Forum Discussion
Purview DLP: Paste to supported browsers
I've enabled a policy that audits "Paste to Supported Browsers." The policy applies if the file has a specific sensitivity label assigned. When I copy content from the file to an unallowed domain e.g. gmail.com I'm not seeing the activity recorded in the log.
I'm reading the Microsoft endpoint data loss prevention page definition for "paste to supported browser" and it appears to only apply if the content copied itself is sensitive e.g. a social security number pattern. So I'm guessing there's no way to prevent users from copying content from a sensitive file and pasting to an unallowed domain. Is that right?
"Detects when a user attempts to paste content to a restricted service domain. Evaluation is performed on the content that is being pasted. This evaluation is independent of how the source item that the content came from is classified."
https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about
14 Replies
AS1522Microsoft
Hi,
As per my understanding of your concern, the policy definitely needs evaluation. Additionally, you should check a few samples to determine if the content is sensitive information. The policy detects when a user attempts to paste content to a restricted service domain. The policy will only trigger if the content itself is identified as sensitive, such as containing a social security number or other predefined sensitive information types. To control this completely, you need to evaluate the policy again and control the "Copy To Clipboard" activity in the Endpoint DLP policy.
I also suggest using the Activity Explorer in the Microsoft Purview portal to review the audit logs and ensure that the policy is being applied correctly. Filter the logs by the "Paste to Supported Browsers" activity to see if any events are recorded.
Example Scenario: If you want to block all items that contain specific sensitive information (e.g., credit card numbers) from being pasted to unallowed domains, you need to create a rule in the policy that detects the type of information you want to protect and set the actions for each activity to "Block."
Be aware that changes to eDLP policies can take some time to deploy fully to endpoints. Delays of 24-48 hours are common, so ensure that you allow sufficient time for the changes to take effect.
Good to read: Configure endpoint DLP settings | Microsoft Learn
I have the same problem, I want to block people from copying information that is on allowed sites into restricted sites. I created a DLP policy to block those actions, but when I copy information into restricted sites, sometimes it works but other times it doesn't. Sometimes it even blocks copying within the same site. My organization only uses Edge as the default browser, and I've been reading the documentation but I'm still testing. If someone knows what's happening, it would be helpful for me.
Try turn on Just in time (JIT) protection
JIT is on and set to block actions if unable to evaluate. Unfortunately, the paste into gmail still just works and does not get prevented.
Confirm if you have information protection plugin on Microsoft Edge. This is what need to block content in websites. Also you need some purview settings to be done. Share here what you currently have.
This is the configuration in the action section, and what´s the plugin for edge
Hi MX_IT In order to work DLP on browsers you need to have extension installed on the browser. https://learn.microsoft.com/en-us/purview/dlp-chrome-get-started , and you can install it using Intune as well.
Agree. Not the issue in my case either. Plugin installed.
If the browser is blocked entirely (as a restricted app) then the paste gets blocked, but that doesn't help since we need to open up certain domains, for instance the CRM for pasting content.
Need to secure this gmail paste use case.
Indeed blocking is one thing you can do, but as to deal with contents, your web based CRM, must be blocked as a domain, confirm how your configs lied up. Also in order for us to understand requesting to share diagram or configs. Hope you are using activity explorer to explore what have been took effect.
We have the plugin that's not the issue.
RafaelDornelesFor this option you need to control the "Copy To Clipboard" activity in the Endpoint DLP policy.
