Introduction
In today’s modern workplace, data no longer lives solely within Microsoft 365 workloads like Exchange, SharePoint, or Teams. It extends to the endpoints where users create, modify, and share information daily. As organizations adopt more flexible work environments, protecting sensitive data at the device level has become a critical component of any comprehensive security strategy.
Microsoft Purview Data Loss Prevention (DLP) enables organizations to monitor and protect sensitive information across Microsoft 365 services, but its full potential is unlocked when extended to endpoints. By integrating Microsoft Intune and Microsoft Defender, organizations can onboard devices into Purview and enforce DLP policies directly on Windows devices - providing visibility and control over data in real time, regardless of where it resides.
Example Scenario: Preventing Data Exfiltration by a Departing Employee
An employee in the finance department is preparing to leave the company. In their final days, they attempt to copy sensitive financial data, including spreadsheets containing bank account numbers, from their corporate device to a personal USB drive.
With Endpoint DLP enabled, the organization has policies in place that detect sensitive information types (SITs) such as financial data and enforce protective actions at the device level. As the user attempts to copy the file to the USB device:
- The DLP policy detects the presence of sensitive financial data.
- The action is blocked in real time based on the configured policy.
- A policy tip is displayed to the user explaining why the action is not allowed.
- The event is logged in Microsoft Purview, providing visibility to security and compliance teams.
- Optional alerts can be triggered to notify administrators of potential data exfiltration behavior.
Even if the user tries alternative methods, such as uploading the file to a personal cloud storage service or copying content into an unauthorized application, Endpoint DLP can enforce restrictions across these vectors as well. This scenario highlights how Endpoint DLP extends protection beyond traditional cloud locations, ensuring that sensitive data remains secure directly on managed devices, where the risk of insider threats and accidental data loss is often greatest.
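The policy behind this scenario can be expressed in Security & Compliance PowerShell as well as in the portal. The following is an added example, not code from the original article: it creates one Endpoint DLP policy that detects the built-in "U.S. Bank Account Number" sensitive information type, blocks copies to removable media and uploads to cloud services, audits printing, shows a policy tip, and emails an alert. The policy and rule names, the alert mailbox, the `-NotifyUser Owner` choice and the exact restriction setting names are assumptions to verify against `Get-Help New-DlpComplianceRule` in your tenant before use.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement module
# and a role that can manage DLP policies in Microsoft Purview.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$policyName = "Finance - Block Bank Account Data Exfiltration"   # assumed name

# 1. Policy scoped to Endpoint DLP only (all onboarded devices). Start in test mode so a pilot
#    group sees policy tips without being blocked; switch to Enable once the match rate is right.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Blocks bank account numbers leaving managed endpoints" `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# 2. Rule: match the financial SIT and apply device-level restrictions.
#    Setting names (RemovableMedia, CloudEgress, Print) and values (Block, Audit) are the
#    documented endpoint restriction keywords; confirm them with Get-Help before running.
New-DlpComplianceRule -Name "$policyName - Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "U.S. Bank Account Number"; minCount = "1" }) `
    -EndpointDlpRestrictions @(
        @{ Setting = "RemovableMedia"; Value = "Block" },   # the USB copy in the scenario
        @{ Setting = "CloudEgress";    Value = "Block" },   # personal cloud storage upload
        @{ Setting = "Print";          Value = "Audit" }    # log only, do not block
    ) `
    -NotifyUser Owner `   # assumption: who receives the policy tip
    -NotifyPolicyTipCustomText "This file contains bank account numbers and cannot be copied to removable media or personal cloud storage." `
    -GenerateAlert "dlp-alerts@contoso.example"   # assumed mailbox for the optional alert

# 3. After the pilot, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in `TestWithNotifications` lets the compliance team confirm from the Purview activity explorer that the rule fires on the intended files (and not on unrelated documents) before any user is blocked; the `Set-DlpCompliancePolicy` line at the end is the only change needed to move to enforcement.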
This article will walk through how to onboard devices into Microsoft Purview using Intune and Defender, ensuring that your DLP policies go beyond the cloud and into the endpoints where data risk is often highest.
Enabling the Microsoft Intune Connection within Defender
- Navigate to the Defender Portal > Settings > Endpoints > Advanced Features
- Toggle on "Microsoft Intune Connection"
Enabling the Microsoft Intune connection grants us the ability to:
- Automatically onboard devices to Defender for Endpoint by using an onboarding policy in Intune.
- Enforce Defender policies such as ASR Rules, File Policies, and more via Intune.
- Send endpoint security signals & device telemetry data from Defender to Intune.
- Unify device inventory between both solutions.
Once the connection has been enabled, it can take several hours for the connection status to sync and show as enabled within the Intune Portal.
Creating the Defender for Endpoint Onboarding Policy in Intune
To automatically deploy the Defender for Endpoint sensor to your onboarded machines in Intune, you will need to create an onboarding policy. In this case, we will be using Microsoft's built-in EDR policy.
Navigate to the Intune Portal > Endpoint Security > Endpoint detection & response > + Create policy > Select the platforms you will be onboarding into Defender > Click create
On the Basics page, add a Name and description for the EDR policy
On the Configuration Settings page, click the drop-down next to "Microsoft Defender for Endpoint Client Configuration Package Type" and select "Auto from connector". This option is only available if you successfully established the Defender and Intune connection.
IMPORTANT
If you recently turned this setting on and don't see the "Auto from connector" option, wait a couple of minutes before refreshing your page and trying again. If the option still does not appear, expect a longer propagation delay that can exceed 8 hours.
Continue clicking Next until you reach the Assignments page. Here, click on the "Search by group name..." tab and select "All devices" to target all devices in Intune. If you are testing the deployment, it's highly recommended to begin with a pilot group first.
Proceed to the Review + create page and save the policy.
Once the policy has been created and is working as intended, any devices that are onboarded into Intune will automatically have the Defender for Endpoint sensor installed. This can take anywhere between 8 and 24 hours. To verify whether devices are successfully being onboarded into Defender, review the EDR Onboarding Status report. This report gives you insight into which devices have been onboarded and which may have failed.
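The EDR Onboarding Status report is the tenant-wide view; when a single device shows as failed or is missing from the report, a local check on that device tells you whether the sensor ever arrived. The following is an added example, not code from the original article: run it on a Windows device targeted by the EDR policy. The "Sense" service name and the `OnboardingState` value under the `Windows Advanced Threat Protection\Status` registry key are Microsoft's documented onboarding indicators; the function name and output layout are mine.

```powershell
# Added example (not from the original article): local onboarding health check for the
# Defender for Endpoint sensor on a Windows device. Run in an elevated PowerShell session.

function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    # Documented status key; OnboardingState = 1 means the onboarding package was applied.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SenseServiceState = 'Missing'     # the sensor runs as the "Sense" service
        OnboardingState   = $null
        Healthy           = $false
    }

    # 1. Is the sensor service installed, and is it running?
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseServiceState = $svc.Status.ToString() }

    # 2. Has the onboarding configuration been applied?
    if (Test-Path $statusKey) {
        $result.OnboardingState = (Get-ItemProperty -Path $statusKey).OnboardingState
    }

    # Both conditions must hold before the device can report to Defender (and so to Purview).
    $result.Healthy = ($result.SenseServiceState -eq 'Running') -and ($result.OnboardingState -eq 1)
    [pscustomobject]$result
}

# Run the check and return a non-zero exit code so it can double as an Intune detection script.
$state = Test-MdeOnboarding
$state | Format-List
if (-not $state.Healthy) {
    Write-Warning "Device is not fully onboarded; check the EDR policy assignment in Intune and the EDR Onboarding Status report."
    exit 1
}
```

A device where the service is missing has not received the Intune EDR policy at all (check group assignment and the policy's "Auto from connector" package type); a device where the service is present but `OnboardingState` is not 1 received the sensor but not the onboarding blob, which usually points back to the connector still propagating.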
Onboarding Devices into Purview
Now that all of the prerequisites are in place, we can proceed with onboarding the devices to Purview.
- Navigate to the Purview Portal > Click on Settings > Devices > Turn on device onboarding
When you turn this on, any devices that are already onboarded to Microsoft Defender for Endpoint (MDE) will appear in the device list. However, it may take some time before any devices appear while device monitoring syncs.
Once that has been enabled, we are ready to begin using Endpoint DLP policies in Purview.