Learn about the data loss prevention on-premises repositories
When you select the On-premises repositories location, Microsoft Purview Data Loss Prevention (DLP) can enforce protective actions on on-premises data at rest in file shares and SharePoint document libraries and folders. This gives you the visibility and control you need to ensure that sensitive items are used and protected properly, and to help prevent risky behavior that might compromise them. DLP detects sensitive information by using built-in or custom sensitive information types, sensitivity labels, or file properties. What users are doing with sensitive items is made visible in activity explorer, and you can enforce protective actions on those items via DLP policies.
DLP relies on Microsoft Purview Information Protection scanner
DLP relies on a full implementation of the Microsoft Purview Information Protection scanner to monitor, label, and protect sensitive items. If you haven't implemented the Information Protection scanner, you must do so before you can use DLP for on-premises repositories. For more information, read these articles:
- What is Azure Information Protection
- Learn about the information protection scanner
- Get started with the information protection scanner
- Configuring and installing the information protection scanner
- Microsoft Purview Information Protection client - Release management and supportability
DLP On-premises repository actions
DLP detects files in on-premises repositories by looking for the following:
- sensitive information types
- sensitivity labels
- file extension
- custom document properties on Office files only
When a detected file poses a compliance policy violation or potential risk if leaked, DLP can take one of the following four actions.
Action | Description |
---|---|
Block people from accessing file stored in on-premises scanner - Block everyone | When enforced, this action blocks access to all accounts except the content owner, the account that last modified the item, and the administrator. It does this by removing all accounts from NTFS/SharePoint permissions at the file level except for the file owner, repository owner (set in the Use a DLP policy setting in the content scan job), last modifier (can be identified in SharePoint only), and admin. The scanner account is also granted Full Control (FC) rights on the file. |
Block only people who have access to your on-premises network and users in your organization who weren't granted explicit access to the files from accessing file | When enforced, this action removes the Everyone, NT AUTHORITY\authenticated users, and Domain Users SIDs from the file access control list (ACL). Only users and groups that have been explicitly granted rights to the file or parent folder will be able to access the file. |
Set permissions on the file (permissions will be inherited from the parent folder) | When enforced, this action forces the file to inherit the permissions of its parent folder. By default, this action will only be enforced if the permissions on the parent folder are more restrictive than the permissions that are already on the file. For example, if the ACL on the file is set to allow only specific users and the parent folder is configured to allow the Domain Users group, the parent folder permissions wouldn't be inherited by the file. You can override this behavior by selecting the Inherit even if parent permissions are less restrictive option. |
Remove the file from improper location | When enforced, this action replaces the original file with a stub file with .txt extension and places a copy of the original file in a quarantine folder. |
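The following PowerShell is an added example, not part of this article and not the scanner's own code. It audits an NTFS file (or every file under a folder) for the three broad identities that the "block only people who have access to your on-premises network" action removes (Everyone, NT AUTHORITY\Authenticated Users, and Domain Users), and it emulates that action and the "inherit from the parent folder" action on a single file, so you can see what the resulting ACL looks like before you enable the DLP rule in a content scan job. The function names, the domain-SID-plus-RID-513 match used to recognize Domain Users, and the two-pass handling of inherited entries are this example's own choices. Run it with an account that can change the file's DACL, and try `-WhatIf` first.

```powershell
# Added example (not Microsoft scanner code): audit for, and emulate the removal of,
# the broad identities that the DLP on-premises action strips from a file's DACL.
# Function and parameter names below are this example's own choices.

# Well-known SIDs the action removes. Domain Users is domain-relative: <domain SID>-513.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'NT AUTHORITY\Authenticated Users'
}
$DomainUsersPattern = '^S-1-5-21-\d+-\d+-\d+-513$'

function Get-AceSid {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    try {
        $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        # Orphaned or untranslatable identity: return the raw value so it is not silently skipped
        $Ace.IdentityReference.Value
    }
}

function Test-BroadSid {
    param([string]$Sid)
    $BroadSids.ContainsKey($Sid) -or ($Sid -match $DomainUsersPattern)
}

function Get-BroadAccessEntries {
    # Lists the ACEs that the action would remove, with whether each one is inherited.
    param([Parameter(Mandatory)][string]$Path, [switch]$Recurse)
    $targets = if ($Recurse) { Get-ChildItem -LiteralPath $Path -File -Recurse }
               else          { Get-Item -LiteralPath $Path }
    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            $sid = Get-AceSid $ace
            if (Test-BroadSid $sid) {
                [pscustomobject]@{
                    File        = $item.FullName
                    Identity    = $ace.IdentityReference.Value
                    Sid         = $sid
                    Rights      = $ace.FileSystemRights
                    Type        = $ace.AccessControlType
                    IsInherited = $ace.IsInherited
                }
            }
        }
    }
}

function Remove-BroadAccessEntries {
    # Emulates the "block only people who have access to your on-premises network" action.
    # Inherited ACEs cannot be removed one at a time, so if any broad entry is inherited the
    # file's inheritance is broken first (inherited entries kept as explicit copies) and
    # persisted; the ACL is then re-read and the broad entries removed. Explicit grants to
    # named users and groups are left untouched.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $broad = @(Get-BroadAccessEntries -Path $Path)
    if (-not $broad) { return }
    $what = "Remove $($broad.Count) broad-access ACE(s): $($broad.Identity -join ', ')"
    if (-not $PSCmdlet.ShouldProcess($Path, $what)) { return }
    if ($broad.IsInherited -contains $true) {
        $acl = Get-Acl -LiteralPath $Path
        $acl.SetAccessRuleProtection($true, $true)   # protect DACL, preserve inherited as explicit
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access | Where-Object { Test-BroadSid (Get-AceSid $_) })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Enable-ParentInheritance {
    # Emulates "Set permissions on the file (inherited from the parent folder)" with the
    # "inherit even if parent permissions are less restrictive" option, i.e. without first
    # comparing the parent folder's permissions with the file's.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) { return }   # already inheriting from the parent
    $acl.SetAccessRuleProtection($false, $false)
    if ($PSCmdlet.ShouldProcess($Path, 'Re-enable inheritance from the parent folder')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Usage (paths are placeholders):
# Get-BroadAccessEntries -Path '\\fileserver\finance' -Recurse | Format-Table
# Remove-BroadAccessEntries -Path '\\fileserver\finance\payroll.xlsx' -WhatIf
# Enable-ParentInheritance  -Path '\\fileserver\finance\payroll.xlsx' -WhatIf
```

Run `Get-BroadAccessEntries -Recurse` against a repository before enabling the rule: files whose only grants are Everyone, Authenticated Users, or Domain Users will be reachable by nobody except the owner and administrators once the action fires, which is usually the intended outcome but worth confirming with the share owner first.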
What's different in the on-premises scanner
There are a few extra concepts that you need to be aware of before you dig into the on-premises scanner.
Scanner repositories and content scan jobs
You must create a content scan job for the information protection scanner and identify the repositories that host the files that you want DLP to evaluate. Make sure you enable DLP rules in the content scan job you created.
Policy tips
Policy tips aren't available in the on-premises scanner.
Viewing DLP on-premises scanner events
You view DLP data in the Microsoft Purview compliance portal activity explorer.
Next steps
Now that you've learned about the Information Protection on-premises scanner, your next steps are: