Microsoft Endpoint DLP is a unified and integrated experience to protect sensitive information used by information workers every day.
The new reality of significant numbers of employees working from home or other remote locations indefinitely has created renewed emphasis on providing strong, coordinated, and unified protections across all user touchpoints with sensitive data.
Microsoft continues to invest in developing cutting-edge information protection solutions for our customers. Microsoft Information Protection (MIP) is a built-in, intelligent, unified, and extensible solution to know your data, protect your data, and prevent data loss across an enterprise – in Microsoft 365 apps, services, on-premises, devices, and third-party SaaS applications and services. Microsoft’s Data Loss Prevention (DLP) is a core element of MIP that extends data protection to common egress points.
Organizations rely on Microsoft DLP to enforce policies that identify and prevent risky or inappropriate sharing, transfer, or use of sensitive information consistently across cloud, on-premises and endpoints. We are thrilled to announce several new DLP capabilities today.
Microsoft Endpoint DLP – General Availability
First, we are excited to announce the general availability of Microsoft Endpoint Data Loss Prevention.
With Microsoft’s Unified DLP, and now Endpoint DLP, your organization can further reduce dependencies on individual and uncoordinated solutions, moving from disparate set of tools to a unified solution to monitor user actions, remediate policy violations, and educate users in context on the correct handling of sensitive data at the endpoint, on-premises, and in the cloud.
Endpoint DLP provides a familiar user experience, seamless deployment, integrated insights.
A familiar user experience
No matter where DLP is applied, users have a consistent and familiar look and feel they are already accustomed to from the applications and services they use every day. Endpoint DLP also reduces end-user training time and alert confusion, increasing user confidence in prescribed guidance and remediations, and improving policy compliance – without impacting productivity.
Figure 1: Familiar User Experience – User notified of an unapproved copying of sensitive text in Office
Figure 2: Familiar User Experience – User notified of an unapproved copying of sensitive file in Edge
Endpoint DLP is a cloud-managed solution that is built into Microsoft 365 Compliance Center. Built natively into Microsoft’s Unified DLP solution, it’s easy to extend your existing DLP policies and custom sensitive content identifiers to endpoint devices without extensive reconfiguration.
Broad classification support
Endpoint DLP uses the same classification technology as our other MIP solutions, providing consistent discovery of sensitive content across Microsoft 365 Apps (Office 365), Exchange, OneDrive, SharePoint, and Microsoft Teams. With over 100 sensitive information types and built-in policy templates, it’s easy to turn on Endpoint DLP to identify sensitive data across common industry regulations and compliance-related data types.
Insights on activity with sensitive data on the endpoint start flowing to the Security and Compliance solutions like MIP’s Data Classification dashboard, Microsoft Defender for Endpoint, and Insider Risk Management as soon as onboarding has been completed, and before any DLP policy is deployed. These insights provide comprehensive coverage and visibility of active data protections, device states, and user actions that may be required by organizations to meet regulatory and policy compliance. Furthermore, they can be used to help identify the most critical needs for DLP policies and can assist in guiding DLP policy creation priority.
Microsoft DLP alerting management – Public Preview
We are excited to announce the public preview of a DLP alert management experiences in Microsoft 365 compliance center – a single place to view an manage DLP alerts. Alerts provide details on DLP events including the sensitive information types detected in the content, confidence score rating and event count to further assist DLP reviewers in quickly identifying high risk events and to more effectively manage event triage and remediations.
This latest addition to Microsoft’s DLP solution provides customers with direct visibility into DLP policy enforcement activity in Exchange, SharePoint, OneDrive, Teams, and Devices.
Advanced DLP alert options are configured in the existing DLP policy authoring workflow. These provide eligible DLP customers with the ability to tailor how they organize and display DLP policy enforcement event alerts with the information they need to investigate and address DLP policy violations quickly. Historical workflow information for alerts is available in the Management log.
Figure 3: Data Loss Prevention Event Alerts
Individual alerts provide exhaustive metadata associated with the DLP policy violation, change alert status (Active, Investigating, Dismissed or Resolved), include additional comments entered by reviewers and defined workflow actions such as assigning alerts to individuals for follow up.
Figure 4: Data Loss Prevention Event Alert Details
Alerts can trigger notifications to keep your administrators informed when DLP policy violations occur. For more advanced scenarios, eligible customers can turn on threshold-based alerts that will keep them informed when a combination match occurs over a period of time or over a specified amount of data.
For customers interested in learning how to extend DLP activity and alerts to their SIEM for advanced incident management, an example using Sentinel is available here.
Sensitivity label-aware DLP policies
One of the leading capabilities within MIP is sensitivity labels.
Sensitivity labels allow you to classify data according to sensitivity such as Public, General, Confidential, Highly Confidential or any other sensitivity label created by the organization to meet its needs. This sensitivity information is added to the file information and is used to guide users, applications and services in how to handle and use sensitive data such as:
- Protect content in Microsoft 365 Apps across different platforms and devices
- Enforce protection settings such as encryption or watermarks on labeled content
- Protect content in third-party apps and services
- Extend sensitivity labels to third-party apps and services
- Classify content without using any protection settings
- Expand the quality of insights to intelligently flag potential insider risks
Figure 5: Sensitivity label in Microsoft 365 Apps - Excel
With the announcement of sensitivity labels as a condition for Microsoft DLP policies, you can now define new enforcement actions and locations that take into account the sensitivity context of information to better meet protection requirements.
Figure 6: Choosing a sensitivity label as a condition in a DLP policy
DLP policies using sensitivity labels apply to Exchange Online email messages, SharePoint Online, OneDrive for Business, Teams and Windows 10 devices.Figure 7: Supported services, items, policy tips and enforceability
Advanced Controls in DLP for Email protection – Public Preview
Those of you familiar with using existing Exchange Transfer Rules (ETR) to define special handing actions for email messages matching the rules can now implement these controls directly in Unified DLP for Exchange! You can use the same conditions, exceptions, and DLP-related actions you’re familiar with from ETR to enhance and extend your Unified DLP Email policies with even more fine-grained controls.
The new conditions and exceptions announced in public preview enhance the already existing capabilities in DLP. (See highlighted in Figure 7. New Conditions and Exceptions) These provide the ability to give additional granular control over the scoping and application of a DLP policy and ensure policies are applied as intended.
Figure 8: New Conditions and Exceptions for Email
New actions to enforce email DLP controls from a Unified DLP policy. (See highlighted in Figure 8. New Actions)
Figure 9: New DLP Actions for Email
Microsoft’s DLP solution is part of a broader set of Information Protection and Governance solutions that are part of the Microsoft 365 Compliance Suite. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started today.
- For more information on Data Loss Prevention, please see this and this
- For videos on Microsoft Unified DLP approach and Endpoint DLP see this and this
- For a Microsoft Mechanics video on Endpoint DLP see this
- For more information on DLP Alerts and Event Management, see this
- For more information on Sensitivity Labels as a condition for DLP policies, see this
- For more information on Sensitivity Labels, please see this
- For more information on conditions and actions for Unified DLP, please see this
- For the latest on Microsoft Information Protection, see this and this
The Microsoft Information Protection team