Message Center
Microsoft Purview extends data loss prevention to the network layer via integration with Entra Internet Access, enabling inspection and protection of sensitive data in AI interactions and cloud services. It supports policy enforcement, alerts, and auditing, with rollout from July to October 2026, affecting Purview, Entra, and Defender administrators.
What and Why:
Extend Microsoft Purview data security controls to the network layer by integrating with Entra Internet Access. This integration helps organizations detect and protect sensitive data in text, prompts, and AI interactions by enabling inspection at the network layer, enforcing actions based on DLP policies, and identifying risky user activity through Insider Risk Management. It also helps prevent sensitive data from being shared with untrusted cloud applications—including generative AI platforms, social media, and collaboration tools—across browsers, apps, APIs, and add-ins, while managing alerts and incidents through Purview and Microsoft Defender.
For more information, refer to Protect sensitive data in motion across SaaS and AI apps with Microsoft Purview and Microsoft Entra. This message is associated with Microsoft 365 Roadmap ID 566528.
Rollout Schedule:
Impact on Your Organization:
Who is affected:
Platforms/Services:
What will happen:
Action Required/Recommendations:
No immediate action is required before rollout.
Recommended preparation activities:
Learn more about the solution (including prerequisites):
Compliance Considerations:
| Area | Explanation |
|---|---|
| Data processing | Microsoft Purview DLP inspection is extended to the network layer through Entra Internet Access integration. Network traffic containing files, text, and AI interactions can be intercepted, inspected, classified, and evaluated against Purview policies before data is sent to external cloud services. |
| AI/ML capabilities | Organizations can inspect prompts and responses involving generative AI services and apply Purview classifications, DLP policies, and Insider Risk Management controls to AI-related interactions at the network layer. |
| Communication methods | The feature does not create new communication channels, but it adds monitoring and enforcement capabilities for communications and content exchanges with external AI platforms, cloud services, collaboration tools, and social media applications. |
| AI user interaction | The primary purpose is governance and protection rather than enabling new AI experiences. However, organizations may allow or restrict AI interactions differently based on newly available network-layer DLP controls. |
| DLP enforcement | Existing Purview DLP capabilities are expanded to include network-layer enforcement through Entra Internet Access. Organizations can block, audit, or monitor sensitive data transfers to external destinations using existing DLP policy constructs. |
| Information protection | Existing sensitivity labels and sensitive information types can be used for inspection and enforcement against network traffic, extending the scope of existing protection controls. |
| Conditional Access | Administrators may need to create or update Conditional Access policies to apply Global Secure Access security profiles that enforce content filtering and network inspection policies. |
| Audit logging | Additional monitoring, alerts, incidents, traffic logs, and investigation data become available through Purview, Defender, and Global Secure Access logging experiences. |
| Compliance reporting | Administrators gain new visibility into network-layer data movements, AI interactions, DLP alerts, incidents, investigations, and risky behavior through Purview and Microsoft Defender portals. |
| Third-party services | The solution can inspect interactions with external generative AI applications, social media services, collaboration platforms, cloud storage providers, and other third-party internet destinations through Entra Internet Access controls. |
| Admin controls | Administrators must configure content filtering, DLP policies, security profiles, and associated Conditional Access assignments. User targeting can be managed through standard Entra ID group-based assignments. |