Create policy to manage printer access using authorization groups

This scenario demonstrates how to use authorization groups in Microsoft Purview DLP to enforce a default block on sensitive data actions while allowing controlled exceptions. In this example, printing of documents classified as legal content is restricted across all devices, except for a defined set of approved legal department printers.

By combining device-level print restrictions with a printer allowlist, this approach enables organizations to protect sensitive information while still supporting legitimate business workflows. It also illustrates how authorization groups can be reused for other scenarios, such as removable storage devices or network shares.

This scenario is for an unrestricted admin creating a full directory policy.

This scenario requires that you already have devices onboarded and reporting into Activity explorer. If you haven't onboarded devices yet, see Get started with Endpoint data loss prevention.

Authorization groups are mostly used as allowlists: you assign the group policy actions that differ from the global policy actions. In this scenario, we define a printer group and then configure a policy that blocks all print activity except to the printers in that group. The procedure is essentially the same for Removable storage device groups and Network share groups.

In this scenario, we define a group of printers that the legal department uses for printing contracts. Printing contracts to any other printers is blocked.

Prerequisites and assumptions

This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview Data Loss Prevention (DLP) policy. Work through these scenarios in your test environment to familiarize yourself with the policy creation UI.

Important

This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.

How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.

This scenario uses the Legal Affairs trainable classifier as its condition. If you adapt it to use a sensitivity label such as Confidential instead, you must create and publish the label first. To learn more, see:

This procedure uses a hypothetical distribution group Human Resources and a distribution group for the security team at Contoso.com.

This procedure uses alerts, see: Get started with the data loss prevention alerts

Policy intent statement and mapping

We, Contoso, want to prevent users from printing sensitive legal content to unauthorized printers while still allowing approved business workflows for the legal department. In this scenario, documents that match the Legal Affairs trainable classifier should be protected from being printed broadly across the organization, but users in Legal must be able to print those documents to a defined set of approved printers.

To achieve this, we will create a policy that applies print restrictions on devices for content classified as legal in nature. Printing will be blocked by default, but an authorization group of approved printers will be configured as an exception and allowed. This enables a strong default-protect posture while supporting legitimate business needs through a controlled allowlist model.

Statement, followed by the configuration question answered and the configuration mapping:

“We want to protect sensitive legal documents from being printed to unauthorized printers…”
  - Administrative scope: Full directory
  - Where to monitor: Devices only
  - Policy scope: All users/devices covered by the policy

“We want to identify documents that contain legal-sensitive content…”
  - Condition: Content contains = Trainable classifiers, Legal Affairs

“We want to restrict printing of that sensitive content across endpoint devices…”
  - Action: Audit or restrict activities on devices
  - Activity type: File activities on all apps
  - Restriction model: Apply restrictions to specific activity

“We want printing to be blocked by default unless explicitly allowed…”
  - Activity restriction: Print = Block

“We want approved legal department printers to be exempt from the default block…”
  - Endpoint settings: Create a Printer group named Legal printers
  - Group members can be defined by friendly printer name, USB product/vendor ID, IP range, print to file, Universal Print, corporate printer, or print to local

“We want different policy behavior for approved printers than the global policy action…”
  - Authorization group behavior: Choose different print restrictions
  - Printer group restriction: Add Legal printers
  - Group-specific action: Allow

“We want approved printing activity to remain visible for audit purposes without creating unnecessary alerts…”
  - Allow action behavior: Allowed print activity is recorded in the audit log
  - No alert or user notification is generated for the allowlisted printer action

“We want to test the policy safely before enforcement…”
  - Policy mode: Run the policy in simulation mode
  - User experience: Show policy tips while in simulation mode

“We want to use this same design pattern for other authorized destinations in the future…”
  - Reusable authorization group model: The same approach applies to Removable storage device groups and Network share groups

Steps to create policy

Create and use printer groups

  1. Sign in to the Microsoft Purview portal, select Settings (the gear in the upper left hand corner), then go to Data Loss Prevention > Endpoint settings > Printer groups.

  2. Select Create printer group and enter a group name. In this scenario, we use Legal printers.

  3. Select Add printer and provide a name. You can define printers by:

    1. Friendly printer name
    2. USB product ID
    3. USB vendor ID
    4. IP range
    5. Print to file
    6. Universal print deployed on a printer
    7. Corporate printer
    8. Print to local
  4. Select Close.

Configure policy printing actions

  1. Sign in to the Microsoft Purview portal.

  2. Navigate to Data loss prevention > Policies.

  3. Select Create policy.

  4. Select Data stored in connected sources.

  5. Select Custom from Categories, then Custom policy from Regulations.

  6. Give your new policy a Name and Description.

  7. Accept the default Full directory under Admin units.

  8. Scope the location to only the Devices location.

  9. Create a rule with the following values:

    1. Add a Condition: Content contains = Trainable classifiers, Legal Affairs
    2. Actions = Audit or restrict activities on devices
    3. Then pick File activities on all apps
    4. Then select Apply restrictions to specific activity
    5. Select Print = Block
  10. Select Choose different print restrictions

  11. Under Printer group restrictions, select Add group and select Legal printers.

  12. Set Action = Allow.

    Tip

    The Allow action records an audit event in the audit log but doesn't generate an alert or a user notification.

  13. Select Save and then Next.

  14. Accept the default Run the policy in simulation mode value and choose Show policy tips while in simulation mode. Choose Next.

  15. Review your settings and choose Submit.

  16. The new DLP policy appears in the policy list.
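To reason about what the policy you just built will do to a given print job before you move it out of simulation mode, it helps to have a small model of the decision it encodes: the global Print = Block restriction, the Legal printers group with its Allow override, and the audit, policy-tip and enforcement behavior from the mapping table above. The following is an added example written for this article and is not Microsoft Purview code; the Printer and PrinterGroup shapes, the field names, the "first matching group wins" rule and all sample printers and documents are constructed for the example and are not taken from the product.

```python
"""Illustrative model of the printer-allowlist decision described on this page.

Added example, not Microsoft Purview code. It models the policy's decision
(Print = Block by default, the 'Legal printers' authorization group = Allow) so
you can check which print events are blocked, which are allowed, and what is
recorded. Field names, the Printer/PrinterGroup shapes and all sample values
below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass(frozen=True)
class Printer:
    """A print destination as the endpoint sees it at print time (constructed shape)."""
    friendly_name: str
    usb_vid: Optional[str] = None   # USB vendor ID, hex string
    usb_pid: Optional[str] = None   # USB product ID, hex string
    ip: Optional[str] = None        # network printer address
    kind: str = "network"           # or: print_to_file, universal_print, corporate, local


def _parse_range(text: str) -> tuple[int, int]:
    """Accept 'start-end' or CIDR notation and return an inclusive integer range."""
    if "-" in text:
        lo, hi = (ip_address(p.strip()) for p in text.split("-", 1))
        return int(lo), int(hi)
    net = ip_network(text, strict=False)
    return int(net[0]), int(net[-1])


@dataclass
class PrinterGroup:
    """Mirrors the member types the portal offers when you add printers to a group."""
    name: str
    friendly_names: set[str] = field(default_factory=set)
    usb_ids: set[tuple[str, str]] = field(default_factory=set)  # (vendor_id, product_id)
    ip_ranges: list[str] = field(default_factory=list)           # 'start-end' or CIDR
    kinds: set[str] = field(default_factory=set)                 # print_to_file, universal_print, corporate, local

    def matches(self, p: Printer) -> bool:
        if p.friendly_name in self.friendly_names:
            return True
        if p.usb_vid and p.usb_pid:
            wanted = (p.usb_vid.lower(), p.usb_pid.lower())
            if any((v.lower(), i.lower()) == wanted for v, i in self.usb_ids):
                return True
        if p.ip:
            addr = int(ip_address(p.ip))
            if any(lo <= addr <= hi for lo, hi in map(_parse_range, self.ip_ranges)):
                return True
        return p.kind in self.kinds


@dataclass
class Decision:
    action: str                  # "Allow", "Block", or "NotApplicable"
    enforced: bool               # False while the policy runs in simulation mode
    policy_tip: bool             # a Block outcome shows a tip when tips are enabled
    audited: bool                # matched print activity is written to the audit log
    matched_group: Optional[str]


@dataclass
class PrintRule:
    condition: Callable[[dict], bool]   # e.g. content matches the Legal Affairs classifier
    default_action: str = "Block"       # the global print restriction
    group_actions: dict[str, str] = field(default_factory=dict)  # group name -> action
    groups: list[PrinterGroup] = field(default_factory=list)
    simulation: bool = True             # "Run the policy in simulation mode"
    show_tips: bool = True              # "Show policy tips while in simulation mode"

    def evaluate(self, document: dict, printer: Printer) -> Decision:
        if not self.condition(document):
            return Decision("NotApplicable", False, False, False, None)
        action, group = self.default_action, None
        # First matching group wins: a simplification of this model; the page does
        # not describe precedence between overlapping groups.
        for g in self.groups:
            if g.matches(printer):
                action, group = self.group_actions.get(g.name, self.default_action), g.name
                break
        enforced = action == "Block" and not self.simulation
        # Allow never notifies the user; a Block shows a tip only when tips are on.
        tip = action == "Block" and self.show_tips
        return Decision(action, enforced, tip, True, group)


# Constructed sample data for the scenario on this page.
LEGAL_PRINTERS = PrinterGroup(
    name="Legal printers",
    friendly_names={"LEGAL-CONTRACTS-01"},
    usb_ids={("04A9", "27E8")},
    ip_ranges=["10.20.30.1-10.20.30.50"],
)


def is_legal_affairs(doc: dict) -> bool:
    return "Legal Affairs" in doc.get("trainable_classifiers", set())


LEGAL_PRINT_RULE = PrintRule(
    condition=is_legal_affairs,
    default_action="Block",
    group_actions={"Legal printers": "Allow"},
    groups=[LEGAL_PRINTERS],
)

CONTRACT = {"name": "MSA-Contoso.docx", "trainable_classifiers": {"Legal Affairs"}}
NEWSLETTER = {"name": "newsletter.docx", "trainable_classifiers": set()}

if __name__ == "__main__":
    for prn in (Printer("LEGAL-CONTRACTS-01"), Printer("LOBBY-PRN", ip="10.20.30.7"),
                Printer("HR-PRN-03", ip="10.50.1.9"),
                Printer("Microsoft Print to PDF", kind="print_to_file")):
        print(prn.friendly_name, LEGAL_PRINT_RULE.evaluate(CONTRACT, prn))
```

Run it once with the policy in simulation mode and once with simulation set to False: the Block outcomes are identical, only the enforced flag changes, which is exactly what you want to confirm in Activity explorer before you switch the real policy to enforcement. Extending LEGAL_PRINTERS with a print_to_file kind shows why the member types matter: without it, Microsoft Print to PDF is a block, which is usually the intent for a legal allowlist.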