Data Loss Prevention - Prerequisites
Before implementing Data Loss Prevention (DLP) in Microsoft Purview, ensure your environment is configured to support the policies and controls you plan to enforce. DLP relies on underlying services such as identity, device management, and endpoint visibility. Missing or misconfigured prerequisites can lead to inconsistent enforcement or unexpected behavior.
This page provides an overview of the prerequisites for deploying DLP across Microsoft 365 workloads, endpoints, and browsers. Validating these components helps ensure a smoother deployment, reduces troubleshooting, and maximizes the effectiveness of your data protection strategy.
- You must be assigned one of the following licenses:
  - Microsoft 365 E3/A3/G3/E5/A5/G5
- You must be assigned the appropriate roles and permissions within Entra. Eligible permissions (highest to least privileged):
  - Global Administrator
  - Compliance Administrator
  - Security Administrator
  - Security Operator
  - Security Reader

  These permissions are found in the Entra Portal > Roles & Admins.
- MDM devices must be onboarded to Purview and have the Purview Browser Extension deployed (optional).

  This prerequisite is optional if you will not be using Endpoint DLP. Onboarding devices and installing the browser extension are covered in a standalone guide.