Examine DLP policies

A Microsoft Purview DLP policy combines the sensitive-information patterns to look for, the locations to protect or exclude, and the conditions and actions that make up its rules.

  • A condition might apply to content containing confidential information (for example, a credit card number, social security number, or health ID) that a user shared with someone outside the organization.
  • An action might block access to the document and display a policy tip, or send both the user and the compliance officer an email notification.

After an organization creates DLP policies, it can activate them to examine different locations, such as:

  • Exchange email
  • SharePoint sites
  • OneDrive accounts

An organization can also create a DLP policy and choose not to enforce it. Instead, it can run the policy in test mode. Test mode lets an organization review reports of potential matches without interfering with the company's production environment. You can also configure test mode to display policy tips, which is useful for user training before enforcement begins.

A DLP policy can find and protect sensitive information across Microsoft 365, whether the information is in Exchange Online, SharePoint Online, or OneDrive for Business. You can protect all locations, exclude entire services, or exclude specific elements (such as individual sites or accounts) within a service.

For organizations to monitor and audit their DLP policies, there are two predefined reports available that show “DLP policy matches” and “DLP false positive and override.” Organizations can also request those reports through email, or they can create custom schedules for recurring reports.

Rules, conditions, and actions

Rules are what enforce an organization's business requirements on the information that it stores. A policy can contain one or more rules, and each rule consists of conditions and actions. When the system verifies that the conditions for a rule are met, it automatically performs the rule's actions.

Conditions

Conditions focus on content and context. An example of content is the type of sensitive information you’re looking for. An example of context is the person the user shared the document with.

You can use conditions to assign different actions to different risk levels. For example, sensitive content shared internally might have a lower risk and require fewer actions than sensitive content shared with people outside the organization.

Conditions can determine if:

  • Content contains any of the 80+ built-in types of sensitive information.
  • A user shared content with people outside or inside the organization.
  • Document properties contain specific values. For example, documents uploaded to Microsoft 365 from a Windows Server–based file server might have File Classification Infrastructure (FCI) properties applied to them. For email, this condition works for documents attached to messages.

Actions

When content matches a condition in a rule, the system automatically completes the actions assigned to the rule. The purpose of the actions is generally to protect the document or content. You can complete actions such as:

  • Block access to the content. For site content, the system restricts permissions on the document to the primary site collection administrator, the document owner, and the person who last modified the document. For email content, this action blocks the message from being sent. Depending on how you configure the DLP rule, the sender either receives a Non-Delivery Report (NDR) or, if the rule also uses the Send a notification action, sees a policy tip and receives an email notification.
  • Send a notification. You can have notifications sent to the person who shared, emailed, or last modified the content. For site content, you can also send notifications to the site collection administrator and document owner. Besides sending an email notification, you can also display a policy tip in the following scenarios:
    • In Outlook 2013 and later, and in Outlook on the web.
    • For the document on a SharePoint Online or OneDrive for Business site.
    • In Excel, PowerPoint, and Word (2016 or later), when a user stores the document on a site included in a DLP policy.

You can also allow users to override the configured action, which minimizes the business impact of a false positive match on the configured conditions. In this case, the system logs the override, together with the business justification if you require the user to provide one.

DLP policy configuration overview

Organizations have flexibility in how they create and configure their DLP policies. They can start from a predefined template and create a policy in just a few clicks. Or, they can design their own custom policy from the ground up. No matter which method they choose, all DLP policies require the same information.

  1. Choose what you want to monitor. DLP comes with many predefined policy templates to help you get started. You can also create a custom policy.

    • Predefined policy templates cover financial data, medical and health data, and privacy data, with templates available for various countries and regions.
    • A custom policy uses the available sensitive information types, retention labels, and sensitivity labels.
  2. Choose where you want to monitor. Organizations can pick one or more locations they want DLP to monitor for sensitive information. The following table displays the list of locations that you can monitor.

    Location                                                                Include/exclude by
    Exchange email                                                          distribution groups
    SharePoint sites                                                        sites
    OneDrive accounts                                                       accounts or distribution groups
    Teams chat and channel messages                                         account or distribution group
    Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) devices   user or group
    Microsoft Cloud App Security                                            instance
    On-premises repositories                                                repository file path
  3. Choose the conditions that must match for Microsoft Purview to apply a policy to an item. Organizations can accept preconfigured conditions or define custom conditions. Some examples are:

    • The item contains sensitive information used in a certain context. For example, a user emailed 95 social security numbers to a recipient outside the organization.
    • The item has a specified sensitivity label.
    • A user shared the item with sensitive information either internally or externally.
  4. Choose the action to take when the policy conditions are met. The available actions depend on the location where the activity is happening. Some examples include:

    • SharePoint/Exchange/OneDrive. Block people outside your organization from accessing the content. Show the user a policy tip and send them an email notification indicating that a DLP policy prohibits the action they took.
    • Teams Chat and Channel. Block users from sharing sensitive information in the chat or channel.
    • Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) devices. Audit or restrict copying a sensitive item to a removable USB device.
    • Office apps. Show a pop-up message notifying the user that they're engaging in risky behavior, then either block the action outright or block it but allow the user to override the block.
    • On-premises file shares. Move the file from its current storage location to a quarantine folder.

When you create a DLP policy in the Microsoft Purview compliance portal, the system stores the policy in a central policy store. The system then syncs the policy to the various content sources, including:

  • Exchange Online, and from there to Outlook on the web and Outlook.
  • OneDrive for Business sites.
  • SharePoint Online sites.
  • Office desktop programs (Excel, PowerPoint, and Word).
  • Microsoft Teams channels and chat messages.

After the system syncs the policy to the right locations, it starts to evaluate content and enforce actions.
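The following is an added example, not code from the Microsoft Learn module, showing how the pieces described in the "Rules, conditions, and actions" section and the four configuration steps above fit together when scripted with Security & Compliance PowerShell (the same cmdlets the compliance portal drives). It creates a policy in test mode scoped to Exchange, SharePoint, and OneDrive with one site excluded, attaches a higher-risk rule for external sharing and a lower-risk rule for internal sharing, pulls the detection data to review before enforcing, and then switches the policy to enforcement. The policy and rule names, the excluded site URL, and the compliance mailbox are placeholders; the script assumes the Exchange Online Management module is installed and the signed-in account holds a Purview compliance role.

```powershell
# Added example (not from the page): build the DLP policy described above with
# Security & Compliance PowerShell. Assumes the ExchangeOnlineManagement module is
# installed and the account has a Purview compliance role. All names, the excluded
# site URL, and the compliance mailbox are placeholders for your own tenant.

Connect-IPPSSession

$policyName = 'PCI-Credit-Card-External'

# Steps 1 and 2: what to monitor is supplied by the rules below; here the policy
# chooses where to monitor. Start in test mode WITH policy tips so users get
# guidance and the reports fill up, but nothing is blocked yet. One SharePoint
# site is excluded to show a per-service exclusion.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Credit card numbers shared outside the organization' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -SharePointLocationException 'https://contoso.sharepoint.com/sites/Finance-Archive' `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Steps 3 and 4, higher-risk case. Condition: content contains at least one
# credit card number AND is shared with people outside the organization.
# Actions: block access for everyone outside the tenant, notify the owner and
# last modifier with a policy tip, allow an override only with a recorded
# business justification, and send an incident report to the compliance team.
New-DlpComplianceRule -Name "$policyName-External" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains credit card numbers and cannot be shared outside the organization.' `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport 'compliance@contoso.com' `
    -IncidentReportContent Title, Detections, Severity `
    -ReportSeverityLevel High

# Lower-risk companion rule: the same content shared only internally is not
# blocked; the last modifier is told about it and a low-severity match is logged.
New-DlpComplianceRule -Name "$policyName-Internal" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -AccessScope InOrganization `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'This item contains credit card numbers. Handle it according to the PCI policy.' `
    -ReportSeverityLevel Low

# Review test-mode results before enforcing. Get-DlpDetailReport returns the
# per-item detections behind the "DLP policy matches" report, including any
# user overrides and their justifications. If real traffic produces noise,
# raise minCount or narrow the sensitive information type before enabling.
$detections = Get-DlpDetailReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -DlpCompliancePolicy $policyName
$detections | Format-List

# When the match rate looks right, move the policy from test mode to enforcement.
# The central policy store then syncs the change to Exchange, SharePoint, OneDrive,
# and the Office clients, and blocking starts.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Two rules on the same sensitive information type, differing only in AccessScope, are how the "different actions for different risk levels" idea in the Conditions section is expressed in practice: the internal rule never sets BlockAccess, so a false positive inside the tenant costs the user only a policy tip, while the external rule blocks but still lets the user proceed with a logged justification.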

Knowledge check


1. A DLP policy contains one or more of which item?