Learn about Adaptive Protection in Data Loss Prevention
Adaptive Protection in Microsoft Purview integrates Microsoft Purview Insider Risk Management with Microsoft Purview Data Loss Prevention (DLP). When insider risk identifies a user who is engaging in risky behavior, that user is dynamically assigned to an insider risk level. Adaptive Protection can then automatically create a DLP policy to help protect the organization against the risky behavior that's associated with that insider risk level. As users' insider risk levels change in insider risk management, the DLP policies applied to those users can adjust.
You can also manually create DLP policies that help protect against the risky behaviors that insider risk identifies.
Once Adaptive Protection is configured in insider risk, a condition called "User's risk level for Adaptive Protection is" will be available to use in rules that are configured for policies scoped to Exchange Online, Devices, and Teams locations.
The condition "Insider risk level for Adaptive Protection is" has three values:
Elevated risk level
Moderate risk level
Minor risk level
These insider risk level profiles are defined in insider risk. You can select one, two or all three in a policy rule. Learn more about insider risk levels.
You can manually configure DLP policies that are part of Adaptive Protection and also use the quick setup configuration in insider risk to create DLP policies automatically from a template.
Manual configuration
You manually configure an Adaptive Protection DLP policy just like you would configure any other policy. Select the "Insider risk level for Adaptive Protection is" condition and the insider risk level profiles that you want, configure all the other policy options, and deploy the policy according to your normal procedures.
Quick setup configuration
If quick setup is used to configure Adaptive Protection in insider risk, DLP policies are created automatically, so you should be on the lookout for them. Quick setup will create one policy for Teams and Exchange Online with two rules, one for the elevated risk profile and one for the moderate and minor insider risk levels. It will also create one policy for Devices with two rules, one for the elevated risk profile and one for the moderate and minor insider risk levels.
Insider risk presents a view of just the DLP policies that use the Insider risk level for Adaptive Protection is condition. Open Microsoft Purview compliance portal > Insider risk management > Adaptive protection to see the list. You'll need DLP to be in one of these roles to access the insider risk node:
Compliance administrator
Compliance Data administrator
Organization management (Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365)
Global administrator
DLP compliance management
View-only DLP compliance management
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should only be used in scenarios where a lesser privileged role can't be used.
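To check from Security & Compliance PowerShell whether quick setup has created its policies, the following added example (not part of Microsoft's page) looks up the two policy names this page gives and lists their mode and rules. It assumes the ExchangeOnlineManagement module is installed and that the output properties selected below are present in your tenant's cmdlet version.

```powershell
# Added example: inventory the DLP policies created by Adaptive Protection quick setup.
# Assumes the ExchangeOnlineManagement module and a role that can read DLP policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session

# Policy names as stated on this page for quick setup.
$quickSetupPolicies = @(
    'Adaptive Protection policy for Teams and Exchange DLP',
    'Adaptive Protection policy for Endpoint DLP'
)

foreach ($name in $quickSetupPolicies) {
    $policy = Get-DlpCompliancePolicy -Identity $name -ErrorAction SilentlyContinue
    if (-not $policy) {
        Write-Output "Not found (quick setup not run, or policy renamed): $name"
        continue
    }

    # Mode shows whether the policy is enforcing or still running in simulation.
    $policy | Format-List Name, Mode, Enabled, WhenCreated, CreatedBy

    # The page describes two rules per policy: one for the elevated level,
    # one for the moderate and minor levels.
    $rules = @(Get-DlpComplianceRule -Policy $policy.Name)
    if ($rules.Count -ne 2) {
        Write-Warning "$name has $($rules.Count) rule(s); quick setup is described as creating 2."
    }

    # Selected columns are assumed property names on the rule objects.
    $rules | Sort-Object Priority |
        Format-Table Name, Disabled, Priority, BlockAccess, BlockAccessScope,
                     NotifyUser, ReportSeverityLevel -AutoSize
}
```

A policy found here but unknown to the DLP team is the case the quick setup paragraph warns about; review its mode before it moves from simulation to enforcement.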
Policy values for Teams and Exchange Online DLP policy
This is the configuration for the Teams and Exchange DLP policy created during Quick Setup. The policy name is Adaptive Protection policy for Teams and Exchange DLP.
Rule: Adaptive Protection block rule for Teams and Exchange DLP
DLP policy element
Configured value
Insider risk level for Adaptive Protection is - Elevated Risk Level AND - Content is Shared from Microsoft 365 With people outside my organization
Restrict access or encrypt the content in Microsoft 365 locations - Block only people outside your organization
User Notification
On - Notify user with a policy tip – Notify the user who sent, shared, or last modified the content
User Override
Incident reports
On - Severity Level – Low - Send alert every time an activity matches the rule
Additional Options
Run the policy in simulation mode - Policy Tips not selected
Rule: Adaptive Protection audit rule for Teams and Exchange DLP
DLP policy element
Configured value
Insider risk level for Adaptive Protection is - Moderate Risk Level, Minor Risk Level AND - Content is Shared from Microsoft 365 With people outside my organization
User Notification
On - Notify user with a policy tip - Notify the user who sent, shared, or last modified the content
User Override
Incident reports
On - Severity Level – Low - Send alert every time an activity matches the rule
Additional Options
Run the policy in simulation mode - Policy tips not selected
Policy values for Devices DLP policy
This is the configuration for the Devices DLP policy created during Quick Setup. The policy name is Adaptive Protection policy for Endpoint DLP.
For Adaptive Protection to work on Devices, you must either enable Advanced classification scanning and protection or, if you are manually creating the Adaptive Protection policy, select the "File Type is" condition.
If a user is targeted by a default Adaptive Protection Device DLP policy and is targeted by an independent Device DLP policy, only the actions of the most restrictive policy will be applied.
Rule: Adaptive Protection block rule for Endpoint DLP
DLP policy element
Configured value
Insider risk level for Adaptive Protection is - Elevated Risk Level AND - File Type is - Word processing - Spreadsheet - Presentation - Archive - Mail
Audit or Restrict activities on Devices - Upload to a restricted cloud service domain or access from unallowed browsers - Block
File activities for all apps - Apply restrictions to specific activity - Copy to clipboard – Block - Copy to removable USB device – Block - Copy to network share – Block - Print – Block
Restricted App activities - Access by restricted apps - Block
User Notification
User Override
Incident reports
On - Severity Level – Low - Send alert every time an activity matches the rule
Additional Options
Run the policy in simulation mode - Policy Tips option not selected
Rule: Adaptive Protection rule for Endpoint DLP
DLP policy element
Configured value
Insider risk level for Adaptive Protection is - Moderate Risk Level, Minor Risk Level AND - File Type is - Word processing - Spreadsheet - Presentation - Archive - Mail
Audit or Restrict activities on Devices - Upload to a restricted cloud service domain or access from unallowed browsers – Audit
File activities for all apps - Apply restrictions to specific activity - Copy to clipboard – Audit - Copy to removable USB device – Audit - Copy to network share – Audit - Print – Audit
Restricted App activities - Access by restricted apps - Audit
User Notification
User Override
Incident reports
On - Severity Level – Low - Send alert every time an activity matches the rule
Additional Options
Run the policy in simulation mode - Policy tips option not selected
Adaptive Protection in Microsoft Purview uses machine learning to dynamically apply the most effective data loss prevention (DLP) controls for identified critical risks, enhancing data security and saving time for security teams.