Microsoft has delayed the general availability of its network-layer data loss prevention feature that integrates Microsoft Purview with Entra Global Secure Access. The capability, which inspects file content before it leaves managed Windows devices for unapproved cloud services and generative AI tools, now has a target release date of September 2026, according to a July 17 update to the Microsoft 365 roadmap (ID 522096). The delay leaves a critical gap for organizations that want automatic, context-aware blocking of sensitive data uploads outside Microsoft 365, but basic network filtering based on file types is already available and can be deployed today.

What the roadmap update actually changed

Roadmap ID 522096 originally promised to deliver Purview DLP integration with Global Secure Access, allowing organizations to “intercept and inspect files at the network layer” and enforce restrictive actions when policy conditions match. The July 17 entry now states that general availability “has moved” to September 2026, with no further details or explanation.

This does not mean all network content filtering is on hold. Microsoft already provides a generally available feature for basic network content policies that block or allow file transfers based on MIME types—for example, stopping any PDF upload to a given destination. What remains in preview, and what the delayed GA covers, is the Scan with Purview option, which performs deep content inspection against sensitivity labels, custom sensitive information types, and user risk levels. That preview remains documented as such on Microsoft Learn, and no date is given for its exit from preview.

For administrators, the roadmap update simply extends the timeline for the fully integrated solution. It does not change the availability of the underlying Entra Internet Access traffic-forwarding components or the basic MIME-type filters.

What the delay means for your data security posture

For most end users, nothing changes immediately. They can continue uploading files to consumer cloud storage, collaboration tools, and AI chatbots as before, assuming no other DLP controls are in place. For IT and security teams, however, the delay means a longer window during which sensitive data might leave managed endpoints without content-level inspection at the network edge.

The risk is especially acute for organizations that have already rolled out Conditional Access and endpoint DLP but still worry about data that users intentionally—or inadvertently—share through browser-based uploads, desktop clients, or API integrations that bypass traditional email and document-sharing channels. Network-layer DLP is the only mechanism that sits between the endpoint and the internet destination, capable of evaluating the actual file content before it leaves the corporate perimeter.

Without it, companies must rely on other layers:
- Endpoint DLP can block or audit certain actions, but only when the agent is installed and the application is supported.
- Cloud Access Security Brokers (CASBs) can inspect traffic, but often require reverse proxy or API configurations that don’t cover all paths.
- Secure web gateways (SWGs) can enforce policy, but rarely understand Microsoft’s sensitivity labels or custom classifiers in real time.

Purview-backed network filtering would close that gap with a single policy engine that works across Microsoft 365 and arbitrary internet destinations. Its delay means that patchwork approach persists.

How we arrived at September 2026

The Purview–Global Secure Access integration is part of Microsoft’s broader secure service edge (SSE) strategy, which unifies identity, device compliance, and network controls under the Entra umbrella. Global Secure Access includes two components: Internet Access (for web, SaaS, and Microsoft 365 traffic) and Private Access (for on-premises resources). Marrying Purview DLP with Internet Access was a logical next step, enabling data protection policies that follow users beyond Microsoft’s own productivity suite.

Microsoft first signaled this integration on its public roadmap in early 2025, and the preview became available later that year. Observers expected general availability sometime in 2026, but the September date now provides a concrete, if distant, target. The company hasn’t explained the delay, but the complexity of inspecting content at line speed on a centralized cloud proxy, while maintaining low latency and high fidelity for file classification, is likely a factor. The preview’s documented limitations—no support for UDP/QUIC, imperfect file type detection, and the need to manually map every upload endpoint—hint at the engineering challenges.

What you should do now: A practical preparation plan

September 2026 is 14 months away. That’s ample time to build readiness, but only if you start now. Use these steps to gain protection from the available tools and lay the groundwork for content-aware filtering later.

1. Deploy basic network content filtering today

If you already have Entra Internet Access licenses, turn on MIME-type-based blocking for high-risk destinations. Even crude controls—for example, blocking all PDF and ZIP uploads to consumer AI tools—can reduce immediate risk. Microsoft Learn documents how to create a network content policy that references a destination list and specifies allowed or blocked file types. Start with a simulation mode to measure impact before enforcing blocks.

2. Inventory your cloud destinations and upload endpoints

Content-aware filtering will require you to specify not just domain names but the precise URLs used for file uploads. For each unmanaged service you intend to govern, map the full set of endpoints: web UI login pages, upload handlers, API gateways, and content delivery networks. Microsoft’s own example for ChatGPT lists multiple FQDNs, including a wildcard. Your inventory should be equally granular. Use proxy logs, endpoint DLP telemetry, and browser history reports to build this list over time.

3. Set up Purview policies in simulation mode now

You don’t need the network integration to begin writing and testing DLP rules. Use the built-in simulation feature in Microsoft Purview to create policies that match sensitive data types and labels, then review the activity explorer reports to see what would have been captured. This dry run lets you tune false positives and understand the volume of sensitive data movements before you ever turn on enforcement.

4. Assess endpoint readiness and licensing

Network-level inspection via Global Secure Access requires the Global Secure Access client to be installed on every managed endpoint. The client supports only Microsoft Entra joined or hybrid-joined devices, so unmanaged or personally owned devices won’t be covered. Audit your estate to see how many corporate users fall outside that scope, and plan compensating controls.

On the licensing front, Microsoft’s documentation states that network data security features require Microsoft 365 E7 or a combination of Purview E5-equivalent and Entra Internet Access-equivalent licenses. During the public preview, policies enforced through Global Secure Access do not incur additional charges, but you must still set up pay-as-you-go billing for Purview. Validate your current subscriptions and start the billing configuration process now, even if you don’t deploy the feature until next year.

5. Test protocol support and traffic paths

Because the inspection only works for HTTP/1.1 traffic and cannot decrypt QUIC or UDP streams, modern web applications that favor HTTP/3 may bypass your policies entirely. Work with your networking team to identify which of your target destinations use QUIC and whether you can force HTTP/1.1 via browser configuration or network settings. Also verify that compressed uploads (which are detected as ZIP but not decompressed) won’t hide sensitive data.

6. Prepare a phased rollout plan

When content-aware filtering does become generally available, you’ll want to deploy it gradually:
- Select a pilot group and a restricted set of destinations—ideally, high-risk consumer AI services already blocked by MIME type.
- Begin with audit-only mode, using Purview reports and Global Secure Access traffic logs to confirm that the policies fire as expected.
- Expand to block mode only after you have a clear escalation path for false positives and a communication plan for affected users.

Outlook: What to watch between now and September 2026

Microsoft is likely to refine the preview over the coming months. Watch for updates to the Microsoft Learn documentation that address current limitations—especially around protocol support and file type detection fidelity. The company may also release incremental improvements to the Global Secure Access client or the admin portal that simplify destination discovery.

Keep an eye on the roadmap entry itself. A September 2026 date is a target, not a promise. If the complexity proves greater than anticipated, further slippage is possible. The fact that Microsoft hasn’t published a firm GA date beyond the third quarter suggests this feature remains a multi‑year journey. The smart move is to treat the current basic controls as your near-term defense and build toward content-aware enforcement at a pace that matches your organization’s tolerance for operational friction.