Learn about the data loss prevention on-premises repositories
When you select the On-premises repositories location, Microsoft Purview Data Loss Prevention (DLP) can enforce protective actions on on-premises data-at-rest in file shares and SharePoint document libraries and folders. This gives you the visibility and control you need to ensure that sensitive items are used and protected properly, and to help prevent risky behavior that might compromise them. The DLP detects sensitive information by using built-in or custom sensitive information types, sensitivity labels or file properties. The information about what users are doing with sensitive items is made visible in activity explorer and you can enforce protective actions on those items via DLP policies.
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
DLP relies on Microsoft Purview Information Protection scanner
DLP relies on a full implementation of the Microsoft Purview Information Protection scanner to monitor, label, and protect sensitive items. If you haven't implemented Information Protection scanner, you must do so before you can use DLP. For more information, read these articles:
- What is Azure Information Protection
- Learn about the information protection scanner
- Get started with the information protection scanner
- Configuring and installing the information protection scanner
- Azure Information Protection unified labeling client - Version release history and support policy
DLP On-premises repository actions
DLP detects files in on-premises repositories by looking for the following:
- sensitive information types
- sensitivity labels
- file extension
- custom document properties on Office files only
When a detected file poses a compliance policy violation or potential risk if leaked, DLP can take one of the following four actions.
|Block people from accessing file stored in on-premises scanner - Block everyone||When enforced, this action blocks access to all accounts except the content owner, the account that last modified the item, and the administrator. It does this by removing all accounts from NTFS/SharePoint permissions at the file level except for the file owner, repository owner (set in the Use a DLP policy setting in content scan job), last modifier (can be identified in SharePoint only), and admin. The scanner account is also granted FC rights on the file.|
|Block only people who have access to your on-premises network and users in your organization who weren't granted explicit access to the files from accessing file||When enforced, this action removes the Everyone, NT AUTHORITY\authenticated users, and Domain Users SIDs from the file access control list (ACL). Only users and groups that have been explicitly granted rights to the file or parent folder will be able to access the file.|
|Set permissions on the file (permissions will be inherited from the parent folder)||When enforced, this action forces the file to inherit the permissions of its parent folder. By default, this action will only be enforced if the permissions on the parent folder are more restrictive than the permissions that are already on the file. For example, if the ACL on the file is set to allow only specific users and the parent folder is configured to allow the Domain Users group, the parent folder permissions wouldn't be inherited by the file. You can override this behavior by selecting the Inherit even if parent permissions are less restrictive option.|
|Remove the file from improper location||When enforced, this action replaces the original file with a stub file with .txt extension and places a copy of the original file in a quarantine folder.|
What's different in the on-premises scanner
There are a few extra concepts that you need to be aware of before you dig into the on-premises scanner.
AIP repositories and content scan jobs
You must create a content scan job in the information protection scanner and identify the repositories that host the files that you want to DLP to evaluate. Make sure you enable DLP rules in the created AIP content scan job.
Policy tips aren't available in on-premises scanner.
Viewing DLP on-premises scanner events
You view DLP data in the Microsoft Purview compliance portal activity explorer.
Now that you've learned about the Information Protection on-premises scanner, your next steps are: