
Introduction:
Organizational data no longer lives within the confines of managed endpoints and corporate applications. In the AI era, sensitive information flows constantly between trusted devices and unmanaged web apps, SaaS platforms, personal cloud repositories, and—most critically—generative AI tools over the network. Traditional data loss prevention (DLP) approaches lack real-time visibility and enforcement, often flagging incidents only after data has already left the organization. Microsoft has addressed this gap by extending data security to the network layer through the integration of Microsoft Entra SASE (Global Secure Access) with Microsoft Purview data classification, DLP policies, and insider risk detection—now available in public preview.
Learning Objectives:
- Understand how Microsoft Entra SASE and Purview integration enables real-time, identity-aware data protection across network traffic.
- Learn to configure content policies in Global Secure Access that leverage Purview’s sensitive data classification.
- Master the end-to-end setup of Purview DLP policies for inline web traffic inspection and enforcement.
- Gain practical skills in testing and validating network-layer data protection for AI apps and SaaS services.
You Should Know:
1. Understanding the Integration Architecture
The integration brings together Microsoft Purview’s data classification service and the identity-centric network security policies in Global Secure Access. This combination creates an advanced network-layer Data Loss Prevention (DLP) solution that’s identity-centric and policy-driven. By combining content inspection with real-time user risk evaluation, organizations can enforce granular controls over sensitive data movement across the network without compromising user productivity or security posture.
At its core, the solution enables organizations to dynamically apply protections based on three critical factors: the sensitivity of the data itself, who the user is, and how that user has historically interacted with sensitive data. This approach moves beyond static boundaries and after-the-fact controls, providing protection that preempts data leakage by detecting and blocking sensitive data in transit before it’s exposed.
2. Prerequisites and Licensing Requirements
Before implementing network content filtering with Purview integration, ensure your environment meets these prerequisites:
- A valid Microsoft Entra tenant with Global Secure Access enabled
- Microsoft Entra Internet Access license
- Microsoft Purview license (required for Scan with Purview inspection)
- Microsoft Purview pay-as-you-go billing configured before creating Purview collections or DLP policies
- Global Secure Access Administrator role in Microsoft Entra ID
- Global Secure Access client installed on Windows or macOS endpoints
- Conditional Access policies configured to route internet traffic through Global Secure Access
3. Configuring Content Policies in Global Secure Access
Content policies are the foundation of network-layer data protection. Here’s how to configure them:
Step 1: Create a Content Policy
- Sign in to the Microsoft Entra admin center (entra.microsoft.com) as a Global Secure Access Administrator
- Navigate to Global Secure Access > Secure > Content policies
- Select + Create Policy and configure the Basics tab with a name and description
Step 2: Define Rules
- Add a new rule with appropriate Name, Description, Priority, and Status
- For the Action menu, select:
- Allow or Block for basic data policy (file MIME type based)
- Scan with Purview (preview) to leverage Purview data classification and DLP policies
- Configure Matching conditions with appropriate Activities and Content types
- Add destinations by specifying exact URLs and FQDNs used by target applications
Step 3: Link to Security Profile
- Browse to Global Secure Access > Secure > Security profiles
- Select the security profile and switch to the Link policies view
- Link the content policy by selecting + Link a policy > Existing Content policy
4. Configuring Conditional Access for Enforcement
To enforce the security profile, create a Conditional Access policy:
- In the Microsoft Entra admin center, browse to Identity > Protection > Conditional Access
- Select + Create new policy and name it
- Select users and groups to apply the policy to
- Set Target resources to All internet resources with Global Secure Access
- Under Session, select Use Global Secure Access Security Profile and choose the profile
- Create the policy
5. Creating Purview DLP Policies for Network Data Security
If you selected Scan with Purview in your content policy, you must configure a corresponding DLP policy in Microsoft Purview.
Step 1: Access Purview Portal
- Sign in to the Microsoft Purview portal (purview.microsoft.com)
- Select Data loss prevention > Policies > + Create policy
Step 2: Configure Policy Settings
- Select Inline web traffic as the policy template
- Choose Custom from Categories and Custom policy from Regulations
- Enter a policy name and description
Step 3: Define Scope
- Add cloud apps to monitor, selecting app categories like “All unmanaged AI apps”
- Ensure Network and non-Microsoft secure browsers is enabled on the enforcement page
Step 4: Create DLP Rules
- Select + Create rule and configure:
- Under Conditions, add Content contains with sensitive information types or sensitivity labels
- Under Actions, select Restrict browser and network activities
- Choose actions: Text sent to/shared with cloud or AI apps, File uploaded to/shared with cloud or AI apps
- Set each action to Audit or Block
Step 5: Finalize
- Configure incident reports and alert settings
- Choose policy mode (Turn on immediately or simulation mode)
- Review and submit
6. Verification and Troubleshooting Commands
Windows – Verify Global Secure Access Client Connectivity:
# Check if the Global Secure Access client is running
Get-Service -Name "GlobalSecureAccess" | Select-Object Status, DisplayName
# View client logs for troubleshooting
Get-Content -Path "$env:ProgramData\Microsoft\Global Secure Access\Logs\client.log" -Tail 50
# Test network routing through Global Secure Access
Test-NetConnection -ComputerName entra.microsoft.com -Port 443
Windows – Check Traffic Routing:
# Verify forwarding profile rules
Get-NetRoute -DestinationPrefix 0.0.0.0/0 | Select-Object InterfaceAlias, NextHop
# Flush the DNS cache if experiencing resolution issues
ipconfig /flushdns
# Reset Winsock if connectivity problems persist
netsh winsock reset
macOS – Verify Global Secure Access Connectivity:
# Check if the Global Secure Access process is running
ps aux | grep -i "globalsecureaccess"
# View client logs
tail -f /var/log/globalsecureaccess/client.log
# Test DNS resolution for target endpoints
dig chatgpt.com
# Check the routing table
netstat -rn | grep -E "default|0.0.0.0"
Azure CLI – Verify Global Secure Access Configuration:
# List security profiles
az rest --method GET \
  --url "https://graph.microsoft.com/beta/networkAccess/securityProfiles"
# Get content policies
az rest --method GET \
  --url "https://graph.microsoft.com/beta/networkAccess/contentPolicies"
# Check traffic logs (replace with your tenant ID)
az rest --method GET \
  --url "https://graph.microsoft.com/beta/networkAccess/reports/traffic?startDateTime=2026-07-01T00:00:00Z&endDateTime=2026-07-04T23:59:59Z"
7. Real-World Validation: Blocking Sensitive Data Exfiltration
Example 1: Block Sensitive Text in Gmail
To prevent users from sending emails containing credit card numbers or Social Security numbers through Gmail:
- Configure content policy destination: Add `mail.google.com` as FQDN
- Action: Select Scan with Purview (preview)
- Activities: Select Upload
- Text content types: Select the types for Purview inspection
- Create Purview DLP policy detecting sensitive info types with Block action
- Validate by attempting to send sensitive content through Gmail
Example 2: Block Sensitive PDF Uploads to ChatGPT
To prevent uploading PDFs containing sensitive data to ChatGPT:
- Add specific ChatGPT upload endpoints: `https://chatgpt.com/backend-api/files`, `https://chatgpt.com/backend-api/files/process_upload_stream`, .oaiusercontent.com
- Select PDF and other relevant file content types
- Create Purview DLP policy targeting ChatGPT with Block action
- Use browser developer tools to identify upload endpoints for other applications
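To make the flow in sections 3, 5 and 7 concrete, here is an added Python model of how a content policy rule set to Scan with Purview hands a matching request to a DLP rule, which then returns Audit or Block. This is illustrative code written for this article, not Microsoft's implementation: the two regex detectors stand in for Purview sensitive information types, the destination-matching semantics (leading-dot entry = any subdomain, full URL entry = prefix match) are assumptions, `example.invalid` is a constructed host, and every sample request is constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse
# Stand-ins for two Purview sensitive information types (SITs); constructed for this demo.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the sanity check a card-number SIT applies to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> set[str]:
    """SIT names detected in a text payload (or in text Purview extracted from a file)."""
    found = {"Credit Card Number" for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))}
    if SSN_RE.search(text):
        found.add("U.S. Social Security Number (SSN)")
    return found

@dataclass
class ContentRule:               # one rule of a Global Secure Access content policy
    name: str
    action: str                  # "Allow", "Block" or "ScanWithPurview"
    activities: set[str]         # e.g. {"Upload"}
    content_types: set[str]      # MIME types, e.g. {"text/plain", "application/pdf"}
    destinations: set[str]       # exact URLs / FQDNs as entered for the rule
    priority: int = 100
@dataclass
class DlpRule:                   # Purview DLP rule: 'Content contains' + Audit/Block
    name: str
    sensitive_types: set[str]
    mode: str                    # "Audit" or "Block"
@dataclass
class Request:                   # one outbound web request seen by the GSA client
    url: str
    activity: str
    content_type: str
    body: str                    # text sent, or the text extracted from an uploaded file

def matches_destination(url: str, destinations: set[str]) -> bool:
    host = urlparse(url).hostname or ""
    for dest in destinations:
        if dest.startswith(".") and host.endswith(dest):   # assumed: leading dot = any subdomain
            return True
        if "://" in dest and url.startswith(dest):         # assumed: full URL entry = prefix match
            return True
        if host == dest:                                   # bare FQDN: exact host match
            return True
    return False

def evaluate(req: Request, content_rules: list, dlp_rules: list) -> tuple[str, str]:
    """Return (verdict, reason); verdict is Allow, Block or Audit."""
    for rule in sorted(content_rules, key=lambda r: r.priority):
        if req.activity not in rule.activities or req.content_type not in rule.content_types:
            continue
        if not matches_destination(req.url, rule.destinations):
            continue
        if rule.action in ("Allow", "Block"):        # basic MIME-type based rule
            return rule.action, f"content rule '{rule.name}'"
        hits = classify(req.body)                    # Scan with Purview path
        for dlp in dlp_rules:
            matched = hits & dlp.sensitive_types
            if matched:
                return dlp.mode, f"DLP rule '{dlp.name}' matched {sorted(matched)}"
        return "Allow", f"scanned by '{rule.name}', nothing sensitive found"
    return "Allow", "no content rule matched"

# Policies mirroring Example 1 (Gmail) and Example 2 (ChatGPT) above.
CONTENT_RULES = [
    ContentRule("Gmail text", "ScanWithPurview", {"Upload"}, {"text/plain"},
                {"mail.google.com"}, priority=100),
    ContentRule("ChatGPT files", "ScanWithPurview", {"Upload"}, {"application/pdf"},
                {"https://chatgpt.com/backend-api/files",
                 "https://chatgpt.com/backend-api/files/process_upload_stream",
                 ".oaiusercontent.com"}, priority=200),
]
DLP_BLOCK = DlpRule("Block PII to cloud/AI apps",
                    {"Credit Card Number", "U.S. Social Security Number (SSN)"}, "Block")
# Constructed sample traffic (4111 1111 1111 1111 is the well-known Visa test number).
SAMPLE_REQUESTS = {
    "gmail_card_number": Request("https://mail.google.com/mail/u/0/", "Upload",
                                 "text/plain", "Card on file: 4111 1111 1111 1111"),
    "gmail_harmless": Request("https://mail.google.com/mail/u/0/", "Upload",
                              "text/plain", "Lunch moved to 12:30, see you there"),
    "chatgpt_pdf_with_ssn": Request("https://chatgpt.com/backend-api/files", "Upload",
                                    "application/pdf", "Applicant SSN 123-45-6789"),
    "other_site_card_number": Request("https://example.invalid/upload", "Upload",
                                      "text/plain", "4111 1111 1111 1111"),
}

def run_demo(dlp_rules=(DLP_BLOCK,)) -> dict[str, str]:
    """Evaluate every constructed request and return {label: verdict}."""
    results = {}
    for label, req in SAMPLE_REQUESTS.items():
        verdict, reason = evaluate(req, CONTENT_RULES, list(dlp_rules))
        results[label] = verdict
        print(f"{label:<24} {verdict:<6} {reason}")
    return results

if __name__ == "__main__":
    run_demo()
```

Running `run_demo()` blocks the Gmail card number and the ChatGPT PDF containing an SSN, allows the harmless Gmail text after scanning, and allows the card number sent to the unlisted host because no content rule lists that destination. That last case is the practical lesson of step 2 in section 3: Scan with Purview only inspects traffic whose destination, activity and content type match a rule, so a destination list that is missing an upload endpoint is a gap regardless of how the DLP rule is written. Swapping `DLP_BLOCK` for a rule whose mode is "Audit" reproduces simulation mode: the same matches are reported without being blocked.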
What Undercode Say:
- Key Takeaway 1: The integration of Entra SASE with Purview represents a paradigm shift from reactive, endpoint-centric data protection to proactive, network-layer enforcement that follows data wherever it travels.
- Key Takeaway 2: Real-time, identity-aware enforcement based on user risk and data sensitivity enables organizations to balance security with productivity—blocking risky activities without introducing unnecessary friction for legitimate users.
Analysis: This integration fundamentally changes how security teams approach data protection in the AI era. Traditional DLP solutions operate at the endpoint or application layer, creating blind spots for traffic moving through unmanaged SaaS apps and AI tools. By extending Purview’s classification capabilities to the network layer through Entra SASE, Microsoft provides unified visibility and enforcement across browser sessions, SaaS usage, and AI interactions. The identity-centric approach ensures that enforcement adapts dynamically based on who the user is and their risk profile, not just what data is being transmitted. This reduces alert fatigue and false positives while catching genuine threats in real-time. The unified investigation workflows correlating identity, data, and insider risk signals across Purview, Entra, and Defender create a single pane of glass for security operations. However, organizations must carefully plan their deployment, ensuring proper licensing, pay-as-you-go billing configuration, and thorough testing in simulation mode before enforcement. The preview nature of Scan with Purview means features may evolve, so staying current with Microsoft’s documentation and release notes is essential.
Prediction:
- +1 This integration will accelerate enterprise adoption of SASE architectures by demonstrating clear security value beyond traditional networking benefits, making network-layer data protection a standard requirement in security RFPs.
- +1 As AI adoption continues to surge, network-layer DLP will become as fundamental as email filtering, with this Microsoft integration setting the benchmark for how security platforms must evolve to protect against AI-related data leakage.
- -1 Organizations that fail to implement such network-layer protections will face increasing regulatory scrutiny and breach risks as employees increasingly leverage unmanaged AI tools for productivity, creating a widening security gap.
- +1 The unified policy model—where Purview classifications enforce consistently across endpoints, applications, and network—will reduce operational overhead and policy conflicts, enabling security teams to manage fewer policies with greater effectiveness.
- +1 Microsoft’s integration of insider risk detection with network enforcement will enable proactive threat hunting, identifying risky user behavior patterns before they result in data exfiltration, shifting security from reactive to predictive.
Reported By: Markolauren Sase – Hackers Feeds