ChatGPT Security: Stop PII Leaks with Microsoft Purview
Generative AI tools such as ChatGPT make it easy for users to summarise documents, analyse records and generate content. However, they also create a new route through which sensitive organisational data can be disclosed.
A user can accidentally paste customer information, login credentials, payment details or other personally identifiable information into an external AI service. Traditional access controls do not necessarily prevent this because the user may be authorised to access both the sensitive information and the AI website.
Microsoft Purview Data Loss Prevention can inspect text entered into supported AI websites through Microsoft Edge for Business and block the submission when it contains sensitive information.
In this article, I demonstrate how to configure a Purview DLP policy that:
- Allows normal ChatGPT prompts
- Detects sensitive information in a prompt
- Blocks the prompt before it is submitted
- Displays a notification to the user
- Records the event in Microsoft Purview
- Provides additional visibility through Data Security Posture Management
Demo objective
The demonstration uses a managed Windows 11 device and a test user called:
bob@michaelwhitehouse.co.uk
Bob can submit a normal prompt such as:
Explain the difference between Azure Policy and Azure RBAC.
However, a prompt containing a test credit card number is blocked:
Summarise this customer record:
Customer: Demo User
Credit card number: 4242 4242 4242 4242
Expiry date: 12/30
Security code: 123
The objective is not to block ChatGPT completely. Instead, ChatGPT remains available while Microsoft Purview controls which information can be sent to it.
Solution architecture
The main components are:
Microsoft Entra ID
↓
Microsoft Intune-managed Windows 11 device
↓
Microsoft Edge for Business
↓
Microsoft Purview inline web traffic DLP policy
↓
Consumer ChatGPT
Microsoft Defender for Cloud Apps supplies the cloud application catalogue and categories used by the adaptive application scopes. Microsoft Purview then applies the sensitive-information policy to the selected unmanaged AI applications.
Microsoft supports blocking sensitive text prompts sent from Edge for Business to consumer AI applications including ChatGPT, consumer Microsoft Copilot, DeepSeek and Google Gemini.
Microsoft documentation: Protect sensitive data shared with AI applications
Is the traffic sent through a proxy?
For this configuration, the entire browser session is not sent through the traditional Defender for Cloud Apps reverse proxy.
Instead:
Purview distributes the DLP policy
↓
Edge for Business receives the policy
↓
Edge inspects the prompt locally
↓
Sensitive prompt → blocked
Normal prompt → submitted to ChatGPT
↓
Policy event reported to Purview
The inspection and enforcement occur inside Edge for Business before the text is submitted to ChatGPT.
The browser still communicates with Microsoft services to receive policy updates and report audit events, policy matches and alerts. This differs from network-level Purview protection, where a SASE or SSE product sends network data to Purview for real-time classification and policy evaluation.
Microsoft documentation: Browser DLP
Prerequisites
For the demonstration, I used:
- Microsoft Entra ID
- Microsoft Intune
- Microsoft Edge for Business
- Microsoft Purview Data Loss Prevention
- Microsoft Purview Suite
- Microsoft Defender for Cloud Apps
- A Windows 11 device
- A test user licensed for the required Purview features
The Windows device must be managed and the user must use an Edge for Business work profile.
User: bob@michaelwhitehouse.co.uk
Device: Windows 11
Management: Microsoft Intune
Browser: Microsoft Edge for Business
Step 1: Confirm the Windows device is managed
Open the Microsoft Intune admin centre and go to:
Devices
→ All devices
→ Select the Windows 11 device
Confirm:
Managed by: Intune
Operating system: Windows
Primary user: bob@michaelwhitehouse.co.uk
Last check-in: Recent
On the device, run:
dsregcmd /status
Confirm:
AzureAdJoined : YES
AzureAdPrt : YES
The Primary Refresh Token confirms that the signed-in user has a valid Microsoft Entra authentication session.
Step 2: Create the assignment groups
I created separate groups for users and devices.
User group
DSPM-AI-Demo-Users
Member:
bob@michaelwhitehouse.co.uk
This group is used to scope the Purview policy.
Device group
DSPM-AI-Demo-Devices
Member:
Windows 11 demo device
The device group can be used for Intune configuration profiles, compliance policies and browser configuration.
Separating user and device groups makes policy troubleshooting easier.
Step 3: Configure Edge for Business
On the Windows 11 device:
- Open Microsoft Edge.
- Select the profile icon.
- Sign in with the work account.
- Confirm the active profile shows the work account.
bob@michaelwhitehouse.co.uk
Work
Open:
edge://management
The browser should report that it is managed by the organisation.
Then open:
edge://policy
This page displays policies applied to Edge and provides a Reload policies button.
Microsoft documentation: In-browser protection
Step 4: Open Microsoft Purview DLP
In the Microsoft Purview portal, go to:
Solutions
→ Data Loss Prevention
→ Policies
→ Create policy
Select:
Inline web traffic
This option protects data transferred in real time to unmanaged cloud applications through Edge for Business and supported network integrations.
Microsoft documentation: Block sensitive data sent to unmanaged AI apps through Edge
Step 5: Create the policy
Select:
Category: Custom
Template: Custom policy
Use a name such as:
DSPM AI Demo - Block Sensitive ChatGPT Prompts
A suitable description is:
Blocks sensitive information entered into unmanaged generative AI applications through Microsoft Edge for Business.
Step 6: Select the cloud application scope
On the cloud applications page, select:
Adaptive app scopes
→ All unmanaged AI apps
This adaptive scope includes unmanaged applications classified as generative AI, such as ChatGPT, Gemini, DeepSeek and others.
The application categories come from the Defender for Cloud Apps cloud application catalogue.
You can review the catalogue from:
Microsoft Defender portal
→ Cloud Apps
→ Cloud app catalog
Filter the catalogue using categories such as:
- Generative AI
- Cloud storage
- Collaboration
- Social network
- Webmail
The exact list of supported AI applications continues to expand, and Microsoft maintains a supported-sites list for Purview AI protection.
Microsoft documentation: Supported AI sites
Step 7: Scope the policy to the test user
For the application scope, select:
Include only specific
Add:
DSPM-AI-Demo-Users
This limits the initial deployment to Bob instead of applying it to the entire organisation.
The resulting scope should show:
Application scope: All unmanaged AI apps
Included group: DSPM-AI-Demo-Users
Excluded users: None
Step 8: Create the DLP rule
Create a rule named:
Block Sensitive Info to AI
Under Conditions, select:
Content contains
→ Sensitive information types
For the first test, add:
Credit Card Number
Start with a single sensitive information type. This makes it easier to verify that the policy is working before adding additional classifiers.
You can later include:
- UK National Insurance Number
- UK passport number
- International Bank Account Number
- Login credentials
- All credential types
- Custom sensitive information types
Step 9: Configure the blocking action
Under Actions, select:
Restrict actions to cloud app locations
Configure:
Text sent to or shared with cloud or AI apps
→ Block
Optionally configure:
Files uploaded to cloud or AI apps
→ Block
For the prompt demonstration, the important control is the text action.
Step 10: Configure the user notification
Enable user notifications and use a message such as:
This prompt contains sensitive information and cannot be shared with an unmanaged AI application.
For the clearest demonstration, configure:
Block without override
An override with business justification can be added later if required by the organisation.
Step 11: Configure alerts
Enable alerts for matching activity.
For a test environment, use:
Alert frequency: Every matching activity
Severity: Medium
This makes it easier to correlate each blocked ChatGPT test with an event in Purview.
Step 12: Activate the policy
Initially, you can use simulation mode to verify detection without blocking.
After validating the event, change the policy mode to:
On
The policy list will show a synchronisation status.
Wait for:
Policy sync status: Completed
DLP policy changes can take time to distribute across Microsoft services and managed browsers.
Step 13: Allow Purview to configure Edge protection
When the first unmanaged cloud application policy is activated, Purview automatically creates the supporting Edge and Intune configuration.
This can include:
- Edge configuration policies
- An included-users security group
- An excluded-users security group
- Intune anti-bypass policies
- Browser restrictions for unsupported protection paths
Microsoft recommends that these automatically created policies and groups are not manually edited.
Microsoft documentation: Microsoft Edge configuration for Purview DLP
You may see a group named:
Purview DLP browser protection - included users
This group may not always show individual users directly, depending on how the Purview scope is configured. The authoritative configuration remains the user or group scope selected in the DLP policy.
Step 14: Synchronise the device
On Bob's Windows device, go to:
Settings
→ Accounts
→ Access work or school
→ Select the organisation
→ Info
→ Sync
Restart Edge and open:
edge://policy
Select:
Reload policies
Also confirm:
edge://management
shows that the browser is managed.
Step 15: Test a normal ChatGPT prompt
Open consumer ChatGPT in Bob's Edge work profile.
Submit:
Explain the difference between Azure Policy and Azure RBAC.
Expected result:
Prompt allowed
This demonstrates that the policy is not simply blocking access to ChatGPT.
Step 16: Test sensitive information
Use test data only.
Summarise this customer record:
Customer: Demo User
Card number: 4242 4242 4242 4242
Security code: 123
Expiry date: 12/30
Expected result:
Prompt blocked before submission
The user should see the configured Purview notification.
The sensitive data should not be submitted to ChatGPT because Edge performs the policy evaluation before allowing the browser action.
Test card details
The following values can be used as demonstration data:
| Card type | Test card number | Security code | Expiry date |
|---|---|---|---|
| Visa | 4242 4242 4242 4242 | 123 | 12/30 |
| Visa debit | 4000 0566 5566 5556 | 456 | 11/30 |
| Mastercard | 5555 5555 5555 4444 | 789 | 10/30 |
| Mastercard 2-series | 2223 0031 2200 3222 | 321 | 09/30 |
| Mastercard debit | 5200 8282 8282 8210 | 654 | 08/30 |
| Mastercard prepaid | 5105 1051 0510 5100 | 987 | 07/30 |
| American Express | 3782 822463 10005 | 1234 | 06/30 |
| Discover | 6011 1111 1111 1117 | 246 | 04/30 |
| Diners Club | 3056 9300 0902 0004 | 975 | 01/30 |
These are test values and must not be used for real transactions.
Step 17: Review the event in Activity Explorer
In Microsoft Purview, go to:
Data Loss Prevention
→ Explorers
→ Activity explorer
Filter by:
User: bob@michaelwhitehouse.co.uk
Policy: DSPM AI Demo - Block Sensitive ChatGPT Prompts
Action: Blocked
Sensitive information type: Credit Card Number
Application: ChatGPT
The event may take some time to appear.
Also check:
Data Loss Prevention
→ Alerts
The alert should show:
- The user
- The destination application
- The matching sensitive information type
- The action taken
- The policy and rule that caused the block
Adding DSPM visibility
Microsoft Purview Data Security Posture Management provides a central location for discovering and monitoring AI use across an organisation. It can highlight users interacting with AI applications, sensitive data risks and recommended security controls.
Open:
Microsoft Purview
→ DSPM
Look for recommendations relating to:
Discover AI application usage
Detect sensitive information shared with AI applications
Extend data security insights
DSPM provides reporting and recommendations. The DLP policy remains the component that performs the real-time blocking action.
Be careful when enabling prompt and response capture. Content capture must be explicitly enabled in relevant collection policies and can result in prompt or response content being collected for investigation.
Microsoft documentation: DSPM for AI
What about Chrome and Firefox?
The inline unmanaged-AI policy demonstrated here is designed around Edge for Business.
For Chrome and Firefox, Microsoft provides Purview browser extensions that work with Endpoint DLP.
Chrome
The Microsoft Purview extension for Chrome can monitor attempts to access or upload sensitive items and apply Endpoint DLP controls. The device must be onboarded into Endpoint DLP and licensed appropriately.
Microsoft documentation: Purview DLP for Chrome
Firefox
Microsoft also provides a Purview extension for Firefox. The Windows device must be onboarded into Endpoint DLP before the extension can be used.
Microsoft documentation: Purview DLP for Firefox
For these browsers, create a separate Endpoint DLP policy using the Devices location.
Typical actions include:
Paste to a supported browser
Upload to a restricted cloud service domain
Copy sensitive content
Print sensitive content
This is not identical to Edge's inline AI prompt inspection. Endpoint DLP often controls actions such as pasting or uploading sensitive content, while Edge can apply the unmanaged AI application policy directly within the browser.
Preventing browser bypass
Purview can create supporting Intune policies intended to prevent users bypassing Edge protection through unsupported browsers.
A practical organisational model is:
Edge for Business
→ ChatGPT allowed
→ Sensitive prompts inspected and blocked
Chrome and Firefox
→ Protected with Endpoint DLP extensions
or
→ Access restricted to prevent bypass
Microsoft describes Edge for Business as supporting controls that block sensitive sharing to unmanaged cloud applications and restrict circumvention through other browsers.
Microsoft documentation: Microsoft Edge security and DLP
Network-wide protection
Organisations requiring consistent inspection across multiple browsers, applications and unmanaged devices can use Microsoft Purview Network Data Security with an integrated SASE or SSE platform.
In that architecture:
Browser or application
→ SASE/SSE service
→ Microsoft Purview classification
→ Allow or block decision
The network security integration sends traffic data to Purview for real-time classification and policy evaluation. This differs from Edge's local in-browser enforcement.
Microsoft documentation: Purview Network Data Security
Final result
The completed demonstration provides a clear security outcome:
Normal ChatGPT prompt
→ Allowed
Prompt containing credit card information
→ Detected by Microsoft Purview
→ Blocked locally in Edge for Business
→ Event reported to Activity Explorer
→ Alert available to administrators
This allows an organisation to provide access to generative AI tools while reducing the risk of users accidentally disclosing sensitive information.
Rather than treating ChatGPT as either completely allowed or completely blocked, Microsoft Purview provides a more targeted control: users can access the service, but sensitive information is prevented from leaving the managed environment.
Watch the video
The accompanying video is titled ChatGPT Security Demo: Stop PII Leaks with Microsoft Purview.
Visit www.michaelwhitehouse.com or subscribe to youtube.com/@mwcloud for more Microsoft cloud, security and administration content.
ChatGPT Security: Stop PII Leaks with Microsoft Purview