Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:02):
As more and more people use lesser known
and untrusted shadow AI applications
and file sharing services at work,
the controls to proactively protect your sensitive data
need to evolve too.
And this is where Data Loss Prevention, or DLP,
in Microsoft Purview unifies the controls
to protect your data in one place.
(00:23):
And if you haven't looked at this solution in a while,
the scope of protection has expanded
to ensure that your sensitive data stays protected
no matter where it goes or how it's consumed
with controls that extend
beyond what you've seen across Microsoft 365.
Now adding browser-level protections
that apply to unmanaged and non-Microsoft cloud apps
(00:45):
when sensitive information is shared.
For your managed endpoints,
today file system operations are also protected
on Windows and macOS.
And now we are expandingdetection to the network layer.
Meaning that as sensitive information is shared into apps
and gets transmitted over web protocols,
as an admin, you have visibility over those activities
(01:09):
putting your information at risk,
so you can take appropriate action.
Also, Microsoft Purview data classification
and policy management engines
share the same classification service.
Meaning that you can define
the sensitive information you care about once,
and we will proactively detect it
even before you create any policies,
(01:29):
which helps you streamline creating policies
to protect that information.
That said, as you look to evolve your protections,
where do you even start?
Well, to make it easier to prioritize your efforts,
Data Security Posture Management, or DSPM,
provides a 360 degree view of data potentially at risk
and in need of protection,
(01:50):
such as potential data exfiltration activities
that could lead to data loss,
along with unprotected sensitive assets across data sources.
Here at the top of the screen, you can see recommendations.
I'll act on this one to detect sensitive data leaks
to unmanaged apps using something new
(02:10):
called a Collection Policy.
More on how you can configure this policy a bit later.
With the policy activated,
new insights will take up to a day
to reflect on our dashboard,
so we'll fast forward in time a little,
and now you can see a new content category
at the top of the chart for sensitive content
shared with unmanaged cloud apps.
(02:31):
Then back to the top,
you can see the tile on the right
has another recommendation to prevent users
from performing cumulative exfiltration activities.
And when I click it,
I can enable multiple policies
for both Insider Risk Management and Data Loss Prevention,
all in one click.
So DSPM makes it easier to continually assess
(02:52):
and expand the protection of your DLP policies.
And there's even a dedicated view
of AI app-related risks with DSPM for AI,
which provides visibility
into how people in your organization are using AI apps
and potentially putting your data at risk.
Next, let me show you DLP in action
(03:12):
across different apps and endpoints,
along with the new browser and network capabilities.
I'll demonstrate the user experience for managed devices
and Microsoft 365 apps when the right controls are in place.
Here I have a letter of intent
detailing an upcoming business acquisition.
Notice it isn't labeled.
(03:33):
I'll open up Outlook,
and I'll search for and attach the file we just saw.
Due to the sensitivity
of the information detected in the document,
it's fired up a policy tip warning me
that I'm out of compliance with my company policy.
Undeterred, I'll type a quick message and hit send.
And my attempt to override the warning is blocked.
(03:55):
Next, I'll try something else.
I'll go back to Word
and copy the text into the body of my email,
and you'll see the same policy tip.
And, again, I'm blocked when I still try to send that email.
These protections also extend
to Teams chat, Word, Excel, PowerPoint and more.
Next, let me show you how protections even extend
(04:17):
to unmanaged cloud apps running in the Edge browser.
For example, if you want to use a generative AI website
like you're seeing here with DeepSeek,
even if I manually type in content
that matches my Data Loss Prevention policy,
you'll see that when I hit submit,
our Microsoft Purview policy blocks
the transmission of this content.
(04:39):
This is different from endpoint DLP,
which can protect file system operations
like copy and paste.
These Edge browser policies
complement existing endpoint DLP protections
in Windows and macOS.
For example, here I have the same file
with sensitive information that we saw before.
(04:59):
My company uses Microsoft Teams,
but a few of our suppliers use Slack,
so I'll try to upload my sensitive doc into Slack,
and we see a notification that my action is blocked.
And since these protections are on the file
and run in the file system itself,
this would work for any app.
That said, let's try another operation
(05:21):
by copying the sensitive document to my removable USB drive.
And here I'm also blocked.
So we've seen how DLP protections extend
to Microsoft 365 apps, managed browsers, and file systems.
Additionally, new protections can extend
to network communication protocols when sharing information
with local apps running against web services over HTTPS.
(05:45):
In fact, here I have a local install
of the ChatGPT app running.
As you see, this is not in a browser.
In this case,
if I unintentionally add sensitive information to my prompt,
when it passes the information over the network
to call the ChatGPT APIs,
Purview will be able to detect it.
Let's take a look.
If I move over to DSPM for AI in Microsoft Purview,
(06:09):
as an admin, I have visibility into the latest activity
related to AI interactions.
If I select an activity which found sensitive data shared,
it displays the user and app details,
and I can even click into the interaction details
to see exactly what was shared in the prompt
as well as what specifically was detected
(06:30):
as sensitive information on it.
This will help me decide the actions we need to take.
Additionally, the ability to block sharing
over network protocols is coming later this year.
Now, let's switch gears
to the latest updates for policy creation.
I showed earlier setting up the new collection policy
in one click from DSPM.
(06:51):
Let me show you how we would configure the policy in detail.
In Microsoft Purview,
you can set this up in Data Loss Prevention
under Classifiers on the new Collection Policies page.
These policies enable you to tailor
the discovery of data and activities
from the browser, network, and devices.
(07:11):
You can see that I already have a few created here,
and I'll go ahead and create a new one right from here.
Next, for what data to detect,
I can choose the right classifiers.
I have the option to scope these down
to include specific classifiers,
or include all except for the ones that I want to exclude.
I'll just keep them all.
(07:33):
For activities to detect,
I can choose the activities I want.
In this case, I'll select text and files
shared with a cloud or AI app.
Now, I'll hit add.
And next I can choose where to collect the data from.
This includes connected data sources,
like devices, Copilot experiences, or Enterprise AI apps.
(07:54):
The unmanaged cloud apps tab uses
the Microsoft Defender for Cloud Apps catalog
to help me target the applications I want in scope.
In this case,
I'll go ahead and select all the first six on this page.
For each of these applications,
I can scope which users this policy applies to
(08:15):
as a group or separately.
I'll scope them all together for simplicity.
Here I have the option
to include or exclude users or groups from the policy.
In this case, I'll keep all selected and save it.
Next, I have the option of choosing
whether I want AI prompt and responses that are detected
(08:36):
to be captured and preserved in Purview.
This enables the experience we saw earlier
of viewing the full interaction.
Finally, in mode, you can turn the policy on.
Or if you leave it off,
this will save it so that you can enable it later.
Once I have everything configured,
I just need to review and create my policy,
(08:56):
and that's it.
In addition, as you create DLP policies,
you'll notice new corresponding options.
Let me show you the main one.
For each policy,
you'll now be asked what type of data you want to protect.
First is data stored in connected sources.
This includes Microsoft 365 and endpoint policies,
(09:17):
which you're likely already using now.
The new option is data in browser and network activity.
This protects data in real-time
as it's being used in the browser
or transmitted over the network.
From there, configuring everything else in the policy
should feel familiar with other policies
you've already defined.
To learn more and get started
(09:37):
with how you can extend your DLP protections,
check out aka.ms/PurviewDLPUpdates.
Keep checking back to Microsoft Mechanics
for all the latest updates and thanks for watching.