

Block Users From Sharing Sensitive Information to Unmanaged AI Apps Via Edge on Managed Devices (preview)

Microsoft Purview Data Loss Prevention (DLP) capabilities directly integrate into the Microsoft Edge for Business browser, allowing you to protect against users sharing sensitive information to unmanaged AI apps from your managed devices, without having to onboard them into Microsoft Purview.

On Intune-managed devices, Edge communicates directly with Microsoft Purview and Microsoft Edge services to receive policy updates and uses Edge configuration policies to block the use of the protected apps in noncompliant browsers. When a user attempts to access the unmanaged app using a noncompliant browser, the user is blocked and must use Microsoft Edge.

In preview, browser DLP can monitor and take protective actions on sensitive data that users attempt to share from managed devices to unmanaged cloud apps.

Managed device

Browser DLP (preview) is supported on managed devices running Windows 10/11. A managed device is one that is managed by Intune. Users on managed devices sign in to the device with their work or school account credentials.

Unmanaged cloud apps

Unmanaged cloud apps are cloud apps that users access and use without signing in to the app with their Microsoft work or school account credentials. An example of this is Gemini, where the user can navigate to the URL for the app and start interacting without first signing in to their Microsoft work or school account. In preview, browser DLP supports these unmanaged cloud apps:

  • OpenAI ChatGPT
  • Google Gemini
  • DeepSeek
  • Microsoft Copilot

Important

Browser DLP features only apply to the non-Enterprise (consumer) version of M365 Copilot. Learn more about M365 Copilot Enterprise and Enterprise data protections here.

Supported browsers

The two latest stable versions of Edge, starting with version 138. For more information on the supported versions of Edge, see Microsoft Edge Releases.
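
A fleet readiness check for the prerequisites stated above (Windows 10/11, Intune-managed, supported Edge version), given as an added example that is not part of the original documentation. The inventory columns, the sample rows, the function name `Test-BrowserDlpReadiness` and the `LatestStableMajor` parameter are assumptions; the example reads "two latest stable versions" as the current stable major version and the one before it.

```powershell
# Added example: checks device inventory rows against this page's prerequisites.
# Column names and sample rows are constructed; adapt them to your own export.
$MinimumEdgeMajor = 138   # "starting with version 138" (from this page)

function Test-BrowserDlpReadiness {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Device,
        # Assumption: you look up the current stable major on Microsoft Edge Releases.
        [Parameter(Mandatory)] [int] $LatestStableMajor
    )
    process {
        $reasons = @()
        if ($Device.OS -notmatch '^Windows (10|11)\b') { $reasons += 'OS is not Windows 10/11' }
        if ($Device.ManagedBy -ne 'Intune')             { $reasons += 'Not Intune-managed' }

        $edge = $null
        if (-not [version]::TryParse($Device.EdgeVersion, [ref] $edge)) {
            $reasons += 'Edge version missing or unparseable'
        } else {
            # Supported floor: the older of the two latest stable majors, never below 138.
            $floor = [Math]::Max($MinimumEdgeMajor, $LatestStableMajor - 1)
            if ($edge.Major -lt $floor) {
                $reasons += "Edge $($edge.Major) is below supported floor $floor"
            }
        }

        [pscustomobject]@{
            DeviceName = $Device.DeviceName
            Ready      = ($reasons.Count -eq 0)
            Reasons    = $reasons -join '; '
        }
    }
}

# Constructed sample inventory (not real devices or real Edge build numbers).
$inventory = @'
DeviceName,OS,ManagedBy,EdgeVersion
LAB-PC-01,Windows 11 Enterprise,Intune,139.0.0.0
LAB-PC-02,Windows 10 Pro,Intune,137.0.0.0
LAB-PC-03,Windows 11 Enterprise,ConfigMgr,139.0.0.0
LAB-PC-04,macOS 14,Intune,
'@ | ConvertFrom-Csv

# With 139 as the current stable major, only LAB-PC-01 passes every check.
$inventory | Test-BrowserDlpReadiness -LatestStableMajor 139 | Format-Table -AutoSize
```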


Activities you can monitor and take action on

This feature enables you to audit and manage the following types of activities users take on sensitive items on devices running Microsoft Edge in Windows 10/11.

| Activity | Description | Supported policy actions |
| --- | --- | --- |
| Upload text to an unmanaged app from a managed device | Detects when a user attempts to upload text to an unmanaged app using a supported browser. If the user attempts to upload text via an unsupported browser, the attempt is blocked and they're redirected to use Microsoft Edge. | Allow, block; both actions are audited |

Licensing requirements

  • Microsoft 365 E5/A5/G5, Microsoft 365 Business Premium
  • Office 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance

Permissions for Purview DLP

The account you use to create and deploy policies must be a member of one of these role groups:

  • Compliance administrator
  • Compliance data administrator
  • Information Protection
  • Information Protection Admin
  • Security administrator

Implementation

For full implementation details, see Scenario 7 Block users from sharing sensitive information to unmanaged AI apps via Edge on managed devices (preview).

Viewing data from browser DLP policies

Data from DLP policies, including activities and audit captures, is visible in activity explorer, the audit log, and the Defender XDR investigation experiences.
