This article walks you through the prerequisites and configuration steps for evidence collection for file activities on devices and introduces how to view the items that are copied and saved.
Tip
Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.
Here are the high level steps for configuring and using evidence collection for file activities on devices.
- Onboard devices
- Understand your requirements
- Create your managed Azure storage account
- Add an Azure storage blob to your account
- Enable and configure evidence collection on a storage account managed by Microsoft
- Configure your DLP policy
- View usage of Microsoft managed storage
Before you begin
Before you start these procedures, you should review Learn about evidence collection for file activities on devices.
Licensing and Subscriptions
For information on licensing, see
Microsoft Entra ID P1 or P2 is required to create custom role-based access control (RBAC) roles; see the prerequisites and licensing requirements for those plans.
Permissions
Standard Microsoft Purview Data Loss Prevention (DLP) permissions are required. For more information, see Permissions.
Permissions for preview or download of evidence
When you want to preview or download the evidence, the account used needs to be in these roles:
- Preview the evidence: Data Classification Content Viewer
- Download the evidence: Data Classification Content Download
The Data Classification Content Download role is preassigned to these built-in role groups:
- Data Security Management
- Information Protection
- Information Protection Investigators
If you need to manage users, roles and role groups, see Permissions in the Microsoft Purview portal.
Onboard devices
Before you can use evidence collection (copy matched items), you must onboard Windows 10/11 devices or macOS devices (preview) into Purview. See Onboard Windows devices into Microsoft 365 overview.
Understand your requirements
Important
Each container inherits the permissions of the storage account that it is in. You can't set different permissions per container. If you need to configure different permissions for different regions, you must create multiple storage accounts, not multiple containers.
You should have answers to the following questions before setting up your Azure storage and scoping the feature to users.
Do you need to compartmentalize items and access along role or departmental lines?
For example, if your organization wants to have one set of administrators or DLP event investigators who can view saved files from your senior leadership and another set of administrators or DLP event investigators for saved items from human resources, you should create one Azure storage account for your organization's senior leadership and another for the Human Resources department. This ensures that the Azure storage admins or DLP event investigators can only see the items that matched DLP policies from their respective groups.
Do you want to use containers to organize saved items?
You can create multiple evidence containers within the same storage account for sorting saved files. For example, one for files saved from the HR department and another for those from the IT department.
What is your strategy for protecting against saved item deletion or modification?
In Azure Storage, data protection refers to both the strategies for protecting the storage account and data within it from being deleted or modified and to restoring data after it's deleted or modified. Azure storage also offers options for disaster recovery, including multiple levels of redundancy, to protect your data from service outages due to hardware problems or natural disasters. It can also protect your data using customer-managed failover if the data center in the primary region becomes unavailable. For more information, see Data protection overview.
You can also configure immutability policies for your blob data, which protect the saved items from being overwritten or deleted. For more information, see Store business-critical blob data with immutable storage.
Supported file types for storing and previewing evidence
| Can be Stored | Can be Previewed | 
|---|---|
| All file types provided they match the policy | All file types supported for previewing files in OneDrive, SharePoint, and Teams | 
Note
To understand how to create policies for different file types, see Create and deploy DLP policies.
Save matched items to your preferred storage
To save the evidence that Microsoft Purview detects when your data loss prevention policies are applied, you need to set up storage. There are two ways to do this:
- Customer-managed storage: an Azure storage account and container that you create and manage
- Microsoft-managed storage: a storage account managed by Microsoft
For more information and a comparison of these two types of storage, see Storing evidence when sensitive information is detected.
Create customer-managed storage
The procedures for setting up your Azure storage account, container, and blobs are documented in the Azure document set. Here are links to relevant articles that can help you get started:
- Introduction to Azure Blob Storage
- Create a storage account
- Default to and authorize access to blobs using Microsoft Entra ID
- Manage blob containers using the Azure portal
- Manage block blobs with PowerShell
Note
Make sure to select Enable public access from all networks while creating the storage account. Virtual network rules, IP address rules, and private access aren't supported for evidence storage.
Be sure to save the name and URL of the Azure blob container. To view the URL, open the Azure storage portal > Home > Storage Accounts > Container > Properties
The format for the Azure blob container URL is: https://storageAccountName.blob.core.windows.net/containerName
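The container URL is typed into the Purview settings by hand, so a quick shape check before pasting avoids a silent misconfiguration. The following helper is an added example, not code from the article: it applies the URL format stated above plus Azure's documented naming rules for storage accounts (3 to 24 lowercase letters and digits) and containers (3 to 63 lowercase letters, digits and single hyphens, starting and ending alphanumeric), and rejects a URL that carries a query string, because access is granted through Microsoft Entra RBAC and a SAS token should never be embedded in the saved setting. The sample URLs in the usage are constructed.

```python
"""Validate an Azure blob container URL before it is pasted into the
Purview evidence storage settings.

Added example (not from the article). Applies the URL format the page
gives and Azure's published storage account / container naming rules.
"""
import re
from urllib.parse import urlparse

BLOB_HOST_SUFFIX = ".blob.core.windows.net"
# Storage account names: 3-24 lowercase letters and digits.
ACCOUNT_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")
# Container names: lowercase letters, digits and single hyphens,
# starting and ending with a letter or digit (length checked separately).
CONTAINER_NAME_RE = re.compile(r"^[a-z0-9](?:-?[a-z0-9])*$")


def parse_evidence_container_url(url):
    """Return (account_name, container_name) for an acceptable URL,
    or raise ValueError describing what is wrong with it."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("container URL must use https")
    host = parts.netloc.lower()
    if not host.endswith(BLOB_HOST_SUFFIX):
        raise ValueError(f"host must end with {BLOB_HOST_SUFFIX}")
    account = host[: -len(BLOB_HOST_SUFFIX)]
    if not ACCOUNT_NAME_RE.match(account):
        raise ValueError(f"invalid storage account name: {account!r}")
    if parts.query or parts.fragment:
        # Access is granted through Entra RBAC; a SAS token in the saved
        # URL would be a long-lived secret stored in configuration.
        raise ValueError("do not include a SAS token or query string in the URL")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 1:
        raise ValueError("URL must name exactly one container and nothing below it")
    container = segments[0]
    if not (3 <= len(container) <= 63) or not CONTAINER_NAME_RE.match(container):
        raise ValueError(f"invalid container name: {container!r}")
    return account, container


def check_evidence_container_url(url):
    """Return None if the URL is acceptable, otherwise the error message."""
    try:
        parse_evidence_container_url(url)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Constructed sample URLs, not values from the article.
    for sample in (
        "https://contosoevidence.blob.core.windows.net/dlp-evidence",
        "http://contosoevidence.blob.core.windows.net/dlp-evidence",
        "https://contosoevidence.blob.core.windows.net/dlp-evidence?sv=2024-01-01&sig=abc",
    ):
        print(sample, "->", check_evidence_container_url(sample) or "ok")
```

The check is deliberately strict about the host suffix because that is the format the article gives; if your tenant uses a different cloud endpoint, adjust BLOB_HOST_SUFFIX accordingly.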
Add an Azure storage blob to your account
There are several ways you can add an Azure storage blob to your account. Choose one of the methods below.
To add Azure blob storage from the Endpoint DLP settings page in the Microsoft Purview portal:
- Sign in to the Microsoft Purview portal and choose the Settings gear in the menu bar.
- Choose Data Loss Prevention.
- Select Endpoint DLP settings.
- Expand Setup evidence collection for file activities on devices.
- Change the toggle from Off to On.
- In the Set evidence cache on device field, select the amount of time evidence should be saved locally when the device is offline. You can choose 7, 30, or 60 days.
- Select a storage type (Customer managed store or Microsoft managed store):
  - For customer-managed storage: choose Customer managed store, choose + Add storage, give the account a name, enter the URL for the storage blob, and then choose Save.
  - For Microsoft-managed storage: choose Microsoft managed store.
To add Azure blob storage using the DLP policy creation workflow in the Microsoft Purview portal:
- Sign in to the Microsoft Purview portal and choose Data Loss Prevention.
- Follow the steps to create a new policy.
- At the Locations step, make sure that only the Devices location is selected, and then choose Next.
- At the Policy settings step, select Create or customize advanced DLP rules.
- Select +Create rule and add Conditions, Actions, User notifications and User overrides with values of your choosing.
- In the Incident reports section, the Send an alert to admins when a rule match occurs toggle should be On by default. (If it isn’t, turn it on.)
- Select the checkbox next to Collect original file as evidence for all selected file activities on Endpoint.
- Select the activities you want to collect evidence for.
- Select Add storage next to the checkbox item.
- On the Endpoint DLP settings page, expand Setup evidence collection for file activities on devices and make sure that the option is toggled to On.
Set permissions on the Azure blob storage
Using Microsoft Entra authorization, you must configure two sets of permissions (role groups) on the blobs:
- One for the administrators and investigators so they can view and manage evidence
- One for users who need to upload items to Azure from their devices
Best practice is to enforce least privilege for all users, regardless of role. By enforcing least privilege, you ensure that user permissions are limited to only those permissions necessary for their role. To configure user permissions, create roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview.
Permissions on Azure blob for administrators and investigators
Once you create the role group for DLP incident investigators, you must configure the permissions described in the Investigator actions and Investigator data actions sections that follow.
For more information on configuring blob access, see these articles:
Investigator actions
Configure these object and action permissions for the investigator role:
| Object | Permissions | 
|---|---|
| Microsoft.Storage/storageAccounts/blobServices | Read: List Blob Services | 
| Microsoft.Storage/storageAccounts/blobServices | Read: Get blob service properties or statistics | 
| Microsoft.Storage/storageAccounts/blobServices/containers | Read: Get blob container | 
| Microsoft.Storage/storageAccounts/blobServices/containers | Read: List of blob containers | 
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs | Read: Read blob | 
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Other: Generate a user delegation key | 
Investigator data actions
| Object | Permissions | 
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs | Read: Read Blob | 
Your JSON for the investigator role group should look like this:
```json
"permissions": [
  {
    "actions": [
      "Microsoft.Storage/storageAccounts/blobServices/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
      "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
    ],
    "notActions": [],
    "dataActions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    ],
    "notDataActions": []
  }
]
```
Permissions on Azure blob for users
Assign these object and action permissions to the Azure blob for the user role:
User actions
| Object | Permissions | 
|---|---|
| Microsoft.Storage/storageAccounts/blobServices | Read: List Blob Services | 
| Microsoft.Storage/storageAccounts/blobServices/containers | Read: Get blob container | 
| Microsoft.Storage/storageAccounts/blobServices/containers | Write: Put blob container | 
User data actions
| Object | Permissions | 
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs | Write: Write Blob | 
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs | Other: Add blob content | 
The JSON for the user role group should look like this:
```json
"permissions": [
  {
    "actions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/write",
      "Microsoft.Storage/storageAccounts/blobServices/read"
    ],
    "notActions": [],
    "dataActions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    ],
    "notDataActions": []
  }
]
```
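The two permission blocks above are only fragments; a custom role also needs a name, a description and an assignable scope before it can be created, and the intended separation of duties (investigators read evidence but cannot change it; device users write evidence but cannot read it back) is easy to lose when a role is later edited. The following script is an added example, not code from the article or from Microsoft: it wraps both permission sets from the page in the JSON shape the Azure portal's custom role editor uses (properties.roleName, properties.permissions) and audits them. The role names, descriptions and the assignable scope are assumed placeholders. The audit also flags wildcards and the Microsoft.Storage/storageAccounts/listKeys/action permission, because account keys bypass Entra RBAC entirely.

```python
"""Assemble the investigator and user custom roles from this page as full
role-definition documents and audit them for least privilege.

Added example, not part of the article. The permission lists are copied
from the page; role names, descriptions and the scope are placeholders.
"""
import json

# Assumed placeholder scope: the resource group holding the evidence account.
ASSIGNABLE_SCOPE = "/subscriptions/<subscription-id>/resourceGroups/<evidence-rg>"

# Investigator permissions as listed on the page: read-only on the blob
# service, containers and blob data, plus generating a user delegation key
# (needed to issue Entra-backed SAS for previewing a blob).
INVESTIGATOR_PERMISSIONS = {
    "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    ],
    "notActions": [],
    "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "notDataActions": [],
}

# User (uploader) permissions as listed on the page: devices can create
# containers and write/append blob content, but have no blob read action,
# so an endpoint cannot browse or pull back the evidence it uploaded.
USER_PERMISSIONS = {
    "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
    ],
    "notActions": [],
    "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    ],
    "notDataActions": [],
}


def build_role_definition(role_name, description, permissions, scope=ASSIGNABLE_SCOPE):
    """Wrap a permissions block in the JSON shape used by the Azure portal's
    custom role editor and the Azure RBAC REST API (properties.permissions)."""
    return {
        "properties": {
            "roleName": role_name,
            "description": description,
            "assignableScopes": [scope],
            "permissions": [permissions],
        }
    }


def audit_evidence_roles(investigator_role, user_role):
    """Return findings that break the intended separation of duties.
    An empty list means both roles still match the page's design."""
    findings = []
    inv = investigator_role["properties"]["permissions"][0]
    usr = user_role["properties"]["permissions"][0]

    # Investigators must be read-only on blob data: no write, delete or add.
    for action in inv["dataActions"]:
        if not action.endswith("/read"):
            findings.append(f"investigator role can modify evidence: {action}")

    # Uploaders must not be able to read or delete evidence blobs.
    for action in usr["dataActions"]:
        if action.endswith("/read") or action.endswith("/delete"):
            findings.append(f"user role can read or delete evidence: {action}")

    # Neither role may use wildcards or expose account keys; account keys
    # bypass Entra RBAC and would let the holder read every blob.
    for label, perms in (("investigator", inv), ("user", usr)):
        for action in perms["actions"] + perms["dataActions"]:
            if "*" in action:
                findings.append(f"{label} role uses a wildcard: {action}")
            if action.endswith("/listKeys/action"):
                findings.append(f"{label} role can list storage account keys")
    return findings


def evidence_roles():
    """Build both role definitions with assumed (placeholder) names."""
    investigator = build_role_definition(
        "DLP Evidence Investigator", "Read collected DLP evidence", INVESTIGATOR_PERMISSIONS)
    user = build_role_definition(
        "DLP Evidence Uploader", "Upload DLP evidence from devices", USER_PERMISSIONS)
    return investigator, user


if __name__ == "__main__":
    inv_role, usr_role = evidence_roles()
    print(json.dumps(inv_role, indent=2))
    print(json.dumps(usr_role, indent=2))
    print("findings:", audit_evidence_roles(inv_role, usr_role))
```

Run the audit again whenever either role definition is changed; a delete or read data action added to the uploader role, or any write action added to the investigator role, shows up as a finding.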
Enable and configure evidence collection on a storage account managed by Microsoft
To enable and configure evidence collection on a storage account managed by Microsoft from within the Microsoft Purview portal:
- Sign in to the Microsoft Purview portal > Settings gear in the menu bar.
- Choose Data Loss Prevention.
- Select Endpoint DLP settings.
- Expand Setup evidence collection for file activities on devices and set the toggle to On.
- Under Select storage type, choose Microsoft managed storage.
Configure your DLP Policy
Create a DLP policy as you normally would. For policy configuration examples, see Create and Deploy data loss prevention policies.
Configure your policy using these settings:
- Make sure that Devices is the only location selected.
- In Incident reports, toggle Send an alert to admins when a rule match occurs to On.
- In Incident reports, select Collect original file as evidence for all selected file activities on Endpoint.
- Select the storage account you want.
- Select the activities for which you want to copy matched items to Azure storage, such as:
- Access by restricted apps (preview)
- Paste to supported browsers
- Upload to cloud service domains or access unallowed browsers
- Copy to a removable USB device
- Copy to a network share
- Copy or move using an unallowed Bluetooth app
- Copy or move using RDP
 
View usage of Microsoft Managed Storage
You can view and export the daily usage for the past 6 months for Microsoft-managed storage.
- Sign in to the Microsoft Purview portal > Settings gear in the menu bar.
- Choose Data Loss Prevention.
- Select Endpoint DLP settings.
- Expand Setup evidence collection for file activities on devices.
- Select the View Usage button. A panel opens that shows a month-by-month graph of daily usage and lets you export the usage data.
Preview and Download the evidence
There are different ways to preview your evidence, depending on which type of storage you select.
| Storage Type | Preview options | 
|---|---|
| Customer-managed | Activity explorer, or the Microsoft Purview portal Alerts page | 
| Microsoft-managed | Activity explorer, or the Microsoft Purview portal Alerts page | 
Note
Reminder: the account you use to preview and download needs to be in these roles:
- Preview the evidence: Data Classification Content Viewer
- Download the evidence: Data Classification Content Download
Preview evidence via Activity explorer
- Sign in to the Microsoft Purview portal > Data loss prevention > Activity explorer.
- Using the Date dropdown, select the Start and End dates for the period you’re interested in.
- In the list of results, double-click the line item of the activity you want to investigate.
- In the flyout pane, the link to the Azure blob where the evidence is stored appears under Evidence file.
- Select the Azure blob storage link to display the file that was matched.
Preview evidence via the Purview portal Alerts page
- Sign in to the Microsoft Purview portal > Data loss prevention > Alerts.
- Using the Date dropdown, select the Start and End dates for the period you’re interested in.
- In the list of results, double-click the line item of the activity you want to investigate.
- In the flyout pane, select View details.
- Select the Events tab.
- In the Detail pane, select the Source tab. The file that was matched displays.
Note
If the file that was matched already exists in the Azure storage blob, it won't be uploaded again until changes are made to the file and a user takes an action on it.
Known Behaviors
- The maximum size for files that can be uploaded from a device is 500 MB.
- If Just-in-Time Protection is triggered on a scanned file, or if the file is stored on a network share, the evidence file is not collected.
- When multiple files are opened in the same process (non-Office apps) and one of the files matching a policy is egressed, DLP events are triggered for all of the files, and no evidence is captured.
- If multiple policy rules are detected in a single file, the evidence file is only stored if the most restrictive policy rule is configured to collect evidence.