data loss prevention
Prevent data loss across your ever-expanding data estate with Microsoft Purview Data Loss Prevention
Organizations today grapple with securing data across the many devices, platforms, and data sources that make up their modern ecosystem. This challenge has become even more daunting as unsanctioned and unsupervised generative AI becomes more ubiquitous in the workplace, presenting a new frontier for sensitive data loss. In response, many teams have ended up with fragmented solutions and processes that don’t enable data loss prevention at scale, and that can even increase the rate of data security incidents.

Microsoft Purview Data Loss Prevention (DLP) offers today’s organizations a unified approach to securing data across their ever-evolving data estates. Purview DLP is not only built into the Microsoft 365 apps and desktop devices that you rely on every day, but also extends to the expanding range of data types and locations found across your environment, for example .java files as developers write or edit source code, or .txt files as information workers take notes.

Today, we are happy to announce over 25 new capabilities in Purview DLP as part of our continued commitment to helping organizations protect their business-critical data. In particular, we are investing in new ways to:

Expand visibility & protection beyond Microsoft 365, such as inline discovery of sensitive data across the network, inline protection of sensitive data accessed in Microsoft Edge for Business, and new label-based protections for non-Microsoft file types.

Simplify experiences for admins with policy sync dashboards and collection policies for more streamlined signal collection and classification.

Enhance existing protections with expanded advanced classification support and DLP coverage for all files in SharePoint & OneDrive, including previously unclassified files, enabled through the new on-demand classification capability.

Let’s dive in.
Expanded visibility & protection beyond Microsoft 365: Introducing new network & browser controls

In the era of AI and remote work, organizations need to address data loss risks holistically across their environment, especially where sensitive data could leave the trusted boundaries of the organization for untrusted, third-party locations. This is why we are excited to introduce three momentous improvements to Purview DLP:

Inline data discovery for the network, in public preview early May: Purview DLP now integrates with secure access service edge (SASE) solutions to give admins greater visibility into sensitive data that is being sent outside the organization from company devices. This can include sensitive data uploaded to personal cloud repositories or sent to third-party AI services from a desktop application.

Inline data protection in Edge for Business, in public preview early April: With information workers spending more time working in the browser than ever before [1], it’s critical that organizations secure sensitive data that could be sent to untrusted locations from the browser. These potentially risky interactions include typed submissions to unmanaged SaaS apps like Slack or consumer GenAI apps like Google Gemini and DeepSeek. Our inline DLP controls are built natively into Edge for Business, meaning they can be enabled even without endpoint DLP deployed, and they complement the existing endpoint DLP protections for uploading or pasting sensitive content into the browser.

Data security controls for unmanaged Windows & macOS devices accessing Edge for Business, in public preview late April: These built-in controls help admins enforce guardrails on what users can do with sensitive data in organization-managed apps like Salesforce or Workday when they are accessed from Edge for Business on an unmanaged or personal computer. This prevents sensitive organizational data from being exfiltrated to unmanaged devices.
To learn more about these new capabilities, visit our detailed blog.

Beyond extending Purview DLP controls to the browser and the network layer, we are also investing in deeper protections for file types beyond Office 365 or PDF. Given the variety of data types and applications that users interact with every day, it’s imperative that any sensitive file be protected as it is used, modified, or moved, regardless of its file type. Developers handle proprietary code daily, requiring protection for .java or .js files. Designers work with early branding concepts in Adobe Photoshop, requiring protection for .psd files. Engineers work with intellectual property in AutoCAD, requiring protection for .dwg files. The list goes on.

With new sensitivity label-based protections (in public preview), employees can securely work on non-Microsoft file types such as Java, Adobe Creative Cloud, and AutoCAD files that stay protected even if they leave the device. By enabling these advanced label-based protections in your endpoint DLP settings, users will be able to apply sensitivity labels with access control settings to any file, including file types beyond Office 365 or PDF. While these files reside on the end user’s endpoint device, they are treated as if they were unencrypted, so the user does not need to manually decrypt and re-encrypt the file every time they work with it. This helps minimize any impact on productivity. If the user moves or shares the file, endpoint DLP automatically encrypts it upon egress from the device, so the intended protection stays with the file wherever it lives or travels. This capability is now rolling out in public preview.
Lastly, our investment in protection parity across platforms continues with improvements for macOS devices.

First, we are excited to announce that Purview endpoint DLP can now be deployed to macOS devices independent of any device management solution. Deploying endpoint DLP across macOS devices no longer requires those devices to be managed by Microsoft Intune or Jamf. With this update, endpoint DLP can be enabled as long as users sign in successfully with an Entra ID account to a Microsoft application, or through the Microsoft Enterprise SSO plug-in for Apple devices.

Second, we are happy to share that the following endpoint DLP capabilities are now available in public preview on macOS devices in addition to Windows:

Coverage & exclusions for network shares and network share groups
OCR cost estimation
Detection & protection of sensitive data pasted to supported browsers
Full file evidence storage for endpoint DLP policy matches
Appearance of file read events in Activity Explorer

Finally, just-in-time protection for removable media and network shares is now generally available for macOS devices.

Simplified experiences for DLP admins

In a survey of 600 data security decision makers, “protecting sensitive data across multiple data sources, repositories, and workloads” emerged as the #1 concern related to data loss prevention [2]. To help our customers scale their DLP operations across an expanding data estate, we are continuing to invest in simplified and centralized admin experiences.

Historically, Microsoft Purview has been designed to discover and classify data by default using all sensitive information types (SITs) and user activities across all connected data sources; this approach enables us to provide insights into the top data risks in your organization before policies are ever created. In the coming weeks, we are introducing a flexible alternative to this default configuration for data-in-transit scenarios.
This will enable admins to more granularly define the baseline signals and information collected from each data source, starting with endpoint devices and inline discovery for the network and Edge for Business. Unlike traditional DLP policies, this new configuration is designed to streamline discovery of relevant information rather than to apply enforcement on that information. This benefits DLP admins by:

Making it easier to pinpoint relevant data events in Purview Data Security Posture Management (DSPM) and Activity Explorer, and reducing noise from SITs or user activities that are not relevant to your organization
Enabling compliance with regional regulations that restrict collection of certain data types
Reducing CPU & memory consumption from signal collection on endpoint devices
Creating a baseline configuration of SITs & user activities for existing & future DLP policies

Classifiers that are relevant to your organization can be scoped via "collection policies" under the Classifiers tab. From the new collection policies workflow, admins can define the classifiers that are relevant to their organization. Alternatively, admins can exclude classifiers that are irrelevant to their organization or scenario. Similarly, admins can define the types of user activities they would like to detect from each data source. These new configuration options are available to all Purview DLP customers based on the workloads for which they are licensed.

Next, we’ll cover several new improvements to Purview DLP that equip DLP admins with the key insights they need, faster:

Policy sync dashboards, now in public preview for cloud workloads: Starting today, admins have visibility into the status of deployed policies or policy changes directly from the DLP Overview and Policies pages. The dashboard indicates whether these policy changes have reached their target locations and identifies any sync errors. This dashboard currently supports SharePoint, Exchange, Teams, and OneDrive policies.

Device-based policy scoping, now in public preview: Admins can now scope DLP policies to specific devices or Entra device groups under Locations in the policy workflow. This enables them to tailor protections to certain devices, such as those used by vendors or contractors, or devices based in the same physical office.

Administrative unit scoping for SharePoint Online policies: Admins can now also scope DLP policies for SharePoint Online based on Entra-defined administrative units. This helps ensure that potential data loss risks in SharePoint Online are visible to and addressed by the proper personnel. For example, admin unit scoping allows DLP alerts originating from a Highly Confidential site for the Finance team to be investigated only by a specific group of incident handlers.

Save & reuse filters in Activity Explorer, now in public preview: We are also making it easier for admins to identify relevant data events and streamline investigation with the ability to save and reuse filters in Activity Explorer.

New filter for DLP alerts based on label, now in public preview: Admins can also drill down into DLP alerts generated from a specified sensitivity label, such as “Highly Confidential” or “Internal Only”, for better ease of use.

Evidence summaries for all supported file types in endpoint DLP, now in public preview: By providing admins with contextual evidence, they can better understand which classifier(s), including those detected through advanced methods like Exact Data Match, triggered the policy match. This capability extends to all supported file types on Windows & macOS devices.

Security Copilot-powered alert summarization, now in public preview for DLP alerts in Microsoft Defender XDR: Security Copilot already provides the ability to summarize DLP alerts in the Purview portal.
This skill now extends to Purview DLP alerts that are managed through the Defender XDR Incidents queue in the Defender portal.

Security Copilot skills in Purview DLP, now generally available: Three Security Copilot skills (DLP policy insights, enhanced hunting & investigation prompts, and Activity Explorer prompts) are now generally available for all Purview DLP customers with Security Compute Units. These skills help admins easily understand the full breadth of their existing DLP policy coverage and streamline investigation of potential data loss incidents.

Enhanced protections across data sources and end users

While we have invested significantly in broadening our coverage across different workloads, file types, and platforms, we also know that our customers need depth and flexibility of controls. Not only that, but these controls must optimize for the experience of end users. By continuing to strengthen our foundational capabilities, we enable admins to expand their DLP programs with confidence in existing protections. In that spirit, we are happy to share the following four key enhancements to Purview DLP.

Critical to our commitment to customers is the ability to classify and protect all files containing sensitive content, even if they have been sitting dormant for some time. With on-demand classification, in public preview, admins can now detect and classify all files containing sensitive data in a specific SharePoint or OneDrive location. This can include documents that were never previously scanned by Purview, or that have not been updated with the latest set of classifiers. If the newly classified documents match any SITs defined in an existing DLP policy, the policy immediately takes effect on that file. This helps ensure that previously unprotected files are brought under the proper DLP policies. Learn more in the Information Protection blog.

Next, we are providing admins with the ability to tailor restrictions for network share and URL groups based on the IP address or IP range from which they are accessed. This can be particularly helpful for organizations that track intranet sites by IP address and want to limit or allow access to data within those locations. This capability is now in public preview.

Last year, we announced that Purview endpoint DLP would support a significantly expanded range of file types. Today, we are continuing this momentum by announcing that advanced classification methods such as Exact Data Match and Named Entities now support this expanded list of file types on Windows devices (in public preview).

We are also expanding opportunities for user education when employees trigger a DLP policy tip. Policy tips delivered on Windows endpoint devices now support custom hyperlinks (public preview). These hyperlinks can direct users to organizational policies or security best practices when they perform an action that violates an existing endpoint DLP policy.

Licensing details

Microsoft 365 E3 subscriptions and above:
Policy sync dashboards
Save & reuse filters in Activity Explorer
Rename DLP policies
DLP Alerts filter: Label
Admin unit support for SharePoint Online policies
Security Copilot-powered DLP policy insights (requires Security Copilot Units)

Microsoft 365 E5, E5 Compliance, and E5 Information Protection & Governance:
Advanced label-based protections for non-M365 file types
All endpoint DLP capabilities for macOS
Evidence summaries for all supported file types in endpoint DLP (Windows & macOS)
Device-based policy scoping
Network share & URL group restrictions based on IP address/IP range
Advanced classification for all supported file types in endpoint DLP (Windows)
Hyperlink support in endpoint DLP policy tips (Windows)

Get started

Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant.
Hear from Microsoft leaders online at Microsoft Secure on April 9. You can try Microsoft Purview DLP and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial. Already have a Windows 10 or 11 device? You can get started easily by turning on endpoint DLP, which is built into your device and does not require an agent or on-premises component.

Additional resources
Frequently asked questions on DLP for endpoints.
Investigating Microsoft Purview DLP alerts in the Microsoft Defender XDR portal.
Customer stories to learn why leading enterprises rely on Microsoft Purview DLP.

[1] Internal Windows telemetry
[2] Internal Microsoft research

Mitigating insider risks in the age of AI with Microsoft Purview Insider Risk Management
The rapid rise of generative AI presents both transformative opportunities and critical security challenges for organizations handling sensitive data. As data security teams grapple with an increasingly fragmented tooling landscape and a relentless stream of alerts, the use of AI within organizations may also bring new risks such as data leakage and exposure of sensitive information in third-party generative AI apps. AI has the potential to both reinforce security protocols and automate defenses, enhancing resilience against evolving data risks. However, securing AI itself is just as vital, ensuring the very tools organizations rely on remain protected. By adopting integrated and intelligent data security solutions, businesses can not only safeguard sensitive data but also empower teams to operate more efficiently, shifting focus from reactive to proactive defense.

Microsoft Purview Insider Risk Management (IRM) addresses these pressing needs by offering comprehensive visibility into how users interact with data within your organization. It integrates machine learning-based detection controls, dynamic protections, and advanced privacy controls to help organizations effectively manage and mitigate insider risks. IRM correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Expanding visibility into risky AI usage across more AI workloads

Despite the high interest in AI adoption, the 2024 Microsoft Data Security Index [1] reveals that 84% of surveyed organizations want greater confidence in managing and discovering data input into AI applications.
Data leakage remains a top concern for 80% of business leaders, while the rise of shadow AI adds to the complexity, with 78% of users bringing their own AI tools like ChatGPT. Emerging threats such as indirect prompt injection attacks are also on the radar, with 11% identifying them as critical risks. Therefore, it is crucial for organizations to understand how their employees interact with generative AI tools.

At Ignite last fall, we announced several new capabilities to help identify risky generative AI usage by insiders on Microsoft 365 Copilot, ChatGPT Enterprise, and Copilot Studio, enabling organizations to accelerate their AI adoption while ensuring robust data security and governance. To continue addressing the expansion of GenAI tools and scenarios, today we’re excited to announce new Risky GenAI usage detections in IRM for the enterprise-built apps Copilot for Fabric and Security Copilot, as well as for third-party apps such as Gemini, ChatGPT consumer, Copilot Chat, and DeepSeek. The detections cover a wide range of activities, including risky prompts that contain sensitive information or exhibit risky intent, as well as sensitive responses that either contain sensitive information or are generated from sensitive files or sites, enabling admins to identify and mitigate risky AI usage.

(Figure 1: IRM risky AI usage activity detected in Copilot for Fabric)

Additionally, these signals contribute to Adaptive Protection insider risk levels, further enhancing the data security posture of the organization and helping balance protection and productivity. Adaptive Protection will also be leveraged by the new data security capabilities native to the Microsoft Edge for Business browser to dynamically enforce different levels of protection based on the risk level of the user interacting with the AI application.
For example, Adaptive Protection can enable admins to block low-risk users only from submitting prompts containing the highest-sensitivity classifiers for their organization, such as M&A-related data or intellectual property, while blocking prompts containing any sensitive information type (SIT) for an elevated-risk user. These updates will empower organizations to better manage and secure their AI usage and safeguard valuable data, increasing their confidence in their AI adoption. Check out all the new capabilities we're announcing today across Microsoft Security to secure data in the era of AI.

Introducing Alert Triage Agents in Insider Risk Management

There are also significant opportunities to leverage generative AI to enhance data security teams' efficiency and enable them to prioritize critical tasks and risks. Organizations face an average of 66 data security alerts per day, but teams only have time to review 63% of them [2]. The large volume of alerts, combined with an ongoing shortage of security professionals, makes it increasingly challenging for organizations to stay ahead of potential data security risks and avoid blind spots in their data security programs.

To support customers in addressing these challenges, we are thrilled to announce the Alert Triage Agent in IRM. This new autonomous Security Copilot capability integrated into IRM offers an agent-managed alert queue that highlights the IRM alerts posing the greatest risk to your organization, which should be tackled first. The agent analyzes the content and potential intent behind an alert, based on the organization’s chosen parameters, to identify which alerts might signal bigger impacts on sensitive data and need to be prioritized, and it also explains the categorization logic. Today, most teams still rely on manual triage, static rule-based filtering, and siloed security tools, which are often ineffective and create blind spots in data security programs.
Now, admins can choose which IRM policies they’d like to triage alerts from and which information the agent should focus on, as well as provide the agent with inputs to calibrate results to better match the organization’s priorities.

(Figure 2: Alert Triage Agent in IRM queue, with prioritization rationale)

Customers will be able to leverage the following benefits:

Enhanced alert management: Improves alert prioritization, addressing critical risks first and leading to faster response times.
Increased team efficiency: Teams of varying degrees of expertise will be able to efficiently handle more alerts, improving the overall percentage of risks addressed.
Dynamic response: The agent will autonomously identify important alerts based on the selected parameters and will learn from feedback in natural language, dynamically fine-tuning alert prioritization.

The Alert Triage Agent is seamlessly integrated within IRM to enhance workflow efficiency through Security Copilot, a trusted and reliable platform that dynamically learns and adapts to emerging threats with a proven track record [3]. Alert Triage Agents in Purview public preview starts rolling out on April 27. To get started, visit the Security Copilot product page for more information. Already using Security Copilot? Make sure you’re signed up for the Security Copilot Customer Connection Program (CCP) to receive the latest updates and try the new features; join today at aka.ms/JoinCCP.

New insider risk scenarios and continuous product experience improvement

We are also continually expanding IRM scenarios and improving admin experiences to better address the most pressing challenges customers face. When facing data breaches, organizations struggle to understand the sensitivity and importance of the data involved due to fractured workflows and multiple tools.
Breaches involving stolen credentials take nearly 10 months to identify and contain [4], and customers have expressed the need for a unified product to reduce incident resolution time and safeguard their data. Today we’re excited to announce the integration of IRM with the new Microsoft Purview Data Security Investigations (DSI). DSI accelerates data risk mitigation using generative AI-powered deep content analysis enriched with activity insights to dive deep into organizations’ emails, instant messages, and documents. When evaluating a risky user with IRM, you can now escalate the case to DSI instead of reviewing files individually. The integration between IRM and DSI allows a data security admin who identifies that a risky user needs deeper investigation to launch a pre-scoped investigation directly from the user activity pane, where they can view content analysis related to that user and better assess post-incident data impact.

(Figure 3: DSI case being launched from Insider Risk Management)

Data security context is also vital for SOC teams to better understand user intent and the sensitivity of the data involved in a possible attack. To strengthen the integration of data security into the SOC experience, we are bringing insider risk user analytics to Microsoft Defender XDR on the user entity page, for all users. Now, any potentially risky behavior by a user involved in an XDR incident will be surfaced, regardless of whether they triggered an IRM policy, enabling SOC analysts to evaluate behavior patterns that could have influenced the incident. User analytics will also be available for DLP and Communication Compliance investigations, and in Defender XDR Advanced Hunting tables, in a few months.

Increasing the connection of IRM with the broader Microsoft Purview stack, we’re now adding DLP alerts as IRM indicators to detect when a user activity triggers a DLP policy.
This capability gives admins greater visibility and efficiency by consolidating a user’s risky activity that triggers DLP and/or IRM policies, eliminating the need to switch between solutions to evaluate data risks. We are also bringing a new indicator, ‘Email to personal email accounts’, to alert when business-sensitive data is potentially leaked via email attachments to free public domains or personal email accounts. Now, admins will be able to better understand the intent behind emails with sensitive data attached being sent to a personal email account for non-business reasons.

To enhance the end-user experience, we have made several improvements that enable teams to refine their data security strategy and facilitate insider risk investigations. Enhancements include:

Increasing IRM policy template units: Policy creation limits increase from 20 to 100 policies per template, enabling organizations to create a more granular policy strategy that better fits their needs, such as different data security needs in different groups of the organization or regulatory requirements.
Endpoint collection policy update: Admins can now leverage collection policies to more granularly scope what is collected from the endpoint and used in IRM policies.
Email signature exclusion enhancement: Updated keyword exclusion logic excludes noisy signals when email signature images are treated as attachments by a policy.

These capabilities will start rolling out to customers’ tenants within the coming weeks. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9.

Get started

To get started, read more about Insider Risk Management in our technical documentation. Stay up to date on Microsoft Purview features through the Microsoft 365 Roadmap for Microsoft Purview.
Visit your Microsoft Purview compliance portal to activate your free trial and begin using new features. An active Microsoft 365 E3 subscription is required to activate the free trial.

[1] Microsoft Data Security Index annual report highlights evolving generative AI security needs | Microsoft Security Blog
[2] Microsoft Data Security Index annual report highlights evolving generative AI security needs | Microsoft Security Blog
[3] Randomized Controlled Trial for Copilot for Security
[4] Cost of a data breach 2024 | IBM

Announcing Alert Triage Agents in Microsoft Purview, powered by Security Copilot
Powered by Security Copilot, the Alert Triage Agents will help organizations prioritize the most critical risks faster. By triaging alerts based on parameters provided by the organization and fine-tuning the process through feedback from data security teams, the agent will upskill teams, speed up investigation, and enable more decisive data risk mitigation.

Building layered protection: New Microsoft Purview data security controls for the browser & network
Microsoft is committed to helping our customers protect their data wherever it lives or travels, even as the modern data estate grows more complex. Over the years, we have taken a uniquely seamless approach of building protections directly where data is stored, used, or moves, helping customers get up and running easily without compromising on coverage. Our journey started with native integration of Purview data security controls into Microsoft 365 apps and services. This built-in design enables us to secure data right where most of your organization’s productivity takes place, without added latency or onboarding. This principle has continued with built-in controls for Teams, Power BI, Fabric, and Microsoft 365 Copilot. We have also extended protections to Windows and macOS endpoint devices using a differentiated, agentless model that delivers visibility and control without deployment headaches or a heavy on-premises footprint.

However, the nature of modern work is continuously evolving: generative AI tools are increasingly ubiquitous in the digital workplace, and information workers are spending more time working in the browser than ever before [1]. As such, we are once again evolving our solutions for the modern AI era by extending Purview data security capabilities to the network layer and Microsoft Edge for Business. These capabilities include:

Inline discovery of sensitive data across the network through secure access service edge (SASE) integration
Inline discovery & protection of sensitive data in Edge for Business
Data security controls for unmanaged Windows & macOS devices using Edge for Business

When combined with existing Purview protections across cloud, email, and endpoints, the new browser and network controls empower teams to build a layered data protection strategy that scales with the pace and complexity of today’s data ecosystems.
Introducing inline data discovery for the network

Historically, Microsoft Purview has been able to allow or block the use of sensitive data within specified applications through our cloud and endpoint data loss prevention (DLP) solutions. As users interact with a wider variety of cloud-connected apps & services throughout the day, such as unmanaged SaaS apps, personal cloud storage services, and consumer GenAI apps, organizations need greater oversight of sensitive data that is being sent outside the trusted boundaries of the organization.

Today, we are excited to share that Microsoft Purview is opening its best-in-class data classification and data loss prevention policies to an ecosystem of secure access service edge (SASE) solutions. Integrating Purview with your SASE technology of choice enables you to secure sensitive data at the network layer using the same tools and workflows you rely on every day. This approach also extends Purview inspection, classification, and policy verdicts to data in unmanaged, third-party locations, all at the speed and scale of the cloud. Users won’t have their pace and productivity disrupted while policies await decisions from on-premises classification systems, and admins can intercept sensitive data before it is leaked to risky destinations.

Alongside us for the start of this journey are Netskope, a Leader in the Gartner Magic Quadrant for SSE and SASE; iboss, a Leader in the IDC ZTNA MarketScape; and Palo Alto Networks, a Leader in the Gartner Magic Quadrant for SSE and SASE. We are excited to announce that inline discovery of sensitive data will be available in public preview early May through the Netskope One SSE and iboss Zero Trust SASE integrations. The integration with Palo Alto Networks Prisma Access for inline discovery will be available later this year. The list of supported SASE partners will continue to expand in the coming months.
Through these joint solutions, we can help our customers see greater value from bringing together best-of-breed data security and network visibility. "As insider threats rise and adversaries leverage AI, large enterprises are strengthening their security strategies by integrating insights from diverse tools. Netskope’s seamless integration with Microsoft Purview tackles these evolving challenges head-on, enhancing data protection and ensuring classified information remains secure." – Siva VRS, Wipro, Vice President & Global Business Unit Head, Cyber Security Practices Securing risky data interactions through SASE integration Through the upcoming Netskope and iboss integrations, your SASE solution will provide visibility into network traffic originating from managed devices to potentially untrusted locations. These interactions can be initiated from desktop applications such as the ChatGPT desktop app, cloud file sync apps like Box, and even non-Microsoft browsers such as Opera or Brave. Examples of common but potentially risky interactions include: Intentional or inadvertent exfiltration of sensitive company data to a personal or 3rd party instance of an application: For example, an employee is working with a partner outside of their organization on an upcoming project via the Slack desktop application. If the employee sends sensitive data to that 3rd party Slack channel, such as customer account numbers or contact information, this event will be captured in Purview Data Security Posture Management (DSPM) and Activity Explorer, and the admin can dive deeper into the sensitive data that was exfiltrated & its destination: Use of unsanctioned generative AI applications or plugins: Some employees in your organization may have installed an unsanctioned GPT plugin for their Microsoft Word application, for example. 
If they prompt the plugin to summarize the contents of the Confidential merger & acquisition document that is open, this prompt will also be captured in Purview DSPM for AI. Learn more about inline discovery of sensitive data in GenAI applications in this blog. Detection & discovery of these events provide data security admins invaluable insight into how sensitive data is leaving trusted locations through the network, even before policies are ever created. From Purview DSPM, admins can better understand how the sensitive data detected in network activity contributes to their organizational risk, such as the top applications to which users send sensitive data, and the types of data that are most frequently exfiltrated. Even better, DSPM provides proactive policy recommendations for controls that can help address this risk. Additionally, admins have the option to leverage Activity Explorer to drill down into specific egress points and destinations of sensitive data to better inform their protection strategy. Visibility of sensitive data in motion not only gives admins insight into how to improve their data loss prevention strategy, but also broadens their aperture of activities that could indicate potentially risky behavior by users. In the coming months, these new network signals will unlock a new category of policy indicators in Purview Insider Risk Management. Indicators for user activities such as file uploads or AI prompt submissions detected through the network will help Insider Risk Management formulate richer and comprehensive profiles of user risk. In turn, these signals will also better contextualize future data interactions and enrich policy verdicts. Introducing inline data protection in Edge for Business Every day, your employees interact with data across a variety of web applications & services. Chances are, some of this data is sensitive or proprietary for the organization. 
For that reason, it’s growing increasingly critical to have visibility and control over how employees interact with sensitive data within the browser. Today, we are excited to announce two new capabilities that represent significant strides in our growing set of native data security controls for Edge for Business, the secure enterprise browser optimized for AI: inline data protection and data security controls for unmanaged devices. With the new inline protection capability for Edge for Business, available in public preview in the coming weeks, you can prevent data leakage across the various ways that users interact with sensitive data in the browser, including typing of text directly into a web application or generative AI prompt. Inline protection is built natively into Edge for Business, meaning it can be enabled even without endpoint DLP deployed, and complements existing endpoint DLP protections for uploading or pasting sensitive content to the browser. Starting with some of the top consumer GenAI apps (ChatGPT, Google Gemini, and DeepSeek), admins will be able to block typed prompts containing sensitive data. This list will continuously expand to support a broad range of unmanaged apps, including additional genAI, email, collaboration, and social media apps. In the example below, you can see how a Purview DLP policy can block a user from submitting a prompt containing sensitive M&A details to Google Gemini for summarization: Inline protection can also leverage Adaptive Protection policy conditions for activities in GenAI apps. This enables data security admins to tailor the level of enforcement to the risk level of the user interacting with the data, minimizing disruption to day-to-day AI usage. 
For example, Adaptive Protection can enable admins to block low-risk users from submitting prompts containing the highest-sensitivity classifiers for their organization, such as M&A-related data or intellectual property, while blocking prompts containing any sensitive information type (SIT) for an elevated-risk user. To bring this full circle, risky prompts sent to GenAI apps or responses containing sensitive information can also raise a user’s risk level through risky AI usage detections in Insider Risk Management. This helps organizations understand and adapt to how insiders are interacting with data in AI apps. Similarly to inline data discovery for the network, visibility into sensitive data use in Edge for Business will now surface in Purview DSPM, even if a protection policy has not yet been deployed. If DSPM observes high data exfiltration risk originating from Edge for Business, it will proactively recommend a set of data security policies to mitigate that risk, such as blocking typed sensitive data and sensitive files from being sent to consumer AI apps. Purview data security controls for unmanaged devices In addition to the new inline protection capability, we are thrilled to announce that Purview data security controls now extend to Edge for Business on unmanaged Windows or macOS devices. These data loss prevention policies, rolling out in public preview in the coming weeks, allow organizations to prevent or enable access to data in organizational apps based on the sensitivity of the data, as long as the end user is logged into their Edge for Business profile. This is particularly relevant for organizations that leverage a significant contractor or frontline workforce, or enable bring-your-own-device (BYOD) policies. Similarly to inline protection, these controls are built natively into Edge for Business and can be activated even without endpoint DLP deployed. 
As an example, your organization may allow a contractor to use a personal macOS device to access corporate resources. By opening Edge for Business and logging in using their Entra ID account, Purview data security policies can now be applied to that browser session. If the contractor navigates to a managed app such as Workday or a proprietary line of business app, you can apply context-aware data protections such as allowing download of a benefits brochure that does not contain any sensitive information, but preventing download of employee or patient records that contain sensitive data. This context-aware policy helps organizations balance adequate data security controls with end user productivity. To learn more about security capabilities built into Edge for Business, the secure enterprise browser, visit the blog. Licensing details Inline data discovery via 3rd party network integrations: Your global admin will be able to enable this capability by activating Purview pay-as-you-go meters. Pricing will be based on the number of requests captured through network traffic within the scope of a policy. Additional pricing details will be available with public preview rollout in early May. Inline discovery & protection in Edge for Business: Included in E5, E5 Compliance, and E5 Information Protection & Governance up to a certain number of requests. (Note: Inline protection for Edge for Business is included in E5 today. Microsoft will monitor the telemetry and reserve the right to declare a certain threshold where this data will be absorbed in an E5 license, and reserve the right to charge additionally based on usage beyond such threshold.) Data security controls for unmanaged devices accessing Edge for Business: Included in E5, E5 Compliance, and E5 Information Protection & Governance. Get started You can try Microsoft Purview data security solutions directly in the Microsoft Purview compliance portal with a free trial. 
Want to learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant? Hear from Microsoft leaders online at Microsoft Secure on April 9. [1] Internal Windows telemetry1.7KViews2likes0CommentsStrengthen data security posture in the era of AI with Microsoft Purview
Today, data usage has moved beyond the traditional borders of business: data is now stored on-premises, in multiple clouds, and on devices, and accessed from within and outside of your corporate networks. Data has become the lifeblood of every business, driving insights that enable effective operations, competitive advantage, and productive collaboration among employees. IDC predicts that the datasphere will double by 2026, meaning data everywhere, and exponentially growing. With this growth in data and with organizations adopting multiple cloud infrastructures and platforms, data security incidents are widespread and increasing in severity. In 2024, 27% of data security incidents were severe compared to 20% in 2023 [1], costing millions of dollars every year to resolve. Additionally, organizations faced 66 alerts per day, up from 52 in 2023 [2].

Fortify data security with an integrated approach

Data security is a cornerstone of effective cybersecurity programs – as data is at the center of cyberattacks. Safeguarding sensitive information, spanning from employee and customer data to intellectual property, financial projections, and operational records, against an array of cyberthreats, data breaches, and insider risks, is a top priority for these organizations. Although essential, for many customers, securing all their data is a complex and multi-faceted undertaking. Organizations typically deploy multiple non-integrated data security solutions, increasing complexity, cost, and security gaps due to fragmented data handling, inconsistent classification, redundant alerts, and limited investigative insights. A vast majority (82%) of decision makers we spoke to agree that an integrated platform is superior to managing multiple isolated tools. To effectively address this complexity, organizations need a unified approach to data security.

Microsoft Purview provides a comprehensive integrated set of tools in Information Protection, Insider Risk Management, and Data Loss Prevention that can together help you:

- Discover hidden risks to your data
- Create effective protection and prevention policies
- Quickly respond to and remediate data security incidents

These solutions have been built to work better together with reinforced synergy across the platform.

New AI-powered data security investigations and analysis

Today, we are announcing Microsoft Purview Data Security Investigations (DSI), a new generative AI-powered solution that helps data security teams quickly understand and mitigate risks associated with sensitive data exposure. DSI further expands Microsoft Purview data security offerings, introducing AI-powered deep content analysis to uncover key sensitive data and security risks within incident-related data across multiple languages. DSI can uniquely draw correlations among incident-related data, users, and user activities. Incident investigators can use DSI to collaborate securely with partner teams to enhance mitigation, simplifying previously complex and time-consuming tasks. The solution is also integrated with our Microsoft Security solutions; you can launch a data security investigation via a Defender XDR incident or a Purview Insider Risk Management case. DSI is available for preview starting April 9. Learn more in our blog.

Agents designed to unlock new levels of productivity and security efficacy

To help customers further increase the efficacy of their data security programs and focus on the most critical risks, today we are announcing Alert Triage Agents in Microsoft Purview Data Loss Prevention (DLP) and Insider Risk Management (IRM). These autonomous Security Copilot capabilities integrated into Microsoft Purview offer an agent-managed alert queue that identifies the DLP and IRM alerts that pose the greatest risk to your organization and should be prioritized first. Today, most teams still rely on manual triage, static rule-based filtering, and siloed security tools [3], which are often ineffective, create blind spots, and can slow down risk mitigation. Our new agents empower data security teams to focus on the most important alerts and concentrate on the critical threats, with a dynamic process that takes inputs from data security admins and calibrates the triage results to better match the organization’s priorities. Learn more in our blog.

Expanding data discovery and protection to the network and browser

At Microsoft Purview, we are committed to helping our customers protect their data wherever it lives or travels - even as the modern data estate grows more complex. The nature of modern work is continuously evolving: generative AI tools are increasingly ubiquitous in the digital workplace, and information workers are spending more time working in the browser than ever before [4]. As such, we are extending Purview data security capabilities to the network layer and enhancing our browser-based capabilities for Microsoft Edge for Business. These capabilities include:

- Inline discovery of sensitive data across the network, delivered in partnership with Netskope One and iboss Zero Trust SASE through secure access service edge (SASE) integration
- Inline discovery & protection of sensitive data in Edge for Business
- Data access restrictions in Edge for Business for unmanaged Windows and macOS devices

Learn more in our blog.

Securing data across various devices, platforms, and data sources

Organizations today grapple with securing data across the various devices, platforms, and data sources that comprise their modern ecosystem. This challenge has become even more daunting as unsanctioned and unsupervised generative AI becomes more ubiquitous in the workplace, presenting a new frontier for sensitive data loss. Microsoft Purview Data Loss Prevention (DLP) offers today’s organizations a unified approach to securing data across their ever-evolving data estates. Purview DLP not only is built into the Microsoft 365 apps and desktop devices that you rely on every day but also extends to the expanding range of data types and locations found across your environment. Today we are announcing a number of enhancements to our existing rich set of DLP capabilities:

- Expanded visibility & protection beyond Microsoft 365 with inline discovery of sensitive data across the network, inline protection of sensitive data accessed in Microsoft Edge for Business, and new label-based protections for non-Microsoft file types.
- Simplified day-to-day admin experiences with policy sync dashboards and a new collection policy workflow to help organizations scale their DLP operations across an expanding data estate.
- Enhanced existing protections with expanded advanced classification support and DLP coverage for previously unscanned files in SharePoint and OneDrive.

Learn more in our blog.

Expanding visibility into risky AI usage across more AI workloads

A growing area of concern is the rise in data security incidents from the use of AI applications, which nearly doubled from 27% in 2023 to 40% in 2024 [5], while the rise of shadow AI adds to the complexity, with 78% of users bringing their own AI tools like ChatGPT. Emerging threats such as indirect prompt injection attacks are also on the radar, with 11% identifying them as critical risks. Therefore, it is crucial for organizations to understand how their employees interact with generative AI tools. To continue addressing the expansion of GenAI tools and scenarios, today we’re excited to announce new risky GenAI usage detections in Insider Risk Management for Copilot for Power BI and Security Copilot, as well as for 3rd party apps such as Gemini, ChatGPT consumer, Bing, and DeepSeek. The detections will cover a wide range of activities, including risky prompts that contain sensitive information or exhibit risky intent, as well as sensitive responses that either contain sensitive information or are generated from sensitive files or sites, enabling admins to identify and mitigate risky AI usage. Learn more in our blog.

And finally, we are also bringing several new capabilities to Information Protection. Learn more in our blog.

Getting started with Microsoft Purview

You can try these and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9.

[1] [2] [5] Data Security Index Report, Microsoft, Dec 2024
[3] What is AI-Powered Alert Triage? | Intezer
[4] Windows telemetry

Enhance AI security and governance across multi-model and multi-cloud environments
Generative AI adoption is accelerating, with AI transformation happening in real-time across various industries. This rapid adoption is reshaping how organizations operate and innovate, but it also introduces new challenges that require careful attention. At Ignite last fall, we announced several new capabilities to help organizations secure their AI transformation. These capabilities were designed to address top customer priorities such as preventing data oversharing, safeguarding custom AI, and preparing for emerging AI regulations. Organizations like Cummins, KPMG, and Mia Labs have leveraged these capabilities to confidently strengthen their AI security and governance efforts. However, despite these advancements, challenges persist. One major concern is the rise of shadow AI—applications used without IT or security oversight. In fact, 78% of AI users report bringing their own AI tools, such as ChatGPT and DeepSeek, into the workplace 1 . Additionally, new threats, like indirect prompt injection attacks, are emerging, with 77% of organizations expressing concerns and 11% of organizations identifying them as a critical risk 2 . To address these challenges, we are excited to announce new features and capabilities that help customers do the following: Prevent risky access and data leakage in shadow AI with granular access controls and inline data security capabilities Manage AI security posture across multi-cloud and multi-model environments Detect and respond to new AI threats, such as indirect prompt injections and wallet abuse Secure and govern data in Microsoft 365 Copilot and beyond In this blog, we’ll explore these announcements and demonstrate how they help organizations navigate AI adoption with confidence, mitigating risks, and unlocking AI’s full potential on their transformation journey. 
Prevent risky access and data leakage in shadow AI With the rapid rise of generative AI, organizations are increasingly encountering unauthorized employee use of AI applications without IT or security team approval. This unsanctioned and unprotected usage has given rise to “shadow AI,” significantly heightening the risk of sensitive data exposure. Today, we are introducing a set of access and data security controls designed to support a defense-in-depth strategy, helping you mitigate risks and prevent data leakage in third-party AI applications. Real-time access controls to shadow AI The first line of defense against security risks in AI applications is controlling access. While security teams can use endpoint controls to block access for all users across the organization, this approach is often too restrictive and impractical. Instead, they need more granular controls at the user level to manage access to SaaS-based AI applications. Today we are announcing the general availability of the AI web category filter in Microsoft Entra Internet Access to help enforce access controls that govern which users and groups have access to different AI applications. Internet Access deep integration with Microsoft Entra ID extends Conditional Access to any AI application, enabling organizations to apply AI access policies with granularity. By using Conditional Access as the policy control engine, organizations can enforce policies based on user roles, locations, device compliance, user risk levels, and other conditions, ensuring secure and adaptive access to AI applications. For example, with Internet Access, organizations can allow your strategy team to experiment with all or most consumer AI apps while blocking those apps for highly privileged roles, such as accounts payable or IT infrastructure admins. For even greater security, organizations can further restrict access to all AI applications if Microsoft Entra detects elevated identity risk. 
Inline discovery and protection of sensitive data Once users gain access to sanctioned AI applications, security teams still need to ensure that sensitive data isn’t shared with those applications. Microsoft Purview provides data security capabilities to prevent users from sending sensitive data to AI applications. Today, we are announcing enhanced Purview data security capabilities for the browser available in preview in the coming weeks. The new inline discovery & protection controls within Microsoft Edge for Business detect and block sensitive data from being sent to AI apps in real-time, even if typed directly. This prevents sensitive data leaks as users interact with consumer AI applications, starting with ChatGPT, Google Gemini, and DeepSeek. For example, if an employee attempts to type sensitive details about an upcoming merger or acquisition into Google Gemini to generate a written summary, the new inline protection controls in Microsoft Purview will block the prompt from being submitted, effectively blocking the potential leaks of confidential data to an unsanctioned AI app. This augments existing DLP controls for Edge for Business, including protections that prevent file uploads and the pasting of sensitive content into AI applications. Since inline protection is built natively into Edge for Business, newly deployed policies automatically take effect in the browser even if endpoint DLP is not deployed to the device. : Inline DLP in Edge for Business prevents sensitive data from being submitted to consumer AI applications like Google Gemini by blocking the action. The new inline protection controls are integrated with Adaptive Protection to dynamically enforce different levels of DLP policies based on the risk level of the user interacting with the AI application. 
For example, admins can block low-risk users from submitting prompts containing the highest-sensitivity classifiers for their organization, such as M&A-related data or intellectual property, while blocking prompts containing any sensitive information type (SIT) for elevated-risk users. Learn more about inline discovery & protection in the Edge for Business browser in this blog. In addition to the new capabilities within Edge for Business, today we are also introducing Purview data security capabilities for the network layer available in preview starting in early May. Enabled through integrations with Netskope and iboss to start, organizations will be able to extend inline discovery of sensitive data to interactions between managed devices and untrusted AI sites. By integrating Purview DLP with their SASE solution (e.g. Netskope and iBoss), data security admins can gain visibility into the use of sensitive data on the network as users interact with AI applications. These interactions can originate from desktop applications such as the ChatGPT desktop app or Microsoft Word with a ChatGPT plugin installed, or non-Microsoft browsers such as Opera and Brave that are accessing AI sites. Using Purview Data Security Posture Management (DSPM) for AI, admins will also have visibility into how these interactions contribute to organizational risk and can take action through DSPM for AI policy recommendations. For example, if there is a high volume of prompts containing sensitive data sent to ChatGPT, DSPM for AI will detect and recommend a new DLP policy to help mitigate this risk. Learn more about inline discovery for the network, including Purview integrations with Netskope and iBoss, in this blog. Manage AI security posture across multi-cloud and multi-model environments In today’s rapidly evolving AI landscape, developers frequently leverage multiple cloud providers to optimize cost, performance, and availability. 
Different AI models excel at various tasks, leading developers to deploy models from various providers for different use cases. Consequently, managing security posture across multi-cloud and multi-model environments has become essential. Today, Microsoft Defender for Cloud supports deployed AI workloads across Azure OpenAI Service, Azure Machine Learning, and Amazon Bedrock. To further enhance our security coverage, we are expanding AI Security Posture Management (AI-SPM) in Defender for Cloud to improve compatibility with additional cloud service providers and models. This includes: Support for Google Vertex AI models Enhanced support for Azure AI Foundry model catalog and custom models With this expansion, AI-SPM in Defender for Cloud will now offer the discovery of the AI inventory and vulnerabilities, attack path analysis, and recommended actions to address risks in Google VertexAI workloads. Additionally, it will support all models in Azure AI Foundry model catalog, including Meta Llama, Mistral, DeepSeek, as well as custom models. This expansion ensures a consistent and unified approach to managing AI security risks across multi-model and multi-cloud environments. Support for Google Vertex AI models will be available in public preview starting May 1, while support for Azure AI Foundry model catalog and custom models is generally available today. Learn More. 2: Microsoft Defender for Cloud detects an attack path to a DeepSeek R1 workload. In addition, Defender for Cloud will also offer a new data and AI security dashboard. Security teams will have access to an intuitive overview of their datastores and AI services across their multi-cloud environment, top recommendations, and critical attack paths to prioritize and accelerate remediation. The dashboard will be generally available on May 1. The new data & AI security dashboard in Microsoft Defender for Cloud provides a comprehensive overview of your data and AI security posture. 
These new capabilities reflect Microsoft’s commitment to helping organizations address the most critical security challenges in managing AI security posture in their heterogeneous environments. Detect and respond to new AI threats Organizations are integrating generative AI into their workflows and facing new security risks unique to AI. Detecting and responding to these evolving threats is critical to maintaining a secure AI environment. The Open Web Application Security Project (OWASP) provides a trusted framework for identifying and mitigating such vulnerabilities, such as prompt injection and sensitive information disclosure. Today, we are announcing Threat protection for AI services, a new capability that enhances threat protection in Defender for Cloud, enabling organizations to secure custom AI applications by detecting and responding to emerging AI threats more effectively. Building on the OWASP Top 10 risks for LLM applications, this capability addresses those critical vulnerabilities highlighted on the top 10 list, such as prompt injections and sensitive information disclosure. Threat protection for AI services helps organizations identify and mitigate threats to their custom AI applications using anomaly detection and AI-powered insights. With this announcement, Defender for Cloud will now extend its threat protection for AI workloads, providing a rich suite of new and enriched detections for Azure OpenAI Service and models in the Azure AI Foundry model catalog. New detections include direct and indirect prompt injections, novel attack techniques like ASCII smuggling, malicious URL in user prompts and AI responses, wallet abuse, suspicious access to AI resources, and more. Security teams can leverage evidence-based security alerts to enhance investigation and response actions through integration with Microsoft Defender XDR. 
For example, in Microsoft Defender XDR, a SOC analyst can detect and respond to a wallet abuse attack, where an attacker exploits an AI system to overload resources and increase costs. The analyst gains detailed visibility into the attack, including the affected application, user-entered prompts, IP address, and other suspicious activities performed by the bad actor. With this information, the SOC analyst can take action and block the attacker from accessing the AI application, preventing further risks. This capability will be generally available on May 1. Learn More. : Security teams can investigate new detections of AI threats in Defender XDR. Secure and govern data in Microsoft 365 Copilot and beyond Data oversharing and non-compliant AI use are significant concerns when it comes to securing and governing data in Microsoft Copilots. Today, we are announcing new data security and compliance capabilities. New data oversharing insights for unclassified data available in Microsoft Purview DSPM for AI: Today, we are announcing the public preview of on-demand classification for SharePoint and OneDrive. This new capability gives data security admins visibility into unclassified data stored in SharePoint and OneDrive and enables them to classify that data on demand. This helps ensure that Microsoft 365 Copilot is indexing and referencing files in its responses that have been properly classified. Previously, unclassified and unscanned files did not appear in DSPM for AI oversharing assessments. Now admins can initiate an on-demand data classification scan, directly from the oversharing assessment, ensuring that older or previously unscanned files are identified, classified, and incorporated into the reports. This allows organizations to detect and address potential risks more comprehensively. 
For example, an admin can initiate a scan of legacy customer contracts stored in a specified SharePoint library to detect and classify sensitive information such as account numbers or contact information. If these newly classified documents match the classifiers included in any existing auto-labeling policies, they will be automatically labeled. This helps ensure that documents containing sensitive information remain protected when they are referenced in Microsoft 365 Copilot interactions. Learn More. Security teams can trigger on-demand classification scan results in the oversharing assessment in Purview DSPM for AI. Secure and govern data in Security Copilot and Copilot for Fabric for Power BI: We are excited to announce the public preview of Purview for Security Copilot and Copilot for Power BI, offering DSPM for AI, Insider Risk Management, and data compliance controls, including eDiscovery, Audit, Data Lifecycle Management, and Communication Compliance. These capabilities will help organizations enhance data security posture, manage compliance, and mitigate risks more effectively. For example, admins can now use DSPM for AI to discover sensitive data in user prompts and agent responses in Security Copilot and detect unethical or risky AI usage. Purview’s DSPM for AI provides admins with comprehensive reports on user activities and data interactions in Copilot for Power BI, as part of the Copilot in Fabrice experience, and Security Copilot. DSPM Discoverability for Communication Compliance: This new feature in Communication Compliance, which will be available in public preview starting May 1, enables organizations to quickly create policies that detect inappropriate messages that could lead to data compliance risks. 
The new recommendation card on the DSPM for AI page offers one-click policy creation in Microsoft Purview Communication Compliance, simplifying the detection and mitigation of potential threats, such as regulatory violations or improperly shared sensitive information.

With these enhanced capabilities for securing and governing data in Microsoft 365 Copilot and beyond, organizations can confidently embrace AI innovation while maintaining strict security and compliance standards.

Explore additional resources

As organizations embrace AI, securing and governing its use is more important than ever. Staying informed and equipped with the right tools is key to navigating its challenges. Explore these resources to see how Microsoft Security can help you confidently adopt AI in your organization.

Learn more about Security for AI solutions on our webpage
Get started with Microsoft Purview
Get started with Microsoft Defender for Cloud
Sign up for a free Microsoft 365 E5 Security Trial and Microsoft Purview Trial

Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9.

Simplify & scale data protection in the era of AI with Microsoft Purview Data Loss Prevention
Securing the use of AI may be a daunting charter for many security teams, but it is a clear and present need in the modern workplace: 40% of organizations report that their AI apps have already been breached or compromised in a data security incident [1]. As AI technology drives data generation in unprecedented volumes, the need to secure organizational data and prevent loss of sensitive information becomes even more crucial. We believe that a scalable and proactive data security strategy for AI starts with a strong DLP foundation. That's why we continue to invest in data loss prevention that adapts and scales to the contemporary challenges faced by data security teams.

Today, Microsoft Purview Data Loss Prevention is announcing several new capabilities that extend DLP protections to new surfaces such as Microsoft 365 Copilot, unlock insights and investigation abilities for DLP admins by leveraging AI, and fortify core data loss prevention controls & coverage:

Extended protection: New capabilities that extend our best-of-breed data protection across your modern data ecosystem, including the introduction of DLP controls for Microsoft 365 Copilot and enhancements to endpoint DLP controls on macOS.

Strengthened protection: Capabilities that strengthen core data protections on endpoint devices, including expanding file type coverage for endpoint DLP and new blanket protections for non-scannable file types.

Streamlined investigation & insights: Capabilities designed to simplify the admin experience as you investigate DLP incidents and look to address gaps in protection, such as new Security Copilot skills in Purview and the new Power Automate connector.
Introducing Microsoft Purview Data Loss Prevention for Microsoft 365 Copilot

Data oversharing and leakage is top of mind for organizations adopting generative AI technologies, including Microsoft 365 Copilot – 80% of business leaders cite data leakage by employees using AI as their top concern regarding generative AI adoption. [2]

Today, we are excited to announce Microsoft Purview DLP for Microsoft 365 Copilot in public preview to help reduce the risk of AI-related oversharing at scale. With DLP for M365 Copilot, data security admins can now create DLP policies to exclude documents with specified sensitivity labels from being summarized or used in responses in M365 Copilot Business Chat.

This capability, which currently works with Office files and PDFs in SharePoint, helps ensure that potentially sensitive content within a labeled document is not readily available for users to copy and paste into other applications, or processed by M365 Copilot as grounding data. An example of such content is confidential legal documents with highly specific semantics that could lead to improper guidance if summarized by AI or modified by end users. This can also apply to "Internal only" documents with data that shouldn't be copied and pasted into emails sent outside of the organization.

This capability can be configured for a specific sensitivity label at a file, group, site, and/or user level, giving you the flexibility to scope the policy based on the needs of your organization. For example, if you have users who are privy to a Merger and Acquisition (M&A) and scoped into an M&A group, you can design your DLP for M365 Copilot policy to prevent Copilot from summarizing M&A-labeled documents for everyone except those in the M&A group. As a reminder, M365 Copilot already has the ability to honor Microsoft Purview Information Protection sensitivity label access settings such as item-level view and extract restrictions when referencing sensitive documents.
With this new DLP capability, admins can more easily exclude sensitive content from being used by M365 Copilot for all items with the specified sensitivity label. Read more about new capabilities in Microsoft Purview that support secure generative AI adoption here, and learn more about how Data Security Posture Management (DSPM) for AI, previously known as AI hub, is providing data security admins with visibility into risky generative AI interactions in this blog.

Extending additional protections across the data estate

Last month, we also announced support for Microsoft Purview Data Loss Prevention for Fabric items. This capability allows you to apply Purview DLP policies to detect the upload of sensitive data, like Social Security numbers, to a lakehouse in Fabric. If detected, the event will automatically be audited. This can also alert the admin and even surface a custom policy tip to data owners to take action and remedy non-compliance with the policy.

Today, we are extending the restrict access action in Purview DLP policies to Fabric semantic models. With support for this restrict access action in Fabric, admins can configure policies that will automatically detect sensitive information in semantic models and limit access to internal users or data owners. This control is especially valuable when your tenant includes guest users and you want to enforce proper restrictions to ensure these users do not accidentally access sensitive information like internal proprietary data.

Alongside the introduction of Purview DLP capabilities for M365 Copilot and Fabric, we are broadening our capabilities on macOS devices:

Support for archive files, now in public preview: Detect when files are created and added to archives and apply restrictions to archive files when they contain sensitive information. This helps reduce the risk of exfiltration through concealment in archive files on macOS (.zip, .zipx, .rar, .7z, .tar, and .gz file formats).
Just-in-time (JIT) protection, now in public preview: With just-in-time protection, admins can proactively secure files containing sensitive information – regardless of type – that may not have been interacted with for a long time by applying restrictions upon egress. JIT suspends the egress operation and performs an evaluation against organizational policies before resuming the operation. JIT can also be enforced for scenarios based on network location, such as printing files on personal versus corporate networks. This capability is also available on Windows devices.

Support for web-based activities, now in public preview: These controls, already available on Windows, apply to printing, saving, and copying of web content on macOS.

Strengthening core data protections and posture

Though data protection controls for genAI and the use of AI as a productivity driver for admins are top of mind for many security teams, we are also committed to strengthening the robustness and reliability of our foundational DLP capabilities. This fortifies protections for your existing data estate and builds the resilience of your data security program as AI-generated data proliferates. In this spirit, we are pleased to share several new improvements to Purview endpoint DLP controls, including:

Extended file type coverage for endpoint DLP in public preview: We are greatly expanding the breadth of scannable file types (110+) and extraction limits for endpoint DLP on Windows devices. Not only does this broaden coverage across your environment, but it also helps ensure that files covered by DLP policies are protected in a consistent way across workloads. This improvement will begin rolling out to customers this month and continue worldwide in the coming weeks.
Blanket protections for non-supported file types in public preview: Enforce blanket-level protections for file types that Purview endpoint DLP does not currently scan and classify, ensuring that the diverse range of file types found in your environment is still protected. For example, DLP admins can now prevent copying to USB for all CAD files, regardless of their contents.

Pause and resume, now generally available: This enhancement to endpoint DLP automatically resumes an initial task such as copying to USB or network share when an end user overrides a policy tip. This helps minimize end user disruption and enables more seamless interaction with sensitive data without sacrificing security.

On top of strengthening the breadth & depth of Purview DLP controls, we are doubling down on ways to help admins continuously assess the efficacy and coverage of their DLP programs. Therefore, we are excited to announce the new DLP policy insights skill in Security Copilot in public preview.

Historically, the ability to quickly & easily understand the full breadth of DLP policy coverage across the organization has proved a challenging task for many DLP admins. In some organizations, admins have inherited or migrated hundreds, sometimes thousands, of DLP policies that were created in legacy DLP tools and pieced together for coverage. However, environment-wide visibility is critical to ensuring that there are no gaps in protection for business-critical workloads. The embedded Security Copilot-powered policy insights skill summarizes the intent, scope, and resulting matches of existing DLP policies in natural language. Some of the insights provided by the policy insights skill include DLP policies deployed for each workload (such as SharePoint or Exchange), the sensitive information types they are designed to detect, and the number of associated rule matches to those policies. This helps admins quickly identify and address gaps in protection.
Purview is also introducing a new platform feature that correlates insights from Purview DLP with insights from Microsoft Purview Information Protection and Microsoft Purview Insider Risk Management to provide data security admins with a more holistic, actionable view of their data security posture. Starting today, Microsoft Purview Data Security Posture Management (DSPM) is available in public preview in the Purview portal. DSPM offers unified visibility of data risks across your environment with prioritized recommendations for reducing those risks – this includes 1-click DLP policy recommendations designed to address top unresolved data loss risks. To learn more about DSPM in Purview, visit the blog.

Streamlining admin investigations & insights

Data security teams face an average of 66 alerts per day – up from 52 in 2023 – and only triage 63% of those daily alerts. Furthermore, organizations are experiencing an average of 156 data security incidents annually [3]. Quick triage, investigation, and remediation are key to mitigating downstream financial and infrastructural impact. However, the vast volume of alerts, data sources, and policies for those data sources can make it difficult for admins to prioritize data risks, investigate DLP incidents, and understand how to optimize their DLP program.

New enhancements to embedded Security Copilot experiences in Purview DLP

We are excited to announce two additional Security Copilot skills in public preview to assist admins with the challenges they face: enhanced hunting & investigation prompts and Activity Explorer prompts for targeted navigation and queries. These capabilities augment the embedded & standalone Security Copilot-powered alert summarization experiences that are already available in Purview DLP:

New enhanced hunting prompts let you drill down a step further from Security Copilot-generated alert summaries to gain further context surrounding the data and users behind an incident.
Such detail could include the activity performed on the data and the sensitive information type (SIT) detected that resulted in the alert.

New Activity Explorer prompts assist admins as they navigate and dive deeper into Activity Explorer insights. For example, pre-built prompts can provide admins with a bird's-eye view of the top activities detected in their environment over the past week, such as DLP rule matches or sensitive data used in M365 Copilot interactions. Conversely, admins can prompt Security Copilot to apply the correct investigation filters to Activity Explorer to pinpoint the specific activities or data that they want to narrow in on.

Improved support for data security forensic investigations

Starting today, the ability to store copies of full files that resulted in a DLP policy match on Windows endpoints is in public preview worldwide. Customers have the option to store this file evidence in Microsoft-managed storage or to link Azure Blob Storage to their Purview tenant. With the Microsoft-managed option, admins can save time otherwise spent configuring additional settings, assigning permissions, and selecting the storage in the policy workflow. However, both storage options are available to customers based on the needs of their organizations. Learn more here.

Customizing DLP processes & investigations with Power Automate and in Defender XDR

We are also investing in ways to customize Purview DLP to the needs and established processes of your organization. Today, we are announcing the availability of the Power Automate connector in public preview, which enables admins to trigger Power Automate workflows as a DLP policy action.

Configure a custom Power Automate workflow as a DLP policy action.

This integration unlocks automation and customization options for DLP admins, who can now fold DLP incidents into new or established IT, security, and business operations workflows, such as for stakeholder awareness and remediation.
Examples include email notifications to managers of policy violations made by their employees, or automatically deleting or moving files in SharePoint that are frequently overshared. To make it easier for customers to get started, the integration will include a pre-built Power Automate template to notify managers in Outlook when policy rules are triggered by their employees. However, you can also start building unique Power Automate workflows, such as creating a ticket in your organization's IT service management tool of choice when DLP policy conditions are met.

Enhanced filtering options for DLP alerts in Defender XDR

For teams that prefer to centralize their data security incident investigations in Microsoft Defender XDR, we are announcing additional rich filter options for Purview DLP alerts in public preview. In the Defender XDR Incidents view, you can now streamline alert triage and investigation even further with the ability to apply a specific DLP policy, DLP rule, or DLP workload as a filter. This helps admins better understand the data activities and sources that trigger the most alerts and ultimately drive the most downstream impact and risk.

Get started

You can try Microsoft Purview DLP and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial!

Already have a Windows 10 or 11 device? You can get started easily by turning on endpoint DLP, which is built into your device and does not require an agent or on-premises component.

Interested in how Microsoft 365 Copilot can transform the way you work? Contact your Microsoft representative to learn how you can add M365 Copilot to your existing subscription.

Additional resources

DLP whitepaper on moving from on-premises to cloud native DLP.
Mechanics video on how to create one DLP policy that works across your workloads.
Updated interactive guides on DLP policy configuration, management, and investigations.
Frequently asked questions on DLP for endpoints.
Investigating Microsoft Purview DLP alerts in the Microsoft Defender XDR portal.
Customer stories to learn why leading enterprises rely on Microsoft Purview DLP.

And, lastly, join the Microsoft Purview DLP Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Data Loss Prevention. An active NDA is required. Click here to join.

We look forward to your feedback.

Thank you,
The Microsoft Purview Data Loss Prevention Team

[1, 3] 2024 Data Security Index Report | Microsoft Security
[2] Data security market research, n = 638, commissioned by Microsoft

Common questions on Microsoft Purview Data Loss Prevention for endpoints
This guide covers the top-of-mind FAQs on Microsoft Purview DLP for endpoints. We have collaborated with engineers, designers, and Endpoint DLP experts to increase your confidence in the Endpoint DLP capabilities and to help you learn more about your setup. We hope you enjoy these guidelines to troubleshoot your most common issues with deployment, if any!