Get started with collecting files that match data loss prevention policies from devices

This article walks you through the prerequisites and configuration steps for evidence collection for file activities on devices and introduces how to view the items that are copied and saved.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Here are the high level steps for configuring and using evidence collection for file activities on devices.

1. Onboard devices
2. Understand your requirements Create your managed Azure storage account
3. Add an Azure storage blob to your account
4. Enable and configure evidence collection on a storage account managed by Microsoft (preview)
5. Configure your DLP policy
6. Preview the evidence

Before you begin

Before you start these procedures, you should review Learn about evidence collection for file activities on devices.

Licensing and Subscriptions

Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.

For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.

See the prerequisites licensing requirements for Microsoft Entra ID P1 or P2 needed to create custom role-based access control (RBAC).

Permissions

Standard Microsoft Purview Data Loss Prevention (DLP) permissions are required. For more information, see Permissions.

Onboard devices

Before you can use copy matched items you have to onboard Windows 10/11 devices into Purview, see Onboard Windows devices into Microsoft 365 overview.

Understand your requirements

Important

Each container inherits the permissions of the storage account that it is in. You can't set different permissions per container. If you need to configure different permissions for different regions, you must create multiple storage accounts, not multiple containers.

You should have answers to the following question before setting up your Azure storage and scoping the feature to users.

Do you need to compartmentalize items and access along role or departmental lines?

For example, if your organization wants to have one set of administrators or DLP event investigators who can view saved files from your senior leadership and another set of administrators or DLP event investigators for saved items from human resources, you should create one Azure storage account for your organization's senior leadership and another for the Human Resources department. This ensures that the Azure storage admins or DLP event investigators can only see the items that matched DLP policies from their respective groups.

Do you want to use containers to organize saved items?

You can create multiple evidence containers within the same storage account for sorting saved files. For example, one for files saved from the HR department and another for those from the IT department.

What is your strategy for protecting against saved item deletion or modification?

In Azure Storage, data protection refers to both the strategies for protecting the storage account and data within it from being deleted or modified and to restoring data after it's deleted or modified. Azure storage also offers options for disaster recovery, including multiple levels of redundancy, to protect your data from service outages due to hardware problems or natural disasters. It can also protect your data using customer-managed failover if the data center in the primary region becomes unavailable. For more information, see Data protection overview.

You can also configure immutability policies for your blob data that protects against the saved items being overwritten or deleted. For more information, see Store business-critical blob data with immutable storage

Supported file types for storing and previewing evidence

Can be Stored	Can be Previewed
All file types monitored by Endpoint DLP	All file types supported for previewing files in OneDrive, SharePoint, and Teams

Save matched items to Azure blob storage

To save the evidence that Microsoft Purview detects when your data loss prevention policies are applied, you need to set up Azure blob storage. There are two ways to do this:

1. Create customer-managed storage
2. Create Microsoft-managed storage (preview)

For more information and a comparison of these two types of storage, see Storing evidence when sensitive information is detected (preview).

Create customer-managed storage

The procedures for setting up your Azure storage account, container, and blobs are documented in the Azure document set. Here are links to relevant articles you can refer to help you get started:

1. Introduction to Azure Blob Storage
2. Create a storage account
3. Default to and authorize access to blobs using Microsoft Entra ID
4. Manage blob containers using the Azure portal
5. Manage block blobs with PowerShell

Be sure to save the name and URL of the Azure blob container. To view the URL, open the Azure storage portal > Home > Storage Accounts > Container > Properties

The format for the Azure blob container URL is:https://storageAccountName.blob.core.windows.net/containerName.

Add an Azure storage blob to your account

There are several ways you can add an Azure storage blob to your account. Chose one of the methods below.

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview Portal

To add Azure blob storage using the Microsoft Purview portal:

1. Sign in to the Microsoft Purview portal and choose the Settings gear in the menu bar.
2. Choose Data Loss Prevention.
3. Select Endpoint DLP settings.
4. Expand Setup evidence collection for file activities on devices.
5. Change the toggle from Off to On.
6. In the Set evidence cache on device field, select the amount of time evidence should be saved locally when the device is offline. You can choose 7, 30, or 60 days.
7. Select a storage type (Customer managed store or Microsoft managed store (preview)) and then select + Add storage.
   1. For Customer-managed storage:
      1. Choose Customer managed store: and then choose + Add storage.
      2. Enter give the account a name and enter the URL for the storage blob.
      3. Choose Save.
   2. For Microsoft-managed storage:
      1. Choose Microsoft managed store (preview)

DLP Policy in the Microsoft Purview portal

To add Azure blob storage using the DLP policy creation workflow in the Microsoft Purview portal:

1. Sign in to the Microsoft Purview portal and choose Data Loss Prevention.
2. Follow the steps to create a new policy.
3. At the Locations step, make sure that only the Devices location is selected, and then choose Next.
4. At the Policy settings step, select Create or customize advanced DLP rules.
5. Select +Create rule and add Conditions, Actions, User notifications and User overrides with values of your choosing.
6. In the Incident reports section, the Send an alert to admins when a rule match occurs toggle should be On by default. (If it isn’t, turn it on.)
7. Select the checkbox next to Collect original file as evidence for all selected file activities on Endpoint.
8. Select the activities you want to collect evidence for.
9. Select Add storage next to the checkbox item.
10. On the Endpoint DLP settings page, expand Setup evidence collection for file activities on devices and make sure that the option is toggled to On.

Compliance portal

To add Azure blob storage using the compliance portal:

1. Starting in the left navigation pane of the compliance portal, navigate to Data Loss Prevention > Overview > Data loss prevention settings > Endpoint DLP Settings.
2. Expand Setup evidence collection for file activities on devices and set the toggle to On.
3. In the Set evidence cache on device field, select the amount of time evidence should be saved locally when the device is offline. You can choose 7, 30, or 60 days.
4. Select a storage type (Customer managed store or Microsoft managed store (preview)) and then select + Add storage.
   1. For Customer-managed storage:
      1. Choose Customer managed store: and then choose + Add storage.
      2. Enter give the account a name and enter the URL for the storage blob.
      3. Choose Save.
   2. For Microsoft-managed storage:
      1. Choose Microsoft managed store (preview)

DLP Policy workflow in the compliance portal

To add Azure blob storage using the DLP policy creation workflow in the compliance portal:

1. From the left navigation pane, navigate to Data Loss Prevention > Policies.
2. Choose to edit an existing policy or create a new one.
3. Work through the policy creation workflow. At the Policy settings page, select Create or customize advanced DLP rules.
4. On the Locations page, make sure that only the Devices location is selected, and then choose Next.
5. On the Define policy settings page, select Create or customize advanced DLP rules.
6. Select + Create rule.
7. Work through the rule builder as usual, selecting the following options:
   1. In the Incident reports section, select an option for Use this severity level in admin alerts and reports*.
   2. Toggle the Send an alert to admins when a rule match occurs option to On.
   3. Select the checkbox next to Collect original file as evidence for all selected file activities on Endpoint.
   4. Choose Add Storage. The Endpoint DLP settings page opens in a new window.
   5. On the Endpoint DLP settings page, expand Setup evidence collection for file activities on devices and make sure that the option is toggled to On.
   6. For Set evidence cache on device, specify the number of days files should be retained if the device is disconnected from the server.
   7. Select + Add storage.
   8. In the Add account flyout, enter a name and URL for your blob.
   9. Choose Save.
   10. Back in the rule builder, select Send alert every time an activity matches the rule.
   11. Choose Save.
   12. Finish creating or editing your rule, then choose Submit.

Set permissions on the Azure blob storage

Using Microsoft Entra authorization, you must configure two sets of permissions (role groups) on the blobs:

1. One for the administrators and investigators so they can view and manage evidence
2. One for users who need to upload items to Azure from their devices

Best practice is to enforce least privilege for all users, regardless of role. By enforcing least privilege, you ensure that user permissions are limited to only those permissions necessary for their role. To configure user permissions, create roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview.

Permissions on Azure blob for administrators and investigators

Once you create the role group for DLP incident investigators, you must configure the permissions described in the Investigator actions and Investigator data actions sections that follow.

For more information on configuring blob access, see these articles:

• How to authorize access to blob data in the Azure portal
• Assign share-level permissions.

Investigator actions

Configure these object and action permissions for the investigator role:

Object	Permissions
Microsoft.Storage/storageAccounts/blobServices	Read: List Blob Services
Microsoft.Storage/storageAccounts/blobServices	Read: Get blob service properties or statistics
Microsoft.Storage/storageAccounts/blobServices/containers	Read: Get blob container
Microsoft.Storage/storageAccounts/blobServices/containers	Read: List of blob containers
Microsoft.Storage/storageAccounts/blobServices/containers/blobs	Read: Read blob

Investigator data actions

Object	Permissions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs	Read: Read Blob

The JSON for the investigator role group should look like this:

"permissions": [
            {

                "actions": [

                    "Microsoft.Storage/storageAccounts/blobServices/read",

                    "Microsoft.Storage/storageAccounts/blobServices/containers/read",

                 "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"

                ],

                "notActions": [],

                "dataActions": [

                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

                ],

                "notDataActions": []

            }

        ]

Permissions on Azure blob for users

Assign these object and action permissions to the Azure blob for the user role:

User actions

Object	Permissions
Microsoft.Storage/storageAccounts/blobServices	Read: List Blob Services
Microsoft.Storage/storageAccounts/blobServices/containers	Read: Get blob container
Microsoft.Storage/storageAccounts/blobServices/containers	Write: Put blob container

User data actions

Object	Permissions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs	Write: Write Blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs	Other: Add blob content

The JSON for user role group should look like this:

"permissions": [
  {
     "actions": [
       "Microsoft.Storage/storageAccounts/blobServices/containers/read",
       "Microsoft.Storage/storageAccounts/blobServices/containers/write",
       "Microsoft.Storage/storageAccounts/blobServices/read"
     ],
     "notActions": [],
     "dataActions": [
         "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
         "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
     ],
     "notDataActions": []
    }
 ]

Enable and configure evidence collection on a storage account managed by Microsoft (preview)

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

To enable and configure evidence collection on a storage account managed by Microsoft from within the Microsoft Purview portal:

1. Sign in to the Microsoft Purview portal > Settings gear in the menu bar.
2. Choose Data Loss Prevention.
3. Select Endpoint DLP settings.
4. Expand Setup evidence collection for file activities on devices and set the toggle to On.
5. Under Select storage type, choose Microsoft managed storage.

Compliance portal

To enable and configure evidence collection on a storage account managed by Microsoft from within the compliance portal:

1. Open Microsoft Purview compliance portal > Data loss prevention > Data loss prevention settings > Endpoint DLP Settings.
2. Expand Setup evidence collection for file activities on devices and set the toggle to On.
3. In the Set evidence cache on device field, select the amount of time evidence should be saved locally when the device is offline. You can choose 7, 30, or 60 days.
4. Under Select storage type, choose Microsoft managed storage (preview).

Configure your DLP Policy

Create a DLP policy as you normally would. For policy configuration examples, see Create and Deploy data loss prevention policies.

Configure your policy using these settings:

• Make sure that Devices is the only location selected.
• In Incident reports, toggle Send an alert to admins when a rule match occurs to On.
• In Incident reports, select Collect original file as evidence for all selected file activities on Endpoint.
• Select the storage account you want.
• Select the activities for which you want to copy matched items to Azure storage, such as:
  • Copy to a removable USB device
  • Copy to a network share
  • Print
  • Copy or move using an unallowed Bluetooth app
  • Copy or move using RDP

Preview the evidence

There are different ways to preview your evidence, depending on which type of storage you select.

Storage Type	Preview options
Customer-managed	- Use activity explorer - Use the compliance portal
Microsoft Managed (preview)	- Use activity explorer

Preview evidence via Activity explorer

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

1. Sign in to the Microsoft Purview portal > Data loss prevention > Activity explorer.
2. Using the Date dropdown, select the Start and End dates for the period you’re interested in.
3. In the list of results, double-click the line item of the activity you want to investigate.
4. In the flyout pane, the link to the Azure blob where the evidence is stored appears under Evidence file.
5. Select the Azure blob storage link to display the file that was matched.

Compliance portal

1. Open Microsoft Purview compliance portal > Data loss prevention > Activity explorer.
2. Using the Date dropdown, select the Start and End dates for the period you’re interested in.
3. In the list of results, select the activity you want to investigate.
4. In the flyout pane, the link to the Azure blob where the evidence is stored appears under Evidence file.
5. Select the Azure blob storage link to display the file that was matched.

Preview evidence via the compliance portal Alerts page

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

1. Sign in to the Microsoft Purview portal > Data loss prevention > Alerts.
2. Using the Date dropdown, select the Start and End dates for the period you’re interested in.
3. In the list of results, double-click the line item of the activity you want to investigate.
4. In the flyout pane, select View details.
5. Select the Events tab.
6. In the Detail pane, select the Source tab. The file that was matched displays.

Compliance portal

1. Open the Microsoft Purview compliance portal and navigate to Data Loss Prevention > Alerts.
2. Using the Date dropdown, select the Start and End dates for the period you’re interested in.
3. In the list of results, select the activity you want to investigate.
4. In the flyout pane, select View details.
5. Select the Events tab.
6. In the Detail pane, select the Source tab. The file that was matched displays.

Note

If the file that was matched already exists in the Azure storage blob, it won't be uploaded again until changes are made to the file and a user takes an action on it.

Known Behaviors

• Files stored in the device cache don't persist if the system crashes or restarts.
• The maximum size for files that can be uploaded from a device is 500 MB.
• If Just-in-Time Protection is triggered on a scanned file, OR if the file is stored on a network share, the evidence file is not collected.
• If multiple policy rules are detected in a single file, the evidence file is only stored if the most restrictive policy rule is configured to collect evidence.