Microsoft Endpoint DLP Lightning-Round

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

Season’s greetings, my fellow IT Pros of the world!  


As you know, M365 is a set of services for business productivity, security and compliance.  Across those services, Microsoft has interwoven an information protection ‘platform,’ which is referred to as Microsoft Information Protection, or MIP. 


I was a bit confused when I first heard about MIP because it looks/sounds/reads/seems a lot like 'AIP' (Azure Information Protection).  My first thought was "Oh, we re-named AIP to MIP."  However, that's not right - AIP and MIP are two different types of things - but both are related to information protection.

  • AIP is a ‘thing.’  A product you can purchase, deploy and set up.  There is a Windows client, and the service has numerous capabilities to label and protect information.  You should be aware that AIP end of life is planned for March 2021.
  • MIP is not a thing - it's a collective set of information protection capabilities (including most of what AIP can do) across other things.  It’s not a product, per se.  There is a Windows client, but there are also capabilities built into the Office desktop/web/mobile apps, as well as the M365 services (think not only Exchange Online, SharePoint Online/OneDrive for Business but also Teams, PowerBI, MCAS, etc.).  Further, these MIP capabilities are ever-expanding - there are ideas afoot to extend this into Azure and even 3rd party services.


It is Thanksgiving here in the US and I spent some quality time in my lab over the holiday, going through an “end-to-end scenario” with a part of that MIP platform - our recently released Endpoint DLP.


I was moved by how cool this capability is, so I thought I’d share some screenshots/pictures of what moved me – some ‘moving pictures,’ if you will (a not-so-subtle reference to one of my favorite bands, Rush, their great album – Moving Pictures - and a sad nod to the departed drummer/lyricist Neil Peart).

  • Consider this post ‘inspirational’ … it is not intended to be all-inclusive of configuring EDLP.  Use the docs to perform all the steps.  For example, I don’t cover device on-boarding at all here – but it needs to be done.

Let’s roll …


Portal/service settings:

  • Select a Sensitive Information Type
    • From the Data Classification page in the M365 Compliance portal, select one of the built-in Sensitive Information Types (SIT) or create a ‘custom’ one to use for the DLP policy.  Here, I created one that has a keyword string of ‘Gizmo’.



  • Create a Sensitivity Label
    • From the Information Protection page in the M365 Compliance portal, I created a Sensitivity Label that automatically labels files and emails that have 3 or more instances of the “Gizmo” Sensitive Information Type.



  • Configure Endpoint DLP Settings
    • From the Data Loss Prevention page in the M365 Compliance portal, I selected the Endpoint DLP Settings tab and entered a few “service domains,” which I set to "Block."  This will block uploads from the Edge browser (which is enlightened for EDLP - another feature of Edge) to both G-Drive and OneDrive personal cloud services.
      • The keen eye will notice I also added Firefox as an ‘unallowed browser’ – this doesn’t block the use of the browser full-stop; rather, it only blocks labeled/sensitive files from being accessed from Firefox.



  • Create a DLP Policy
    • From the same Data Loss Prevention page in the M365 Compliance portal, on the Policies tab, I created a DLP Policy, scoped to “Devices,” that is triggered by the "Gizmo" Sensitivity Label.




  • The DLP Policy has the below restrictions defined and I also enabled “User notifications” (with custom text for the notification email subject/body) and “Incident reports” with admin email alerts:


Admin Recap

  • I created a custom Sensitive Information Type that is keyed on the text string ‘Gizmo’
  • I created a Sensitivity Label that looks for 3+ instances of that "Gizmo" Sensitive Info Type in a file or email and automatically applies that label to the file
  • I configured Endpoint DLP Settings to block un-managed browsers (Firefox in this case) and to restrict several activities, including: copy/paste, print, upload to specified blocked cloud services, and saving the file to a USB drive
  • I created a DLP Policy that applies to Devices and triggers on files or emails with the "Gizmo" Sensitivity Label
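The same admin configuration can be scripted, which makes it repeatable across tenants and reviewable in source control. The block below is an added example, not code from the original post or from Microsoft; it uses Security & Compliance PowerShell (the ExchangeOnlineManagement module) and assumes the custom "Gizmo" Sensitive Information Type and the "Gizmo" Sensitivity Label already exist, as in the portal steps above. The policy/rule names, the admin and alert mailboxes, and the service domains are constructed placeholders; the global-settings keys (`CloudAppMode`, `CloudAppRestrictionList`, `UnallowedBrowser`) and the label-condition syntax are my understanding of the cmdlet parameters and should be confirmed against the cmdlet help in your tenant.

```powershell
# Added example (not from the original post): scripting the Endpoint DLP
# configuration described above with Security & Compliance PowerShell.
# Assumes the "Gizmo" SIT and "Gizmo" Sensitivity Label already exist.
# Names, mailboxes and domains below are constructed placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # interactive sign-in

# 1. Endpoint DLP settings: block uploads to the listed service domains from Edge,
#    and treat Firefox as an unallowed browser (labeled/sensitive files only).
#    Setting names are an assumption; compare with (Get-PolicyConfig).EndpointDlpGlobalSettings.
Set-PolicyConfig -EndpointDlpGlobalSettings @(
    @{ Setting = 'CloudAppMode';            Value = 'Block' },
    @{ Setting = 'CloudAppRestrictionList'; Value = 'drive.google.com' },
    @{ Setting = 'CloudAppRestrictionList'; Value = 'onedrive.live.com' },
    @{ Setting = 'UnallowedBrowser';        Value = 'firefox.exe' }
)

# 2. DLP policy scoped to Devices only, enforced (not test) mode.
New-DlpCompliancePolicy -Name 'Gizmo Endpoint DLP' `
    -Comment 'Blocks egress of Gizmo-labeled files from onboarded Windows 10 devices' `
    -EndpointDlpLocation All `
    -Mode Enable

# 3. Rule: trigger on the "Gizmo" Sensitivity Label, block the four activities,
#    notify the user, and send an incident report to the admin mailbox.
New-DlpComplianceRule -Name 'Block Gizmo egress' -Policy 'Gizmo Endpoint DLP' `
    -ContentContainsSensitiveInformation @{
        operator = 'And'
        groups   = @(@{
            operator = 'Or'
            name     = 'Gizmo label'
            labels   = @(@{ name = 'Gizmo'; type = 'Sensitivity' })   # label condition (assumed syntax)
        })
    } `
    -EndpointDlpRestrictions @(
        @{ Setting = 'CopyPaste';        Value = 'Block' },   # clipboard out of process
        @{ Setting = 'Print';            Value = 'Block' },
        @{ Setting = 'CloudEgress';      Value = 'Block' },   # uploads to the blocked service domains
        @{ Setting = 'RemovableMedia';   Value = 'Block' },   # save to USB
        @{ Setting = 'UnallowedBrowser'; Value = 'Block' }    # access from Firefox
    ) `
    -NotifyUser 'Owner' `
    -NotifyEmailCustomText 'This file carries the Gizmo label and cannot leave a managed device.' `
    -NotifyPolicyTipCustomText 'Gizmo-labeled content is protected by Endpoint DLP.' `
    -GenerateIncidentReport 'dlp-alerts@contoso.example' `
    -IncidentReportContent 'All' `
    -ReportSeverityLevel 'High'

# 4. Read back what was created before pointing users at it.
Get-DlpCompliancePolicy -Identity 'Gizmo Endpoint DLP' | Format-List Name, Mode, EndpointDlpLocation
Get-DlpComplianceRule  -Policy   'Gizmo Endpoint DLP' | Format-List Name, EndpointDlpRestrictions
```

A practical rollout detail: start with `-Mode TestWithNotifications` rather than `Enable` so the rule logs matches and shows policy tips without blocking, then flip it to `Enable` once the incident reports show only the activity you expect.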

End-user Experience

What does this look like for an end user?  Let’s take a look…

  • First, the user creates and saves a Word doc with 3 (or more) instances of the ‘Gizmo’ text string.
    • Once the file is labeled (manually or, in the case of this specific Label, automatically), the Sensitivity Label settings apply to the file:
      • The yellow ‘Policy Tip’ banner informs the user
      • The visual markings apply to the file – a GIZMO! header and watermark
      • The status bar at the bottom shows the Label name – Gizmo in this case


  • Now, the user does a ‘Select all’ on the text and a Copy … at this point, the Copy action is NOT blocked.  This is because the EDLP system allows the content to be copied/pasted into another file within the same process (i.e. another Word file in this case).
    • However, the user then launches Notepad … at that point, the copy/clipboard action IS blocked – and a UI ‘toast’ is popped.  This prevents the content from being copied out of process (e.g. into PowerPoint, or Notepad in this case).


  • The user now tries to print the file … that, too, is met with a block and a Toast:


  • So, the user tries to upload to a personal G-Drive via Edge … Nope.


  • So, the user tries to upload to a personal OneDrive via Edge … Negatory.


  • Not easily deterred, the user tries to save the file to a USB stick … care to guess if it worked? 


  • Finally, our user tries to dodge the DLP rule by using Firefox to upload the content to G-Drive… “Would you like butter with that toast?”
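Each of those toasts is also recorded on the service side, which is what an admin (or a SIEM) reviews after the fact. The block below is an added example, not code from the original post or from Microsoft: it pulls Endpoint DLP activity out of the unified audit log and summarizes who tripped which control. It assumes `Connect-IPPSSession` has already been run and that audit log search is enabled; `DLPEndpoint` is the record type under which I understand endpoint DLP events are logged (if a search returns nothing, drop `-RecordType` and filter on the `RecordType` column instead). The function name and the `*Gizmo*` file filter are constructed for the example.

```powershell
# Added example (not from the original post): reviewing Endpoint DLP events from
# the unified audit log. Assumes an existing Connect-IPPSSession.
# "DLPEndpoint" as the record type is an assumption; verify in your tenant.

function Get-EndpointDlpActivity {
    param(
        [int]$DaysBack   = 7,
        [int]$MaxResults = 5000
    )
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$DaysBack) `
                                      -EndDate   (Get-Date) `
                                      -RecordType DLPEndpoint `
                                      -ResultSize $MaxResults
    foreach ($r in $records) {
        # AuditData is a JSON blob; Operation names the activity that was audited/blocked
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            File      = $d.ObjectId      # file path on the endpoint
            Workload  = $d.Workload
        }
    }
}

$events = Get-EndpointDlpActivity -DaysBack 3

# Who tripped which control, and how often (repeat offenders float to the top)
$events | Group-Object User, Operation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full timeline for the Gizmo document from the walkthrough
$events | Where-Object File -like '*Gizmo*' | Sort-Object Time | Format-Table -AutoSize
```

If the counts look wrong, check that the rule's incident report settings and the tenant's audit retention cover the window you queried; `Search-UnifiedAuditLog` only returns what the audit pipeline has ingested.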


A few FAQs:

  • “Does this only work on Windows?”
    1. Yes, today, this is only possible on Windows 10, but since this capability leverages aspects of the Microsoft Defender for Endpoint (MDE) client, which is cross-platform, other platforms are being explored (e.g. macOS).


  • “Do we need to be using Microsoft Defender for Endpoint for PC protection?  Today, we use a 3rd party product for endpoint protection.” 
    1. No, you don’t need to be running MDE actively on your endpoints to be able to use EDLP; you can on-board the devices into the EDLP service without on-boarding them into MDE.

So, there you have it folks … a quick run-through of Microsoft Endpoint DLP.


Hopefully, this post helped clarify the difference between AIP and MIP, illustrated how several components of the MIP platform can be combined to provide effective endpoint DLP controls - and I hope the pictures “moved” you enough to get you started with this in your environment.


Cheers and Happy Holidays!




