Microsoft Data Loss Prevention Gets New Data Security Controls

Microsoft is enhancing its Purview DLP solution with new security capabilities.

Published: Mar 24, 2025

Key Takeaways:

  • Microsoft Purview DLP now extends security controls to networks, Edge for Business, macOS devices, and non-Microsoft file types.
  • New DLP controls block sensitive data from being entered into generative AI apps and untrusted SaaS platforms.
  • IT admins gain improved visibility and control with new dashboards and customizable policies.

Microsoft has announced several new security features for its Purview Data Loss Prevention (DLP) solution. The company will soon extend Microsoft Purview data security capabilities to the network and the Microsoft Edge for Business browser.

Inline data discovery for the network

Microsoft Purview DLP now integrates with the secure access service edge (SASE) solution. SASE is a network architecture that combines wide-area networking (WAN) and security functions to offer secure access to apps and data. This integration allows administrators to monitor sensitive data that is being sent outside of the organization from company devices, for instance files uploaded to personal cloud storage services and data sent to third-party AI services from apps on a user’s desktop. This feature will be available in public preview in May 2025.

Inline data protection in Microsoft Edge for Business

Microsoft mentioned that information workers spend a significant amount of their time using web browsers. It’s important for companies to protect sensitive data that might be sent to untrusted locations from the web browser. Examples of risky actions include typing and submitting data to unmanaged software-as-a-service (SaaS) applications or consumer GenAI apps such as DeepSeek and Google Gemini.

Microsoft has announced the public preview of Purview DLP controls built into Edge for Business. These controls allow security teams to enforce DLP policies to prevent sensitive data from being entered into generative AI apps. These new controls will work alongside existing protections that prevent sensitive content from being uploaded or pasted into the browser. This feature will be available in public preview in April.

Purview DLP policy (Image Credit: Microsoft)

Expanded protection for non-Microsoft files and macOS devices

Microsoft is adding enhanced protection for non-Microsoft file types such as Java, Adobe Creative Cloud, and AutoCAD. This capability will help to ensure that sensitive files remain secure even when moved or shared.

In addition to this, administrators can deploy Purview endpoint DLP on macOS devices without needing device management solutions such as Microsoft Intune and Jamf. Users can enable endpoint DLP by logging in through an Entra ID account or using the Microsoft Enterprise SSO plugin for Apple devices.

Microsoft announced that certain DLP features, which were previously available on Windows, are now available for macOS devices in public preview. These include coverage & exclusions for network shares and network share groups, OCR cost estimation, detection & prevention of sensitive data pasted to supported browsers, full file evidence storage for endpoint DLP policy matches, and appearance of file read events in Activity Explorer.

Microsoft has also announced the general availability of just-in-time protection for removable media and network shares for macOS devices. This feature blocks all actions on monitored files until the DLP policy evaluation is completed.

Simplified Admin experiences

Microsoft Purview has added new collection policies in public preview, allowing IT admins to configure rules about what data is gathered from different sources. The initial focus will be on data from endpoint devices, network traffic, and the Edge for Business browser. Moreover, Microsoft has launched a new dashboard that allows administrators to view the status of their DLP policies for cloud services. It currently supports Microsoft Teams, Exchange, OneDrive, and SharePoint policies.

Policy sync dashboard (Image Credit: Microsoft)

Furthermore, Microsoft mentioned that administrators can now apply DLP policies to specific devices or Entra device groups. It’s also possible for IT admins to use administrative units defined in Entra ID to target DLP policies. Microsoft has provided IT admins with a comprehensive view of all DLP policies in place within their organization. This feature is available for Microsoft Purview DLP customers with Security Copilot Units (SCUs).

Microsoft has also introduced the ability to save and reuse filters in Activity Explorer. Other capabilities that are currently available in public preview include a new filter for DLP alerts based on label and evidence summaries for all supported file types in endpoint DLP.

Enhanced user and data protections

Last but not least, Microsoft has broadened its DLP coverage across various workloads, file types, and platforms. The company has rolled out four key enhancements: on-demand classification for dormant files in SharePoint and OneDrive, IP-based restrictions for network shares and URL groups, advanced classification methods for a wider range of file types on Windows, and custom hyperlinks in policy tips for user education.
