

Get started with collecting files that match data loss prevention policies from devices

This article walks you through the prerequisites and configuration steps for evidence collection for file activities on devices and introduces how to view the items that are copied and saved.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Here are the high-level steps for configuring and using evidence collection for file activities on devices.

  1. Onboard devices
  2. Understand your requirements
  3. Create your managed Azure storage account
  4. Add an Azure storage blob to your account
  5. Enable and configure evidence collection on a storage account managed by Microsoft (preview)
  6. Configure your DLP policy
  7. Preview the evidence

Before you begin

Before you start these procedures, you should review Learn about evidence collection for file activities on devices.

Licensing and Subscriptions

Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.

For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.

See the prerequisites licensing requirements for Microsoft Entra ID P1 or P2 needed to create custom role-based access control (RBAC).

Permissions

Standard Microsoft Purview Data Loss Prevention (DLP) permissions are required. For more information, see Permissions.

Onboard devices

Before you can use copy matched items (evidence collection), you must onboard Windows 10/11 devices into Purview. See Onboard Windows devices into Microsoft 365 overview.

Understand your requirements

Important

Each container inherits the permissions of the storage account that it is in. You can't set different permissions per container. If you need to configure different permissions for different regions, you must create multiple storage accounts, not multiple containers.

You should have answers to the following questions before setting up your Azure storage and scoping the feature to users.

Do you need to compartmentalize items and access along role or departmental lines?

For example, if your organization wants to have one set of administrators or DLP event investigators who can view saved files from your senior leadership and another set of administrators or DLP event investigators for saved items from human resources, you should create one Azure storage account for your organization's senior leadership and another for the Human Resources department. This ensures that the Azure storage admins or DLP event investigators can only see the items that matched DLP policies from their respective groups.

Do you want to use containers to organize saved items?

You can create multiple evidence containers within the same storage account for sorting saved files. For example, one for files saved from the HR department and another for those from the IT department.

What is your strategy for protecting against saved item deletion or modification?

In Azure Storage, data protection refers to both the strategies for protecting the storage account and data within it from being deleted or modified and to restoring data after it's deleted or modified. Azure storage also offers options for disaster recovery, including multiple levels of redundancy, to protect your data from service outages due to hardware problems or natural disasters. It can also protect your data using customer-managed failover if the data center in the primary region becomes unavailable. For more information, see Data protection overview.

You can also configure immutability policies for your blob data that protect against the saved items being overwritten or deleted. For more information, see Store business-critical blob data with immutable storage.

Supported file types for storing and previewing evidence

| Can be stored | Can be previewed |
|---|---|
| All file types monitored by Endpoint DLP | All file types supported for previewing files in OneDrive, SharePoint, and Teams |

Save matched items to your preferred storage

To save the evidence that Microsoft Purview detects when your data loss prevention policies are applied, you need to set up storage. There are two ways to do this:

  1. Create customer-managed storage
  2. Create Microsoft-managed storage (preview)

For more information and a comparison of these two types of storage, see [Storing evidence when sensitive information is detected (preview)](dlp-copy-matched-items-learn.md#storing-evidence-when-sensitive-information-is-detected-on-policy-match-preview).

Create customer-managed storage

The procedures for setting up your Azure storage account, container, and blobs are documented in the Azure document set. Here are links to relevant articles you can refer to help you get started:

  1. Introduction to Azure Blob Storage
  2. Create a storage account
  3. Default to and authorize access to blobs using Microsoft Entra ID
  4. Manage blob containers using the Azure portal
  5. Manage block blobs with PowerShell

Note

Make sure to select Enable public access from all networks while creating the storage account. Restricting access to selected virtual networks and IP addresses, or using private access, isn't supported. (This setting controls network reachability of the account; it doesn't grant anonymous read access to blobs, which remains governed by the account's blob public access setting and the role assignments described later in this article.)

Be sure to save the name and URL of the Azure blob container. To view the URL, open the Azure storage portal > Home > Storage Accounts > Container > Properties.

The format for the Azure blob container URL is: https://storageAccountName.blob.core.windows.net/containerName.

Add an Azure storage blob to your account

There are several ways you can add an Azure storage blob to your account. Choose one of the methods below.

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

To add Azure blob storage using the Microsoft Purview portal:

  1. Sign in to the Microsoft Purview portal and choose the Settings gear in the menu bar.
  2. Choose Data Loss Prevention.
  3. Select Endpoint DLP settings.
  4. Expand Setup evidence collection for file activities on devices.
  5. Change the toggle from Off to On.
  6. In the Set evidence cache on device field, select the amount of time evidence should be saved locally when the device is offline. You can choose 7, 30, or 60 days.
  7. Select a storage type (Customer managed store or Microsoft managed store (preview)) and then select + Add storage.
    1. For customer-managed storage:
      1. Choose Customer managed store and then choose + Add storage.
      2. Give the account a name and enter the URL for the storage blob.
      3. Choose Save.
    2. For Microsoft-managed storage:
      1. Choose Microsoft managed store (preview).

Set permissions on the Azure blob storage

Using Microsoft Entra authorization, you must configure two sets of permissions (role groups) on the blobs:

  1. One for the administrators and investigators so they can view and manage evidence
  2. One for users who need to upload items to Azure from their devices

Best practice is to enforce least privilege for all users, regardless of role. By enforcing least privilege, you ensure that user permissions are limited to only those permissions necessary for their role. To configure user permissions, create roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview.

Permissions on Azure blob for administrators and investigators

Once you create the role group for DLP incident investigators, you must configure the permissions described in the Investigator actions and Investigator data actions sections that follow.

For more information on configuring blob access, see these articles:

Investigator actions

Configure these object and action permissions for the investigator role:

| Object | Permissions |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices | Read: List Blob Services |
| Microsoft.Storage/storageAccounts/blobServices | Read: Get blob service properties or statistics |
| Microsoft.Storage/storageAccounts/blobServices/containers | Read: Get blob container |
| Microsoft.Storage/storageAccounts/blobServices/containers | Read: List of blob containers |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs | Read: Read blob |
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Other: Generate a user delegation key |

Investigator data actions

| Object | Permissions |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs | Read: Read Blob |

Your JSON for the investigator role group should look like this:

```json
"permissions": [
  {
    "actions": [
      "Microsoft.Storage/storageAccounts/blobServices/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
      "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
    ],
    "notActions": [],
    "dataActions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    ],
    "notDataActions": []
  }
]
```

Permissions on Azure blob for users

Assign these object and action permissions to the Azure blob for the user role:

User actions

| Object | Permissions |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices | Read: List Blob Services |
| Microsoft.Storage/storageAccounts/blobServices/containers | Read: Get blob container |
| Microsoft.Storage/storageAccounts/blobServices/containers | Write: Put blob container |

User data actions

| Object | Permissions |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs | Write: Write Blob |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs | Other: Add blob content |

The JSON for the user role group should look like this:

```json
"permissions": [
  {
    "actions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/write",
      "Microsoft.Storage/storageAccounts/blobServices/read"
    ],
    "notActions": [],
    "dataActions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    ],
    "notDataActions": []
  }
]
```
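The following script is an added example and is not code from the Microsoft article. It ties together the customer-managed storage steps above: it derives the account name from a container URL of the documented form, turns the two permission tables into complete Azure custom role definitions (the `Name`, `IsCustom` and `AssignableScopes` fields are additions the article's snippets omit; the action lists are copied verbatim), checks that the roles stay write-only for devices and read-only for investigators, and shows the Azure CLI calls that create and assign them and that apply the soft-delete, versioning and immutability protections discussed under "Understand your requirements". The subscription ID, resource group, storage account, container and group object IDs are placeholders; the `az` calls are kept in functions that are not invoked by default, so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the Microsoft article). Placeholder names throughout.
set -eu

# Split a container URL of the article's form
# https://<account>.blob.core.windows.net/<container> into "<account> <container>".
parse_container_url() {
  url="$1"
  case "$url" in
    https://*.blob.core.windows.net/*) ;;
    *) echo "unexpected container URL: $url" >&2; return 1 ;;
  esac
  rest="${url#https://}"
  account="${rest%%.blob.core.windows.net/*}"
  container="${rest#*.blob.core.windows.net/}"
  container="${container%%/*}"
  [ -n "$account" ] && [ -n "$container" ] || return 1
  echo "$account $container"
}

# ARM ID of the storage account. Assignments made here are inherited by every
# container, which is why separate access needs separate accounts, not containers.
account_scope() {
  echo "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Storage/storageAccounts/$3"
}

# Write the two custom roles as complete role-definition documents.
write_role_definitions() {
  dir="$1"; scope="$2"
  cat > "$dir/investigator.json" <<EOF
{
  "Name": "DLP Evidence Investigator",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Storage/storageAccounts/blobServices/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
  ],
  "NotActions": [],
  "DataActions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read" ],
  "NotDataActions": [],
  "AssignableScopes": [ "$scope" ]
}
EOF
  cat > "$dir/uploader.json" <<EOF
{
  "Name": "DLP Evidence Uploader",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Storage/storageAccounts/blobServices/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
  ],
  "NotDataActions": [],
  "AssignableScopes": [ "$scope" ]
}
EOF
}

# Least-privilege guard: investigators cannot alter or delete evidence, devices
# cannot read it back or delete it, and neither role carries a wildcard.
check_least_privilege() {
  dir="$1"
  ! grep -Eq 'blobs/(write|delete|add/action)' "$dir/investigator.json" || return 1
  ! grep -Eq 'blobs/(read|delete)' "$dir/uploader.json" || return 1
  ! grep -q '"\*"' "$dir/investigator.json" "$dir/uploader.json" || return 1
  echo ok
}

# Soft delete + versioning (recover overwritten/deleted evidence) and a
# time-based immutability policy on the container. Needs a signed-in az session.
protect_evidence_container() {
  rg="$1"; account="$2"; container="$3"; days="$4"
  az storage account blob-service-properties update -g "$rg" --account-name "$account" \
    --enable-delete-retention true --delete-retention-days "$days" --enable-versioning true
  az storage container immutability-policy create -g "$rg" --account-name "$account" \
    --container-name "$container" --period "$days"
}

# Create the roles and assign them to Entra groups at the storage-account scope.
create_and_assign_roles() {
  dir="$1"; scope="$2"; investigators="$3"; devices="$4"
  az role definition create --role-definition "@$dir/investigator.json"
  az role definition create --role-definition "@$dir/uploader.json"
  az role assignment create --role "DLP Evidence Investigator" --scope "$scope" \
    --assignee-object-id "$investigators" --assignee-principal-type Group
  az role assignment create --role "DLP Evidence Uploader" --scope "$scope" \
    --assignee-object-id "$devices" --assignee-principal-type Group
}

main() {
  sub="00000000-0000-0000-0000-000000000000"                       # placeholder
  rg="rg-dlp-evidence"                                             # placeholder
  url="https://contosoevidence.blob.core.windows.net/hr-evidence"  # constructed
  account="$(parse_container_url "$url" | cut -d' ' -f1)"
  container="$(parse_container_url "$url" | cut -d' ' -f2)"
  scope="$(account_scope "$sub" "$rg" "$account")"
  dir="$(mktemp -d)"
  write_role_definitions "$dir" "$scope"
  check_least_privilege "$dir"
  echo "role definitions for container $container written to $dir (scope $scope)"
  # Uncomment to apply against a real subscription:
  # protect_evidence_container "$rg" "$account" "$container" 90
  # create_and_assign_roles "$dir" "$scope" "<investigators-group-object-id>" "<devices-group-object-id>"
}
main "$@"
```

The immutability policy is created unlocked, so it can still be adjusted while you validate retention; lock it (`az storage container immutability-policy lock`) only once the period is final, because a locked time-based policy cannot be shortened or removed. Keep the two groups disjoint: a principal holding both roles could overwrite evidence it can read, which defeats the separation the two tables are designed to give you.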

Enable and configure evidence collection on a storage account managed by Microsoft (preview)

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

To enable and configure evidence collection on a storage account managed by Microsoft from within the Microsoft Purview portal:

  1. Sign in to the Microsoft Purview portal > Settings gear in the menu bar.
  2. Choose Data Loss Prevention.
  3. Select Endpoint DLP settings.
  4. Expand Setup evidence collection for file activities on devices and set the toggle to On.
  5. Under Select storage type, choose Microsoft managed storage.

Configure your DLP Policy

Create a DLP policy as you normally would. For policy configuration examples, see Create and Deploy data loss prevention policies.

Configure your policy using these settings:

  • Make sure that Devices is the only location selected.
  • In Incident reports, toggle Send an alert to admins when a rule match occurs to On.
  • In Incident reports, select Collect original file as evidence for all selected file activities on Endpoint.
  • Select the storage account you want.
  • Select the activities for which you want to copy matched items to Azure storage, such as:
    • Paste to supported browsers
    • Upload to cloud service domains or access unallowed browsers
    • Copy to a removable USB device
    • Copy to a network share
    • Print
    • Copy or move using an unallowed Bluetooth app
    • Copy or move using RDP

Preview the evidence

There are different ways to preview your evidence, depending on which type of storage you select.

| Storage type | Preview options |
|---|---|
| Customer-managed | Use activity explorer; use the compliance portal |
| Microsoft-managed (preview) | Use activity explorer; use the compliance portal |

Preview evidence via Activity explorer

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal > Data loss prevention > Activity explorer.
  2. Using the Date dropdown, select the Start and End dates for the period you’re interested in.
  3. In the list of results, double-click the line item of the activity you want to investigate.
  4. In the flyout pane, the link to the Azure blob where the evidence is stored appears under Evidence file.
  5. Select the Azure blob storage link to display the file that was matched.

Preview evidence via the compliance portal Alerts page

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal > Data loss prevention > Alerts.
  2. Using the Date dropdown, select the Start and End dates for the period you’re interested in.
  3. In the list of results, double-click the line item of the activity you want to investigate.
  4. In the flyout pane, select View details.
  5. Select the Events tab.
  6. In the Detail pane, select the Source tab. The file that was matched displays.

Note

If the file that was matched already exists in the Azure storage blob, it won't be uploaded again until changes are made to the file and a user takes an action on it.

Known Behaviors

  • Files stored in the device cache don't persist if the system crashes or restarts.
  • The maximum size for files that can be uploaded from a device is 500 MB.
  • If Just-in-Time Protection is triggered on a scanned file, or if the file is stored on a network share, the evidence file is not collected.
  • When multiple files are opened in the same process (non-Office apps) and one of the files matching a policy is egressed, DLP events are triggered for all files. No evidence is captured.
  • If multiple policy rules are detected in a single file, the evidence file is only stored if the most restrictive policy rule is configured to collect evidence.