Learn about Microsoft Purview Network Data Security

Microsoft Purview network data security enables organizations to monitor, classify, and apply protections to HTTP and HTTPS traffic through integrations with one or more integrated secure access service edge (SASE) solutions:

  • In preview, network content filtering with Microsoft Entra GSA Internet Access (files only).
  • In general availability, integration with third-party SASE network security solutions (text and files).

This feature combines Microsoft Purview Data Loss Prevention (DLP) capabilities for protection, collection policies for discovery, and the classifiers you already use in other Microsoft Purview policies to give you insight into, and apply protections to, sensitive data being shared with generative AI and other unmanaged cloud apps. You can use either policy type, or both, depending on your organization's needs: collection policies for discovery of data and DLP policies for prevention of data exfiltration.

With network data security, you can identify, block, and alert on sensitive content that's shared through these interactions:

  • Interactions with generative AI through browsers, apps, and add-ins, such as ChatGPT, Gemini, and Claude.
  • Files uploaded to unsanctioned cloud storage providers, including Dropbox, Box, and Google Drive.
  • Emails and file attachments shared with cloud email providers, such as Gmail.
  • Form submissions through online form services, including Google Forms.
  • Social media posts on common services like Facebook and X.

Before you begin

If you're new to Microsoft Purview collection policies, Microsoft Purview pay-as-you-go billing models, or Microsoft Purview DLP, you should familiarize yourself with the information in these articles:

Licensing

For information on licensing, see

Network data security requires the Microsoft Purview pay-as-you-go billing model. If your organization hasn’t set up pay-as-you-go for your Microsoft 365 tenant, you must configure it before using any network data security features. The pay-as-you-go model lets you pay only for the Microsoft Purview features you use. It’s designed to be flexible and cost-effective, allowing you to scale usage up or down as needed.

Important

To use collection policies, you must have E5 per-seat licenses in addition to the pay-as-you-go subscription. To use DLP policies with network data security only, the pay-as-you-go subscription is all you need. If you use any other DLP functionality, you must have per-seat licensing.

For information on setting up the pay-as-you-go billing model, see Enable Microsoft Purview pay-as-you-go features for new customers.

Note

The Microsoft Entra GSA Internet Access integration is currently excluded from pay-as-you-go billing for in-transit protection while in preview. However, you still need to configure pay-as-you-go billing before setting up any Microsoft Purview collection or DLP policies. Other pay-as-you-go charges may continue to apply based on the capabilities used.

How network data security works

From a broad perspective, the Microsoft Purview network data security solution combines two components:

Network security solution

The network data security solution integrates your secure access service edge (SASE) solutions directly into Microsoft Purview. The network security solutions monitor network traffic and send the data to Microsoft Purview for classification and policy evaluation. When you apply protections through DLP policies, the communication between your SASE solution and Microsoft Purview is in real time. If you use network data security for monitoring only, via collection policies, the communication is asynchronous.

For more information on which SASE solutions are supported, see the Microsoft Purview Data Loss Prevention Integrations page.

Important

If you choose to integrate with non-Microsoft partners, they will be able to access and possibly store some policy configuration, including user identifiers. Their terms, conditions, and privacy policy will govern the usage and storage of this data.

Microsoft Purview

You configure the integration between Microsoft Purview and the network security solution on the Integrations tab in DLP settings. This integration establishes the bidirectional communication channel between the network security solution and Microsoft Purview.

Next, configure a collection policy or data loss prevention policy that defines the conditions, activities, and cloud apps that you want the network security solution to collect and send to Microsoft Purview.

Microsoft Purview sends the appropriate DLP and collection policy configuration values to your SASE solution, and the SASE solution sends any matching network data to Microsoft Purview for classification and policy evaluation. If you configure content capture in the collection policy, the full conversation that happens between the user and the AI app is captured and sent to Microsoft Purview as well.

After the data is classified, it's available in activity explorer and in the DSPM for AI activity explorer. If a data loss prevention policy is matched and you have configured alerts, the alerts are available in DLP alerts.

After you configure the integration between Microsoft Purview and your network security solution, allow up to 24 hours for your policies to be distributed to the network security solution and for the first data to show up. Once the two services fully communicate with each other, it can take up to 30 minutes for data about a request from a client to a website or cloud app to appear in the audit log and activity explorer.

Supported network data security collection policy configuration

The Microsoft Purview side of the configuration is done via a collection policy. Here are the configuration options that are supported:

  • Conditions - The conditions you can use in a network data security collection policy are the same as the conditions you can use in other Microsoft Purview policies. For example, you can use the Content contains > Sensitive information types condition to classify sensitive items that are being shared with generative AI and other unmanaged cloud apps.

  • Activities - Network data security supports four activities:

    • Text sent to or shared with cloud or AI app.
    • File uploaded to or shared with cloud or AI app.
    • Text received from cloud or AI app.
    • File downloaded from cloud or AI app.

Note

The activities supported may differ depending on the integrated SASE solution. Check with your SASE solution provider for details on supported activities.

  • Data sources - These are the locations that the endpoint device is communicating with.
    • Unmanaged cloud apps - Network data security collection policies support all the sources that are in the Microsoft Defender for Cloud Apps Cloud app catalog, which includes over 35,000 discoverable cloud apps.
    • Adaptive app scopes - all apps in multiple categories including generative AI, cloud storage, collaboration, social network, and webmail.

Supported network data security data loss prevention policy configuration

This configuration requires Microsoft Entra Global Secure Access for network content filtering. See Create a file policy to filter network file content (preview).

The Microsoft Purview side of the configuration is done via a data loss prevention policy. Here are the configuration options that are supported:

  • Data sources - These are the locations that the endpoint device is communicating with.

    • Unmanaged cloud apps - Network data security data loss prevention policies support all the sources that are in the Microsoft Defender for Cloud Apps Cloud app catalog, which includes over 35,000 discoverable cloud apps.
    • Adaptive app scopes - all apps in multiple categories including generative AI, cloud storage, collaboration, social network, and webmail.
  • Conditions - The conditions you can use in a network data security data loss prevention policy are the same as the conditions you can use in other Microsoft Purview policies. For example, you can use the Content contains > Sensitive information types condition to detect sensitive items that are being shared with generative AI and other unmanaged cloud apps.

  • Actions - Network data security supports Audit only and Block actions for the following activities:

    • Text sent to or shared with cloud or AI app.
    • File uploaded to or shared with cloud or AI app.
    • Text received from cloud or AI app.
    • File downloaded from cloud or AI app.

Note

The activities and actions supported may differ depending on the integrated SASE solution. Check with your SASE solution provider for details on supported activities and actions.

Default policy from Microsoft Purview Data Security Posture Management for AI

Microsoft Purview Data Security Posture Management for AI (DSPM for AI) offers recommendations to help monitor communications with generative AI apps. Select the recommendation Extend insights into sensitive data in AI app interactions to create a one-click policy named DSPM for AI - Detect sensitive info shared with AI via network. After it's created, you can edit this default policy for network data security as you would any collection policy.

Supported network protocols

In preview, network data security supports classifying traffic sent from an endpoint device over the HTTP and HTTPS protocols to websites, cloud apps, and generative AI apps.

Accessing network data security data

Data from network data security appears in activity explorer, in Data Security Posture Management for AI activity explorer events, and, if alerts are enabled, in DLP alerts.

Activity explorer

In activity explorer, you can filter on Enforcement plane set to Network. This filter shows you the classification events that network data security collection policies generate.

Billing model

Network data security uses the request as the unit of measure for pay-as-you-go billing purposes. A request is each network call made from a device or browser to a website or API. This definition doesn't include the responses to those requests. For more information on pay-as-you-go billing for network data security, see Other Microsoft Purview solutions that use pay-as-you-go pricing and Requests.

Here are some examples:

Activity: Text sent to or shared with cloud or AI app
Data type: Human-readable strings transmitted inline
Examples:
  • submitting a form with textual information
  • sending raw text or a prompt to a generative AI
  • the body of an email
  • sending JSON data to an API

Activity: File uploaded to or shared with cloud or AI app
Data type: Byte streams, including text-based files, binary files, .txt files, source code, documents, images, videos, .exe files, .pdf files, and archive files
Examples:
  • uploading a profile picture to social media
  • sending a document or .pdf file as an email attachment
  • sharing a document with generative AI
  • transferring a document or .zip file to a cloud storage solution

Next steps