Deploying the Purview Browser Extension to Chrome and Firefox

 
 

Introduction


As organizations continue to adopt cloud-based applications and browser-driven workflows, a growing amount of sensitive data is being accessed, created, and shared directly through web browsers. While Microsoft Purview Data Loss Prevention (DLP) provides strong protection across Microsoft 365 services and endpoints, gaps can emerge when users interact with non-Microsoft or unmanaged web applications.
To address this, Microsoft introduced the Microsoft Purview Browser Extension, enabling organizations to extend DLP controls into browsers like Google Chrome and Mozilla Firefox. This integration allows organizations to monitor and restrict sensitive data interactions across web apps, including third-party SaaS platforms, directly within the browser experience.
By deploying the Purview Browser Extension alongside Microsoft Intune and Microsoft Defender for Endpoint, organizations can enforce DLP policies consistently across both managed and browser-based activities, reducing the risk of data exfiltration in an increasingly web-centric world.
At this time, only the following browsers are supported:
  • Microsoft Edge for Business (No extension required | Built-in)
  • Google Chrome (Requires extension)
  • Firefox (Requires extension)

Example Scenario: Preventing Sensitive Data Sharing in AI Tools & Services

A user in the HR department is working with a document containing employee records, including personally identifiable information (PII) such as addresses, salaries, and Social Security numbers. While researching a task, the user opens a public chatbot (ChatGPT) and copies a portion of the document to ask for help summarizing the data. By doing this, they paste sensitive employee information into the prompt.
With the Microsoft Purview Browser Extension deployed to Chrome or Firefox:
  • The extension monitors clipboard and browser input activity tied to DLP policies
  • As the user attempts to paste sensitive data into the web application, the system detects PII based on configured Sensitive Information Types (SITs)
  • The action is blocked or warned in real time, depending on policy configuration
  • A policy tip appears in the browser, educating the user that sharing this data externally is not permitted
  • The event is captured in Microsoft Purview, giving security teams visibility into risky user behavior within Activity Explorer or Data Security Posture Management for AI (DSPM)
This scenario highlights a common modern risk: not malicious intent, but accidental data exposure through everyday tools like AI assistants, web forms, or support portals.
By extending DLP controls into the browser, organizations can proactively prevent sensitive data from being shared outside approved boundaries, even during routine workflows.
Next, follow the steps outlined below to deploy the Purview Browser Extension using Microsoft Intune.

Chrome Installation

  1. Sign in to the Microsoft Intune admin center > Go to Devices > Configuration > Select Create New Policy > Select Windows 10 and later as the platform > Select Settings catalog as the profile type > Custom as the template name > Create
  2. Enter a name and optional description on the Basics tab and select Next
  3. Select "Add settings" on the Configuration settings tab
  4. Search for "Google" > Select Google Chrome Extensions > Select Configure the list of force-installed apps and extensions > Change the toggle to Enabled
  5. Enter the following value for the extensions and app IDs and update URL - these should be on separate lines: echcggldkblhodogklpincgchnpgcdco | https://clients2.google.com/service/update2/crx
  6. Select Next > Add or edit scope tags on the Scope tags tab as needed and select Next
  7. Add the required deployment users, devices, and groups on the Assignments tab and select Next
  8. Add applicability rules on the Applicability Rules tab as required and select Next > Create
The Chrome Extension policy has now been created.

Firefox Installation

Compared to Google Chrome, Firefox requires a different configuration to be deployed. Before adding the extension to the list of force-installed extensions, it's important to ingest the Firefox ADMX file.
Navigate to Firefox's official GitHub and download the policy_templates.zip file.
  • This will provide us with the required ADMX file.
Now that we have the file, we can continue by ingesting it within Intune.
  1. Sign in to the Microsoft Intune admin center > Go to Devices > Configuration > Select Create New Policy > Select Windows 10 and later as the platform > Select "Custom" > Create
  2. Enter a name and optional description on the Basics tab and select Next
  3. On the Configuration Settings page, click on Add next to OMA-URI Settings > Enter a Name and Description (optional) > Enter the following OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx > Data type: String > Value: Copy all of the text from the downloaded firefox.admx file into the Value field > Save & Create the Configuration Policy
Once the ADMX policy has been created, we can proceed with creating a deployment policy to push out the Extension to Firefox.
  1. Similar to the previous step, Go to Devices > Configuration > Select Create New Policy > Select Windows 10 and later as the platform > Select "Custom" > Create
  2. Enter a name and optional description on the Basics tab and select Next
  3. On the Configuration Settings page, click on Add next to OMA-URI Settings > Enter a Name and Description (optional) > Enter the following OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/ExtensionSettings > Data type: String > Value: <enabled/><data id="ExtensionSettings" value='{"microsoft.defender.browser_extension.native_message_host@microsoft.com":{"installation_mode": "force_installed", "install_url": "https://github.com/microsoft/purview/raw/main/endpointDLP/browser_extension/prod-1.1.0.212.xpi","updates_disabled":false}}'/>

    Note: It's critical that updates_disabled is set to false so that the extension can automatically update over time.
  4. Save & Create the Configuration Policy
With the policies now created, the browser extension will be automatically deployed to your onboarded devices in Intune.
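The ExtensionSettings value is JSON embedded in an XML attribute, which is easy to damage when it is pasted into the Intune Value field. The following pre-flight check is an added example, not part of the original guide or any Microsoft tooling; the function name lint_extension_settings is hypothetical, and PAGE_VALUE is the value copied from the ExtensionSettings step of this guide.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The OMA-URI value from the ExtensionSettings step of this guide.
PAGE_VALUE = (
    '<enabled/><data id="ExtensionSettings" value=\''
    '{"microsoft.defender.browser_extension.native_message_host@microsoft.com":'
    '{"installation_mode": "force_installed", "install_url": '
    '"https://github.com/microsoft/purview/raw/main/endpointDLP/'
    'browser_extension/prod-1.1.0.212.xpi","updates_disabled":false}}\'/>'
)


def lint_extension_settings(value):
    """Return a list of problems in an ExtensionSettings OMA-URI value (hypothetical helper)."""
    # The value is two sibling elements, so wrap it to give the parser one root.
    try:
        root = ET.fromstring(f"<policy>{value}</policy>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.find("enabled") is None:
        problems.append("missing <enabled/> element")
    data = root.find("data[@id='ExtensionSettings']")
    if data is None:
        return problems + ['missing <data id="ExtensionSettings"> element']
    # Curly quotes picked up from a rich-text copy fail here, not in the XML step.
    try:
        settings = json.loads(data.get("value", ""))
    except json.JSONDecodeError as exc:
        return problems + [f"value attribute is not valid JSON: {exc}"]
    if not isinstance(settings, dict) or not settings:
        return problems + ["JSON must be an object keyed by extension ID"]
    for ext_id, cfg in settings.items():
        if not isinstance(cfg, dict):
            problems.append(f"{ext_id}: settings must be a JSON object")
            continue
        if cfg.get("installation_mode") != "force_installed":
            problems.append(f"{ext_id}: installation_mode is not force_installed")
        if cfg.get("updates_disabled") is not False:
            problems.append(f"{ext_id}: updates_disabled must be false")
        url = urlparse(str(cfg.get("install_url", "")))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{ext_id}: install_url must be an https URL")
    return problems


if __name__ == "__main__":
    for issue in lint_extension_settings(PAGE_VALUE) or ["no problems found"]:
        print(issue)
```

An empty list means the value matches what this guide requires: a force-installed extension, an HTTPS install URL, and updates left enabled.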

Validating the Deployment

To ensure the policies are working as intended, we need to allow enough time for the changes to sync and propagate onto our machines. This can take anywhere between 2 and 8 hours.
We can check the deployment status by selecting one of our policies and viewing the check-in status report in Intune:
Within Chrome, click on the Extensions icon > Manage Extensions > Verify that the “Microsoft Purview Extension” appears
There should be a notice at the top of the page indicating that the browser is managed by your organization. Additionally, the Microsoft Purview Extension should be toggled on and grayed out, indicating a successful deployment.
In Firefox, the same process can be followed. Click on the Extensions icon > Manage Extensions > Verify that the “Microsoft Purview Extension” appears
Now that the extension has been added to both browsers, we are ready to begin using Endpoint DLP policies within Purview.