Learn about Data Loss Prevention for Cloud Apps in Edge for Business

Microsoft Purview Data Loss Prevention (DLP) monitoring and protection are built right into the Microsoft Edge for Business browser. You don’t need to onboard the device into Microsoft Purview. This integration helps you stop users from sharing sensitive information to and from cloud apps using Edge.

Licensing requirements

To use this feature, you need one of these licenses:

  • Microsoft 365 E5/A5/G5, Microsoft 365 Business Premium
  • Office 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance

Important

Licensing and billing details for preview features may change.

Permissions

For the permissions required to create and deploy Purview DLP policies, see the Purview DLP permissions documentation.

Permissions are also required for prerequisites and configurations outside of Purview. For more information on required permissions, see Supported cloud apps.

Managed Devices

You can protect Windows 10/11 devices that are managed by Intune. Users must sign in with their work or school account.

On these devices, Edge connects directly with Microsoft Purview and Edge services to get policy updates and apply protections. Edge configuration policies prevent users from opening protected apps in other browsers: if a user tries to reach a protected unmanaged app from a browser other than Edge, the request is blocked and the user must switch to Microsoft Edge.

In preview, browser DLP can also help prevent sharing to unmanaged AI apps from managed devices. For details, see Help prevent sharing via Microsoft Edge for Business to unmanaged AI apps from managed devices.

Unmanaged devices

Unmanaged devices aren’t connected to Intune or joined to your organization using Microsoft Entra. Users don’t sign into the device with their work or school account. Instead, they sign into their Edge work profile to access organization managed apps.

Browser DLP policies for unmanaged devices only apply to the work profile in Edge. These policies don’t apply when users use a Personal or InPrivate profile.

For details on these protections, see Help Prevent Users from Sharing Sensitive Info with Cloud Apps in Edge for Business.

Supported cloud apps

Microsoft Entra Connected (Managed) Apps

Microsoft Entra connected (managed) apps are business apps set up for Microsoft Entra Single Sign-On (SSO). Policies apply when users access them with their work or school account.

For policies applying to managed apps, additional permissions are required for Conditional Access administration and Microsoft Defender for Edge In-Browser protection.

Unmanaged cloud Apps

These apps aren’t managed by your organization. Users access them without signing in with their Microsoft work or school account. Supported unmanaged cloud apps include:

  • OpenAI ChatGPT
  • Google Gemini
  • DeepSeek
  • Microsoft Copilot

Important

Unmanaged cloud app features only apply to the consumer version of Microsoft 365 Copilot. Learn more about Microsoft 365 Copilot Enterprise protections.

For policies applying to unmanaged apps on managed devices, additional permissions are also required for Microsoft Intune administration and Microsoft Edge administration.

Supported Browsers

DLP policies for cloud apps in the browser work directly in Microsoft Edge for Business.

Edge for Business

These features are available in the two latest stable versions of Edge, starting with version 138. For more information on the supported versions of Edge, see Microsoft Edge Releases.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Activities you can monitor and take action on

You can audit and manage these activities on sensitive items in the browser. For every activity, both the allow and the block outcome are audited:

Activity       | Device type         | App type   | Supported policy actions
Upload text    | Managed             | Unmanaged  | allow, block (both actions audited)
Upload file    | Managed, Unmanaged  | Managed    | allow, block (both actions audited)
Download file  | Managed, Unmanaged  | Managed    | allow, block (both actions audited)
Cut/copy data  | Managed, Unmanaged  | Managed    | allow, block (both actions audited)
Paste data     | Managed, Unmanaged  | Managed    | allow, block (both actions audited)
Print data     | Managed, Unmanaged  | Managed    | allow, block (both actions audited)

Policies for Managed App Interactions

DLP policies targeting managed apps in the browser apply on desktop devices running Microsoft Edge in Windows 10/11 and macOS.

Edge automatically disables developer tools and blocks the apps from being opened in native clients when policies apply to managed apps (in both audit and block modes).

To activate protections in Edge for managed apps, follow the steps in Help Prevent Users from Sharing Sensitive Info with Cloud Apps in Edge for Business.

Important

If a user is scoped in Purview DLP policies for managed cloud apps in Edge and Microsoft Defender session policies or Purview Endpoint DLP policies, protections might not apply in Edge from the Purview browser policy. Remove or exclude users from the other policies to allow the Purview policy for managed cloud apps in Edge to apply.

When you add users to policies for the first time, the policy might not be applied right away if they're already signed in to the app. The policy applies after their token expires and they sign in again. You can shorten the wait by lowering the sign-in frequency with Conditional Access session controls.
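The following is an added example, not code from the Microsoft Learn page: it uses the Microsoft Graph PowerShell SDK to create a report-only Conditional Access policy whose session control forces re-authentication every hour for a pilot group on the managed apps the DLP policy targets. The group ID and application IDs are placeholders; the policy is created in report-only state so you can confirm its impact in the sign-in logs before enforcing it.

```powershell
# Added example: shorten the sign-in frequency for users newly scoped into a browser DLP policy,
# so the Purview policy takes effect after the next sign-in instead of waiting for tokens to expire.
# Assumptions (placeholders, replace with your own values):
#   - the Microsoft.Graph PowerShell SDK is installed
#   - $pilotGroupId is the object ID of the group containing the users added to the DLP policy
#   - $managedAppIds lists the Entra application IDs of the SSO-connected apps the DLP policy targets
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$pilotGroupId  = "00000000-0000-0000-0000-000000000000"    # placeholder group object ID
$managedAppIds = @("11111111-1111-1111-1111-111111111111")  # placeholder application ID(s)

$policy = @{
    displayName = "Browser DLP pilot - 1 hour sign-in frequency"
    # Report-only first: review the outcome in sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = $managedAppIds }
        # Browser DLP only applies in Edge, so limit the control to browser sessions.
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            type               = "hours"
            value              = 1
            frequencyInterval  = "timeBased"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back to confirm the session control was stored as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.SessionControls.SignInFrequency | Format-List IsEnabled, Type, Value, FrequencyInterval
```

Keep the policy in report-only mode until the sign-in logs show it matching only the intended pilot users and apps; a one-hour frequency applied tenant-wide would prompt every user hourly.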

There are some known limitations in Conditional Access app control that can affect Purview policies targeting managed apps in the browser. For more information, see Known limitations in Conditional Access app control.

Policies for Unmanaged App Interactions

In preview, DLP policies targeting unmanaged apps in the browser can monitor and protect sensitive data shared from managed desktop devices in Edge on Windows 10/11.

To activate protections in Edge for unmanaged apps, follow the steps in Help prevent sharing via Microsoft Edge for Business to unmanaged AI apps from managed devices.

Default Policies for Unmanaged AI Apps from Microsoft Data Security Posture Management for AI

Microsoft Purview Data Security Posture Management for AI (DSPM for AI) offers recommended policies to monitor and block generative AI apps. Use one-click policies in DSPM for AI to apply them.

Accessing Data from Managed App Interactions

You can view policy data and alerts in Defender XDR investigations.

Accessing Data from Unmanaged App Interactions

You can view activities and audit log entries in activity explorer, audit logs, and Defender XDR investigations. In activity explorer, filter by enforcement plane set to browser. Data specific to AI apps is also visible in DSPM for AI.
