Configure network content filtering with file policies (Preview)
Implementation Effort: Medium
User Impact: Medium
Overview
In a Zero Trust security model, organizations must protect sensitive data at every layer, including the network edge, so that data cannot be exfiltrated regardless of the user's location or the destination. Network content filtering with file policies extends data loss prevention to the network layer through Global Secure Access: file transfers are inspected and controlled in real time, which prevents leaks to unsanctioned destinations such as generative AI applications, unmanaged cloud apps, and untrusted internet sites.
This solution combines Microsoft Purview's data classification service with Global Secure Access's identity-centric network security policies to form a network-layer Data Loss Prevention (DLP) control. Content inspection is combined with real-time user risk evaluation and identity-aware policies delivered through Conditional Access, so organizations can enforce granular controls over the movement of sensitive data without sacrificing either productivity or security posture.
Implementation steps:
- Enable Internet Access traffic forwarding profile and assign users/groups
- Configure a TLS inspection policy (prerequisite: file policies can only inspect HTTPS transfers that TLS inspection has decrypted)
- Verify Global Secure Access client is properly routing internet traffic
- Create file policies with basic actions (Allow/Block) or "Scan with Purview" for advanced DLP
- Configure matching conditions (activities: upload/download, file types: MIME types, destinations: FQDNs/categories)
- Link file policies to security profiles with appropriate priority
- Create Conditional Access policies targeting "All internet resources with Global Secure Access" and assign security profiles
- Test policy enforcement by attempting file uploads/downloads to configured destinations
- Monitor enforcement through Traffic logs and DLP alerts
Important considerations:
- A Microsoft Purview license is required for the "Scan with Purview" action; basic Allow/Block file policies work without Purview
- The preview inspects file traffic over HTTP/1.1 only; other HTTP versions and plain text content (for example, text pasted into a form) are not inspected
- Uploads that use multipart encoding are not supported, which affects applications such as Google Drive
- Destination applications that transfer data over WebSocket (for example, Copilot) are not supported
- An app may use several URLs/FQDNs for uploads and downloads; every relevant destination must be listed in the policy, otherwise transfers to the unlisted hosts are not matched
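The last two steps above (testing enforcement and monitoring through Traffic logs) and the caveats about multiple FQDNs and WebSocket traffic suggest a post-deployment check that the page does not provide. The script below is an added example, not Microsoft's code: it reads exported traffic log entries, summarizes enforcement per file-policy rule, flags uploads that were allowed to sibling hosts of a destination you already placed in a policy (the "app uses multiple FQDNs" gap), and lists WebSocket endpoints that the preview would not inspect even if listed. The log records are constructed sample data, and the field names (userPrincipalName, destinationFqdn, destinationUrl, httpMethod, action, policyRuleName, sentBytes) are an assumption about the export schema; verify them against your own export before relying on the output. The registrable-domain logic is a deliberate simplification (last two DNS labels, no public-suffix list).

```python
"""
Added example: file-policy coverage check over Global Secure Access traffic logs.
Not Microsoft's code. Field names below are an ASSUMED export schema.
"""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log export (JSON Lines). Hosts use reserved .test/.example
# names so nothing here refers to a real destination.
SAMPLE_LOG = """
{"userPrincipalName":"alice@contoso.example","destinationFqdn":"files.example-ai.test","destinationUrl":"https://files.example-ai.test/v1/upload","httpMethod":"PUT","action":"blocked","policyRuleName":"Block-Docs-To-GenAI","sentBytes":1048576}
{"userPrincipalName":"alice@contoso.example","destinationFqdn":"cdn-upload.example-ai.test","destinationUrl":"https://cdn-upload.example-ai.test/v1/upload","httpMethod":"PUT","action":"allowed","policyRuleName":"","sentBytes":2097152}
{"userPrincipalName":"bob@contoso.example","destinationFqdn":"api.example-ai.test","destinationUrl":"https://api.example-ai.test/v1/models","httpMethod":"GET","action":"allowed","policyRuleName":"","sentBytes":512}
{"userPrincipalName":"bob@contoso.example","destinationFqdn":"ws.example-ai.test","destinationUrl":"wss://ws.example-ai.test/chat","httpMethod":"GET","action":"allowed","policyRuleName":"","sentBytes":3145728}
{"userPrincipalName":"carol@contoso.example","destinationFqdn":"intranet.contoso.example","destinationUrl":"https://intranet.contoso.example/share","httpMethod":"POST","action":"allowed","policyRuleName":"","sentBytes":4194304}
"""

UPLOAD_METHODS = {"PUT", "POST", "PATCH"}
UPLOAD_MIN_BYTES = 64 * 1024  # ignore small bodies such as JSON API calls and form posts


def parse_log(text):
    """Parse a JSON Lines export into a list of dict records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def registrable_domain(fqdn):
    """Last two DNS labels. Simplification: no public-suffix list, so
    'example.co.uk' style names would be grouped too coarsely."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def is_upload(rec):
    """Treat a large request body with an upload-style method as a file upload."""
    return (rec.get("httpMethod", "").upper() in UPLOAD_METHODS
            and rec.get("sentBytes", 0) >= UPLOAD_MIN_BYTES)


def enforcement_summary(records):
    """Count records per (policy rule, action); unmatched traffic shows as '(no rule)'."""
    counts = defaultdict(int)
    for rec in records:
        counts[(rec.get("policyRuleName") or "(no rule)", rec.get("action", "unknown"))] += 1
    return dict(counts)


def coverage_gaps(records, policy_fqdns):
    """Uploads allowed without a rule match to hosts that share a registrable
    domain with a host already named in a file policy. These are the sibling
    FQDNs the policy still needs to list for enforcement to take effect."""
    policy_set = {f.lower() for f in policy_fqdns}
    covered_domains = {registrable_domain(f) for f in policy_set}
    gaps = defaultdict(set)
    for rec in records:
        fqdn = rec.get("destinationFqdn", "").lower()
        if not is_upload(rec) or fqdn in policy_set:
            continue
        domain = registrable_domain(fqdn)
        if (domain in covered_domains and rec.get("action") == "allowed"
                and not rec.get("policyRuleName")):
            gaps[domain].add(fqdn)
    return {d: sorted(hosts) for d, hosts in gaps.items()}


def outside_preview_scope(records):
    """Hosts that moved a large body over WebSocket (ws:// or wss://), which the
    preview does not inspect regardless of policy configuration."""
    hosts = set()
    for rec in records:
        scheme = urlparse(rec.get("destinationUrl", "")).scheme
        if scheme in ("ws", "wss") and rec.get("sentBytes", 0) >= UPLOAD_MIN_BYTES:
            hosts.add(rec.get("destinationFqdn", "").lower())
    return sorted(hosts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Assumed: the file policy under test names only the primary upload host.
    configured = ["files.example-ai.test"]
    for key, n in sorted(enforcement_summary(recs).items()):
        print(f"{key[0]:<22} {key[1]:<8} {n}")
    print("coverage gaps:", coverage_gaps(recs, configured))
    print("not inspectable (WebSocket):", outside_preview_scope(recs))
```

Run it against your own export by replacing SAMPLE_LOG with the file contents and `configured` with the destinations in your file policy; any host reported under coverage gaps is a candidate to add to the policy's destination list, and hosts reported as WebSocket endpoints need a different control, since file policies cannot see that traffic in the preview.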