Set Up Endpoint DLP Evidence Collection on your Azure Blob Storage
Endpoint Data Loss Prevention (Endpoint DLP) is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. Microsoft Endpoint DLP allows you to detect and protect sensitive content across onboarded Windows 10, Windows 11 and macOS devices. Learn more about all of Microsoft's DLP offerings. Before you start setting up the storage, you should review Get started with collecting files that match data loss prevention policies from devices | Microsoft Learn to understand the licensing, permissions, device onboarding and your requirements. Prerequisites Before you begin, ensure the following prerequisites are met: You have an active Azure subscription. You have the necessary permissions to create and configure resources in Azure. You have setup endpoint Data Loss Prevention policy on your devices Configure the Azure Blob Storage You can follow these steps to create an Azure Blob Storage using the Azure portal. For other methods refer to Create a storage account - Azure Storage | Microsoft Learn Sign in to the Azure Storage Accounts with your account credentials. Click on + Create On the Basics tab, provide the essential information for your storage account. After you complete the Basics tab, you can choose to further customize your new storage account, or you accept the default options and proceed. Learn more about azure storage account properties Once you have provided all the information click on the Networking tab. In network access, select Enable public access from all networks while creating the storage account. Click on Review + create to validate the settings. Once the validation passes, click on Create to create the storage Wait for deployment of the resource to be completed and then click on Go to resource. Once the newly created Blob Storage is opened, on the left panel click on Data Storage -> Containers Click on + Containers. Provide the name and other details and then click on Create Once your container is successfully created, click on it. Assign relevant permissions to the Azure Blob Storage Once the container is created, using Microsoft Entra authorization, you must configure two sets of permissions (role groups) on it: One for the administrators and investigators so they can view and manage evidence One for users who need to upload items to Azure from their devices Best practice is to enforce least privilege for all users, regardless of role. By enforcing least privilege, you ensure that user permissions are limited to only those permissions necessary for their role. We will use portal to create these custom roles. Learn more about custom roles in Azure RBAC Open the container and in the left panel click on Access Control (IAM) Click on the Roles tab. It will open a list of all available roles. Open context menu of Owner role using ellipsis button (…) and click on Clone. Now you can create a custom role. Click on Start from scratch. We have to create two new custom roles. Based on the role you are creating enter basic details like name and description and then click on JSON tab. JSON tab gives you the details of the custom role including the permissions added to that role. For owner role JSON looks like this: Now edit these permissions and replace them with permissions required based on the role: Investigator Role: Copy the permissions available at Permissions on Azure blob for administrators and investigators and paste it in the JSON section. User Role: Copy the permissions available at Permissions on Azure blob for usersand paste it in the JSON section. Once you have created these two new roles, we will assign these roles to relevant users. Click on Role Assignments tab, then on Add + and on Add role assignment. Search for the role and click on it. Then click on Members tab Click on + Select Members. Add the users or user groups you want to add for that role and click on Select Investigator role – Assign this role to users who are administrators and investigators so they can view and manage evidence User role – Assign this role to users who will be under the scope of the DLP policy and from whose devices items will be uploaded to the storage Once you have added the users click on Review+Assign to save the changes. Now we can add this storage to DLP policy. For more information on configuring the Azure Blob Storage access, refer to these articles: How to authorize access to blob data in the Azure portal Assign share-level permissions. Configure storage in your DLP policy Once you have configured the required permissions on the Azure Blob Storage, we will add the storage to DLP endpoint settings. Learn more about configuring DLP policy Open the storage you want to use. In left panel click on Data Storage -> Containers. Then select the container you want to add to DLP settings. Click on the Context Menu (… button) and then Container Properties. Copy the URL Open the Data Loss Prevention Settings. Click on Endpoint Settings and then on Setup evidence collection for file activities on devices. Select Customer Managed Storage option and then click on Add Storage Give the storage name and copy the container URL we copied. Then click on Save. Storage will be added to the list. Storage will be added to the list for use in the policy configuration. You can add up to 10 URLs Now open the DLP endpoint policy configuration for which you want to collect the evidence. Configure your policy using these settings: Make sure that Devices is selected in the location. In Incident reports, toggle Send an alert to admins when a rule match occurs to On. In Incident reports, select Collect original file as evidence for all selected file activities on Endpoint. Select the storage account you want to collect the evidence in for that rule using the dropdown menu. The dropdown menu shows the list of storages configured in the endpoint DLP settings. Select the activities for which you want to copy matched items to Azure storage Save the changes Please reach out to the support team if you face any issues. We hope this guide is helpful and we look forward to your feedback. Thank you, Microsoft Purview Data Loss Prevention TeamPurview Webinars
Register for all webinars here🔗 Upcoming Microsoft Purview Webinars MAR 12 (8:00AM) Microsoft Purview | Microsoft Purview AMA - Data Security, Compliance, and Governance MAR 18 (8:00AM) Microsoft Purview | Microsoft Teams and Purview Information Protection: Inheriting Sensitivity Labels from Shared Files to Teams Meetings Microsoft Purview Information Protection now supports label policy settings to apply inheritance from shared files to meetings. This enhances protection in Teams when sensitive files are shared in Teams chat or live shared during meeting. MAR 19 (8:00AM) Microsoft Purview | Unlocking the Power of Microsoft Purview for ChatGPT Enterprise Join us for an exciting presentation where we unveil the seamless integration between Microsoft Purview and ChatGPT Enterprise. Discover how you can effortlessly set up and integrate these powerful tools to ensure that interactions are securely captured, meet regulatory requirements and manage data effectively. Don't miss out on this opportunity to learn about the future of intelligent data management and AI-driven insights! 2025 Past Recordings JAN 8 - Microsoft Purview AMA | Blog Post 📺 Subscribe to our Microsoft Security Community YouTube channel for ALL Microsoft Security webinar recordings, and more!The First Purview AMA of 2025 is Now On-Demand
The Microsoft Purview Community has kicked off a new year picking the brains of subject matter experts to understand all that Purview can do for their data security, governance, and compliance. The panelists: Maxime Bombardier - Purview Data Security and Horizontals Sandeep Shah - Purview Data Governance Peter Oguntoye - Purview Compliance A sampling of the questions: When will we see integration between the container sensitivity labels (groups and sites) and item sensitivity labels (files and emails)? Is there a matrix to see what capabilities in Purview can be used with which license? In Purview Activity Explorers, is there a way to save custom filters? There are the built-in filters, and then you can add additional filters, but never see an option to save. If not possible, is this a future enhancement coming? What is your advice on sharing confidential information with external users and the use of Information Protection labeling? I mean, do you recommend adding external users as guest users, or using a label configured with 'Any Authenticated Users' instead? If a large enterprise customer sees many false positives returned from trainable classifiers like profanity, how can they train or recreate these to more effectively use communication compliance The rest of the questions can be found in this post; even those that didn't make it to the live AMA are answered. Here is the full Jan 8th Purview AMA Recording: And finally, please comment below- what kind of content would you like to see from Purview experts or your fellow community members/users in the future? Thank you for engaging with the Purview Community!Global Reader Role Creating Retention Policies in Purview Compliance: Bug or Intended Behaviour?
Did you know that a user with the Global Reader role in Purview Compliance can create and edit retention policies? Interestingly, while they can create and modify policies, they cannot delete them. The expected behaviour for a Global Reader is read-only access across Microsoft 365, without the ability to make any changes, including creating or editing policies. Has anyone else encountered this, and do you think this is a bug or an intended feature?
New Blog Post | March Ahead w/ Purview: Unify ALL your data using Apache Atlas open API support
March Ahead with Azure Purview: Unify ALL your data using Apache Atlas open API support - Microsoft Tech Community We are debuting a blog series today - "March Ahead with Azure Purview". This blog series is focused on helping you get the most out of your current Purview implementation. Over the month of March, we will have blogs on best practices, tips and tricks and troubleshooting guidance on topics including Scans, Access, Roles, and Proof-of-Concept planning.New Blog Posts | Azure Purview at Spring Ignite 2021
Azure Purview at Spring Ignite 2021 - Microsoft Tech Community Author: Gaurav Malhotra The reception to Azure Purview since launch has been tremendous! We are thrilled to announce that over 14.5 Billion data assets were discovered by customers across their hybrid environments! And today, we are happy to announce that we have some great new features to help our customers do more with Azure Purview. Discover and govern your data in AWS Simple Storage Service (S3) with Azure Purview - Microsoft Tech Community Author: Oded Bergman At the launch in early December, we gave you a sneak peek of the ability to manage multicloud data sources with Azure Purview. Today, I'm happy to announce, that you can now use Azure Purview to discover, manage and govern data residing in Amazon Web Services S3, in public preview. Organize Business glossary terms using hierarchies. - Microsoft Tech Community Author: Naga Yenamandra Azure Purview aims to enable effortless discovery of data by data consumers from across the organization. But for data consumers to meaningfully reason over the data, it must be consistently defined. This is where a business glossary can help. Manage data sources at scale with Azure Purview: Azure Multiple Source registration and scans - Microsoft Tech Community Author: Vishal Anil At the Azure Purview launch, we announced the ability to register and scan individual sources. At Ignite, we announced that we are now making it even easier to register and scan your Azure data at scale, with the Azure multiple source registration feature, now in public preview. This capability allows you to register an entire Azure subscription or resource group in Azure Purview. Purview now supports Non-Microsoft sources - Teradata, Oracle DB, SAP S/4HANA and SAP ECC - Microsoft Tech Community Author: Kavya Chandra Azure Purview expands on the Non-Microsoft Connectors supportability. In addition to the numerous Azure sources supported today, customers can now register and scan from various databases like Teradata and Oracle. Azure purview also supports ERP sources like SAP S/4HANA and SAP ECC.
