Effectively protect sensitive data in cloud and devices using Microsoft Purview Data Loss Prevention
Published Feb 06 2023 09:00 AM 2,870 Views

Today, working together means working in the cloud where many employees are empowered to collaborate across time zones, devices, platforms, and networks without having to step outside their homes. This flexibility generates more messaging, file sharing, and document uploading and downloading across the digital estate — making it imperative for organizations to adapt their data protection strategies withe the changing landscape. Organizations today face multiple challenges with traditional DLP solutions as these solutions were adapted to support digital transformation rather than being cloud first, where a majority of the work happens today. A recent research [1] found that among the organizations that use on-premise DLP solutions 73% are concerned with data transformation difficulties, and more than half cite that enabling productivity is challenging. The same research also found that organizations who do use cloud DLP solutions are twice as likely to say - that cloud DLP solutions - help balance data protection and employee productivity, and are easier to scale. Today we published a whitepaper detailing the findings of this research to help organizations understand challenges and provide recommendation on their journey to adopting a cloud native DLP solution. Read the paper to learn more.


Today, we are very excited to announce several new capabilities in DLP that help you with granular access controls and easily get started with Microsoft Purview DLP.

  1. Ability for scoped admins to perform administrative tasks for scoped users
  2. Preventing sensitive data exfiltration on Firefox
  3. Optimizing data protection automatically
  4. Helping migrate existing DLP policies

We are excited to announce in public preview a new capability that allows organizations to define user scopes based on Azure Active Directory (AAD) attributes like department or geography, allowing the scoped admins to perform administrative activities like creating policies and investigating alerts for only the users in their designated scope and covered by the policy. This capability helps organizations meet their regulatory and privacy requirements by segregating the administrative activities for users based on geography. As an example, with this capability, German administrators will be able to create DLP policies for and investigate alerts from only German users. See below for a step-by-step guidance on getting started:

  1. Set up administrative units in AAD based on attributes such as department, geography or more and assign users to the administrative units created.
  2. Assign administrative permissions to the user that will be performing the administrative tasks in the Permissions page in Microsoft Purview compliance portal. Learn how to set permissions here.
  3. Assign the administrative unit created in step 1 to the user who was granted administrative privileges (administrator) in step 2.

Upon completing step 3, the administrator will be able to perform administrative tasks such as creating and managing policies and investigating alerts for the users in the administrative units. For creating DLP policies, the administrator will need to have Information Protection or Information Protection Admin role groups and for investigating the DLP alerts, the administrator will need to be assigned to the Information Protection Analysts or Information Protection Investigator role groups.  


This capability will be rolling out over the coming weeks across geographies starting with support for DLP policies for user scoped workloads such as Exchange Online, OneDrive for Business, Microsoft Teams, and endpoint devices. We will be extending this capability to support autolabelling in SharePoint Online, Microsoft 356 Defender, and other Purview solutions in the coming months. Learn more here.


Figure 1: assigning admin units to a user with administrative privilegesFigure 1: assigning admin units to a user with administrative privilegesFigure 2: A German user with administrative privileges is now able to see the alerts from German usersFigure 2: A German user with administrative privileges is now able to see the alerts from German users


We are also announcing the public preview of Microsoft Purview Extension for Firefox helping organizations prevent sensitive data exfiltration while using Firefox browser. With this capability users are automatically alerted when perform a risky action such as uploading a sensitive file to an unsanctioned application or printing sensitive content, and are provided with actionable policy tips and remediation guidance. As with other Microsoft unified DLP capabilities, the Microsoft Purview Extension for Firefox provides the same familiar look and feel that users are already accustomed to. Learn more here.

Figure 3: DLP controls on Firefox browserFigure 3: DLP controls on Firefox browser


In addition to these capabilities, we are very excited to announce the public preview of Adaptive Protection, a new capability of Microsoft Purview that enables organizations to optimize the balance between data protection and productivity automatically. Adaptive Protection leverages machine learning to identify and mitigate the most critical risks with the most effective protection controls dynamically, saving security teams valuable time while ensuring better data security.


By leveraging the machine learning-driven analysis in Insider Risk Management, Adaptive Protection detects potentially risky user actions that may result in a data security incident and automatically adds the user to a stricter Data Loss Prevention policy. The protection policies are adaptive based on user context, ensuring that the most effective policy, such as blocking data sharing, is applied only to high-risk users while low-risk users can maintain productivity. You can read this Tech Community blogpost and watch the Mechanics video to learn more about how to enable Adaptive Protection with Microsoft Purview.

Figure 4: Enabling Adaptive Protection in DLP policiesFigure 4: Enabling Adaptive Protection in DLP policies


The research referenced earlier in this blog also showed that re-creating policies is a significant barrier when it comes to migrating from an on-premise DLP solution to a cloud native DLP solution. To solve for this challenge, we built Microsoft Purview DLP migration assistant for Symantec. Today, we are excited to announce the general availability of the migration assistant. We are continuing to invest in improving the fidelity of the tool and look forward to your feedback.


“Microsoft Purview DLP migration assistant helped us plan better and seamlessly migrate our customers’ existing other Symantec DLP policies, and we saved a lot of time in the migration process as we didn’t have to recreate all the policies from scratch. Also, as a partner, we tested this tool in our customer environments and the feedback has been positive and customer felt very confident of the migration approach with the use of the Microsoft’s DLP migration tool.“ Anand Dutta, Global head, Cybersecurity & Risk Management Practice (CSRM), Tech Mahindra


You can learn more about the migration assistant here.


Additionally, we are also announcing several capabilities in general availability that allow organizations to author DLP policies with granular controls and incident management

  • ability to create groups of printers, removable storage such as USB devices, network share paths, and sensitive sites and assign different restrictive actions such as block, block with override, or audit to each group as you define your DLP policies. Learn more here.
  • ability to configure network location exceptions, allowing you to configure different enforcement restrictions based on the network you are logged into. Learn more here.
  • ability to detect the presence of password protected files on the endpoint devices and configure specific restrictions for these files. This can be done by leveraging the condition “Document or attachment is password protected,” which detects the presence of password protected Office, PDF, or .zip files. Learn more here.
  • ability to configure specific restrictions for PDF and Office files that are not labeled on the endpoint devices. This can be done by leveraging the condition ‘content is not labeled’. Learn more here.
  • ability to create composite rules with AND / OR associations between conditions. You can also add exceptions to the groups using the NOT association. Learn more here.


To help you get the most value from the Microsoft Purview DLP solutions, we recently published new assets to help effective use and realize value quickly from Microsoft Purview DLP.


Get started

We are happy to share that there is now an easier way for you to try Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial of Microsoft Purview. All you need is a Microsoft 365 E3 subscription!


Additional resources

  • Watch these videos to learn more about Microsoft’s approach to cloud DLPendpoint DLP, and maximizing the value of DLP
  • Listen to this podcast on Microsoft Purview DLP
  • Learn more about our Ignite announcements here
  • Read these blogs for the latest on Microsoft Purview Information Protection


Thank you and we look forward to your feedback!

Microsoft Purview Data Loss Prevention team


[1] Survey of 297 DLP professionals at U.S. enterprise organizations, December 2022, commissioned by Microsoft.


Version history
Last update:
‎Feb 06 2023 11:29 AM
Updated by: