Implement the Microsoft Purview Extension


The Microsoft Purview Extension is able to provide existing Endpoint DLP capabilities to non-native applications, such as the Google Chrome browser.

With the Microsoft Purview Extension installed, organizations can monitor when a user attempts to access or upload a sensitive item to a cloud service using Google Chrome. Actions taken on sensitive items inside the Chrome browser on user devices are audited or blocked according to the DLP policies you configure, and the resulting events are made visible in the Microsoft Purview DLP activity explorer.

With the Microsoft Purview Extension, companies are able to do the following:

  • Allow users to use Chrome as an approved browser by supporting DLP for working with sensitive data.
  • Create custom and fine-grained DLP policies for Chrome to ensure sensitive data is properly handled and protected from disclosure, including:
    • Audit mode: Records policy violation events without impacting end-user activity.
    • Block with Override mode: Records and blocks the activity but allows the user to override when they have a legitimate business need.
    • Block mode: Records and blocks the activity without giving the user the ability to override.
  • Use DLP events from Microsoft Purview Extension for Chrome to support Insider Risk Management assessments and investigations.
  • Deliver new insights related to the obfuscation, exfiltration, or infiltration of sensitive information by insiders.

The Microsoft Purview Extension for Chrome can automatically alert users when they take a risky action with sensitive data. Users are provided with actionable policy tips and guidance to remediate properly to ensure the safety of sensitive company data.

The following table shows different monitoring activities on user devices using the Chrome browser:

| Activity | Description | Supported policy actions |
|---|---|---|
| file copied to cloud | Detects when a user attempts to upload a sensitive item to a restricted service domain through the Chrome browser. | audit, block with override, block |
| file printed | Detects when a user attempts to print a sensitive item that is open in the Chrome browser to a local or network printer. | audit, block with override, block |
| file copied to clipboard | Detects when a user attempts to copy information from a sensitive item that is being viewed in the Chrome browser and then paste it into another app, process, or item. | audit, block with override, block |
| file copied to removable storage | Detects when a user attempts to copy a sensitive item, or information from a sensitive item, that is open in the Chrome browser to removable media or a USB device. | audit, block with override, block |
| file copied to network share | Detects when a user attempts to copy a sensitive item, or information from a sensitive item, that is open in the Chrome browser to a network share or mapped network drive. | audit, block with override, block |

Implementing Microsoft Purview Extension

Microsoft Purview Extension is an installable extension from the Google Chrome web store for the Chrome browser. To implement the solution, an organization must be configured for using Endpoint DLP and user devices must be onboarded to Windows Defender for Endpoint.

Three basic options exist for installing the Microsoft Purview Extension for Google in an organization:

  • Basic Setup Single Machine Selfhost: User self-service installation via the Chrome web store.
  • Deploy using Microsoft Endpoint Manager: Organization-wide deployments by using Chrome ADMX in Microsoft Endpoint Manager.
  • Deploy using Group Policy: Organization-wide deployments by using Chrome ADMX with traditional Group Policies.

Basic Setup Single Machine Selfhost

The fastest way to deploy the Microsoft Purview Extension for Google to user devices is to let them install the extension directly from the Google web store by following these steps:

  1. Open the Chrome browser and navigate to Microsoft Purview Extension - Chrome Web Store (google.com)
  2. Select the Add to Chrome button.
  3. In the message window, select Add extension.
  4. Select the x in the upper left-side of the success message to close the message.

The extension can be used to enable working with sensitive content in the Chrome browser.

Deploy using Microsoft Endpoint Manager

For centralized deployments to Endpoint Manager enrolled devices, a configuration profile with the Chrome ADMX enabled and an OMA-URI definition is used. First, the Chrome ADMX must be added to the custom templates in a tenant. Then a second definition in the same configuration profile needs to be created for the Chrome browser extension installation.

Before adding the extension to the list of force-installed extensions, it's important to ingest the Chrome ADMX. Steps for this process in Microsoft Endpoint Manager are documented by Google: Manage Chrome Browser with Microsoft Intune - Google Chrome Enterprise Help.

The next steps can be followed to create a configuration profile for this extension after ingesting the ADMX.

  1. Sign in to the Microsoft Endpoint Manager Admin Center (https://endpoint.microsoft.com).
  2. Navigate to Configuration Profiles.
  3. Select Create Profile.
  4. Select Windows 10 and later as the platform.
  5. Select Templates as the profile type.
  6. Select Custom as the template name.
  7. Select Create.
  8. Enter a name and optional description on the Basics tab and select Next.
  9. Select Add on the Configuration settings tab.
  10. Enter the following policy information.
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
    • Data type: String
    • Value: <enabled/><data id='ExtensionInstallForcelistDesc' value='1&#xF000;echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx'/>
  11. Select Save and then select Next.
  12. Add or edit scope tags on the Scope tags tab as needed and select Next.
  13. Add the required deployment users, devices, and groups on the Assignments tab and select Next.
  14. Add applicability rules on the Applicability Rules tab as required and select Next.
  15. Select Create.

Note

Installing the Microsoft Purview Extension via Microsoft Endpoint Manager using 'ExtensionInstallForcelistDesc' prevents users from disabling the extension from the browser settings on their device.

Deploy using Group Policy

If you don't want to use Microsoft Endpoint Manager, you can use group policies to deploy the extension across your organization. Follow these steps to deploy the extension via a GPO and the Chrome ADMX:

  1. In the Group Policy Management Editor, navigate to your OU.
  2. Expand the following path Computer/User configuration > Policies > Administrative templates > Classic administrative templates > Google > Google Chrome > Extensions. This path may vary depending on your configuration.
  3. Select Configure the list of force-installed extensions.
  4. Right click and select Edit.
  5. Select Enabled.
  6. Select Show.
  7. Under Value, add the following entry: echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx

The Microsoft Purview Extension for Google will be deployed automatically to devices affected by the GPO.

Testing Microsoft Purview Extension

After deploying the Microsoft Purview Extension, you can verify the correct functionality on a user device already affected by Endpoint DLP policies by using the Chrome browser to upload sensitive data to a service domain on the configured Block list in the Microsoft Purview compliance portal. You'll see the Chrome browser act similarly to the Microsoft Edge browser, and you'll be able to see new events in the Activity explorer in the Microsoft Purview compliance portal.

To view the events logged when users work with sensitive data in the Chrome browser on their devices, follow these steps:

  1. Sign in to the Microsoft Purview compliance portal at https://compliance.microsoft.com/
  2. Select Data loss prevention from the left-side pane.
  3. Select Activity explorer from the top pane.
  4. Select Filters from above the Date pane.
  5. Activate the checkbox of Application from the right-side Filter pane and select Done.
  6. Select the Application: Any and activate the checkbox of chrome.exe.
  7. Review the Activity list to see the events related to the Chrome browser.

Note

Incognito mode is not supported and must be disabled.
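Before walking through the Activity explorer steps above, it is worth confirming on a test device that the force-install policy from the Endpoint Manager or Group Policy deployment actually reached Chrome and that Incognito mode has been disabled as the note requires. The following PowerShell script is an added example, not part of the Microsoft page or the extension itself. It assumes the standard registry locations Chrome reads for machine and user policy (HKLM and HKCU under SOFTWARE\Policies\Google\Chrome), that IncognitoModeAvailability with a value of 1 is Chrome's "Incognito disabled" policy setting (a Chrome policy, not named on the page), and that an installed extension is materialised under the user's Chrome profile Extensions folder.

```powershell
# Added verification script (not from the Microsoft page): checks on a Windows device
# that the Chrome policies pushed by Endpoint Manager or Group Policy actually landed.
# Assumptions: the policy roots below are the standard Chrome policy registry locations;
# IncognitoModeAvailability = 1 is Chrome's "Incognito mode disabled" setting.

$ExtensionId = 'echcggldkblhodogklpincgchnpgcdco'          # ID from the page
$UpdateUrl   = 'https://clients2.google.com/service/update2/crx'
$PolicyRoots = @('HKLM:\SOFTWARE\Policies\Google\Chrome',
                 'HKCU:\SOFTWARE\Policies\Google\Chrome')

function Test-PurviewForceInstall {
    # Returns $true when any policy root lists the extension with the expected update URL.
    foreach ($root in $PolicyRoots) {
        $listKey = Join-Path $root 'ExtensionInstallForcelist'
        if (-not (Test-Path $listKey)) { continue }
        # Forcelist entries are numbered string values: "1" = "<id>;<update url>"
        $entries = (Get-ItemProperty -Path $listKey).PSObject.Properties |
                   Where-Object { $_.Name -match '^\d+$' } |
                   ForEach-Object { $_.Value }
        foreach ($entry in $entries) {
            $id, $url = $entry -split ';', 2
            if ($id -eq $ExtensionId -and $url -eq $UpdateUrl) {
                Write-Host "Force-install entry found under $root"
                return $true
            }
            if ($id -eq $ExtensionId) {
                Write-Warning "Extension ID present under $root but update URL is '$url'"
            }
        }
    }
    return $false
}

function Test-IncognitoDisabled {
    # Returns $true when IncognitoModeAvailability is 1 (disabled) at any policy root.
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path $root)) { continue }
        $value = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).IncognitoModeAvailability
        if ($value -eq 1) { return $true }
    }
    return $false
}

function Test-ExtensionOnDisk {
    # Returns $true if Chrome has unpacked the extension into the current user's profile.
    $extDir = Join-Path $env:LOCALAPPDATA "Google\Chrome\User Data\Default\Extensions\$ExtensionId"
    return (Test-Path $extDir)
}

$results = [ordered]@{
    'Force-install policy present'       = Test-PurviewForceInstall
    'Incognito mode disabled by policy'  = Test-IncognitoDisabled
    'Extension files present in profile' = Test-ExtensionOnDisk
}
$results.GetEnumerator() | ForEach-Object {
    $status = if ($_.Value) { 'PASS' } else { 'FAIL' }
    Write-Output ("{0,-36} {1}" -f $_.Key, $status)
}
# Non-zero exit lets the script double as a compliance check in a remediation job
if ($results.Values -contains $false) { exit 1 }
```

Run it in the context of the signed-in user on a device that has received the policy. A FAIL on the first check means the ADMX-backed setting never reached the registry (policy not applied, wrong OU, or the Endpoint Manager profile not assigned), a FAIL on the second means the Incognito note above is not yet enforced, and a FAIL on the third with the first passing usually means Chrome has not restarted or synced its policy yet; chrome://policy on the device shows the same values Chrome is actually using.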