Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
Gain comprehensive data protection and efficient investigation with Microsoft Purview DLP
Published Nov 15 2023 08:00 AM 9,899 Views

Data is not only an asset but also a potential liability if it falls into the wrong hands inadvertently or maliciously. In the age of AI, applications can analyze large volumes of data and derive insights faster than humans can providing immense benefits to an organization. However, organizations are also struggling and concerned about ensuring their sensitive or business critical data is not intentionally or inadvertently lost as they adopt AI. A recent Microsoft research showed that 97% of organizations had concerns about AI with the top concern being data leak through AI applications and risky use of AI [1]. Now more than ever, organizations need to take a comprehensive approach to their data security and apply data loss prevention policies to their data sources, data flows, and data outputs to ensure their data is protected, and to comply with regulations and industry standards. Microsoft Purview Data Loss Prevention (Microsoft Purview DLP) can help protect data at rest, in transit, and in use across different environments and platforms helping organizations gain visibility into their data, reduce risks, and enhance trust in their AI initiatives.


At Microsoft, we are committed to providing a unified and cloud-native solution to help prevent the loss of your sensitive data across your applications, services, and devices without the need to deploy and maintain costly infrastructure or agents. Purview DLP is an integrated and extensible offering that allows organizations to manage their DLP policies from a single location and has a familiar user experience for both administrators and end users. Microsoft Purview DLP is easy to turn on, doesn't require any agents, and has protection built into Microsoft 365 cloud services, Office apps, Microsoft Edge (on Windows and Mac), and on endpoint devices. Microsoft Purview DLP controls can also be extended to the Chrome and Firefox browsers through the Microsoft Purview extension and to various non-Microsoft cloud apps such as Dropbox, Box, Google Drive, and others through the integration with Microsoft Defender for Cloud Apps.


Today we are excited to announce a set of new capabilities in Microsoft Purview DLP that can help comprehensively protect your data and efficiently investigate DLP incidents. Our announcements today can be grouped into three categories:

  1. Efficient investigation: capabilities that empower admins by making their everyday task easier including DLP capabilities in Security Copilot, natively embedding Security Copilot summarization capabilities in DLP, enriching DLP alerts with user activity insights from Insider Risk Management, DLP analytics to help find the biggest risk and recommendations to finetune DLP policies, and more.
  2. Strengthening protection: capabilities that help protect all types of data and provide granular policy controls including predicate consistency across workloads, enhancements to just-in-time protection for endpoints, support for optical character recognition (OCR), and performance improvements for DLP policy enforcements.
  3. Expanding protection: capabilities that extend your protection sphere to cover your diverse digital estate including support for Windows on ARM and several enhancements to macOS endpoints.

These capabilities will be rolling out to the tenants in the coming weeks.


Efficient investigations:

We know that conducting DLP investigations can be a daunting task for security teams. Not only are there a large and diverse number of data sources across apps, cloud services, email, endpoints, and chat to analyze but also the DLP policies and rules are becoming more complex to enforce across different data types, locations, and scenarios. In fact, data security teams receive on average 50+ alerts per day but can only review 60-70% of them [2]. What customers are looking for are real time guidance, analysis, query, and summarization capabilities at the speed of AI, all within your trusted and proven investigation workflows. We are excited to announce the addition of Microsoft Purview DLP capabilities in Security Copilot in private preview to provide SOC teams with integrated insights across the security stack to drive operational efficiency, by bringing data risk insights around specific assets targeted in a potential cyberattack. Within Security Copilot, you can now gain insights into the volume of files exfiltrated and their location as well as the content included in the files, such as credit card numbers or log-in credentials, and sensitivity level of the files, such as highly confidential.  


Figure 1: Security Copilot summarizing a DLP incident.Figure 1: Security Copilot summarizing a DLP incident.

Not only are we adding Microsoft Purview capabilities in Security Copilot, but we are also natively embedding Security Copilot in Microsoft Purview DLP to help summarize DLP alerts. This quick summary provides a comprehensive overview of an alert, including the attributed policy and rules, and helps you catch what others miss, all while honoring the appropriate roles-based access control permissions. By understanding what sensitive data was leaked and associated user risk, you have a better starting point for further investigation. Security Copilot in Microsoft Purview will be available in private preview to Early Access Program customers. Reach out to your account manager to gain access to these features.


Figure 2: Security Copilot embedded in Microsoft Purview DLPFigure 2: Security Copilot embedded in Microsoft Purview DLP

Further enriching the DLP alerts, we are now including user context from Insider Risk Management in the DLP alerts, in public preview, allowing DLP or SOC analysts (with appropriate permissions) to see a summary of past user activities that may have led to potential data security incidents. For example, the DLP alert now contains user risk severity and a summary of the critical sequence of actions taken by the user, showing that they downloaded confidential files from SharePoint, downgraded the sensitivity label, and compressed the files into a zip file before exfiltrating them to the USB device. With this context, analysts can better understand the user’s intent and determine if they were trying to exfiltrate sensitive data while evading detection. The feature requires explicit opt-in by Insider Risk Management admins with appropriate permissions. The insights can help analysts gain a better understanding of a DLP incident and make faster, more informed decisions on how to respond to potential incidents.  Learn more in our blog


Figure 3:Insider risk severity within Microsoft Purview DLP alertsFigure 3:Insider risk severity within Microsoft Purview DLP alerts

With ever-increasing data sources and data types, organizations often struggle to connect insights across a fragmented landscape and know what to prioritize, which becomes a daunting task. Collecting, analyzing, and acting on insights takes time, which leads to organizations being reactive rather than proactive in preventing sensitive data loss. We are excited to announce the public preveiw of Microsoft Purview DLP analytics, which leverages machine learning to highlight the top data protection risk and recommends policies that can help mitigate those risks. Organizations can turn on analytics from the Microsoft Purview DLP overview page, and once enabled the system will generate recommendations every week through two new cards in the overview page:

  • The first card highlights the top risks that can be mitigated with the creation of a new policy. In addition to the risk, the card also shows the details causing the risk such as sensitive information detected, files that contain the detection sensitive information, and the recommended policy settings to help mitigate the risk. DLP admins can choose to create the recommended policy right from the analytics experience.
  • The second card recommends policy settings to improve the fidelity of your existing policies and reduce alert noise. DLP admins will be able to see quick stats such as current matched, predicted matches, and the impact the recommendation will have on their existing policy before they choose to update the policy.

Figure 4: Recommended policy detailsFigure 4: Recommended policy details


Figure 5: Policy improvement and finetuning recommendation cardFigure 5: Policy improvement and finetuning recommendation card

In addition to these two cards on the DLP overview page, we are adding a list of recommendations to help mitigate data security risks. New recommendations will be added every week, and a given recommendation stays in the queue for four weeks. Get started today by turning on analytics in the DLP overview page. Learn more here.


Figure 6: Recommendation queue which includes all the weekly recommendations.Figure 6: Recommendation queue which includes all the weekly recommendations.

About 50% of organizations take a reactive approach to DLP as they run the policies in audit mode vs enforcing the restriction on the users[3]. A key reason for this lack of confidence in how their policies will behave and the impact it will have when deployed in production. To help organizations take a proactive approach to DLP and be confident in their policies, we are thrilled to announce that DLP admins can now simulate a DLP policy to assess its impact and fine tune the policy as required in an isolated environment through simulation mode in public preview. We have integrated simulation mode in the DLP policy configuration experience. With simulation mode, organizations can quickly see the impact of the simulated policy, including the number of documents scanned, total matches found, and the locations that the policy applies to. Within the policy simulation experience, admins can select a location of their choice to see the list of documents that matched the policy and the matched content with the right permissions, to evaluate the efficacy of the policy and ensure that the policy is catching the information it was intended it to catch.


Figure 7: Simulation mode with easy to understand insights into policy impactFigure 7: Simulation mode with easy to understand insights into policy impact

Figure 8: View the matched content in line with the familiar content explorer experience in the simulation experience.Figure 8: View the matched content in line with the familiar content explorer experience in the simulation experience.

While in simulation mode, the alerts generated by the policy are contained in the isolated environment and are not intermingled with the alerts from the policies running in the production environment, allowing DLP admins to understand how the policy might affect the volume of alerts in production. The policy being simulated can be edited at any time, and the simulation can be restarted. Once the admin is satisfied with the results of the simulation, the policy can be turned on right from the simulation experience. Simulation mode will allow DLP admins to build confidence in the configuration of the policy before deploying in the production environment and reduce enforcement time. Learn more here.


A key differentiation for Microsoft Purview DLP is the integration with Microsoft Defender XDR , which enables organizations to investigate DLP alerts in context of their security incidents from a single place. With this integration organizations do not need to collect insights from different places, analyze, and connect them together to get a picture of what data was compromised. Over the last year, we have made significant investments in enriching the DLP alert experience in the Microsoft Defender XDR portal and today we are announcing yet another set of capabilities to further enhance your current incident management experience.


  • The DLP alerts in Microsoft Defender XDR portal will now support out-of-box advanced hunting queries for specific scenarios in public preview. Organizations can click the "Go Hunt” dropdown from the DLP alert page in Microsoft Defender XDR and select from a list of pre-populated queries for common scenarios such as understanding if a file is shared externally, participants of a meetings, and more. Learn more here.
  • Enhanced filtering experience for DLP alerts in Microsoft Defender XDR portal with the capability to filter the DLP alerts queues by File Name or File Path in public preview gives you more flexibility to customize your incident management view for efficient triage. Learn more here.
  • DLP and SOC analysts will also be able to store a copy of the file that resulted in a DLP policy match on Windows endpoint, now in public preview. In March 2023, we announced that organizations needed to link an Azure blob storage to their Microsoft Purview tenant to enable this capability. Today, we are pleased to announce we are adding another option where Azure blob storage is not required, saving time spent to configure any additional settings such as adding a blob, assigning permissions, and selecting storage in policy workflow. Please note that the Azure blob storage option is not retiring, we are simply providing another option so organizations can choose the option that meets their storage needs the best. Learn more here.
  • There is support for Azure Activity Directory admin units for DLP alerts in Microsoft Defender XDR portal, in general availability, to help delegate management and remediation authority for different people in different regions or organizational units with role-based access control (RBAC). As an example, German investigators will be able to investigate alerts and audit events for only German users or DLP admins for the finance department will be able to configure policies only for employees in the finance department. We recently released support for admin units for DLP alerts in Microsoft Purview compliance portal and are now extending that support to Microsoft Defender XDR portal. Learn more here.
  • The ability to download the full file that resulted in the DLP policy match as evidence in SharePoint and OneDrive for Business are now in general availability. The option to download files will be available for DLP alerts in Microsoft Purview compliance portal as well as the DLP alerts in the Microsoft Defender XDR portal. Microsoft Defender Portal, learn more here. Microsoft Purview Compliance Portal, learn more here.


Strengthening protection

With Microsoft Purview DLP, we want to help you protect all types of sensitive information throughout its lifecycle. To help you comprehensively protect all types of data, we are continuously adding new capabilities that provide you with granular policy configuration options.


We are adding new predicates in public preview for endpoint DLP policies to better protect sensitive information on your endpoint machines. We are announcing the availability of four new predicates:

  • ‘"Document Size equals or is greater than”’ to help detect documents greater than or equal to the specified size.
  • ‘"Document Name matches patterns”’ to help detect documents with specific patterns in their name.   
  • ‘"Document couldn’t be scanned”’ to help protect documents that were not scanned such as password protected files or files that exceed the specified size limit as an example.
  • ‘"Document couldn’t complete scanning”’ to protect files in which the entire document was not scanned.

These predicates were already available for DLP policies for Exchange and now we are extending them to endpoints to allow DLP admins to create a single policy that works across their workloads. Learn more here.


Second, just-in-time protection to proactively protect files on your Windows endpoint devices is now generally available. With this capability every document on your endpoint is scanned at the time of egress to determine sensitivity, no matter whether it contains sensitive information or not or when it was created or modified. If the file being egressed has sensitive content that violates any of your DLP policy rules, the appropriate restrictions are applied and if the file does not contain any sensitive content, the action is allowed. Once the sensitivity of the file is determined and the initiated action is in adherence with your DLP policies, the action will automatically resume. Learn more here.


Next, we are excited to share that OCR is generally available for Exchange, SharePoint, OneDrive, Teams, and Windows endpoint today. With support for OCR, the DLP engine can extract text from images, quickly analyze the image for sensitive information such as credit card or social security numbers, and prevent users from sharing such images. You can enable OCR from the Microsoft Purview settings page – an active Azure subscription is required. Learn more here.


And finally, customers will experience faster detection and enforcement for DLP for Microsoft Teams chat and channel messages (in general availability). We have made significant enhancements such that the DLP engine can now detect, classify sensitive content, and enforce DLP policies in Teams within matter of a few seconds. Microsoft Purview DLP is natively integrated with Teams, leading to better performance and faster response time. Learn more about DLP in Teams here.


Expanding protection:

We understand that most customers have diverse data and digital estate, and we are investing heavily to ensure they can use Microsoft’s DLP to protect that. We are excited to share that organizations can now extend existing protection for sensitive files resting on endpoint devices against actions such as print, copy to USB, upload to cloud, and copy to clipboard, and more to Windows devices with ARM chipset in public preview.


And we are continuing to make the DLP solution for macOS comprehensive. Back in March 2023, we had announced the support for Bluetooth and apps groups for macOS endpoints. Today we are announcing that macOS will support the following capabilities in public preview:

  • Ability to create groups of USBs, printers, and network shares and apply different restrictions to each group for different actions. As an example, you will be able to create a DLP policy that allows printing from managed macOS on your corporate printers but blocks on personal printers.
  • Ability to protect files stored on the mapped network share.
  • Ability to apply most restrictive actions amongst audit, block with override, or block across multiple matching DLP rules on files that match a DLP policy.
  • Support for automatically quarantining sensitive files.

Learn more about capabilities supported on macOS endpoints here.


Get started!

Get started today with Microsoft Purview DLP by turning on endpoint DLP as it is built into Windows 10 and 11 and does not require an on-premises infrastructure setup or agents on endpoint devices. Learn more about endpoint DLP here. You can try Microsoft Purview DLP and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial


Additional resources

  • DLP whitepaper on moving from on-premises to cloud native DLP.
  • Uncover Hidden Risks podcast episode on adopting a cloud native DLP solution.
  • Mechanics video on how to create one DLP policy that works across your workloads.
  • Updated interactive guides on DLP policy configuration and management, and investigations.
  • Frequently asked questions on DLP for endpoints.
  • Guidance on optimal DLP incident management experience.
  • Investigating Microsoft Purview DLP alerts in the Microsoft Defender XDR portal.

And, lastly, join the Microsoft Purview DLP Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Data Loss Prevention. An active NDA is required. Click here to join.


We look forward to your feedback. 


Thank you,

The Microsoft Purview Data Loss Prevention Team


[1] Shaping the Data Security Narrative, July 2023, Microsoft

[2] Data Security Index Report, Oct 2023, Microsoft

[3] DLP from on-premises to cloud, Feb 2023, Microsoft

Version history
Last update:
‎Nov 15 2023 08:51 AM
Updated by: