Microsoft 365 Data Loss Prevention (DLP) Policies: Setup Guide

Microsoft 365 Data Loss Prevention (DLP) Policies: Setup Guide

Data loss is one of the greatest threats facing organizations today. Whether through accidental oversharing, malicious insiders, or compromised accounts, sensitive data can leak outside your organization in seconds. This is where Microsoft 365 Data Loss Prevention (DLP) policies become critical.

DLP policies monitor and control how sensitive information moves through your Microsoft 365 environment—preventing unauthorized sharing while maintaining user productivity. This comprehensive guide walks you through configuring DLP policies for maximum protection.

What DLP Policies Protect

Microsoft 365 DLP monitors sensitive data across:

• Email: Messages and attachments in Outlook and Exchange
• Teams: Chat messages, channel conversations, and shared files
• SharePoint and OneDrive: Document storage and sharing
• Endpoints: Documents accessed on Windows devices
• On-premises repositories: If connected to Microsoft Purview

DLP policies identify sensitive content using built-in rules, custom patterns, and machine learning. When sensitive content is detected, you define actions: blocking, notifying users, requiring justification, or simply logging for audit purposes.

Prerequisites for DLP Implementation

Before implementing DLP, ensure you have:

• Microsoft 365 Business Standard or higher (Pro/E3/E5 plans support DLP)
• Global Admin or Compliance Admin role in your tenant
• Compliance portal access: compliance.microsoft.com
• User communication plan: DLP can frustrate users if not properly explained
• Phased implementation timeline: Start restrictive, then relax based on false positive rates

Accessing the DLP Policy Interface

1. Navigate to compliance.microsoft.com
2. Sign in with your Global Admin credentials
3. In the left navigation, select Data Loss Prevention
4. Choose Policies
5. Click + Create policy

Step 1: Choose Your Policy Template

Microsoft provides pre-built templates for common regulations and data types:

• U.S. Personally Identifiable Information (PII): Social Security numbers, driver’s license numbers
• U.S. Health Insurance Portability and Accountability Act (HIPAA): Protected health information
• Payment Card Industry Data Security Standard (PCI-DSS): Credit card numbers
• U.S. State Breach Notification Laws: Sensitive state-specific data
• General Data Protection Regulation (GDPR): EU personal data
• Financial: Banking and financial account information

For this guide, we’ll start with the U.S. PII template, which detects:

• Social Security numbers
• Passport numbers
• Driver’s license numbers
• Bank account numbers

Alternatively, you can create a Custom Policy if you need specific configurations not covered by templates.

Step 2: Name and Describe Your Policy

Provide a clear name and description:

• Name: “PII Protection - All Locations”
• Description: “Blocks external sharing of documents containing U.S. PII (SSN, driver’s license, passport numbers) across Exchange, SharePoint, and Teams”

This documentation helps your team understand the policy’s purpose during audits.

Step 3: Select Content Scope

Choose where the DLP policy applies:

Recommended Configuration for MSPs

• Exchange Email: ON (protects email and attachments)
• SharePoint: ON (protects document libraries)
• OneDrive: ON (protects personal cloud storage)
• Teams: ON (protects Teams chat and channel messages)
• Devices: OFF initially (requires additional licensing and agent deployment)

Enable all locations by default. You can refine scope later based on false positive rates.

Step 4: Configure Sensitive Information Types

The policy you selected includes pre-configured sensitive information types (SITs). Review the default SITs:

• Social Security Number: Detects 9-digit format matching US SSN pattern
• Driver’s License Number: Detects US state driver’s license formats
• Passport Number: Detects passport number format
• Bank Account Number: Detects account number patterns

Each SIT has a confidence level:

• High confidence: 85-100% certainty it’s sensitive data
• Medium confidence: 75-84% certainty

Best practice: Start with High confidence only to reduce false positives. After 2-4 weeks of monitoring, review audit logs and increase to Medium confidence if needed.

To modify confidence levels:

1. Click the sensitive information type
2. Select Edit
3. Adjust Instance count and Confidence level thresholds
4. Save changes

Step 5: Define User Exceptions (Optional)

Allow specific users or groups to bypass DLP restrictions for legitimate business purposes.

Example: Allow HR managers to email documents containing SSNs to payroll vendors.

1. Click Exceptions
2. Select Add exception
3. Choose users or groups
4. Specify which sensitive information types they can send externally
5. Set expiration date (quarterly review recommended)

Use exceptions sparingly—each exception reduces your protection surface.

Step 6: Configure Policy Rules

Now define what happens when sensitive data is detected.

Rule 1: Block External Sharing (Recommended)

Applies to: Email, SharePoint, Teams

Condition: Content contains any of your sensitive information types

Action: Block unless user overrides with business justification

Configuration steps:

1. Click + Add rule
2. Name: “Block External PII Sharing”
3. When content contains: Select your sensitive information types
4. Action: “Restrict access”
5. Choose whether users can override: ON (enable with business justification)
6. Require business justification: ON
7. Notification text: “This document contains sensitive personal information and cannot be shared externally. If you have business justification to send this information, please explain in the prompt.”

Rule 2: Audit Internal Sharing (Optional)

Create a secondary rule to monitor internal sharing without blocking:

1. When content contains: PII
2. Action: “Send incident report to admin”
3. Notify users: ON
4. Notification text: “This document contains sensitive information. Ensure you’re sharing with appropriate recipients.”

This rule logs activity for compliance audits while allowing internal collaboration.

Step 7: Set Incident Report Details

Configure what happens when DLP violations occur:

1. Incident report recipient: Your compliance or security team email
2. Include details in alert: ON (includes file name, sender, detected content type)
3. How many incident reports: “Single report if sharing with 1-100 people”
4. Send email notification: ON
5. Email recipients: Security team distribution list

These incident reports alert your team to potential data loss attempts, enabling rapid response.

Step 8: Test the Policy in Audit Mode

Before enforcing actions, deploy the policy in Audit Mode for 2-4 weeks.

In audit mode, DLP:

• Detects sensitive information
• Records violations
• Does NOT block user actions
• Provides data to refine rules

Configuration:

1. Under Review your settings, find Action if content matches
2. Select Test it out (Report only)
3. Click Save

Monitoring During Audit Phase

1. Return to Policies in Compliance Portal
2. Select your policy
3. Review the Analytics tab
4. Monitor:
   • Detection rate: How often sensitive data is detected
   • False positives: Legitimate content flagged as sensitive
   • User locations: Where violations occur (helps identify at-risk departments)

If false positive rate exceeds 15%, adjust confidence levels or refine sensitive information types.

Step 9: Enable Policy Enforcement

After 2-4 weeks of audit data, enable enforcement:

1. Return to your policy
2. Click Edit
3. Under Action if content matches, select Turn it on
4. Choose enforcement level:
   • Block: Prevent action unless user overrides with justification
   • Notify and allow: Warn user but allow sharing with logging

Recommended: Use Block with override for 4 weeks, then evaluate override rates. High override rates suggest the policy is too restrictive.

Advanced DLP Configurations for MSPs

Fingerprinting (Custom Pattern Recognition)

Beyond pre-built sensitive information types, create custom patterns for your organization:

Example: Detect your proprietary financial model template

1. Compliance Portal > Data Loss Prevention > Sensitive Information Types
2. Click + Create
3. Define pattern:
   • File hash (exact document match)
   • Document fingerprint (variable content, consistent structure)
4. Name: “Proprietary Financial Model”
5. Apply to DLP policy rules

Exact Data Match (EDM)

For maximum precision, use Exact Data Match to identify specific values:

Example: Prevent sharing of specific customer records

1. Upload CSV containing sensitive customer IDs
2. Create EDM rule detecting exact matches to the list
3. Apply to DLP policies

This eliminates false positives from generic patterns.

Common DLP Implementation Challenges

Challenge 1: “False Positives Are Blocking Legitimate Work”

Solution:

• Reduce sensitivity to Medium confidence level
• Create exceptions for specific departments
• Implement user override with business justification (preferred)

Challenge 2: “Users Are Frustrated by DLP Notifications”

Solution:

• Communicate DLP purpose to users before implementation
• Provide clear justification fields
• Monitor override reasons; if legitimate, adjust policy
• Offer alternative secure sharing methods

Challenge 3: “We Don’t Know Which Sensitive Data We Have”

Solution:

• Use Content Search in Compliance Portal to discover sensitive data
• Deploy Microsoft Purview Information Protection to classify data
• Run DLP in audit mode to understand your data landscape
• Start with high-confidence sensitive information types

Challenge 4: “Our Legacy Applications Send Sensitive Data Outside M365”

Solution:

• Implement Endpoint DLP on Windows devices
• Monitor local file access and cloud upload
• Requires Microsoft 365 E5 licensing
• Protect data at the source before cloud upload

Measuring DLP Success

Track these metrics quarterly:

• Detection rate: Policies detecting 10-50 violations daily indicates active monitoring
• True positive rate: >85% of detections should be legitimate sensitive data
• User override rate: <5% suggests policy is appropriately restrictive
• Time to remediation: Median 24 hours from detection to user action
• Compliance audit results: Zero undetected data loss incidents

Maintenance and Review Schedule

Monthly: Review incident reports; adjust sensitivity if needed
Quarterly: Analyze trends; update policies based on new data types
Annually: Full policy audit; validate against updated compliance requirements

Next Steps

DLP policies form the foundation of data protection in Microsoft 365. Start with built-in templates for regulatory compliance, test in audit mode, then expand to custom rules protecting proprietary information.

Ready to implement comprehensive data protection? Schedule a consultation at 365securityassessment.com to develop a DLP strategy tailored to your organization’s data sensitivity levels and compliance requirements.