This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
The Microsoft Defender for Cloud Apps section of this blog series is aimed at Security and Compliance officers who need to protect data in a Cloud App, meaning a third-party cloud-based application.
This document is meant to guide an administrator who is “net new” to Microsoft E5 Purview through.
In this blog entry, we want to understand how Microsoft Defender for Cloud Apps (MDCA) is leveraged for Data Loss Prevention.
Microsoft Defender for Cloud Apps (MDCA) can be used for things such as Conditional Access, Shadow IT, and other security features. However, in this blog entry, we are focused only on how MDCA can be used for Data Loss Prevention (DLP).
This entry is limited in scope and meant to walk you through the basic process of configuring a DLP activity in Microsoft Defender for Cloud Apps.
This document does not cover any other aspect of Microsoft E5 Purview, including:
Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
Data Lifecycle Management (retention and disposal)
Records Management (retention and disposal)
Insider Risk Management (IRM)
It is presumed that you have a pre-existing understanding of what Microsoft E5 Purview does and how to navigate the User Interface (UI).
For details on licensing (i.e., which components and functions of Purview are in E3 vs. E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.
Overview of Document
What MDCA Does
DLP features supported by MDCA
An organization that wants to configure Data Loss Prevention (DLP) against a cloud-based application. In this blog entry we will only look at general DLP use cases.
Cloud App – meaning a third-party cloud-based application.
Session Policy – session policies enable real-time, session-level monitoring, affording you granular visibility into cloud apps and the ability to take different actions depending on the policy you set for a user session.
Policy Control – these policies “detect risky behavior, violations, or suspicious data points and activities in your cloud environment.”
You have read Part 0 of this blog series.
What MDCA does
Microsoft Defender for Cloud Apps (MDCA) is Microsoft's Cloud Access Security Broker (CASB). Even though this blog series looks at it only to provide DLP functionality, it has a broader range of security features.
Here is a list of the other things you can do with MDCA:
Threat Detection – “Detect unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications, analyze high-risk usage and remediate automatically to limit the risk to your organization.”
Information Protection – “Understand, classify, and protect the exposure of sensitive information at rest. Leverage out-of-the box policies and automated processes to apply controls in real time across all your cloud apps.”
Conditional Access – “Real-time monitoring and control over access to cloud apps based on user, location, device, and app.” This also allows for “real-time session-level monitoring, affording you granular visibility into cloud apps and the ability to take different actions depending on the policy you set for a user session.”
Shadow IT – “Identify the cloud apps, IaaS, and PaaS services used by your organization. Investigate usage patterns, assess the risk levels and business readiness of more than 31,000 SaaS apps against more than 80 risks. Start managing them to ensure security and compliance.”
DLP features supported by MDCA
For data protection with MDCA, you can create three different types of policies:
Of these three, the one you will use most for DLP is the Session Policy, because session policies offer the following session control types, which are the closest equivalents to service- and device-level DLP functionality:
Control file download (with inspection)
Control file upload (with inspection)
Here are the Activities related to DLP:
Send item (Exchange/Teams message)
Here are the Actions (in addition to the Session control types mentioned above) related to the above Activities.