Announcing general availability of Microsoft 365 Endpoint DLP

Endpoint data loss prevention (DLP) for Microsoft 365 identifies sensitive information on endpoints and protects it from risky or inappropriate sharing, transfer, or use within applications and services that only exist on the endpoint, or originate from an endpoint, without the need to deploy any additional DLP software. To use this capability, you will need to onboard the endpoint in your environment using your established device management onboarding process.

This message is associated with Microsoft 365 Roadmap ID 68852

When this will happen

Rollout begins in mid-November and is expected to be complete by mid-December.

How this will affect your organization

Endpoint DLP allows you to extend the comprehensive Microsoft Information Protection (MIP) capability already available in Microsoft 365 apps, services, and third-party SaaS applications to the endpoint. Endpoint DLP is managed via the cloud and the Microsoft 365 compliance center.

Existing MIP policies can be deployed to Endpoint DLP without additional reconfiguration. Organizations that use the intuitive MIP interface to create custom sensitive content identifiers and policies can also deploy these to Endpoint DLP without any reconfiguration.

What you need to do to prepare

To use Endpoint DLP, organizations must create in MIP a policy that identifies sensitive data, assigns it a label, and defines the appropriate mode to monitor and restrict activities. Once created, the policy only needs to be activated on the endpoint using Microsoft 365 compliance center.

The Microsoft DLP solutions offer three different modes to monitor and restrict activities in each DLP policy to ensure the intended compliance objectives are achieved:

• Audit: Only records policy violation events without impacting end user activity
• Block: Records and blocks the activity without the ability to override
• Block with Override: Records and blocks the activity, but allows the user to override when they have a legitimate business need

Endpoint DLP can enforce policies for a broad range of activities unique to the endpoint including:

• Accessing a sensitive file by an unallowed app
• Copying a sensitive file to an external USB media device
• Copying a sensitive file to a network share
• Copying sensitive content to the clipboard
• Printing a sensitive file
• Uploading a sensitive file to a cloud service

To get started with Endpoint DLP, review documentation.

To enable the solution with one click, visit the device onboarding page in Microsoft 365 compliance center.