Forum Discussion
learnazure_ad
Feb 18, 2025 | Copper Contributor
Purview -> DLP -> Settings -> Endpoint DLP Settings
I have configured Browser and Domain Restrictions to sensitive data, with a condition as a sensitivity label. I used the Allow for a whitelist for sites, and all others should be blocked. I created...
learnazure_ad
Mar 10, 2025 | Copper Contributor
Hi. Appreciate the response. We were using WIP before and would like the same functionality and possibly expand on it. Given my research, reading and site configurations - I believe this is all doable. I have further been directed by Microsoft techs to get a Defender for Endpoint standalone license and the configurations should 'kick in', which has not happened when I purchased a Defender for Endpoint license for one user for testing.
Core needs:
- Have a whitelist of sites, and block others based on file sensitivity label. I believe this is done by "Browser and domain restrictions to sensitive data".
- Allow\block apps from accessing data based on file sensitivity label.
- Disable printing and other actions, if needed, for sensitive files.
I think I may be on a new thread of why it is not working. We have one license for Defender for Endpoint and many for Defender for Business. Apparently we cannot mix licenses and it will revert to the lowest license. Not sure at this point - but going to get more Endpoint licenses and see if this fixes the issue.
duliprb
Mar 10, 2025 | Brass Contributor
Hi learnazure_ad, thanks for clarifying. I think WIP is mostly outdated. The next solution you have is Defender for Endpoint + Microsoft Purview. In Business Premium, you have Defender for Business (likely the same functionality as Defender for Endpoint P2, obviously with some limitations). However, the Defender that comes in Business Premium is sufficient to get the Defender function required. For your website blocking based on sensitive data, as I said, you need Information Protection and Governance E5, which provides Endpoint DLP capability. If we drill down to website blocking when sensitive data is available: 1. We can block uploading data to an external website. 2. Block the website if required. This requires the Purview browser extension and Purview Endpoint DLP capability. Your "mixed license" scenario does not apply, as Defender for Business is sufficient to work in your scenario. There is another scenario, which we call WCF, web content filtering based on categories such as Gambling, Gaming, etc. You can achieve that functionality through Defender for Business.
- learnazure_ad | Mar 10, 2025 | Copper Contributor
- We can block uploading data to an external website - Yes, I can block specific websites via Defender portal > Settings > Endpoints > Rules\Indicators > URLs\Domains\IP's\etc.
But this does not give me the whitelist or block. I have to explicitly set the site, leaving any sites that are not blocked as allowed. Not very helpful to blanket block all then have an allowed list of sites. If there is something I am missing please let me know.
2. WCF - not great. General headings (Gambling\Social Media\etc) without knowing what sites it deems to block is not very helpful and will cause problems down the line, as it has in testing.
Ultimately I am getting that to move from WIP, which is deprecated in the latest Win11 release, which allows everything that I want. Is only supported for all features in E5. Which is 2x the cost of Business Premium and needs the additional license for Teams as that is not included.
- duliprb | Mar 10, 2025 | Brass Contributor
- We can block uploading data to an external website - Yes, I can block specific websites via Defender portal > Settings > Endpoints > Rules\Indicators > URLs\Domains\IP's\etc. (This blocking is not based on content you upload. If your user uploads content like a credit card number, Purview DLP can block just that. All other data can be uploaded.) 2. You can still block websites from Purview DLP; talking from a compliance perspective, Purview MIP and DLP is the way to go. Below are some use cases, sensitive data redacted purposefully.
- learnazure_ad | Mar 10, 2025 | Copper Contributor
Purview DLP is not working - it will not block sites based off of DLP or MIP (Microsoft Information Protection?)
Information Protection - I have created sensitivity labels and published. Reaching the data - I can see the label on the data.
Tied the sensitivity labels as the condition to the DLP policy. I have set DLP up in "Browser and Domain Restrictions to sensitive data" with a list of Allow sites, which is supposed to only allow those sites and block all others. This should be pushed to all DLP policies as it is in the DLP settings.
Nothing is getting blocked when I upload the data to Google Drive, for instance. What am I missing? In the Defender portal I can see on the device that it is not getting the DLP policy.
Contacting support\sales of Microsoft, they tell me I need additional licensing, that is why it is greyed out and why the DLP settings are not going to the device. They instructed me to purchase the Defender for Endpoint license, which they told me would fix this issue. Needless to say it did not fix the issue.
Please share if you are referring to another way to block data from being uploaded to sites and apps via Purview. Or if you know why it is not sync'ing or how to sync. Anything to help. Frustrating as support and sales do not seem to know what is what.