learn.microsoft.com/en-us/purview/dlp-chrome-get-started , and you can install it using Intune as well.
RafaelDornelesFor this option you need to control the "Copy To Clipboard" activity in the Endpoint DLP policy.
