MX_IT
Copper Contributor
Jul 11, 2024

Purview DLP: Paste to supported browsers

I've enabled a policy that audits "Paste to Supported Browsers." The policy applies if the file has a specific sensitivity label assigned. When I copy content from the file to an unallowed domain, e.g. gmail.com, I'm not seeing the activity recorded in the log.

I'm reading the Microsoft endpoint data loss prevention page definition for "paste to supported browser" and it appears to only apply if the content copied itself is sensitive, e.g. a social security number pattern. So I'm guessing there's no way to prevent users from copying content from a sensitive file and pasting to an unallowed domain. Is that right?

"Detects when a user attempts to paste content to a restricted service domain. Evaluation is performed on the content that is being pasted. This evaluation is independent of how the source item that the content came from is classified."

 

https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about

14 Replies

  • Hi,

    As per my understanding of your concern, the policy definitely needs evaluation. Additionally, you should check a few samples to determine if the content is sensitive information. The policy detects when a user attempts to paste content to a restricted service domain. The policy will only trigger if the content itself is identified as sensitive, such as containing a social security number or other predefined sensitive information types. To control this completely, you need to evaluate the policy again and control the "Copy To Clipboard" activity in the Endpoint DLP policy.

    I also suggest using the Activity Explorer in the Microsoft Purview portal to review the audit logs and ensure that the policy is being applied correctly. Filter the logs by the "Paste to Supported Browsers" activity to see if any events are recorded.

    Example Scenario: If you want to block all items that contain specific sensitive information (e.g., credit card numbers) from being pasted to unallowed domains, you need to create a rule in the policy that detects the type of information you want to protect and set the actions for each activity to "Block."

    Be aware that changes to eDLP policies can take some time to deploy fully to endpoints. Delays of 24-48 hours are common, so ensure that you allow sufficient time for the changes to take effect.

     

    Good to read: Configure endpoint DLP settings | Microsoft Learn

  • I have the same problem: I want to block people from copying information that is on allowed sites into restricted sites. I created a DLP policy to block those actions, but when I copy information into restricted sites, sometimes it works but other times it doesn't. Sometimes it even blocks copying within the same site. My organization only uses Edge as the default browser, and I've been reading the documentation but I'm still testing. If someone knows what's happening, it would be helpful for me.

      • PWA
        Copper Contributor

        JIT is on and set to block actions if unable to evaluate. Unfortunately, the paste into Gmail still just works and does not get prevented.

    • duliprb
      MCT

      Hi Melvin_Maldonado03

      Confirm whether you have the information protection plugin on Microsoft Edge. This is what is needed to block content in websites. You also need some Purview settings to be done. Share here what you currently have.

    • PWA
      Copper Contributor

      Agree. Not the issue in my case either. Plugin installed.

      If the browser is blocked entirely (as a restricted app) then the paste gets blocked, but that doesn't help since we need to open up certain domains, for instance the CRM for pasting content.

      Need to secure this Gmail paste use case.

      • Indeed, blocking is one thing you can do, but to deal with content, your web-based CRM must be blocked as a domain; confirm how your configs are lined up. Also, in order for us to understand, I'm requesting that you share a diagram or configs. Hope you are using Activity Explorer to explore what has taken effect.

    • MX_IT
      Copper Contributor

      We have the plugin; that's not the issue.

  • For this option you need to control the "Copy To Clipboard" activity in the Endpoint DLP policy. 
