Purview endpoint DLP block file from copy directly from NAS to USB

Thanks, Venkat

Most of our company important data are stored on NAS, if this scenario can easily bypass the DLP policy, there will be no point to deploy.
is there any method we can restricted the where the file in Nas can copy to? for example, if we only allow file in Nas copy to C: drive, that can solve the issues. any possible way?

Thanks，

Jaden

HI, Venkat Reddy Navari

Thanks for the information, most of our sensitive files are stored on NAS, and we also wish to block file upload to online drive, such as drobox, i tested and it uploaded. if operate file directly on NAS can bypass the DLP policy, then it will be pointless to deploy the solution, is there another way we can consider?

Many thanks!

Jaden

Jaden Tang Thanks for the detailed follow-up, your concerns are completely valid, especially in environments where NAS storage is a central repository for sensitive data.

As mentioned earlier, this behavior is currently a known limitation of Microsoft Purview Endpoint DLP. The DLP agent only monitors file activity on local drives and supported cloud services (e.g., OneDrive, SharePoint). It does not have visibility into file operations conducted directly over the network, such as copying from a NAS to a USB or uploading to cloud storage when files are opened directly from a network share.

Because of this limitation, files accessed directly from a NAS bypass DLP inspection, and actions like copying to USB or uploading to third-party cloud services (e.g., Dropbox) are not blocked by DLP.

Suggested Approaches to Mitigate This:

1. Use Defender for Endpoint (MDE) or Intune for USB Control Enforce USB write restrictions at the device level, regardless of file source. This adds an effective layer of protection even when DLP doesn’t apply.
2. Apply Sensitivity Labels Earlier in the File Lifecycle Consider using Microsoft Purview Information Protection to apply sensitivity labels when files are first created or modified ideally before they’re saved to the NAS. These labels can trigger policy enforcement across platforms and help mitigate data exfiltration even outside monitored paths.
3. Limit Direct NAS Access Where possible, redesign workflows to avoid direct end-user access to NAS shares. For example:
   • Route access through managed applications or mapped drives via systems under DLP monitoring.
   • Implement access controls that restrict file movement from NAS shares to USB devices.
4. Combine with Firewall or Network-Level Controls Explore setting up firewall rules or network ACLs to limit where files from the NAS can be moved. While this isn’t a DLP function, it helps enforce containment based on location.
5. Reevaluate File Storage Strategy If security is a primary driver, consider gradually moving sensitive content to DLP-aware platforms (e.g., SharePoint Online, OneDrive for Business) where policies can be enforced consistently.

Hope this helps. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Thanks, Venkat Reddy Navari

one last question, sorry for the bothering, I tried one function called "Just in time protection" on purview setting->DLP setting, i find once i turn this on, the action of moving from from NAS to USB/Google Drive been blocked, however, it seems override the DLP policy itself, working differently?

do you think DLP+JIT together can somehow solve this issue? of if i map the nas via iSCSI?

Many thanks!