Microsoft Purview: Integration with Entra GSA Internet Access to enable sensitive file filtering at the network layer

Microsoft Purview DLP policies will integrate with Entra Global Secure Access Internet Access to inspect and control sensitive file traffic at the network layer. Public preview starts mid-November 2025, enabling granular policy enforcement across unmanaged cloud apps, with centralized alert management in Purview and Defender.

[Introduction]

To help organizations better protect sensitive files in transit, we're introducing a public preview for extending Microsoft Purview Data Loss Prevention (DLP) policies to the network through integration with Entra Global Secure Access Internet Access. Through this integration, organizations can intercept and inspect file traffic at the network layer and enforce actions based on DLP policy conditions. It helps prevent sensitive files from being shared with untrusted cloud applications through browsers, apps, APIs, add-ins, and more—including generative AI platforms, cloud storage, and content-sharing services—while managing alerts and incidents through Purview and Microsoft Defender.

This message is associated with Roadmap ID 522096.

[When this will happen:]

• Public preview: Rollout begins mid-November 2025 and completes by mid-December 2025.
• General availability: Rollout begins mid-June 2026 and completes by mid-July 2026.

[How this affects your organization:]

• Who is affected: Microsoft 365 tenants with E3 or E5 licenses; Admins managing Microsoft Purview DLP and Entra Global Secure Access.
• What will happen:
  • A new “Inline Web Traffic” scenario will be available in Purview DLP policy creation.
  • Admins can configure granular policies and rules to detect and protect sensitive files transmitted to over 35,000 unmanaged cloud applications.
  • Policy matches, alerts, and incidents will be managed centrally in Microsoft Purview and Microsoft Defender.
  • The feature will be available by default but requires configuration to activate.

[What you can do to prepare:]

• Ensure your GSA administrator configures the following in Entra Global Secure Access:
  • Enabled the internet access traffic profile and ensure the correct user assignments apply.
  • Configure TLS inspection and configure a TLS inspection policy.
  • Create a file policy and add a rule that specifies the action "Scan with Purview".
  • Configure a security profile with the above policies and link it to a conditional access policy.
• Your global admin must activate Purview pay-as-you-go to enable this capability. No charges will apply during public preview.
• Review your current DLP and network configurations to assess impact.
• Communicate this change to helpdesk and security teams.
• Update internal documentation to reflect new policy options.
• For more details, refer to: Learn about data loss prevention

[Compliance considerations:]

Compliance Area	Explanation
Alters how existing customer data is processed	Sensitive file traffic is inspected at the network layer before reaching unmanaged cloud apps.
Introduces AI/ML capabilities	DLP policies may interact with generative AI platforms to prevent data leakage.
Modifies DLP enforcement	Adds network-layer enforcement to existing Purview DLP capabilities.
Adds integration to extend Purview DLP controls	Integrates with Entra Global Secure Access Internet Access.
Includes admin control	Controlled via Purview and Entra admin portals.
Can be controlled through Entra ID group membership	Policy scoping can leverage Entra ID groups.