
Security, Compliance, and Identity Blog

New capabilities that help proactively secure data with Microsoft Purview Data Loss Prevention

Shilpa_Bothra
Oct 12, 2022

We are witnessing the proliferation of different types of data and access points, coupled with an ever-evolving regulatory landscape, with hybrid work being the new normal. Additionally, the solution landscape is fragmented, with most organizations using several solutions and custom integrations to meet their data protection needs. A recent survey by MDC Research showed that to meet their compliance and data-protection needs, almost 80% had purchased multiple products, and a majority had purchased three or more [1]. Stitching together disparate solutions is not only resource-intensive but also could lead to potential blind spots and gaps in an organization’s data protection strategy. At Microsoft, we are committed to providing a unified and comprehensive solution that can help you prevent the loss of your sensitive data with Microsoft Purview Data Loss Prevention (DLP).

Microsoft Purview DLP helps users make the right decisions and take the right actions while using sensitive data, helping balance security and productivity. It is managed as a single, integrated, and extensible offering that lets organizations manage their DLP policies from one location, with a familiar user experience for both administrators and end users. DLP is easy to turn on, with protection built into Microsoft 365 cloud services, Office apps, Microsoft Edge (on Windows and Mac), and endpoint devices. DLP controls can also be extended to the Chrome browser through the Microsoft Purview extension for Chrome, and to non-Microsoft cloud apps such as Dropbox, Box, Google Drive, and others through the integration with Microsoft Defender for Cloud Apps.


Today, we are excited to announce several new capabilities in Microsoft Purview DLP focused on granular policy configuration and context for post-incident investigation on endpoint devices.

  1. Contextual evidence for DLP policy matches on endpoint devices
  2. Granular controls for policy configuration
    1. Creating groups of printers, removable storage, network share paths, and sensitive sites, and assigning different restrictive actions to each group
    2. Configuring different restrictions based on the network location of the user
    3. Support for complex conditions using AND/OR associations
    4. Support for detecting sensitive files that are password protected or encrypted
  3. Enhancements to DLP for Microsoft Teams

These capabilities help organizations balance security and productivity, which is critical to building a comprehensive data protection strategy and addressing the challenges of a modern workplace.

Contextual evidence for DLP policy matches on endpoint devices

We have heard from customers that effectively managing and triaging alerts from any DLP solution is challenging. Organizations want to be able to take remedial action quickly, which requires visibility into the sensitive content that triggered the alert as well as context around that content. Currently, as part of the DLP investigation experience for emails, Teams messages, and files in SharePoint or OneDrive for Business, DLP admins can view the contextual evidence, including the matched sensitive content and the surrounding characters, in addition to the other metadata.

We are excited to share that contextual evidence will now be available, in public preview, for DLP incidents and alerts involving sensitive files on endpoint devices. You can see the contextual evidence for Microsoft Office and PDF file matches on endpoint devices in three places:

  1. In audit logs within activity explorer, for DLP rule matches with sensitive files on endpoint devices
  2. In the event details on the DLP alerts page in the Purview Compliance Center
  3. In the Microsoft 365 Defender portal, as part of the DLP event details

This capability will be available in customers’ tenants within the next month.


Figure 1: Contextual evidence for DLP policy matches on endpoint devices


Granular controls for policy configuration

A key part of a comprehensive data protection strategy is balancing security with productivity, which has made granular policy controls a key requirement for all organizations. Currently, DLP can enforce restrictions on potential egress activities on endpoint devices such as print, copy to removable storage, copy to network shares, and upload to cloud sites. We are excited to announce, in preview, several capabilities that provide granular controls to prevent exfiltration through these common egress channels.

With these new capabilities, DLP administrators can create groups of printers, removable storage such as USB devices, network share paths, and sensitive sites, and assign a different restrictive action (block, block with override, or audit) to each group when defining DLP policies. As an example, you can configure a policy that blocks printing on all printers but applies only audit as the restriction level when the destination is one of your corporate office printers, so that employees can print certain content only through authorized printers. To add a printer to a group, you can identify it by device name, printer PID or VID, IP range, or by options such as file printer, universal printer, or corporate printer. Similar granular policy configurations can be created for groups of removable storage, network share paths, and sensitive sites.

Figure 2: Configuring groups of printers, removable storage devices, network share paths, and sensitive sites with different restrictive actions


We understand that effectively managing sensitive data across the digital landscape requires the ability to design complex policies that allow for exceptions. We are excited to announce the public preview of network location exceptions. With this capability, you can configure different enforcement restrictions based on the network the user is connected to; for example, you can enforce different restrictions for corporate networks or VPNs. VPN addresses are configured under VPN settings in Endpoint DLP settings.
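To make the two ideas above concrete (a printer group carrying its own restrictive action, and a network-location exception that changes enforcement when the device is on the corporate network or VPN), here is an added illustrative model written for this post. It is not Purview's implementation and not code from the Microsoft Purview team; the precedence order (network exception first, then the first matching printer group, then the default action), the group selectors, and all sample names and IP ranges are constructed for the example.

```python
"""Model of endpoint DLP print enforcement with printer groups and a
network-location exception.  Constructed illustration, not Purview code."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Restrictive actions named in the post, least to most restrictive.
AUDIT, BLOCK_WITH_OVERRIDE, BLOCK = "audit", "block_with_override", "block"


@dataclass
class PrinterGroup:
    """A named group of printers; a printer belongs if any selector matches."""
    name: str
    device_names: set = field(default_factory=set)   # friendly device names
    vid_pids: set = field(default_factory=set)       # USB (VID, PID) pairs
    ip_ranges: list = field(default_factory=list)    # ip_network objects
    kinds: set = field(default_factory=set)          # e.g. "file_printer", "corporate_printer"

    def matches(self, printer: dict) -> bool:
        if printer.get("name") in self.device_names:
            return True
        if (printer.get("vid"), printer.get("pid")) in self.vid_pids:
            return True
        ip = printer.get("ip")
        if ip and any(ip_address(ip) in net for net in self.ip_ranges):
            return True
        return printer.get("kind") in self.kinds


@dataclass
class PrintRule:
    default_action: str                  # action for printers in no group
    groups: list                         # PrinterGroup objects, evaluated in order
    group_actions: dict                  # group name -> action
    corporate_networks: list = field(default_factory=list)  # ip_network, incl. VPN pool
    on_corporate_network_action: Optional[str] = None       # the network-location exception


def decide_print_action(rule: PrintRule, printer: dict, device_ip: str) -> str:
    """Pick the action for one print attempt.  Precedence is a design choice of
    this example: network-location exception, then first matching group, then default."""
    if rule.on_corporate_network_action is not None:
        if any(ip_address(device_ip) in net for net in rule.corporate_networks):
            return rule.on_corporate_network_action
    for group in rule.groups:
        if group.matches(printer):
            return rule.group_actions.get(group.name, rule.default_action)
    return rule.default_action


# Constructed sample configuration mirroring the post's scenario: block printing
# everywhere, audit only for corporate office printers, audit only on corp network/VPN.
CORPORATE_PRINTERS = PrinterGroup(
    name="Corporate office printers",
    device_names={"HQ-Floor3-Printer"},
    ip_ranges=[ip_network("10.20.0.0/16")],
    kinds={"corporate_printer"},
)
SAMPLE_RULE = PrintRule(
    default_action=BLOCK,
    groups=[CORPORATE_PRINTERS],
    group_actions={CORPORATE_PRINTERS.name: AUDIT},
    corporate_networks=[ip_network("10.0.0.0/8"), ip_network("172.16.100.0/24")],  # office + VPN pool
    on_corporate_network_action=AUDIT,
)

# Constructed sample printers and client addresses.
HOME_PRINTER = {"name": "HP-Home", "ip": "192.168.1.50"}
OFFICE_PRINTER = {"name": "HQ-Floor3-Printer", "ip": "10.20.5.7"}

if __name__ == "__main__":
    print(decide_print_action(SAMPLE_RULE, HOME_PRINTER, "203.0.113.10"))    # block
    print(decide_print_action(SAMPLE_RULE, OFFICE_PRINTER, "203.0.113.10"))  # audit (printer group)
    print(decide_print_action(SAMPLE_RULE, HOME_PRINTER, "172.16.100.9"))    # audit (VPN exception)
```

The point of the model is the ordering question an administrator has to answer before enabling both features together: when a device on the VPN prints to an unknown printer, which setting wins? Whatever Purview's actual precedence is in your tenant, test it the same way, with one printer that is in a group and one that is not, from both on-network and off-network addresses.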


Figure 3: Configuring network location as an exception in DLP policies


These capabilities, including groups of printers, removable storage, network share paths, and sensitive sites, as well as network location exceptions, will be available in customers' tenants in the next month. If you are interested in early access, please register your tenants here and attend this webinar to learn more.

We are also announcing a public preview of support for complex conditions in policy authoring. With this capability, you can create nested groups with AND / OR associations between conditions. You can also add exceptions to the groups using the NOT association. In the example below, we have built a condition to detect the presence of credit card numbers in an email unless the email is sent from the Finance team or is sent to fabrikam.com. Learn more here.
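The condition in the example above reads, in Boolean form, "content contains a credit card number AND NOT (sender is a member of the Finance team OR a recipient is in fabrikam.com)". The following added example, written for this post and not Purview's implementation, evaluates that nested AND/OR/NOT tree over a constructed email. The Finance team membership, the addresses, and the 4111 1111 1111 1111 test number are constructed; the credit card detector uses a digit-length check plus a Luhn checksum, which is how the built-in Credit Card Number sensitive information type avoids matching arbitrary 16-digit strings.

```python
"""Nested AND/OR/NOT DLP condition evaluation with a credit-card detector.
Constructed illustration for this post, not Purview's rule engine."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Email:
    sender: str
    recipients: list
    body: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits with optional single space/hyphen separators between digits.
CC_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def contains_credit_card(text: str) -> bool:
    for m in CC_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def evaluate(node, email: Email) -> bool:
    """Condition tree: ("AND", [..]), ("OR", [..]), ("NOT", node), ("LEAF", predicate)."""
    op = node[0]
    if op == "AND":
        return all(evaluate(child, email) for child in node[1])
    if op == "OR":
        return any(evaluate(child, email) for child in node[1])
    if op == "NOT":
        return not evaluate(node[1], email)
    if op == "LEAF":
        return node[1](email)
    raise ValueError(f"unknown operator {op!r}")


FINANCE_TEAM = {"alice@contoso.com", "bob@contoso.com"}  # constructed group membership


def sender_in_finance(e: Email) -> bool:
    return e.sender.lower() in FINANCE_TEAM


def sent_to_domain(domain: str):
    return lambda e: any(r.lower().endswith("@" + domain) for r in e.recipients)


# Detect credit card numbers in email UNLESS sent from Finance OR sent to fabrikam.com.
RULE = ("AND", [
    ("LEAF", lambda e: contains_credit_card(e.body)),
    ("NOT", ("OR", [("LEAF", sender_in_finance), ("LEAF", sent_to_domain("fabrikam.com"))])),
])


def rule_matches(email: Email) -> bool:
    return evaluate(RULE, email)


# Constructed sample messages.
LEAK = Email("carol@contoso.com", ["dave@adatum.com"], "Card: 4111 1111 1111 1111, exp 12/25")
FROM_FINANCE = Email("alice@contoso.com", ["dave@adatum.com"], "Card: 4111 1111 1111 1111")
TO_PARTNER = Email("carol@contoso.com", ["pat@fabrikam.com"], "Card: 4111-1111-1111-1111")
BAD_CHECKSUM = Email("carol@contoso.com", ["dave@adatum.com"], "Ref 4111 1111 1111 1112")

if __name__ == "__main__":
    for name, msg in [("LEAK", LEAK), ("FROM_FINANCE", FROM_FINANCE),
                      ("TO_PARTNER", TO_PARTNER), ("BAD_CHECKSUM", BAD_CHECKSUM)]:
        print(name, rule_matches(msg))   # True, False, False, False
```

Two things the tree makes visible that a flat list of conditions hides: the exception is a NOT around an OR, so either exclusion alone suppresses the match, and a string that looks like a card number but fails the checksum never reaches the exception logic at all.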


Figure 4: Complex policy authoring using AND/OR/NOT associations


The fourth capability in this category is the public preview of support for password-protected files, allowing you to detect the presence of password-protected files on endpoint devices and configure specific restrictions for them. This is done with the condition "Document or attachment is password protected," which detects password-protected Office, PDF, or .zip files. Learn more here.

Figure 5: Support for password protected and encrypted files


Enhancements to DLP for Microsoft Teams

We are also excited to share new enhancements to DLP for Microsoft Teams, which helps organizations protect against sensitive data exfiltration through Teams chat and channel messages. We have significantly improved Teams DLP message processing, speeding up the detection and classification of sensitive content shared in Teams chat and channel messages so that DLP policies are enforced sooner (in public preview). This means users will see reduced latency before Teams DLP blocks the sharing of sensitive content. Additionally, admins can extend their Teams DLP policies to cover additional workloads such as SharePoint Online and OneDrive for Business with one click, extending protection across the digital estate without creating duplicate policies. Learn more about DLP for Teams here.

Figure 6: Extending Teams DLP policy to other workloads


These new features in Microsoft Purview DLP will start rolling out to customer tenants within the next few weeks.


We are also announcing the general availability of several capabilities:

  • DLP alerts in Microsoft 365 Defender portal, which enables a unified approach to incident management with all of your security and DLP incidents in a single unified queue. Learn more here.
  • Deep link to content viewer from the DLP alert, allowing admins to easily see additional context related to the alert, or to facilitate integration between Microsoft Purview DLP and an existing SIEM system.
  • Sensitive service domains that allow you to configure controls on websites containing sensitive corporate information on Microsoft Edge. You can choose to restrict risky activities that may lead to a data security incident, like Save-as or Add to collection for certain groups of such websites when they are accessed through the Microsoft Edge browser. This feature is natively supported in Microsoft Edge – no extension or plug-ins are needed. Learn more about this capability here. You can read more about Edge security and productivity here.


Figure 7: Setting restrictive actions for sensitive service domains


Figure 8: Blocking copying and printing sensitive information on Microsoft Edge


  • Support for trainable classifiers as a condition in DLP policies. You can use out-of-the-box or custom-built trainable classifiers and add them as conditions to your DLP policies. Learn more about trainable classifiers here.
  • Sensitive information types (SITs) that enable organizations to identify, classify, and protect credentials such as user credentials (usernames and passwords), default passwords, Azure cloud resource keys, and more, found in documents across Microsoft 365 apps, services, and endpoints. Learn more here.
  • DLP now supports 100+ file types on Exchange Online and 80+ file types on SharePoint and OneDrive. Learn about our latest announcements in Microsoft Purview Information Protection here.

Get started

We are happy to share that there is now an easier way for you to try Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial of Microsoft Purview. All you need is a Microsoft 365 E3 subscription!


Additional resources:

  • Watch these videos to learn more about Microsoft's approach to cloud DLP, endpoint DLP, and maximizing the value of DLP
  • Listen to this podcast on Microsoft Purview DLP
  • Learn more about configuring DLP policies for Microsoft 365 services and endpoints
  • Learn more about Predicates for unified DLP here
  • Read these blogs for the latest on Microsoft Purview Information Protection

In addition to these exciting assets, you can sharpen, expand, and discover new skills and earn a free certification exam by completing one of seven unique Collections on Microsoft Learn. The challenge is on until November 9.


We look forward to your feedback!


Thank you,

The Microsoft Purview Information Protection Team


[1] February 2022 survey of 200 US compliance decision-makers (n=100 599-999 employees, n=100 1000+ employees) commissioned by Microsoft with MDC Research

Updated Oct 25, 2022
Version 3.0
  •
    Steven Choy
    Copper Contributor

    I like the Removable storage DLP, but it will not work in the following use case. I want to block everyone except certain AD groups from accessing the USB drive. Is there any plan to use user groups instead of device groups?

    Thanks

  •
    CorradoP
    Copper Contributor

    Hi Shilpa_Bothra,


    Regarding the section related to "configuring network location exceptions", would you kindly confirm that what is called "corporate network" in the documentation ( Configure endpoint DLP settings - Microsoft Purview (compliance) | Microsoft Learn and Using Endpoint DLP - Microsoft Purview (compliance) | Microsoft Learn) actually refers to the set of "corporate devices" to which the endpoint DLP policy applies, and has nothing to do e.g. with Conditional Access named locations (Location condition in Azure Active Directory Conditional Access - Microsoft Entra | Microsoft Learn).


    Thanks.

  •
    szafrank
    Copper Contributor

    When will these settings be available in public preview? 

  • Steven Choy You can achieve that through a custom OMA-URI policy in Intune, if you were not aware. You can read up on it here, this will solve exactly what you're looking to do. It includes setting the default policy to deny, building a list of trusted USB types, setting a specific group to having different access, and some other examples as well.


    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune?view=o365-worldwide#deploy-removable-storage-access-control-by-using-intune-oma-uri


  •
    David Bargna
    Copper Contributor

    License requirements. At the start of each post there should be a section stating what licenses are needed

  •
    teomonda
    Copper Contributor

    What would also be nice to add in the future is more contextual evidence around emails, messages on Teams, or files in SharePoint or OneDrive for Business regarding the platform: context that is available for Endpoint DLP events but not for the others, so you cannot tell whether a Teams event is from Mac, Windows, mobile...

  •
    aymiee
    Brass Contributor

    Can I get more info on the printer group? I have a laptop that has been onboarded and is being monitored. I created a printer group and included the friendly name of my local printer. My laptop prints to it via home wireless internet. I blocked printing (which works), but when I configure a printer group restriction and allow my printer, it is not working. Does my local printer also need to be onboarded?

  • fadymoussa I'm hoping to gather a little more information on this if that's okay?


    • Is this the only Endpoint DLP feature not working for you?
      • Have you confirmed the device you're leveraging is onboarded to Microsoft Purview and the identity logged into the device is under the scope of the policy you created?
    • What is the URL you put under Endpoint DLP settings versus the one you are accessing?
    • What action are you attempting to complete from the site?
    • What settings did you set for "Audit or restricted activities when users access sensitive sites in Microsoft Edge browser on Windows devices"?
  •
    fadymoussa
    Copper Contributor

    miller34mike 

    Hi Miller 


    Yes, the device is onboarded, and it is the only endpoint feature that is not working. The policy is not violated; that's why I am not getting the action or the alert.


    • What is the URL you put under Endpoint DLP settings versus the one you are accessing? I tried different URLs (*.dlptest.com, *.dropbox.com).
    • What action are you attempting to complete from the site? I am trying to print.
    • What settings did you set for "Audit or restricted activities when users access sensitive sites in Microsoft Edge browser on Windows devices"? Block with override

      The policy is very simple:
      Condition: "User access sensitive site from edge"
      Action: "Audit or restricted activities when users access sensitive sites in Microsoft Edge browser on Windows devices".
      And I selected the sensitive site domain group.

    Thanks 
    Fady