Microsoft 365 Message Center Archive

MC1181769 - Microsoft Purview: Integration with Entra GSA Internet Access to enable sensitive file filtering at the network layer

Message ID

MC1181769

View in Message Center

Service

Microsoft Purview

Published

Oct 31, 2025

Tag

New feature
Admin impact

Roadmap ID

522096

View in M365 Roadmap

Platforms

Web

Summary

Microsoft Purview DLP policies will integrate with Entra Global Secure Access Internet Access to inspect and control sensitive file traffic at the network layer. Public preview starts mid-November 2025, enabling granular policy enforcement across unmanaged cloud apps, with centralized alert management in Purview and Defender.

More information

Introduction

To help organizations better protect sensitive files in transit, we're introducing a public preview for extending Microsoft Purview Data Loss Prevention (DLP) policies to the network through integration with Entra Global Secure Access Internet Access. Through this integration, organizations can intercept and inspect file traffic at the network layer and enforce actions based on DLP policy conditions. It helps prevent sensitive files from being shared with untrusted cloud applications through browsers, apps, APIs, add-ins, and more—including generative AI platforms, cloud storage, and content-sharing services—while managing alerts and incidents through Purview and Microsoft Defender.

This message is associated with Roadmap ID 522096.

When this will happen:

  • Public preview: Rollout begins mid-November 2025 and completes by mid-December 2025.
  • General availability: Rollout begins mid-June 2026 and completes by mid-July 2026.

How this affects your organization:

  • Who is affected: Microsoft 365 tenants with E3 or E5 licenses; Admins managing Microsoft Purview DLP and Entra Global Secure Access.
  • What will happen:
    • A new “Inline Web Traffic” scenario will be available in Purview DLP policy creation.
    • Admins can configure granular policies and rules to detect and protect sensitive files transmitted to over 35,000 unmanaged cloud applications.
    • Policy matches, alerts, and incidents will be managed centrally in Microsoft Purview and Microsoft Defender.
    • The feature will be available by default but requires configuration to activate.

What you can do to prepare:

  • Ensure your GSA administrator configures the following in Entra Global Secure Access:
    • Enabled the internet access traffic profile and ensure the correct user assignments apply.
    • Configure TLS inspection and configure a TLS inspection policy.
    • Create a file policy and add a rule that specifies the action "Scan with Purview".
    • Configure a security profile with the above policies and link it to a conditional access policy.
  • Your global admin must activate Purview pay-as-you-go to enable this capability. No charges will apply during public preview.
  • Review your current DLP and network configurations to assess impact.
  • Communicate this change to helpdesk and security teams.
  • Update internal documentation to reflect new policy options.
  • For more details, refer to: Learn about data loss prevention

Compliance considerations:

Compliance Area Explanation
Alters how existing customer data is processed Sensitive file traffic is inspected at the network layer before reaching unmanaged cloud apps.
Introduces AI/ML capabilitiesDLP policies may interact with generative AI platforms to prevent data leakage.
Modifies DLP enforcementAdds network-layer enforcement to existing Purview DLP capabilities.
Adds integration to extend Purview DLP controls Integrates with Entra Global Secure Access Internet Access.
Includes admin controlControlled via Purview and Entra admin portals.
Can be controlled through Entra ID group membership Policy scoping can leverage Entra ID groups.