
Enhancements to Device Status API & Logged-In User Email in Endpoint DLP

1. The Real-World Challenges Encountered by Endpoint DLP Analysts

Prior to the launch of the Device Status API enhancements and enhanced visibility of logged-in users, Endpoint DLP teams frequently faced several issues, which are elaborated below:

Fragmented and Manual Device Visibility – Customers consistently shared:

  • We know that some devices are malfunctioning, but we’re unsure of their owners.
  • We export the onboarding table to Excel weekly just to track discrepancies.
  • By the time we identify a policy issue, users have already been affected.

This resulted in:

  • Device onboarding views being merely static snapshots instead of operationally useful.
  • Admin teams depending on Excel exports to monitor onboarding, discrepancies, and device health.
  • Reporting pipelines that were fragile and constantly out of date.

2. Why the Device Status API Was Requested (Beyond Just “Reporting”)

The Hidden Costs of Relying on Excel: Customers found themselves needing to:

  • Manually export device onboarding data.
  • Create dashboards anew each time for updated insights.
  • Repeat this tedious process weekly or even daily for compliance and SOC reviews.

This method fell short at scale and led to blind spots during incidents. If a device policy sync failed or looked unhealthy, admins lacked real-time visibility to address basic questions such as:

  • Is this device set up correctly?
  • Is the OS or Defender version outdated?
  • Is this issue widespread or specific to one device?

3. The Advantages of Improvement (A New Operational Landscape)

Transitioning from Static Views to Continuous Monitoring with the Device Status API:

  • Device health, configuration status, policy sync state, OS version, and Defender version are all now easily queried signals.
  • Customers can create custom reports and Advanced Hunting queries that are always up-to-date.
  • SOC and Endpoint teams have a unified source of truth regarding devices.

This fundamentally alters how customers monitor Endpoint DLP, transforming it from just a setup task into a dynamic control system. The Device Status API fills this gap by ensuring that device-level status is always available through Advanced Hunting, allowing clients to build dynamic dashboards rather than relying on static reports.

4. The Old Workflow (Customer Frustrations)

Previously, when a device exhibited:

  • Policy Sync Failure
  • Unhealthy Status
  • Configuration Mismatch

Admins had to:

  • Exit the Purview console
  • Access Microsoft Defender for Endpoint or Intune
  • Correlate device IDs or names
  • Identify the user
  • Begin the remediation process

This constant switching between contexts consumed time, reduced accuracy, and built up uncertainty.

5. The Enhanced User Context is Now Accessible

Admins can now see who is logged in directly on the device onboarding page, aligning the Windows experience with macOS by providing:

  • Immediate user context during device issues.
  • Quicker outreach and remediation processes.
  • A single, unified investigative platform.

What used to require access to three separate portals now occurs all in one place.

6. When Customers Needed This Data but Couldn’t Access It

This enhancement was not simply a matter of curiosity; it arose from critical failure points during production. Here are some common scenarios:

Scenario 1: Quarterly Compliance Reviews
  • Before: Teams would export Excel files days in advance of audits, often resulting in outdated data. Auditors frequently questioned the reliability of the reports.
  • After improvement: Advanced Hunting queries now support live dashboards for compliance. Reports are defensible as the data is always up-to-date.

Scenario 2: Incident Post-Mortems
  • Before: Teams often struggled to ascertain whether devices were healthy at the time of an incident or if policies had been enforced accurately. Reviews were based on assumptions.
  • After improvement: Device status, policy sync state, and OS/Defender versions are now factual, queryable data. Incident reviews transition from guesswork to evidence-based evaluations.

Scenario 3: Silent Policy Drift
  • Before: Devices could drift due to OS updates, sensor delays, or configuration changes, surfacing issues only after DLP violations occurred.
  • After improvement: Policy drift is now detectable before it leads to enforcement failures. Endpoint DLP serves as a reliability metric instead of a last-minute alarm.

7. New Enhancements for the Device Status API

  • The Device Status API offers admins access to detailed device-level information, which can be integrated into custom reports or utilised in advanced hunting queries.
  • This has enabled admins to identify users associated with devices without relying on Entra, on-premises Active Directory, or the Intune team.
  • If a device is not receiving policies promptly, the API allows for quick identification of the device owner, enabling continuous diagnostics or log collection directly from the device through the Purview console.

8. How to Capture User UPN

  1. Admins can begin by logging into Security.microsoft.com as a security admin, then navigate to Investigation and responses > Hunting > Advanced hunting.
  2. Device data can be found in the DLPInfo JSON column within the DeviceInfo table.
  3. After executing the above or any other custom query as needed, you’ll see a response as illustrated below.
  4. Click on the loggedonuser field, expand the right-side information, and look for DLPUPN under the inspect record.
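The steps above click through the result pane by hand; the query below does the same extraction in Advanced Hunting so the UPN lands in its own column and can feed a report. This is an added example, not a query from the original post; it assumes the schema the post describes (a DeviceInfo table with a DLPInfo JSON column whose loggedonuser object carries DLPUPN), so confirm those names in your tenant's schema pane before relying on it.

```kql
// Added example (not from the original post). Assumed schema per the post:
// DeviceInfo table, JSON column DLPInfo, object loggedonuser, value DLPUPN.
DeviceInfo
| where Timestamp > ago(7d)
// keep only the most recent record for each device
| summarize arg_max(Timestamp, *) by DeviceId
// parse the JSON column once so nested fields can be addressed
| extend DlpInfo = parse_json(DLPInfo)
// assumed path to the UPN; adjust if DLPUPN sits at a different level
| extend DlpUpn = tostring(DlpInfo.loggedonuser.DLPUPN)
// drop devices with no DLP-reported user so the report only lists owners
| where isnotempty(DlpUpn)
| project Timestamp, DeviceId, DeviceName, OSPlatform, OSVersion, DlpUpn
| order by DeviceName asc
```

Pin the query to a dashboard or schedule it as a custom detection to keep the device-to-user mapping current instead of exporting it.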



9. User Login Information on the Purview Onboarding Page

  • Admins can now see who is presently logged in on the device onboarding page. This update synchronises the Windows experience with that of macOS, enabling quicker responses when necessary.
  • Previously, if a device showed “Policy Sync Failed” or “Unhealthy,” admins had to switch to Microsoft Defender for Endpoint (MDE) or Intune to determine the user affected. Now, all pertinent details are accessible in a single view, streamlining the workflow.

Benefits –

  • Admins can swiftly verify device ownership and user context without additional investigation.
  • Troubleshooting onboarding or policy issues is simplified, as user context is presented alongside other device insights like status and IP address.
  • No disruption to users or DLP policies occurs, and this is enabled by default with no further action needed.

10. Steps to Retrieve User UPN on Purview Admin Console

Log in to Purview.microsoft.com as a compliance admin > Choose settings > Device onboarding > Select a device.



Final Thoughts: The Importance of These Enhancements

“These improvements transform Endpoint DLP from a static, deployment-focused control into a continuously observable, user-aware security signal, considerably reducing investigation times, operational burdens, and trust gaps on a large scale.”
