Aishat
Copper Contributor
Aug 25, 2025

DSPM for AI - Block sensitive info from AI apps in Edge

Hi,

Has anyone been able to get this rule to work: DSPM for AI - Block sensitive info from AI apps in Edge?

We recently deployed the Purview Edge extension, and the devices are also onboarded in Purview. I have configured some SITs, and the action is set to block, but this does not seem to be triggering.

I have also tested the SITs in Classifiers > SIT.

For anyone that has gotten this to work, what steps did you go through, and what is the end user experience like? Do they get a pop-up saying that this is blocked by the organization, or do the prompts just not return any results?

5 Replies

  • Ankit365
    Brass Contributor

    This is still very new in Purview, so you are not alone in finding it tricky. The “DSPM for AI – Block sensitive info from AI apps in Edge” rule relies on several moving parts working together:

    First, the machine must be onboarded to Purview with the Microsoft Purview extension for Edge installed and active, and the user must be signed in with their Entra ID account. Second, you need a Data Loss Prevention (DLP) policy in Purview that explicitly targets “Microsoft Edge for Business” under the cloud apps selector. Within that DLP policy, you add your sensitive information types or trainable classifiers, set the action to block, and choose the AI app category (this is what covers ChatGPT, Copilot, Gemini, etc., when accessed via Edge). Third, confirm that device compliance telemetry is flowing: in the Purview compliance portal, under Activity explorer, you should start to see events from Edge once the extension is properly enforced.

    When the rule does trigger, the end user experience is similar to other DLP enforcement in Edge. Suppose a user tries to paste or type a credit card number or other sensitive string into the AI app prompt. In that case, Edge intercepts it and shows a toast-style notification that “This content is blocked by your organization’s data loss prevention policy.” The text will not be submitted to the AI service. If you configure user overrides, the user can provide a justification and proceed; otherwise, the prompt is blocked.

    If you are not seeing triggers, check three things: that your SIT definitions match the test data (use the “Test” function in the Purview compliance portal to validate), that your policy is scoped to the correct users and to “Microsoft Edge for Business,” and that the devices are running the latest Edge build with the Purview extension visible in the browser. Also note that it can take several hours for a new DLP policy to propagate to endpoints.

    So the expected experience is a block notification in the browser itself, not a silent failure of the AI prompt.


    Hit like if you found this approach helpful.
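    The three checks in the reply above (policy scope and propagation, the SITs and block action in the rule, and whether the test data actually matches the SIT) can also be run read-only from Security & Compliance PowerShell. The script below is an added example and is not code from the thread or from Microsoft; it uses the ExchangeOnlineManagement module cmdlets Connect-IPPSSession, Get-DlpCompliancePolicy, Get-DlpComplianceRule and Test-DataClassification. The policy name and the sample text are placeholders, the card number is a constructed test value, and the object property names marked as assumed should be confirmed with Get-Member in your own tenant.

```powershell
# Added example (not from the thread): read-only checks for a DLP policy aimed at AI apps in Edge.
# Requires the ExchangeOnlineManagement module and a Purview/Compliance admin role.

Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Placeholder: replace with the name shown for your policy in the Purview portal.
$PolicyName = 'DSPM for AI - Block sensitive info from AI apps in Edge'

# Check 1: is the policy enabled, scoped to devices, and already distributed to endpoints?
# A status other than "Success" usually means the policy has not reached the endpoints yet
# (propagation can take hours, as noted above). Property names are assumed; verify with Get-Member.
$policy = Get-DlpCompliancePolicy -Identity $PolicyName -DistributionDetail
$policy | Select-Object Name, Mode, Enabled, EndpointDlpLocation, DistributionStatus | Format-List

# Check 2: which SITs does each rule in the policy look for, and what does it do on endpoints?
# ContentContainsSensitiveInformation is assumed to be a list of hashtables with a 'name' key;
# EndpointDlpRestrictions is assumed to be a list of Setting/Value pairs (for example CloudEgress=Block).
Get-DlpComplianceRule -Policy $PolicyName | ForEach-Object {
    [pscustomobject]@{
        Rule         = $_.Name
        Disabled     = $_.Disabled
        SITs         = ($_.ContentContainsSensitiveInformation | ForEach-Object { $_.name }) -join ', '
        Restrictions = ($_.EndpointDlpRestrictions | ForEach-Object { "$($_.Setting)=$($_.Value)" }) -join ', '
    }
} | Format-Table -AutoSize

# Check 3: does the string you are pasting into the AI prompt actually match the SIT?
# Constructed sample: 4111 1111 1111 1111 is a well-known Luhn-valid test number, not a real card.
# The built-in Credit Card Number SIT also expects a supporting keyword nearby, hence "Card" and "exp".
$sample = 'Card: 4111 1111 1111 1111 exp 12/29'
$result = Test-DataClassification -TextToClassify $sample -ClassificationNames 'Credit Card Number'
# ClassificationResults and its columns are assumed names; if empty, the SIT is not matching your test data.
$result.ClassificationResults | Format-Table ClassificationName, Count, Confidence
```

    If check 3 returns a match but check 2 shows no block restriction on the rule, or check 1 shows the policy still pending distribution, that points at the configuration rather than at the Edge extension.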

    • Aishat
      Copper Contributor

      Hi Ankit,

      Thank you for your response. Devices are onboarded to Purview, the browser extension is deployed, the SITs are tested in Purview, and I see the data in Activity explorer for visiting the generative AI sites and also when the DLP policy gets matched for the Endpoint DLP rules.

      For Edge, do you mind clarifying what you mean by "you need a Data Loss Prevention (DLP) policy in Purview that targets explicitly “Microsoft Edge for Business” under the cloud apps selector" in your previous message?

      The DLP policy for Edge was created from the DSPM for AI recommendations initially, but I tried creating a new one, and here is what I see below. Is this what you are referring to, or where is the selection you are referring to for Edge for Business?

      Thanks!

    • Aishat
      Copper Contributor

      Hi Ankit,

      Thank you for your response. The devices are onboarded, and we have the extension deployed as well. I tested my SITs in Purview, and in my Activity explorer I see the AI sites visited as well as the DLP match for the other rule that I have configured (Endpoint DLP).

      What do you mean by a DLP policy that targets Edge? This policy was activated via the DSPM for AI recommendations, and I have tried to create a new policy, and this is what I see. Can you clarify? After creating the policy, my locations are the AI apps.

      Are there other settings to specify Microsoft Edge?

  • Jethro
    Copper Contributor

    Yes, working as expected. We are set to Audit only. The logs are viewed in Defender. Our organisation uses Edge.

    Applied to the 'Devices' location.
    We have added SITs and sensitivity labels into the rule conditions.

    Do you have "Generative AI Sites" added under Sensitive service domain restrictions within the rule conditions? (In the section titled "Audit or restrict activities on devices", edit that and confirm the Generative AI Sites category is added.)

    The Generative AI Sites category can be viewed in Purview > Settings > DLP > Endpoint DLP settings > Browser and domain restrictions to sensitive data.

    Let me know how you go.

    J

    • Aishat
      Copper Contributor

      Hi J,

      That worked perfectly, thank you! But I noticed this is for files; I tested with uploading files and pasting files. Do you have any policies to audit or block SIT prompts for generative AI sites?

      Thanks
