Create a DLP policy that uses device scoping

This scenario shows how to scope a Microsoft Purview Endpoint DLP policy to specific device groups. For example, you can enforce a policy only when Finance users access data from Windows devices while excluding macOS devices. Device groups are commonly defined using dynamic device groups in Microsoft Entra ID.

This scenario is for an unrestricted admin creating a full directory policy.

This scenario requires that you already have devices onboarded and reporting into activity explorer. If you haven't onboarded devices yet, see Get started with Endpoint data loss prevention.

Prerequisites and assumptions

This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview Data Loss Prevention (DLP) policy. Work through these scenarios in your test environment to familiarize yourself with the policy creation UI.

Important

This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.

How you deploy a policy is as important as policy design. Deploy a DLP policy shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.

You've created a dynamic device group.

Policy intent statement and mapping

An organization wants to enforce a DLP policy that blocks copying sensitive items with credit card data to USB devices when Finance users access data from Windows devices, and does not apply when the same users work from macOS devices.

Statement -> Configuration question answered and configuration mapping

"An organization wants to enforce a DLP policy that blocks copying sensitive items with credit card data to USB devices..."
  - Administrative scope: Full directory
  - Where to monitor: Devices only
  - Policy scope: All users/Finance Windows Devices group

"when Finance users access data from Windows devices..."
  - Condition: Content contains = Credit Card Number

"...and does not apply when the same users work from macOS devices..."
  - Action: Audit or restrict activities on devices
  - Activity type: File activities on all apps
  - Restriction model: Apply restrictions to specific activity
  - Copy to a removable USB device = Block

Create a device group

If you're unfamiliar with dynamic device groups, see:

To create the device group for this scenario:

  1. Create a new dynamic device group named Finance Windows Device for the Windows devices that the finance team uses.

Create a policy scoped to the dynamic device group

  1. Sign in to the Microsoft Purview portal > Data loss prevention > policies.

  2. Select Create policy.

  3. Select Enterprise applications & devices.

  4. Select Custom from Categories, then Custom policy template from Regulations. Select Next.

  5. Give your new policy a Name and Description.

  6. Accept the default Full directory under Admin units.

  7. Scope the location to only the Devices location.

  8. Select Edit on the Devices location.

  9. Accept the default All users, groups, and adaptive scopes.

  10. Select Specific devices and device groups and add the Finance Windows Device that you created.

  11. Create a rule with the following values:

    • Condition: Content contains = Sensitive Info types = Credit Card Number
    • Action: Audit or restrict activities on devices > File activities for all apps > Apply restrictions to specific activity > Copy to a removable USB device = Block.
  12. Select Save and then Next.

  13. Accept the default Run the policy in simulation mode value and choose Show policy tips while in simulation mode. Choose Next.

  14. Review your settings and choose Submit.

The new DLP policy appears in the policy list.
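The same scenario scripted with Microsoft Graph PowerShell (dynamic device group) and Security & Compliance PowerShell (policy and rule), as an added example that is not part of this article or Microsoft's own documentation. The membership rule, the "FIN-" device-name prefix and the policy and rule names are assumptions; scoping the Devices location to the device group (steps 8 to 10) is left to the portal, because no parameter for that is shown on this page.

```powershell
# Added example, not from the original article. Assumptions are marked inline.

# --- 1. Dynamic device group (Microsoft Graph PowerShell SDK) ---
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Assumption: Finance-owned Windows devices are named FIN-*. The OS type check
# keeps macOS devices out of the group, so the policy never applies to them.
$membershipRule = '(device.deviceOSType -eq "Windows") and (device.displayName -startsWith "FIN-")'

$group = New-MgGroup -DisplayName "Finance Windows Device" `
    -MailEnabled:$false -MailNickname "FinanceWindowsDevice" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $membershipRule -MembershipRuleProcessingState "On"

# Check the rule is being evaluated (membership fills in asynchronously).
Get-MgGroup -GroupId $group.Id | Format-List DisplayName, MembershipRule, MembershipRuleProcessingState

# --- 2. Endpoint DLP policy and rule (Security & Compliance PowerShell) ---
Connect-IPPSSession

# Devices-only location (step 7). TestWithNotifications keeps the policy out of
# enforcement and still shows policy tips, the PowerShell counterpart of
# step 13's simulation mode (assumed mapping).
New-DlpCompliancePolicy -Name "Finance Windows USB block" `
    -Comment "Blocks copying credit card data to removable USB on Finance Windows devices" `
    -EndpointDlpLocation "All" `
    -Mode TestWithNotifications

# Rule (step 11): content contains Credit Card Number -> copy to removable media = Block.
New-DlpComplianceRule -Name "Credit card to USB - Block" `
    -Policy "Finance Windows USB block" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -EndpointDlpRestrictions @{ Setting = "RemovableMedia"; Value = "Block" }

# Confirm the policy exists with the intended mode and location before scoping
# it to the Finance Windows Device group in the portal (steps 8 to 10).
Get-DlpCompliancePolicy -Identity "Finance Windows USB block" | Format-List Name, Mode, EndpointDlpLocation
Get-DlpComplianceRule -Policy "Finance Windows USB block" | Format-List Name, EndpointDlpRestrictions
```

Run the script with the Microsoft.Graph.Groups and ExchangeOnlineManagement modules installed; the two Connect cmdlets prompt interactively.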