Getting started with Microsoft DLP IR integration for data loss prevention

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Getting Started with Microsoft DLP IR Integration for Data Loss Prevention

    This guide provides essential information for setting up Microsoft DLP Incident Response (IR) integration for data loss prevention within ServiceNow. It outlines the necessary credentials, roles, and permissions required for seamless integration with Microsoft Purview and cloud storage solutions like AWS and Azure.

    Show full answer Show less

    Key Features

    • Microsoft Purview Credentials: Obtain credentials to fetch event data.
    • Application Registration: Register an application on Microsoft Azure to acquire Client ID, Client Secret, and Tenant ID.
    • Storage Permissions: Assign necessary roles for read/write/delete access to Azure and AWS storage accounts.
    • ServiceNow Roles: Ensure roles such as sndlir.admin are assigned for integration configuration and incident profile setup.
    • API Permissions: Configure required API permissions for Microsoft Azure applications to facilitate data ingestion into ServiceNow.

    Key Outcomes

    By following this guide, ServiceNow customers can effectively integrate Microsoft DLP IR for managing data loss incidents. Customers will be able to:

    • Fetch DLP policy events and sensitive data into ServiceNow.
    • Download relevant files and emails related to DLP events, if required permissions are granted.
    • View detected sensitive information stored externally in Azure Blob Storage or Amazon S3.

    Ensure all prerequisites and configurations are completed for a successful setup and optimal functionality of the integration.

    Review the following information before you start setting up your Microsoft DLP IR integration for data loss prevention.

    Table 1. Checklist
    Setup task Description

    Get the Microsoft Purview credentials to fetch the event data and AWS/Azure Storage account credentials to store the match content

    Register an application with the Microsoft identity platform

    		 Register an application on the Microsoft Azure platform from here to get the Client ID, Client Secret, and Tenant ID. For information on the Roles required for creating an application, see Prerequisites.

    For information on the API Permissions/Roles required on a Microsoft Azure application to configure it on ServiceNow Microsoft DLP integration, refer to the following table.
    Permissions required for Azure user to get the access of read/write/delete blob on Azure Storage
    1. Assign the Storage Blob Data Contributor role to an existing Azure user to read, write, and delete blobs on Azure Storage. For information about the role, see Azure built-in roles: Storage Blob Data Contributor. Alternatively, create a custom role and specify the actions. For information about creating custom roles, see Azure custom roles.
    2. Assign a shared access key to the user that has the role privileges. For information about account access keys, see View account access keys.
    Permissions required for AWS user to get the access of read/write/delete object on AWS Storage Create a policy that gives list, read, write, and delete access for the object in AWS S3 Storage.
    1. Create and configure an Amazon S3 bucket. For information about creating an S3 bucket, see Create an S3 bucket.
    2. Provide read and write access to Amazon S3 bucket objects. For information about the object accesses, see the example policy. For information about creating policies, see Create IAM policies.
    3. Provide the access key and the secret key to the user. For information about authentication, see Authenticating the AWS tools.
    Assign and verify if you have the required roles for ServiceNow AI Platform and Data Loss Administration roles. The following roles are required for configuration and verification of the expected results:
    • The admin role installs the integration from the ServiceNow Store and assigns the sn_dlir.admin role.
    • The sn_dlir.admin role performs the following tasks:
      • Configures the integration.
      • Sets up the incident profiles.
    Verify that the ServiceNow core applications required to support the Microsoft DLP IR integration are installed and activated before you configure this integration. Verify that the following DLP IR applications and security support common applications are installed and activated from the ServiceNow Store. If not installed, then install and activate on the application.
    • Security Support Common
    • Data Loss Prevention Incident Response
    Table 2. Required API Permissions/Roles on a Microsoft Azure applicationYou need the following API Permissions/Roles on a Microsoft Azure application to configure it on ServiceNow Microsoft DLP integration.
    API Permission name Type Description Required for which ServiceNow functionality? Is Admin consent required?
    Office 365 Management API ActivityFeed.ReadDlp Application Read DLP policy events including detected sensitive data. To ingest the DLP events from MSFT Purview to ServiceNow.
    Note:
    This permission is a must to get the MSFT data into ServiceNow.
    		 Yes
    Microsoft Graph API Files.Read.All Application Read files in all site collections that you can access. Download File: To download the attachment on the ServiceNow instance that caused the DLP event from OneDrive or SharePoint
    Note:
    This is optional. You can skip this API permission if you don't want to allow the analysts to download the attachment that caused the DLP event.
    		 Yes
    Mail.Read Application Read mail in all mailboxes. Download File: To download the email content (body and attachment) on the ServiceNow instance that caused the DLP event from Exchange.
    Note:
    Optional. You can skip this API permission if you don't want to allow the analysts to download the email content (body, attachment) that caused the DLP event.
    		 Yes
    User.Read Delegated Sign in and read user profile. Default permission available for all new applications. No

    Detected Sensitive Information (Optional)

    The match content is stored externally in Azure Blob Storage or Amazon S3 bucket and will be pulled from external storage when the user views an incident.

    Any one of the following permissions are required if the users would like to view Match Content/Detected Sensitive Information in the DLP Core application:
    1. If you’re a Microsoft Azure user, you must have the role Storage Blob Data Contributor to read, write, and delete blobs on Azure Storage.
    2. If you’re an Amazon S3 user, you must create a policy that gives list, read, write, and delete access for the object in Amazon S3 Storage.