Intermediate ⏱ 90 min 📋 10 Steps

Configure DLP for Microsoft Teams & Exchange

Deploy DLP policies for Teams chat, channels, and Exchange email. Configure policy tips for real-time user coaching, handle DLP in shared channels and meetings, and build incident management workflows.

📋 Overview

About This Lab

DLP policies for Microsoft Teams and Exchange Online protect sensitive data shared through chat messages, channel posts, email, and attachments. Integrated with Defender XDR, these policies provide real-time alerts for data exfiltration attempts through collaboration and communication channels.

🏢 Enterprise Use Case

An organisation discovers employees sharing customer PII in Teams channels and sending unencrypted financial reports via email to external recipients. The security team must deploy DLP policies that block sensitive content in Teams messages, prevent external email transmission of financial data, and provide real-time coaching to users about data handling requirements.

🎯 What You Will Learn

  1. Configure DLP for Microsoft Teams chat and channels
  2. Create DLP policies for Exchange Online email
  3. Set up policy tips for real-time user coaching
  4. Configure DLP for shared channels and external collaboration
  5. Create custom sensitive information types for Teams/Exchange
  6. Handle DLP in Teams meetings and live events
  7. Monitor Teams DLP alerts and investigate violations
  8. Configure email DLP rules with transport rule integration
  9. Build DLP incident management workflows
  10. Generate DLP compliance reports for Teams and Exchange

🔑 Why This Matters

Teams and email are the primary collaboration channels in most organisations. They are also the most common channels for accidental data exposure. A single Teams message containing customer SSNs sent to the wrong channel can constitute a reportable data breach. DLP policies provide the safety net that prevents these costly mistakes.

⚙️ Prerequisites

  • Licensing: Microsoft 365 E5, E5 Compliance, or E5 Information Protection & Governance add-on
  • Portal Access: Compliance Administrator or Global Administrator role in compliance.microsoft.com
  • Teams DLP: Microsoft Teams must be enabled in the tenant; users must have Teams licences assigned
  • Exchange Online: Mailboxes hosted in Exchange Online (on-premises mailboxes are not supported for Purview DLP)
  • PowerShell: Security & Compliance PowerShell module (Connect-IPPSSession) and Exchange Online module (Connect-ExchangeOnline)
  • Defender XDR: Access to the Defender XDR portal for unified DLP alert investigation
  • Shared Channels: Azure AD B2B direct connect configured if testing DLP on Teams shared channels with external organisations
  • Test Accounts: At least two test user accounts with Teams and Exchange licences for policy validation

⚠️ Important: Teams DLP inspects messages after they are sent - there is a brief delay before a message is blocked and removed. Users may see the message momentarily before it is redacted. Plan your user communication accordingly so employees understand this expected behaviour.

Step 1 · Configure DLP for Teams Chat and Channels

Teams DLP policies intercept messages containing sensitive data in one-to-one chats, group chats, and channel conversations. When a policy match is detected, the message is blocked and replaced with a policy tip visible to the sender. Start by creating a policy scoped exclusively to Teams locations.

  1. Navigate to Purview > DLP > Policies > + Create policy
  2. Select template: Privacy > General Data Protection Regulation (GDPR)
  3. Scope: Teams chat and channel messages
  4. Content contains: personal data (name + SSN, name + passport, name + credit card)
  5. Action: Block message from being sent with override option
  6. Test in Simulation mode first before enforcing

Use PowerShell to create the same policy programmatically for repeatable deployments across tenants:

# Connect to Security & Compliance PowerShell
Connect-IPPSSession

# Create a DLP policy scoped to Teams
New-DlpCompliancePolicy -Name "Teams - Block PII Sharing" `
  -TeamsLocation All `
  -Mode TestWithNotifications `
  -Comment "Blocks SSN, passport, and credit card data in Teams messages"

# Create the detection rule
New-DlpComplianceRule -Name "Teams PII Detection Rule" `
  -Policy "Teams - Block PII Sharing" `
  -ContentContainsSensitiveInformation @(
    @{Name="U.S. Social Security Number (SSN)"; minCount="1"},
    @{Name="EU Passport Number"; minCount="1"},
    @{Name="Credit Card Number"; minCount="1"}
  ) `
  -BlockAccess $true `
  -BlockAccessScope All `
  -NotifyUser Owner `
  -NotifyPolicyTipCustomText "This message was blocked because it contains sensitive personal data. Remove the data and resend." `
  -GenerateAlert SiteAdmin

💡 Pro Tip: Always deploy Teams DLP policies in TestWithNotifications mode first. This simulates enforcement and generates alerts without actually blocking messages, giving you time to review matches and tune sensitivity thresholds before going live.

Step 2 · Create Exchange Online DLP Rules

Exchange DLP policies inspect both email body and attachments (including Office documents and PDFs) for sensitive content. Best practice is to create tiered rules: audit low-volume matches, warn on moderate matches, and hard-block high-volume or high-severity matches. This reduces user friction while still catching high-risk exfiltration.

  1. Create a DLP policy scoped to Exchange email
  2. Detect: financial data in email body and attachments
  3. Rule 1: Block external email with 5+ credit card numbers (no override)
  4. Rule 2: Warn on external email with 1–4 credit card numbers (allow override)
  5. Rule 3: Audit internal email with sensitive data (no blocking)
  6. Configure Incident reports sent to the compliance team

Deploy the tiered Exchange DLP policy via PowerShell:

# Create Exchange DLP policy
New-DlpCompliancePolicy -Name "Exchange - Financial Data Protection" `
  -ExchangeLocation All `
  -Mode Enable `
  -Comment "Tiered enforcement for credit card and financial data in email"

# Rule 1: Hard block - 5+ credit card numbers to external recipients (no override)
# -AccessScope NotInOrganization limits the rule to external recipients;
# -BlockAccessScope only accepts All/PerUser/PerAnonymousUser and cannot express this
New-DlpComplianceRule -Name "Exchange Block High Volume CC" `
  -Policy "Exchange - Financial Data Protection" `
  -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="5"} `
  -AccessScope NotInOrganization `
  -ExceptIfRecipientDomainIs @("contoso.com") `
  -BlockAccess $true `
  -GenerateIncidentReport SiteAdmin `
  -IncidentReportContent All `
  -NotifyUser Owner

# Rule 2: Warn with override - 1-4 credit card numbers externally
# -SetHeader takes a hashtable of header name to value
New-DlpComplianceRule -Name "Exchange Warn Low Volume CC" `
  -Policy "Exchange - Financial Data Protection" `
  -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="1"; maxCount="4"} `
  -AccessScope NotInOrganization `
  -ExceptIfRecipientDomainIs @("contoso.com") `
  -NotifyUser Owner `
  -NotifyAllowOverride WithJustification `
  -NotifyPolicyTipCustomText "This email may contain credit card numbers. Verify before sending externally." `
  -SetHeader @{"X-DLP-Matched"="CreditCard-LowVolume"}

# Rule 3: Audit only - internal email with any sensitive data
New-DlpComplianceRule -Name "Exchange Audit Internal Sensitive" `
  -Policy "Exchange - Financial Data Protection" `
  -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="1"} `
  -AccessScope InOrganization `
  -ReportSeverityLevel Low `
  -GenerateIncidentReport SiteAdmin

💡 Pro Tip: Use the -ExceptIfRecipientDomainIs parameter to exclude your own organisation's domain from external-only rules. This prevents internal communications from being blocked while still catching external exfiltration attempts.

Step 3 · Set Up Policy Tips for User Coaching

Policy tips are inline notifications displayed to users in Outlook and Teams when their message or email matches a DLP rule. Effective policy tips transform DLP from a blocking tool into a coaching mechanism - they explain what was detected, why it matters, and what alternatives the user has. Users can override with a business justification when appropriate.

  1. Configure policy tips that appear inline in Outlook and Teams
  2. Customise messages explaining: what was detected, why it matters, what to do instead
  3. Enable Override with justification for medium-risk content
  4. Test policy tips in both Outlook desktop and Outlook web

Configure custom policy tip text and user notification settings on your DLP rules:

# Update an existing rule with custom policy tip and override
# (-NotifyAllowOverride is the parameter that enables user override; WithJustification
# requires the user to type a business reason, which is recorded in the audit log)
Set-DlpComplianceRule -Identity "Exchange Warn Low Volume CC" `
  -NotifyUser Owner `
  -NotifyPolicyTipCustomText @"
This email contains data that appears to include credit card numbers.

If this is a legitimate business need:
  - Click 'Override' and provide a justification
  - Consider encrypting the email using the 'Encrypt' button

If this was unintentional:
  - Remove the sensitive data before resending
  - Contact the Data Protection team for guidance
"@ `
  -NotifyAllowOverride WithJustification `
  -NotifyEmailCustomText "A DLP policy was triggered on an email you sent. Review the policy tip for details."

# Configure a Teams rule with user notification
Set-DlpComplianceRule -Identity "Teams PII Detection Rule" `
  -NotifyUser Owner `
  -NotifyPolicyTipCustomText "This message was blocked - it contains personal data (SSN, passport, or credit card). Remove the sensitive content and resend. Use a secure sharing method instead." `
  -NotifyAllowOverride WithJustification

💡 Pro Tip: Policy tips in Teams appear as a system message only to the sender, not to other chat participants. In Outlook, policy tips appear as an info bar at the top of the compose window. Test in both clients - Outlook Web may render custom text slightly differently from Outlook Desktop.

Step 4 · DLP for Shared and External Channels

Teams shared channels allow cross-organisation collaboration using Azure AD B2B direct connect. DLP policies that apply to "Teams chat and channel messages" automatically cover shared channels - but you should consider stricter rules for external-facing channels. Messages in shared channels with external participants carry higher risk because data leaves your tenant boundary.

  1. Configure DLP for Teams shared channels with external organisations
  2. Apply stricter rules for messages in channels shared with guests
  3. Block file sharing with external guests if files contain sensitive data
  4. Monitor external collaboration patterns for data leakage risks

In the Purview portal, verify that your DLP policies cover shared channels by navigating to DLP > Policies, selecting your Teams policy, and confirming that "Teams chat and channel messages" is listed as a location. Shared channels are included automatically when TeamsLocation is set to All. For more granular control, use adaptive scopes to target specific departments or user groups that participate in external shared channels.

💡 Pro Tip: Consider creating a separate, stricter DLP policy for teams that frequently collaborate externally (e.g., legal, finance). Use adaptive scopes based on department attributes to apply tighter thresholds - such as blocking any single credit card number in messages from Finance users, while allowing a warning-only approach for other departments.
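The adaptive-scope approach from the pro tip above, written out as an added example (not code from the original lab): it assumes user objects carry a Department attribute of "Finance", and uses New-AdaptiveScope together with the -TeamsAdaptiveScopes parameter of New-DlpCompliancePolicy to bind a stricter Teams policy to that department only.

```powershell
# Connect to Security & Compliance PowerShell
Connect-IPPSSession

# 1. Adaptive scope for every user whose Department attribute equals "Finance".
#    The service re-evaluates membership, so joiners and leavers are picked up
#    without editing the policy. (Assumption: Department is populated in the tenant.)
New-AdaptiveScope -Name "Finance Users" `
  -LocationType User `
  -FilterConditions @{
    "Conditions"  = @{ "Name" = "Department"; "Operator" = "Equals"; "Value" = "Finance" }
    "Conjunction" = "And"
  }

# 2. Teams DLP policy bound to the adaptive scope instead of -TeamsLocation All,
#    deployed in simulation mode first like the tenant-wide policy in Step 1.
New-DlpCompliancePolicy -Name "Teams - Finance Strict" `
  -TeamsAdaptiveScopes "Finance Users" `
  -Mode TestWithNotifications `
  -Comment "Blocks a single credit card number in Teams messages from Finance users"

# 3. Stricter threshold than the tenant-wide policy: one card number is enough to
#    block, and no -NotifyAllowOverride is set, so the user cannot override the tip.
#    Everyone outside the scope keeps the warn-only behaviour of the general policy.
New-DlpComplianceRule -Name "Finance Teams Block Single CC" `
  -Policy "Teams - Finance Strict" `
  -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="1"} `
  -BlockAccess $true `
  -BlockAccessScope All `
  -NotifyUser Owner `
  -NotifyPolicyTipCustomText "Finance policy: card numbers cannot be shared in Teams. Use the approved secure transfer process instead." `
  -GenerateAlert SiteAdmin `
  -ReportSeverityLevel High

# 4. Confirm the scope exists and the policy is bound to it before switching -Mode to Enable
Get-AdaptiveScope -Identity "Finance Users" | Format-List Name, LocationType, FilterConditions
Get-DlpCompliancePolicy -Identity "Teams - Finance Strict" | Format-List Name, Mode, TeamsAdaptiveScopes
```

A newly created adaptive scope takes time to populate before the policy applies to its members, so keep the policy in TestWithNotifications until the scope reports members and simulated matches appear in Activity Explorer.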

Step 5 · Create Custom Sensitive Information Types

Built-in sensitive information types cover common patterns like credit cards and SSNs, but every organisation has unique data formats - internal project codes, customer account numbers, employee IDs, or proprietary identifiers. Custom SITs let you define regex-based patterns with optional keyword proximity checks and confidence levels, then use them in any DLP policy alongside built-in types.

  1. Create custom SITs for organisation-specific data patterns
  2. Examples: internal project codes, customer account numbers, employee IDs
  3. Test custom SITs against sample data before deploying in policies
  4. Combine custom SITs with built-in SITs for comprehensive coverage

Create a custom sensitive information type using PowerShell - in this example, an internal project code format like PROJ-2024-00001:

# Connect to Security & Compliance PowerShell
Connect-IPPSSession

# Custom SITs are uploaded as an XML rule package; New-DlpSensitiveInformationType has no
# hashtable parameter for regex rules. Generate the GUIDs the package needs.
$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()

# Regex for PROJ-YYYY-NNNNN plus supporting keywords. patternsProximity (300 characters)
# and confidence (85) are the values this lab uses for a precise pattern with keywords.
$rulePackXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso</PublisherName>
        <Name>Contoso Custom SITs</Name>
        <Description>Custom sensitive information types for Contoso</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_ProjectCode"/>
        <Match idRef="Keyword_ProjectCode"/>
      </Pattern>
    </Entity>
    <Regex id="Regex_ProjectCode">PROJ-\d{4}-\d{5}</Regex>
    <Keyword id="Keyword_ProjectCode">
      <Group matchStyle="word">
        <Term>project</Term>
        <Term>internal</Term>
        <Term>confidential</Term>
        <Term>proprietary</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso Project Code</Name>
        <Description default="true" langcode="en-us">Matches internal project codes in format PROJ-YYYY-NNNNN</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# Upload the rule package; -FileData expects the raw bytes of the XML
$ruleBytes = [System.Text.Encoding]::UTF8.GetBytes($rulePackXml)
New-DlpSensitiveInformationTypeRulePackage -FileData $ruleBytes

# Verify the custom SIT was created
Get-DlpSensitiveInformationType -Identity "Contoso Project Code" | Format-List Name, Description, Id

# Test against sample content
Test-DataClassification -TextToClassify "Please review PROJ-2024-00142 - this is a confidential internal project." `
  -ClassificationNames "Contoso Project Code"

💡 Pro Tip: Always use the Test-DataClassification cmdlet to validate your regex against sample data before deploying it in a policy. Set the confidence level appropriately - high confidence (85+) for precise patterns with supporting keywords, medium (75) for patterns alone. Use the proximity window to require keywords within N characters of the pattern match.

Step 6 · Handle DLP in Teams Meetings

Teams meetings generate multiple data surfaces that DLP must cover: the meeting chat (before, during, and after the meeting), files shared in the meeting chat, meeting recordings stored in OneDrive/SharePoint, and meeting transcripts. Your Teams DLP policy automatically covers the meeting chat because it is treated as a group chat. Files and recordings require separate SharePoint/OneDrive DLP policies.

  1. Configure DLP for meeting chat messages - covered by your Teams DLP policy
  2. Apply DLP to files shared during meetings - ensure OneDrive/SharePoint locations are included
  3. Set policies for meeting recordings containing sensitive discussions
  4. Monitor post-meeting transcript access for compliance

Meeting recordings are stored in the organiser's OneDrive (for non-channel meetings) or in the SharePoint site (for channel meetings). Apply sensitivity labels to recordings automatically by configuring auto-labelling policies in Purview Information Protection. For transcripts, consider using a DLP policy with content inspection on .vtt and .docx transcript files in OneDrive.

💡 Pro Tip: Meeting chat messages persist after the meeting ends and remain accessible in the Teams calendar entry. DLP continues to apply to these messages even post-meeting. If a meeting is recurring, the chat thread grows over time - consider this when reviewing DLP match volumes for meeting-related alerts.

Step 7 · Monitor and Investigate DLP Alerts

DLP alerts surface in both the Purview compliance portal and the Defender XDR portal. Defender XDR provides richer investigation capabilities by correlating DLP alerts with email, identity, and endpoint signals. For Teams DLP, you can see the exact message content that was blocked. For Exchange DLP, you can review the email, attachments, and delivery status.

  1. Navigate to DLP > Alerts in the Purview portal
  2. Review alerts by severity: High (blocked), Medium (warned), Low (audited)
  3. In Defender XDR, filter incidents by DLP service source
  4. Investigate: who sent what, to whom, was it intentional or accidental?
  5. Take action: dismiss false positive, escalate, or create an incident

Use KQL in Advanced Hunting to query DLP-related email events and identify patterns:

// Find emails that triggered DLP rules in the last 7 days
EmailEvents
| where Timestamp > ago(7d)
| where DeliveryAction in ("Blocked", "Replaced")
| where isnotempty(DlpMatchInfo)
| extend DlpRules = parse_json(DlpMatchInfo)
| mv-expand DlpRule = DlpRules
| extend RuleName = tostring(DlpRule.RuleName),
         PolicyName = tostring(DlpRule.PolicyName),
         Actions = tostring(DlpRule.Actions),
         SITMatched = tostring(DlpRule.SensitiveInformationTypeName)
| project Timestamp, SenderFromAddress, RecipientEmailAddress,
          Subject, DeliveryAction, PolicyName, RuleName,
          SITMatched, Actions
| sort by Timestamp desc

// Identify repeat offenders
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(DlpMatchInfo)
| summarize MatchCount = count(),
            UniqueRecipients = dcount(RecipientEmailAddress),
            Policies = make_set(tostring(parse_json(DlpMatchInfo)[0].PolicyName))
  by SenderFromAddress
| where MatchCount > 5
| sort by MatchCount desc

💡 Pro Tip: Cross-reference DLP alerts with the CloudAppEvents table to find users who are also sharing data through cloud apps. A user who triggers DLP in both Teams and Outlook may represent a pattern-of-behaviour risk worth escalating to Insider Risk Management.
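The same triage as the KQL above, done in PowerShell over unified audit log records so that Teams and Exchange matches are handled in one place, added here as an example that is not part of the original lab. It assumes the DlpRuleMatch AuditData shape of the Office 365 Management Activity API DLP schema (Workload, ExchangeMetaData, PolicyDetails, ExceptionInfo); the three records are constructed, and falling back to UserId for the sender of non-Exchange records is an assumption.

```powershell
# Flatten one DlpRuleMatch audit record (AuditData JSON) into one row per rule that fired
function ConvertFrom-DlpAuditRecord {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$AuditData)
    process {
        $r = $AuditData | ConvertFrom-Json
        # Exchange records carry the sender in ExchangeMetaData; for other workloads
        # the common UserId field is used (assumption for Teams/SharePoint records)
        $sender = if ($r.ExchangeMetaData.From) { $r.ExchangeMetaData.From } else { $r.UserId }
        foreach ($policy in $r.PolicyDetails) {
            foreach ($rule in $policy.Rules) {
                $sits = foreach ($s in $rule.ConditionsMatched.SensitiveInformation) {
                    "$($s.SensitiveInformationTypeName) x$($s.Count)"
                }
                [pscustomobject]@{
                    Time          = [datetime]$r.CreationTime
                    Workload      = $r.Workload
                    Sender        = $sender
                    Recipients    = ($r.ExchangeMetaData.To -join ';')
                    Policy        = $policy.PolicyName
                    Rule          = $rule.RuleName
                    Actions       = ($rule.Actions -join ',')
                    SITs          = ($sits -join ', ')
                    # ExceptionInfo is only present when the user overrode the policy tip
                    Overridden    = ($r.ExceptionInfo.Reason -eq 'Override')
                    Justification = $r.ExceptionInfo.Justification
                }
            }
        }
    }
}

# Group flattened rows by sender and surface anyone at or above the threshold,
# with the workloads they tripped and how often they overrode the policy tip
function Get-DlpRepeatSenders {
    param([object[]]$Events, [int]$Threshold = 2)
    $Events | Group-Object Sender | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            Sender     = $_.Name
            MatchCount = $_.Count
            Workloads  = (($_.Group.Workload | Sort-Object -Unique) -join ',')
            Overrides  = @($_.Group | Where-Object Overridden).Count
        }
    } | Sort-Object MatchCount -Descending
}

# Constructed sample records in the shape Search-UnifiedAuditLog returns in AuditData
$sampleAuditData = @(
  '{"CreationTime":"2024-05-01T09:12:00","UserId":"j.smith@contoso.com","Workload":"Exchange","Operation":"DlpRuleMatch","ExchangeMetaData":{"From":"j.smith@contoso.com","To":["partner@fabrikam.com"],"Subject":"Q1 numbers"},"PolicyDetails":[{"PolicyName":"Exchange - Financial Data Protection","Rules":[{"RuleName":"Exchange Warn Low Volume CC","Actions":["NotifyUser"],"ConditionsMatched":{"SensitiveInformation":[{"SensitiveInformationTypeName":"Credit Card Number","Count":2,"Confidence":85}]}}]}],"ExceptionInfo":{"Reason":"Override","Justification":"Customer asked for a copy"}}',
  '{"CreationTime":"2024-05-02T14:30:00","UserId":"j.smith@contoso.com","Workload":"MicrosoftTeams","Operation":"DlpRuleMatch","PolicyDetails":[{"PolicyName":"Teams - Block PII Sharing","Rules":[{"RuleName":"Teams PII Detection Rule","Actions":["BlockAccess","NotifyUser"],"ConditionsMatched":{"SensitiveInformation":[{"SensitiveInformationTypeName":"U.S. Social Security Number (SSN)","Count":1,"Confidence":85}]}}]}]}',
  '{"CreationTime":"2024-05-03T08:05:00","UserId":"a.lee@contoso.com","Workload":"Exchange","Operation":"DlpRuleMatch","ExchangeMetaData":{"From":"a.lee@contoso.com","To":["finance@contoso.com"],"Subject":"Expense sheet"},"PolicyDetails":[{"PolicyName":"Exchange - Financial Data Protection","Rules":[{"RuleName":"Exchange Audit Internal Sensitive","Actions":["GenerateIncidentReport"],"ConditionsMatched":{"SensitiveInformation":[{"SensitiveInformationTypeName":"Credit Card Number","Count":1,"Confidence":85}]}}]}]}'
)

$dlpHits = $sampleAuditData | ConvertFrom-DlpAuditRecord
$dlpHits | Format-Table Time, Workload, Sender, Rule, SITs, Overridden -AutoSize
Get-DlpRepeatSenders -Events $dlpHits -Threshold 2

# Live data: replace the sample with the last 7 days of DlpRuleMatch events
# (requires Connect-ExchangeOnline from the prerequisites)
# $sampleAuditData = (Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#                      -Operations DlpRuleMatch -ResultSize 5000).AuditData
```

The Justification column is what the Step 3 WithJustification override records, so the same rows also show whether overrides come with plausible business reasons or the same boilerplate text every time.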

Step 8 · Integrate with Exchange Transport Rules

Exchange transport rules (mail flow rules) complement DLP policies by providing additional actions that DLP rules alone cannot perform - such as adding disclaimers, BCC'ing compliance mailboxes, applying encryption, or modifying headers. You can create transport rules that trigger when a DLP policy match is detected, adding a second layer of protection and auditability.

  1. Create transport rules that complement DLP policies
  2. Add disclaimers to emails detected by DLP
  3. Route DLP-matched emails through encryption gateway
  4. BCC compliance mailbox for DLP incidents requiring review

Create a transport rule that applies encryption and BCC's compliance when a DLP policy match is found:

# Connect to Exchange Online
Connect-ExchangeOnline

# Transport rule: Encrypt emails matched by DLP and BCC compliance
New-TransportRule -Name "DLP Match - Encrypt and BCC Compliance" `
  -MessageContainsDataClassifications @(
    @{Name="Credit Card Number"; minCount="1"},
    @{Name="U.S. Social Security Number (SSN)"; minCount="1"}
  ) `
  -SentToScope NotInOrganization `
  -ApplyRightsProtectionTemplate "Encrypt" `
  -BlindCopyTo "dlp-review@contoso.com" `
  -SetHeaderName "X-DLP-Transport-Action" `
  -SetHeaderValue "Encrypted-and-BCC" `
  -Priority 0 `
  -Comments "Encrypts and copies to compliance when DLP-sensitive content is sent externally"

# Transport rule: Add disclaimer to DLP-matched emails
New-TransportRule -Name "DLP Match - Add Disclaimer" `
  -MessageContainsDataClassifications @(
    @{Name="Credit Card Number"; minCount="1"}
  ) `
  -ApplyHtmlDisclaimerLocation Prepend `
  -ApplyHtmlDisclaimerText "<p style='color:red;font-weight:bold'>⚠️ This email has been flagged by DLP. It may contain sensitive financial data. Handle accordingly.</p>" `
  -ApplyHtmlDisclaimerFallbackAction Wrap

💡 Pro Tip: Transport rules execute in priority order and can interact with DLP policies. Set your transport rule priority lower (higher number) than your DLP rules to ensure DLP processing happens first. Use the -MessageContainsDataClassifications condition to match the same SITs used in your DLP policy.

Step 9 · Build DLP Incident Workflows

An effective DLP programme requires automated incident workflows so high-severity alerts are never missed. Use Power Automate or Logic Apps to monitor the DLP alert webhook, enrich the alert with user and device context, notify the response team, and create a tracking ticket. This reduces mean time to respond (MTTR) from hours to minutes.

  1. Define escalation procedures for DLP alert severities
  2. Create Power Automate workflows for high-severity DLP alerts
  3. Set up Teams notifications for the DLP response team
  4. Document investigation and remediation procedures

Use PowerShell to forward high-severity DLP events to a Logic App or Power Automate HTTP trigger endpoint:

# PowerShell function to forward DLP alerts to a Logic App / Power Automate endpoint
$webhookUri = "https://prod-01.australiaeast.logic.azure.com:443/workflows/YOUR-WORKFLOW-ID/triggers/manual/paths/invoke"

function Send-DlpAlertToWorkflow {
    param(
        [string]$AlertId,
        [string]$PolicyName,
        [string]$UserPrincipalName,
        [string]$Severity,
        [string]$MatchedContent,
        [string]$Workload
    )

    $body = @{
        alertId         = $AlertId
        policyName      = $PolicyName
        user            = $UserPrincipalName
        severity        = $Severity
        matchedContent  = $MatchedContent
        workload        = $Workload
        timestamp       = (Get-Date -Format "o")
        action          = "Pending Review"
    } | ConvertTo-Json

    Invoke-RestMethod -Uri $webhookUri -Method POST `
        -ContentType "application/json" -Body $body
}

# Example: Route a high-severity DLP alert
Send-DlpAlertToWorkflow `
    -AlertId "DLP-2024-00847" `
    -PolicyName "Exchange - Financial Data Protection" `
    -UserPrincipalName "j.smith@contoso.com" `
    -Severity "High" `
    -MatchedContent "5 credit card numbers detected in attachment" `
    -Workload "Exchange"

💡 Pro Tip: In your Power Automate flow, add a condition that checks the severity level. For High alerts, post to a dedicated Teams channel and create a ServiceNow ticket. For Medium alerts, send an email summary to the compliance team. For Low alerts, log to a SharePoint list for weekly review. This tiered approach prevents alert fatigue.

Step 10 · Generate Teams/Exchange DLP Reports

Compliance reporting demonstrates the value of your DLP programme and provides evidence for auditors and regulators. Use Activity Explorer in Purview for interactive exploration, and Advanced Hunting in Defender XDR for custom KQL-based dashboards. Key metrics include: total matches by workload, matches by sensitive information type, top offending users, override usage, and trend analysis showing declining violation rates over time.

  1. Export DLP match data from Activity Explorer
  2. Create monthly reports: violations by channel, by user, by data type
  3. Track policy override usage and justifications provided
  4. Report on user behaviour changes after DLP deployment (declining violation rates)
  5. Present compliance metrics to stakeholders

Use KQL queries in Advanced Hunting to build DLP reporting dashboards:

// DLP matches by workload - last 30 days
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(DlpMatchInfo)
| extend Workload = "Exchange"
| union (
    CloudAppEvents
    | where Timestamp > ago(30d)
    | where ActionType has "Dlp"
    | extend Workload = "Teams"
)
| summarize MatchCount = count() by Workload
| render piechart

// Top 10 users by DLP violations - last 30 days
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(DlpMatchInfo)
| summarize ViolationCount = count(),
            SITs = make_set(tostring(parse_json(DlpMatchInfo)[0].SensitiveInformationTypeName)),
            LastViolation = max(Timestamp)
  by SenderFromAddress
| top 10 by ViolationCount desc

// Weekly DLP trend - declining violations indicate user learning
EmailEvents
| where Timestamp > ago(90d)
| where isnotempty(DlpMatchInfo)
| summarize WeeklyCount = count() by Week = startofweek(Timestamp)
| sort by Week asc
| render timechart with (title="DLP Violation Trend - Email")

💡 Pro Tip: A declining trend in DLP violation counts is the strongest evidence that your DLP programme is working - it means users are learning from policy tips and changing behaviour. Include this trend chart in quarterly compliance reports to demonstrate ROI. If violations are not declining, increase user training and review whether policy tips are clear enough.

Summary

What You Accomplished

  • Configured DLP for Teams chat, channels, and shared channels
  • Created Exchange DLP policies with tiered enforcement
  • Set up policy tips for real-time user coaching
  • Monitored and investigated DLP alerts across Teams and Exchange
  • Built incident management workflows and compliance reports

Next Steps

📚 Documentation Resources

  • DLP for Teams Overview: Learn about DLP for Teams chat and channel messages, including shared channels
  • DLP for Exchange Online: Configure DLP policies for email body, attachments, and transport rules
  • Create a DLP Policy: Complete guide to creating and deploying DLP policies across workloads
  • DLP Policy Tips Reference: Configure policy tips for Outlook, Teams, and other Microsoft 365 apps
  • Custom Sensitive Info Types: Create custom SITs with regex patterns, keyword lists, and confidence levels
  • DLP PowerShell Cmdlets: PowerShell reference for New-DlpCompliancePolicy, New-DlpComplianceRule, and related cmdlets
  • DLP Alerts in Defender XDR: Investigate DLP alerts in the unified Defender XDR portal
  • Advanced Hunting for DLP: KQL queries for hunting DLP events in EmailEvents and CloudAppEvents tables