This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview data loss prevention (DLP) policy that helps prevent sharing sensitive information from organization managed devices to unmanaged AI apps in Microsoft Edge for Business. Work through this scenario in your test environment to familiarize yourself with the policy creation UI.
This scenario uses the Edge for Business browser as the control point to block the sharing of sensitive information with unmanaged AI apps. It requires that the devices are managed by Intune.
Important
This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.
How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.
Prerequisites and assumptions
This procedure uses two hypothetical distribution groups, one named Finance Team and another named Security Team.
Important
Before you start this procedure, read Learn about Data Loss Prevention for Cloud Apps in Edge for Business. It provides important information about the prerequisites and assumptions for this scenario.
Implementing DLP policies for unmanaged apps in the browser follows these phases:
- Create a DLP policy targeting unmanaged apps in the browser (the procedure in this article) in the Microsoft Purview Data Loss Prevention portal.
- The creation of the DLP policy triggers the Microsoft Edge management service to automatically create the required configuration policies to activate DLP policies in Edge for Business. The configuration policies use Microsoft Intune policies to fully activate your Microsoft Purview policies in Microsoft Edge.
- We recommend that you also create a collection policy targeting unmanaged apps in the browser to identify additional sensitive data sharing that might be happening across your organization.
Important
The user must be in scope of both the DLP policy and the Microsoft Edge configuration policy for the policy to apply to the user in Edge for Business.
Billing
This feature uses pay-as-you-go billing or per-user licensing for Microsoft Purview capabilities or both. To help you understand and manage your usage, Microsoft Purview provides a Usage center in the Microsoft Purview portal. For more information, see Manage pay-as-you-go and per-user licensing usage.
Policy intent statement and mapping
We need to block members of the finance team from sharing sensitive information to unmanaged AI apps in Edge for Business. Other teams don't have access to this highly sensitive information, so the block only needs to apply to this team. When their prompts contain information like bank account, routing, or the SWIFT numbers of our international customers, the sharing is blocked. We also have to meet alerting requirements. We want to notify our security team with an email every time there's a match to the policy. Lastly, we want this to take effect as soon as possible after testing and need to be able to see related activity within the system.
| Statement | Configuration question answered and configuration mapping |
|---|---|
| We need to block members of the finance team from sharing sensitive information to unmanaged AI apps via Edge… | - Choose where to apply the policy: Edge for Business - Administrative scope: Full directory - Where to apply the policy: Adaptive app scopes > All unmanaged AI apps |
| Other teams don't have access to this information, so the block only needs to apply to this team... | - Scope for each app: Include only specific users and groups - Add inclusions > Finance Team |
| When their text prompts contain information like bank account, routing, or the SWIFT numbers of our international customers, the sharing should be blocked. | What to monitor: - use the custom policy template - Conditions for a match: Content contains Sensitive info types > ABA Routing Number, Australia Bank Account Number, Canada Bank Account Number, International Bank Account Number (IBAN), Israel Bank Account Number, Japan Bank Account Number, New Zealand bank account number, SWIFT Code, U.S. Bank Account Number - Action: Restrict browser and network activities > Text upload > Block and File upload > Block |
| We also have to meet alerting requirements. We want to notify our security team with an email every time there's a match to the policy. | - Incident reports: Send an alert to admins when a rule match occurs - Send email alerts to these people (optional): add the Security Team - Send an alert every time an activity matches the rule: selected - Use email incident reports to notify you when a policy match occurs: On - Send notifications to these people: add individual admins as desired - You can also include the following information in the report: select all options |
| ...Lastly, we want this to take effect as soon as possible after testing and need to be able to see related activity within the system.... | Policy mode: Run the policy in simulation mode; turn the policy on after you've reviewed the simulation results |
Steps to create policy
- Sign in to the Microsoft Purview portal.
- Select Data loss prevention > Policies > + Create policy.
- Select Inline web traffic.
- Select Custom from the Categories list and then select Custom policy from the Regulations list.
- Choose Next.
- Enter a policy name and provide a description. You can use the policy intent statement here.
Important
You can't rename policies.
- Choose Next.
- Select + Add cloud apps > Adaptive app scopes
- Select All unmanaged AI apps > Add. Unmanaged apps in the Generative AI category are included in this scope.
Important
Some unmanaged AI apps aren't supported in Edge for Business. For more information, see Learn more about which apps are supported.
- Select Edit scope.
- Select Include only specific.
- Choose + Add inclusions.
- Select Finance Team.
- Select Add, then select Save and Close, and then select Next.
- On the Choose where to enforce the policy step, select Edge for Business.
- On the Define policy settings page, the Create or customize advanced DLP rules option should already be selected.
- Choose Next.
- On the Customize advanced DLP rules page, select + Create rule.
- Enter a name and description for the rule.
- Select Add condition and use these values:
  - Select Content contains.
  - Select Add > Sensitive information types > Sensitive info types > ABA Routing Number, Australia Bank Account Number, Canada Bank Account Number, International Bank Account Number (IBAN), Israel Bank Account Number, Japan Bank Account Number, New Zealand bank account number, SWIFT Code, U.S. Bank Account Number.
- Select Add.
- Under Actions, add an action with these values:
  - Restrict browser and network activities
  - Text sent to or shared with cloud or AI apps > Block
  - File uploaded to or shared with cloud or AI app > Block
- Under Incident reports, select:
  - Set Use this severity level in admin alerts and reports to Low.
  - Set the toggle for Send an alert to admins when a rule match occurs to On.
  - Under Send email alerts to these people (optional), select + Add or remove users and then add the email address of the security team.
- Select Save and then select Next.
- On the Policy mode page, select Run the policy in simulation mode.
- Select Next and then select Submit.
- Select Done.
The Microsoft Edge management service automatically creates the required configuration policies and required Microsoft Intune policies to activate your Microsoft Purview policies in Microsoft Edge. Additional permissions are required for Microsoft Intune administration and Microsoft Edge administration for this step.
Important
If the automatic sync fails, Microsoft Purview shows an error message and the policies aren't applied in Edge for Business. An admin with the required permissions must resync to resolve the error. For more information, see Activate your Microsoft Purview policy in Microsoft Edge.
Note
When the action of the policy is configured to Block, users are blocked at the device level from opening Firefox and other browsers. They're also blocked from opening Chrome if the Microsoft Purview extension for Chrome isn't installed or is out of date. In Chrome with the Microsoft Purview extension installed, access to a dynamic set of generative AI apps is blocked. For more information, see Activate your Microsoft Purview policies in Microsoft Edge.
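The portal steps above don't give you a way to confirm, before you leave simulation mode, that the sensitive info types you picked actually fire on the kind of prompt the finance team writes, or to see what the portal created on the back end. The following PowerShell script is an added example, not code from the article or from Microsoft; it uses Security & Compliance PowerShell (the ExchangeOnlineManagement module) to run the rule's sensitive info types against a constructed sample prompt, list the policy and rule the portal created, and show the single command that turns the policy on once the simulation results look right. The policy name, the sample prompt, and the exact output property names are assumptions; check them against your tenant.

```powershell
# Added example, not part of the article: validate detection and review the policy
# from Security & Compliance PowerShell before moving from simulation to enforcement.
# Assumes the ExchangeOnlineManagement module is installed and that you have the
# Purview permissions to read DLP policies. Substitute your own policy name.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$policyName = 'Block finance data to unmanaged AI apps'   # assumed name; use yours

# 1. Confirm the SIT names you selected exist, spelled exactly as the cmdlets expect.
#    The names below are the ones listed in the article; verify the IBAN entry in
#    particular, because display names vary slightly between portal and cmdlet.
$sitNames = @(
    'ABA Routing Number',
    'International Bank Account Number (IBAN)',
    'SWIFT Code',
    'U.S. Bank Account Number'
)
$known = Get-DlpSensitiveInformationType | Select-Object -ExpandProperty Name
$sitNames | Where-Object { $_ -notin $known } |
    ForEach-Object { Write-Warning "SIT name not found in tenant: $_" }

# 2. Run the SITs against a prompt shaped like the traffic you intend to block.
#    The prompt is constructed for this test. The IBAN and routing number are the
#    standard published documentation examples, chosen because they pass the
#    checksums the SITs validate; the words "IBAN", "SWIFT" and "routing number"
#    supply the supporting keywords that raise detection confidence.
$samplePrompt = @"
Draft a payment reminder for ACME GmbH. Their IBAN is GB82 WEST 1234 5698 7654 32,
SWIFT DEUTDEFF. Send the refund from our account, routing number 021000021.
"@

$result = Test-DataClassification -TextToClassify $samplePrompt -ClassificationNames $sitNames
# Property names are an assumption; if nothing prints, inspect with $result | Get-Member
$result.ClassificationResults |
    Select-Object ClassificationName, Count, Confidence |
    Format-Table -AutoSize

# 3. Review what the portal created: the policy (including its current Mode) and
#    the rule with its conditions, severity and alerting settings.
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, Enabled, WhenChanged

Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, Disabled, ReportSeverityLevel, GenerateAlert,
                  ContentContainsSensitiveInformation |
    Format-List

# 4. Once the simulation results in activity explorer look right, enforce the policy.
#    Mode values: Enable, TestWithNotifications, TestWithoutNotifications, Disable.
#    Left commented out so the script can't accidentally flip a policy to enforcement.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the user scoping in mind when you read the results: a match reported by Test-DataClassification tells you the content would be detected, but the block only applies to a user who is in scope of both the DLP policy and the Edge configuration policy, on an Intune-managed device.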
Steps to review outcomes of the policy in Microsoft Purview activity explorer
See Get started with activity explorer for instructions on how to monitor and view activities in activity explorer.
Steps to review outcomes of Microsoft Purview policy in Microsoft Defender
See Investigate and respond for instructions on how to investigate and respond using Microsoft Defender.