Examine DLP policies

Completed

A Microsoft Purview DLP policy combines different search patterns to look for, locations to protect or exclude, conditions, and actions.

  • A condition might apply to content containing confidential information that a user shared with someone outside the organization. For example, a credit card number, social security number, health ID, and so on.
  • An action might include blocking access to the document and then displaying a policy tip, or sending both the user and the compliance officer an email notification.

A DLP policy can find and protect sensitive information across Microsoft 365. It doesn't matter where the data is located. You can apply DLP policies to data at rest, data in use, and data in motion in locations such as:

  • Exchange Online email
  • SharePoint sites
  • OneDrive accounts
  • Teams chat and channel messages
  • Microsoft Defender for Cloud Apps (Instances)
  • Windows 10, Windows 11, and macOS (three latest released versions) devices
  • On-premises file repositories
  • Power BI sites

Each location has different prerequisites. Sensitive items in some locations, like Exchange Online, can be brought under the DLP umbrella by just configuring a policy that applies to them. Others, such as on-premises file repositories, require a deployment of Microsoft Purview Information Protection scanner. Given the different location prerequisites, you should prepare your environment, code draft policies, and test them thoroughly before activating any blocking actions. You can easily choose to protect all locations, exclude different services, or even exclude elements from services.

Rules, conditions, and actions

Rules are what enforce an organization's business requirements on the information that it stores. A policy can contain one or more rules, and each rule consists of conditions and actions. When the system verifies the conditions for a rule were met, it automatically performs the actions.

Conditions

Conditions focus on content and context. An example of content is the type of sensitive information you’re looking for. An example of context is the person the user shared the document with.

You can use conditions to assign different actions to different risk levels. For example, sensitive content shared internally might have a lower risk and require fewer actions than sensitive content shared with people outside the organization.

Conditions can determine if:

  • Content contains any of the 80+ built-in types of sensitive information.
  • A user shared content with people outside or inside the organization.
  • Document properties contain specific values. For example, documents uploaded to Microsoft 365 from a Windows Server–based file server might have Files Classification Infrastructure (FCI) properties applied to them. For email, this condition works for documents attached to messages.

Actions

When content matches a condition in a rule, the system automatically completes the actions assigned to the rule. The purpose of the actions is generally to protect the document or content. You can complete actions such as:

  • Block access to the content. For site content, the system restricts permissions to the document for everyone except the primary site collection administrator, document owner, and person who last modified the document. For email content, this action blocks users from sending the message. Depending on how you configure the DLP rule, the sender sees either a Non-Delivery Report (NDR), or if the rule uses the Send a notification action, a policy tip, and an email notification.
  • Send a notification. You can have notifications sent to the person who shared, emailed, or last modified the content. For site content, you can also send notifications to the site collection administrator and document owner. Besides sending an email notification, you can also display a policy tip in the following scenarios:
    • In Outlook 2013 and later, and in Outlook on the web.
    • For the document on a SharePoint Online or OneDrive site.
    • In Excel, PowerPoint, and Word (2016 or later), when a user stores the document on a site included in a DLP policy.

You can also allow users to override the configured action. Doing so can minimize the business impact of a possible false positive hit of the configured conditions. In this case, the system logs the override with an optional override justification of the users.

DLP policy configuration overview

Organizations have flexibility in how they create and configure their DLP policies. They can start from a predefined template and create a policy in just a few clicks. Or, they can design their own custom policy from the ground up. No matter which method they choose, all DLP policies require the same information.

  1. Choose what you want to monitor. DLP comes with many predefined policy templates to help you get started. You can also create a custom policy.

    • Predefined policy templates include financial data, medical and health data, and privacy data. All templates are for various countries and regions.
    • A custom policy uses the available sensitive information types, retention labels, and sensitivity labels.
  2. Choose administrative scoping. DLP supports assigning Administrative Units to policies. Administrators who are assigned to an administrative unit can only create and manage policies for the users, groups, distribution groups, and accounts that they're assigned to. So, policies can be applied to all users and groups by an unrestricted administrator, or they can be scoped to administrative units. See, Policy Scoping for more DLP specific details. See, Administrative units for the details on administrative units across Microsoft Purview Information Protection.

  3. Choose where you want to monitor. Organizations can pick one or more locations they want DLP to monitor for sensitive information. The following table displays the list of locations that you can monitor.

    Location Include/Exclude by:
    Exchange email distribution groups
    SharePoint sites sites
    OneDrive accounts accounts or distribution groups
    Teams chat and channel messages account or distribution group
    Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) devices user or group
    Microsoft Cloud App Security instance
    On-premises repositories repository file path
    Power BI (preview) workspaces
  4. Choose the conditions that must match for Microsoft Purview to apply a policy to an item. Organizations can accept preconfigured conditions or define custom conditions. Some examples are:

    • The Item contains sensitive information used in a certain context. For example, 95 social security numbers that a user emailed to a recipient outside the organization.
    • The item has a specified sensitivity label.
    • A user shared the item with sensitive information either internally or externally.
  5. Choose the action to take when you meet the policy conditions. The actions depend on the location where the activity is happening. Some examples include:

    • SharePoint/Exchange/OneDrive. Block people who are outside your organization from accessing the content. Show the user a tip and send them an email notification. The notification should indicate a DLP policy prohibits the action they took.
    • Teams Chat and Channel. Block users from sharing sensitive information in the chat or channel.
    • Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) devices. Audit or restrict copying a sensitive item to a removeable USB device.
    • Office apps. Show a popup message notifying the user they're engaging in a risky behavior. Then either block the action or block the action but allow the user to override the block.
    • On-premises file shares. Move the file from its current storage location to a quarantine folder.

When you create a DLP policy in the Microsoft Purview compliance portal, the system stores the policy in a central policy store. The system then syncs the policy to the various content sources, including:

  • Exchange Online, and from there to Outlook on the web and Outlook.
  • OneDrive sites.
  • SharePoint Online sites.
  • Office desktop programs (Excel, PowerPoint, and Word).
  • Microsoft Teams channels and chat messages.

After the system syncs the policy to the right locations, it starts to evaluate content and enforce actions.

Run a DLP policy in simulation mode

When an organization creates a DLP policy, it can choose to either run it in Enforce mode or Simulation mode. Enforce mode activates the policy to start running immediately. However, when a policy is in Simulation mode, it's run as if it were being enforced, without any actual enforcement. All matched items and alerts are reported in a separate dashboard. This design makes it easy to see the impact of the policy before you enforce it by keeping all the simulation results separate from the results of policies that are being enforced.

Simulation mode provides:

  • An isolated experience to run and assess policies.
  • A summary dashboard that gives you visibility into the impact of the policies across different locations and shows which items were matched.
  • A flat list of matched items at a policy level.

Simulation mode for DLP policies is a tool you can use for tuning your data loss prevention policies at any time. Microsoft recommends that you incorporate it into your policy creation and deployment process. Using Simulation mode to tune a police reduces false positives without impact to your users or business processes. You can use it as part of your deployment process for new policies, or to test changes to existing policies before enforcing those changes in production.

Simulation mode enables you to monitor the outcomes of a policy. In doing so, you can fine-tune the policy so that it meets your control objectives while ensuring you aren't adversely or inadvertently impacting valid user workflows and productivity. Here are some examples of things to fine-tune:

  • Adjusting the locations and people/places that are in or out of scope
  • Tune the conditions that are used to determine if an item and what is being done with it matches the policy
  • The sensitive information definitions
  • Add new controls
  • Add new people
  • Add new restricted apps
  • Add new restricted sites

Consider the following example:

Contoso's Microsoft 365 Security Administrator, Holly Dickson, created a DLP policy titled Protect financial data v1. After Holly activated the policy, she noticed through the DLP false positive and override report that the policy was throwing too many false positives At first Holly thought she knew what was wrong. However, she didn't want to experiment with changes to a policy in production to verify her suspicions. Holly instead made a copy of the Protect financial data v1 policy, titled it Protect financial data v2, made tuning changes, and then ran the v2 policy in Simulation mode. Holly noticed the changes had the desired result, so she turned off the v1 policy and changed the v2 policy from Simulation mode to Enforce mode.

Important

Simulations can run for up to 15 days so the results aren't a point in time snapshot. For SharePoint Online and OneDrive locations, all existing and new/changed items are evaluated. For Exchange, Teams, and Devices locations, only items that are new during simulation are evaluated. Data from a simulation run is kept for 30 days.

Knowledge check

Choose the best response for the following question.

Check your knowledge

1.

A DLP policy contains one or more of which item?