This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview Data Loss Prevention (DLP) policy that helps protect against sharing of a defined set of unsupported files. Work through these scenarios in your test environment to familiarize yourself with the policy creation UI.
Important
This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.
How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.
Apply controls to some unsupported files
Note
Apply controls to some file types is in preview.
Use this configuration to apply Audit, Block with override, or Block controls to a list of file types only. For example, you can apply controls only to media files such as .mp3 audio files, which aren't on the list of file types that endpoint Data Loss Prevention monitors.
Important
This feature only supports the following action types:
- Upload to a restricted cloud service domain
- Copy to a removable USB device
- Copy to a network share
This configuration uses a combination of a File extension group and the Document could not be scanned condition. It doesn't use the File extension is condition. This configuration means that Microsoft Purview endpoint Data Loss Prevention (DLP) doesn't scan the content of the files that you include in the File extension group and you don't see values for Sensitive info type in events or alerts that are generated by policy matches.
Policy intent statement and mapping
We, Wingtip Toys, have a list of file types on devices that are NOT on the monitored files list and that we want to apply controls to. We know that they're not on the monitored files list for Endpoint DLP. We want to prevent users from copying those files to a USB device or to a network share. When they do try, we want to let them know, to educate them, that they're attempting a prohibited action.
Statement | Configuration question answered and configuration mapping |
---|---|
"We have a list of file types on devices that are NOT on the Monitored files list and that we want to apply controls to..." | - Administrative scope: Full directory - Where to monitor: Devices - Scope: All users, groups, devices, device groups |
"...file types on devices that are NOT on the Monitored files list and so aren't covered by Endpoint DLP scanning..." | - Conditions for a match: Document could not be scanned (used on its own; no other conditions) - Action: select Audit or restrict activities on devices - select Apply restrictions to only unsupported file extensions - select Add file extension group and choose the group you created |
"We know that they're not on the monitored files list for Endpoint DLP." | - Endpoint settings: create a File extension group that lists those extensions |
"...We want to prevent users from copying those files to a USB device or to a network share." | - Action: Audit or restrict activities on devices - clear Upload to a restricted cloud service domain or access from an unallowed browser - select Apply restrictions to specific activity - select Copy to a removable USB device > Block - select Copy to a network share > Block - clear Copy to clipboard, Print, Copy or move using unallowed Bluetooth app, Copy or move using RDP, and Access by restricted apps |
"When they do try, we want to let them know, to educate them, that they're attempting a prohibited action." | - Use notifications to inform your users and help educate them on the proper use of sensitive info: On - Endpoint devices > Show users a policy tip notification when an activity is restricted...: selected - Customize the notification: selected > Notification Title: Wingtip toys don't copy files > Notification Content: FYI, Wingtip Toy policy doesn't let you copy that type of file to USB device or a network share. - (Preview) You can also add hyperlinks in Endpoint policy tip notifications. |
Create a File extension group
- Sign in to the Microsoft Purview portal.
- Open Settings > Data Loss Prevention > Endpoint DLP settings > File extension groups.
- Select Create file extension group and enter a Group name. In this scenario, use Non-classified file extensions.
- Provide the extensions to include in the group (for example, mp3).
- Select Save.
- Close the item.
Configure policy actions
- Sign in to the Microsoft Purview portal.
- Open Data Loss Prevention > Policies.
- Select Create policy.
- Select Data stored in connected sources.
- Select Custom from the Categories then select Custom policy template from Regulations.
- Name your new policy and provide a description.
- Select Full directory under Admin units.
- Scope the location to Devices only.
- Create a rule where:
- In Conditions:
- Select Document could not be scanned.
- In Actions:
- Select: Audit or restrict activities on devices.
- Clear: Upload to a restricted cloud service domain or access from an unallowed browser.
- Select: Apply restrictions to specific activity.
- Clear: Copy to clipboard.
- Select: Copy to a removable USB device > Block.
- Select: Copy to a network share > Block.
- Clear: Print.
- Clear: Copy or move using unallowed Bluetooth app.
- Clear: Copy or move using RDP.
- Clear: Access by restricted apps.
- Select: Apply restrictions to only unsupported file extensions.
- Select: Add file extension group and select Non-classified file extensions.
- In User notifications:
- Set User notifications to On.
- Under Endpoint devices select Show users a policy tip notification when an activity is restricted....
- Select Customize the notification.
- Enter Wingtip toys don't copy files in the Notification Title.
- Enter FYI, Wingtip Toy policy doesn't let you copy that type of file to USB device or a network share in the Notification Content.
- Save.
- Choose Turn the policy on immediately. Choose Next.
- Review your settings and choose Submit.
Important
You can't use the Document could not be scanned condition with other conditions in this scenario.
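The same policy and rule can be created from Security & Compliance PowerShell, which is useful when you want the definition in source control or need to deploy it to several tenants. The following is an added example, not code from the article, and assumes the ExchangeOnlineManagement module is installed, that the Non-classified file extensions group was already created in the portal as shown above, and that the policy name is a placeholder. It also starts the policy in simulation mode and only switches to enforcement after you've reviewed the audit events, which is the deployment caution the article opens with. The PowerShell parameter that binds the rule to the file extension group (the portal's Apply restrictions to only unsupported file extensions > Add file extension group step) isn't shown here; treat that step as one you still complete in the portal.

```powershell
# Added example (not from the article): Wingtip Toys unsupported-file policy via PowerShell.
# Assumes: ExchangeOnlineManagement module installed; the "Non-classified file extensions"
# group already exists in Endpoint DLP settings; $policyName is a hypothetical placeholder.
Connect-IPPSSession          # Security & Compliance PowerShell (policy cmdlets)
Connect-ExchangeOnline       # Exchange Online PowerShell (Search-UnifiedAuditLog)

$policyName = 'Wingtip unsupported file controls'

# Create the policy scoped to Devices only, in simulation mode so nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks copying of unsupported file types to USB and network shares' `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# One rule: the "Document could not be scanned" condition on its own (no other conditions),
# blocking only the two activities the intent statement names. Activities not listed here
# (clipboard, print, Bluetooth, RDP, restricted apps) are left unrestricted, as in the portal steps.
New-DlpComplianceRule -Name "$policyName - block USB and network share" `
    -Policy $policyName `
    -DocumentIsUnsupported $true `
    -EndpointDlpRestrictions @(
        @{ Setting = 'RemovableMedia'; Value = 'Block' },
        @{ Setting = 'NetworkShare';   Value = 'Block' }
    ) `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "FYI, Wingtip Toy policy doesn't let you copy that type of file to USB device or a network share"

# Confirm the policy landed with the intended mode and location before anyone relies on it.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, EndpointDlpLocation

# Review what the rule would have blocked during the simulation period.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType DLPEndpoint -ResultSize 100 |
    Select-Object CreationDate, UserIds, Operations

# When the simulated matches are the ones you expect, enforce.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the rule to the single Document could not be scanned condition, as the note above requires; adding a sensitive info type or label condition alongside it defeats the purpose, because the files in the extension group are never content-scanned and so can never satisfy such a condition.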