Get started with collecting files that match data loss prevention policies from devices
This article walks you through the prerequisites and configuration steps for evidence collection for file activities on devices and introduces how to view the items that are copied and saved.
Each container inherits the permissions of the storage account that it is in. You can't set different permissions per container. If you need to configure different permissions for different regions, you must create multiple storage accounts, not multiple containers.
You should have answers to the following questions before setting up your Azure storage and scoping the feature to users.
Do you need to compartmentalize items and access along role or departmental lines?
For example, if your organization wants to have one set of administrators or DLP event investigators who can view saved files from your senior leadership and another set of administrators or DLP event investigators for saved items from human resources, you should create one Azure storage account for your organization's senior leadership and another for the Human Resources department. This ensures that the Azure storage admins or DLP event investigators can only see the items that matched DLP policies from their respective groups.
Do you want to use containers to organize saved items?
You can create multiple evidence containers within the same storage account for sorting saved files. For example, one for files saved from the HR department and another for those from the IT department.
What is your strategy for protecting against saved item deletion or modification?
In Azure Storage, data protection refers to both the strategies for protecting the storage account and data within it from being deleted or modified and to restoring data after it's deleted or modified. Azure storage also offers options for disaster recovery, including multiple levels of redundancy, to protect your data from service outages due to hardware problems or natural disasters. It can also protect your data using customer-managed failover if the data center in the primary region becomes unavailable. For more information, see Data protection overview.
To save the evidence that Microsoft Purview detects when your data loss prevention policies are applied, you need to set up storage. There are two ways to do this:
Customer-managed storage: an Azure Blob storage account and container that you create and control.
Microsoft-managed storage (preview).
For more information and a comparison of these two types of storage, see [Storing evidence when sensitive information is detected (preview)](dlp-copy-matched-items-learn.md#storing-evidence-when-sensitive-information-is-detected-on-policy-match-preview).
Create customer-managed storage
The procedures for setting up your Azure storage account, container, and blobs are documented in the Azure document set. Here are links to relevant articles you can refer to help you get started:
Make sure to select Enable public access from all networks while creating the storage account. Restricting the account to virtual networks or IP address ranges, or using private endpoints, isn't supported. This setting controls network reachability only: access to the blobs is still authorized through Microsoft Entra role assignments, so don't enable anonymous (public) blob access on the account or container.
Be sure to save the name and URL of the Azure blob container. To view the URL, open the Azure portal > Home > Storage Accounts > Container > Properties.
The format for the Azure blob container URL is: https://storageAccountName.blob.core.windows.net/containerName.
Add an Azure storage blob to your account
There are several ways you can add an Azure storage blob to your account. Choose one of the methods below.
To add Azure blob storage using the Microsoft Purview portal:
Sign in to the Microsoft Purview portal and choose the Settings gear in the menu bar.
Choose Data Loss Prevention.
Select Endpoint DLP settings.
Expand Setup evidence collection for file activities on devices.
Change the toggle from Off to On.
In the Set evidence cache on device field, select the amount of time evidence should be saved locally when the device is offline. You can choose 7, 30, or 60 days.
Select a storage type (Customer managed store or Microsoft managed store (preview)) and then select + Add storage.
For Customer-managed storage:
Choose Customer managed store: and then choose + Add storage.
Give the account a name and enter the URL for the storage blob.
Choose Save.
For Microsoft-managed storage:
Choose Microsoft managed store (preview)
To add Azure blob storage using the DLP policy creation workflow in the Microsoft Purview portal:
Sign in to the Microsoft Purview portal and choose Data Loss Prevention.
Follow the steps to create a new policy.
At the Locations step, make sure that only the Devices location is selected, and then choose Next.
At the Policy settings step, select Create or customize advanced DLP rules.
Select +Create rule and add Conditions, Actions, User notifications and User overrides with values of your choosing.
In the Incident reports section, the Send an alert to admins when a rule match occurs toggle should be On by default. (If it isn’t, turn it on.)
Select the checkbox next to Collect original file as evidence for all selected file activities on Endpoint.
Select the activities you want to collect evidence for.
Select Add storage next to the checkbox item.
On the Endpoint DLP settings page, expand Setup evidence collection for file activities on devices and make sure that the option is toggled to On.
To add Azure blob storage using the compliance portal:
Starting in the left navigation pane of the compliance portal, navigate to Data Loss Prevention > Overview > Data loss prevention settings > Endpoint DLP Settings.
Expand Setup evidence collection for file activities on devices and set the toggle to On.
In the Set evidence cache on device field, select the amount of time evidence should be saved locally when the device is offline. You can choose 7, 30, or 60 days.
Select a storage type (Customer managed store or Microsoft managed store (preview)) and then select + Add storage.
For Customer-managed storage:
Choose Customer managed store: and then choose + Add storage.
Give the account a name and enter the URL for the storage blob.
Choose Save.
For Microsoft-managed storage:
Choose Microsoft managed store (preview)
To add Azure blob storage using the DLP policy creation workflow in the compliance portal:
From the left navigation pane, navigate to Data Loss Prevention > Policies.
Choose to edit an existing policy or create a new one.
Work through the policy creation workflow.
On the Locations page, make sure that only the Devices location is selected, and then choose Next.
On the Define policy settings page, select Create or customize advanced DLP rules.
Select + Create rule.
Work through the rule builder as usual, selecting the following options:
In the Incident reports section, select an option for Use this severity level in admin alerts and reports.
Toggle the Send an alert to admins when a rule match occurs option to On.
Select the checkbox next to Collect original file as evidence for all selected file activities on Endpoint.
Choose Add Storage. The Endpoint DLP settings page opens in a new window.
On the Endpoint DLP settings page, expand Setup evidence collection for file activities on devices and make sure that the option is toggled to On.
For Set evidence cache on device, specify the number of days files should be retained if the device is disconnected from the server.
Select + Add storage.
In the Add account flyout, enter a name and URL for your blob.
Choose Save.
Back in the rule builder, select Send alert every time an activity matches the rule.
Choose Save.
Finish creating or editing your rule, then choose Submit.
Set permissions on the Azure blob storage
Using Microsoft Entra authorization, you must configure two sets of permissions (role groups) on the blobs:
One for the administrators and investigators so they can view and manage evidence
One for users who need to upload items to Azure from their devices
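The two role definitions above, the container URL format required earlier, and the deletion-protection question from the planning section all come together when you create the Azure role assignments. The following is an added example, not code from the Microsoft page or from Purview: it validates an evidence container URL against the documented format, builds two Azure custom role definitions in the JSON shape that `az role definition create --role-definition` accepts, and checks that the split between investigators (read only) and uploading devices (write only) actually holds. The role names, descriptions and the choice of exact actions are this example's assumptions; the `Microsoft.Storage/...` action and data-action identifiers are standard Azure RBAC operations.

```python
"""Added example: validate the DLP evidence container URL and build
least-privilege Azure custom roles for evidence storage.
Assumptions (not stated on the page): role names, descriptions and the exact
set of actions granted are this example's choices.
"""
import json
import re
from urllib.parse import urlsplit

BLOB_SUFFIX = ".blob.core.windows.net"
# Storage account: 3-24 lowercase letters/digits. Container: 3-63 lowercase
# letters, digits and hyphens, starting and ending with a letter or digit.
ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")
CONTAINER_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")

# Azure RBAC operation identifiers for blob containers and blobs.
CONTAINER_ACTIONS = "Microsoft.Storage/storageAccounts/blobServices/containers"
BLOB_ACTIONS = CONTAINER_ACTIONS + "/blobs"


def parse_evidence_container_url(url: str) -> tuple:
    """Return (storage_account, container) for a URL of the documented form
    https://<account>.blob.core.windows.net/<container>, else raise ValueError.
    http, SAS tokens, credentials, ports and nested paths are all rejected."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("evidence container URL must use https")
    if parts.query or parts.fragment or parts.username or parts.port:
        raise ValueError("URL must not carry a query string, SAS token, credentials or port")
    host = parts.hostname or ""
    if not host.endswith(BLOB_SUFFIX):
        raise ValueError(f"host must end with {BLOB_SUFFIX}")
    account = host[: -len(BLOB_SUFFIX)]
    if not ACCOUNT_RE.match(account):
        raise ValueError(f"invalid storage account name: {account!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 1 or not CONTAINER_RE.match(segments[0]):
        raise ValueError("path must be exactly one valid container name")
    return account, segments[0]


def container_scope(subscription_id: str, resource_group: str, account: str, container: str) -> str:
    """ARM resource ID of one container: the narrowest scope a role can be assigned at."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account}"
            f"/blobServices/default/containers/{container}")


def investigator_role(scope: str) -> dict:
    """Investigators list the container and read blobs; they get no write or delete
    data actions, so they cannot alter or remove evidence. (Assumed role name.)"""
    return {
        "Name": "DLP Evidence Investigator",
        "IsCustom": True,
        "Description": "List and read DLP evidence files; cannot modify or delete them",
        "Actions": [CONTAINER_ACTIONS + "/read"],
        "NotActions": [],
        "DataActions": [BLOB_ACTIONS + "/read"],
        "NotDataActions": [],
        "AssignableScopes": [scope],
    }


def device_uploader_role(scope: str) -> dict:
    """Users whose devices upload evidence only need to create blob content.
    No read: a compromised device cannot pull evidence uploaded by other
    devices. No delete: it cannot remove evidence. (Assumed role name.)"""
    return {
        "Name": "DLP Evidence Uploader",
        "IsCustom": True,
        "Description": "Upload DLP evidence files from devices; cannot read or delete them",
        "Actions": [],
        "NotActions": [],
        "DataActions": [BLOB_ACTIONS + "/write", BLOB_ACTIONS + "/add/action"],
        "NotDataActions": [],
        "AssignableScopes": [scope],
    }


def check_separation(uploader: dict, investigator: dict) -> list:
    """Return findings (empty when clean) for grants that break the intended split."""
    findings = []
    granted = {r["Name"]: set(r["Actions"]) | set(r["DataActions"]) for r in (uploader, investigator)}
    for name, ops in granted.items():
        if any("*" in op for op in ops):
            findings.append(f"{name}: wildcard grant, audit the effective permissions")
        if BLOB_ACTIONS + "/delete" in ops:
            findings.append(f"{name}: can delete evidence")
    if BLOB_ACTIONS + "/read" in granted[uploader["Name"]]:
        findings.append(f"{uploader['Name']}: can read evidence uploaded by other devices")
    if granted[investigator["Name"]] & {BLOB_ACTIONS + "/write", BLOB_ACTIONS + "/add/action"}:
        findings.append(f"{investigator['Name']}: can alter evidence")
    return findings


def role_json(role: dict) -> str:
    """Serialize for: az role definition create --role-definition @role.json"""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    # Constructed sample values; the subscription ID is a placeholder.
    account, container = parse_evidence_container_url("https://contosodlp.blob.core.windows.net/evidence")
    scope = container_scope("00000000-0000-0000-0000-000000000000", "rg-dlp", account, container)
    print(role_json(investigator_role(scope)))
    print(role_json(device_uploader_role(scope)))
    print("findings:", check_separation(device_uploader_role(scope), investigator_role(scope)))
```

Assign the uploader role to the users (or a group of users) scoped by the policy, and the investigator role to the investigator group, both at the container scope rather than the whole account, so that a second storage account for another department (as the planning section recommends) shares no grants with the first. Neither role grants delete, but the uploader's write permission can still overwrite an existing blob, so deletion and modification protection still has to come from the storage account's data-protection settings referenced earlier, not from RBAC alone.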
Permissions on Azure blob for administrators and investigators
Once you create the role group for DLP incident investigators, you must configure the permissions described in the Investigator actions and Investigator data actions sections that follow.
For more information on configuring blob access, see these articles:
Expand Setup evidence collection for file activities on devices and set the toggle to On.
In the Set evidence cache on device field, select the amount of time evidence should be saved locally when the device is offline. You can choose 7, 30, or 60 days.
Under Select storage type, choose Microsoft managed storage (preview).
Using the Date dropdown, select the Start and End dates for the period you’re interested in.
In the list of results, select the activity you want to investigate.
In the flyout pane, select View details.
Select the Events tab.
In the Detail pane, select the Source tab. The file that was matched displays.
Note
If the file that was matched already exists in the Azure storage blob, it won't be uploaded again until changes are made to the file and a user takes an action on it.
Known Behaviors
Files stored in the device cache don't persist if the system crashes or restarts.
The maximum size for files that can be uploaded from a device is 500 MB.
If Just-in-Time Protection is triggered on a scanned file, OR if the file is stored on a network share, the evidence file is not collected.
When multiple files are opened in the same process (non-office apps) and one of the files matching a policy is egressed, DLP events are triggered for all files. No evidence is captured.
If multiple policy rules are detected in a single file, the evidence file is only stored if the most restrictive policy rule is configured to collect evidence.