489842 – Microsoft Purview Compliance Portal: Endpoint DLP – Protect shadow files for OneDrive

Product:

OneDrive, Purview, Purview Communication Compliance, Purview compliance portal

Platform:

US Instances, Web, World tenant

Status:

Launched

Change type:

Links:

Details:

Admins can protect OneDrive shadow files, that are not locally synced on an endpoint device. This feature has a dependency on Just-in-time (JIT) to provide the interim protection.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:
General Availability, Preview

Created:
2025-05-02

updated:
2026-01-21

Public Preview Start Date

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

Data Loss Prevention (DLP) Implementation
Without proper preparation, the implementation of DLP for OneDrive shadow files may lead to unintentional data exposure or loss, as users may not be aware of the new restrictions and protections in place.
   - roles: IT Administrators, End Users
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-purview-compliance-portal-endpoint-dlp-protect-shadow/ba-p/3741230

User Experience Disruption
If the change is made without adequate communication and training, users may experience confusion or frustration due to unexpected restrictions on file access and sharing, impacting productivity.
   - roles: End Users, Support Staff
   - references: https://www.microsoft.com/en-us/microsoft-365/blog/2022/06/30/announcing-microsoft-purview-compliance-portal/

Increased Support Tickets
The lack of preparation for the new DLP feature may result in a surge of support tickets from users facing issues with accessing their files, leading to increased workload for IT support teams.
   - roles: Support Staff, IT Administrators
   - references: https://www.microsoft.com/en-us/microsoft-365/blog/2022/06/30/announcing-microsoft-purview-compliance-portal/

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

Enhanced Data Protection
Implementing Endpoint DLP for OneDrive shadow files enhances data protection by preventing unauthorized access to sensitive files that are not locally synced. This reduces the risk of data breaches and ensures compliance with data protection regulations.
   - next-steps: Conduct a risk assessment to identify sensitive data stored in OneDrive. Implement Endpoint DLP policies tailored to protect this data effectively.
   - roles: Compliance Officers, IT Security Managers, Data Protection Officers
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity-blog/protecting-shadow-files-with-endpoint-dlp-in-onedrive/ba-p/3654725

Improved User Experience
By protecting shadow files, users can have peace of mind knowing their data is secure, which can enhance productivity and trust in IT systems. Users will experience fewer interruptions related to data security concerns.
   - next-steps: Gather user feedback on current data security concerns and adjust DLP policies to align with user needs while maintaining security.
   - roles: End Users, IT Support Staff, Product Managers
   - references: https://www.microsoft.com/en-us/microsoft-365/blog/2023/05/01/announcing-new-features-in-onedrive-and-sharepoint-to-improve-user-experience/

Streamlined IT Operations
The integration of JIT with Endpoint DLP can streamline IT operations by automating the protection of files without requiring constant manual intervention, thus reducing administrative overhead.
   - next-steps: Evaluate current IT workflows to identify areas where automation can be applied. Train IT staff on the new processes for managing DLP settings.
   - roles: IT Administrators, Operations Managers, System Administrators
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity-blog/just-in-time-privileged-access-in-microsoft-purview-compliance/ba-p/3654725

Potentional Risks**

XXXXXXX ... paid membership only

Data Protection**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

Hypothetical Work Council Statement**

XXXXXXX ... paid membership only

DPIA Draft**

XXXXXXX ... paid membership only

explanation for non-techies**

Imagine your office as a library. In this library, you have a special section for books that are very important and need extra protection. These books are like the files you store in OneDrive, a cloud service where you can keep your documents safe and accessible from anywhere.

Now, think of the Microsoft Purview Compliance Portal as the librarian who ensures that these important books are not only well-organized but also protected from any unauthorized access. One of the tasks this librarian handles is safeguarding "shadow files." Shadow files are like copies of books that you can read online but don't physically exist on the library shelves. They are accessible but not stored directly on your computer.

To keep these shadow files secure, Microsoft uses a method called Just-in-time (JIT) protection. Imagine JIT as a security guard who steps in right when someone tries to access these online books, ensuring they have the right permissions to do so. This way, even though the files aren't physically on your device, they are still protected as if they were.

This feature is available to organizations using OneDrive and the Microsoft Purview compliance portal, ensuring that sensitive information remains secure, even when it's not directly stored on your computer. It's like having a virtual security system that keeps an eye on your digital library, making sure that only authorized personnel can access the valuable information within.