Use data loss prevention policies for non-Microsoft cloud apps

You can scope DLP policies to Microsoft Defender for Cloud Apps to monitor, detect, and take actions when sensitive items are used and shared via non-Microsoft cloud apps.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

SKU/subscriptions licensing

Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons. To access and use this functionality, you must have one of these subscriptions or add-ons:

• Microsoft 365 E5
• Microsoft 365 E5 Compliance
• Microsoft 365 E5 Security

Permissions

The user who creates the DLP policy should be a:

• Global administrator
• Compliance administrator: assign in Microsoft Entra ID
• Compliance data administrator: assign in Microsoft Entra ID

Prepare your Defender for Cloud Apps environment

Before you configure DLP policies scoped to Microsoft Defender for Cloud Apps, you must prepare your Defender for Cloud Apps environment. For instructions, see Quickstart: Get started with Microsoft Defender for Cloud Apps.

Connect a non-Microsoft cloud app

To use a DLP policy that's scoped to a specific non-Microsoft cloud app, the app must be connected to Defender for Cloud Apps. For information, see:

• Connect Box
• Connect Dropbox
• Connect Google Workspace
• Connect Salesforce
• Connect Cisco Webex

After you connect your cloud apps to Defender for Cloud Apps, you can create DLP policies for them.

Create a DLP policy scoped to a non-Microsoft cloud app

Refer to Create and Deploy data loss prevention policies for the procedures to create a DLP policy. Keep these points in mind as you configure your policy:

• Turn on the Microsoft Defender for Cloud Apps location.
• To select a specific app or instance, select Choose instance. If you don't select an instance, the policy will be scoped to all connected apps in your Microsoft Defender for Cloud Apps tenant.
• You can select from a number of Actions to enforce on third party apps. To restrict third-party apps, select Restrict Third Party Apps and then select the specific actions.

Note

When you create a DLP policy that is scoped to Microsoft Defender for Cloud Apps, the same policy will be automatically created in Microsoft Defender for Cloud Apps.

See Also

• Create and Deploy data loss prevention policies
• Get started with the default DLP policy
• Create and Deploy data loss prevention policies