Configure email notifications for DLP policies

Organizations can use a Microsoft Purview Data Loss Prevention (DLP) policy to identify, monitor, and protect sensitive information across Microsoft 365. An organization wants its users who work with sensitive information to stay compliant with its DLP policies. However, it doesn't want to unnecessarily block them from getting their work done. Email notifications and policy tips can help with this situation.

Screenshot of an Excel spreadsheet with a social security number that displays a policy tip message with an Override button.

When an organization creates a DLP policy, it can configure the user notifications to:

  • Send an email notification that describes the issue to the people it chooses.
  • Display a policy tip for content that conflicts with the DLP policy:
    • For email in Outlook on the web and Outlook 2013 and later, the policy tip appears at the top of a message above the recipients. The system also displays the message while the user composes it.
    • For documents in a OneDrive for Business account or SharePoint Online site, the system displays a warning icon on the item to indicate the presence of a policy tip. To view more information, you can select an item and then choose Information in the upper-right corner of the page to open the details pane.
    • For Excel, PowerPoint, and Word documents that you store on a OneDrive for Business site or SharePoint Online site included in the DLP policy, the policy tip appears on the Message Bar and the Backstage view (select File menu, then Info).

Add user notifications to a DLP policy

You can enable user notifications at the time you create a DLP policy. When you enable the notification setting, Microsoft 365 sends out both email notifications and policy tips. You can customize who to send notification emails to, the email text, and the policy tip text.

The prior training unit provided step-by-step instructions on how to create a DLP policy from a policy template. Refer to those instructions if you need a refresher on how to create a policy.

You define notifications when you reach the step of defining the policy settings:

  1. On the Define policy settings page, select the Create or customize advanced DLP rules option, and then select Next.

  2. On the Customize advanced DLP rules page, select +Create rule on the menu bar.

  3. On the Create rule page, enter a name for the rule in the Name field.

  4. Under the User notifications section, set the toggle switch to On. Setting this option to On enables two more options.

    • Under the Endpoint devices section, you can select the option to Show users a policy tip notification when an activity is restricted.

    • Under the Microsoft 365 services section, you can select an option to Notify users in Office 365 service with a policy tip.

      Screenshot of the user notifications window that appears in the rule editor.

  5. Update any other settings that are applicable to this policy, and then select Save. The next section examines the Send email alerts to these people option.

Note

The system sends email notifications unprotected.

Options for configuring email notifications

For each rule in a DLP policy, you can:

  • Send the notification to the people you choose. These people can include the owner of the content, the person who last modified the content, the owner of the site that stores the content, or a specific user.
  • Customize the text that's included in the notification by using HTML or tokens. For more information, see the following section.

When configuring email notifications, keep in mind the following items:

  • You can only send email notifications to individual recipients. You can't send notifications to groups or distribution lists.
  • Only new content triggers an email notification. Editing existing content triggers policy tips, but not email notifications.
  • External senders don't receive notifications. Notifications go only to internal users.

Screenshot of the email notifications window with the Notify these people option selected.

Default email notification

Default email notifications have a Subject line that begins with the action taken. For example:

  • "Notification"
  • "Message Blocked" for email
  • "Access Blocked" for documents

If the notification is about a document, the notification message body includes a link that takes the user to the site that stores the document. The link also opens the policy tip for the document, so the user can resolve any issues (see the next unit on policy tips). If the notification is about a message, the notification includes as an attachment the message that matches a DLP policy.

Screenshot of the default email notification window with a link to the site to fix the issues.

By default, notifications display text similar to the following for an item on a site. You configure the notification text separately for each rule. As a result, the text displayed differs depending on the matching rule.

| If the DLP policy rule does this action... | Then the default notification for SharePoint or OneDrive for Business documents displays this text... | Then the default notification for Outlook messages displays this text... |
| --- | --- | --- |
| Sends a notification but doesn't allow override. | This item conflicts with a policy in your organization. | Your email message conflicts with a policy in your organization. |
| Blocks access, sends a notification, and allows override. | This item conflicts with a policy in your organization. If you don't resolve this conflict, the system might block access to this file. | Your email message conflicts with a policy in your organization. The system didn't deliver the message to all recipients. |
| Blocks access and sends a notification. | This item conflicts with a policy in your organization. The system blocks access to this item for everyone except its owner, last modifier, and the primary site collection administrator. | Your email message conflicts with a policy in your organization. The system didn't deliver the message to all recipients. |

Custom email notification

An organization can create a custom email notification instead of sending the default email notification to its end users or administrators. The custom email notification supports HTML and has a 5,000-character limit. HTML can include images, formatting, and other branding in the notification.

An organization can also use the following tokens to help customize the email notification. These tokens are variables that you must replace with specific information in the notification that you send.

| Token | Description |
| --- | --- |
| %%AppliedActions%% | The actions applied to the content. |
| %%ContentURL%% | The URL of the document on the SharePoint Online site or OneDrive for Business site. |
| %%MatchedConditions%% | The conditions that matched the content. Use this token to inform people of possible issues with the content. |

Screenshot of the custom email notification window with all the tokens highlighted.
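
A pre-flight check for a custom notification body, added here as an example and not part of the original unit or of any Microsoft tooling: it flags a body over the 5,000-character limit, tokens other than the three listed above, and unclosed %% delimiters, then renders a local preview. The function names, the sample template and values, and the assumptions that the limit counts markup and that tokens match only as spelled above are illustrative.

```python
import html
import re

# Taken from the unit text: the three documented tokens and the
# 5,000-character limit for a custom notification body.
SUPPORTED_TOKENS = {"AppliedActions", "ContentURL", "MatchedConditions"}
MAX_CHARS = 5000
TOKEN_RE = re.compile(r"%%(\w+)%%")


def lint_notification(body):
    """Return a list of problems found in a custom notification body."""
    problems = []
    # Assumption: the limit is counted over the whole body, markup included.
    if len(body) > MAX_CHARS:
        problems.append(f"body is {len(body)} characters; limit is {MAX_CHARS}")
    for name in sorted(set(TOKEN_RE.findall(body)) - SUPPORTED_TOKENS):
        # Assumption: only the exact spelling shown in the unit is recognised.
        problems.append(f"unsupported token %%{name}%%")
    # A '%%' left over once well-formed tokens are removed is an unclosed token.
    if "%%" in TOKEN_RE.sub("", body):
        problems.append("unbalanced %% delimiter")
    return problems


def preview(body, values):
    """Substitute constructed sample values to see how the text would read."""
    def fill(match):
        name = match.group(1)
        return html.escape(values[name]) if name in values else match.group(0)
    return TOKEN_RE.sub(fill, body)


# Constructed sample template and values, for illustration only.
SAMPLE_BODY = (
    "<p>This item conflicts with a policy in your organization.</p>"
    "<p>Matched: %%MatchedConditions%%</p>"
    "<p>Action: %%AppliedActions%%</p>"
    '<p><a href="%%ContentURL%%">Open the item</a></p>'
)
SAMPLE_VALUES = {
    "MatchedConditions": "U.S. Social Security Number (SSN)",
    "AppliedActions": "NotifyUser",
    "ContentURL": "https://contoso.example/sites/finance/report.xlsx",
}

if __name__ == "__main__":
    print(lint_notification(SAMPLE_BODY) or "no problems")
    print(preview(SAMPLE_BODY, SAMPLE_VALUES))
```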

Knowledge check

Choose the best response for the following question.

  1. As the Microsoft 365 Administrator for World Wide Importers, Allan Deyoung wants to create a DLP policy to identify, monitor, and protect sensitive information across the company's Microsoft 365 tenant. As part of the DLP policy, Allan wants to configure it to send both user notifications and policy tips. Which of the following items is an action that Allan can configure when sending an email notification or a policy tip?