

Understand Data Loss Prevention (DLP) in Microsoft Edge for Business

This article describes how Microsoft Edge for Business supports data loss prevention (DLP) with Endpoint DLP, inline browser DLP, and Windows Information Protection (WIP).

What is Data Loss Prevention (DLP)?

Data loss prevention (DLP) is a system of technologies that help identify and safeguard sensitive enterprise data from unauthorized disclosure. Organizations must protect this information to comply with business standards and industry regulations. Sensitive information can include financial data or personal information (for example, credit card numbers, social security numbers, or health records).

Remote work and the blending of personal and work activities on devices have amplified the need for DLP. With increased use of personal devices to access sensitive organizational data, the risk of exposing that data has increased dramatically, and the need to protect against it is greater than ever.

The next screenshot shows the briefcase icon in the lock icon within the address bar, which indicates that work-related information is being accessed in an organization-managed cloud app through the Edge browser.

Indicator for sites marked as "work"

Endpoint DLP in Edge for Business

Microsoft Endpoint DLP provides OS-level data loss prevention built into Windows 10/11, macOS, and Microsoft Edge with no additional agents or browser plugins required. Endpoint DLP enforces policies across all applications on managed devices, including Edge for Business.

Microsoft Edge enforces admin-configured policies for sensitive files, and records audit events for non-compliant activities.

Some of the user activities that you can audit and manage on devices running Windows 10/11 include the following activities:

  • File Upload: Protect sensitive file upload to unauthorized cloud locations.
  • Clipboard Protection: Protect sensitive data from being copied out of the file.
  • Print Protection: Protect sensitive files from being printed.
  • Save to USB/Network: Protect sensitive files from being saved to removable USB storage or unauthorized network locations.

Endpoint DLP also provides protection across different Microsoft Edge usage scenarios:

  • InPrivate Mode Support: Endpoint DLP detects and audits egress activities performed in Microsoft Edge InPrivate mode.
  • Work and Personal Profiles: Endpoint DLP monitors and applies policy protections in both work and personal Microsoft Edge profiles.


Inline browser data security protections for cloud apps

Edge for Business enforces Purview DLP policies inline, directly in the browser, so organizations can safeguard sensitive data in real time. With Edge for Business, admins can:

  • Block sharing of sensitive information to unmanaged cloud apps, including generative AI tools like ChatGPT, DeepSeek, and Gemini.
  • Prevent file uploads, downloads, copy/paste, and printing on managed cloud apps for unmanaged (BYOD) devices.
  • Enforce browser restrictions that prevent circumvention via other browsers.

Just as with Endpoint DLP, Edge for Business can audit (log) or block sensitive activities including text uploads, file transfers, clipboard operations, and printing, ensuring that all events are recorded and reported to administrators via Microsoft Purview Activity Explorer and Microsoft Defender portals.


Example Scenarios

  • Unmanaged Gen AI App Blocking: A finance employee attempts to share bank account numbers into ChatGPT. Edge detects sensitive info and blocks the action.
  • BYOD Download Prevention: A contractor on a personal laptop tries to download a customer file from SharePoint. Edge blocks the download and logs the event.

Microsoft Information Protection Integration with Edge for Business

Edge for Business supports Microsoft Information Protection (MIP) sensitivity labels as conditions in Purview DLP policies. When users open labeled documents in Office Online (Word, Excel, PowerPoint), Edge enforces label-based restrictions directly in the browser. This allows admins to:

  • Block copy, paste, print, and screenshot based on sensitivity label restrictions.
  • Enforce protections on labeled content viewed in Edge for Business.
  • View label-based policy matches in audit logs.

Example Scenarios

An employee opens a Confidential-labeled spreadsheet in Excel Online. Edge for Business blocks copy/paste and printing in accordance with the document's sensitivity label restrictions.

MIP and DLP work together to classify, protect, and control sensitive data in the browser. Learn about sensitivity labels.

Windows Information Protection

Note

Windows Information Protection will be discontinued over time. For more information, see Announcing the sunset of Windows Information Protection (WIP).

Check out Support for Windows Information Protection, which describes how Microsoft Edge supports Windows Information Protection (WIP). You can learn more about system requirements, benefits, and supported features in the following sections:
