Use Network Data Security to help prevent sharing sensitive information with unmanaged AI

Note

The features used in this scenario are in preview.

This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview data loss prevention (DLP) policy that helps prevent sharing sensitive information with unmanaged AI apps. Enforcement happens through network data security, using an integrated SASE solution such as Microsoft Entra Global Secure Access (GSA) Internet Access. Work through this scenario in your test environment to familiarize yourself with the policy creation UI.

Important

This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.

How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.

Prerequisites and assumptions

  • For Microsoft Entra GSA Internet Access apps, the device must be Microsoft Entra joined.
  • For Microsoft Entra GSA Internet Access apps, you've configured a file policy for network content filtering in Microsoft Entra GSA Internet Access.
  • For third-party SASE providers, ensure you've completed the integration steps outlined in your provider's documentation.
  • This procedure uses two hypothetical distribution groups: one for the Finance department (referred to below as the Finance department group) and one for the Security Team (referred to below as SecurityOps). You have to create these groups in your environment or substitute your own groups.

Policy intent statement and mapping

We want to embrace responsible AI use within our organization while protecting customer and organizational sensitive data from intentional or accidental exposure. Because the Finance department regularly handles highly sensitive information, we need to create a policy that blocks Finance users from sharing sensitive content with any unsanctioned generative AI application. Since many of our users have flexibility in which browser they choose to use, as well as the ability to use locally installed AI apps and Office add-ins, we need to ensure broad endpoint coverage through network data security protection. Given the sensitivity of the Finance department’s access to data, we need to prevent financial data, personally identifiable information (PII), or confidential documents from being shared through text prompts or uploaded files. Then, to ensure efficient and quick incident management, we must generate alerts and ensure our security team is notified via email any time a block occurs. Lastly, we want this policy to take effect immediately to begin protecting company data as soon as possible.

Statement: Because the Finance department regularly handles highly sensitive information, we need to create a policy that blocks Finance users from sharing sensitive content with any unsanctioned generative AI application.
Configuration question answered and configuration mapping: Choose cloud apps to apply the policy:
- Select + Add cloud apps
- Select the Adaptive app scopes tab
- Choose All unmanaged AI apps and select Add
- Select Edit scope
- Select Include only specific
- Choose the Finance department group

Statement: Since many of our users have flexibility in which browser they choose to use, as well as the ability to use locally installed AI apps and Office add-ins, we need to ensure broad endpoint coverage through network data security protection.
Configuration question answered and configuration mapping: Choose where to enforce the policy:
- Enable Network

Statement: Given the sensitivity of the Finance department's access to data, we need to prevent financial data, personally identifiable information (PII), or confidential documents...
Configuration question answered and configuration mapping: Customize advanced DLP rules:
- Select + Create rule
- Select + Add condition and choose Content contains
- Select Add and choose Sensitive info types
- Select ABA Routing Number, U.S. Bank Account Number, Credit Card Number, U.S. Social Security Number (SSN) and select Add
- Select Add and choose Sensitivity labels
- Choose Confidential and select Add
- Ensure the Group operator is set to Any of these

Statement: ...from being shared through text prompts or uploaded files.
Configuration question answered and configuration mapping: Actions:
- Select + Add an action and choose Restrict browser and network activities
- Select Text sent to or shared with cloud or AI apps and File uploaded to or shared with cloud or AI apps
- Select Block for both

Statement: Then, to ensure efficient and quick incident management, we must generate alerts and ensure our security team is notified via email any time a block occurs.
Configuration question answered and configuration mapping: Incident reports:
- Set the severity level to High
- Ensure Send an alert to admins when a rule match occurs is On
- Select + Add or remove users and choose the SecurityOps distribution group
- Ensure Send alert every time an activity matches the rule is selected, and then Save the rule

Statement: Lastly, we want this policy to take effect immediately to begin protecting company data as soon as possible.
Configuration question answered and configuration mapping: Policy mode:
- Select Turn the policy on immediately

SASE provider integration

Important

You must have a SASE provider integrated with Purview to begin discovering and protecting content shared over the network.

  1. Sign in to the Microsoft Purview portal.
  2. Open Settings (in the upper-right corner) > Data loss prevention > Integrations.
  3. Select Get started for the Microsoft Global Secure Access (Preview).
  4. Complete the steps provided in the integration wizard.

Steps to create policy

  1. Sign in to the Microsoft Purview portal.
  2. Select Data loss prevention > Policies > + Create policy.
  3. Select Inline web traffic.
  4. Select Custom from the Categories list and then select Custom policy from the Regulations list.
  5. Choose Next.
  6. Enter a policy name and provide an optional description. You can use the policy intent statement here.
  7. Choose Next.
  8. Select + Add cloud apps.
  9. Select the Adaptive app scopes tab, then choose All unmanaged AI apps and select Add.
  10. Select Edit scope on All unmanaged AI apps.
  11. Select the Include only specific option on the Add or edit the scope for All unmanaged AI apps page.
  12. Select + Add inclusions.
  13. Select Specific users and groups.
  14. Search for and select the Finance department group, then select Add.
  15. Select Save and close.
  16. Choose Next.
  17. On the Choose where to enforce the policy page, ensure Network is On, then select Next.

Note

You can only select Network when pay-as-you-go billing is set up. Learn more about pay-as-you-go billing.

  18. On the Define policy settings page, ensure Create or customize advanced DLP rules is selected and select Next.
  19. On the Customize advanced DLP rules page, select + Create rule.
  20. Give the rule a unique name and optional description.
  21. Under Conditions:
    1. Select + Add condition, then choose Content contains.
    2. Select Add and choose Sensitive info types.
    3. Choose ABA Routing Number, U.S. Bank Account Number, Credit Card Number, U.S. Social Security Number (SSN) and select Add.
    4. Select Add and choose Sensitivity labels.
    5. Choose Confidential and select Add.
    6. Ensure the Group operator is set to Any of these for the Content contains group.
  22. Under Actions:
    1. Select + Add an action and choose Restrict browser and network activities.
    2. Select Text sent to or shared with cloud or AI apps and File uploaded to or shared with cloud or AI apps.
    3. Select Block for both.

Important

Microsoft Entra GSA Internet Access supports file activities only. With that provider, only the File uploaded to or shared with cloud or AI apps action is enforced over the network; the Text sent to or shared with cloud or AI apps action still needs a provider that supports text activities.

  23. Under Incident reports:
    1. Set the Severity level in admin alerts and reports to High.
    2. Ensure Send an alert to admins when a rule match occurs is On.
    3. Select + Add or remove users and choose the SecurityOps distribution group.
    4. Ensure Send alert every time an activity matches the rule is selected.
  24. Select Save.
  25. Review the rule configuration, ensure its status is On, and select Next.
  26. On the Policy mode page, choose Turn the policy on immediately and then select Next.
  27. Review the policy information, then select Submit to create the policy.
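Before you paste prompts into an unmanaged AI app in your test tenant to confirm the rule blocks them, it helps to know which test strings should actually fire the four sensitive info types (SITs) selected under Conditions. The following script is an added example, not code from this article or from Microsoft Purview: it approximates the checks behind those SITs (the Luhn checksum behind Credit Card Number, the 3-7-1 weighted checksum behind ABA Routing Number, the area/group/serial allocation rules behind U.S. SSN, and keyword proximity for U.S. Bank Account Number) and applies the rule's Any of these logic, including the Confidential label, to a set of constructed prompts. The keyword list, proximity window and regular expressions are simplified assumptions; the real classifiers also use confidence levels and additional supporting evidence, so treat a match here as "should block" guidance, not as a reproduction of Purview's decision.

```python
"""Offline approximation of the four built-in SITs used by the rule, to build
and sanity-check test prompts. Not Purview's classifiers."""
import re

# Hypothetical keyword list standing in for Purview's bank-account keywords.
BANK_KEYWORDS = re.compile(r"\b(?:bank account|account number|account|acct)\b", re.I)
PROXIMITY = 300  # characters; assumed keyword proximity window


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the validation behind the Credit Card Number SIT."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_valid(digits: str) -> bool:
    """ABA routing checksum: weights 3,7,1 repeating; sum must be divisible by 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(c) * w for c, w in zip(digits, (3, 7, 1) * 3)) % 10 == 0


def ssn_valid(area: str, group: str, serial: str) -> bool:
    """SSA allocation rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def find_sensitive_info(text: str) -> set:
    """Return the names of the rule's SITs that the text matches."""
    found = set()
    # Credit card: 13-16 digits, optional spaces/dashes, Luhn-valid.
    for m in re.finditer(r"\b(?:\d[ -]?){12,15}\d\b", text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.add("Credit Card Number")
    # ABA routing number: exactly 9 consecutive digits with a valid checksum.
    for m in re.finditer(r"(?<!\d)\d{9}(?!\d)", text):
        if aba_valid(m.group()):
            found.add("ABA Routing Number")
    # SSN: formatted AAA-GG-SSSS (dash or space) passing allocation rules.
    for m in re.finditer(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b", text):
        if ssn_valid(*m.groups()):
            found.add("U.S. Social Security Number (SSN)")
    # Bank account: 8-17 digits with a bank keyword within the proximity window.
    for m in re.finditer(r"(?<!\d)\d{8,17}(?!\d)", text):
        window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        if BANK_KEYWORDS.search(window):
            found.add("U.S. Bank Account Number")
    return found


def evaluate_rule(text: str, labels=()) -> dict:
    """Mirror the rule: Content contains any of the SITs OR the Confidential
    sensitivity label (group operator Any of these) -> Block."""
    matches = find_sensitive_info(text)
    label_hit = "Confidential" in set(labels)
    return {"block": bool(matches) or label_hit,
            "matches": sorted(matches),
            "label_match": label_hit}


# Constructed test prompts (no real data). 4111 1111 1111 1111 is the standard
# Luhn-valid test card number; 021000021 is a publicly listed routing number.
SAMPLE_PROMPTS = [
    "Summarize the Q3 marketing plan in three bullets.",
    "Draft a wire: routing 021000021, account 9876543210, $48,000.",
    "Is card 4111 1111 1111 1111 exp 12/29 still valid?",
    "Employee 078-05-1120 needs a new W-2; rewrite this email.",
    "Reference 123456789 is the ticket id, please prioritise it.",
]

if __name__ == "__main__":
    for prompt in SAMPLE_PROMPTS:
        result = evaluate_rule(prompt)
        print("BLOCK" if result["block"] else "allow", result["matches"], "|", prompt)
```

The last prompt is the useful negative case: 123456789 fails the ABA checksum and has no bank keyword near it, so a correctly configured rule should let it through, while the wire prompt should be blocked on both the routing and account numbers. Remember that with Microsoft Entra GSA Internet Access only file activities are enforced, so put the same strings in an uploaded file when testing that provider.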