
Purview DLP - Endpoint

  • Writer: Bjørnar Aassveen
  • Jun 5

🚀 Ready to secure your data?


By implementing DLP policies in Microsoft Purview, you are taking an important step towards better data protection and compliance. DLP in Microsoft Purview comes in many shapes and colors, as I have previously written about in Microsoft Purview Part 4: Data Loss Prevention (DLP) 🔓

See also DLP in Power Platform: Power Platform - DLP policies


In an era where data breaches and unauthorized sharing of sensitive information are a real threat, it’s more important than ever to have control over how data is handled – especially on devices.


According to Forrester’s Top Threats for 2025, insider threats are one of the most critical threats organizations face this year. The report notes that economic uncertainty, mass layoffs, and the increased use of generative AI have increased the risk that employees – whether consciously or unconsciously – pose a security threat. Forrester’s Top Threats For 2025


In this guide, I'll show you how to use Microsoft Purview to set up a DLP policy that automatically blocks the printing, uploading, and exporting of documents marked "Protected" and "Strictly Protected." This is an effective measure to ensure that sensitive information doesn't leave your organization inappropriately.




🛡️ Guide: How to set up a DLP policy in Microsoft Purview for sensitive content


🎯 Target

Block the following actions on devices:

  • Printing

  • Copy to clipboard

  • Exporting (e.g. saving to USB)




1. Go to the Microsoft Purview portal

Log in to the Microsoft Purview compliance portal.

Navigate to Data loss prevention > Policies.



2. Create a new policy

Click + Create policy.

Select Custom policy and give it a name, e.g. Endpoint DLP



3. Choose where the policy should apply

Select Devices as the location.

You can also include Exchange, SharePoint, Teams, etc., if desired.





4. Define the policy content

Under Rules, click Create rule.

Give the rule a name, e.g.: DLP - Sensitive information - Don't take it out of the house!


🎯 Conditions:

Content contains > Sensitivity labels:

Select "Protected" and "Strictly Protected".


🚫 Actions:

Under Actions, select:

Block with override or Block for:

Copy to clipboard

Copying to USB/removable media






5. User Experience and Notifications

Choose whether users should see a policy tip message.

You can also enable notifications to administrators for policy violations.





6. Test and deploy

Start with Test mode with notifications to see how the policy works without blocking.

Once you are satisfied, set the policy to Enforce.



7. Monitor and adjust

Go to Activity explorer to view policy events.

Adjust as needed to reduce false positives.
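
The same policy can be scripted with Security & Compliance PowerShell. The following is an added example, not part of the original walkthrough: it reuses the policy, rule and label names from the steps above, and it assumes that labels are referenced by their GUID in the rule condition and that the `Print`, `CopyPaste` and `RemovableMedia` restriction settings are available in your tenant.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module and a Purview role that is allowed to manage DLP policies.
Connect-IPPSSession

$policyName = 'Endpoint DLP'
$ruleName   = "DLP - Sensitive information - Don't take it out of the house!"

# Resolve the sensitivity labels first so a misspelled label name fails here
# instead of producing a rule that never matches.
# Assumption: the rule condition references labels by GUID.
$labels = foreach ($name in 'Protected', 'Strictly Protected') {
    $label = Get-Label | Where-Object DisplayName -eq $name | Select-Object -First 1
    if (-not $label) { throw "Sensitivity label '$name' not found" }
    @{ name = $label.Guid.ToString(); type = 'Sensitivity' }
}

# Steps 2, 3 and 6: policy scoped to Devices, created in test mode (nothing is blocked yet).
New-DlpCompliancePolicy -Name $policyName -EndpointDlpLocation All -Mode TestWithNotifications

# Step 4, conditions: content carries either of the two labels.
$condition = @{
    operator = 'And'
    groups   = @(@{ operator = 'Or'; name = 'Default'; labels = @($labels) })
}

# Step 4, actions: block the three device activities listed under Target.
$restrictions = @(
    @{ Setting = 'Print';          Value = 'Block' }
    @{ Setting = 'CopyPaste';      Value = 'Block' }
    @{ Setting = 'RemovableMedia'; Value = 'Block' }
)

# Step 5: Block/Warn restrictions must be paired with a user notification.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation $condition `
    -EndpointDlpRestrictions $restrictions `
    -NotifyUser LastModifier

# Confirm the policy has been distributed before relying on it.
Get-DlpCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Mode, DistributionStatus, DistributionResults

# Step 6: once the test-mode events in Activity explorer look right, enforce.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```
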



To verify that the device(s) have received the policy, go to Settings -> Device Onboarding -> Devices


Here you will see the "Policy sync status" for each device.



If you are an impatient soul, like me, it is worth noting that policy updates can take up to 2 hours.




Once the device has received the policy, it will look like this for the end user. Here you can also add links to, for example, internal policies, training, etc.




Back in Activity explorer, you can see in the logs that I tried to print a document classified as Protected, which was blocked by the DLP policy we created.





🧩 Summary

By combining Microsoft Purview Endpoint DLP with sensitivity labels and the rest of the Purview portfolio, you get a powerful and comprehensive solution to protect sensitive information – right down to the device level. This is especially important in the face of increasing insider risk, where both accidental mistakes and deliberate actions can lead to data leaks. With the right setup, you can ensure that information stays where it belongs – and that your organization is better equipped for the future.



Bjørnar&AI

 
 
 
