This scenario shows how to use network-based conditions in Microsoft Purview DLP to apply different protections based on where users access sensitive data. By defining VPN connections and configuring network exceptions, the policy adjusts actions—such as auditing or blocking clipboard activity—based on network context, enabling more precise control for hybrid work environments without uniformly restricting user activity.
This scenario is for an unrestricted admin creating a full directory policy.
Prerequisites and assumptions
This scenario requires that you already have devices onboarded and reporting into Activity explorer. If you haven't onboarded devices yet, see Get started with Endpoint data loss prevention.
In this scenario, we define a list of VPNs that hybrid workers use for accessing organization resources.
This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview Data Loss Prevention (DLP) policy. Work through these scenarios in your test environment to familiarize yourself with the policy creation UI.
Important
This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.
How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.
This scenario uses the Confidential sensitivity label, so it requires you to create and publish sensitivity labels. To learn more, see:
- Learn about sensitivity labels
- Get started with sensitivity labels
- Create and configure sensitivity labels and their policies
This procedure uses a hypothetical distribution group Human Resources and a distribution group for the security team at Contoso.com.
This procedure uses alerts. See: Get started with the data loss prevention alerts
Policy intent statement and mapping
We, Contoso, want to control how sensitive legal content is handled based on the network context in which users are operating. In particular, we want to apply different levels of restriction depending on whether users are connected through trusted corporate networks or VPN connections used by hybrid workers.
To achieve this, we will define known VPN connections and use them in network exception rules within a DLP policy. This allows us to enforce stricter controls—such as blocking clipboard activity with override—when users are connected through specific VPNs, while maintaining less restrictive (audit-only) behavior in other contexts. This approach enables contextual data protection that adapts to how and where users access sensitive data.
| Statement | Configuration question answered and configuration mapping |
|---|---|
| “We want to apply different data protection controls depending on the network users are connected from…” | - Administrative scope: Full directory - Where to monitor: Devices only - Policy scope: All users/devices or targeted users |
| “We want to identify VPN connections used by hybrid workers…” | - Endpoint settings: Configure VPN settings using Server address or Network address - Data gathered via PowerShell commands (Get-VpnConnection, Get-NetConnectionProfile) |
| “We want to detect sensitive legal content handled on endpoints…” | - Condition: Content contains = Trainable classifiers, Legal Affairs |
| “We want to control specific user activities involving sensitive content…” | - Action: Audit or restrict activities on devices - Activity type: File activities on all apps - Specific activity: Copy to clipboard (extendable to others like print or USB copy) |
| “We want less restrictive monitoring under normal conditions…” | - Default activity action: Audit only for copy to clipboard |
| “We want stricter controls when users are connected through defined VPN networks…” | - Network exception: Select VPN and set action to Block with override - Priority: VPN must be set as top priority in network exception configuration |
| “We want to support user productivity while maintaining accountability…” | - Override capability: Users can proceed with justification when blocked under VPN conditions |
| “We want to ensure correct precedence of network-based rules…” | - Configuration behavior: VPN rules take precedence over Corporate network settings when ordered correctly - Caution: ‘Apply to all activities’ can overwrite other activity-specific configurations |
| “We want to safely test the policy behavior before full enforcement…” | - Policy mode: Run in simulation mode - User experience: Show policy tips while in simulation mode |
| “We want to validate policy behavior through monitoring and testing…” | - Monitoring: Use Activity explorer to review policy matches - Testing: Perform clipboard copy action under different network conditions (VPN vs non-VPN) |
Steps to create policy
Create and use a Network exception
Network exceptions enable you to configure Allow, Audit only, Block with override, and Block actions to the file activities based on the network that users are accessing the file from. You can select from the VPN settings list you've defined and use the Corporate network option. The actions can be applied individually or collectively to these user activities:
- Copy to clipboard
- Copy to a USB removable device
- Copy to a network share
- Copy or move using unallowed Bluetooth app
- Copy or move using RDP
Get the Server address or Network address
On a DLP monitored Windows device, open a Windows PowerShell window as an administrator.
Run this cmdlet:
```powershell
Get-VpnConnection
```
Running this cmdlet returns multiple fields and values.
Find the ServerAddress field and record that value. You use this when you create a VPN entry in the VPN list.
Find the Name field and record that value. The Name field maps to the Network address field when you create a VPN entry in the VPN list.
Determine if the device is connected through a Corporate network
On a DLP monitored Windows device, open a Windows PowerShell window as an administrator.
Run this cmdlet:
```powershell
Get-NetConnectionProfile
```
If the NetworkCategory field is DomainAuthenticated, then the device is connected to a corporate network. If it's anything else, the device's connection is not through a corporate network.
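The two checks above can be gathered in one pass so the values are ready to paste into the VPN list. The following script is an added example, not part of the Microsoft Learn article; it assumes an elevated Windows PowerShell session on a DLP-monitored device with the built-in VpnClient and NetConnection modules, and the CSV path is an assumed location chosen for this example.

```powershell
# Added example: collect the ServerAddress / Name values that the VPN settings list
# needs, and report whether the device currently counts as being on a corporate network.

function Get-DlpVpnEntry {
    # Per-user and all-user VPN profiles are listed separately by Get-VpnConnection,
    # so query both. -ErrorAction SilentlyContinue covers devices with no VPN profile.
    $connections = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                   @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

    foreach ($vpn in $connections) {
        [pscustomobject]@{
            NetworkAddress = $vpn.Name           # maps to "Network address" in the VPN list
            ServerAddress  = $vpn.ServerAddress  # maps to "Server address" in the VPN list
            Connected      = ($vpn.ConnectionStatus -eq 'Connected')
        }
    }
}

function Test-CorporateNetwork {
    # The article's rule: a DomainAuthenticated profile means a corporate network.
    $profiles = @(Get-NetConnectionProfile -ErrorAction SilentlyContinue)
    foreach ($p in $profiles) {
        if ($p.NetworkCategory -eq 'DomainAuthenticated') { return $true }
    }
    return $false
}

$entries = @(Get-DlpVpnEntry)
if ($entries.Count -gt 0) {
    $entries | Format-Table -AutoSize
    # Assumed output path: export the values for entry under Endpoint settings > VPN settings.
    $entries | Export-Csv -Path "$env:TEMP\dlp-vpn-entries.csv" -NoTypeInformation
} else {
    Write-Host 'No VPN connections are configured on this device.'
}

if (Test-CorporateNetwork) {
    Write-Host 'Corporate network: yes (a DomainAuthenticated profile is present)'
} else {
    Write-Host 'Corporate network: no'
}
```

Run it once on a representative device for each VPN your hybrid workers use; the Connected column tells you which profile is active at the moment, which matters when you later test the policy under VPN and non-VPN conditions.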
Add a VPN
Sign in to the Microsoft Purview portal.
Open Settings > Data Loss Prevention > Endpoint settings > VPN settings.
Select Add or edit VPN addresses.
Provide either the Server address or Network address from running Get-VpnConnection.
Select Save.
Close the item.
Configure policy actions
Sign in to the Microsoft Purview portal.
Open Data Loss Prevention > Policies.
Select Create policy, then choose Data stored in connected sources.
Select Custom from Categories, then Custom policy template from Regulations.
Name your new policy and provide a description.
Select Full directory under Admin units.
Scope the location to Devices only.
Create a rule where:
- Content contains = Trainable classifiers, Legal Affairs
- Actions = Audit or restrict activities on devices
- Then pick File activities on all apps
- Then select Apply restrictions to specific activity
- Select the actions that you want to configure Network exceptions for.
Select Copy to clipboard and the Audit only action.
Select Choose different copy to clipboard restrictions.
Select VPN and set the action to Block with override.
Important
When you want to control the activities of a user when they're connected through a VPN you must select the VPN and make the VPN the top priority in the Network exceptions configuration. Otherwise, if the Corporate network option is selected, then that action defined for the Corporate network entry will be enforced.
Caution
The Apply to all activities option copies the network exceptions that are defined here and applies them to all the other configured specific activities, such as Print and Copy to a network share. This overwrites the network exceptions on the other activities. The last saved configuration wins.
Save.
Accept the default Run the policy in simulation mode value and choose Show policy tips while in simulation mode. Choose Next.
Review your settings and choose Submit and then Done.
The new DLP policy appears in the policy list.
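The Important and Caution notes in the Configure policy actions steps describe two ordering effects: the first matching network exception in priority order decides the action, and Apply to all activities replaces the exceptions on every other activity. The following script is an added example, not part of the article or of the Purview product; it is a small model of that described behavior, built from constructed sample data, for reasoning about a configuration before you confirm the real outcome in simulation mode and Activity explorer.

```powershell
# Added example: model how ordered network exceptions resolve, and what
# "Apply to all activities" does to the other activities' exceptions.
# The precedence rule (first match in priority order wins) is taken from the
# article's text; the function itself is an assumption for illustration only.

function Resolve-DlpNetworkAction {
    param(
        [Parameter(Mandatory)] [object[]] $Exceptions,   # ordered, top priority first
        [string]   $DefaultAction = 'Audit only',
        [string[]] $ConnectedVpns = @(),
        [bool]     $OnCorporateNetwork = $false
    )
    foreach ($ex in $Exceptions) {
        $isMatch = switch ($ex.Network) {
            'Corporate network' { $OnCorporateNetwork }
            default             { $ConnectedVpns -contains $ex.Network }
        }
        if ($isMatch) { return $ex.Action }   # first match in priority order wins
    }
    return $DefaultAction
}

function Copy-ExceptionsToAllActivities {
    # Models the "Apply to all activities" option: the source activity's
    # exceptions overwrite those of every other activity in the table.
    param([Parameter(Mandatory)] [hashtable] $Activities, [Parameter(Mandatory)] [string] $Source)
    $result = @{}
    foreach ($name in $Activities.Keys) { $result[$name] = $Activities[$Source] }
    return $result
}

# Constructed sample: a domain-joined laptop connected through "Contoso-HybridVPN",
# so the device is on a VPN and also has a DomainAuthenticated profile.
$vpns = @('Contoso-HybridVPN')
$corporate = $true

$vpnFirst = @(
    [pscustomobject]@{ Network = 'Contoso-HybridVPN'; Action = 'Block with override' },
    [pscustomobject]@{ Network = 'Corporate network'; Action = 'Audit only' }
)
$corporateFirst = @(
    [pscustomobject]@{ Network = 'Corporate network'; Action = 'Audit only' },
    [pscustomobject]@{ Network = 'Contoso-HybridVPN'; Action = 'Block with override' }
)

'VPN on top:       ' + (Resolve-DlpNetworkAction -Exceptions $vpnFirst       -ConnectedVpns $vpns -OnCorporateNetwork $corporate)
'Corporate on top: ' + (Resolve-DlpNetworkAction -Exceptions $corporateFirst -ConnectedVpns $vpns -OnCorporateNetwork $corporate)
'Off VPN, off corp:' + (Resolve-DlpNetworkAction -Exceptions $vpnFirst)

# Constructed per-activity exceptions; Print has its own stricter rule.
$activities = @{
    'Copy to clipboard'       = $vpnFirst
    'Print'                   = @([pscustomobject]@{ Network = 'Contoso-HybridVPN'; Action = 'Block' })
    'Copy to a network share' = @()
}
$after = Copy-ExceptionsToAllActivities -Activities $activities -Source 'Copy to clipboard'
'Print exception before apply-to-all: ' + ($activities['Print'] | ForEach-Object { "$($_.Network)=$($_.Action)" })
'Print exception after apply-to-all:  ' + ($after['Print']      | ForEach-Object { "$($_.Network)=$($_.Action)" })
```

With the VPN entry on top, the sample device resolves to Block with override; with Corporate network on top, the same device resolves to Audit only because its DomainAuthenticated profile matches first. The second part shows why the Caution matters: after apply-to-all, Print no longer carries its own Block rule.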