Purview update: because apparently blocking dodgy AI in Edge was just too difficult

By Åsne Holtklimpen Sep 19, 2025

Users can’t resist. Give them half a chance and they’ll paste company secrets into whatever shiny GenAI toy they found on Reddit – usually through an unmanaged browser on their personal laptop. Brilliant. And who gets to clean up the mess? You, the admin.

Microsoft, in a shocking twist, has actually made something easier for admins. Purview now tightens its grip on Edge so you can enforce policies without spending your evenings hand-crafting XML and praying nobody notices the gaps.

Why on earth did we ever do this manually?

Until now, you had to create Edge configuration policies by hand to enforce DLP or Collection rules. Because nothing says “Friday fun” like hand-crafting XML just to stop Bob uploading spreadsheets to DefinitelyNotAScamAI.com.

Automated wizardry, finally

Now Microsoft Purview actually does some of the graft for you:

  • Collection Policies – these govern how browser activity and traffic are collected for auditing. Before, you had to bolt on an extra Edge config policy to capture that data. Now, Edge just respects the Purview Collection Policy natively. No extra JSON/XML juggling, no duct tape.
  • Data Loss Prevention (DLP) Policies – these protect sensitive data from strolling off to random cloud apps. With this update, every time you define a DLP policy, Edge will automatically generate the corresponding configuration so the browser knows when to trigger restrictions. In other words: the browser finally listens without you needing to micromanage it.

And yes, you still get the familiar modes:

  • Audit Mode → “We’ll log that you tried to upload the entire HR folder to ShadyAI.co.uk, but we won’t actually stop you. Yet.”
  • Block Mode → “No chance. That file is staying right here, and Edge will slam the door in your face.”

Time to clean up your own mess

If you’ve already cobbled together your own Edge policies, now’s the moment to scrap them. Otherwise you’ll end up double-blocking and the users will riot. Update your DLP policies and let Microsoft’s automation do the donkey work.

For those of you who actually want to look up the Microsoft Roadmap:

  • Roadmap ID 486368 – for when you want to look clever dropping numbers in meetings.
  • Currently in preview, rolling out more broadly later this autumn (assuming Microsoft doesn’t quietly change its mind halfway through, as per tradition).

Admins, over to you

How to actually do this (because bullet points alone don’t fix configs)

1. Review your existing Edge configuration policies

  • Head into Microsoft Intune (Endpoint Manager) or wherever you’ve been pushing your Edge policies.
  • Look for custom policies that set conditions for Purview DLP or “collection” behaviour.
  • Pay special attention to anything that blocks unmanaged browsers, or applies “use Edge only” restrictions. Those are the ones most likely to clash.

Tip: If you see XML or JSON you copy-pasted from a blog post in 2019, this is what we’re talking about.

2. Bin the ones that clash

  • If a policy is duplicating what Purview will now enforce automatically, retire it.
  • In Intune, this means: disable or delete those custom Edge policies.
  • The goal: stop double-blocking users (nothing like watching someone get locked out of SharePoint twice for the price of one).

3. Update your Purview DLP policies

  • Go to the Microsoft Purview compliance portal → Data loss prevention.
  • Edit your existing DLP policies and check that the rules include the apps, locations, and data you care about (Exchange, SharePoint, OneDrive, Teams, plus now Edge browser).
  • Save and publish the policies. When you do, Purview will now auto-generate the Edge configuration in the background.

4. Choose your flavour: Audit or Block

  • Audit mode = logs the dodgy behaviour, but doesn’t stop it. Great for piloting or for showing your CISO just how reckless the marketing team is.
  • Block mode = actually stops the action in Edge. Perfect for when you’re done playing nice and want to keep payroll data out of “DefinitelyNotAScamAI.com.”

5. Test before you brag

  • Grab a test account, apply your shiny new DLP policy, and try to upload something sensitive in Edge.
  • Confirm Audit vs Block behaves the way you expect.
  • Then, and only then, roll it out wider.
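
One way to do the review in steps 1 and 2 at scale is to triage an export of your configuration profiles by keyword before opening each one. This is an added example, not code from Microsoft or from the original post; the export shape (`name`, `description`, `settings`) and every sample profile and setting string are constructed placeholders.

```python
import re

# Constructed sample: a simplified export of Intune configuration profiles.
# Field names and setting strings are assumptions for this example, not a
# Microsoft Graph schema or real Edge policy names.
PROFILES = [
    {"name": "Edge - Purview DLP activation (manual)",
     "description": "Hand-built Edge config so DLP rules fire in the browser",
     "settings": ["microsoft_edge/<placeholder-dlp-setting>"]},
    {"name": "Edge - collection policy helper",
     "description": "Captures browser activity for Purview auditing",
     "settings": ["microsoft_edge/<placeholder-collection-setting>"]},
    {"name": "Browsers - use Edge only",
     "description": "Blocks unmanaged browsers on corporate devices",
     "settings": ["<placeholder-app-restriction>"]},
    {"name": "Edge - homepage and favourites",
     "description": "Branding only",
     "settings": ["microsoft_edge/<placeholder-homepage-setting>"]},
    {"name": "Knowledge base kiosk",
     "description": "Kiosk lockdown, no browser policy",
     "settings": ["<placeholder-kiosk-setting>"]},
]

# Word boundaries stop "Knowledge" matching "edge"; the second alternative
# catches "microsoft_edge", where the underscore hides the boundary.
EDGE = re.compile(r"\bedge\b|microsoft_edge", re.I)
PURVIEW = re.compile(r"\b(dlp|data loss prevention|purview|collection)\b", re.I)
RESTRICT = re.compile(r"\bunmanaged browsers?\b|\bedge only\b", re.I)

def classify(profile):
    """Return a triage verdict for one exported profile."""
    text = " ".join([profile["name"], profile["description"], *profile["settings"]])
    if EDGE.search(text) and PURVIEW.search(text):
        return "retire-candidate"   # duplicates what Purview now generates
    if RESTRICT.search(text):
        return "review-for-clash"   # "use Edge only" / unmanaged-browser blocks
    return "keep"

def triage(profiles):
    """Map each profile name to its verdict."""
    return {p["name"]: classify(p) for p in profiles}

if __name__ == "__main__":
    for name, verdict in triage(PROFILES).items():
        print(f"{verdict:17} {name}")
```

The verdicts are a shortlist for a human to open and confirm, not a deletion list.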

So that’s the job: audit what you’ve built, bin the cruft, let Purview do the heavy lifting, and test before you tell your boss it’s sorted.

It’s not magic – users will still find new and exciting ways to spill data where it doesn’t belong – but at least you won’t be babysitting hand-rolled Edge configs anymore. One less XML rabbit hole to fall into, and one more chance to look smug in the next IT steering meeting.

Author

  • Åsne Holtklimpen

    Åsne is a Microsoft MVP within Microsoft Copilot, an MCT and works as a Cloud Solutions Architect at Crayon. She was recently named one of Norway’s 50 foremost women in technology (2022) by Abelia and the Oda network. She has over 20 years of experience as an IT consultant and she works with Microsoft 365 – with a special focus on Teams and SharePoint, and the data flow security in Microsoft Purview.
