Learn about Microsoft Purview Network Data Security (preview)

In preview, Microsoft Purview network data security enables organizations to ingest and classify HTTP and HTTPS network traffic from third-party network security solutions. This feature uses Microsoft Purview Data Loss Prevention (DLP) capabilities, the classifiers that you already use in other Microsoft Purview policies, and collection policies (preview) to give you insight into sensitive data that is being shared with generative AI and other unmanaged cloud apps.

With network data security you can identify sensitive items that are being shared through these interactions:

  • Interactions with generative AI through browsers, apps, and add-ins, such as ChatGPT, Gemini, and Claude.
  • Files uploaded to unsanctioned cloud storage providers, including Dropbox, Box, and Google Drive.
  • Emails and file attachments shared with cloud email providers, such as Gmail.
  • Form submissions through online form services, including Google Forms.
  • Social media posts on common services like Facebook and X.

Before you begin

If you're new to Microsoft Purview collection policies, Microsoft Purview pay-as-you-go billing models, or Microsoft Purview DLP, you should familiarize yourself with the information in these articles:

Licensing

For information on licensing, see

Network data security requires both E5 per-seat licenses and the pay-as-you-go billing model. If your organization doesn't have pay-as-you-go set up for your Microsoft 365 tenant, you must configure it before you can use the network data security feature. The pay-as-you-go billing model allows you to pay only for the Microsoft Purview features that you use and that are enabled for it. This model is designed to be flexible and cost-effective, allowing you to scale your usage up or down as needed.

For information on setting up the pay-as-you-go billing model, see Enable Microsoft Purview pay-as-you-go features for new customers.

How network data security works

Looking at it from a broad perspective, the Microsoft Purview network data security solution is a combination of two components:

Network security solution

The network data security solution integrates your secure access service edge (SASE) solutions directly into Microsoft Purview. The network security solutions are responsible for monitoring network traffic and sending the data to Microsoft Purview. The data is then classified using the same classifiers that you use in other Microsoft Purview policies. The network security solution sends the data to Microsoft Purview asynchronously.

For more information on which SASE solutions are supported, see the Microsoft Purview Data Loss Prevention Integrations page.

Microsoft Purview

You configure the integration between Microsoft Purview and the network security solution on the Integrations tab in DLP settings. This integration establishes the bidirectional communication channel between the network security solution and Microsoft Purview.

The next step is to configure a collection policy (preview) that defines the conditions, activities, and data sources of network data that you want the network security solution to collect and send to Microsoft Purview. For more information on how to create a collection policy for network data security, see Scenario 1 Detect sensitive data shared with unmanaged cloud apps via network (preview).

Microsoft Purview sends the collection policy configuration to your SASE solution and the SASE solution sends the sensitive data matches to Microsoft Purview for classification asynchronously. If you configure content capture in the collection policy, the conversation that happens between the user and the AI app is captured and sent to Microsoft Purview as well.

After the data is classified, it's available in activity explorer and in the DSPM for AI activity explorer.

Once you've successfully configured the integration between Microsoft Purview and your network security solution, allow up to 24 hours for your collection policies to be distributed to the network security solution and for the first data to show up. Once the two services are fully communicating with each other, it can take up to 30 minutes for data about a request from a client to a website or cloud app to appear in the audit log and activity explorer.

Supported network data security collection policy configuration

The Microsoft Purview side of the configuration is done via a collection policy. Here are the configuration options that are supported in public preview:

  • Conditions - The conditions you can use in a network data security collection policy are the same as the conditions you can use in other Microsoft Purview policies. For example, you can use the Content contains > Sensitive information types condition to classify sensitive items that are being shared with generative AI and other unmanaged cloud apps.

Note

Network data security doesn't support the file size and file extension conditions.

  • Activities - Network data security supports four activities:
    • Text sent to or shared with cloud or AI app.
    • File uploaded to or shared with cloud or AI app.
    • Text received from cloud or AI app.
    • File downloaded from cloud or AI app.

Note

The activities supported may differ depending on the integrated SASE solution. Check with your SASE solution provider for details on supported activities.

  • Data sources - These are the locations that the endpoint device is communicating with.
    • Unmanaged cloud apps - Network data security collection policies support all the sources that are in the Microsoft Defender for Cloud Apps Cloud app catalog which includes over 34,000 discoverable cloud apps.
    • Adaptive scopes - all apps categorized as generative AI.

Default policy from Microsoft Purview Data Security Posture Management for AI

Microsoft Purview Data Security Posture Management for AI (DSPM for AI) offers recommendations to help monitor communications with generative AI apps. Select the recommendation Extend insights into sensitive data in AI app interactions to create a one-click policy named DSPM for AI - Detect sensitive info shared with AI via network. After it's created, you can edit this default policy for network data security as you would any collection policy.

Supported network protocols

At public preview, network data security supports classifying traffic sent from an endpoint device over the HTTP and HTTPS protocols to websites, cloud apps, and generative AI apps.

Accessing network data security data

Data from network data security appears in activity explorer and in Data Security Posture Management for AI activity explorer events.

Activity explorer

In activity explorer, you can filter on enforcement plane set to network. This shows you classification events that are generated from network data security collection policies.

Billing model

Network data security uses the request as the unit of measure for pay-as-you-go billing purposes. A request is defined as each network call made from a device or browser to a website or API. This doesn't include the responses to the requests. For more information on pay-as-you-go billing for network data security, see Other Microsoft Purview solutions that use Pay-As-You-Go and Requests.

Here are some examples:

Activity: Text sent to or shared with cloud or AI app
Data type: Human-readable strings transmitted inline
Examples:
  • submitting a form with textual information
  • sending raw text or a prompt to a generative AI
  • the body of an email
  • sending JSON data to an API

Activity: File uploaded to or shared with cloud or AI app
Data type: Byte streams, including text-based files, binary files, .txt files, source code, documents, images, videos, .exe files, .pdf files, and archive files
Examples:
  • uploading a profile picture to social media
  • sending a document or .pdf file as an email attachment
  • sharing a document with generative AI
  • transferring a document or .zip file to a cloud storage solution

Next steps