MC1419797 - Microsoft Purview | Data Loss Prevention - Extend Purview data security to the network layer via Entra GSA integration

Message Center

Summary

Microsoft Purview extends data loss prevention to the network layer via integration with Entra Internet Access, enabling inspection and protection of sensitive data in AI interactions and cloud services. It supports policy enforcement, alerts, and auditing, with rollout from July to October 2026, affecting Purview, Entra, and Defender administrators.

Published

Jul 7, 2026

Service

Microsoft Purview

Tag

Major change
New feature
Admin impact

Platforms

Web

More information

What and Why:

Extend Microsoft Purview data security controls to the network layer by integrating with Entra Internet Access. This integration helps organizations detect and protect sensitive data in text, prompts, and AI interactions by enabling inspection at the network layer, enforcing actions based on DLP policies, and identifying risky user activity through Insider Risk Management. It also helps prevent sensitive data from being shared with untrusted cloud applications—including generative AI platforms, social media, and collaboration tools—across browsers, apps, APIs, and add-ins, while managing alerts and incidents through Purview and Microsoft Defender.

For more information, refer to Protect sensitive data in motion across SaaS and AI apps with Microsoft Purview and Microsoft Entra. This message is associated with Microsoft 365 Roadmap ID 566528.

Rollout Schedule:

  • Public Preview: Beginning early July 2026; expected to complete by late July 2026
  • General Availability (Worldwide): Beginning late September 2026; expected to complete by late October 2026

Impact on Your Organization:

Who is affected:

  • Purview administrators
  • Security administrators
  • Compliance administrators
  • Entra Global Secure Access administrators

Platforms/Services:

  • Microsoft Purview
  • Microsoft Purview DLP
  • Microsoft Entra Internet Access
  • Microsoft Entra Global Secure Access
  • Microsoft Defender

What will happen:

  • The integration will become available automatically in eligible tenants as rollout completes.
  • Administrators can create policies that inspect network traffic using Entra Internet Access.
  • Organizations can apply Purview classifications and DLP controls to network-layer traffic.
  • Sensitive text, prompts, and files can be inspected and protected when transmitted to supported cloud and AI services.
  • Administrators can audit or block policy violations based on sensitive information types, sensitivity labels, or user risk levels.
  • Alerts and incidents can be surfaced through Microsoft Purview and Microsoft Defender.
  • Existing inline web traffic policies and network-based Purview protections continue to function without interruption.
  • The capability is administrator-configured and is not enabled for enforcement until policies are created and deployed.
  • Support extends to unmanaged AI applications, cloud storage providers, webmail, social media, forms, and other internet destinations supported by the service. 

Action Required/Recommendations:

No immediate action is required before rollout.

Recommended preparation activities:

  • Review whether your organization uses or plans to deploy Microsoft Entra Internet Access.
  • Evaluate licensing and prerequisite requirements for Microsoft Purview DLP and Entra Internet Access.
  • Review current DLP policies and determine whether network-layer protection scenarios should be added.
  • Identify unmanaged AI applications and cloud services that may require monitoring or policy enforcement.
  • Review pay-as-you-go billing requirements associated with Microsoft Purview Network Data Security.
  • Validate existing TLS inspection and Global Secure Access deployment readiness if planning to use the feature.
  • Inform security operations and compliance teams of the upcoming capability.

Learn more about the solution (including prerequisites): 

Compliance Considerations:

Area Explanation
Data processing Microsoft Purview DLP inspection is extended to the network layer through Entra Internet Access integration. Network traffic containing files, text, and AI interactions can be intercepted, inspected, classified, and evaluated against Purview policies before data is sent to external cloud services.
AI/ML capabilities Organizations can inspect prompts and responses involving generative AI services and apply Purview classifications, DLP policies, and Insider Risk Management controls to AI-related interactions at the network layer.
Communication methods The feature does not create new communication channels, but it adds monitoring and enforcement capabilities for communications and content exchanges with external AI platforms, cloud services, collaboration tools, and social media applications.
AI user interaction The primary purpose is governance and protection rather than enabling new AI experiences. However, organizations may allow or restrict AI interactions differently based on newly available network-layer DLP controls.
DLP enforcement Existing Purview DLP capabilities are expanded to include network-layer enforcement through Entra Internet Access. Organizations can block, audit, or monitor sensitive data transfers to external destinations using existing DLP policy constructs.
Information protection Existing sensitivity labels and sensitive information types can be used for inspection and enforcement against network traffic, extending the scope of existing protection controls.
Conditional Access Administrators may need to create or update Conditional Access policies to apply Global Secure Access security profiles that enforce content filtering and network inspection policies.
Audit logging Additional monitoring, alerts, incidents, traffic logs, and investigation data become available through Purview, Defender, and Global Secure Access logging experiences.
Compliance reporting Administrators gain new visibility into network-layer data movements, AI interactions, DLP alerts, incidents, investigations, and risky behavior through Purview and Microsoft Defender portals.
Third-party services The solution can inspect interactions with external generative AI applications, social media services, collaboration platforms, cloud storage providers, and other third-party internet destinations through Entra Internet Access controls.
Admin controls Administrators must configure content filtering, DLP policies, security profiles, and associated Conditional Access assignments. User targeting can be managed through standard Entra ID group-based assignments.