29 April 2025

🏭🗒️Microsoft Fabric: Data Loss Prevention (DLP) in Purview [Notes]

Disclaimer: This is work in progress intended to consolidate information from various sources for learning purposes. For the latest information please consult the documentation (see the links below)! 

Last updated: 10-Jun-2025

[Microsoft Purview] Data Loss Prevention (DLP)
  • {def} the practice of protecting sensitive data to reduce the risk from oversharing [2]
    • implemented by defining and applying DLP policies [2]
  • {benefit} helps to protect sensitive information with policies that automatically detect, monitor, and control the sharing or movement of sensitive data [1]
    • administrators can customize rules to block, restrict, or alert when sensitive data is transferred to prevent accidental or malicious data leaks [1]
  • {concept} DLP policies
    • allow monitoring the activities users take on sensitive items and then taking protective actions [2]
      • applies to sensitive items 
        • at rest
        • in transit [2]
        • in use [2]
      • created and maintained in the Microsoft Purview portal [2]
    • {scope} only supported for Power BI semantic models [1]
    • {action} show a pop-up policy tip to the user that warns that they might be trying to share a sensitive item inappropriately [2]
    • {action} block the sharing and, via a policy tip, allow the user to override the block and capture the user's justification [2]
    • {action} block the sharing without the override option [2]
    • {action} [data at rest] sensitive items can be locked and moved to a secure quarantine location [2]
    • {action} sensitive information won't be displayed
      • e.g. in Teams chat
  • DLP reports
    • provide data ranging from policy matches and actions to user activities [2]
      • used as a basis for tuning policies and triaging actions taken on sensitive items [2]
    • telemetry uses M365 audit logs and processes the data for the different reporting tools [2]
      • M365 provides visibility into risky user activities [2]
      • scans the audit logs for risky activities and runs them through a correlation engine to find activities that are occurring at a high volume [1]
        • no DLP policies are required [2]
  • {feature} detects sensitive items by using deep content analysis [2]
    • ⇐ not by just a simple text scan [2]
    • based on
      • keyword matching [2]
      • evaluation of regular expressions [2] 
      • internal function validation [2]
      • secondary data matches that are in proximity to the primary data match [2]
      • ML algorithms and other methods to detect content that matches DLP policies
    • all DLP monitored activities are recorded to the Microsoft 365 Audit log [2]
  • DLP lifecycle
    • {phase} plan for DLP
      • train and acclimate users to DLP practices on well-planned and tuned policies [2]
      • {recommendation} use policy tips to raise awareness with users before changing the policy status from simulation mode to more restrictive modes [2]
    • {phase} prepare for DLP
    • {phase} deploy policies in production
      • {action} define control objectives, and how they apply across workloads [2]
      • {action} draft a policy that embodies the objectives
      • {action} start with one workload at a time, or across all workloads - there's no impact yet
      • {feature} implement policies in simulation mode
        • {benefit} allows evaluating the impact of controls
          • the actions defined in a policy aren't applied yet
        • {benefit} allows monitoring the outcomes of the policy and fine-tuning it so that it meets the control objectives while ensuring it doesn't adversely or inadvertently impact valid user workflows and productivity [2]
          • e.g. adjusting the locations and people/places that are in or out of scope
          • e.g. tune the conditions used to determine whether an item, and what is being done with it, matches the policy
          • e.g. adjust the sensitive information definition(s)
          • e.g. add new controls
          • e.g. add new people
          • e.g. add new restricted apps
          • e.g. add new restricted sites
        • {step} enable the control and tune policies [2]
          • policies take effect about an hour after being turned on [2]
      • {action} create DLP policy 
      • {action} deploy DLP policy 
  • DLP alerts 
    • alerts generated when a user performs an action that meets the criteria of a DLP policy [2]
      • there are incident reports configured to generate alerts [2]
      • {limitation} available in the alerts dashboard for 30 days [2]
    • DLP posts the alert for investigation in the DLP Alerts dashboard
    • {tool} DLP Alerts dashboard 
      • allows viewing alerts, triaging them, setting investigation status, and tracking resolution
        • routed to the Microsoft Defender portal
        • {limitation} available for six months [2]
      • {constraint} administrative unit restricted admins see the DLP alerts for their administrative unit only [2]
  • {concept} egress activities (aka exfiltration)
    • {def} actions related to exiting or leaving a space, system or network [2]
  • {concept}[Microsoft Fabric] policy
    • when a DLP policy detects a supported item type containing sensitive information, the actions configured in the policy are triggered [3]
    • {feature} Activity explorer
      • allows viewing data from DLP for Fabric and Power BI
      • to access the data, the user's account must be a member of one of the following roles or higher [3]
        • Compliance administrator
        • Security administrator
        • Compliance data administrator
        • Global Administrator 
          • {warning} a highly privileged role that should only be used in scenarios where a lesser privileged role can't be used [3]
        • {recommendation} use a role with the fewest permissions [3]
    • {warning} DLP evaluation workloads impact capacity consumption [3]
    • {action} define policy
      • in the data loss prevention section of the Microsoft Purview portal [3]
      • allows specifying
        • conditions
          • e.g. sensitivity labels
        • sensitive info types that should be detected [3]
      • [semantic model] evaluated against DLP policies 
        • whenever one of the following events occurs:
          • publish
          • republish
          • on-demand refresh
          • scheduled refresh
        • the evaluation doesn't occur if either of the following is true
          • the initiator of the event is an account using service principal authentication [3]
          • the semantic model owner is a service principal [3]
      • [lakehouse] evaluated against DLP policies when the data within a lakehouse undergoes a change
        • e.g. getting new data, connecting a new source, adding or updating existing tables, etc. [3]
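
As an added example (not code from the page or from Microsoft), here is a small Python model of the detection pipeline the notes describe under "deep content analysis" (regex pattern, internal function validation, supporting keywords in proximity to the primary match) combined with the simulation-versus-enforce outcome from the lifecycle section. The sample text, keyword list, proximity window and confidence levels are assumptions; the real Purview sensitive information type engine is not reproduced here.

```python
import re
from dataclasses import dataclass

# Constructed sample text (assumption, not from the page); public test card numbers only.
SAMPLE = ("Customer credit card number: 4111 1111 1111 1111, "
          "ticket ref 4111 1111 1111 1112, invoice 2025-04-29.")
NO_KEYWORD = "Ref: 5500 0000 0000 0004"

# Primary evidence: regex for 13-16 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Secondary evidence: supporting keywords that must sit near the primary match.
KEYWORDS = ("credit card", "card number", "visa", "mastercard", "cc#")
PROXIMITY = 300          # characters on either side of the primary match (assumed window)
RANK = {"medium": 1, "high": 2}

def luhn_ok(digits: str) -> bool:
    """Internal function validation: Luhn mod-10 checksum of the digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Match:
    value: str
    confidence: str   # "high" with a nearby keyword, otherwise "medium"

def detect(text: str) -> list:
    """Regex hit -> checksum validation -> proximity keyword check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue                    # looks like a card number but fails validation
        window = text[max(0, m.start() - PROXIMITY):m.end() + PROXIMITY].lower()
        near_kw = any(k in window for k in KEYWORDS)
        found.append(Match(digits, "high" if near_kw else "medium"))
    return found

def evaluate(text: str, mode: str = "simulation", min_confidence: str = "high") -> str:
    """Policy outcome: simulation mode only records a match; enforce mode blocks."""
    hits = [h for h in detect(text) if RANK[h.confidence] >= RANK[min_confidence]]
    if not hits:
        return "no match"
    return "audit only" if mode == "simulation" else "block"
```

Lowering min_confidence to "medium" is the kind of tuning the simulation phase is meant to surface: it widens coverage but also pulls in matches with no supporting context.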

References:
[1] Microsoft Learn (2025) Learn about data loss prevention [link]
[2] Microsoft Learn (2024) Purview: Learn about data loss prevention [link]
[3] Microsoft Learn (2025) Get started with Data loss prevention policies for Fabric and Power BI [link]

Resources:
[R1] Microsoft Fabric Updates Blog (2024) Secure Your Data from Day One: Best Practices for Success with Purview Data Loss Prevention (DLP) Policies in Microsoft Fabric [link]

Acronyms:
DLP - Data Loss Prevention
M365 - Microsoft 365
