Integrate Adaptive Protection with DLP

Adaptive Protection in Microsoft Purview works alongside Microsoft Purview Insider Risk Management to automatically adjust data loss prevention (DLP) policies based on user behavior. This adaptive approach ensures that data protection evolves as risk levels associated with specific users change.

When Insider Risk Management identifies risky behaviors, Adaptive Protection assigns users to a risk level: Minor, Moderate, or Elevated. Based on these assignments, DLP policies dynamically apply stricter controls, such as blocking data transfers, to higher-risk users, and more lenient controls to lower-risk users. As risk levels shift, policies update accordingly.

How Adaptive Protection works

  • Dynamic risk levels: Users are assigned a risk level based on their behavior, which updates automatically as new information about their actions emerges.

  • DLP policy integration: Adaptive Protection adds the "Insider risk level for Adaptive Protection is" condition to DLP policies. This allows DLP rules to apply different protections for users based on their risk level in services such as Exchange Online, Teams, and Devices.

Configure Adaptive Protection policies

Before you can create DLP policies using Adaptive Protection, you must enable it within Insider Risk Management. This integration ensures DLP policies can adapt dynamically to changing user risk levels.

Custom setup

For manual configuration, you need to:

  1. Create an Insider Risk Management policy: This defines the risky behaviors you want to monitor.

  2. Configure the policy for Adaptive Protection: Assign the insider risk policy to be used with Adaptive Protection.

  3. Define Risk Levels: You assign Elevated, Moderate, or Minor risk levels.

Once these steps are complete, you can manually create an Adaptive Protection DLP policy by selecting "Insider risk level for Adaptive Protection is" as a Condition when you create an Advanced DLP rule in the DLP policy creation process.

Screenshot showing the Insider risk level for Adaptive Protection is condition in DLP.

This condition allows you to define rules that apply to specific risk levels (Elevated, Moderate, or Minor). For example, you can block external data sharing for users with an Elevated risk level, while only logging actions for users with Moderate or Minor risk levels.

Screenshot showing where to configure the risk level for Adaptive Protection in DLP.

Quick setup

Alternatively, you can use Quick setup to automatically generate DLP policies based on risk levels. The setup generates policies that apply different controls to users in Exchange, Teams, and Devices based on their risk profile.

Adaptive Protection policy for Teams and Exchange DLP

Quick setup generates one policy for both Teams and Exchange, which includes two rules:

  • Block Rule for Elevated Risk Level: Blocks content from being shared externally, notifying the user with a policy tip.

  • Audit Rule for Moderate and Minor Risk Levels: Allows content sharing but logs the event for auditing purposes.

Adaptive Protection Policy for Endpoint DLP

For endpoint devices, quick setup creates more restrictive policies, depending on the user's risk level:

  • Block Rule: If a user is at an Elevated Risk Level, actions such as copying data to USB drives, cloud services, or printing sensitive information might be blocked.

  • Audit Rule: For Moderate and Minor Risk Levels, the same actions might be audited but not blocked, providing visibility into potential risks without disrupting workflows.

By default, these policies are configured to run in simulation mode during quick setup, so they don't enforce actions immediately. This allows you to review how the policies perform and make any necessary adjustments before turning them on for enforcement.
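The Quick setup rules and simulation mode described above can be modelled offline to reason about what enforcement would change. The following is an added example, not Microsoft code or a Purview API. The rule names, event fields, and sample events are constructed, and it assumes the endpoint block rule always blocks.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str               # hypothetical rule name
    workloads: frozenset    # locations the rule covers
    risk_levels: frozenset  # values for "Insider risk level for Adaptive Protection is"
    action: str             # "block" or "audit"

# The four rules Quick setup is described as generating (names are made up).
QUICK_SETUP = [
    Rule("TeamsExchange-Block", frozenset({"Exchange", "Teams"}), frozenset({"Elevated"}), "block"),
    Rule("TeamsExchange-Audit", frozenset({"Exchange", "Teams"}), frozenset({"Moderate", "Minor"}), "audit"),
    Rule("Endpoint-Block", frozenset({"Devices"}), frozenset({"Elevated"}), "block"),
    Rule("Endpoint-Audit", frozenset({"Devices"}), frozenset({"Moderate", "Minor"}), "audit"),
]

def evaluate(event, rules=QUICK_SETUP, simulation=True):
    """Return (rule name, configured action, enforced action) for one activity."""
    # The Teams/Exchange rules concern external sharing only.
    if event["workload"] in ("Exchange", "Teams") and not event.get("external"):
        return (None, "none", "none")
    for rule in rules:
        if event["workload"] in rule.workloads and event.get("risk_level") in rule.risk_levels:
            # Simulation mode records the match but enforces nothing.
            return (rule.name, rule.action, "none" if simulation else rule.action)
    # Assumption: a user with no assigned risk level matches no rule.
    return (None, "none", "none")

def would_block_by_user(events, rules=QUICK_SETUP):
    """Simulation review: per-user count of activities that enforcement would block."""
    return Counter(e["user"] for e in events if evaluate(e, rules)[1] == "block")

# Constructed sample activity; the field names are not a Purview export format.
EVENTS = [
    {"user": "alice", "risk_level": "Elevated", "workload": "Exchange", "external": True},
    {"user": "alice", "risk_level": "Elevated", "workload": "Devices", "activity": "copy to USB"},
    {"user": "alice", "risk_level": "Elevated", "workload": "Teams", "external": False},
    {"user": "bob", "risk_level": "Moderate", "workload": "Teams", "external": True},
    {"user": "carol", "risk_level": None, "workload": "Exchange", "external": True},
    {"user": "dave", "risk_level": "Minor", "workload": "Devices", "activity": "print"},
]

if __name__ == "__main__":
    for user, count in would_block_by_user(EVENTS).items():
        print(f"{user}: {count} activities would be blocked once enforcement is on")
```
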

Adaptive Protection provides a more dynamic approach to DLP, enabling organizations to adjust data security policies as risk levels change, ensuring both flexibility and protection.