Microsoft Purview Data Loss Prevention Deep Dive | PDF
#WPNinjasNO
DLP Deep Dive
Nikki Chapple | Principal Cloud Architect CloudWay | MVP
About Nikki Chapple
Focus: Microsoft Purview | Microsoft 365
From: London | UK
My Blog: NikkiChapple.com
Podcast: All Things M365 Compliance
Hobbies: Holidays, learning Portuguese
Certifications: SC-300 | SC-401 | Microsoft 365 Enterprise Administrator | TOGAF Enterprise Architect | PROSCI Change Manager

Agenda
- What is DLP: Data Loss Prevention (DLP) Intro
- Prerequisites: DLP Prerequisites
- DLP Policies: Create DLP Policies
- Examples: DLP Examples
- Top Tips: DLP Top Tips

Data Loss Prevention (DLP) Intro

Data Security is critical for strong cybersecurity!
- Data security incidents are widespread and severe: 20% increase in severity of data security incidents compared to 2023
- Insiders account for a large portion of data breaches, adding to costs: 63% of data breach incidents stem from inadvertent, negligent, or malicious users [2]
- Organizations are concerned about data leak in Generative AI: 80%+ of leaders cited leakage of sensitive data as their main concern around adopting Generative AI [3]
Source:
[1] Microsoft Data Security Index report
[2] Microsoft Data Security Index report
[3] First Annual Generative AI Study: Business Rewards vs. Security Risks, Q3 2023, ISMG, N=400

But securing data is complex
- Different types of data, users, and objectives
- AI transformation brings new data risk
- Regulations continue to evolve

Data security controls
- Block endpoint | Allow endpoint
- Block sensitive data | Allow sensitive data
- Allow low risk user | Block high risk user

DLP Integrated insights and alerting
- Know the context: Leverage classification and labeling on sensitive data from Information Protection
- Understand the intent: Automatically apply risk insights from Insider Risk Management to DLP policies
- Integrate alert investigation: Integrate DLP alerts with Microsoft Defender XDR and Sentinel for richer investigation experience
Diagram labels:
Minor risk | Policy tips | DLP Policy 3
Moderate risk | Block with override | DLP Policy 2
Elevated risk | Block | DLP Policy 1
Alerts shown: DLP policy match | Endpoint patch required | VM login compromised

DLP Prerequisites
1. Onboard Devices
2. Deploy Purview browser extension
3. Block access to unapproved browsers
4. Configure Adaptive scopes
5. Licensing

Licensing

DLP Licensing
Capability | E3/Business Premium | E5 Compliance | PAYG
Files and Email | Yes | Yes | N/A
Teams | No | Yes | N/A
Endpoint | No | Yes | N/A
Adaptive scopes | No | Yes | N/A
Fabric | No | No | Yes
Non-Microsoft 365 locations | No | No | Yes
modern-work-plan-comparison-enterprise.pdf
modern-work-plan-comparison-smb5.pdf

Onboard Devices into Purview
Process varies depending on how devices are managed

If devices are enrolled in Intune
One click onboard devices into Purview

If devices are not managed by Intune
Devices will report to Defender for Endpoint, even if a different antivirus or anti-malware solution is in use. In such cases, these systems will report to Defender for Endpoint in passive mode.

Block Unauthorised Browsers
Configured in Intune > Device > Configuration
Users can only use managed browsers

Add Purview Browser Extension
Configured in Intune > Device > Configuration
- Add Purview Browser Extension to Edge
- Add Purview Browser Extension to Chrome
- Add Purview Browser Extension to Firefox

Tips
- Purview browser extension for Edge, Chrome & Firefox
- macOS devices do not require the extension
- Block other browsers
- Incognito mode isn't supported on Google Chrome and Firefox so it must be disabled

Configure Adaptive Protection
Requires Insider Risk Management

Adaptive Protection
- Insider risk level (continuously evaluate and publish risk level): Elevated risk | Moderate risk | Minor risk
- Data Loss Prevention (dynamically prevent unauthorized use): Block action | Block action, allow override | Policy tip
- Conditional Access (dynamically prevent unauthorized access): Block access | Terms of use
- Data Lifecycle Management (dynamically preserve deleted files): Preserve data

Set user risk level

One-Click IRM policy – Visit AI site

View users at each risk level

Create DLP Policies

DLP Policy Structure

Plan and Design Policies
- Business requirement
- Actions to Take
- What sensitive data to protect
- Where to Monitor

Data Explorer - What sensitive data to protect

Where to Monitor: Exchange | SharePoint | OneDrive | Teams | Devices

Common Conditions: Only Exchange email | Multiple locations | Only SharePoint sites

Actions: Block | Block with override | Warn | Monitor | Allow

Extend DLP beyond Microsoft 365

Demo: Microsoft Purview DLP

DLP Examples

DLP Analytics
Protect Sensitive Information
Recommendations

Configure DLP Settings
Endpoint DLP Settings
Restrict Cloud Sync apps
Auto-quarantine settings
DLP Analytics
Just-in-time protection

DLP One-Click Policies
Create One-Click policies from DLP
Create One-Click policies in DSPM
Create One-Click Policies in DSPM for AI

1. Create DLP Policy to Block External Sharing for labelled content
Locations: SharePoint & OneDrive

1. Block External Sharing for labelled content: User Experience
User experience – visual identifiers: Block | Warn
Display a Policy Tip
Block External Sharing
Allow overrides in emails

2. Create DLP Policy to Block device and browser actions for labelled content
Location: just Devices
Option to scope to Devices and Users

Endpoint DLP Policy Rules
Rule Name | Condition | Action
Block Copy to Clipboard | If content contains label "Secret" | Block copy to clipboard
Block Copy to USB | If content contains label "Secret" | Block copy to removable USB
Block Print | If content contains label "Secret" | Block print
Block Upload to Restricted Cloud or Unallowed Browser | If content contains label "Secret" | Block upload to restricted domains or unallowed browsers

Rule 1 – Block file activities
Rule 2 - Block upload to 3rd Party Gen AI Apps

Web site URL allow/block list
If the DLP policy has a block action for "Upload to a restricted cloud service domain or access from an unallowed browser" and there is an allow list for Service domains, then only the sites on that allow list can be accessed.

Rules Summary

2. Block device and browser actions for labelled content: User experience
Copy to USB Blocked
Block copy from document
Block upload to 3rd party Gen AI site

Location & Condition
Just In Time actions
Block with override

3. Block Copilot processing for labelled content (Preview)
Block access to Copilot if content contains specific sensitivity labels

3. Block Copilot processing for labelled content: User Experience
- Copilot does not work in labelled file
- Copilot cannot use labelled file as source
- Microsoft 365 Copilot cannot summarise content
- Microsoft 365 Copilot can’t reference labelled file
- Copilot Agent cannot access content

4. Configure DLP Policy with Adaptive protection
Different controls based on risk
View DLP Policies using Adaptive protection

DLP Alerts
DLP Alerts in Purview
Investigate Alert in Purview
DLP Alerts now in Defender XDR
Investigate Alert in Defender XDR

DLP Top Tips

Design Policies based on business requirements
- What sensitive data to monitor
- Actions to take
- Where to Monitor
- Conditions for match

Design Policies based on business requirements
Each part of the business statement is followed by the configuration question answered and the configuration mapping.

Statement: "Contoso need to detect Office documents containing sensitive health care information covered by HIPAA...
- What to monitor: Office docs, use the U.S. Health Insurance Act (HIPAA) template.
- Conditions for a match: (preconfigured but editable) - item contains U.S. SSN and Drug Enforcement Agency (DEA) number, International Classification of Diseases (ICD-9-CM), International Classification of Diseases (ICD-10-CM), users share content with people outside my organization.
- Drives conversations to clarify the triggering threshold for detection like confidence levels, and instance count (called leakage tolerance).

Statement: ...that employees stored in OneDrive/SharePoint and protect against users sharing information in Teams chat and channel messages...
- Where to monitor: Location scoping by including or excluding OneDrive and SharePoint sites and Teams chat/channel accounts or distribution groups.

Statement: ...and restrict everyone from sharing these documents with unauthorized third parties."
- Actions to take: You add Restrict access or encrypt the content in Microsoft 365 locations.
- Drives conversation on what actions to take when someone triggers a policy. Protective actions may include sharing restrictions. Awareness actions may include notifications and alerts. User empowerment actions may include allowing user overrides of a blocking action.
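
The Contoso mapping above expressed with the Security & Compliance PowerShell cmdlets, as an added example that is not taken from the slides. The policy and rule names, the And/Or grouping of the sensitive information types, and the confidence and count thresholds are assumptions to be replaced with the values agreed with the business.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a role
# that can manage DLP policies in Microsoft Purview.
Connect-IPPSSession

# Hypothetical policy name for this illustration.
$policyName = 'Contoso HIPAA external sharing'

# Where to monitor: SharePoint, OneDrive and Teams chat/channel messages.
# Start in simulation so matches are recorded without affecting users.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect HIPAA data shared outside the organization' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithoutNotifications

# Conditions for a match (assumed grouping): an identifier AND a medical term.
# mincount is the instance count ("leakage tolerance"), minconfidence the
# confidence level. Names must match the sensitive information types in the tenant.
$hipaaCondition = @{
    operator = 'And'
    groups   = @(
        @{
            operator       = 'Or'
            name           = 'Identifiers'
            sensitivetypes = @(
                @{ name = 'U.S. Social Security Number (SSN)'; mincount = 1; minconfidence = 75 },
                @{ name = 'Drug Enforcement Agency (DEA) Number'; mincount = 1; minconfidence = 75 }
            )
        },
        @{
            operator       = 'Or'
            name           = 'Medical terms'
            sensitivetypes = @(
                @{ name = 'International Classification of Diseases (ICD-9-CM)'; mincount = 1; minconfidence = 75 },
                @{ name = 'International Classification of Diseases (ICD-10-CM)'; mincount = 1; minconfidence = 75 }
            )
        }
    )
}

# Actions to take: restrict access when matching content is shared with
# people outside the organization, and send an incident report.
New-DlpComplianceRule -Name "$policyName - block" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $hipaaCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel Medium
```

Once the simulation results have been reviewed, `Set-DlpCompliancePolicy -Identity $policyName -Mode Enable` turns on enforcement.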
#WPNinjasNO
Deployment Approach
#WPNinjasNO
#WPNinjasNO
https://forms.office.com/e/vZt63PirDv
We value your feedback
#WPNinjasNO
Thank You

Microsoft Purview Data Loss Prevention Deep Dive