Create a DLP policy from a template
The easiest, most common way to get started with DLP policies is to use one of the templates included in the Microsoft Purview compliance portal. You can use one of these templates as is, or customize the rules to meet your organization's specific compliance requirements.
Microsoft 365 includes over 40 ready-to-use templates that can help you meet a wide range of common regulatory and business policy needs. See; Policy templates for a complete list.
You can fine tune a template by modifying any of its existing rules or adding new ones. For example, you can add new types of sensitive information to a rule, modify the counts in a rule to make it harder or easier to trigger, allow people to override the actions in a rule by providing a business justification, or change who notifications and incident reports are sent to. A DLP policy template is a flexible starting point for many common compliance scenarios.
You can also choose the Custom template, which has no default rules, and configure your DLP policy from scratch, to meet the specific compliance requirements for your organization.
If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Members of your compliance team who will create DLP policies need permissions to the Compliance Center. By default, your tenant admin will have access can give compliance officers and other people access. Follow these steps:
Create a group in Microsoft 365 and add compliance officers to it.
Create a role group on the Permissions page of the Microsoft Purview compliance portal.
While creating the role group, use the Choose Roles section to add the following role to the role group: DLP Compliance Management.
Use the Choose Members section to add the Microsoft 365 group you created before to the role group.
Use the View-Only DLP Compliance Management role to create role group with view-only privileges to the DLP policies and DLP reports.
For more information, see Permissions in the Microsoft Purview compliance portal.
These permissions are required to create and apply a DLP policy not to enforce policies.
Roles and Role Groups
There are roles and role groups that you can use to fine tune your access controls.
Here's a list of applicable roles. To learn more about them, see Permissions in the Microsoft Purview compliance portal
- Information Protection Admin
- Information Protection Analyst
- Information Protection Investigator
- Information Protection Reader
Here's a list of applicable role groups. To learn more about the, see Permissions in the Microsoft Purview compliance portal
- Information Protection
- Information Protection Admins
- Information Protection Analysts
- Information Protection Investigators
- Information Protection Readers
Create the DLP policy from a template
Sign in to the Microsoft Purview compliance portal.
In the Microsoft Purview compliance portal > left navigation > Solutions > Data loss prevention > Policies > + Create policy.
Choose the DLP policy template that protects the types of sensitive information that you need > Next.
Name the policy > Next.
To choose the locations that you want the DLP policy to protect and either accept the default scope for each location or customize the scope. See, Locations for scoping options.
Choose > Next.
Do one of the following:
- Choose All locations in Office 365 > Next.
- Choose Let me choose specific locations > Next. For this example, choose this.
To include or exclude an entire location such as all Exchange email or all OneDrive accounts, switch the Status of that location on or off.
To include only specific SharePoint sites or OneDrive for Business accounts, switch the Status to on, and then click the links under Include to choose specific sites or accounts. When you apply a policy to a site, the rules configured in that policy are automatically applied to all subsites of that site.
In this example, to protect sensitive information stored in all OneDrive for Business accounts, turn off the Status for both Exchange email and SharePoint sites, and leave the Status on for OneDrive accounts.
Choose Review and customize default settings from the template > Next.
A DLP policy template contains predefined rules with conditions and actions that detect and act upon specific types of sensitive information. You can edit, delete, or turn off any of the existing rules, or add new ones. When done, click Next.
Choose to detect when this content is shared inside your organization or outside your organization if you have selected any of these locations:
- Teams Chat and Channel Messages
On the Protection actions page if you want, you can customize the policy tip notifications and notification emails. Enable When content matches the policy conditions, show policy tips to users and send them an email notification, then choose Customize the tip and email.
Submit and view feedback for