Microsoft Purview Data Loss Prevention (DLP) monitoring and protection are built right into the Microsoft Edge for Business browser. You don't need to onboard the device into Microsoft Purview. This integration helps you stop users from sharing sensitive information to and from cloud apps by using Edge for Business.
Before you begin
If you're new to Microsoft Purview collection policies, Microsoft Purview pay-as-you-go billing models, or Microsoft Purview DLP, familiarize yourself with the information in these articles:
- Collection policies
- Learn about data loss prevention
- Learn about Microsoft Purview billing models
- Get started with activity explorer
Licensing
For information on licensing, see
Protecting data shared from a managed device to an unmanaged app in Edge for Business is a pay-as-you-go feature. For more information, see Learn more about pay-as-you-go capabilities and request definitions. For information on setting up the pay-as-you-go billing model, see Enable Microsoft Purview pay-as-you-go features for new customers.
Scenarios where data in Microsoft Entra-registered (managed) apps is protected while using Edge for Business are included in a Microsoft 365 E5 or equivalent license.
Permissions
Permissions to create and deploy Microsoft Purview DLP policies are found here.
You also need permissions for prerequisites and configurations outside of Microsoft Purview. For more information on required permissions, see Supported cloud apps.
Managed devices
You can protect Windows 10 and Windows 11 devices that are managed by Microsoft Intune. Users must sign in by using their work or school account.
On these devices, Edge for Business connects directly with Microsoft Purview and Microsoft Edge services to get policy updates and apply protections. Microsoft Edge configuration policies block users from using protected unmanaged cloud apps in unprotected browsers. If users try to access an unmanaged app in an unprotected browser, they're blocked and must use Edge for Business.
Microsoft Purview DLP policies can help prevent sharing via Edge for Business from managed devices to unmanaged AI apps.
Microsoft Purview collection policies can be applied to interactions with unmanaged AI apps from managed devices.
Unmanaged devices
Unmanaged devices aren't enrolled in Intune or joined to your organization through Microsoft Entra. Users don't sign in to the device with their work or school account. Instead, they sign in to their Edge for Business work profile to access organization-managed apps.
Edge for Business applies DLP policies for unmanaged devices only to the work profile. These policies don't apply when users choose a personal or InPrivate profile. When you target policies to managed apps on unmanaged devices, you must enforce the work profile in Edge for Business. Protections for unmanaged devices help prevent users from sharing sensitive information with cloud apps in Edge for Business.
Supported cloud apps
Microsoft Entra connected (managed) apps
Microsoft Entra connected (managed) apps are business apps set up for Microsoft Entra single sign-on (SSO). Policies apply when users access them by using their work or school account. Policies for managed apps in Edge for Business are supported on unmanaged devices and managed devices.
To activate policies that apply to managed apps, you need additional permissions for Conditional Access administration and Microsoft Defender for Edge In-Browser protection.
Unmanaged cloud apps
Your organization doesn't manage these apps. Users access them without signing in with their Microsoft work or school account. You can use policies for unmanaged cloud apps in Edge for Business on Intune-managed devices. The unmanaged cloud app DLP feature only applies to the consumer version of Microsoft 365 Copilot. For more information on the enterprise version and its available DLP features, see Learn more about Microsoft 365 Copilot Enterprise protections.
To create a DLP policy that helps protect against sharing from managed devices to unmanaged apps, you need additional permissions for Microsoft Intune administration and Microsoft Edge administration.
Browser policies in Edge for Business support these unmanaged apps:
- Adobe Firefly
- CapCut
- ChatGPT (consumer)
- Cohere
- DeepAI
- DeepL
- DeepSeek
- Google Gemini
- Grok (xAI)
- Meta AI
- Microsoft Copilot 365 Chat
- Notion AI
- Otter.ai
- Perplexity AI
- QwenAI
- Qwen Chat
- Runway
- Textcortex
- Textcortex Zenochat
- You (You.com)
- Zapier
Note
Some unmanaged AI apps like Runway and Meta AI might intermittently send content in encoded form to dynamically generated endpoints, which can impact policy enforcement.
Important
When multiple catalog entries exist for the same app with differences in the entry name (for example, QwenAI and Qwen Chat), include all entries for the app to avoid unintended coverage gaps. Policies only apply to the apps you specify.
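The note above is easy to get wrong in practice: an admin picks "QwenAI" and "Textcortex Zenochat", assumes the vendor is covered, and leaves "Qwen Chat" and "Textcortex" unprotected. The following script is an added example, not code from this page or from Microsoft Purview, that checks a proposed app selection against the catalog for exactly that kind of partial coverage. The catalog list is constructed from the entries shown on this page, and the grouping rule in `app_key` (first word of the name, lowercased, parentheticals and an "AI"/".ai" suffix stripped) is a heuristic of my own, not a Purview concept; treat anything it groups together as a prompt to check the real catalog, not as an authoritative match.

```python
import re
from collections import defaultdict

# Constructed from the supported-app list on this page; the live Purview catalog may differ.
CATALOG = [
    "Adobe Firefly", "CapCut", "ChatGPT (consumer)", "Cohere", "DeepAI", "DeepL",
    "DeepSeek", "Google Gemini", "Grok (xAI)", "Meta AI", "Microsoft Copilot 365 Chat",
    "Notion AI", "Otter.ai", "Perplexity AI", "QwenAI", "Qwen Chat", "Runway",
    "Textcortex", "Textcortex Zenochat", "You (You.com)", "Zapier",
]


def app_key(entry: str) -> str:
    """Heuristic grouping key (an assumption for this example, not a Purview field):
    lowercase the name, drop any parenthetical, keep the first word, strip a trailing
    'ai' or '.ai'. 'QwenAI' and 'Qwen Chat' both become 'qwen'."""
    name = re.sub(r"\(.*?\)", "", entry).strip().lower()
    first = name.split()[0]
    return re.sub(r"\.?ai$", "", first) or first


def find_coverage_gaps(catalog, selected):
    """Return (gaps, unknown).

    gaps maps a grouping key to {'included': [...], 'missing': [...]} for every app family
    that has more than one catalog entry where some, but not all, entries are selected.
    unknown lists selected names that are not catalog entries at all (typos, renamed apps),
    which a policy would silently ignore."""
    groups = defaultdict(list)
    for entry in catalog:
        groups[app_key(entry)].append(entry)

    selected_set = set(selected)
    unknown = sorted(selected_set - set(catalog))

    gaps = {}
    for key, entries in groups.items():
        included = [e for e in entries if e in selected_set]
        missing = [e for e in entries if e not in selected_set]
        if len(entries) > 1 and included and missing:
            gaps[key] = {"included": included, "missing": missing}
    return gaps, unknown


if __name__ == "__main__":
    # Constructed selection that looks complete but leaves two sibling entries out.
    proposed = ["QwenAI", "Textcortex Zenochat", "ChatGPT (consumer)", "Qwen"]
    gaps, unknown = find_coverage_gaps(CATALOG, proposed)
    for key, detail in sorted(gaps.items()):
        print(f"{key}: selected {detail['included']} but not {detail['missing']}")
    if unknown:
        print(f"not in catalog (would be ignored): {unknown}")
```

Run it before saving a policy and add every entry it reports as missing; a name in the "not in catalog" list means the policy would match nothing for that app, which is the same silent gap the note warns about.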
Supported browsers
DLP policies for cloud apps in the browser work directly in Edge for Business.
Edge for Business
These features are available in the two latest stable versions of Edge for Business, starting with version 144. For more information on Edge for Business versions, see Microsoft Edge Releases.
Important
Microsoft Purview browser data security policies don't apply to B2B guest users.
Tip
Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.
Activities you can monitor and take action on
You can audit and manage these activities on sensitive items in the browser:
| Activity | Device Type | App Type | Supported Policy Actions |
|---|---|---|---|
| Upload text | Managed | Unmanaged | allow, block, both actions audited |
| Upload file | Managed, Unmanaged | Managed, Unmanaged | allow, block, both actions audited |
| Download file | Managed, Unmanaged | Managed | allow, block, both actions audited |
| Cut/copy data | Managed, Unmanaged | Managed | allow, block, both actions audited |
| Paste data | Managed, Unmanaged | Managed | allow, block, both actions audited |
| Print data | Managed, Unmanaged | Managed | allow, block, both actions audited |
| Protected clipboard (Preview) | Managed, Unmanaged | Managed | See Microsoft Edge Protected Clipboard (preview) |
| Screen capture (Preview) | Managed, Unmanaged | Managed | See Microsoft Edge Protected Clipboard (preview) |
Important
Some activities have limitations:
- Cut/copy data, paste data, and print data activities can only be used with the managed or unmanaged devices condition.
- Download file activity isn't supported for apps that don't follow Microsoft Edge for Business's download pipeline.
Policies for managed app interactions
DLP policies that target managed apps in the browser apply to Edge for Business on Windows 10/11 and macOS desktop devices when the user signs in to their Edge for Business work profile.
Edge for Business automatically disables developer tools and blocks the apps from opening in native clients when policies apply to managed apps (in both audit and block modes).
To activate protections in the Edge for Business work profile for managed apps:
- Onboard apps to Conditional Access app control.
- Import user groups from connected apps.
- Set up a Microsoft Entra Conditional Access policy with custom session controls.
- Configure Edge for Business in-browser protection.
- Create a Microsoft Purview DLP policy that targets managed app interactions.
- (Optional) Activate protected clipboard and screen capture prevention capabilities in the Microsoft Admin Portal settings for Microsoft Edge.
For full implementation details, see Help Prevent Users from Sharing Sensitive Info with Cloud Apps in Edge for Business.
Important
Protections might not apply in Edge for Business to managed apps included in a Microsoft Purview browser policy if the user is in scope for both a Microsoft Purview managed cloud app DLP policy and a Microsoft Defender session policy or Microsoft Purview endpoint DLP policy. You must remove or exclude the users from the Microsoft Defender and the endpoint DLP policies for the managed cloud apps in Edge for Business policy to apply.
When you add users to policies for the first time, the policy might not be applied right away if they're already signed in to the app. The policy applies after their token expires and they sign in again. You can change the sign-in frequency by using conditional access session controls to shorten the wait time.
Some known limitations in Conditional Access app control can impact Microsoft Purview policies that target managed apps in the browser. For more information, see known limitations in Conditional Access app control.
Policies for unmanaged app interactions
DLP policies that target unmanaged apps in the browser apply to Microsoft Edge for Business on Windows 10 and Windows 11 desktop devices managed by Microsoft Intune. For setup details, see Help prevent sharing via Edge for Business to unmanaged AI apps from managed devices.
Activating a Purview DLP policy for unmanaged cloud apps automatically adds the included users to the required Microsoft Edge configuration policies. When the Purview DLP policy is set to block, those users are blocked from using unprotected browsers where the policy doesn't apply. The experience in Edge for Business isn't impacted. For more information, see activate your Microsoft Purview policy in Microsoft Edge.
Activating protections in Microsoft Edge for Business follows these phases:
- Create a Microsoft Purview DLP policy targeting unmanaged app interactions.
- Microsoft Edge management service automatically creates the configuration policies that activate DLP policies in Microsoft Edge for Business. The configuration policies use Microsoft Intune policies to activate your Microsoft Purview policies in Microsoft Edge for Business.
- Create a collection policy targeting unmanaged apps in the browser to identify additional sensitive data sharing that might be happening across your organization.
Important
If the automatic behaviors fail to sync, Microsoft Purview shows an error message and policies aren't applied in Microsoft Edge for Business. An admin with the required permissions must resync to resolve the error. For more information, see activate your Microsoft Purview policy in Microsoft Edge.
Default policies for unmanaged AI apps from Microsoft Data Security Posture Management for AI
Microsoft Purview Data Security Posture Management for AI (DSPM for AI) offers recommended policies to monitor and block supported unmanaged generative AI apps. Use one-click policies in DSPM for AI to apply them.
Accessing data from managed app interactions
You can view policy data and alerts in Defender XDR investigations.
Accessing data from unmanaged app interactions
You can view activities and audit log entries in activity explorer, audit logs, and Defender XDR investigations. In activity explorer, filter by enforcement plane set to browser. Data specific to AI apps is also visible in DSPM for AI.