(78) Microsoft Purview Extensions

  • Writer: Mr B SOE way
  • Jun 13, 2023
  • 3 min read

Endpoint data loss prevention (endpoint DLP) extends the activity monitoring and protection capabilities of Microsoft Purview data loss prevention (DLP) to sensitive items that are on Windows 10/11 devices. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in activity explorer and you can enforce protective actions on those items via data loss prevention policies.


To use the Microsoft Purview Extension for Google Chrome or Mozilla Firefox, the device must first be onboarded into Endpoint DLP.


Licensing:

  • Microsoft 365 E5

  • Microsoft 365 A5 (EDU)

  • Microsoft 365 E5 compliance

  • Microsoft 365 A5 compliance

  • Microsoft 365 E5 information protection and governance

  • Microsoft 365 A5 information protection and governance

Permissions:

Data from Endpoint DLP can be viewed in Activity explorer. The seven roles that grant access to Activity explorer are:

  • Global admin

  • Compliance admin

  • Security admin

  • Compliance data admin

  • Global reader

  • Security reader

  • Reports reader

Roles and Role Groups:

There are also dedicated roles and role groups that can be used to fine-tune access control.

Roles:

  • Information Protection Admin

  • Information Protection Analyst

  • Information Protection Investigator

  • Information Protection Reader

Role Groups:

  • Information Protection

  • Information Protection Admins

  • Information Protection Analysts

  • Information Protection Investigators

  • Information Protection Readers

If your devices reach the internet through a proxy, see the Microsoft documentation on device proxy and internet connection settings for Information Protection.


Installation for a single self-hosted machine (Google Chrome):

2. Install the extension using the instructions on the Chrome Web Store page.


Installation for a single self-hosted machine (Mozilla Firefox):

1. Download the initial XPI file.

2. Locate the extension in your file explorer and drag the file into an open Mozilla Firefox window.

3. Confirm the installation.


Deploy using Microsoft Intune (Google):

2. Select Devices, then Windows, then Device Configuration.

3. Select Create Profile, then Windows 10 and later, then Settings Catalog.

4. Enter the following:

Name: Windows - Microsoft Purview Extension for Chrome


Select Add Setting and search for "Configure the list of force-installed apps and extensions". Tick that setting, set it to Enabled, and enter the following value (extension ID and update URL separated by a semicolon):


echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx

Deploy using Microsoft Intune (Mozilla Firefox):

2. Select Devices, then Windows, then Device Configuration.

3. Select Create Profile, then Windows 10 and later, then Templates, then Custom.

4. Enter the following:

Name: Windows - Microsoft Purview Extension for Mozilla Firefox


Enter the following for OMA-URI:

Name: PurviewExtensionFirefox

OMA-URI:

./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/ExtensionSettings


Data type: String

Value:

<enabled/><data id="ExtensionSettings" value='{ "microsoft.defender.browser_extension.native_message_host@microsoft.com": { "installation_mode": "force_installed", "install_url": "https://firefoxdlp.blob.core.windows.net/packages-prod/prod-1.1.0.210.xpi", "updates_disabled": false } }'/>

Use straight ASCII quotes throughout the value; curly quotes pasted from a word processor make the JSON invalid and the extension will silently not be installed.
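Before pasting the two policy payloads above into Intune it is worth validating them offline, since a malformed value fails silently on the device. The following checker is an added example, not code from the original post or from Microsoft; it parses the Chrome force-install entry and the Firefox ExtensionSettings OMA-URI value, and flags curly quotes, bad JSON, a non-HTTPS install URL, or an installation mode other than force_installed.

```python
import json
import re
import xml.etree.ElementTree as ET

# A Chrome force-install entry is "<extension id>;<update url>"; ids are 32 chars from a-p.
CHROME_ID_RE = re.compile(r"^[a-p]{32}$")
CHROME_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Quote characters editors substitute for straight quotes; they break the JSON on the device.
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"


def check_chrome_entry(entry: str) -> list:
    """Return the problems found in a Chrome ExtensionInstallForcelist entry."""
    if entry.count(";") != 1:
        return ["entry must be '<extension id>;<update url>'"]
    ext_id, update_url = entry.split(";")
    problems = []
    if not CHROME_ID_RE.match(ext_id):
        problems.append("extension id is not 32 characters from a-p")
    if update_url != CHROME_UPDATE_URL:
        problems.append("update url is not the Chrome Web Store update service")
    return problems


def check_firefox_value(oma_value: str) -> list:
    """Return the problems found in the Firefox ExtensionSettings OMA-URI value."""
    problems = []
    bad = sorted({c for c in oma_value if c in CURLY_QUOTES})
    if bad:
        problems.append("curly quotes present: " + " ".join(f"U+{ord(c):04X}" for c in bad))
    try:  # the value is two sibling elements, so wrap them in a root for parsing
        root = ET.fromstring("<r>" + oma_value + "</r>")
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.find("enabled") is None:
        problems.append("<enabled/> element missing")
    data = root.find("data")
    if data is None or data.get("id") != "ExtensionSettings":
        return problems + ['<data id="ExtensionSettings"> element missing']
    try:
        settings = json.loads(data.get("value", ""))
    except json.JSONDecodeError as exc:
        return problems + [f"value attribute is not valid JSON: {exc.msg}"]
    if not isinstance(settings, dict):
        return problems + ["value must be a JSON object keyed by extension id"]
    for ext_id, cfg in settings.items():
        if cfg.get("installation_mode") != "force_installed":
            problems.append(f"{ext_id}: installation_mode is not force_installed")
        if not str(cfg.get("install_url", "")).startswith("https://"):
            problems.append(f"{ext_id}: install_url must be an https URL")
    return problems
```

An empty list means the payload is safe to paste; anything else names the field to fix.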


Testing the extensions:


  1. Sign in to the Microsoft Purview compliance portal at https://compliance.microsoft.com/

  2. Select Data loss prevention.

  3. Select Activity explorer.

  4. Select Filters.

  5. Activate the checkbox of Application from the right-side Filter pane and select Done.

  6. Select the Application: Any filter and tick the checkbox for chrome.exe.

  7. Review the Activity list to see the events related to the Chrome browser.


Upload to cloud service, or access by unallowed browsers (Cloud Egress):

  1. Create or obtain a sensitive item and try to upload it to one of your organization's restricted service domains. The sensitive data must match one of the built-in sensitive information types or one of your organization's custom sensitive information types. You should get a DLP toast notification on the device you are testing from showing that the action is not allowed while the file is open.

  2. Testing other scenarios:

    • Copy data from a sensitive item to another document using the Clipboard

      • To test, open a file that is protected against copy to clipboard actions in the browsers and attempt to copy data from the file.

      • Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.

    • Print a document

      • To test, open a file that is protected against print actions in the browsers and attempt to print the file.

      • Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.

    • Copy to USB Removable Media

      • To test, try to save the file to removable media storage.

      • Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.

    • Copy to Network Share

      • To test, try to save the file to a network share.

      • Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
