Data security is a top priority for businesses of every size. Whether it’s safeguarding customers’ personal data, or organization’s own proprietary data, data loss prevention (DLP) is an essential practice in the digital world. The legal, financial, and reputational damage that can result from data loss can prove devastating for many businesses.
DLP is concerned with finding sensitive information like financial data (credit card numbers), social security numbers, and proprietary data controlled by organizations and preventing it from being overshared or maliciously modified.

Microsoft 365 DLP is one of the Microsoft 365 Compliance tools that leverages the power of the synergy created by strong framework, technologies, strategies, tools and processes to create rules and policies and, thus protect confidential, critical or sensitive data.

A simple, yet a powerful framework:

  • Know your data: Understand your data landscape and identify sensitive data across your hybrid environment
  • Protect your data: Apply flexible protection actions that include encryption, access restrictions, and visual markings
  • Prevent data loss: Detect risky behavior and prevent accidental oversharing of sensitive information
  • Govern your data: Automatically retain, delete, and store data and records in a compliant manner

Microsoft 365 Data Loss Prevention (DLP)

Microsoft 365 provides several resources to help the administrators maintain awareness of the organization’s data.
The most common causes for the data loss are:

  • Knowing the root – cause helps organizations to device a potent policy.
  • External threats – Cybercriminals are constantly devising new ways to exploit cybersecurity defenses. To minimize the risk and fallout of malicious actors, organizations need to control access to sensitive data and monitor user activity in real-time. Organizations need to have policies in place to catch the exploit while it’s hot, and to act as soon as anomalous behavior is spotted.
  • Accidental mistakes – Human error is a common cause of data loss and leakage. Whether it’s not recognizing a malicious phishing email or misplacing devices containing sensitive data in public places, organizations need to put measures in place to be as proactive as possible and safeguard data at all times.
  • Internal people – Many data leaks arise from intentional acts or malicious intent from an organization’s own employees. Zero trust policies often form the backbone of data loss prevention, because organizations must protect their data assets from complex and unpredictable scenarios.

The Scope of DLP in Microsoft 365 includes and not limited to:

  • Microsoft 365 services including Exchange, Teams, SharePoint, and OneDrive
  • Office apps like Word, Excel, and PowerPoint
  • Windows 10/11 endpoints
  • Non-Microsoft cloud apps
  • On-premises SharePoint and on-premises file shares

Fig 1: The Scope of DLP in Microsoft 365

Key features

Here are some of the most important features of DLP in Microsoft 365.

  • Admins can be alerted when sensitive data is being shared on platforms such as SharePoint, OneDrive, Exchange, or Teams
  • A pop-up warning that sensitive data is at risk
  • Users can be prevented from inadvertently sharing sensitive data by blocking the ability for the user to share (with or without the ability to override)
  • Sensitive data can be monitored on desktop applications, such as PowerPoint, Excel, and Word, available in the Office Suite
  • Locking sensitive data and moving it to a secure location
  • Team members can be educated about maintaining compliance. The policies can be set up such that workflows are not disrupted
  • The sensitive information will not be displayed to users
  • Advanced reports aligning with the company’s custom-made DLP protocols can be generated

Data Loss Prevention Policy

A sound DLP policy ensures that an organization is protected from data breaches and thus its loss.
By applying a DLP policy, organization can enforce rules to help oversee what sensitive information the it has, where it’s located, and how it’s being utilized by the users. A policy has rules which consist of conditions and actions that define how users can utilize the sensitive data:

  • Monitor – If the organization only want to audit behavior around your content but still allow users to access
  • Block – Restrict the activity completely
  • Override – Restrict activity but allow users to override when certain conditions are met

To determine what data to protect, organization first have to identify the apps and solutions to conduct the sensitive data scans on. To make things easier, DLP’s File Path Exclusions Section can help by letting you exclude specific paths from DLP monitoring.

Once the data that needs to be protect is defined, organization now have to think about how to handle access. You can exclude certain apps that you don’t trust to access the data through these features:

  • Add unallowed apps – Define specific applications, whether sync type or another line of business applications
  • Browser and domain restrictions for sensitive data – Construct specific authorized or unauthorized browsers, service domains like Dropbox, and third-party cloud apps to prevent unwanted access, uploading, or modifications


The following simple steps help in making the policy function:

  • Start creating a new policy in the Microsoft compliance Center Name the policy and add a helpful description so other teams can understand your DLP policy and its purpose
  • Specify where the organization would like the DLP policies to be enforced
  • Define policy settings by choosing the type of content organization would like to protect
  • Test your policy and fine tune accordingly
  • Finally, review your setting

DLP configuration is a vital element carried out using Industry best practices. The proven steps are as below:

  • Monitor Target: In the first place, organization need to decide what it want to monitor. The DLP policy templates are in-built with many predefined areas including privacy data for various countries and regions, financial data, as well as medical and health data.
    As for custom policy, it uses the available sensitive info types, retention labels, and sensitivity labels.
  • Monitor Location: Then, you should select where to monitor with Microsoft 365 data loss prevention policy. Just pick one or multiple locations from the below list
  1. Microsoft Teams chat and channel messages
  2. Windows 10/11 devices
  3. On-premises repositories
  4. Exchange Online emails
  5. SharePoint Online sites
  6. OneDrive accounts
  7. Microsoft Cloud App Security
  • Policy Application Condition: Thirdly, choose the conditions that must be matched for a policy to be implemented to an item. You can accept the pre-configured conditions or configure your own ones. Some of the pre-configured conditions are listed below.
  1. Item has a specified sensitivity label.
  2. An item with sensitive info is shared internally or externally.
  3. An item containing a specified type of sensitive info is being used in an unallowed situation.
  • Action to Take When the Policy Conditions are Met: Please note that the actions can be taken when the specified conditions are met but depending on the location where the activity is happening.
    In Teams Chat and Channel, you can block sensitive information from being shared in the chat or channel.

In Exchange, SharePoint, or OneDrive, you are allowed to block people outside your organization from accessing the content while showing the users a tip and send them a mail notice telling them that they are performing an action prohibited by the DLP policy.

In the Office apps, you are enabled to show a pop-up notification informing the user that they are engaging in risky behavior. Meanwhile, block them while allowing with override or without.

In Windows 10/11 devices, you are able to audit or restrict copying a sensitive item to a removable USB device.
While in on-premises file shares, you can move the file from its origination to a quarantine place.

Next Steps

Once the data loss prevention policy is configured, the data is secured and synced to various content sources including:

  • From Exchange Online to Outlook and Outlook on the web Office desktop apps: Word, Excel, and PowerPoint
  • Microsoft Teams chat and channel
  • SharePoint Online sites
  • OneDrive for Business sites

Eventually, when the policy is synced to the right locations, it will begin to evaluate the contents and enforce actions.
However, the ongoing data generated, continues to be vulnerable; the patterns and the data sets defined in the earlier phase may soon become obsolete if sustainable and continuous upgradation plans aren’t in place. An organization needs a specialist to define, configure, deploy, implement and provide an ongoing support with continuous upgrades.

In conclusion, as more organizations encourage employees to work from anywhere, on any device, data loss prevention (DLP) has turned out to be a must-have to secure the ever growing sensitive data and thereby ensure success to the organization.

Written By:


Softlanding is a long-established IT services provider of transformation, professional services and managed IT services that helps organizations boost innovation and drive business value. We are a multi-award-winning Microsoft Gold Partner with 13 Gold Competencies and we use our experience and expertise to be a trusted advisor to our clients. Headquartered in Vancouver, BC, we have staff and offices in Toronto, Montreal and Calgary to serve clients across Canada.

More By This Author