Advanced ⏱ 150 min 📋 18 Steps

Implement Cloud DLP Across SaaS Applications

Create file policies with DLP content inspection, configure automatic sensitivity labeling across connected SaaS apps, set up alert workflows for policy violations, build compliance dashboards, and generate auditor-ready compliance reports.

📋 Overview

About This Lab

Data Loss Prevention (DLP) in Defender for Cloud Apps extends your organisation’s data protection capabilities to SaaS applications beyond Microsoft 365. By creating file policies with content inspection, you can detect sensitive data stored in connected cloud apps, automatically apply sensitivity labels, quarantine files, and generate compliance reports. This lab covers building a comprehensive cloud DLP strategy that protects data across Microsoft 365, Box, Salesforce, and other connected SaaS platforms.

🏢 Enterprise Use Case

A healthcare organisation must comply with HIPAA regulations across all cloud platforms. They discover 2,300 files containing Protected Health Information (PHI) stored in SharePoint, Box, and Salesforce, many of them shared externally. They need automated DLP scanning across all connected SaaS apps, auto-labeling for files containing PHI, quarantine capability for critically exposed files, and monthly compliance reports demonstrating DLP coverage and remediation progress.

🎯 What You Will Learn

  1. Understand MDA file policy architecture and content inspection methods
  2. Configure built-in DLP content inspection with sensitive information types
  3. Create custom sensitive information types for industry-specific data
  4. Build file policies to detect externally shared sensitive files
  5. Configure automatic sensitivity labeling for matched files
  6. Set up quarantine policies for critically exposed content
  7. Create file policies for specific SaaS apps (Box, Salesforce)
  8. Configure governance actions: remove sharing, apply labels, notify owners
  9. Set up alert workflows for DLP violations
  10. Integrate MDA DLP with Microsoft Purview DLP for unified policies
  11. Build file monitoring dashboards
  12. Configure compliance reports for auditors
  13. Handle DLP incidents and escalation procedures
  14. Tune DLP policies to reduce false positives
  15. Create user notification templates
  16. Implement role-based access for DLP management
  17. Schedule automated compliance reports
  18. Build a cloud DLP maturity roadmap

⚙️ Prerequisites

  • Licensing: Microsoft Defender for Cloud Apps with file scanning enabled
  • App connectors: At least 2 connected apps with file-level API access (from Lab 02)
  • Sensitivity labels: Published sensitivity labels in Microsoft Purview (from Purview Lab 01)
  • Portal Access: Security Administrator or Compliance Administrator
  • Test files: Sample documents containing sensitive data (credit card numbers, SSN, PHI) for testing

Step 1 · Understand File Policy Architecture

File policies in MDA scan files stored in connected SaaS apps using content inspection engines. They can detect sensitive information types (SITs), apply governance actions, and generate alerts.

  1. Navigate to Cloud Apps > Policies > Policy management
  2. Review existing file policies and their match counts
  3. Understand the three content inspection methods: Built-in DLP (Microsoft sensitive info types), Data Classification Service (Purview), and Regex (custom patterns)
  4. Review Cloud Apps > Files to see the file inventory from connected apps

💡 Pro Tip: The Data Classification Service provides the most accurate results because it uses the same classification engine as Microsoft Purview. Use it for production DLP policies when Purview integration is available.

Step 2 · Configure Content Inspection Settings

  1. Navigate to Settings > Cloud Apps > Files
  2. Ensure Enable file monitoring is turned on
  3. Review Content inspection settings: configure which file types to scan (documents, spreadsheets, presentations, PDFs)
  4. Set the maximum file size for content inspection (default: 50 MB)
  5. Enable Inspect files in quarantine if using quarantine governance actions

Step 3 · Create a File Policy for Credit Card Data

  1. Click + Create policy > File policy
  2. Name: Detect Credit Card Numbers in Cloud Files
  3. Set Policy severity: High
  4. Under Files matching all of the following: leave as All files (or scope to specific apps)
  5. Enable Content inspection
  6. Select Built-in DLP > include Credit Card Number
  7. Set minimum confidence level: High
  8. Set minimum instance count: 1
  9. Under Governance actions: set Microsoft SharePoint Online > Apply sensitivity label > Confidential
  10. Add governance action: Notify file owner
  11. Set Alerts: create an alert for each matching file
  12. Click Create

Step 4 · Create Custom Sensitive Information Types

Create custom patterns to detect industry-specific data like patient IDs, internal project codes, or proprietary data formats.

  1. In the file policy content inspection, select Regex as the inspection method
  2. Create a regex pattern for your organisation’s data format (e.g., patient ID: PAT-\d{6}-[A-Z]{2})
  3. Test the regex against sample data before activating the policy
  4. For more complex patterns, use Microsoft Purview custom sensitive information types and select Data Classification Service

# ---------------------------------------------------------------
# PURPOSE: Create a custom sensitive information type (SIT) in
#          Microsoft Purview using an XML rule package.
# WHY: Built-in SITs cover common data (SSN, credit cards), but
#      organisations often have industry-specific data formats
#      (patient IDs, internal project codes, account numbers) that
#      need custom regex patterns for accurate DLP detection.
# HOW IT WORKS:
#   1. Connect to the Purview compliance PowerShell session
#   2. Define an XML rule package containing:
#      - RulePack metadata (version, publisher, localized details)
#      - A regex pattern (PAT-\d{6}-[A-Z]{2}) matching your data format
#      - A confidence level (85%) = high confidence match
#      - patternsProximity (300 chars) = how close supporting evidence must be
#      - LocalizedStrings whose Resource idRef points at the Entity id
#   3. Upload the rule package to Purview
# OUTPUT: The custom SIT becomes available in DLP policies, file
#         policies, and auto-labeling rules within ~1 hour.
# EXAMPLE MATCHES: PAT-123456-AB, PAT-000001-ZZ, PAT-999999-XY
# ---------------------------------------------------------------
Connect-IPPSSession   # Connect to Purview compliance PowerShell

# Generate each GUID once and reuse it: the LocalizedStrings resource
# must reference the same Entity id that the rule defines, so the ids
# cannot be generated inline at each point of use.
$rulePackId  = (New-Guid).Guid
$publisherId = (New-Guid).Guid
$entityId    = (New-Guid).Guid

# Define the XML rule package. Publisher and package names are
# placeholders; replace them with your organisation's values.
$ruleXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Your Organisation</PublisherName>
        <Name>Patient ID Rule Package</Name>
        <Description>Custom SIT for internal patient identifiers</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="PatientId"/>
      </Pattern>
    </Entity>
    <Regex id="PatientId">PAT-\d{6}-[A-Z]{2}</Regex>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Patient ID</Name>
        <Description default="true" langcode="en-us">Internal patient identifier in the form PAT-nnnnnn-XX</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# Upload the XML rule package to Purview. The -FileData parameter
# expects a byte array, so we convert the XML string to UTF-8 bytes.
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.Text.Encoding]::UTF8.GetBytes($ruleXml))
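Step 4 tells you to test the regex against sample data before activating the policy, and Steps 3 and 14 rely on the minimum instance count to cut noise. The following is an added example, not code from the lab or from Microsoft: it runs the pattern locally in PowerShell (the same .NET regex engine class, not the Purview classifier) against constructed sample strings, and shows why the bare pattern from the rule package also fires inside longer tokens, which is a common source of false positives. The function name Test-SitPattern and the sample texts are assumptions made for this example.

```powershell
# Added example, not part of the lab. Test a custom SIT regex locally
# before activating the file policy; sample strings are constructed.

# The lab's bare pattern, as written in the rule package.
$barePattern = [regex]'PAT-\d{6}-[A-Z]{2}'

# The same pattern with boundary assertions so only whole identifiers
# match (XPAT-123456-ABC must not count as a patient ID).
$anchoredPattern = [regex]'(?<![A-Z0-9])PAT-\d{6}-[A-Z]{2}(?![A-Z0-9])'

function Test-SitPattern {
    # Hypothetical helper: returns the matches found in $Text and whether
    # the count meets the policy's minimum instance count.
    param(
        [Parameter(Mandatory)][regex]$Pattern,
        [Parameter(Mandatory)][string]$Text,
        [int]$MinInstanceCount = 1     # mirrors the file policy setting
    )
    $found = $Pattern.Matches($Text)
    [pscustomobject]@{
        Text          = $Text
        InstanceCount = $found.Count
        Values        = @($found | ForEach-Object { $_.Value }) -join ', '
        PolicyMatch   = ($found.Count -ge $MinInstanceCount)
    }
}

# Constructed sample content: true positives, a near miss, and a
# token that contains the pattern but is not a patient ID.
$samples = @(
    'Discharge summary for PAT-123456-AB and PAT-000001-ZZ attached.',
    'Export reference XPAT-123456-ABC generated by the billing system.',
    'Form field PAT-12345-AB (five digits, does not match).',
    'Single mention of PAT-999999-XY in a support ticket.'
)

foreach ($text in $samples) {
    # Bare pattern with the lab's default minimum instance count of 1.
    Test-SitPattern -Pattern $barePattern -Text $text |
        Add-Member -NotePropertyName Mode -NotePropertyValue 'bare' -PassThru
    # Anchored pattern requiring two instances, as Step 14 suggests for
    # noisy patterns.
    Test-SitPattern -Pattern $anchoredPattern -Text $text -MinInstanceCount 2 |
        Add-Member -NotePropertyName Mode -NotePropertyValue 'anchored, min 2' -PassThru
} | Format-Table Mode, InstanceCount, PolicyMatch, Values -AutoSize
```

In the output, the second sample matches once with the bare pattern and not at all with the anchored one, and only the first sample (two identifiers) satisfies a minimum instance count of 2. If you change the rule package to the anchored form, remember that the XML regex is evaluated by Purview's engine, so confirm the lookaround syntax is accepted there before relying on it; Purview also exposes Test-DataClassification in Security & Compliance PowerShell for testing against the uploaded SIT itself.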

Step 5 · Build a Policy for Externally Shared Sensitive Files

  1. Create a new file policy: Block External Sharing of Sensitive Files
  2. Under Files matching: set Access level equals External or Public
  3. Enable Content inspection with multiple SITs: credit cards, SSN, passport numbers
  4. Set Governance actions: Remove external sharing and Notify file owner
  5. For SharePoint: add Remove direct shared links
  6. For Box: add Put in admin quarantine
  7. Set alert severity: High

⚠️ Important: Removing external sharing can break active collaborations. Start with Notify only mode for 2 weeks, review the matched files, then enable enforcement once you’ve validated accuracy.

Step 6 · Configure Auto-Labeling for Matched Files

  1. Edit your credit card DLP policy or create a new one
  2. Under Governance actions for each connected app, select Apply sensitivity label
  3. Choose the appropriate label based on sensitivity: Confidential for PCI, Highly Confidential for PII
  4. Enable Override existing label with lower priority (optional; use with caution)
  5. Verify that the sensitivity label applies encryption and visual markings as configured in Purview

Step 7 · Set Up Quarantine for Critical Exposures

  1. Navigate to Settings > Cloud Apps > Files > Admin quarantine
  2. Configure the quarantine folder location for each connected app
  3. For SharePoint: set a dedicated quarantine site or document library
  4. Set the User notification template that appears when a file is quarantined
  5. Create a file policy with Put in admin quarantine as the governance action for highest-risk matches
  6. Define the process for reviewing and releasing quarantined files

Step 8 · Create App-Specific DLP Policies

Create targeted policies for specific SaaS apps with app-specific governance actions.

  1. Box: Create a policy scanning Box for HR documents; governance: quarantine + notify HR manager
  2. Salesforce: Scan Salesforce file attachments for payment data; governance: alert SOC + notify account owner
  3. Google Workspace: Scan Google Drive for externally shared confidential docs; governance: remove sharing
  4. Scope each policy to the specific connected app for accurate governance actions

Step 9 · Configure Governance Action Workflows

  1. Review all available governance actions per connected app
  2. Configure Notify file owner with a custom email template explaining the DLP policy
  3. Set Notify specific users (DLP team, compliance team) for high-severity matches
  4. Configure Remove collaborators for externally shared files with critical data
  5. For files in personal OneDrive: set Put in user quarantine to keep the file but remove sharing

Step 10 · Set Up Alert Workflows for DLP Violations

  1. Configure alert settings for each DLP file policy
  2. Set daily alert limits to avoid alert fatigue (e.g., maximum 5 alerts per policy per day)
  3. Configure Send alert as email to the DLP team distribution list
  4. Send alerts to Microsoft Sentinel for SIEM integration and automated triage
  5. Create a Microsoft Teams channel webhook for real-time DLP notifications
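Steps 2 and 5 above ask for a daily alert cap and a Teams channel webhook. The following is an added example, not part of the lab or of any Microsoft tooling: a small PowerShell forwarder that posts a DLP alert summary to an incoming-webhook URL and enforces a per-policy daily limit in a local JSON state file, so a noisy policy cannot flood the channel. The webhook URL, the alert object shape, the state file path and the function names are assumptions for this example; the alert below is constructed, and the post is skipped unless you set a real URL.

```powershell
# Added example, not part of the lab. Forward DLP alerts to a Teams
# incoming webhook with a per-policy daily cap (assumed design).

$WebhookUrl    = 'https://example.invalid/webhook'   # placeholder, replace
$StatePath     = Join-Path $env:TEMP 'dlp-alert-counts.json'
$DailyAlertCap = 5                                   # Step 10 suggests 5/policy/day

function Get-AlertState {
    # Load {"yyyy-MM-dd": {"PolicyName": count}} or start fresh for today.
    $today = (Get-Date).ToString('yyyy-MM-dd')
    $state = @{}
    if (Test-Path $StatePath) {
        $raw = Get-Content $StatePath -Raw | ConvertFrom-Json
        if ($raw.PSObject.Properties[$today]) {
            $raw.$today.PSObject.Properties | ForEach-Object { $state[$_.Name] = [int]$_.Value }
        }
    }
    return @{ Date = $today; Counts = $state }
}

function Save-AlertState {
    param([Parameter(Mandatory)]$State)
    # Only today's counts are kept; yesterday's cap resets automatically.
    @{ $State.Date = $State.Counts } | ConvertTo-Json -Depth 3 | Set-Content $StatePath
}

function Send-DlpAlertToTeams {
    # Returns 'sent', 'suppressed' or 'skipped' so a scheduled job can log it.
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$FileName,
        [Parameter(Mandatory)][string]$App,
        [Parameter(Mandatory)][string]$Owner,
        [Parameter(Mandatory)][string]$Severity
    )
    $state = Get-AlertState
    $count = if ($state.Counts.ContainsKey($PolicyName)) { $state.Counts[$PolicyName] } else { 0 }
    if ($count -ge $DailyAlertCap) { return 'suppressed' }

    $state.Counts[$PolicyName] = $count + 1
    Save-AlertState -State $state

    if ($WebhookUrl -like 'https://example.invalid/*') { return 'skipped' }   # placeholder URL

    # Simple text payload; the file name is shown but never the matched content.
    $body = @{ text = "DLP [$Severity] $PolicyName matched '$FileName' in $App (owner: $Owner)" } |
        ConvertTo-Json -Compress
    Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json' -Body $body | Out-Null
    return 'sent'
}

# Constructed alert used to exercise the cap: the sixth call for the
# same policy on the same day returns 'suppressed'.
1..6 | ForEach-Object {
    Send-DlpAlertToTeams -PolicyName 'Detect Credit Card Numbers in Cloud Files' `
        -FileName "invoice_$_.xlsx" -App 'Box' -Owner 'owner@example.com' -Severity 'High'
}
```

The payload deliberately carries only metadata (policy, file name, app, owner) and never the detected values, so the notification channel does not itself become a place where card numbers or PHI are copied.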

Step 11 · Integrate with Microsoft Purview DLP

Unify your DLP policies by leveraging Microsoft Purview’s Data Classification Service within MDA file policies.

  1. In the file policy content inspection, select Data Classification Service instead of Built-in DLP
  2. This uses the same classification engine as Purview, providing consistent detection across endpoints, Exchange, SharePoint, and third-party SaaS apps
  3. Select the sensitive information types or trainable classifiers defined in Purview
  4. Review the unified DLP alerts in the Purview compliance portal > Data loss prevention > Alerts

Step 12 · Build File Monitoring Dashboards

  1. Navigate to Cloud Apps > Files to review the file inventory
  2. Use filters to identify files by: sharing status, sensitivity label, app, owner, and file type
  3. Create saved queries for: externally shared labeled files, files in quarantine, unlabeled files with sensitive content
  4. Export file listings for compliance reporting
  5. Use Cloud Apps > Dashboard to monitor DLP trends over time

Step 13 · Handle DLP Incidents and Escalation

  1. Navigate to Cloud Apps > Alerts and filter by DLP file policies
  2. Triage each alert: review the file, the owner, the sensitive data type, and sharing status
  3. For confirmed violations: apply governance actions (remove sharing, quarantine, notify)
  4. For false positives: dismiss the alert and add the file or pattern to exclusions
  5. For critical data exposure incidents: escalate to the privacy or compliance team
  6. Document incident details for regulatory reporting requirements

Step 14 · Tune DLP Policies to Reduce False Positives

  1. Review policy match statistics after 1–2 weeks of operation
  2. Identify common false positive patterns (e.g., test data, sample files, documentation)
  3. Add exclusions: specific folders, file types, or users that generate false matches
  4. Increase the minimum instance count (e.g., require 5+ credit card numbers instead of 1)
  5. Increase the confidence level from Medium to High for noisy SIT patterns
  6. Create a feedback loop with business users to continually improve accuracy

Step 15 · Create User Notification Templates

  1. Design email templates for file owner notifications explaining: what was detected, why it matters, what action was taken, how to request an exception
  2. Create separate templates for different severity levels: informational, warning, action required
  3. Include a link to your organisation’s data handling policy
  4. Configure the templates in the file policy governance action settings

Step 16 · Implement RBAC for DLP Management

  1. Define roles: DLP Administrator (create/edit policies), DLP Analyst (review alerts), DLP Viewer (read-only dashboards)
  2. Configure scoped access using Defender XDR RBAC custom roles
  3. Assign users to appropriate roles based on their responsibilities
  4. Ensure the privacy team can access DLP reports without seeing raw file content

Step 17 · Schedule Automated Compliance Reports

  1. Export current file policy match data for baseline reporting
  2. Create a Power BI dashboard connecting to MDA data via API
  3. Include metrics: total files scanned, files with sensitive data, files remediated, policy violations by type and app
  4. Schedule monthly compliance reports to stakeholders: CISO, privacy officer, compliance team
  5. Include trend analysis showing improvement over time
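Step 12 has you export file listings and Step 17 lists the metrics a monthly report should contain. The following is an added example, not part of the lab: a PowerShell function that computes those metrics (files scanned, files with sensitive data, files exposed, files remediated, violations by type and app) from an exported file listing. The CSV columns are a constructed stand-in for whatever your export contains; map them to your actual column names. The function name and the sample rows are assumptions for this example.

```powershell
# Added example, not part of the lab. Build Step 17 compliance metrics
# from an exported file listing. The CSV below is constructed sample
# data whose column names are assumed, not the real MDA export schema.
$csvText = @'
FileName,App,Owner,Sharing,SensitiveInfoType,Label,Quarantined,Remediated
discharge_2024.docx,SharePoint,alice@example.com,External,PHI,Confidential,No,Yes
billing_q1.xlsx,Box,bob@example.com,Public,Credit Card Number,,Yes,Yes
claims.pdf,Salesforce,carol@example.com,Internal,PHI,Highly Confidential,No,No
readme.txt,SharePoint,dave@example.com,Private,,,No,No
'@
$files = $csvText | ConvertFrom-Csv

function Get-DlpComplianceMetrics {
    # Hypothetical helper: summarises an exported file listing.
    param([Parameter(Mandatory)][object[]]$Files)

    # A row is a DLP match when the export recorded a sensitive info type.
    $sensitive = @($Files | Where-Object { $_.SensitiveInfoType })
    $exposed   = @($sensitive | Where-Object { $_.Sharing -in 'External', 'Public' })
    $fixed     = @($sensitive | Where-Object { $_.Remediated -eq 'Yes' })
    $unlabeled = @($sensitive | Where-Object { -not $_.Label })

    $rate = if ($sensitive.Count -gt 0) {
        [math]::Round(100 * $fixed.Count / $sensitive.Count, 1)
    } else { 0 }

    [pscustomobject]@{
        TotalFilesScanned      = $Files.Count
        FilesWithSensitiveData = $sensitive.Count
        ExternallyExposed      = $exposed.Count
        FilesRemediated        = $fixed.Count
        RemediationRatePercent = $rate
        UnlabeledSensitive     = $unlabeled.Count
        # Violations grouped by sensitive info type and app, as Step 17 asks.
        ViolationsByTypeAndApp = @($sensitive |
            Group-Object SensitiveInfoType, App |
            ForEach-Object { [pscustomobject]@{ TypeAndApp = $_.Name; Count = $_.Count } })
    }
}

$metrics = Get-DlpComplianceMetrics -Files $files
$metrics | Select-Object * -ExcludeProperty ViolationsByTypeAndApp | Format-List
$metrics.ViolationsByTypeAndApp | Format-Table -AutoSize

# Write the breakdown to a CSV that can be attached to the monthly report
# or loaded into Power BI alongside the portal export.
$metrics.ViolationsByTypeAndApp |
    Export-Csv -Path (Join-Path $env:TEMP 'dlp-violations-by-type-app.csv') -NoTypeInformation
```

For the constructed rows this reports 4 files scanned, 3 with sensitive data, 2 externally exposed, 2 remediated (66.7%), and 1 unlabeled sensitive file; the unlabeled count is worth a line of its own in the report because it flags where auto-labeling (Step 6) has not caught up with detection.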

Step 18 · Build a Cloud DLP Maturity Roadmap

Define the progression from initial DLP deployment to a mature, enterprise-wide data protection program.

  • Phase 1 (Month 1): Deploy DLP policies in monitor-only mode, establish baseline
  • Phase 2 (Months 2–3): Enable enforcement for high-confidence matches, tune for false positives
  • Phase 3 (Months 4–6): Expand to all connected apps, add custom SITs, integrate with Purview
  • Phase 4 (Ongoing): Automated compliance reporting, continuous tuning, user education

Summary

What You Accomplished

  • Created file policies with DLP content inspection for credit card data, PII, and custom patterns
  • Configured automatic sensitivity labeling for files matched by DLP policies
  • Set up quarantine and governance actions for critical data exposures
  • Built app-specific DLP policies for Box, Salesforce, and other connected SaaS apps
  • Integrated MDA DLP with Microsoft Purview for unified data protection
  • Configured alert workflows, dashboards, and compliance reports
  • Tuned policies for accuracy and established a DLP maturity roadmap

Next Steps

📚 Documentation Resources

  • File policies in Defender for Cloud Apps: Create and manage file policies for data protection
  • Content inspection: Configure DLP content inspection methods and sensitive info types
  • Admin quarantine: Set up admin quarantine for DLP-matched files
  • Sensitivity label integration: Apply sensitivity labels via MDA governance actions