Microsoft Continues to Enhance DLP Customer Value with New Capabilities

Microsoft’s unified Data Loss Prevention solution provides a simple and unified approach to protecting sensitive information from risky or inappropriate sharing, transfer, or use.

In the past few months, Microsoft has introduced a wide range of new capabilities in General Availability and Public Preview that are designed to provide new ways of protecting data across a wider breadth of use cases and workloads and provide greater visibility into how sensitive content is used, stored and shared. These include:

• Customizable DLP policy violation justifications
• Protect sensitive data when it is shared across Bluetooth
• Protect sensitive data when it is shared across Remote Desktop Protocol (RDP) sessions
• Automatically quarantine sensitive files when they’re accessed by an unallowed app
• Displaying of cloud DLP policy events from Exchange, SharePoint-OneDrive, and Teams in Activity explorer
• Displaying of sensitivity label activity from Office native (Word, Excel, PowerPoint, Outlook) in Activity explorer
• Displaying of sensitive information, sensitivity label, and retention label detection events for files and documents from OneDrive in Activity Explorer

Customizable DLP Policy Violation Justifications – General Availability

Many organizations offer their users the ability to override certain policy violations when there is a justifiable business need. These can range from a requirement to address a specific situation where the risks are limited:

• For example, copying sensitive files to an encrypted USB for sharing with an authorized partner because the approved process such as an online file sharing service is not available due to a service outage

To addressing a business need when an alternate process has not been defined or is incorrectly scoped:

• For example, there is a business need to share information with a new partner, but no approved process is in place to support this action and the user has been granted approval on this occasion to override the policy.

Microsoft supports up to five built-in justifications that can be selected by users when they override a DLP policy:

• This is part of an established business workflow
• My manager has approved this action
• Urgent access required. I’ll notify my manager separately
• The information in these files is not sensitive
• Other

You can customize and replace the out-of-the-box justifications with your organization’s own text to better define the type and scope override. (See Figure 1: DLP policy blocking override - customizable justification to address business needs)

Figure 1: DLP policy blocking override - customizable justification to address business needs

In addition to built-in selections, you can also offer users the ability to provide a text field to enter a more contextually descriptive justification for why they are overriding the DLP policy block. This capability can provide organizations with a deeper understanding of why users override a DLP policy and also additional visibility into processes and policies which could benefit from additional refinement, user education, or another review.

Enforcement of DLP Policies for File Sharing Across Bluetooth – General Availability

Users enjoy the flexibility of tethering their Bluetooth-enabled devices to share data for ubiquitous access anywhere at any time. While there are tangible benefits to Bluetooth tethering, organizations face the risks that sensitive data may be inappropriately shared or stored on unapproved devices.

Microsoft Endpoint DLP provides customers the ability to create and enforce DLP policies that regulate the sharing of sensitive data to Bluetooth devices using the same DLP policy creation and management solution they currently use to support DLP across Microsoft’s fully unified DLP offering with the experience their users are already familiar with.

DLP controls for Bluetooth include:

• Audit mode: Records policy violation events without impacting end-user activity
• Block with Override mode: Records and blocks the activity, but allows the user to override when they have a legitimate business need
• Block mode: Records and blocks the activity without giving the user the ability to override 

Enforcement of DLP Policies for File Sharing Across an RDP session – General Availability

Customers use Remote Desktop Protocol (RDP) to provide remote users the ability to connect and use a windows desktop located elsewhere via a network connection. Over the past two years, many organizations have increasingly leveraged RDP as a solution to support remote workers.

Microsoft Endpoint DLP provides customers the ability to create and enforce DLP policies to regulate the sharing of sensitive data over an RDP session, using the same familiar DLP policy tools and user experience from Microsoft’s fully unified DLP offering.

DLP controls for RDP include support for deploying DLP policies in Audit mode, Block with Override mode, and Block mode.

Auto-Quarantine of Sensitive Files Accessed by Unallowed Apps – Public Preview

Apps can be defined in DLP as not allowed to access specific sensitive content. Some apps are automated and can generate repeated DLP alert notifications when they continuously access sensitive content for which they are unallowed.

For example, when a user deploys an external file synch solution that is unallowed to access sensitive content and the local sharing folder contains a sensitive file that cannot be shared externally. In this example, the file synch upload activity will be repeatedly blocked by DLP. Each blocked activity will generate a notification on the user’s desktop, and each will also be recorded as a DLP event until the file has been removed from the local sharing folder. This impacts the user experience and creates unnecessary event volumes.

To address this potential concern, Microsoft is introducing a new auto-quarantine capability that can be assigned to individual unallowed apps when configuring a DLP policy.

Using the same scenario as above, if the external file synch solution is defined in a DLP policy as an unallowed app for sensitive data, and auto-quarantine is enabled, the sensitive data would be removed from the home folder and would be stored in a predefined approved quarantine folder. A text file replaces the original file with details for the user to explain the auto-quarantined action. In this instance, the user would only be notified once, and auto-quarantine would prevent repeated DLP policy violations and reduce the risk of sensitive data exfiltration. (see Figure 2: DLP Auto-Quarantine of Sensitive Content)

Figure 2: DLP Auto-Quarantine of Sensitive Content 

Displaying Cloud DLP, Office, and AIP data in Activity Explorer and Displaying OneDrive data in Content Explorer– General Availability

Customers require the ability for different administrative users to have different views and levels of functionality depending on the role they have when reviewing user and label activity related to sensitive data. Microsoft offers three distinct ways to view this activity with ‘Overview’, ‘Content Explorer’, and ‘Activity explorer’.

With these General Availability announcements customers will have new visibility into events in their environment:

1. Office Native feeds in Activity Explorer: Customers will be able to display sensitivity label activities around Label applied, label changed, and label removed in Activity Explorer.
2. Cloud DLP in Activity Explorer: Customers will be able to display data from Exchange, SharePoint,-OneDrive, and Teams in Activity Explorer.
3. OneDrive data in Content Explorer: Customers will be able to display Sensitive information, Sensitivity labels, and Retention labels detected on files/documents in OneDrive in the Content Explorer.
4. Azure Information Protection (AIP) data in Activity Explorer: Customers will be able to display data logged by AIP client and scanner audit

(Note that the default behavior for AIP data in Activity explorer is Opt-in. If customers would prefer to opt-out, they have to follow steps here to disable sending logs to Activity Explorer)

Microsoft Unified DLP Quick Path to Value

To help customers accelerate their deployment of comprehensive information protection and data loss prevention strategy across all their environments containing sensitive data and help ensure immediate value, Microsoft provides a one-stop approach to data protection and DLP policy deployment within the Microsoft 365 Compliance Center.

Microsoft Information Protection (MIP) provides a common set of classification and data labeling tools that leverage AI and machine learning to support even the most complex of regulatory or internal sensitive information compliance mandates. MIP’s over 150 sensitive information types and over 40 built-in policy templates for common industry regulations and compliance offer a quick path to value.

Consistent User Experience

No matter where DLP is applied, users have a consistent and familiar experience when notified of an activity that is in violation of a defined policy.  Policy Tips and guidance are provided using a familiar look and feel users are already accustomed to from applications and services they use every day. This approach can reduce end-user training time, eliminates alert confusion, increases user confidence in prescribed guidance and remediations, and improves overall compliance with policies – without impacting productivity.

Integrated Insights

Microsoft DLP integrates with other Security & Compliance solutions such as MIP, Microsoft Defender, and Insider Risk Management to provide broad and comprehensive coverage and visibility required by organizations to meet regulatory and policy compliance.

Figure 3: Integrated Insights

This approach reduces the dependence on individual and uncoordinated solutions from disparate providers to monitor user actions, remediate policy violations and educate users on the correct handling of sensitive data at the endpoint, on-premises, and in the cloud.

Get Started

Microsoft DLP solution is part of a broader set of Information Protection and Governance solutions that are part of the Microsoft 365 Compliance Suite. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 Compliance Center to get started today.

Additional resources:

• For more information on Data Loss Prevention, please see this and this
• For videos on Microsoft Unified DLP approach and Endpoint DLP see this and this 
• For a Microsoft Mechanics video on Endpoint DLP see this 
• For more information about the new features in Activity Explorer, see this
• For more information on the Microsoft Compliance Extension for Chrome see this and this
• For more information on DLP Alerts and Event Management, see this 
• For more information on Sensitivity Labels as a condition for DLP policies, see this  
• For more information on Sensitivity Labels, please see this  
• For more information on conditions and actions for Unified DLP, please see this
• For the latest on Microsoft Information Protection, see this and this
• For our previous DLP blog, see this

Thank you,

The Microsoft Information Protection team