Use data loss prevention policies for non-Microsoft cloud apps

You can scope DLP policies to Instances to monitor, detect, and take actions when sensitive items are used and shared via non-Microsoft cloud apps.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Before you begin

SKU/subscriptions and licensing

Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.

For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.

Permissions

The user who creates the DLP policy should be a:

  • Global administrator
  • Compliance administrator: assign in Microsoft Entra ID
  • Compliance data administrator: assign in Microsoft Entra ID

Prepare your Defender for Cloud Apps environment

Before you configure DLP policies scoped to Instances, you must prepare your Defender for Cloud Apps environment. For instructions, see Quickstart: Get started with Microsoft Defender for Cloud Apps.

Connect a non-Microsoft cloud app

To use a DLP policy that's scoped to a specific non-Microsoft cloud app, the app must be connected to Defender for Cloud Apps. For information, see:

After you connect your cloud apps to Defender for Cloud Apps, you can create DLP policies for them.

Create a DLP policy scoped to a non-Microsoft cloud app

Refer to Create and Deploy data loss prevention policies for the procedures to create a DLP policy. Keep these points in mind as you configure your policy:

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal.

  2. Open Data loss prevention > Policies > + Create policy.

  3. Select Custom > Custom policy.

  4. Name the policy and add a description.

  5. Set the Admin units scope as desired.

  6. On the Locations page, toggle the Instances location to on.

  7. To select a specific app or instance, select Edit > Specific instances > + Include instances and then the instances (cloud apps) you want to include. If you don't select a instance, the policy will be scoped to all connected apps in your Microsoft Defender for Cloud Apps tenant.

  8. Create rule with the desired settings. For more information on policy creation, see Create and Deploy data loss prevention policies.

    1. Under Actions select Restrict Third Party Apps and select any of the apps listed.

Note

When you create a DLP policy that is scoped to Instances, the same policy will be automatically created in Microsoft Defender for Cloud Apps.

See Also