CloudAppSecurityDocs/content-inspection.md
9 additions & 13 deletions
Original file line number
Diff line number
Diff line change
@@ -1,29 +1,23 @@
1
1
---
2
2
title: DLP content inspection
3
3
description: This article describes the process Defender for Cloud Apps follows when performing DLP content inspection on data in your cloud.
4
-
ms.date: 06/16/2025
4
+
ms.date: 06/26/2025
5
5
ms.topic: how-to
6
6
---
7
7
# DLP content inspection in Microsoft Defender for Cloud Apps
8
8
9
-
When you enable content inspection, you can choose to inspect content using preset expressions or custom expressions that you define. You can also set a minimum number of content violations that must be detected before a file is considered a policy violation. For example, to trigger a policy when at least 10 credit card numbers are found in a file, set the violation threshold to 10.
10
9
11
-
When content matches an expression, the matched text is masked by replacing it with "X" characters. By default, Defender for Cloud Apps displays 100 characters of surrounding context before and after each violation. Any numbers in the surrounding context are replaced with "#" characters and aren't stored in Defender for Cloud Apps.
12
-
13
-
If you want to partially reveal detected values, you can enable the **Unmask the last four characters of a match** option in the file policy. This option reveals only the last four characters of the matched text.
14
-
15
-
You must specify which file elements are included in the inspection: content, metadata, or file name. By default, content and metadata are inspected.
10
+
Data Loss Prevention (DLP) in Defender for Cloud Apps relies on content inspection for identifying sensitive data within files. This inspection allows you to define expressions, thresholds, and rules that determine when files violate your organization’s data protection policies. Together, DLP policies and content inspection enable automated detection, alerting, and enforcement across files stored in connected cloud applications.
16
11
17
-
This enables inspection of protected content, helping you detect sensitive data, enforce compliance, and apply governance actions on encrypted files. It helps reduce false positives and align policy enforcement with internal classification standards.
12
+
When you enable content inspection, you can choose to inspect content using preset expressions or custom expressions that you define. You can also set a minimum number of content violations that must be detected before a file is considered as a policy violation. For example, to trigger a policy when at least 10 credit card numbers are found in a file, set the violation threshold to 10.
18
13
14
+
When content matches an expression, the matched text is masked by replacing it with "X" characters. By default, Defender for Cloud Apps displays 100 characters of surrounding context before and after each violation. Any numbers in the surrounding context are replaced with "#" characters and aren't stored in Defender for Cloud Apps.
19
15
20
-
## Prerequisites
21
-
22
-
Before you can inspect encrypted files, you must grant one-time admin consent.
16
+
This approach is critical for meeting compliance regulations. For example, if an employee shares a file containing sensitive information such as credit card numbers or ID numbers with an unauthorized party (such as a vendor), the file policy can alert administrators or block the activity. This ensures that sensitive data is protected and that vendors or external parties can't access information that violates compliance policies.
23
17
24
-
1. In the Defender portal, go to **Settings > Cloud Apps > Microsoft Information Protection > Inspect protected files**.
18
+
If you want to partially reveal detected values, you can enable the **Unmask the last four characters of a match** option in the file policy. This option reveals only the last four characters of the matched text.
25
19
26
-
1. Select Grant permission and to grant Defender for Cloud Apps permission in Microsoft Entra ID.
20
+
You must specify which file elements are included in the inspection: content, metadata, or file name. By default, content and metadata are inspected. This enables inspection of protected content, helping you detect sensitive data, enforce compliance, and apply governance actions on encrypted files. It helps reduce false positives and align policy enforcement with internal classification standards.
27
21
28
22
## Content inspection for protected files
29
23
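Review bot: The whole Prerequisites section (the one-time admin consent, the step "In the Defender portal, go to **Settings > Cloud Apps > Microsoft Information Protection > Inspect protected files**", and the Grant permission step) is deleted in this hunk with no replacement added, so the reader no longer learns how to enable inspection of protected files; if that procedure was moved into the "Content inspection for protected files" or "Configure Microsoft Information Protection settings" section, the hunk should show it, otherwise restore it. Related, new line 20 welds "This enables inspection of protected content, helping you detect sensitive data ... on encrypted files" onto the sentence about choosing content, metadata, or file name; that sentence originally followed the consent steps, and attached here it wrongly implies that selecting file elements is what enables inspection of encrypted files, so keep it as its own paragraph next to the consent procedure. Minor: new line 12 changes "considered a policy violation" to "considered as a policy violation", a grammar regression; keep the original wording.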
@@ -41,6 +35,8 @@ The following app IDs apply based on your Microsoft cloud environment:
>These app IDs represent the internal service principal (app registration) used by Defender for Cloud Apps in each environment (Public, Fairfax, and GCCM) to enable inspection and enforcement of protected files. Disabling or removing this app breaks inspection and prevent DLP policies from applying to protected files. Always verify that the app ID for your environment is present and enabled to maintain inspection and enforcement capabilities.
44
40
45
41
## Configure Microsoft Information Protection settings
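Review bot: The note line kept as context in this hunk has a subject-verb error: "Disabling or removing this app breaks inspection and prevent DLP policies from applying" should read "prevents DLP policies from applying"; since the hunk already touches this region, fix it here. With the admin-consent steps removed in the first hunk, this note's instruction to "verify that the app ID for your environment is present and enabled" is the only remaining pointer to how protected-file inspection is enabled, so it should link or refer to wherever that procedure now lives.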