Help prevent sharing via Microsoft Edge for Business to unmanaged AI apps from managed devices

Note

The features used in this scenario are in preview.

This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview data loss prevention (DLP) policy that helps prevent sharing sensitive information from a managed device to an AI app. Work through this scenario in your test environment to familiarize yourself with the policy creation UI.

Important

This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.

How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.

Block users from sharing sensitive information to unmanaged AI apps via Edge on managed devices

This scenario uses Edge as the control point to block the sharing of sensitive information to unmanaged AI apps, like OpenAI ChatGPT, DeepSeek, or Google Gemini. It requires that the devices are managed by Intune.

Policy intent statement and mapping

We need to block members of the finance team from sharing sensitive information to unmanaged AI apps via Edge. Other teams don't have access to this highly sensitive information, so the block only needs to apply to this team. When their text prompts contain information like the bank account numbers, routing numbers, or SWIFT codes of our international customers, the sharing is blocked. We also have to meet alerting requirements: we want to notify our security team with an email every time there's a match to the policy. Lastly, we want this to take effect as soon as possible after testing, and we need to be able to see related activity within the system.

Prerequisites

This procedure uses hypothetical distribution groups, one named Finance Team, and another group for the Security Team.

Important

Before you start this procedure, read Block Users From Sharing Sensitive Information to Unmanaged AI Apps Via Edge on Managed Devices (preview). It provides important information about the prerequisites and assumptions for this scenario.

Implementing browser DLP follows these phases:

  1. Create a browser DLP policy (the procedure in this article) in the Microsoft Purview Data Loss Prevention portal.
  2. In the Edge admin center, use the Edge Management Service to activate the DLP policy by deploying a block for accessing the apps in non-compliant browsers.

Important

The user must be in scope of both the DLP policy and the Edge configuration policy for the policy to apply to the user in Edge.

Statement / Configuration question answered and configuration mapping

Statement: We need to block members of the finance team from sharing sensitive information to unmanaged AI apps via Edge…
- Choose where to apply the policy: Data in browser activity
- Administrative scope: Full directory
- Where to apply the policy: OpenAI ChatGPT, Google Gemini, Microsoft Copilot, DeepSeek
- Action: Block

Statement: Other teams don't have access to this information, so the block only needs to apply to this team…
- Scope for each app: Specific users and groups > Include users and groups > Finance Team

Statement: When their text prompts contain information like bank account, routing, or the SWIFT numbers of our international customers, the sharing should be blocked.
- What to monitor: use the Custom policy template
- Conditions for a match: Content contains > Sensitive info types > ABA Routing Number, Australia Bank Account Number, Canada Bank Account Number, International Bank Account Number (IBAN), Israel Bank Account Number, Japan Bank Account Number, New Zealand Bank Account Number, SWIFT Code, U.S. Bank Account Number
- Action: Restrict browser and network activities > Text upload > Block

Statement: We also have to meet alerting requirements. We want to notify our security team with an email every time there's a match to the policy.
- Incident reports: Send an alert to admins when a rule match occurs: On
- Send email alerts to these people (optional): add the Security Team
- Send an alert every time an activity matches the rule: selected
- Use email incident reports to notify you when a policy match occurs: On
- Send notifications to these people: add individual admins as desired
- You can also include the following information in the report: select all options

Statement: Lastly, we want this to take effect as soon as possible after testing and need to be able to see related activity within the system.
- Policy mode: Run the policy in simulation mode (matched activity is visible while the policy runs in simulation; turn the policy on once testing is complete)
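Before you run the policy in simulation mode, you need test prompts that will actually match the conditions above. The built-in ABA Routing Number and IBAN sensitive information types validate a checksum, and the ABA and SWIFT types also look for a supporting keyword, so a prompt containing nine random digits is not a usable test case. The following Python script is an added example, not part of this article or of Microsoft Purview: it reimplements those checks in simplified form so you can predict which of your test prompts a simulation run should report. The regular expressions, keyword lists, and sample prompts are constructed for illustration and are not the Purview SIT definitions.

```python
"""Predict which test prompts the bank-account DLP rule will match.

Added example (not Microsoft's code). The checks below approximate the
built-in Purview sensitive information types used by the rule: ABA Routing
Number (9 digits, weighted checksum, supporting keyword nearby), IBAN
(ISO 13616 mod-97 checksum) and SWIFT Code (BIC format, supporting
keyword). Regexes, keyword lists and prompts are constructed for this
example and are not Purview's own definitions.
"""
import re

# Constructed patterns; Purview's real SIT patterns are broader.
ABA_RE = re.compile(r"\b(\d{9})\b")
IBAN_RE = re.compile(r"\b([A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30})\b")
SWIFT_RE = re.compile(r"\b([A-Z]{6}[A-Z0-9]{2}(?:[A-Z0-9]{3})?)\b")

# Assumed supporting keywords; the built-in ABA and SWIFT SITs need one nearby.
KEYWORDS = {
    "ABA Routing Number": ("routing", "aba", "rtn"),
    "SWIFT Code": ("swift", "bic"),
}


def aba_checksum_ok(routing: str) -> bool:
    """ABA routing number: weights 3,7,1 repeated; weighted sum must be 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def iban_checksum_ok(iban: str) -> bool:
    """IBAN mod-97: move the first four characters to the end, map A-Z to
    10-35, and the resulting integer must be congruent to 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]+", s):
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def _has_keyword(sit: str, prompt: str) -> bool:
    lowered = prompt.lower()
    return any(re.search(rf"\b{k}\b", lowered) for k in KEYWORDS[sit])


def classify(prompt: str) -> dict[str, list[str]]:
    """Return {SIT name: [matched values]} for one text prompt."""
    found: dict[str, list[str]] = {}

    aba = [m for m in ABA_RE.findall(prompt) if aba_checksum_ok(m)]
    if aba and _has_keyword("ABA Routing Number", prompt):
        found["ABA Routing Number"] = aba

    iban = [m.replace(" ", "") for m in IBAN_RE.findall(prompt) if iban_checksum_ok(m)]
    if iban:  # the IBAN SIT relies on the checksum alone
        found["International Bank Account Number (IBAN)"] = iban

    swift = SWIFT_RE.findall(prompt)
    if swift and _has_keyword("SWIFT Code", prompt):
        found["SWIFT Code"] = swift

    return found


def would_block(prompt: str) -> bool:
    """True if the rule's Content contains condition is expected to fire."""
    return bool(classify(prompt))


# Constructed test prompts with the outcome a simulation run should show.
SAMPLE_PROMPTS = [
    ("Draft the wire: routing 021000021, account 123456789012", True),   # valid ABA checksum + keyword
    ("Note the routing number 123456789 for later", False),             # 9 digits but checksum fails
    ("Reformat this IBAN: GB82 WEST 1234 5698 7654 32", True),           # valid IBAN, no keyword needed
    ("Customer BIC is DEUTDEFF500, IBAN follows", True),                 # SWIFT/BIC format + keyword
    ("Summarize the finance team's Q3 priorities", False),               # nothing sensitive
]


def run_samples() -> list[tuple[str, bool, bool]]:
    """Return (prompt, expected, predicted) for each sample prompt."""
    return [(p, expected, would_block(p)) for p, expected in SAMPLE_PROMPTS]


if __name__ == "__main__":
    for prompt, expected, predicted in run_samples():
        status = "OK " if expected == predicted else "BAD"
        print(f"{status} block={predicted!s:5} {classify(prompt)}  <- {prompt}")
```

Paste the prompts that the script predicts as True into the unmanaged AI app from a Finance Team member's managed device while the policy is in simulation, and compare against Activity explorer; a prompt that fails the checksum (the second sample) is the useful negative control, because it looks like a routing number to a human but should produce no match.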

Steps to create policy

  1. Sign in to the Microsoft Purview portal.
  2. Select Data loss prevention > Policies > + Create policy.
  3. Select Data in browser activity.
  4. Select Custom from the Categories list and then select Custom policy from the Regulations list.
  5. Choose Next.
  6. Enter a policy name and provide a description. You can use the policy intent statement here.

Important

You can't rename policies.

  7. Choose Next.

  8. Accept the default Full directory on the Assign admin units page.

  9. Choose Next.

  10. Select Edit in the Actions column next to the location, then select OpenAI ChatGPT, Google Gemini, Microsoft Copilot, and DeepSeek.

  11. Select Specific users and groups.

  12. Choose + Include and then Include groups.

  13. Select Finance Team.

  14. Select Done and then select Next.

  15. On the Define policy settings page, the Create or customize advanced DLP rules option should already be selected.

  16. Choose Next.

  17. On the Customize advanced DLP rules page, select + Create rule.

  18. Enter a name and description for the rule.

  19. Select Add condition and use these values:

    1. Select Content contains.
    2. Select Add > Sensitive information types > Sensitive info types > ABA Routing Number, Australia Bank Account Number, Canada Bank Account Number, International Bank Account Number (IBAN), Israel Bank Account Number, Japan Bank Account Number, New Zealand Bank Account Number, SWIFT Code, U.S. Bank Account Number.
  20. Select Add.

  21. Under Actions, add an action with these values:

    1. Restrict browser and network activities
    2. Text upload > Block
  22. Under Incident reports:

    1. Set Use this severity level in admin alerts and reports to Low.
    2. Set the toggle for Send an alert to admins when a rule match occurs to On.
    3. Under Send email alerts to these people (optional), select + Add or remove users and then add the email address of the Security Team.
  23. Select Save and then select Next.

  24. On the Policy mode page, select Run the policy in simulation mode.

  25. Select Next and then select Submit.

  26. Select Done.

  27. Sign in to the Microsoft 365 admin center.

  28. Select Edge.

  29. Create a configuration profile and apply it to the Finance Team group.

  30. Edit the configuration policy and apply the setting that blocks LLM apps in non-compliant browsers.

Important

The DLP policy isn't applied in Edge until both the DLP and Edge Management Service requirements are met.

Note

When a user attempts sharing by using Chrome, the user is blocked at the app level. Users are blocked at the device level from opening Firefox and other browsers, and from opening Chrome if the Microsoft Purview extension for Chrome isn't installed or is out of date.