This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview data loss prevention (DLP) policy that helps prevent sharing sensitive information from a managed device to an AI app. Work through this scenario in your test environment to familiarize yourself with the policy creation UI.
Important
This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.
How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.
This feature is in preview.
Use this scenario to block, using Edge, the exfiltration of sensitive information from business-managed apps, like ServiceNow and Workday. The apps must be onboarded to Entra Conditional Access with session controls applied, and access to the protected apps must be blocked outside of the Edge work profile.
Prerequisites and assumptions
This procedure uses a hypothetical distribution group named External. For more information on DLP protections applying in the browser, see browser data security resources.
Important
Read Learn about Data Loss Prevention for Cloud Apps in Edge for Business before you start this procedure. It provides important information about the prerequisites and assumptions for this scenario.
Setting up a policy to protect data sharing with Entra-managed apps in the browser follows these phases:
- Onboard apps to Conditional Access app control.
- Create an Entra Conditional Access policy that's configured with custom session controls enabled.
- Enable Edge for Business in-browser protection, configured to enforce Edge work profile sign-in for business apps on all devices.
- Create a Purview DLP policy targeting user interactions with managed apps.
Important
The user and the app must both be in scope for all the prerequisite protections for the policy to apply to the user in Edge.
Policy intent statement and mapping
We need to allow users to access resources in business apps from their BYOD and personal devices, but block them from downloading the data to those devices. Contractors and vendor employees use these types of devices to collaborate for their work activities. When they attempt to download files containing sensitive information, like customer banking information, the action should be blocked. We also have to meet alerting requirements. Lastly, we want this to take effect as soon as possible.
Statement | Configuration question answered and configuration mapping
---|---
We need to allow users to access resources in business apps like Workday from their BYOD and personal devices, but block them from downloading the data to their devices … | - Choose where to apply the policy: Data in browser activity - Administrative scope: Full directory - Where to apply the policy: Managed apps > Workday
Contractors and vendor employees use these types of devices to collaborate for their work activities.... | - Scope: Specific users and groups - Include users and groups > External
When they attempt to download files containing sensitive information, like customer banking information, the action should be blocked. | What to monitor: - Use the custom policy template - Conditions for a match: Content contains Sensitive info types > ABA Routing Number, Australia Bank Account Number, Canada Bank Account Number, International Bank Account Number (IBAN), Israel Bank Account Number, Japan Bank Account Number, New Zealand bank account number, SWIFT Code, U.S. Bank Account Number - Action: Restrict browser and network activities > **File download** > Block
We also have to meet alerting requirements. Our security team must have a way to investigate and take actions against the policy match outcomes. | - Incident reports: Send an alert to admins when a rule match occurs is on by default
...Lastly, we want this to take effect as soon as possible.... | Policy mode: **On**
Steps to set up prerequisites
- Onboard apps to Conditional Access app control. For more information, see Onboard non-Microsoft IdP catalog apps for Conditional Access app control and Onboard non-Microsoft IdP custom apps for Conditional Access app control. To apply policies to groups, you must also import user groups from connected apps.
- Sign into the Microsoft Entra admin center.
- Create a new Conditional Access policy that targets cloud apps with session controls. Custom policy must be selected in the session controls dropdown.
- In the Microsoft Defender portal (https://security.microsoft.com), go to System > Settings > Cloud apps > Conditional Access App Control section > Edge for Business protection. Or, to go directly to the Edge for Business protection page, use https://security.microsoft.com/cloudapps/settings?tabid=edgeIntegration.
- Turn in-browser protection for Edge on, selecting Allow access only from Edge and All devices.
Steps to create the policy
- Sign in to the Microsoft Purview portal.
- Select Data loss prevention > Policies > + Create policy.
- Select Data in browser activity.
- Select Custom from the Categories list and then Custom policy from the Regulations list.
- Choose Next.
- Provide a policy name and give a description. You can use the policy intent statement here.
- Select Next.
- Accept the default Full directory on the Assign admin units page.
- Choose Next.
- Select Managed cloud apps.
- Select Specific users and groups.
- Choose + Include and then Include groups.
- Select External.
- Choose Done and then choose Next.
- Select + Include managed apps.
- Select Workday.
- Choose Done.
- On the Define policy settings page, the Create or customize advanced DLP rules option should already be selected.
- Choose Next.
- On the Customize advanced DLP rules page, select + Create rule.
- Name the rule and give a description.
- Select Add condition and use these values:
  - Select Content contains.
  - Select Add > Sensitive information types > Sensitive info types > ABA Routing Number, Australia Bank Account Number, Canada Bank Account Number, International Bank Account Number (IBAN), Israel Bank Account Number, Japan Bank Account Number, New Zealand bank account number, SWIFT Code, U.S. Bank Account Number.
  - Choose Add.
- Under Actions, add an action with these values:
  - Restrict browser and network activities
  - File download > Block
- Under Incident reports, the toggle for Send an alert to admins when a rule match occurs defaults to On.
- Choose Save and then choose Next.
- On the Policy mode page, choose On.
- Choose Next and then choose Submit.
- Choose Done.
Important
The DLP policy won't be applied in Edge until all requirements are met.