Use data loss prevention policies for non-Microsoft cloud apps

You can scope DLP policies to Instances to monitor, detect, and take actions when sensitive items are used and shared via non-Microsoft cloud apps.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

SKU/subscriptions and licensing

Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.

For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.

Permissions

The user who creates the DLP policy should be a:

• Global administrator
• Compliance administrator: assign in Microsoft Entra ID
• Compliance data administrator: assign in Microsoft Entra ID

Prepare your Defender for Cloud Apps environment

Before you configure DLP policies scoped to Instances, you must prepare your Defender for Cloud Apps environment. For instructions, see Quickstart: Get started with Microsoft Defender for Cloud Apps.

Connect a non-Microsoft cloud app

To use a DLP policy that's scoped to a specific non-Microsoft cloud app, the app must be connected to Defender for Cloud Apps. For information, see:

• Connect Box
• Connect Dropbox
• Connect Google Workspace
• Connect Salesforce
• Connect Cisco Webex

After you connect your cloud apps to Defender for Cloud Apps, you can create DLP policies for them.

Create a DLP policy scoped to a non-Microsoft cloud app

Refer to Create and Deploy data loss prevention policies for the procedures to create a DLP policy. Keep these points in mind as you configure your policy:

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

1. Sign in to the Microsoft Purview portal.

2. Open Data loss prevention > Policies > + Create policy.

3. Select Custom > Custom policy.

4. Name the policy and add a description.

5. Set the Admin units scope as desired.

6. On the Locations page, toggle the Instances location to on.

7. To select a specific app or instance, select Edit > Specific instances > + Include instances and then the instances (cloud apps) you want to include. If you don't select a instance, the policy will be scoped to all connected apps in your Microsoft Defender for Cloud Apps tenant.

8. Create rule with the desired settings. For more information on policy creation, see Create and Deploy data loss prevention policies.

   1. Under Actions select Restrict Third Party Apps and select any of the apps listed.

Compliance portal

1. Open Microsoft Purview compliance portal > Data loss prevention > Policies >.

2. Select + Create policy.

3. Select Custom > Custom policy.

4. Name the policy and add a description.

5. Set the Admin units scope as desired.

6. On the Locations page, toggle the Instances location to on.

7. To select a specific app or instance, select Edit > Specific instances > + Include instances and then the instances (cloud apps) you want to include. If you don't select a instance, the policy will be scoped to all connected apps in your Microsoft Defender for Cloud Apps tenant.

8. Create rule with the desired settings. For more information on policy creation, see Create and Deploy data loss prevention policies.

   1. Under Actions select Restrict Third Party Apps and select any of the apps listed.

Note

When you create a DLP policy that is scoped to Instances, the same policy will be automatically created in Microsoft Defender for Cloud Apps.

See Also

• Create and Deploy data loss prevention policies
• Get started with the default DLP policy
• Create and Deploy data loss prevention policies