Microsoft Windows Bulletin Board

Endpoint Data Loss Prevention (Endpoint DLP) is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. Microsoft Endpoint DLP allows you to detect and protect sensitive content across onboarded Windows 10, Windows 11 and macOS devices. Learn more about all of Microsoft's DLP offerings.

Before you start setting up the storage, review Get started with collecting files that match data loss prevention policies from devices | Microsoft Learn to understand the licensing, permissions and device onboarding requirements.

Configure the Azure Blob Storage

You can follow these steps to create an Azure Blob Storage container using the Azure portal. For other methods, refer to Create a storage account - Azure Storage | Microsoft Learn.

  1. Sign in to your Azure portal and open this link to create a new blob storage account: https://portal.azure.com/#browse/Microsoft.Storage%2FStorageAccounts
  2. Click on + Create.
  3. On the Basics tab, provide the essential information for your storage account. After you complete the Basics tab, you can further customize the new storage account or accept the default options and proceed. Learn more about Azure storage account properties.
  4. Once you have provided all the information, click on the Networking tab. Under network access, select Enable public access from all networks while creating the storage account. This setting governs network reachability of the storage account only; access to the container is still authorized through the Microsoft Entra role assignments configured in the next section.
  5. Click on Review + create to validate and create the account. Azure validates the storage account settings you have chosen. If validation passes, you can proceed to create the storage account. If validation fails, the portal indicates which settings need to be modified.
  6. Click on Create to create the storage account.
  7. Wait for deployment of the resource to complete and then click on Go to resource.
  8. Once the new storage account is open, in the left panel click on Data Storage -> Containers.
  9. Click on + Containers. Provide the name and other details and then click on Create.
  10. Once your container has been created, click on it.

Assign relevant permissions to the storage blob

Once the container is created, you must configure two sets of permissions (role groups) on it using Microsoft Entra authorization:

  • One for the administrators and investigators, so they can view and manage evidence
  • One for the users whose devices need to upload items to Azure

Best practice is to enforce least privilege for all users, regardless of role: each user gets only the permissions necessary for their role, and nothing more. We will use the portal to create these custom roles. Learn more about custom roles in Azure RBAC.

  1. Open the container and in the left panel click on Access Control (IAM).
  2. Click on the Roles tab. It opens a list of all available roles. Open the context menu of the Owner role using the ellipsis button (…) and click on Clone.
  3. Now you can create a custom role. Click on Start from scratch. You have to create two new custom roles. For the role you are creating, enter basic details such as name and description, then click on the JSON tab.
  4. The JSON tab shows the details of the custom role, including the permissions added to it. For the cloned Owner role, the JSON tab shows the Owner role's permissions.

    Edit these permissions, replacing them with the permissions required for the role you are creating.
  5. Once you have created the two new roles, assign them to the relevant users. Click on the Role assignments tab, then on Add + and then on Add role assignment.
  6. Search for the role and click on it. Then click on the Members tab.
  7. Click on + Select Members. Add the users or user groups you want to assign to that role and click on Select.
  8. Investigator role – assign this role to users who are administrators and investigators, so they can view and manage evidence.
  9. User role – assign this role to users who are in scope of the DLP policy and from whose devices items will be uploaded to the storage.
  10. Once you have added the users, click on Review + assign to save the changes.
  11. Now you can add this storage to the DLP policy.
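The post's screenshots of the role JSON are not reproduced here, so the following Python is an added example (not code from the original post or from Microsoft) of what the two custom roles look like in the layout of the portal's JSON tab, together with a small least-privilege lint you can run before pasting a definition in. The container scope is a constructed placeholder, and the permission lists are this example's assumed minimal sets, not the lists from the post; confirm them against the Microsoft Learn article the post links to.

```python
"""Build and lint the two custom RBAC roles for the Endpoint DLP evidence container.

Added example, not code from the original post or from Microsoft. The scope is a
constructed placeholder and the permission lists are assumed minimal sets.
"""
import json
from typing import Dict, List, Sequence

# Constructed placeholder: the resource ID the portal fills into assignableScopes
# when you clone a role from the container's Access Control (IAM) blade.
CONTAINER_SCOPE = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-dlp-evidence"
    "/providers/Microsoft.Storage/storageAccounts/stdlpevidence"
    "/blobServices/default/containers/evidence"
)

# Azure RBAC operation prefixes: blob data plane and container control plane.
BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs"
CONTAINERS = "Microsoft.Storage/storageAccounts/blobServices/containers"


def portal_role(name: str, description: str, actions: Sequence[str],
                data_actions: Sequence[str], scope: str = CONTAINER_SCOPE) -> Dict:
    """Return a role definition in the layout of the portal's JSON tab."""
    return {
        "properties": {
            "roleName": name,
            "description": description,
            "assignableScopes": [scope],
            "permissions": [{
                "actions": list(actions),
                "notActions": [],
                "dataActions": list(data_actions),
                "notDataActions": [],
            }],
        }
    }


# The clone of the built-in Owner role: a wildcard over every control-plane
# action and no data actions. This is the starting point the post has you edit.
OWNER_CLONE = portal_role("Owner (clone)", "Starting point only; do not assign.",
                          actions=["*"], data_actions=[])

# Assumed minimal set for administrators and investigators: list the container,
# then read, write and delete the evidence blobs inside it.
INVESTIGATOR_ROLE = portal_role(
    "DLP Evidence Investigator",
    "View and manage evidence collected by Endpoint DLP.",
    actions=[f"{CONTAINERS}/read"],
    data_actions=[f"{BLOBS}/read", f"{BLOBS}/write", f"{BLOBS}/delete"],
)

# Assumed minimal set for users in scope of the policy: their devices only
# upload, so the role carries no read, list or delete on the evidence.
UPLOADER_ROLE = portal_role(
    "DLP Evidence Uploader",
    "Upload matched items from onboarded devices.",
    actions=[],
    data_actions=[f"{BLOBS}/write", f"{BLOBS}/add/action"],
)


def permissions(role: Dict) -> Dict[str, List[str]]:
    """Return the single permissions entry the portal emits."""
    return role["properties"]["permissions"][0]


def least_privilege_findings(role: Dict,
                             forbidden_data_actions: Sequence[str] = ()) -> List[str]:
    """Report wildcards and any data action the role must not carry."""
    findings: List[str] = []
    perms = permissions(role)
    for key in ("actions", "dataActions"):
        for op in perms[key]:
            if "*" in op:
                findings.append(f"{key}: wildcard '{op}'")
    for op in perms["dataActions"]:
        if op in forbidden_data_actions:
            findings.append(f"dataActions: '{op}' not needed for this role")
    return findings


def can_read_evidence(role: Dict) -> bool:
    """True if the role can read blob contents, directly or through a wildcard."""
    return any(op == f"{BLOBS}/read" or "*" in op
               for op in permissions(role)["dataActions"])


def render(role: Dict) -> str:
    """JSON text to paste into the portal's JSON tab."""
    return json.dumps(role, indent=4)


if __name__ == "__main__":
    for role in (INVESTIGATOR_ROLE, UPLOADER_ROLE):
        print(render(role))
```

Both custom roles carry only the data actions they need on the container's blobs: the uploader role has neither read nor delete, so an account used for upload cannot browse or remove evidence that other devices have uploaded. Keep in mind that `blobs/write` also permits overwriting an existing blob, which matters when you plan retention for the container.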

For more information on configuring blob access, see these articles:

  1. How to authorize access to blob data in the Azure portal
  2. Assign share-level permissions

Configure storage in your DLP policy

Once you have configured the required permissions on the Azure blob storage, add the storage to the DLP endpoint settings. Learn more about configuring DLP policy.

  1. Open the storage account you want to use. In the left panel click on Data Storage -> Containers. Then select the container you want to add to the DLP settings. Click on the context menu (… button) and then on Container Properties.
  2. Copy the URL.
  3. Open the Data Loss Prevention settings. Click on Endpoint settings and then on Setup evidence collection for file activities on devices. Select the Customer Managed Storage option and then click on Add Storage.
  4. Give the storage a name and paste the container URL you copied. Then click on Save.
  5. The storage is added to the list for use in the policy configuration. You can add up to 10 URLs.
  6. Now open the DLP endpoint policy configuration for which you want to collect the evidence. Configure your policy using these settings:
  7. Make sure that Devices is selected in the location.
  8. In Incident reports, toggle Send an alert to admins when a rule match occurs to On.
  9. In Incident reports, select Collect original file as evidence for all selected file activities on Endpoint.
  10. Select the storage account in which you want to collect the evidence for that rule using the dropdown menu. The dropdown menu shows the list of storages configured in the endpoint DLP settings.
  11. Select the activities for which you want to copy matched items to Azure storage.
  12. Save the changes.
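The container URL is the one value carried from Azure into the DLP settings, so it is worth validating before you save it. The following Python is an added example, not code from the original post: it checks that a pasted URL is an https container URL (not the storage account URL, not a blob path, and without a query string) and enforces the 10-storage limit the post states. The public-cloud blob host suffix and the account and container naming rules are assumptions based on Azure's documented naming limits, and the sample URLs are constructed.

```python
"""Validate evidence-container URLs before adding them to Endpoint DLP settings.

Added example, not code from the original post. The blob endpoint suffix assumes
the Azure public cloud; sovereign clouds use different suffixes.
"""
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit

BLOB_HOST_SUFFIX = ".blob.core.windows.net"   # assumption: public cloud endpoint
MAX_STORAGES = 10                              # limit stated in the post
ACCOUNT_RE = re.compile(r"[a-z0-9]{3,24}")                  # Azure account naming rule
CONTAINER_RE = re.compile(r"[a-z0-9](?:-?[a-z0-9]){2,62}")  # 3-63 chars, no "--"


def parse_container_url(url: str) -> Tuple[str, str]:
    """Return (storage_account, container) or raise ValueError with the reason."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("container URL must use https")
    if parts.query or parts.fragment:
        # Access is authorized through the Entra role assignments, so a SAS
        # token or any other query string does not belong in the stored URL.
        raise ValueError("container URL must not carry a query string or fragment")
    host = parts.hostname or ""
    account = host[: -len(BLOB_HOST_SUFFIX)] if host.endswith(BLOB_HOST_SUFFIX) else ""
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError(f"host must be <account>{BLOB_HOST_SUFFIX}")
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        raise ValueError("this is the storage account URL; copy the container URL instead")
    if len(segments) > 1:
        raise ValueError("this points at a blob or folder; copy the container URL instead")
    if not CONTAINER_RE.fullmatch(segments[0]):
        raise ValueError(f"'{segments[0]}' is not a valid container name")
    return account, segments[0]


def rejection_reason(url: str) -> str:
    """Empty string if the URL is acceptable, otherwise the reason it was rejected."""
    try:
        parse_container_url(url)
    except ValueError as exc:
        return str(exc)
    return ""


class EvidenceStorages:
    """The customer-managed storage list kept in Endpoint DLP settings."""

    def __init__(self) -> None:
        self._urls: Dict[str, str] = {}

    def can_add(self) -> bool:
        return len(self._urls) < MAX_STORAGES

    def add(self, name: str, url: str) -> str:
        """Validate, normalize and store a container URL under a unique name."""
        if not self.can_add():
            raise ValueError(f"at most {MAX_STORAGES} storages can be added")
        if name in self._urls:
            raise ValueError(f"storage name '{name}' already exists")
        account, container = parse_container_url(url)
        self._urls[name] = f"https://{account}{BLOB_HOST_SUFFIX}/{container}"
        return self._urls[name]

    def __len__(self) -> int:
        return len(self._urls)


if __name__ == "__main__":
    # Constructed sample URLs: only the first one is a valid container URL.
    for sample in (
        "https://stdlpevidence.blob.core.windows.net/evidence",
        "https://stdlpevidence.blob.core.windows.net/",
        "https://stdlpevidence.blob.core.windows.net/evidence/report.docx",
        "https://stdlpevidence.blob.core.windows.net/evidence?sv=2024-05-04",
    ):
        print(sample, "->", rejection_reason(sample) or "OK")
```

The most common mistake this catches is copying the storage account URL (no path) or a blob URL instead of the container URL from Container Properties; the query-string check also keeps a pasted SAS token out of the settings, since the post's design authorizes access through Microsoft Entra role assignments rather than shared tokens.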

Please reach out to the support team if you face any issues. We hope this guide is helpful and we look forward to your feedback.

Thank you,

Microsoft Purview Data Loss Prevention Team
