ChatGPT Security: Stop PII Leaks with Microsoft Purview

Generative AI tools such as ChatGPT make it easy for users to summarise documents, analyse records and generate content. However, they also create a new route through which sensitive organisational data can be disclosed.

A user can accidentally paste customer information, login credentials, payment details or other personally identifiable information into an external AI service. Traditional access controls do not necessarily prevent this because the user may be authorised to access both the sensitive information and the AI website.

Microsoft Purview Data Loss Prevention can inspect text entered into supported AI websites through Microsoft Edge for Business and block the submission when it contains sensitive information.

In this article, I demonstrate how to configure a Purview DLP policy that:

  • Allows normal ChatGPT prompts
  • Detects sensitive information in a prompt
  • Blocks the prompt before it is submitted
  • Displays a notification to the user
  • Records the event in Microsoft Purview
  • Provides additional visibility through Data Security Posture Management

Demo objective

The demonstration uses a managed Windows 11 device and a test user called:

bob@michaelwhitehouse.co.uk

Bob can submit a normal prompt such as:

Explain the difference between Azure Policy and Azure RBAC.

However, a prompt containing a test credit card number is blocked:

Summarise this customer record:

Customer: Demo User
Credit card number: 4242 4242 4242 4242
Expiry date: 12/30
Security code: 123

The objective is not to block ChatGPT completely. Instead, ChatGPT remains available while Microsoft Purview controls which information can be sent to it.

Solution architecture

The main components are:

Microsoft Entra ID
        ↓
Microsoft Intune-managed Windows 11 device
        ↓
Microsoft Edge for Business
        ↓
Microsoft Purview inline web traffic DLP policy
        ↓
Consumer ChatGPT

Microsoft Defender for Cloud Apps supplies the cloud application catalogue and categories used by the adaptive application scopes. Microsoft Purview then applies the sensitive-information policy to the selected unmanaged AI applications.

Microsoft supports blocking sensitive text prompts sent from Edge for Business to consumer AI applications including ChatGPT, consumer Microsoft Copilot, DeepSeek and Google Gemini.

Microsoft documentation: Protect sensitive data shared with AI applications

Is the traffic sent through a proxy?

For this configuration, the entire browser session is not sent through the traditional Defender for Cloud Apps reverse proxy.

Instead:

Purview distributes the DLP policy
        ↓
Edge for Business receives the policy
        ↓
Edge inspects the prompt locally
        ↓
Sensitive prompt → blocked
Normal prompt → submitted to ChatGPT
        ↓
Policy event reported to Purview

The inspection and enforcement occur inside Edge for Business before the text is submitted to ChatGPT.

The browser still communicates with Microsoft services to receive policy updates and report audit events, policy matches and alerts. This differs from network-level Purview protection, where a SASE or SSE product sends network data to Purview for real-time classification and policy evaluation.

Microsoft documentation: Browser DLP

Prerequisites

For the demonstration, I used:

  • Microsoft Entra ID
  • Microsoft Intune
  • Microsoft Edge for Business
  • Microsoft Purview Data Loss Prevention
  • Microsoft Purview Suite
  • Microsoft Defender for Cloud Apps
  • A Windows 11 device
  • A test user licensed for the required Purview features

The Windows device must be managed and the user must use an Edge for Business work profile.

User: bob@michaelwhitehouse.co.uk
Device: Windows 11
Management: Microsoft Intune
Browser: Microsoft Edge for Business

Step 1: Confirm the Windows device is managed

Open the Microsoft Intune admin centre and go to:

Devices
→ All devices
→ Select the Windows 11 device

Confirm:

Managed by: Intune
Operating system: Windows
Primary user: bob@michaelwhitehouse.co.uk
Last check-in: Recent

On the device, run:

dsregcmd /status

Confirm:

AzureAdJoined : YES
AzureAdPrt    : YES

The Primary Refresh Token confirms that the signed-in user has a valid Microsoft Entra authentication session.

Step 2: Create the assignment groups

I created separate groups for users and devices.

User group

DSPM-AI-Demo-Users

Member:

bob@michaelwhitehouse.co.uk

This group is used to scope the Purview policy.

Device group

DSPM-AI-Demo-Devices

Member:

Windows 11 demo device

The device group can be used for Intune configuration profiles, compliance policies and browser configuration.

Separating user and device groups makes policy troubleshooting easier.

Step 3: Configure Edge for Business

On the Windows 11 device:

  1. Open Microsoft Edge.
  2. Select the profile icon.
  3. Sign in with the work account.
  4. Confirm the active profile shows the work account.
bob@michaelwhitehouse.co.uk
Work

Open:

edge://management

The browser should report that it is managed by the organisation.

Then open:

edge://policy

This page displays policies applied to Edge and provides a Reload policies button.

Microsoft documentation: In-browser protection

Step 4: Open Microsoft Purview DLP

In the Microsoft Purview portal, go to:

Solutions
→ Data Loss Prevention
→ Policies
→ Create policy

Select:

Inline web traffic

This option protects data transferred in real time to unmanaged cloud applications through Edge for Business and supported network integrations.

Microsoft documentation: Block sensitive data sent to unmanaged AI apps through Edge

Step 5: Create the policy

Select:

Category: Custom
Template: Custom policy

Use a name such as:

DSPM AI Demo - Block Sensitive ChatGPT Prompts

A suitable description is:

Blocks sensitive information entered into unmanaged generative AI applications through Microsoft Edge for Business.

Step 6: Select the cloud application scope

On the cloud applications page, select:

Adaptive app scopes
→ All unmanaged AI apps

This adaptive scope includes unmanaged applications classified as generative AI, such as ChatGPT, Gemini, DeepSeek and others.

The application categories come from the Defender for Cloud Apps cloud application catalogue.

You can review the catalogue from:

Microsoft Defender portal
→ Cloud Apps
→ Cloud app catalog

Filter the catalogue using categories such as:

  • Generative AI
  • Cloud storage
  • Collaboration
  • Social network
  • Webmail

The exact list of supported AI applications continues to expand, and Microsoft maintains a supported-sites list for Purview AI protection.

Microsoft documentation: Supported AI sites

Step 7: Scope the policy to the test user

For the application scope, select:

Include only specific

Add:

DSPM-AI-Demo-Users

This limits the initial deployment to Bob instead of applying it to the entire organisation.

The resulting scope should show:

Application scope: All unmanaged AI apps
Included group: DSPM-AI-Demo-Users
Excluded users: None

Step 8: Create the DLP rule

Create a rule named:

Block Sensitive Info to AI

Under Conditions, select:

Content contains
→ Sensitive information types

For the first test, add:

Credit Card Number

Start with a single sensitive information type. This makes it easier to verify that the policy is working before adding additional classifiers.

You can later include:

  • UK National Insurance Number
  • UK passport number
  • International Bank Account Number
  • Login credentials
  • All credential types
  • Custom sensitive information types

Step 9: Configure the blocking action

Under Actions, select:

Restrict actions to cloud app locations

Configure:

Text sent to or shared with cloud or AI apps
→ Block

Optionally configure:

Files uploaded to cloud or AI apps
→ Block

For the prompt demonstration, the important control is the text action.

Step 10: Configure the user notification

Enable user notifications and use a message such as:

This prompt contains sensitive information and cannot be shared with an unmanaged AI application.

For the clearest demonstration, configure:

Block without override

An override with business justification can be added later if required by the organisation.

Step 11: Configure alerts

Enable alerts for matching activity.

For a test environment, use:

Alert frequency: Every matching activity
Severity: Medium

This makes it easier to correlate each blocked ChatGPT test with an event in Purview.

Step 12: Activate the policy

Initially, you can use simulation mode to verify detection without blocking.

After validating the event, change the policy mode to:

On

The policy list will show a synchronisation status.

Wait for:

Policy sync status: Completed

DLP policy changes can take time to distribute across Microsoft services and managed browsers.

Step 13: Allow Purview to configure Edge protection

When the first unmanaged cloud application policy is activated, Purview automatically creates the supporting Edge and Intune configuration.

This can include:

  • Edge configuration policies
  • An included-users security group
  • An excluded-users security group
  • Intune anti-bypass policies
  • Browser restrictions for unsupported protection paths

Microsoft recommends that these automatically created policies and groups are not manually edited.

Microsoft documentation: Microsoft Edge configuration for Purview DLP

You may see a group named:

Purview DLP browser protection - included users

This group may not always show individual users directly, depending on how the Purview scope is configured. The authoritative configuration remains the user or group scope selected in the DLP policy.

Step 14: Synchronise the device

On Bob's Windows device, go to:

Settings
→ Accounts
→ Access work or school
→ Select the organisation
→ Info
→ Sync

Restart Edge and open:

edge://policy

Select:

Reload policies

Also confirm:

edge://management

shows that the browser is managed.

Step 15: Test a normal ChatGPT prompt

Open consumer ChatGPT in Bob's Edge work profile.

Submit:

Explain the difference between Azure Policy and Azure RBAC.

Expected result:

Prompt allowed

This demonstrates that the policy is not simply blocking access to ChatGPT.

Step 16: Test sensitive information

Use test data only.

Summarise this customer record:

Customer: Demo User
Card number: 4242 4242 4242 4242
Security code: 123
Expiry date: 12/30

Expected result:

Prompt blocked before submission

The user should see the configured Purview notification.

The sensitive data should not be submitted to ChatGPT because Edge performs the policy evaluation before allowing the browser action.

Test card details

The following values can be used as demonstration data:

Card type Test card number Security code Expiry date
Visa 4242 4242 4242 4242 123 12/30
Visa debit 4000 0566 5566 5556 456 11/30
Mastercard 5555 5555 5555 4444 789 10/30
Mastercard 2-series 2223 0031 2200 3222 321 09/30
Mastercard debit 5200 8282 8282 8210 654 08/30
Mastercard prepaid 5105 1051 0510 5100 987 07/30
American Express 3782 822463 10005 1234 06/30
Discover 6011 1111 1111 1117 246 04/30
Diners Club 3056 9300 0902 0004 975 01/30

These are test values and must not be used for real transactions.

Step 17: Review the event in Activity Explorer

In Microsoft Purview, go to:

Data Loss Prevention
→ Explorers
→ Activity explorer

Filter by:

User: bob@michaelwhitehouse.co.uk
Policy: DSPM AI Demo - Block Sensitive ChatGPT Prompts
Action: Blocked
Sensitive information type: Credit Card Number
Application: ChatGPT

The event may take some time to appear.

Also check:

Data Loss Prevention
→ Alerts

The alert should show:

  • The user
  • The destination application
  • The matching sensitive information type
  • The action taken
  • The policy and rule that caused the block

Adding DSPM visibility

Microsoft Purview Data Security Posture Management provides a central location for discovering and monitoring AI use across an organisation. It can highlight users interacting with AI applications, sensitive data risks and recommended security controls.

Open:

Microsoft Purview
→ DSPM

Look for recommendations relating to:

Discover AI application usage
Detect sensitive information shared with AI applications
Extend data security insights

DSPM provides reporting and recommendations. The DLP policy remains the component that performs the real-time blocking action.

Be careful when enabling prompt and response capture. Content capture must be explicitly enabled in relevant collection policies and can result in prompt or response content being collected for investigation.

Microsoft documentation: DSPM for AI

What about Chrome and Firefox?

The inline unmanaged-AI policy demonstrated here is designed around Edge for Business.

For Chrome and Firefox, Microsoft provides Purview browser extensions that work with Endpoint DLP.

Chrome

The Microsoft Purview extension for Chrome can monitor attempts to access or upload sensitive items and apply Endpoint DLP controls. The device must be onboarded into Endpoint DLP and licensed appropriately.

Microsoft documentation: Purview DLP for Chrome

Firefox

Microsoft also provides a Purview extension for Firefox. The Windows device must be onboarded into Endpoint DLP before the extension can be used.

Microsoft documentation: Purview DLP for Firefox

For these browsers, create a separate Endpoint DLP policy using the Devices location.

Typical actions include:

Paste to a supported browser
Upload to a restricted cloud service domain
Copy sensitive content
Print sensitive content

This is not identical to Edge's inline AI prompt inspection. Endpoint DLP often controls actions such as pasting or uploading sensitive content, while Edge can apply the unmanaged AI application policy directly within the browser.

Preventing browser bypass

Purview can create supporting Intune policies intended to prevent users bypassing Edge protection through unsupported browsers.

A practical organisational model is:

Edge for Business
→ ChatGPT allowed
→ Sensitive prompts inspected and blocked

Chrome and Firefox
→ Protected with Endpoint DLP extensions
or
→ Access restricted to prevent bypass

Microsoft describes Edge for Business as supporting controls that block sensitive sharing to unmanaged cloud applications and restrict circumvention through other browsers.

Microsoft documentation: Microsoft Edge security and DLP

Network-wide protection

Organisations requiring consistent inspection across multiple browsers, applications and unmanaged devices can use Microsoft Purview Network Data Security with an integrated SASE or SSE platform.

In that architecture:

Browser or application
→ SASE/SSE service
→ Microsoft Purview classification
→ Allow or block decision

The network security integration sends traffic data to Purview for real-time classification and policy evaluation. This differs from Edge's local in-browser enforcement.

Microsoft documentation: Purview Network Data Security

Final result

The completed demonstration provides a clear security outcome:

Normal ChatGPT prompt
→ Allowed

Prompt containing credit card information
→ Detected by Microsoft Purview
→ Blocked locally in Edge for Business
→ Event reported to Activity Explorer
→ Alert available to administrators

This allows an organisation to provide access to generative AI tools while reducing the risk of users accidentally disclosing sensitive information.

Rather than treating ChatGPT as either completely allowed or completely blocked, Microsoft Purview provides a more targeted control: users can access the service, but sensitive information is prevented from leaving the managed environment.

Watch the video

The accompanying video is titled ChatGPT Security Demo: Stop PII Leaks with Microsoft Purview.

Visit www.michaelwhitehouse.com or subscribe to youtube.com/@mwcloud for more Microsoft cloud, security and administration content.

ChatGPT Security: Stop PII Leaks with Microsoft Purview

Next
Next

The overwhelming pace of change: Or how I learned to stop worrying and love the score