New Endpoint Data Loss Prevention condition: 'Document Property' now in GA


Introduction

Microsoft has made an exciting update to its Endpoint Data Loss Prevention (DLP) capabilities, and I’m happy to share that the Document Property Condition is now generally available across all Microsoft 365 tenants. This new feature allows you to extend your DLP policies to monitor and restrict access to documents based on custom properties, now supported on endpoints as well as in the cloud and on-premises repositories. This is a significant leap forward, and I was fortunate to be part of a private preview that allowed me to test this feature before its public release.

Earlier this year, in one of my blog posts, I discussed how Microsoft had already implemented support for document property conditions with cloud and on-premises repositories, but endpoints were left out. After listening to feedback from the community, Microsoft has added this critical functionality for endpoint DLP, and it’s now available for all users.



How It Works

The Document Property Condition lets you define specific metadata properties that are associated with documents and then trigger actions based on whether the document matches these properties. For instance, you can enforce DLP policies on documents with certain custom properties, like:

  • Client

  • Disposition

  • Document number

  • Department

This functionality is perfect for scenarios where you want to prevent sensitive or confidential documents from being copied, printed, or otherwise moved outside of approved locations or devices, based on their custom properties.


What’s New?

Previously, this condition was supported only for cloud and on-prem repositories, but the update now extends that capability to endpoints as well. With this change, Microsoft 365 admins can enforce DLP policies across their entire digital estate, ensuring greater security for endpoints where data often leaves the company network.

During my testing in the private preview, I was able to configure conditions based on exact text matches (e.g., ABC12345) and regular expressions (e.g., [A-Z]{3}[0-9]{5}). This allowed me to track documents with specific client identifiers, department tags, and more, and enforce actions such as blocking the copying of those documents to USB drives, clipboard, or network shares.


My Testing Results

I tested this feature using the following custom properties and actions:

  • Custom properties: Client, Disposition, Document number, Department.

  • Actions: Block copying to supported browsers, copying to clipboard, copying to a removable device, copying to a network share, and printing.

The testing was mostly successful, with exact text matches triggering the expected results. However, one issue I encountered was that regular expressions didn’t work as expected. Despite trying different regex patterns, they were not recognised by the system. I reached out to my Microsoft contacts, and they confirmed that there are currently no plans to support regex or wildcard matching for custom properties in DLP policies. It’s unfortunate, as many organisations rely on regex for identifying customer-specific data, and it’s impractical to maintain a list of exact values within the DLP policies.


Supported File Types

Currently, the Document Property Condition supports only Office and PDF file types. This means you can set policies for Word, Excel, PowerPoint, and PDF documents based on custom properties.


Getting Started with Endpoint DLP Policies

Prerequisites

Before you begin, ensure that you meet the following prerequisites:

  • Licensing: Make sure your Microsoft 365 tenant includes the appropriate Endpoint DLP SKU/subscriptions (Microsoft 365 E5 or equivalent/ E5 Compliance add-on)

  • Permissions: Assign the correct roles to your DLP administrators.

  • Endpoint Onboarding: Your workstations and virtual machines must be onboarded into Microsoft Endpoint DLP. If you’re unsure how to do this, check out Microsoft’s official documentation on getting started with Endpoint DLP.

  • Device Compatibility: For devices to be eligible for this feature, they must meet certain minimum Windows version requirements. Specifically, you’ll need Windows 10 (KB5034843) or Windows 11 (KB5034848).


Configuration details

You can add custom document properties to a file by, for example, opening a Word file, going to File > Info > Properties > Advanced Properties, switching to the 'Custom' tab and filling in one of the fields.

Here’s how you can set up this new condition in your Microsoft Purview portal:

  1. Access the Purview Admin Centre: Go to Solutions > Data Loss Prevention > Policies.

  2. Create a new policy: choose Category: Custom, Regulation: Custom policy, and click Next.

  3. Give your new policy a name and a description.

  4. Select 'Devices' as your location and edit the scope to fit your requirements > Next > Create or customize advanced DLP rules > Next.

  5. Create a new rule, give it a name and a description.

  6. Add the New Condition: Conditions > Add condition > Document property is, and then specify the custom property values you want to target. For instance, you could define that a document with Department = Marketing and Project = Secret should be blocked from being copied to a USB drive. There are many different custom properties you can use; see some examples below.


  7. Configure Actions: Choose the appropriate actions to take when a document with matching properties is detected. Available actions include blocking copy to clipboard, printing, and transferring to a USB or network share, etc.

  8. Configure the rest of your policy as you see fit, e.g. modify the user notifications and incident report settings.

  9. Save and Enable the Policy: After configuring the conditions and actions, save the policy and turn it on. It may take up to an hour for the policy to take effect across your devices.
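To make the condition concrete, here is an added example (not Microsoft's code and not from the original post) that reads the custom properties Word stores in `docProps/custom.xml` inside a .docx and evaluates a 'Document property is' rule the way the post describes it: every property/value pair must match exactly, with no regex or wildcard support. The sample document is constructed in memory with only the custom-properties part; `build_docx`, `read_custom_properties` and `rule_matches` are names chosen for this example, and case-insensitive comparison is an assumption, since the post does not state how the service handles case.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by docProps/custom.xml (Word, Excel and PowerPoint custom properties)
NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # standard fmtid for user-defined properties
ET.register_namespace("", NS_CUSTOM)
ET.register_namespace("vt", NS_VT)


def build_docx(custom_props):
    """Constructed sample input: a minimal .docx-style zip carrying only docProps/custom.xml.
    It is not a real Word document, but the custom-properties part is in the real format."""
    props = ET.Element("{%s}Properties" % NS_CUSTOM)
    for pid, (name, value) in enumerate(custom_props.items(), start=2):  # pid 2 is the first user pid
        prop = ET.SubElement(props, "{%s}property" % NS_CUSTOM, fmtid=FMTID, pid=str(pid), name=name)
        ET.SubElement(prop, "{%s}lpwstr" % NS_VT).text = value
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/custom.xml", ET.tostring(props, encoding="UTF-8", xml_declaration=True))
    return buf.getvalue()


def read_custom_properties(docx_bytes):
    """Return {name: value} for every string custom property; empty if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/custom.xml"))
    found = {}
    for prop in root.findall("{%s}property" % NS_CUSTOM):
        text = prop.find("{%s}lpwstr" % NS_VT)
        if text is not None:
            found[prop.get("name")] = text.text or ""
    return found


def rule_matches(docx_bytes, conditions):
    """Evaluate a 'Document property is' rule: all (property, value) pairs must match exactly.
    Exact comparison mirrors the GA behaviour (no regex or wildcards); a pattern such as
    '[A-Z]{3}[0-9]{5}' is treated as a literal value and will not match 'ABC12345'.
    Case-insensitive comparison is an assumption of this example."""
    props = read_custom_properties(docx_bytes)
    return all(props.get(name, "").casefold() == value.casefold() for name, value in conditions.items())
```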


Current limitations

  • Limited to Custom Properties: This feature currently only works with custom document properties, so it won’t apply to more generic conditions.

  • File Types: Supported file types are limited to Office documents and PDFs.

  • No Regex Support: As mentioned earlier, regular expressions and wildcard matching are not supported in this release, which might limit some use cases.


Conclusion

The addition of the Document Property Condition to Microsoft Endpoint DLP is a fantastic step forward in securing sensitive data on endpoints. This feature makes it easier to create granular, policy-driven controls based on document metadata, which is particularly useful in environments where files are regularly transferred or accessed by end users.

While there are some limitations, such as the lack of regex support and the restricted file types, the feature is still incredibly powerful and adds a new layer of security for sensitive documents across your digital estate.

As always, I look forward to seeing how this feature evolves, and I’ll continue to provide updates as Microsoft makes further improvements.
