Data Loss Prevention (DLP)
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Understanding Data Loss Prevention (DLP) in Microsoft Purview
In the modern workplace, data is the most valuable asset an organization owns. It is also the most mobile. Employees share documents via email, collaborate on Microsoft Teams, upload files to cloud storage, and move data to portable USB drives. While this mobility is great for productivity, it creates a massive challenge for security and compliance teams. How do you ensure that a sensitive spreadsheet containing thousands of customer credit card numbers doesn't accidentally end up in a public folder or an unauthorized personal inbox?
This is where Data Loss Prevention (DLP) comes in. DLP is a set of technologies and processes designed to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. Within the Microsoft Purview ecosystem, DLP acts as a digital guardrail. It doesn't just sit back and watch; it actively identifies, monitors, and automatically protects sensitive information across different platforms like Office 365, OneDrive, SharePoint, and even local Windows and macOS devices.
Understanding DLP is not just about knowing which buttons to click in an admin portal. It is about understanding the lifecycle of data, the risks associated with human error, and the balance between keeping an organization secure and allowing employees to do their jobs without unnecessary friction. In this lesson, we will dive deep into the mechanics of Microsoft DLP, how to build effective policies, and the best practices for implementing a DLP strategy that actually works.
The Core Components of a DLP Policy
To understand how DLP works, you have to look at it as a series of "If/Then" statements. Every DLP policy you create is essentially a rule that says: "If the system detects X type of data in Y location, then it should perform Z action." To build these rules, Microsoft Purview uses several core components that work together to identify and protect information.
Sensitive Information Types (SITs)
The foundation of any DLP policy is the ability to identify what is actually sensitive. Microsoft Purview uses Sensitive Information Types (SITs) to do this. A SIT is a pattern-based recognizer. For example, a Credit Card Number SIT looks for a string of 16 digits that passes the Luhn check (a mathematical algorithm used to validate credit card numbers) and is surrounded by keywords like "CVV," "expiry," or "VISA."
Microsoft provides hundreds of built-in SITs covering everything from Social Security Numbers and Passport IDs to medical record numbers and financial terms specific to different countries. However, most organizations also have unique data, such as internal project codes or employee IDs. For these, you can create Custom SITs using regular expressions (Regex) or keyword lists.
Trainable Classifiers
Sometimes, a simple pattern isn't enough to identify sensitive data. Consider a "Performance Review" or a "Legal Contract." These documents don't always have a specific number format you can track with Regex. Trainable Classifiers use machine learning to understand the context of a document. By feeding the system hundreds of examples of a specific document type, the AI learns what that document looks like. Once trained, it can identify similar documents even if they don't contain specific keywords or patterns.
Exact Data Match (EDM)
For organizations that need extremely high accuracy, Exact Data Match (EDM) is the gold standard. Instead of looking for any 16-digit number, EDM allows you to upload a schema of your actual database (like a list of your specific customer IDs). The DLP engine then only triggers an alert if it sees a number that matches a record in your actual database. This virtually eliminates false positives, as it is no longer guessing based on patterns—it is checking against known facts.
Callout: SITs vs. EDM
While a Sensitive Information Type (SIT) looks for a general pattern (like any valid credit card format), an Exact Data Match (EDM) looks for a specific piece of data that belongs to your organization (like a specific customer’s account number). Use SITs for broad compliance (GDPR, HIPAA) and use EDM for protecting your specific, proprietary database records where false positives must be kept to an absolute minimum.
Where DLP Operates: Locations and Scopes
One of the strongest features of Microsoft Purview DLP is its reach. It isn't limited to just email; it extends across the entire Microsoft 365 ecosystem and into the physical hardware of your employees' workstations.
- Exchange Online: Scans emails and attachments in real-time. It can prevent an email from being sent if it contains sensitive data or automatically encrypt it before it leaves the organization.
- SharePoint and OneDrive: Monitors files stored in the cloud. If a file is shared with an "External" guest and contains sensitive data, DLP can automatically revoke that share or restrict the file to "view only."
- Microsoft Teams: This is a critical area for many businesses. DLP can scan chat messages and channel conversations. If a user types a credit card number into a Teams chat, DLP can "mask" the message so other participants cannot see it, replacing the text with a notice that the message was blocked.
- Endpoint DLP: This extends protection to the operating system level (Windows 10/11 and macOS). It can prevent users from copying sensitive data to a USB drive, printing a sensitive document, or uploading a protected file to a non-corporate web browser like personal Gmail or Dropbox.
- Microsoft Defender for Cloud Apps: This allows DLP policies to extend to non-Microsoft apps like Salesforce, Box, or Google Drive, provided they are connected to your environment.
Note: For Endpoint DLP to work, devices must be "onboarded" to Microsoft Purview. This is typically done through Microsoft Intune or by using a configuration script. Without onboarding, the DLP engine has no visibility into what is happening on the local physical machine.
Designing and Implementing a DLP Policy
Creating a DLP policy requires a methodical approach. If you are too aggressive, you will block legitimate business processes and frustrate users. If you are too lenient, you won't stop data leaks. The following steps outline the standard workflow for deploying a policy.
Step 1: Define the Policy Intent
Before touching the admin center, you must know what you are trying to protect. Are you trying to comply with HIPAA? Are you trying to protect intellectual property? Start with a single goal. For this example, let's say we want to prevent employees from sharing "Customer Financial Data" with anyone outside the organization via email or OneDrive.
Step 2: Choose a Template or Custom Policy
In the Microsoft Purview compliance portal, you can start with a template. Microsoft provides pre-configured templates for various regulations (PCI-DSS, GDPR, etc.). These are great starting points because they already include the relevant SITs. Alternatively, you can build a custom policy from scratch if your needs are unique.
Step 3: Configure Locations
Select where the policy should be active. For our example, we would toggle on Exchange, SharePoint, and OneDrive. You can choose to include all users or exclude specific departments (like the Legal or Finance team who might actually need to send this data as part of their job).
Step 4: Define Rules (Conditions and Actions)
This is the "brain" of the policy. You define the condition: "Content contains Credit Card Numbers" AND "Content is shared with people outside my organization." Then, you define the action: "Block the user from sending the info" and "Send an email notification to the user's manager."
Step 5: User Notifications and Overrides
This is a critical step for user adoption. You should almost always enable "User Notifications" (Policy Tips). A Policy Tip is a small banner that appears in Outlook or OneDrive, telling the user why their action is being blocked.
You can also allow "User Overrides." This allows a user to bypass the block if they provide a business justification. This is helpful for preventing "false positives" from stopping urgent work. All overrides are logged for later review by the security team.
Step 6: Test Mode (Simulation)
Never deploy a DLP policy in "Turn it on right away" mode. Always use the "Test it out first" option. In this mode, the policy runs in the background. It identifies matches and generates reports, but it does not actually block the users. This allows you to see how many "hits" the policy gets and adjust the sensitivity before it starts impacting the workforce.
Technical Implementation: Using PowerShell for DLP
While most admins use the Purview web interface, PowerShell is incredibly useful for bulk operations or for documenting your policies as code. Below is an example of how you might create a simple DLP policy and rule using the Exchange Online and Compliance PowerShell modules.
# First, connect to the Compliance Center
Connect-IPPSSession
# Create the top-level DLP Policy container
New-DlpCompliancePolicy -Name "Protect_PII_Policy" `
-Comment "Policy to prevent sharing of PII outside the org" `
-ExchangeLocation All `
-SharePointLocation All `
-OneDriveLocation All `
-Mode TestWithNotifications
# Create a rule within that policy
# This rule looks for Social Security Numbers and blocks external sharing
New-DlpComplianceRule -Name "Block_SSN_External" `
-Policy "Protect_PII_Policy" `
-ContentContainsSensitiveInformation @(@{Name="U.S. Social Security Number (SSN)"; MinCount=1}) `
-ContentIsSharedWith External `
-BlockAccess $true `
-NotifyUser "[email protected]"
Explanation of the Code:
Connect-IPPSSession: This establishes the connection to the Security & Compliance PowerShell endpoint.New-DlpCompliancePolicy: This creates the "bucket" for your rules. We set the-ModetoTestWithNotifications. This is a best practice; it ensures the policy is active for reporting and user education but doesn't actually stop the data flow yet.New-DlpComplianceRule: This is the specific logic.- The
ContentContainsSensitiveInformationparameter specifies we are looking for the built-in SSN SIT. MinCount=1means even a single instance will trigger the rule.ContentIsSharedWith Externalensures the rule only triggers if the data is heading outside the company.BlockAccess $truetells the system to stop the action.
- The
Endpoint DLP: Protecting the Physical Device
Endpoint DLP is a significant step up from standard cloud-based DLP. It requires the Microsoft Purview extension for Chrome (if not using Edge) and ensures that the protection follows the data even when it's offline or being moved to hardware.
Key Capabilities of Endpoint DLP:
- Removable Media Control: You can set a policy that says: "Users can read files from a USB drive, but they cannot copy any file containing 'Project X' keywords onto a USB drive."
- Browser Protection: You can prevent users from uploading sensitive files to "unallowed browsers" or specific websites. For example, you can allow uploads to the corporate SharePoint site but block uploads to a personal Mega.nz or MediaFire account.
- Clipboard Protection: You can prevent users from copying sensitive data from a protected Word document and pasting it into a personal chat app or a web form.
- Network Share Protection: Prevents users from moving sensitive data to unsecured local network folders.
Configuring Endpoint Settings
In the Purview portal, under "DLP Settings," you will find "Endpoint Settings." Here, you define your global "Unallowed" lists. You might list chrome.exe or firefox.exe as unallowed browsers if you want to force users to use Microsoft Edge (which has native DLP integration). You can also define "Service Domains" (like personal-dropbox.com) that are specifically blocked from receiving sensitive uploads.
Warning: Blocking entire browsers can lead to a "Shadow IT" rebellion. It is usually better to use the "Service Domain" restrictions or the Microsoft Purview extension for Chrome, which allows the browser to work normally while still enforcing DLP rules on specific files.
Best Practices for Data Loss Prevention
Implementing DLP is as much about psychology and communication as it is about technology. If users feel like the "security police" are preventing them from working, they will find workarounds (like taking a photo of their screen with a phone).
1. Start with "Audit Only"
Run every new policy in "Audit" or "Test" mode for at least 2 to 4 weeks. Analyze the logs in the Activity Explorer. You will likely find that your SITs are triggering on things you didn't expect. For example, a specific internal part number might look exactly like a Swedish Tax ID. Testing allows you to tune the "Confidence Level" of the SIT to reduce these false positives.
2. Use "High Confidence" for Blocking
DLP SITs have a confidence level (usually 65% to 85% or higher). When you are first starting out, only set "Block" actions for "High Confidence" matches. If the system is 90% sure it's a credit card, blocking it is safe. If it's only 60% sure, it's better to just audit the event or notify the user rather than stopping the business process.
3. Educate via Policy Tips
The "Policy Tip" is your best friend. Instead of a generic "Access Denied" message, customize the tip to say: "It looks like this document contains customer IDs. Per company policy, these cannot be shared via OneDrive. Please use the Secure File Transfer portal instead." This teaches the user the correct behavior for next time.
4. The Principle of Least Privilege
Apply DLP policies to the groups that actually handle sensitive data. You don't necessarily need to scan the "Marketing" team's OneDrive for "Medical Records" if they never handle that data. Scoping your policies makes them more efficient and reduces the processing load on the tenant.
5. Focus on the "Exit Points"
While internal protection is good, the highest risk is at the exit points: External email, external sharing links, and USB drives. Prioritize these "Egress" points in your initial deployment phase.
Common Pitfalls and How to Avoid Them
Even with the best tools, DLP projects can fail. Here are the most common mistakes organizations make.
Over-Scanning and Performance Issues
If you create a single policy that looks for 200 different SITs across every single location in your company, you may experience latency. Users might notice that it takes a few seconds longer for an email to send or for a file to save.
- Solution: Break policies down by department or data type. Have one policy for "Financial Data" and another for "Health Data."
Ignoring False Positives
If a user gets blocked incorrectly and they report it, but the admin does nothing, the user loses trust in the system.
- Solution: Regularly review the "DLP Alerts" dashboard. If a specific rule is causing too many false positives, adjust the "Instance Count" (e.g., only trigger if more than 5 credit card numbers are found) or add "Exceptions" to the rule.
Neglecting the "Internal" Risk
Many organizations focus entirely on stopping data from leaving the company. However, a significant amount of data loss happens internally when a user accidentally moves a sensitive file into a "Public" or "All Company" folder.
- Solution: Ensure your SharePoint DLP policies include conditions for "Content shared with 'Everyone'" or "Content shared with 'People in my organization'."
Failure to Update Policies
Regulations change, and so does the way your company handles data. A DLP policy created three years ago might not cover a new software platform your company just adopted.
- Solution: Schedule a quarterly review of your DLP alerts and policy configurations to ensure they still align with the current business environment.
Comparison: DLP Actions
When configuring a rule, you have several options for what happens when a match is found. Choosing the right one is essential for balancing security and productivity.
| Action | Description | Best Use Case |
|---|---|---|
| Audit Only | Logs the event but does nothing to the user or the file. | New policies; gathering a baseline of data movement. |
| Notify User | Shows a Policy Tip or sends an email to the sender. | Education-first approach; low-risk data types. |
| Block with Override | Stops the action but allows the user to say "I need to do this anyway." | High-productivity environments where false positives are costly. |
| Block | Completely prevents the action (e.g., email isn't sent, file isn't copied). | Highly sensitive data (SSNs, Trade Secrets) and high-confidence matches. |
| Encrypt (Exchange) | Allows the email to be sent but automatically applies Office 365 Message Encryption. | When data must be sent to a partner but must remain secure in transit. |
Callout: DLP vs. Sensitivity Labels
It is easy to confuse Sensitivity Labels (Information Protection) with DLP. Think of it this way: Sensitivity Labels are like a "Top Secret" stamp on a physical folder. It identifies the content's importance. DLP is like the security guard at the door who checks the folders. The guard (DLP) can look at the stamp (Label) to decide whether to let you through, but the guard can also look inside the folder to see what's there, even if there is no stamp. They work best together: Use Labels to classify data, and use DLP to enforce rules based on those labels.
Monitoring and Incident Response
Once your policies are live, the work shifts to monitoring. Microsoft Purview provides three main tools for this:
- DLP Alerts Dashboard: This is where you see high-priority incidents. If a user tries to upload 1,000 credit card numbers to a personal Dropbox, it will show up here. Admins can assign these alerts to investigators, leave comments, and close them once resolved.
- Activity Explorer: This is a deep-dive tool. It shows every single "hit" or "match" across your entire tenant, even those that didn't trigger a "Block." It’s incredibly useful for seeing trends—for example, noticing that the Accounting department has started using a new cloud service you weren't aware of.
- DLP Reports: These provide high-level summaries. You can see which policies are being triggered most often and which users are the most frequent "offenders." This data is vital for reporting to executive leadership about the "Value" of the compliance program.
Responding to an Incident
When an alert is triggered, the response should follow a standard procedure:
- Verify: Is it a false positive? Look at the "Matched Content" snippet in the alert to see what actually triggered the rule.
- Contextualize: Who was the user? Was this a part of their normal job?
- Remediate: If the data was shared externally, you can use the "Revoke Access" features. If the user was acting maliciously, involve HR or Legal.
- Tune: If the alert was a false positive, update the policy immediately to prevent it from happening again.
FAQ: Common Questions about Microsoft Purview DLP
Q: Does DLP scan encrypted files? A: It depends. If the file is encrypted using Microsoft Purview Information Protection (Sensitivity Labels), the DLP engine can decrypt it to scan the content because it has the necessary keys. However, if a user puts a sensitive file inside a password-protected ZIP file or uses third-party encryption (like PGP), the DLP engine cannot see inside it. In those cases, you can create a DLP rule that blocks any password-protected or unscanable file from being sent externally.
Q: Can I use DLP to protect data on mobile phones? A: Standard Microsoft Purview DLP focuses on the Office apps on mobile (Outlook, Word, etc.) via App Protection Policies (MAM) in Intune. For example, you can prevent a user from copying data from the corporate Outlook app and pasting it into the personal Twitter app on their iPhone.
Q: How long does it take for a new DLP policy to take effect? A: Generally, it takes about 15 minutes to an hour for a policy to propagate across the service. However, it can occasionally take up to 24 hours for full synchronization across all global data centers. Always wait at least an hour before testing a new policy.
Q: Does DLP work on Linux? A: Currently, Microsoft Purview Endpoint DLP supports Windows and macOS. For Linux servers or workstations, you would typically use different methods or rely on the "Defender for Cloud Apps" integration if they are accessing cloud-based resources.
Key Takeaways
To master Data Loss Prevention within Microsoft Purview, keep these core principles in mind:
- DLP is an "If/Then" Logic Engine: It identifies sensitive data (SITs, Classifiers, EDM), checks the location (Exchange, Teams, Endpoint), and applies an action (Audit, Block, Encrypt).
- Start Small and Test: Always use "Test Mode" first. Deploying a "Block" policy on day one is a recipe for a support desk nightmare and frustrated employees.
- User Education is Protection: Use Policy Tips to turn security incidents into "teachable moments." A user who understands why they shouldn't share data is a smaller risk than one who is just blocked without explanation.
- Reach Beyond the Cloud: Use Endpoint DLP to protect data on physical devices, preventing leaks via USB drives, printing, and unapproved web browsers.
- Tuning is an Ongoing Process: No DLP policy is perfect. Regularly review your Activity Explorer and Alerts to reduce false positives and ensure your rules are keeping up with the business.
- Integration is Key: DLP works best when integrated with Sensitivity Labels. Labels classify the data, and DLP enforces the movement rules based on those classifications.
- Focus on Egress: Prioritize the points where data leaves your control—external emails, guest sharing in SharePoint, and physical hardware exports.
By following these guidelines and understanding the deep technical capabilities of Microsoft Purview, you can move from a reactive security posture to a proactive one, ensuring that your organization's most sensitive information remains exactly where it belongs.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons