Microsoft Purview collection and DLP policies targeting user interactions with unmanaged apps in Microsoft Edge for Business trigger automation in the Microsoft Edge management service. This automatically manages the required configurations and policies outside of Purview to fully activate your Purview policies in Edge for Business.
After you save your Purview collection or DLP policy, the Microsoft Edge management service automatically creates and updates the required Edge configuration policies, Microsoft Intune policies, and security groups needed to activate the policy in the browser and prevent circumvention. The automatically created policies stay in sync with the Purview policy and don’t require extra setup or ongoing management by administrators.
How it works
- Define protection intent and policy scope in Purview. Create or update a Purview DLP or collection policy targeting unmanaged apps in Edge for Business, including the users or groups to scope.
- Edge configuration policies are created and updated automatically, including supporting Security Groups. The Microsoft Edge management service creates Edge configuration policies that activate in‑browser enforcement in Edge for Business. These policies are scoped to new Security Groups that are automatically created and updated to match the scope of users and groups included or excluded from your Purview policy.
- Microsoft Intune policies are created to help prevent circumvention. The Edge configuration policy for Purview DLP uses Microsoft Intune to block data sharing to browsers where protections don’t apply. These associated Microsoft Intune policies are automatically created and scoped to the same Security Groups as the Edge configuration policy.
- Purview policy changes stay in sync. Updates to the users or groups included in or excluded from the Purview policy are automatically reflected across the Security Groups targeted by the Edge configuration policies and Microsoft Intune policies. If all Purview policies targeting unmanaged apps in Edge for Business are deleted, the automatic policies are also deleted.
What's automatically created and updated
| Area | Type | Name | Description |
|---|---|---|---|
| Microsoft 365 admin center | Configuration policy | Purview - Allow Purview collection policies to apply to all users | Enables Purview collection policies to apply to users on managed devices. Automatically created and scoped to all users. Doesn’t block user activities and doesn’t require admin management. |
| Microsoft 365 admin center | Configuration policy | Purview - Block use of browsers where DLP protections for unmanaged Generative AI apps don’t apply | Enables Purview DLP policies to apply to users on managed devices. Automatically scoped to the users targeted by relevant Purview DLP policies. Helps prevent data sharing in browsers where protections don’t apply. |
| Microsoft Intune admin center | Microsoft Intune policy | Edge policy to block use of browsers where Purview DLP protections for unmanaged AI apps don’t apply | Helps prevent data sharing in browsers where protections don’t apply by blocking use of unprotected browsers. Automatically scoped to the users targeted by relevant Purview DLP policies. |
| Microsoft Intune admin center | Microsoft Intune policy | Edge policy to block use of unmanaged GenAI apps in browsers where in-browser protections don’t apply | Helps prevent data sharing to unmanaged apps in browsers other than Edge for Business where protections don’t apply by blocking use of select apps in the Google Chrome browser. Automatically scoped to the users targeted by relevant Purview DLP policies. |
| Microsoft 365 admin center | Security Group | Purview DLP browser protection - included users | Includes users and groups included in relevant Purview DLP policies. Used to scope Edge configuration policies and Microsoft Intune policies that apply in‑browser protections. |
| Microsoft 365 admin center | Security Group | Purview DLP browser protection - excluded users | Includes users and groups explicitly excluded from Purview DLP browser protections. Used to scope Edge configuration policies and Microsoft Intune policies that apply in‑browser protections. |
What happens when users are blocked from using unprotected browsers
When these settings are applied, users included in Purview DLP policies that block data sharing to unmanaged cloud apps have their experience limited or blocked in unprotected browsers where the policies don't apply. The user experience in Edge isn't impacted.
When these settings are applied, users are impacted as follows:
- In Chrome with Microsoft Purview extension: Use of the browser might be allowed depending on extension status and policy scope. If allowed, access to a dynamic set of generative AI apps is blocked. For more information and a list of apps, please see: manage enterprise secure AI settings
- In Firefox and other browsers: Use of these browsers is blocked. For more information please see: Block other browsers.
Note
When a user signs in to Microsoft Edge for Business on a managed device using their Entra ID credentials, the Edge configuration policy settings are applied.
View configuration policies in the Microsoft Admin Center
Follow these steps to view the configuration policies:
- Go to the Microsoft 365 admin center.
- Sign in and select Settings > Microsoft Edge.
- Select the policy to view more information.
Note
The setting “Block use of cloud apps in browsers where Purview in-browser protections doesn’t apply.” is used for the Edge configuration policy created to activate the Purview DLP policies.
Manually activate or resync your Microsoft Purview DLP policy in Microsoft Edge
If the automatic process fails to complete, for example if the Purview Admin doesn't have permissions required for Microsoft Intune or if a system error occurs, Admins can initiate a resync from the Microsoft Admin Center. To resync:
- Sign in to the Microsoft Admin Center.
- Navigate to Settings > Edge.
- On the Overview tab, in the Microsoft Purview DLP protections card, select Sync now.
Important
To use this feature, Admins must be assigned to a role that can create service principals, and have permissions assigned for Microsoft Intune administration.
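One way to check whether the automation completed before deciding to resync is to confirm that the two auto-created Security Groups exist and that their membership matches the scope you set in Purview. The script below is an added example, not part of the original documentation; it assumes the groups are Microsoft Entra ID security groups readable through the Microsoft Graph PowerShell SDK, and the user names are constructed placeholders.

```powershell
# Added example: verify the auto-created Security Groups and their membership.
# Assumption: the groups are readable via Microsoft Graph (Microsoft.Graph.Groups module).
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All'

# Display names exactly as listed in the "What's automatically created" table.
$groupNames = [ordered]@{
    Included = 'Purview DLP browser protection - included users'
    Excluded = 'Purview DLP browser protection - excluded users'
}

# Constructed placeholders: the UPNs you scoped into the Purview DLP policy.
$expectedIncluded = @('alice@contoso.example', 'bob@contoso.example')

$members = @{}
foreach ($key in $groupNames.Keys) {
    $name   = $groupNames[$key]
    $groups = @(Get-MgGroup -Filter "displayName eq '$name'")

    if ($groups.Count -ne 1) {
        # Zero matches suggests the automation has not completed; more than one
        # means a look-alike group exists and the scope cannot be trusted.
        Write-Warning "$($groups.Count) groups named '$name' found; expected exactly 1."
        $members[$key] = @()
        continue
    }

    # Transitive membership, because the Purview scope can include nested groups.
    $members[$key] = @(
        Get-MgGroupTransitiveMember -GroupId $groups[0].Id -All |
            ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
            Where-Object { $_ }
    )
    Write-Host "$key group: $($members[$key].Count) user(s)"
}

# Users in the Purview scope that the Security Group does not yet contain.
$notSynced = $expectedIncluded | Where-Object { $_ -notin $members['Included'] }
# Users present in both groups: confirm the exclusion is intended.
$inBoth = $members['Included'] | Where-Object { $_ -in $members['Excluded'] }

if ($notSynced) { Write-Warning "Not yet in included group: $($notSynced -join ', ')" }
if ($inBoth)    { Write-Warning "In both included and excluded groups: $($inBoth -join ', ')" }
if (-not $notSynced -and -not $inBoth) { Write-Host 'Group scope matches the expected list.' }
```

A missing group or a user who has not appeared in the included group is the signal to use Sync now as described above.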
FAQs
Can these policies be edited?
Automatically created policies are read-only. To change them, update the corresponding policies in Purview.
Can these policies be deleted?
Automatically created policies can only be deleted by deleting all Microsoft Purview collection and DLP policies targeting unmanaged apps in Edge for Business. This will automatically delete the auto-created Edge configuration policies and Intune policies. For manually created policies, if you’re an admin, you can delete the configuration policy that was deployed to users or uncheck the feature configuration.
- Go to the policy.
- Click Delete.
- In the side panel, acknowledge and confirm the changes.
- Click Delete.

On other configuration policies, will my other settings work if I check the “Block other browsers” box?
No, the “Block other browsers” box takes precedence over all other settings. Only one setting can be turned on at a time.
Can I sync changes manually?
Yes, a manual sync option is available on the Edge settings overview page. Admins can sync by selecting the Sync now action on the Microsoft Purview DLP protections card.