5. Understanding Microsoft DLP
• DLP is a security solution offered by Microsoft that can identify sensitive information and then help prevent unsafe or unauthorized sharing, transfer, or use of that data. DLP can target many different locations; which ones are available depends on your license level:
• Exchange Online
• SharePoint Online
• OneDrive for Business
• Microsoft Teams Chat and Channel Messages
• Devices
• 3rd-party apps through Microsoft Defender for Cloud Apps
• On-premises File Repositories
• Power BI
• DLP sets blocking (or auditing) actions on files and messages based on the conditions that you define. Each DLP location has its own set of conditions and actions specific to that location.
• If you select multiple locations, you will only see the options that are available for every selected location.
9. Cloud DLP (SharePoint/OneDrive)
Content Contains
• Sensitive Information Types
§ Out of Box: Credit Card, SSN, License, More
§ Custom: RegEx, Dictionary, Fingerprint, EDM
• Trainable Classifiers
§ Sample Content
§ Test
§ Validate
§ Publish
• Sensitivity or Retention Labels
§ Public, Confidential, Internal, Secret
§ 7 Year Delete, 5 Year Delete
Conditions and Additional Conditions
• Content shared internally/externally
• Document is shared (OD4B Exclusive)
• Document name contains words/phrases
• Document name matches patterns
• Document property
• Document size (equal to or greater than)
• Document created by
• Document created by member of
• File Extensions: .tsv files, PDF files, Excel files, PowerPoint files, Word files, .csv files, .txt files, .rtf files, .c files, .class files, .cpp files, .cs files, .h files, .java files
Actions
When conditions are matched and the user shares the file, you may apply certain actions.
• Block everyone
• Block only external
• Block, allow override
• Block “anyone with the link” access
Notifications
When actions are taken, you may configure end-user and admin notifications.
§ Policy tips
§ User or Group email notifications
§ Incident reports
Compliance Admins may investigate policy matches in the Microsoft Purview Admin portal > Data loss prevention > Activity explorer.
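The Cloud DLP slide above, expressed as one policy and one rule in Security & Compliance PowerShell. This is an added example, not part of the original deck; the policy name, rule name and report mailbox are hypothetical, and it assumes the ExchangeOnlineManagement module and an account allowed to manage DLP policies.

```powershell
# Added example, not from the slides. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can manage DLP policies.
Connect-IPPSSession

# Hypothetical names and mailbox used only for this example.
$policyName = 'Example - Card data in SharePoint and OneDrive'
$ruleName   = 'Example - Block external sharing of card data'
$reportTo   = 'dlp-incidents@example.com'

# Locations: only SharePoint Online and OneDrive for Business, so the rule
# can use the conditions and actions those two locations support.
# TestWithNotifications records matches and notifies users without blocking.
New-DlpCompliancePolicy -Name $policyName `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

$rule = @{
    Name   = $ruleName
    Policy = $policyName
    # Condition: content contains an out-of-box sensitive information type.
    ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '1' }
    # Condition: content shared externally.
    AccessScope = 'NotInOrganization'
    # Action: "Block only external" (All = block everyone,
    # PerAnonymousUser = block "anyone with the link" access).
    BlockAccess      = $true
    BlockAccessScope = 'PerUser'
    # Action: "Block, allow override" with a business justification.
    NotifyAllowOverride = 'WithJustification'
    # Notifications: notify the document owner and send an incident report.
    NotifyUser             = 'Owner'
    GenerateIncidentReport = $reportTo
    IncidentReportContent  = 'All'
    ReportSeverityLevel    = 'High'
}
New-DlpComplianceRule @rule

# Review what was created before moving the policy out of test mode.
Get-DlpComplianceRule -Policy $policyName

# After reviewing matches in Activity explorer, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Running in `TestWithNotifications` first lets you check the match volume and false positives in Activity explorer before any sharing is actually blocked.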
10. Endpoint DLP
Conditions
• Sensitive Information Types
§ Out of Box: Credit Card, SSN, License, More
§ Custom: RegEx, Dictionary, Fingerprint, EDM
• Trainable Classifiers
§ Sample Content
§ Test
§ Validate
§ Publish
• Sensitivity Labels
§ Public, Confidential, Internal, Secret
• Content not Labeled
• File Type: Word Processing, Spreadsheet, Presentation, Archive, Mail
• File Extensions: .tsv files, PDF files, Excel files, PowerPoint files, Word files, .csv files, .txt files, .rtf files, .c files, .class files, .cpp files, .cs files, .h files, .java files
User Activities
When conditions are met and the following activities are performed, you may enable certain actions.
• Copy/Paste
• USB Drive
• Network Share
• Print
• App Control
• Cloud Upload
• Create Item (Audit)
• Rename Item (Audit)
Actions
• Block Action
• Block, allow override
• Audit Activity
Notifications
When actions are taken, you may configure end-user and admin notifications.
§ Policy tips
§ User or Group email notifications
§ Incident reports
Compliance Admins may investigate policy matches in the Microsoft Purview Admin portal > Data loss prevention > Activity explorer.
11. Teams Chat/Channel Message DLP
Content Contains
• Sensitive Information Types
§ Out of Box: Credit Card, SSN, License, More
• Trainable Classifiers
§ Sample Content
§ Test
§ Validate
§ Publish
Conditions and Additional Conditions
• Sender is
• Sender domain is
• Recipient is
• Recipient domain is
• Content shared internally/externally
Actions
When conditions are matched and the user sends a Teams chat or channel message, you may apply certain actions.
• Block message from sending
• Block only external
• Block, allow override
Notifications
When actions are taken, you may configure end-user and admin notifications.
§ Policy tips
§ User or Group email notifications
§ Incident reports
§ Sender Notification
§ Recipient Notification
Compliance Admins may investigate policy matches in the Microsoft Purview Admin portal > Data loss prevention > Activity explorer.
12. Exchange DLP
Conditions
• Sensitive Information Types
§ Out of Box: Credit Card, SSN, License, More
§ Custom: RegEx, Dictionary, Fingerprint, EDM
• Trainable Classifiers
§ Sample Content
§ Test
§ Validate
§ Publish
• Sensitivity Labels
§ Public, Confidential, Internal, Secret
• Content is not labeled
• Content shared internally/externally
Additional Conditions
• Sender / Recipient is / is member of distribution group
• Sender / Recipient domain is
• Sender IP Address is
• Sender has overridden policy
• Content received internally/externally
• Sender / Recipient address contains words
• Sender / Recipient address matches patterns
• Sender / Recipient AD Attribute contains words or phrases
• Sender / Recipient AD Attribute matches patterns
• File Extensions: .tsv files, PDF files, Excel files, PowerPoint files, Word files, .csv files, .txt files, .rtf files, .c files, .class files, .cpp files, .cs files, .h files, .java files
• Attachments could not be scanned / did not complete scan
• Attachment is password protected
• Document name contains words or phrases / matches patterns
• Document property is
• Document size equals or is greater than
• Document content contains words or phrases / matches patterns
• Subject contains words or phrases / matches patterns
• Subject or body contains words or phrases / matches patterns
• Content character set contains words
• Header contains words or phrases / matches patterns
• Message size equals or is greater than
• Message type is
• Message importance is
Actions
When conditions are matched and the email is sent/received, you can apply the following actions.
• Block everyone
• Block only external
• Block, allow override
• Restrict access or encrypt content
• Encrypt message (sensitivity label)
Additional Actions
• Set / Remove headers
• Redirect to specific users
• Forward for approval to manager / set user
• Add recipient to the To / Cc / Bcc box
• Add sender’s manager as recipient
• Remove OME and rights protection
• Prepend email subject
• Add HTML disclaimer
• Modify subject
• Deliver message to hosted quarantine
Notifications
When actions are taken, you may configure end-user and admin notifications.
§ Policy tips
§ User or Group email notifications
§ Incident reports
Compliance Admins may investigate policy matches in the Microsoft Purview Admin portal > Data loss prevention > Activity explorer.