We’re witnessing a significant surge in the adoption of generative AI tools, including ChatGPT, Google Gemini, and DeepSeek. Employees (myself included!) are using tools like ChatGPT, Google Gemini, DeepSeek, and many others to boost productivity. However, this convenience comes with a price: data exposure.
The scary part is without realizing it, we are handing over sensitive company information to consumer apps with just a few typed words.
- It might be a marketing intern who accidentally types unreleased campaign data into ChatGPT.
- It might be a sales rep asks Gemini to summarize a proposal, not realizing it includes M&A info.
- It might be a project lead uses AI to write documentation with embedded IP details.
Now multiply that across your organization. That’s a potential data leak waiting to happen, right from the browser. But what if your organization could detect and block sensitive data before it’s even submitted into a web form or AI prompt? No uploading. No copy-paste. Just typed text. Yep, that’s soon going to be possible.
The new Inline Data Protection in Microsoft Edge for Business, a powerful new capability introduced in Microsoft Purview’s Data Loss Prevention (DLP) suite.
Inline Protection from Purview DLP in Edge for Business
The Inline Protection in Microsoft Purview DLP is a powerful capability that prevents data leakage as users are typing sensitive information into web applications or generative AI prompts. The goal is simple but powerful:
Prevent sensitive data from being leaked via typed text inside web apps, including AI tools like ChatGPT, Google Gemini, and DeepSeek.
This is huge! It means you can use this protection even if you don’t have a full-blown endpoint DLP solution deployed across your entire organization. It’s a foundational layer of security that complements your existing protections for things like uploading or pasting content.
With inline protection enabled and a DLP policy in place, we’d be immediately blocked from sending that prompt. Not just because I copied or uploaded a document, just because I typed a risky sentence. Something great, right?
This isn’t a blanket block either. Admins can tailor it using the Adaptive Protection feature in Microsoft Purview to react based on the user’s risk level. So low-risk users might be allowed more flexibility, while high-risk users face stricter enforcement.
Note for you: Initially, this feature will focus on some of the most popular consumer generative AI applications – ChatGPT, Google Gemini, and DeepSeek. This is a smart move, addressing a major area of concern right out of the gate. Microsoft also plans to continuously expand this list to cover a much broader range of unmanaged apps, including other generative AI services, email platforms, collaboration tools, and even social media.
Licensing Requirements for Inline Data Protection
This is always an important question, right? Understanding what you need to have in place to use these powerful new features is key for planning and budgeting.
Inline discovery and protection in Edge for Business is included with several of Microsoft’s enterprise-level licensing bundles. Specifically, you’ll find it within:
- Microsoft 365 E5
- Microsoft 365 E5 Compliance
- Microsoft 365 E5 Information Protection & Governance
A crucial point to note here, and one that Microsoft has highlighted, is regarding usage thresholds:
While inline protection for Edge for Business is currently part of these E5 licenses today, Microsoft reserves the right to monitor telemetry (basically, how much the feature is being used). They may, at a later date, declare a certain threshold of usage that will be absorbed within your existing E5 license. Beyond that specific threshold, Microsoft reserves the right to introduce additional charges based on your usage.
Configure Inline Data Protection in Microsoft Purview
Since this feature is currently in public preview and still evolving, all I can give is a high-level overview.
Everything begins in the Microsoft Purview compliance portal. From there, you can define what qualifies as sensitive data, whether it’s M&A details, financial records, or intellectual property and create enforcement policies tailored to your organization’s needs.
What truly sets this feature apart is how seamlessly it connects with the broader Purview data security ecosystem:
- DSPM integration: Even if no DLP policy is applied yet, Purview’s Data Security Posture Management can still detect risky behavior and proactively recommend relevant protections.
- Insider Risk Management: If a user repeatedly attempts to send sensitive prompts to GenAI tools, their risk level increases automatically, enabling tighter controls through Adaptive Protection.
- Unified visibility: Admins gain full insight into browser-based activity, GenAI interactions, and potential data exposure—all from one centralized dashboard.
It’s a powerful, integrated approach that blends real-time browser protection with intelligent risk-based enforcement.
And just a quick reminder, this feature is still in public preview, and Microsoft hasn’t announced a General Availability date yet. So while it’s already functional and valuable, more updates and refinements are likely on the way!
Blocking AI Prompt with Sensitive Data
Let’s say an employee tries to submit this to Google Gemini:
“Summarize this internal report about upcoming product pricing and negotiations with partner X.”
Edge for Business (with Purview inline protection) recognizes “pricing” + “negotiations” + “partner X” as sensitive terms. The policy works, and here’s what they’d experience:
This is fantastic because it’s an immediate, in-browser alert. The user can’t accidentally proceed and expose the data. It prevents the leakage before it even leaves the browser. Instead of letting that sensitive input go through, the system instantly steps in, blocking the action before it can happen. The ‘Enter’ key? Disabled. The risk? Averted. This visual feedback is crucial for both security and user education. It makes the user aware of what’s happening and why, helping to foster a culture of data security.
And it’s not just GenAI tools. Microsoft says this protection will eventually expand to cover email clients, social media platforms, and other unmanaged web apps too.
My Opinion…
Honestly, I love where Microsoft is headed with this. Data protection can no longer wait until after something is uploaded or emailed; it needs to happen as it’s being created!
Inline protection in Edge for Business is a modern, real-world response to the surge in browser-based AI usage. It puts the control back in the hands of organizations without killing productivity. And best of all is it doesn’t require complex installations or endpoint dependencies; it works right from the browser, natively.
The best I would suggest is to review your sensitive data classifications, update your DLP policies in Microsoft Purview, and monitor the IRM dashboard for emerging risks frequently!
