Microsoft Purview compliance portal: Endpoint Data Loss Prevention- Separate role added for downloading the original file evidence for Endpoint

🚨 The Signal: A new, separate role in Microsoft Purview now controls who can download original file evidence from Endpoint DLP. This enhances data access control, reducing the risk of unauthorized evidence exfiltration by restricting sensitive data access.

The Impact

Security teams and compliance officers are affected by enhanced control over sensitive DLP evidence, reducing insider risk.

• Security teams: Gain granular control over DLP evidence access.
• Compliance officers: Improved auditability of sensitive data handling.
• Incident responders: Must be assigned the new role to download evidence.
• Privileged users: Reduced risk of unauthorized evidence download.

The Action

1. Identify users who require the ability to download original DLP evidence.
2. Navigate to Microsoft Purview compliance portal > Roles & scopes > Permissions.
3. Create or modify a role group to include the new 'Download original file evidence' permission.
4. Assign identified users to this role group.
5. Review existing DLP evidence access policies to ensure alignment with the new role.

Domain: Purview · Impact: medium · Workload: Microsoft Purview · Essential Eight: Restrict Administrative Privileges · ISM: ISM-0445, ISM-1175, ISM-1380, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1686, ISM-1688, ISM-1689, ISM-1883, ISM-1897, ISM-1898