500895 – Microsoft Purview compliance portal: Endpoint Data Loss Prevention – Endpoint DLP support classification of Azure RMS protected Office documents

Product:

Purview Communication Compliance, Purview Data Loss Prevention

Platform:

Web, World tenant

Status:

In development

Change type:

Links:

Details:

Endpoint DLP can now classify Office files stored in Windows devices that have Azure RMS protection applied. Classification will be triggered when file is used in applications or when just-in-time classification is enabled

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:
General Availability, Preview

Created:
2025-08-22

updated:
2025-08-22

Public Preview Start Date

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

Data Loss Prevention Implementation
Without proper preparation, the implementation of Endpoint DLP may lead to unintentional data exposure or loss, as users may not be aware of the new classification protocols, resulting in mishandling of sensitive information.
   - roles: Data Protection Officer, IT Support Specialist
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/endpoint-dlp-supports-classification-of-azure-rms-protected/ba-p/3701230, https://www.microsoft.com/en-us/security/business/solutions/data-loss-prevention

User Experience Disruption
If users are not trained on the new classification features, they may experience confusion or frustration when accessing or sharing Azure RMS protected documents, leading to decreased productivity and potential errors.
   - roles: End User, Compliance Officer
   - references: https://www.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention, https://www.forbes.com/sites/bernardmarr/2021/06/14/the-importance-of-user-experience-in-data-protection/?sh=4c1c1c1e7b5e

Configutation Options**

XXXXXXX ... paid membership only

Data Protection**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

Imagine you have a highly secure filing cabinet where you store important documents. Each document has a label that indicates its level of importance or sensitivity. Now, imagine you have a system that can automatically read these labels and decide how to handle each document based on its label. This is similar to what Microsoft Purview's Endpoint Data Loss Prevention (DLP) does for digital files.

In the digital world, Office files stored on Windows devices can be protected by something called Azure Rights Management Services (RMS). Think of Azure RMS as a digital lock that ensures only authorized people can access the files. With the new update, Endpoint DLP can now read the "labels" on these digitally locked files. This means that even if a file is protected, the system can still classify it based on its content and apply the necessary rules to prevent data loss.

This classification can happen in two ways. First, it can occur when the file is actively used in applications, similar to how a librarian might check a book's label when someone checks it out. Second, it can happen through a process called just-in-time classification, which is like having a security guard who quickly checks the labels on documents as they are moved around the office.

By classifying these protected files, organizations can ensure that sensitive information is handled appropriately, reducing the risk of data breaches. This is particularly important for maintaining compliance with various data protection regulations. The system acts like an automated security team, constantly monitoring and managing files to keep them safe.