Create and manage DLP policies

  • 15 minutes

Creating a data loss prevention (DLP) policy involves defining the types of data you want to protect and setting up rules for how that data can be used or shared. By carefully configuring DLP policies, you can prevent data breaches, accidental leaks, and ensure compliance with regulatory requirements.

Before you begin

Before you start creating DLP policies, ensure you have the right permissions and understand your licensing needs. DLP policies require specific roles within Microsoft Purview to configure and deploy.

Permissions

To create, manage, or deploy DLP policies, your account must be part of one or more of these role groups:

  • Compliance Administrator
  • Compliance Data Administrator
  • Information Protection Admin
  • Security Administrator

Be sure you also understand the difference between unrestricted administrators and administrative unit restricted administrators by reading Administrative units before you start.

Granular roles and role groups

There are roles and role groups that you can use to fine tune your access controls.

Here's a list of applicable roles.

  • DLP Compliance Management
  • Information Protection Admin
  • Information Protection Analyst
  • Information Protection Investigator
  • Information Protection Reader

Here's a list of applicable role groups.

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

Licensing requirements

To use DLP policies, your organization must have a Microsoft 365 subscription that includes DLP features. The necessary subscriptions are:

  • Microsoft 365 E3 or higher: Provides DLP for emails and files from Exchange Online, SharePoint, and OneDrive.
  • Microsoft 365 E5: Includes DLP for emails, files, and Microsoft Teams chats, along with advanced features like endpoint DLP for broader protection.

Ensure that your organization is using one of these subscriptions to create DLP policies.

Create a DLP policy

You can create DLP policies in two ways. You can either build a custom policy from scratch, where you define all the conditions and actions, or use a preconfigured template for common compliance scenarios. Custom policies allow you to address specific needs, while templates provide a ready made option that can be adjusted to fit your organization's requirements.

Steps to create a custom DLP policy

To create a custom DLP policy:

  1. Sign in to the Microsoft Purview portal, then navigate to Solutions > Data Loss Prevention > Policies.

  2. Select + Create policy.

  3. On the Start with a template or create a custom policy page, choose to create a Custom DLP policy, then select Next.

    Screenshot showing the option to create a DLP policy from template or create a custom policy.

  4. Name your DLP policy and provide a description. You can use the policy intent statement here if needed. Select Next.

  5. Assign admin units. If the policy applies to all users, leave the default settings, then select Next.

  6. Choose where to apply the policy, such as Exchange Online, SharePoint, or Teams, then select Next.

  7. On the Define policy settings page, ensure that Create or customize advanced DLP rules is selected, then select Next.

  8. On the Customize advanced DLP rules page, select Create rule to begin defining your advanced DLP rule.

  9. In the Create rule panel, start by naming and describing your rule.

  10. Under the Conditions section, select Add condition and choose the appropriate condition based on your organization's requirements. The available conditions depend on the locations you selected earlier in the policy.

  11. In the Actions section, choose the appropriate action for the policy, such as Allow, Audit only, Block with override, or Block.

  12. In the User notifications section, specify whether to notify users about policy matches and configure the policy tip message.

  13. In the User overrides section, decide whether to allow users to override the policy when a match is detected.

  14. In the Incident reports section, configure the severity level for alerts and determine who receives these alerts and reports.

  15. In the Additional options section, set whether the rule should stop processing further policies once it's triggered and define the priority order of the rule.

  16. Select Save at the bottom of the Create rule panel.

  17. After configuring the rule, review the summary of the advanced DLP rule you created on the Customize advanced DLP rules page, then select Next.

  18. On the Policy mode page, choose to either Run the policy in simulation mode, Turn the policy on immediately, or Leave the policy turned off for later activation.

  19. On the Review and finish page, review the policy details, then select Submit to create your custom DLP policy.

  20. After submission, on the New policy created confirmation page, select Done.

Steps to create a DLP policy from a template

To create a DLP policy from a template:

  1. In the Microsoft Purview portal, navigate to Solutions > Data Loss Prevention > Policies.

  2. Select + Create policy.

  3. On the Start with a template or create a custom policy page, select a relevant Category and Regulation to choose the appropriate policy template.

  4. On the Name your DLP policy policy page, modify the prefilled name and description as needed.

  5. Set Assign admin units if needed, then Choose where to apply the policy, such as Exchange Online, SharePoint, or Teams.

  6. Review and customize the Info to protect, Protection actions, and Customize access and override settings pages based on your organization's needs.

  7. Choose to either Run the policy in simulation mode, Turn the policy on immediately, or Leave the policy turned off for later activation.

  8. On the Review and finish page, review the policy details, then select Submit to create your custom DLP policy.

Edit a DLP policy

Edit a DLP policy when you need to change its conditions, actions, or scope to meet your organization's evolving needs. This can help reduce false positives or expand the policy to cover additional data. Use these steps to edit a DLP policy:

  1. In the Microsoft Purview portal, navigate to Solutions > Data Loss Prevention > Policies.

  2. Select the policy you want to edit, then select Edit policy.

  3. Modify conditions, actions, or scope as necessary.

  4. Save the changes and decide whether to rerun the policy in Simulation mode or Enforce it immediately.

Simulation mode allows you to test a DLP policy before fully enforcing it. This provides insights into which actions would trigger a policy match and how users might be affected without disrupting workflows.

  1. In the Microsoft Purview portal, navigate to Solutions > Data Loss Prevention > Policies.

  2. Select the policy look at and select View simulation.

  3. You'll be taken to the policy simulation page, where you can view simulation insights:

    • Simulation overview: A high-level summary of the policy's performance in simulation mode.
    • Items for review: A detailed list of flagged items during the simulation.
    • Alerts: Information on any triggered alerts, including severity and status.

  4. You can also perform these actions based on the simulation results:

    • Download a report: Export the simulation results for review or analysis.
    • Turn the policy on: Enforce the policy live, based on the insights gathered from the simulation.
    • Edit the policy: Modify the policy conditions or actions based on the simulation results.
    • Delete the policy: Remove the policy if it's no longer required.
    • Restart the simulation: Rerun the simulation to test the policy again with any updates.

Creating and managing DLP policies in Microsoft Purview is essential for protecting sensitive data and preventing accidental exposure. Running policies in simulation mode lets you evaluate how they work before enforcing them fully. This helps keep your organization's data secure while minimizing workflow disruptions.