Microsoft Purview Data Loss Prevention: Announcing general availability of several capabilities
Published Aug 28 2023 09:00 AM

At Microsoft, we are committed to providing a unified and cloud-native solution that can help you prevent the loss of your sensitive data across your applications, services, and devices without the need to deploy and maintain costly infrastructure or agents. Microsoft Purview Data Loss Prevention (DLP) is an integrated and extensible offering that allows organizations to manage their DLP policies from a single location and has a familiar user experience for both administrators and end users. DLP is easy to turn on, doesn't require any agents, and has protection built in to Microsoft 365 cloud services, Office apps, Microsoft Edge (on Windows and Mac), and endpoint devices. DLP controls can also be extended to the Chrome and Firefox browsers through the Microsoft Purview extension and to various non-Microsoft cloud apps such as Dropbox, Box, Google Drive, and others through the integration with Microsoft Defender for Cloud Apps.


Today we are excited to announce the general availability of several capabilities in Microsoft Purview Data Loss Prevention that help organizations to increase their depth of protection, extend their protection capabilities to additional planes and platforms, as well as empower administrators to be efficient in their day-to-day tasks.


Increasing the depth of protection: This category includes capabilities that help protect all types of sensitive information with comprehensive coverage, including:

  • Optical character recognition (OCR) in Exchange Online and Teams. With this capability, the DLP engine is able to extract text from images, quickly recognize if the image contains sensitive information such as credit card or social security numbers and prevent users from sharing such images. OCR for SharePoint and Endpoint is currently in public preview. Learn more here.
  • Several enhancements to the fingerprinting capabilities, including extending the support for document fingerprinting to cover additional workloads such as SharePoint Online, OneDrive, Teams, and Windows Endpoint. Additionally, organizations can create a fingerprint-sensitive information type (SIT), set the confidence threshold, and edit and test the fingerprint, all from the Data classification page in the Microsoft Purview compliance portal. You can use a fingerprint as you would any other SIT in the ‘content contains’ condition as you configure your DLP policies. Learn more here.
  • Enhancing the label detection capability to extend support for the .pfile file type, which is the file format used when files other than Office and PDF files are labelled using the Azure Information Protection client or other clients that leverage the Information Protection SDK. This is currently only supported on Exchange, and we will expand this to other workloads in the coming months. Learn more about .pfile type here and this capability here.

Enhancing the breadth of protection: This category of capabilities helps extend existing protection to support your diverse digital estate, including:

  • Ability to prevent users from pasting sensitive data to specific websites, including personal email, generative AI prompts, social media sites, and more when accessed through a supported web browser. As an example, organizations can now set DLP policies to prevent their users from copying and pasting sensitive information such as personally identifiable information (PII) from the organization’s internal databases such as SQL Server, Kusto databases, customer relationship management (CRM) tools, and more to their personal email accounts, generative AI chatbots, and social media sites on supported browsers, including Microsoft Edge, Chrome, and Firefox. Learn more here.
  • Extending existing protection for files on endpoint devices to sensitive files on virtualized environments including Windows Virtual Desktop, Citrix, AWS workspace, and Hyper-V platforms. Organizations can now protect sensitive data accessed via single and multi-session Windows 10 and 11 environments across several virtualized environments. Learn more here.
  • Extending DLP protection to sensitive files stored on network shares. With this capability, an organization’s DLP policies that restrict common egress actions such as copy to USB, print, upload to cloud, and more can be automatically extended to files containing sensitive information on network file shares as well. Learn more here.
  • Several capabilities in macOS, including the ability to protect against sensitive file exfiltration through Bluetooth apps, create groups of apps and configure how sensitive data can be accessed by each of the apps, customize notifications and policy tips to better educate users on handling sensitive data, and leverage advanced classification techniques like fingerprinting, exact data match, trainable classifiers, named entities, and more to detect sensitive content. Learn more about the capabilities supported on macOS endpoints here.

Empowering admins to be efficient: This category of capabilities empowers admins to effectively perform their day-to-day tasks and includes:

  • Ability to see additional details about the device health as well as the configuration status of all onboarded endpoint devices in the Device Onboarding tab in the Microsoft Purview compliance portal. Admins will get rich contextual information about the health of the device and visibility into which policies have synced to that device and apply to its files, allowing them to quickly identify and remediate any misconfigurations in their endpoint device setup. Learn more here.
  • Visibility into the document that resulted in the DLP policy match on the Windows endpoint. This level of visibility will enable organizations to better triage false positives and fine-tune their DLP policies to reduce noise. Additionally, in situations where the DLP alerts need further investigation, admins will be able to easily investigate the matched content and use it in case escalations. Customers will be able to provide a custom location as part of endpoint DLP settings where the files violating DLP policies will be stored. A link to the file uploaded on the customer-provided location will be made available as a part of the alert metadata at the time of investigation. Learn more here.
  • Define user scopes based on Azure Active Directory (AAD) attributes like department or geography, allowing the scoped admins to perform administrative activities like creating policies and investigating alerts for only the users in their designated scope and covered by the policy. This capability helps organizations meet their regulatory and privacy requirements by segregating the administrative activities for users based on geography. As an example, with this capability, German administrators will be able to create DLP policies for and investigate alerts from only German users. Learn more here.
  • Visibility into matched DLP conditions configured as a part of DLP policies, such as ‘Document type/extension is’, ‘Recipient or sender is a member of’, ‘Subject contains words’, ‘Content is received from’, and more, in the events tab on the DLP Alerts page. The same information about the matched condition will also be available in the DLP alerts in the Microsoft Purview Audit logs, Microsoft 365 Defender portal, and Office 365 Management Activity API. Learn more here.

Get started!

Get started today by turning on endpoint DLP, as it is built into Windows 10 and 11 and doesn’t require an on-premises infrastructure or agent. Learn more about endpoint DLP here. You can try Microsoft Purview DLP and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial.


Additional resources

And, lastly, join the Microsoft Purview DLP Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Data Loss Prevention. An active NDA is required. Click here to join.


Thank you,

The Microsoft Purview Data Loss Prevention Team

Last update: Aug 25 2023 06:25 AM