Protect Office 365 Sensitive Data with Data Loss Prevention (DLP) Policy

Every organization wants to safeguard its sensitive data safe and secure, as the data breach could have disastrous consequences. Keeping sensitive data secure is essential for every organization, particularly those that require compliance with strict data regulations This is where Data loss prevention in Office 365 comes in.

Microsoft 365 DLP is a comprehensive data protection plan that lets you audit and protects the sharing of sensitive data. You can use Data Loss Prevention Policy (DLP) to set rules and ensure the security of sensitive data in your Office 365 environment.

Synopsis of the contents:

What is Data Loss Prevention(DLP) in Office 365?

To hold the sensitive information from falling into the prey’s hands, data loss prevention was included as part of Microsoft Information Protection (MIP). It helps to identify and prevent unauthorized messages from being shared, altered, or exploited.

The Data loss prevention rules identify whether the data shared contains any sensitive information (like credit card numbers, IP addresses, etc.) that could result in a breach of security. If it detects any such data, then it enforces the configured policies and prevents sharing.

What Can You Do With the DLP Policy?

Office 365 has a wide range of sensitive information types that are distinct to each country. Such information could include passport numbers, social security numbers, credit card numbers, and a lot more. Microsoft provides a complete guide to sensitive information types and how to identify them by a specific keyword, internal functions, regular expressions, or pattern matching.

For example:  When a user attempts to mail sensitive information (such as IP addresses), the DLP policy will identify the action and alert the user or immediately block it.

Data loss prevention - sample example


What Are All the License Requirements to Avail Data Loss Prevention?

Before delving into the DLP license requirements, it’s mandatory to understand the license options available.  Currently, there are two types of DLP licenses.

  • Data loss prevention
  • Data loss prevention for teams

And DLP is also available as a stand-alone.

Data Loss Prevention Licensing

Data Loss Prevention Data Loss Prevention for Teams
Ensures the security of sensitive data shared among OneDrive, SharePoint, and Exchange Online. In addition, it protects a few aspects of Teams because Teams uses SharePoint to store files.
• Microsoft 365 business premium
• Microsoft 365 E3
A DLP policy for teams focuses on the overall aspects of teams that include Teams chat, channel messages along private channel messages.

• Office 365 E5/A5/G5
• Microsoft 365 E5/A5/G5
• Microsoft 365 E5/A5/G5 Information Protection and Governance
• Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance


How to Allow Users to Access the Data Loss Prevention Policy?

The DLP policy’s purpose is to guide users on how to keep sensitive data safe and secure. To set up a DLP policy, you must first be granted access to the compliance center. Usually, tenant administrators create, edit, and delete DLP policies, and they can assign permission to anyone who needs access to the compliance center.

To assign permissions to access the DLP policy:

  1. Navigate to Microsoft 365 compliance →Permissions→ Compliance center. 
  2. Create a role group.
  3. In the Choose roles, select the DLP compliance management. Here, you can either select DLP compliance management or View-only DLP compliance management based on your preference.
  4. Then in Choose members, add the members you want to give access to data loss prevention.
  5. Bingo!! It’s over. Hereafter, the added members can create, modify and remove DLP policies.


How to Setup a Default DLP Policy?

Initially, a default policy will be set up. Here, the default policy is for teams.

  • Whenever a credit card number is shared via Teams chat, this policy automatically sends out a notification to the admin. Admins can change the response action for the detection based on our preferences.
  • There are 40+ in-built policy templates for common industry regulations and compliance needs.

set up a default DLP policy

Steps to Create a Default Data Loss Prevention Policy:

  1. To create DLP policy from default templates, Navigate to Microsoft 365 compliance → Data loss prevention.
  2. After clicking on the create policy, there will be a lot of default DLP policy templates to start from. These defaults cover the fundamentals of compliance.
  3. Select the categories and templates that fit your requirements from the categories tab and proceed to the next.
    set up a defa0ult DLP policy - categories
  4. By default, the name, description, and service locations are all set. You can either change it or leave it as rest.
  5. Finishing up all this leads to policy settings. As said previously, you can either choose the default rules or create customized rules. Here, we consider the default settings from the template.
    ⇒While using default templates, you can also edit the sensitive data you want to protect.
    set up a default DLP policy - policy settings
  6. Then, the protection actions will set the rule for the policy. You can either choose the default rules or create customized rules.
    ⇒Here, we consider the default settings from the template.set up a default DLP policy - set the rule
  7. Finally, after completing all the steps, it’ll ask you to either turn on or test the policy.Always make sure to stay compliant without affecting users’ productivity! So, to ensure that your policies perform as intended, test them first before turning them on. This will allow you to see how it affects your users and make any required changes ahead of time.

How to Create a Custom DLP Policy?

Rather than setting up a default policy, you can opt to create an entire custom policy of your own. You can create DLP policies for each Office 365 service in their respective admin centers as well as compliance center. Make sure all DLP policies are configured tenant-wide. So, instead of only configuring email, you can also configure to the files stored in SharePoint, OneDrive Business, etc.

To create a custom DLP policy,

1. Navigate to Microsoft 365 compliance Data loss prevention.

2. In the categories tab and click the custom option to create a custom policy.

3. After creating, give the DLP policy a name along with the description.

4. Next to the naming of the policy, you have to determine the service locations, where your policy must be enforced. Furthermore, you can customize by including or excluding any group, site, workspace, etc…

5. Define your policy settings. It determines the rule that will be applied to your policies. There are two options you can choose from, either you can

    • Customize the default settings and set them or
    • Create or Customize advanced DLP rules.

6. To create a custom DLP rule, select the Create or customize advanced DLP rules. It has rich flexibility in configuring rules and enforcement actions.

  • Among the 100+ sensitive info types, add the types of sensitive information you’d like to prevent from sharing.

When assigning confidence levels to sensitive info types, make sure to keep the level at medium confidence. Sometimes, high confidence leads to false positives.

  • The instance count denotes how many times the sensitive information is suspected in an email or document to be blocked.

It should be set to 1 because it should not permit any confidential data to leave the organization.

7. Next, the setting of the rule comes over. It consists of several conditions and actions that govern how your users can utilize your sensitive data. You can choose according to your preference.

  • Monitor – If you only want to audit the behavior over the content but still allow the user to access it.
  • Block – Restricts the process completely.
  • Override –Restricts activities while allowing users to override if specified conditions are met. Here, the user will receive a policy tip while enclosing such data.Custom DLP policy - setting rule for Office 365 Data loss prevention

8. After saving the rule with proper conditions and actions, the status of the rule will get turned on. In this case, when a user tries to enclose an IP address, the DLP rule identifies IP addresses as sensitive data, and it’ll perform the following actions:

Action – It’ll prompt the policy tip and notify the administrator about the disclosure. Finally, his access will be restricted.

custom DLP policy - DLP rule

9. Finally, after completing all the steps, you’ll be asked to either turn on or test the policy. Testing the DLP policies before turning them on is the best practice to carry out, as you could see their impact earlier without incurring much risk. And there you have it! That’s how DLP policies get established. Eventually, review all your settings and get the advantage of it.

How to Create a DLP policy Using PowerShell?

Even though the UI mode offers a smooth interface to work with, it’s not capable of automating bulk operations. This is where PowerShell comes in! With PowerShell, you can create a DLP policy at a fast pace.

Before creating the DLP policy, we need to connect to the Security and Compliance center PowerShell.

Both MFA-enabled and non-MFA accounts can be managed using this cmdlet. After connecting with the Compliance center, proceed with the following steps to create a DLP policy using PowerShell.

1. New-DlpCompliancePolicycreate the DLP policy. It supports a variety of parameters.

  • Here, -Mode is enabled. It denotes the actions and notifications level of the DLP policy. Depending on your preference, you can turn it on or off or just test it with and without notifications.
  • Next. you have to determine the locations where the policies are going to be enforced. -All denotes that the policies will be enforced in all the Exchange Online, SharePoint, and OneDrive locations. You can also specify the SharePoint site URL to be used.

2. After naming the policy, add a descriptive comment that describes the policy.

          Set-DlpCompliancePolicy – modify the DLP policies.

The Set-DlpCompliancePolicy has a range of parameters. You can also add the locations to be enforced using the parameters like ExceptIfOneDriveBy, ExchangeSenderMemberOf, OneDriveSharedByMemberOf, etc…

3. As of now, only the DLP policy is created, along with the definition of locations. Lastly, we need to set the rule to the created DLP policy. The DLP rule defines sensitive information to be secured and what actions should be taken when a rule matches up.

      New-DlpComplianceRule – create the rule for the DLP policy.

5. That’s it!! The rule is set. And the policy is ready to take charge. Ultimately, if done correctly, the new DLP policy appears in the UI phase of DLP. This policy blocks any user in your tenant who shares the US Social Security Number.


How to View DLP Policy?

Navigate to Data loss prevention in the compliance center to keep track of the policies you configured.

You can view, manage and export all the DLP policies under the Policies tab.

View Data loss prevention policies


How to View DLP Reports?

After configuring, you’ll need to monitor the reports of your DLP policy. View your DLP policy effects graphically by selecting the reports in the compliance center.

With DLP policy reports, you can quickly view

  • Number of the rule matches
  • Number of the false positives and overrides happened.

You may further narrow down the results by defining a specific policy, rule, or action, as well as a time frame and location.


As storage techniques in the cloud have advanced, employees are now able to access organizational data in more ways than ever before. All of these might raise the likelihood of data loss. Deploying Microsoft 365 DLP will assist you in ensuring the safety of your data, minimizing the chance of data loss. Also, admins can use the improvised Test-Message cmdlet to troubleshoot issues related to Exchange DLP policies. Overall, the DLP policy,

  • Identifies and prevents sensitive information across various services, such as Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Office apps, Microsoft cloud apps.
  • Maintain compliance without interrupting users’ progress.