Help prevent sharing of sensitive items with unauthorized cloud apps and services

This scenario demonstrates how to restrict unintentional sharing of sensitive information to unapproved cloud applications and services using Microsoft Purview DLP. By defining sensitive service domains and enforcing controls through supported browsers, organizations can monitor and guide how sensitive data is uploaded or accessed.

Note

The following web browsers are supported:

  • Microsoft Edge (Win/macOS)
  • Chrome (Win/macOS); the Microsoft Purview extension for Chrome is Windows only
  • Firefox (Win/macOS); the Microsoft Purview extension for Firefox is Windows only
  • Safari (macOS only)

When a policy is configured for the Devices location, unsupported browsers are prevented from accessing sensitive content, and users are redirected to Microsoft Edge, where DLP controls can block or restrict actions based on policy conditions. This browser-aware enforcement helps reduce the risk of data exfiltration while maintaining a consistent and guided user experience.

To implement this approach, you define restricted destinations (domains, services, or IPs), specify unsupported browsers, and configure DLP rules that detect sensitive content and apply controls such as Upload to cloud services and Access from unallowed browser.

This configuration enables organizations to audit user behavior, refine policies, and progressively enforce stricter controls as needed, while minimizing disruption to legitimate business activities.

Prerequisites and assumptions

This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview Data Loss Prevention (DLP) policy. Work through these scenarios in your test environment to familiarize yourself with the policy creation UI.

Important

This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.

How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.

This scenario uses the Confidential sensitivity label, so it requires you to create and publish sensitivity labels. To learn more, see:

This procedure uses a hypothetical distribution group Human Resources and a distribution group for the security team at Contoso.com.

This procedure uses alerts. See Get started with the data loss prevention alerts.

Policy intent statement and mapping

We, Contoso, want to prevent users from unintentionally sharing sensitive information to unapproved cloud applications and services from endpoint devices. At the same time, we want to ensure users can continue to access and work with non-sensitive data without unnecessary restrictions. To achieve this, we will define a set of restricted cloud service domains and enforce controls when sensitive information is detected in user activity. When users attempt to upload sensitive content to these unapproved services—or access such content through unsupported browsers—we will audit the activity and guide users toward supported, compliant workflows (such as using Microsoft Edge). This approach allows us to gradually enforce controls by first auditing user behavior, understanding risk patterns, and refining the policy before moving to stricter enforcement if needed.

Each statement of intent, followed by the configuration question it answers and the configuration mapping:

“We want to prevent users from sharing sensitive information to unapproved cloud apps and services…”
  • Administrative scope: Full directory
  • Where to monitor: Devices only
  • Policy scope: All users/devices (or targeted users for testing)

“We want to define which cloud services are considered unallowed for sensitive data sharing…”
  • Endpoint settings: Create Sensitive service domain group
  • Domains defined using URL/IP/IP range (with wildcard support)
  • Group reused in policy rules

“We want to detect sensitive content being shared to these services…”
  • Conditions: Content contains selected Sensitive info types
  • Detection logic: Built-in or custom sensitive information types

“We want to monitor attempts to upload sensitive content or access it through unsupported browsers…”
  • Actions: Upload to a restricted cloud service domain or access from an unallowed browser
  • Browser control integrated with Endpoint DLP

“We want to initially observe user behavior without blocking business processes…”
  • Action mode: Audit only for service domain and browser activities
  • No blocking or override enforced at this stage

“We want to redirect users toward supported, policy-aware browsers…”
  • Endpoint behavior: Unallowed browsers are prevented from accessing sensitive content
  • User experience: Redirection to Microsoft Edge, where DLP controls are enforced

“We want to maintain flexibility to extend protections over time…”
  • Design capability: Add more domain groups, apps, and policies as needed
  • Policy extensibility: Supports future transition to block or block with override

“We want to monitor and optionally control other file activities across apps…”
  • Additional actions: Configure File activities for all apps as needed
  • Fine-grained monitoring or restriction of endpoint behaviors

“We want this policy to be active immediately for evaluation…”
  • Policy mode: Turn it on right away
  • Deployment: Immediate enforcement in audit mode

Steps to create policy

  1. Sign in to the Microsoft Purview portal > Data loss prevention > Settings (gear icon in the upper-left corner) > Data Loss Prevention > Endpoint DLP settings > Browser and domain restrictions to sensitive data > Sensitive service domain groups.

  2. Select Create sensitive service domain group.

  3. Name the group.

  4. Enter the Sensitive service domain for the group. You can add multiple websites to a group and use wildcards to cover subdomains. For example, use www.contoso.com for just the top-level website, or *.contoso.com to cover corp.contoso.com, hr.contoso.com, and fin.contoso.com.

  5. Select the Match type you want. You can select from URL, IP address, IP address range.

  6. Select Save.

  7. In the left navigation pane, select Data loss prevention > Policies.

  8. Select Data stored in connected sources.

  9. Create and scope a policy that is applied only to the Devices location. For more information on how to create a policy, see Create and Deploy data loss prevention policies. Be sure to scope the Admin units to Full directory.

  10. On the Define policy settings page, select Create or customize advanced DLP rules and choose Next.

  11. Create a rule, as follows:

    1. Under Conditions, select + Add condition and select Content contains from the drop-down menu.
    2. Give the group a name.
    3. Choose Add and then select Sensitive info types.
    4. Select a Sensitive info type from the flyout pane, then choose Add.
    5. Add the action Audit or restrict activities on devices.
    6. Under Service domain and browser activities, choose Upload to a restricted cloud service domain or access from an unallowed browser and set the action to Audit only.
    7. Select + Choose different restrictions for sensitive service domains and then choose Add group.
    8. On the Choose sensitive service domain groups flyout, select the sensitive service domain group(s) you want, choose Add and then choose Save.
    9. Under File activities for all apps, select the user activities you want to monitor or restrict and the actions for DLP to take in response to those activities.
    10. Finish creating the rule and choose Save and then Next.
    11. On the confirmation page, choose Done.
    12. On the Policy mode page, choose Turn it on right away. Choose Next and then Submit.
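The following is an added Python model of the matching and decision logic this procedure configures (the wildcard and URL/IP/IP-range match types from step 4, and the audit-only versus unallowed-browser outcomes from the rule in step 11). It is not Microsoft Purview code: the class and function names, the treatment of the apex domain under a wildcard, the hyphenated IP-range form, and the decision strings are assumptions drawn from the page's description, and the sample group and activities are constructed. It is useful for sanity-checking which destinations a planned domain group would cover before you create it in the portal.

```python
"""Constructed model of sensitive service domain matching and rule evaluation.
Added illustration only; not the Purview engine. Behaviour beyond the page's
wording (apex domains, hyphen IP ranges, decision strings) is an assumption."""
from dataclasses import dataclass
import ipaddress
from urllib.parse import urlparse

# Browsers the page lists as supported for Endpoint DLP enforcement, per OS.
SUPPORTED_BROWSERS = {
    "windows": {"edge", "chrome", "firefox"},
    "macos": {"edge", "chrome", "firefox", "safari"},
}


@dataclass(frozen=True)
class DomainEntry:
    """One entry in a sensitive service domain group: a value and its match type."""
    value: str        # e.g. "www.contoso.com", "*.contoso.com", "203.0.113.10", "198.51.100.0/24"
    match_type: str   # "URL", "IP address" or "IP address range" (step 5)

    def matches(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        if self.match_type == "URL":
            pattern = self.value.lower()
            if pattern.startswith("*."):
                # Wildcard covers subdomains (step 4). Assumption: the apex
                # "contoso.com" itself is not covered by "*.contoso.com".
                return host.endswith(pattern[1:])
            return host == pattern          # exact host, e.g. www.contoso.com only
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False                    # hostnames never match IP-based entries
        if self.match_type == "IP address":
            return addr == ipaddress.ip_address(self.value)
        if self.match_type == "IP address range":
            if "-" in self.value:           # assumed "start-end" form
                lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-", 1))
                return lo <= addr <= hi
            return addr in ipaddress.ip_network(self.value, strict=False)  # CIDR form
        raise ValueError(f"unknown match type: {self.match_type}")


def host_of(destination: str) -> str:
    """Extract the host part of a URL or of a bare host[:port] string (IPv4/hostnames)."""
    if "://" in destination:
        return urlparse(destination).hostname or ""
    return destination.split("/")[0].split(":")[0]


@dataclass(frozen=True)
class Activity:
    """One endpoint event: where it happened and whether DLP found sensitive info."""
    os_name: str
    browser: str
    destination: str
    contains_sensitive_info: bool


def evaluate(activity: Activity, group: list, mode: str = "Audit only") -> str:
    """Decide the outcome for one activity under the rule built in step 11.

    Non-sensitive content is never restricted (the page keeps that workflow open).
    Sensitive content handled in an unsupported browser: user is redirected to Edge.
    Sensitive content uploaded to a restricted domain in a supported browser: the
    rule's configured action, which is Audit only in this scenario."""
    if not activity.contains_sensitive_info:
        return "allow"
    supported = SUPPORTED_BROWSERS.get(activity.os_name.lower(), set())
    if activity.browser.lower() not in supported:
        return "redirect to Microsoft Edge"
    host = host_of(activity.destination)
    if any(entry.matches(host) for entry in group):
        return mode.lower()
    return "allow"


# Constructed sensitive service domain group, mirroring the examples in step 4.
EXAMPLE_GROUP = [
    DomainEntry("www.contoso.com", "URL"),
    DomainEntry("*.contoso.com", "URL"),
    DomainEntry("203.0.113.10", "IP address"),
    DomainEntry("198.51.100.0/24", "IP address range"),
]

if __name__ == "__main__":
    # Constructed activities; run the file to see each decision.
    for act in [
        Activity("windows", "chrome", "https://hr.contoso.com/upload", True),
        Activity("windows", "brave", "https://hr.contoso.com/upload", True),
        Activity("macos", "safari", "https://other.example.com/upload", True),
        Activity("windows", "edge", "198.51.100.77:443/api", False),
    ]:
        print(act.browser, act.destination, "->", evaluate(act, EXAMPLE_GROUP))
```

The decision order matters: the browser check runs before the domain check because the page describes unallowed browsers as blocked from sensitive content regardless of destination, while the audit-only outcome applies only to uploads that hit a domain in the group.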