Get started with the Microsoft Purview extension for Firefox
Use these procedures to roll out the Microsoft Purview extension for Firefox.
Before you begin
To use the Microsoft Purview extension for Firefox, the device must be onboarded into endpoint DLP. Review these articles if you're new to DLP or endpoint DLP:
- Learn about Microsoft Purview extension for Firefox
- Learn about Microsoft Purview Data Loss Prevention
- Create and Deploy data loss prevention policies
- Learn about endpoint data loss prevention
- Get started with Endpoint data loss prevention
- Onboarding tools and methods for Windows 10 devices
- Configure device proxy and internet connection settings for Information Protection
- Using Endpoint data loss prevention
SKU/subscriptions licensing
Before you get started, you should confirm your Microsoft 365 subscription and any add-ons. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.
- Microsoft 365 E5
- Microsoft 365 A5 (EDU)
- Microsoft 365 E5 compliance
- Microsoft 365 A5 compliance
- Microsoft 365 E5 information protection and governance
- Microsoft 365 A5 information protection and governance
For detailed licensing guidance, see Microsoft 365 licensing guidance for security & compliance.
- Your organization must be licensed for Endpoint DLP
- Your devices must be running Windows 10 x64 build 1809 or later.
- The device must have Antimalware Client Version 4.18.2202.x or later. To check your current version, open the Windows Security app, select the Settings icon, and then select About.
Permissions
Data from Endpoint DLP can be viewed in Activity explorer. Seven roles grant permission to Activity explorer; the account you use to access the data must be a member of any one of them.
- Global administrator
- Compliance admin
- Security admin
- Compliance data admin
- Global reader
- Security reader
- Reports reader
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should only be used in scenarios where a lesser privileged role can't be used.
Roles and Role Groups
There are roles and role groups that you can use to fine-tune your access controls.
Here's a list of applicable roles. To learn more about them, see Permissions in the Microsoft Purview compliance portal.
- Information Protection Admin
- Information Protection Analyst
- Information Protection Investigator
- Information Protection Reader
Here's a list of applicable role groups. To learn more about these role groups, see Permissions in the Microsoft Purview compliance portal.
- Information Protection
- Information Protection Admins
- Information Protection Analysts
- Information Protection Investigators
- Information Protection Readers
Overall installation workflow
Deploying the extension is a multi-phase process. You can choose to install on one machine at a time, or use Microsoft Intune or Group Policy for organization-wide deployments.
- Prepare your devices.
- Basic Setup Single Machine Selfhost
- Deploy using Microsoft Intune
- Deploy using Group Policy
- Test the extension
- Use the Alerts Management Dashboard to view Firefox DLP alerts
- Viewing Firefox DLP data in activity explorer
Prepare infrastructure
If you're rolling out the extension to all your monitored Windows 10 devices, you should remove Mozilla Firefox from the unallowed app and unallowed browser lists. For more information, see Unallowed browsers. If you're only rolling it out to a few devices, you can leave Firefox on the unallowed browser or unallowed app lists. The extension bypasses the restrictions of both lists for those computers where it's installed.
Prepare your devices
- Use the procedures in these articles to onboard your devices:
Basic Setup Single Machine Selfhost
This is the recommended method.
Download the initial XPI file.
Locate the extension in your file explorer and drag the file into an open Mozilla Firefox window.
Confirm the installation.
Deploy using Microsoft Intune
Use this setup method for organization-wide deployments.
Microsoft Intune Force Install Steps
Before adding the extension to the list of force-installed extensions, it's important to ingest the Firefox ADMX. Steps for this process in Microsoft Intune are documented below. Before beginning these steps, please ensure you have downloaded the latest Firefox ADMX from the Firefox GitHub.
Follow these steps to ingest the Firefox ADMX.
Sign in to the Microsoft Endpoint Manager Admin Center.
Navigate to Devices then to Configuration.
Select Create New Policy.
Select Windows 10 and later as the platform.
Select Templates and Custom as profile type then click Create.
Enter a descriptive name like Firefox ADMX and an optional description.
Click Add OMA-URI Settings and enter the following policy information.
- Name: Descriptive name.
- Description: Optional description.
- OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx
- Data type: String
- Value: Copy all of the text from the downloaded firefox.admx file into the Value field.
Select Create.
After ingesting the ADMX, follow the steps below to create a configuration profile for this extension.
Sign in to the Microsoft Intune admin center.
Navigate to Configuration Profiles.
Select Create Profile.
Select Windows 10 as the platform.
Select Custom as profile type.
Select the Settings tab.
Select Add.
Enter the following policy information.
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/ExtensionSettings
- Data type: String
- Value: <enabled/><data id="ExtensionSettings" value='{"microsoft.defender.browser_extension.native_message_host@microsoft.com":{"installation_mode": "force_installed", "install_url": "https://github.com/microsoft/purview/raw/main/endpointDLP/browser_extension/prod-1.1.0.212.xpi","updates_disabled":false}}'/>
Note: It's critical that updates_disabled is set to false so that the extension can automatically update over time.
Select Create.
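The check below is an added example, not Microsoft's code: it lints an ExtensionSettings OMA-URI value before it is pasted into Intune, confirming that the embedded JSON parses and that the extension is force-installed from an https .xpi URL with updates left enabled. The function name lint_extension_settings is hypothetical; the extension ID and sample payload are the ones shown on this page.

```python
import json
import re
from urllib.parse import urlparse

# Extension ID and payload copied from the policy value on this page.
EXTENSION_ID = "microsoft.defender.browser_extension.native_message_host@microsoft.com"
PAGE_VALUE = (
    '<enabled/><data id="ExtensionSettings" value=\'{"' + EXTENSION_ID + '":'
    '{"installation_mode": "force_installed", "install_url": '
    '"https://github.com/microsoft/purview/raw/main/endpointDLP/browser_extension/prod-1.1.0.212.xpi",'
    '"updates_disabled":false}}\'/>'
)

# The JSON sits inside the single-quoted value attribute of the <data> element.
DATA_RE = re.compile(r"""<data\s+id="ExtensionSettings"\s+value='(.*)'\s*/>""", re.S)


def lint_extension_settings(value: str) -> list[str]:
    """Return the problems found in an ExtensionSettings OMA-URI value (hypothetical helper)."""
    if not value.lstrip().startswith("<enabled/>"):
        return ["value must start with <enabled/>"]
    match = DATA_RE.search(value)
    if not match:
        return ['missing <data id="ExtensionSettings" value=\'...\'/> element']
    try:
        settings = json.loads(match.group(1))
    except json.JSONDecodeError as exc:
        # Typical cause: smart quotes introduced by copying through a word processor.
        return [f"embedded JSON does not parse: {exc.msg}"]
    entry = settings.get(EXTENSION_ID)
    if not isinstance(entry, dict):
        return [f"no entry for {EXTENSION_ID}"]
    problems = []
    if entry.get("installation_mode") != "force_installed":
        problems.append("installation_mode is not force_installed")
    url = urlparse(str(entry.get("install_url", "")))
    if url.scheme != "https" or not url.path.endswith(".xpi"):
        problems.append("install_url must be an https URL to an .xpi file")
    # Require an explicit false, as the note on this page asks.
    if entry.get("updates_disabled") is not False:
        problems.append("updates_disabled must be false so the extension can update")
    return problems


if __name__ == "__main__":
    print(lint_extension_settings(PAGE_VALUE) or "payload OK")
```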
Deploy using Group Policy
If you don't want to use Microsoft Intune, you can use group policies to deploy the extension across your organization.
Adding the Firefox extension to the ForceInstall List
In the Group Policy Management Editor, navigate to your OU.
Expand the following path: Computer/User configuration > Policies > Administrative templates > Classic administrative templates > Firefox > Extensions. This path may vary depending on your configuration.
Select Extensions to install.
Right click and select Edit.
Select Enabled.
Select Show.
Under Value, add the following entry:
https://github.com/microsoft/purview/raw/main/endpointDLP/browser_extension/prod-1.1.0.212.xpi
Select OK and then Apply.
Test the extension
Upload to cloud service, or access by unallowed browsers Cloud Egress
- Create or get a sensitive item and try to upload a file to one of your organization’s restricted service domains. The sensitive data must match one of our built-in Sensitive Info Types, or one of your organization’s sensitive information types. You should get a DLP toast notification on the device you're testing from that shows that this action isn't allowed when the file is open.
Testing other DLP scenarios in Firefox
Now that you’ve removed Firefox from the disallowed browsers/apps list, you can run simulations on the policy for these scenarios below to confirm the behavior meets your organization’s requirements:
- Copy data from a sensitive item to another document using the Clipboard
  - To test, open a file that is protected against copy to clipboard actions in the Firefox browser and attempt to copy data from the file.
  - Expected Result: A DLP toast notification showing that this action isn't allowed when the file is open.
- Print a document
  - To test, open a file that is protected against print actions in the Firefox browser and attempt to print the file.
  - Expected Result: A DLP toast notification showing that this action isn't allowed when the file is open.
- Copy to USB Removable Media
  - To test, try to save the file to a removable media storage.
  - Expected Result: A DLP toast notification showing that this action isn't allowed when the file is open.
- Copy to Network Share
  - To test, try to save the file to a network share.
  - Expected Result: A DLP toast notification showing that this action isn't allowed when the file is open.
Use the Alerts Management Dashboard to view Firefox DLP alerts
Open the Data loss prevention page in the Microsoft Purview compliance portal and select Alerts.
Refer to the procedures in Get started with the data loss prevention Alerts dashboard and Investigate data loss incidents with Microsoft Defender XDR to view alerts for your Endpoint DLP policies.
Viewing Firefox DLP data in activity explorer
Open the Data classification page for your domain in the Microsoft Purview compliance portal and choose Activity explorer.
Refer to the procedures in Get started with Activity explorer to access and filter all the data for your Endpoint devices.
Known Issues and Limitations
- Incognito mode isn't supported and must be disabled.
Next steps
Now that you have onboarded devices and can view the activity data in Activity explorer, you're ready to move on to your next step where you create DLP policies that protect your sensitive items.