Enhancing Microsoft Purview Data Loss Prevention with new capabilities
Published Jun 02 2022 10:00 AM

Microsoft Purview Data Loss Prevention (DLP) helps users make the right decisions and take the right actions while using sensitive data, helping balance security and productivity. It helps your organization to move away from a disparate set of DLP tools and benefit from a unified solution that helps detect the use of sensitive data, remediates policy violations, and educates users on how best to handle sensitive data at the endpoint, on-premises, and in the cloud.


DLP is easy to turn on, with protection built in to Microsoft 365 cloud services, Office apps, Microsoft Edge (on Windows and Mac), and endpoint devices. DLP controls can also be extended to the Chrome browser through the Microsoft Purview extension for Chrome and to various non-Microsoft cloud apps such as Dropbox, Box, Google Drive, and others through the integration with Microsoft Defender for Cloud Apps.


In the past few months, we introduced several capabilities designed to provide new ways of protecting data across a wider variety of use cases and workloads and greater visibility into how sensitive content is used, stored, and shared. These include the general availability of:

  • DLP on macOS endpoints enabling organizations to extend their endpoint DLP insights and controls to devices running macOS (Catalina or higher).
  • Controls for advanced classification scanning and protection that allow the advanced Microsoft Purview cloud-based data classification service to scan items, classify them, and return the results to the local machine. This means you can take advantage of exact data match classification and named entities classification techniques in your endpoint DLP policies. Learn more here.
  • Controls to help detect when sensitive files are created and added to archives and apply restrictions to archive files when they contain sensitive files, reducing the risk of sensitive data exfiltration through concealment in archive files. We currently support .zip, .zipx, .rar, .7z, .tar, .gz archive file formats.

Since we launched the DLP alerts management experience in the Microsoft Purview compliance portal, customers have highlighted the need for a unified incident management dashboard that gives a comprehensive view of incidents across Microsoft solutions, so that they can avoid manual correlation and navigation through different portals.


Today we are excited to announce the public preview of the DLP alert management experience within the Microsoft 365 Defender portal, enabling a unified approach to incident management across your Microsoft Defender and Microsoft Purview compliance portals. The integration with the Microsoft 365 Defender portal is native and easy to set up. Additionally, you can import all DLP incidents into Sentinel to extend correlation, detection, and investigation across additional Microsoft and non-Microsoft data sources and extend automated orchestration flows using Sentinel’s native SOAR capabilities. This feature will be available in the coming weeks.


With this capability you will be able to:

  • View all DLP alerts grouped under incidents in the Microsoft 365 Defender incident queue
  • Leverage Advanced hunting within the Defender portal to search through audit logs of files, locations, and users.
  • Associate custom tags to DLP incidents and filter incidents by these tags
  • Customize your incident view on the unified incident queue by filtering by DLP policy name, tags, date, service source, incident status, or user
  • Take remediation actions directly from the Microsoft 365 Defender portal, including applying sensitivity or retention labels, deleting or unsharing the file, marking the user as compromised, requiring the user to sign in again, and more.
  • Import DLP incidents in Sentinel

The current DLP Alerts dashboard in the Microsoft Purview compliance portal will remain unchanged. With this capability we are enriching the incident management experience with DLP alerts within the Defender portal.


Steps to manage DLP alerts in Microsoft 365 Defender portal

  1. Ensure that you have turned on alerts for all your DLP policies in the Microsoft Purview compliance portal 
  2. Navigate to the Incidents tab in the Microsoft 365 Defender portal, click Filters at the top right, and choose Service Source: Data Loss Prevention to view all incidents with DLP alerts
  3. You can also use the search bar to quickly find a DLP alert by name or by any additional information, such as regulations that the policy might be associated with
  4. Click on the incident from the list to view the incident summary page
  5. Click on the Alerts tab from the Summary page to view the DLP alert details
  6. View the Alert story, which has details about what happened, the policy that matched, and the sensitive information types detected in the alert. Click on the event in the Related Events section to see the user activity details. View the matched sensitive content in the ‘Sensitive info types’ tab, as well as the file content in the ‘Source’ tab if you have the required permission.
  7. Take remediation actions such as downloading email from the Microsoft 365 Defender portal. For files on SharePoint Online or OneDrive for Business, you can take actions such as Apply retention label, Apply sensitivity label, Unshare, or Delete.

Figure 1: Steps for DLP incident management in Microsoft 365 Defender portal

You can also import all incidents, including DLP alerts, into Microsoft Sentinel by leveraging Sentinel’s Microsoft 365 Defender connector. Enable the CloudAppEvents event connector as well to pull all Office 365 audit logs into Sentinel. Learn more here.


Figure 2: DLP Alerts in Microsoft Sentinel

We are also excited to announce the general availability of controls that are designed to give you the flexibility to scope different access restrictions to sensitive files when they are accessed by different applications. This will allow you to create groups of sanctioned or unsanctioned applications and scope policies to control access of sensitive information by individual applications in the application groups. Learn more here.

Get Started 

We are happy to share that there is now an easier way for you to try Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial. By enabling the trial in the compliance portal, you can quickly start using all capabilities of Microsoft Purview, including Insider Risk Management, Records Management, Audit, eDiscovery, Communication Compliance, Information Protection, Data Loss Prevention, and Compliance Manager.  


Visit your Microsoft Purview compliance portal for more details or check out the Microsoft Purview solutions trial (an active Microsoft 365 E3 subscription is required as a prerequisite).  

Additional resources:

  • Watch these videos to learn more about Microsoft’s approach to cloud DLP, endpoint DLP, and maximizing the value of DLP
  • Listen to this podcast on Microsoft Purview DLP.
  • Learn more about configuring DLP policies for Microsoft 365 services and endpoints
  • Learn more about using sensitivity labels as a condition for DLP policies here
  • Learn more about sensitivity labels here
  • Learn more about Predicates for unified DLP here
  • Read this blog for the latest on Microsoft Purview Information Protection

We look forward to your feedback!


Thank you, 

The Microsoft Purview Information Protection Team




Last update: Jun 02 2022 05:09 PM