Intermediate ⏱ 90 min 📋 12 Steps

Deploy Data Loss Prevention (DLP) Policies

Create and deploy Microsoft Purview DLP policies across Exchange Online, SharePoint, OneDrive, Microsoft Teams, and Endpoints. Configure sensitive information types, policy rules, user notifications, endpoint DLP controls, and incident management workflows.

📋 Overview

About This Lab

Microsoft Purview Data Loss Prevention (DLP) protects sensitive information across your Microsoft 365 environment and endpoint devices. In this lab you will create DLP policies that detect and protect credit card numbers, Social Security numbers, health records, and custom sensitive data types. You will deploy policies to Exchange Online (email), SharePoint Online & OneDrive (documents), Microsoft Teams (chat and channels), and Windows endpoints (file copy, print, clipboard). By the end of this lab, you will have a comprehensive DLP framework that prevents accidental and intentional data exposure across all major channels.

๐Ÿข Enterprise Use Case

A healthcare organisation with 8,000 employees processes patient health information (PHI) across email, SharePoint, and endpoint devices. They must comply with HIPAA, state privacy laws, and their own data handling policies. Recent audits revealed that employees routinely share patient records via email without encryption, save PHI to personal USB drives, and paste sensitive data into Teams chats. The CISO needs a DLP solution that prevents data loss across all channels while minimising disruption to legitimate business workflows.

🎯 What You Will Learn

  1. Understand DLP policy components: sensitive information types, conditions, actions, and exceptions
  2. Create and test DLP policies for Exchange Online email protection
  3. Deploy DLP policies to SharePoint Online and OneDrive for Business
  4. Configure DLP for Microsoft Teams chats and channel messages
  5. Enable and configure Endpoint DLP for Windows devices
  6. Create custom sensitive information types using keyword dictionaries and regex patterns
  7. Configure policy tips (user notifications) that educate users in real-time
  8. Set up DLP incident reports and alerts for the security team
  9. Test policies in simulation mode before enforcing
  10. Integrate DLP with Insider Risk Management for adaptive protection

🔑 Why This Matters

Data breaches cost organisations an average of $4.88 million per incident (IBM 2024). DLP is the primary control that prevents sensitive data from leaving your organisation through email, cloud storage, or endpoint devices. Without DLP, employees can accidentally (or intentionally) share customer PII, financial data, or intellectual property via unsecured channels. A well-deployed DLP framework reduces breach risk, demonstrates regulatory compliance (GDPR, HIPAA, PCI-DSS), and creates a culture of data awareness through real-time policy tips that educate users at the point of action.

โš™๏ธ Prerequisites

  • Completed Lab 01: sensitivity labels deployed and auto-labeling configured
  • Compliance Administrator or DLP Compliance Management role in the Microsoft Purview compliance portal
  • Microsoft 365 E5 license, or E5 Compliance add-on (required for Endpoint DLP)
  • Test mailboxes and SharePoint sites with sample documents containing test sensitive data
  • Windows 10/11 device onboarded to Microsoft Defender for Endpoint (required for Endpoint DLP)
  • Exchange Online PowerShell module for policy automation

💡 Pro Tip: Always start with policies in Test mode (simulation) before enforcing. This lets you see what the policy would block without disrupting users. Review the simulation results for at least one week before switching to enforcement.

Step 1 · Understand DLP Policy Architecture

A DLP policy consists of rules that detect sensitive information and take protective actions. Understanding the components before creating policies ensures effective protection without over-blocking.

DLP Policy Components

  1. Locations: where the policy applies: Exchange, SharePoint, OneDrive, Teams, Endpoints, Power BI
  2. Conditions: what triggers the policy: sensitive information types (SITs), sensitivity labels, file extensions
  3. Actions: what happens when a match is found: block, encrypt, notify, restrict access
  4. User notifications: policy tips shown to users explaining why their action was blocked or flagged
  5. User overrides: whether users can override a block with a business justification
  6. Incident reports: alerts sent to compliance officers when policies trigger

DLP Policy Architecture (diagram)
  DLP Policy
    → Locations: Exchange, SharePoint, OneDrive, Teams, Endpoint, Power BI
    → Conditions: SIT (SSN, CCN, PHI); Labels (Confidential)
    → Actions: Block email, Encrypt, Restrict sharing, Block USB, Block print
    → Notifications: Policy tip to user, Incident alert to admin

Step 2 · Create Your First DLP Policy (Exchange Online)

Start by protecting the most common data loss channel: email. Create a DLP policy that detects sensitive information in emails and attachments.

Portal Instructions

  1. Navigate to compliance.microsoft.com > Data loss prevention > Policies
  2. Click Create policy
  3. Select category: Financial, then template: U.S. Financial Data (detects credit card numbers, bank account numbers)
  4. Name: DLP-Exchange-FinancialData
  5. Locations: enable only Exchange email (we’ll add other locations in later steps)
  6. Policy settings, Low volume rule:
    • Condition: Content contains 1–9 instances of credit card number
    • Action: Show policy tip to the user
    • User override: Allow with business justification
    • Incident report: Send to compliance-team@contoso.com
  7. Policy settings, High volume rule:
    • Condition: Content contains 10+ instances of credit card number
    • Action: Block the email from being sent
    • User override: No override (requires admin intervention)
    • Incident report: Send with High severity
  8. Set policy mode: Run the policy in simulation mode
  9. Click Submit

PowerShell: Create DLP Policy

# Connect to Security & Compliance PowerShell
# WHY: Required session for all DLP, sensitivity label, and compliance cmdlets
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Create the DLP policy targeting Exchange email
# WHAT: Creates a DLP policy container scoped to all Exchange mailboxes
# -Mode TestWithNotifications: SIMULATION mode - shows policy tips to users
#   but does NOT block emails. Always start here before enforcing.
# OUTPUT: Policy appears in Purview portal under DLP > Policies
New-DlpCompliancePolicy -Name "DLP-Exchange-FinancialData" `
  -ExchangeLocation All `
  -Mode TestWithNotifications `
  -Comment "Protect financial data in email - simulation mode"

# Create the low-volume rule (1-9 credit card numbers)
# WHAT: Detects emails containing 1 to 9 credit card numbers at high confidence
# WHY: Low-volume matches suggest accidental inclusion - educate the user
#      rather than blocking, and log for compliance review
# -NotifyUser: Who is notified; for email, LastModifier is the sender
# -NotifyUserType "PolicyTip": Shows a policy tip in Outlook (valid values are
#   NotSet, Email, PolicyTip and "Email,PolicyTip")
# -NotifyAllowOverride "WithJustification": Implements "Allow with business
#   justification" from the portal steps; the justification is recorded for audit
# -GenerateIncidentReport: Sends a detailed report to the admin for audit
# -IncidentReportContent "All": Includes full message content in the report
New-DlpComplianceRule -Name "DLP-Exchange-Financial-LowVolume" `
  -Policy "DLP-Exchange-FinancialData" `
  -ContentContainsSensitiveInformation @{
    Name = "Credit Card Number";
    minCount = 1;
    maxCount = 9;
    confidencelevel = "High"
  } `
  -NotifyUser "SiteAdmin","LastModifier" `
  -NotifyUserType "PolicyTip" `
  -NotifyAllowOverride "WithJustification" `
  -GenerateIncidentReport "SiteAdmin" `
  -IncidentReportContent "All"

# Create the high-volume rule (10+ credit card numbers)
# WHAT: Detects bulk credit card data (10+ instances) - likely a data dump
# WHY: High volume = high risk of breach. Block immediately with no override.
# -BlockAccess $true: Prevents the email from being sent entirely
# -GenerateAlert: Creates an alert for immediate SOC investigation
# -ReportSeverityLevel "High": Marks the incident report and alert as high severity
#   (matches "Send with High severity" in the portal steps)
# -AggregationType "None": Each match generates its own alert (no batching)
# CONCERN: 10+ credit cards in one email strongly suggests exfiltration or error
New-DlpComplianceRule -Name "DLP-Exchange-Financial-HighVolume" `
  -Policy "DLP-Exchange-FinancialData" `
  -ContentContainsSensitiveInformation @{
    Name = "Credit Card Number";
    minCount = 10;
    confidencelevel = "High"
  } `
  -BlockAccess $true `
  -GenerateAlert "SiteAdmin" `
  -ReportSeverityLevel "High" `
  -AlertProperties @{AggregationType = "None"}

💡 Pro Tip: Use TestWithNotifications mode to show policy tips without blocking. This educates users about what would be blocked when you switch to enforcement, dramatically reducing support tickets on go-live day.
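
To see how the two-tier rule behaves on actual message text, here is an added PowerShell example (not part of the lab and not a Purview cmdlet) that reproduces the tiering locally. The built-in Credit Card Number SIT only counts candidates that pass the Luhn checksum, so the example applies the same check before counting; the function names and sample messages are constructed for this illustration.

```powershell
# Added example: local emulation of the Step 2 two-tier credit card rule (not Purview code).
# The built-in "Credit Card Number" SIT only counts candidates that pass the Luhn checksum,
# so an order number that merely looks like a card does not trigger the policy.

function Test-Luhn {
    param([string]$Digits)   # digits only, separators already removed
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Get-CreditCardMatchCount {
    param([string]$Text)
    # Candidate: 13-19 digits with optional single spaces or hyphens between digits
    $pattern = '\b(?:\d[ -]?){12,18}\d\b'
    $count = 0
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        if (Test-Luhn -Digits $digits) { $count++ }
    }
    return $count
}

function Get-DlpRuleOutcome {
    param([int]$MatchCount)
    # Same thresholds as the LowVolume (1-9) and HighVolume (10+) rules created above
    if ($MatchCount -ge 10) {
        return [pscustomobject]@{ Rule = 'DLP-Exchange-Financial-HighVolume'; Action = 'Block'; OverrideAllowed = $false }
    }
    if ($MatchCount -ge 1) {
        return [pscustomobject]@{ Rule = 'DLP-Exchange-Financial-LowVolume'; Action = 'PolicyTip'; OverrideAllowed = $true }
    }
    return [pscustomobject]@{ Rule = '(none)'; Action = 'Allow'; OverrideAllowed = $false }
}

# Constructed sample message bodies
$samples = [ordered]@{
    'single test card'      = 'Please charge 4111-1111-1111-1111 for invoice 4471.'
    'order number, no Luhn' = 'Ref 1234-5678-9012-3456 is an order number, not a card.'
    'bulk export'           = ((1..12 | ForEach-Object { '4111 1111 1111 1111' }) -join "`n")
}

foreach ($name in $samples.Keys) {
    $n = Get-CreditCardMatchCount -Text $samples[$name]
    $o = Get-DlpRuleOutcome -MatchCount $n
    '{0,-22} matches={1,-2} rule={2} action={3} override={4}' -f $name, $n, $o.Rule, $o.Action, $o.OverrideAllowed
}
```

The first sample lands in the LowVolume tier, the second produces no match because the digits fail the checksum, and the twelve-line export crosses the 10+ threshold and is blocked.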

Step 3 · Create a Custom Sensitive Information Type

Built-in SITs cover common data types, but most organisations have custom sensitive data (employee IDs, project codes, internal account numbers). Create custom SITs to detect your organisation’s specific data patterns.

Portal Instructions

  1. Navigate to Data classification > Classifiers > Sensitive info types
  2. Click Create sensitive info type
  3. Name: Contoso Employee ID
  4. Description: Detects Contoso employee IDs in format EMP-XXXXXX
  5. Click Create pattern:
    • Primary element: Regular expression
    • Pattern: EMP-[0-9]{6}
    • Confidence level: High (85%)
  6. Add supporting element (keyword list): employee, staff, personnel
  7. Set character proximity: 300 characters
  8. Click Create

PowerShell: Create Custom SIT

# Create a custom sensitive information type (SIT) via PowerShell
# WHAT: Defines a custom SIT using XML rule pack format to detect organisation-specific
#       data patterns that built-in SITs don't cover (e.g., employee IDs)
# WHY: Every organisation has unique data formats. Custom SITs let DLP policies
#      protect your proprietary identifiers alongside standard PII.
# The Entity id is referenced again in LocalizedStrings, so generate it once
$entityId = (New-Guid).Guid
$rulePackXml = @"
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$(New-Guid)">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$(New-Guid)"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso Ltd</PublisherName>
        <Name>Contoso Custom SITs</Name>
        <Description>Custom sensitive information types for Contoso</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="EmployeeId"/>
        <Match idRef="EmployeeKeywords"/>
      </Pattern>
    </Entity>
    <Regex id="EmployeeId">EMP-[0-9]{6}</Regex>
    <Keyword id="EmployeeKeywords">
      <Group matchStyle="word">
        <Term>employee</Term>
        <Term>staff</Term>
        <Term>personnel</Term>
      </Group>
    </Keyword>
    <!-- Display name and description of the SIT; required for the upload to succeed -->
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso Employee ID</Name>
        <Description default="true" langcode="en-us">Detects Contoso employee IDs in format EMP-XXXXXX</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@
# Save the XML rule definition to a file (full path, so the .NET call below resolves it)
$sitPath = Join-Path $PWD "ContosoSIT.xml"
$rulePackXml | Out-File -FilePath $sitPath -Encoding utf8
# Upload the custom SIT rule package to the compliance centre
# OUTPUT: The "Contoso Employee ID" SIT becomes available in DLP policy conditions
# PATTERN: Matches EMP- followed by exactly 6 digits (e.g., EMP-004521)
# SUPPORTING KEYWORDS: "employee", "staff", "personnel" within 300 chars are required
#   for the pattern to match at confidence 85
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($sitPath))
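
As an added example that is not part of the lab's code or Purview's classifier, the following PowerShell approximates how the pattern above is evaluated: an EMP- match only counts when a supporting keyword sits within the 300-character proximity window, which is why a bare ID in a ticket does not trigger the SIT. The function name and sample documents are constructed, and the real classifier's distance calculation may differ in detail.

```powershell
# Added example: approximate local evaluation of the "Contoso Employee ID" pattern above.
# Not Purview's classifier; it shows why a bare EMP- number does not count as a match:
# the Pattern needs the IdMatch regex AND a supporting keyword within 300 characters.

$EmployeeIdRegex = 'EMP-[0-9]{6}'                      # same regex as <Regex id="EmployeeId">
$SupportingTerms = @('employee', 'staff', 'personnel')  # same terms as <Keyword id="EmployeeKeywords">
$ProximityWindow = 300                                  # patternsProximity="300"

function Get-EmployeeIdMatches {
    param([string]$Text)
    # matchStyle="word": whole-word, case-insensitive keyword hits
    $escaped = $SupportingTerms | ForEach-Object { [regex]::Escape($_) }
    $keywordPattern = '\b(?:' + ($escaped -join '|') + ')\b'
    $keywordHits = [regex]::Matches($Text, $keywordPattern, 'IgnoreCase')
    $results = @()
    foreach ($id in [regex]::Matches($Text, $EmployeeIdRegex)) {
        # Gap in characters between the ID span and the nearest keyword span
        $idEnd = $id.Index + $id.Length
        $nearest = $null
        foreach ($kw in $keywordHits) {
            $kwEnd = $kw.Index + $kw.Length
            # One of the two differences is negative (the span that comes first); take the other
            $gap = [Math]::Max($kw.Index - $idEnd, $id.Index - $kwEnd)
            if ($null -eq $nearest -or $gap -lt $nearest) { $nearest = $gap }
        }
        $results += [pscustomobject]@{
            Value             = $id.Value
            NearestKeywordGap = $nearest
            # Only an ID with a supporting element inside the window satisfies the
            # confidenceLevel="85" pattern; otherwise the SIT does not fire
            MatchesSit        = ($null -ne $nearest -and $nearest -le $ProximityWindow)
        }
    }
    return $results
}

# Constructed sample documents
$docs = @(
    'Please update the staff record for EMP-004521 before Friday.',           # keyword 12 chars away: match
    'Ticket EMP-118844 raised for a printer fault.',                            # no keyword: no match
    ('Employee handbook v3.' + (' lorem' * 70) + ' Reference EMP-777001.')     # keyword over 400 chars away: no match
)

foreach ($doc in $docs) {
    Get-EmployeeIdMatches -Text $doc | Format-Table -AutoSize
}
```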

Step 4 · Extend DLP to SharePoint & OneDrive

Protect documents stored in SharePoint Online and OneDrive for Business. DLP scans document content and blocks sharing when sensitive data is detected.

Portal Instructions

  1. Navigate to DLP Policies > Create policy
  2. Template: U.S. Personally Identifiable Information (PII)
  3. Name: DLP-SharePoint-PII
  4. Locations: enable SharePoint sites and OneDrive accounts
  5. Configure the Low volume rule: detect 1–4 instances of SSN → show policy tip, allow override
  6. Configure the High volume rule: detect 5+ instances of SSN → block external sharing, no override
  7. Enable User notifications: show a policy tip on the document in SharePoint/OneDrive
  8. Set mode: Simulation
  9. Click Submit

PowerShell

# Create DLP policy for SharePoint and OneDrive document protection
# WHAT: Scans documents stored in SharePoint Online and OneDrive for sensitive data
# WHY: Documents containing PII must be protected from external sharing to comply
#      with GDPR, CCPA, and HIPAA regulations
# -Mode TestWithNotifications: Simulation mode - shows policy tips without blocking
New-DlpCompliancePolicy -Name "DLP-SharePoint-PII" `
  -SharePointLocation All `
  -OneDriveLocation All `
  -Mode TestWithNotifications

# Add rule to detect SSN and block external sharing
# WHAT: Triggers when 5+ SSNs are found in a single document (high confidence)
# WHY: 5+ SSNs suggests a data export or report - must not be shared externally
# -BlockAccess $true: Prevents the document from being shared
# -BlockAccessScope "PerUser": Blocks only people outside the organisation; internal
#   users retain access, so internal workflows continue. Valid values are All,
#   PerUser and PerAnonymousUser; "All" would also cut off internal users other
#   than the owner and last modifier.
# -GenerateIncidentReport: Sends alert details to the site administrator
New-DlpComplianceRule -Name "DLP-SP-PII-Block" `
  -Policy "DLP-SharePoint-PII" `
  -ContentContainsSensitiveInformation @{
    Name = "U.S. Social Security Number (SSN)";
    minCount = 5;
    confidencelevel = "High"
  } `
  -BlockAccess $true `
  -BlockAccessScope "PerUser" `
  -GenerateIncidentReport "SiteAdmin"

Step 5 · Configure DLP for Microsoft Teams

Teams DLP scans chat messages and channel messages for sensitive information. When a policy match is found, the message is blocked or a policy tip is shown to the sender.

Portal Instructions

  1. Navigate to DLP Policies > Create policy
  2. Template: U.S. Health Insurance Act (HIPAA)
  3. Name: DLP-Teams-HealthData
  4. Locations: enable Teams chat and channel messages
  5. Configure rule: detect health-related SITs (DEA number, Drug names, ICD codes) → show policy tip and block message
  6. Enable User override with justification for legitimate healthcare communications
  7. Set mode: Simulation
  8. Click Submit
โš ๏ธ Important: Teams DLP blocks the entire message when a match is found. it does not redact just the sensitive portion. Train users to avoid mixing sensitive data with other content in the same message.

Step 6 · Enable & Configure Endpoint DLP

Endpoint DLP extends data protection to Windows devices, controlling USB file copy, printing, clipboard operations, and uploads to cloud services. This requires devices onboarded to Microsoft Defender for Endpoint.

Enable Endpoint DLP

  1. Navigate to Purview > Data loss prevention > Endpoint DLP settings
  2. Verify Device onboarding status: devices must be onboarded to Defender for Endpoint
  3. Configure Unallowed apps: add apps that should never access sensitive files (e.g., personal cloud sync clients like Dropbox, personal Google Drive)
  4. Configure Unallowed Bluetooth apps: block Bluetooth file transfers for sensitive data
  5. Configure Browser restrictions: add non-corporate browsers that should be blocked from uploading sensitive files
  6. Configure Service domain restrictions: block uploads to non-corporate cloud services
  7. Set File path exclusions for legitimate business directories (e.g., C:\Program Files\)

Create Endpoint DLP Policy

  1. Navigate to DLP Policies > Create policy
  2. Template: Custom policy
  3. Name: DLP-Endpoint-SensitiveData
  4. Locations: enable Devices
  5. Add conditions: detect credit cards, SSN, and your custom SITs
  6. Configure Endpoint DLP actions:
    • Copy to USB: Block with override
    • Copy to network share: Audit only
    • Print: Block with override
    • Copy to clipboard: Audit only
    • Upload to cloud service: Block (for unapproved services)
    • Access by unallowed apps: Block
  7. Set mode: Simulation
  8. Click Submit

PowerShell

# Create Endpoint DLP policy for Windows device protection
# WHAT: Creates a DLP policy scoped to Windows endpoints onboarded to Defender for Endpoint
# WHY: Protects data on the device itself - prevents USB copy, printing, clipboard,
#      and cloud upload of sensitive files. Covers the "last mile" of data protection.
# -EndpointDlpLocation All: Applies to all onboarded Windows devices
# -Mode TestWithNotifications: Audit mode first - log activity without blocking
New-DlpCompliancePolicy -Name "DLP-Endpoint-SensitiveData" `
  -EndpointDlpLocation All `
  -Mode TestWithNotifications

# Add rule with endpoint-specific actions for sensitive data
# WHAT: Detects credit cards or SSNs on endpoint devices and applies granular controls
# -ContentContainsSensitiveInformation: Matches EITHER credit cards OR SSNs (minCount=1)
# -EndpointDlpRestrictions: One @{Setting; Value} entry per data channel. Setting names
#   are the cmdlet's own values (not the portal labels); Value is Audit, Warn or Block:
#   RemovableMedia=Block: Prevents copying to USB drives (top exfiltration vector)
#   Print=Warn: Shows a warning before printing (allows override with justification)
#   CopyPaste=Audit: Logs clipboard activity but doesn't block (minimises disruption)
#   CloudEgress=Block: Prevents upload to non-corporate cloud services (Dropbox, etc.)
#   UnallowedApps=Block: Prevents unapproved apps from opening sensitive files
New-DlpComplianceRule -Name "DLP-Endpoint-BlockUSB" `
  -Policy "DLP-Endpoint-SensitiveData" `
  -ContentContainsSensitiveInformation @{
    Name = "Credit Card Number";
    minCount = 1;
    confidencelevel = "High"
  },@{
    Name = "U.S. Social Security Number (SSN)";
    minCount = 1;
    confidencelevel = "High"
  } `
  -EndpointDlpRestrictions @(
    @{Setting="RemovableMedia";Value="Block"},
    @{Setting="Print";Value="Warn"},
    @{Setting="CopyPaste";Value="Audit"},
    @{Setting="CloudEgress";Value="Block"},
    @{Setting="UnallowedApps";Value="Block"}
  )

💡 Pro Tip: Start Endpoint DLP in Audit mode for all actions. Review the Activity Explorer for 2 weeks to understand user behaviour patterns before switching to Block or Warn. This prevents blocking legitimate workflows.

Step 7 · Configure User Notifications & Policy Tips

Policy tips are the user-facing component of DLP. They educate users in real-time when they are about to share sensitive data, reducing incidents by up to 80% according to Microsoft data.

Configure Policy Tips

  1. Edit your DLP policy > navigate to User notifications
  2. Enable Use notifications to inform users and educate them
  3. Enable Show policy tips in: Outlook, SharePoint, OneDrive, Teams
  4. Customise the policy tip text: “This content contains sensitive financial data (credit card numbers). If you need to share this externally, please encrypt the attachment or use the secure file sharing portal.”
  5. Add a compliance URL: link to your organisation’s data handling policy
  6. Configure User overrides: allow override with business justification (tracked for audit)

💡 Pro Tip: Write policy tips in plain language. Instead of “DLP rule 7.2.1 violation detected”, say “This email contains credit card numbers. Please remove them or encrypt the attachment before sending.” Users are far more likely to comply when they understand why.

Step 8 · Set Up DLP Alerts & Incident Reports

Configure alerts that notify the compliance team when DLP policies trigger. Set up incident reports for investigation and audit purposes.

Configure Alert Policies

  1. Navigate to Data loss prevention > Alerts
  2. Review the default alert policies. DLP creates alerts automatically for each policy
  3. Custom alert: click Create alert policy for high-severity scenarios
  4. Configure alert aggregation: Single event for high-severity, Aggregated (threshold-based) for low-severity
  5. Configure alert recipients: dlp-alerts@contoso.com

PowerShell: Review DLP Alerts

# List all DLP policies and their current status
# WHAT: Shows every DLP policy in the tenant with its enforcement mode and scope
# OUTPUT: Name, Mode (Enable/TestWithNotifications/TestWithoutNotifications),
#         IsEnabled, and which locations (Exchange, SharePoint) are protected
# CONCERN: Any policy in "Enable" mode is actively blocking - verify this is intentional
Get-DlpCompliancePolicy | Format-Table Name, Mode, IsEnabled, ExchangeLocation, SharePointLocation

# View DLP policy rule details for the Exchange financial data policy
# WHAT: Shows the SIT conditions and actions for each rule in the policy
# OUTPUT: ContentContainsSensitiveInformation (which SITs trigger the rule),
#         BlockAccess (whether the rule blocks or just warns)
Get-DlpComplianceRule -Policy "DLP-Exchange-FinancialData" | 
  Format-List Name, ContentContainsSensitiveInformation, BlockAccess

# Search the unified audit log for DLP match events
# WHAT: Retrieves DLP policy match events from the last 7 days
# WHY: Review which policies are triggering, for which users, and how often
# -RecordType DLP: Filters to DLP-specific audit events only
# OUTPUT: Date, user who triggered the policy, and the operation (DLPRuleMatch)
# USE: Monitor daily to catch false positives early in the simulation phase
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) `
  -EndDate (Get-Date) `
  -RecordType DLP `
  -ResultSize 50 | 
  Select-Object CreationDate, UserIds, Operations | 
  Format-Table -AutoSize

Step 9 · Test Policies in Simulation Mode

Before enforcing DLP policies, run them in simulation mode for at least 1–2 weeks. Review the results to tune sensitivity thresholds and reduce false positives.

Test Workflow

  1. Send test emails containing sample credit card numbers: 4111-1111-1111-1111 (standard test number)
  2. Upload a test document with fake SSN data to SharePoint
  3. Send a test Teams message containing test health data
  4. Copy a file containing test sensitive data to a USB drive (endpoint DLP)
  5. Navigate to Data loss prevention > Activity explorer
  6. Review all detected activities: verify true positives and identify false positives
  7. Adjust rules: increase confidence levels or add exceptions for false positives
  8. When ready, switch policy mode from Simulation to Turn it on right away

PowerShell: Switch to Enforcement

# Switch policy from simulation to full enforcement
# WHAT: Changes the DLP policy from test mode to active blocking mode
# WHY: After validating simulation results (1-2 weeks, <5% false positive rate),
#      switch to enforcement so the policy actually blocks sensitive data sharing
# CAUTION: This immediately starts blocking emails matching the policy rules
Set-DlpCompliancePolicy -Identity "DLP-Exchange-FinancialData" -Mode Enable

# Verify the mode change was applied
# OUTPUT: Mode should now show "Enable" and IsEnabled should be "True"
# EXPECT: If Mode still shows "TestWithNotifications", the change may need a few minutes
Get-DlpCompliancePolicy -Identity "DLP-Exchange-FinancialData" | 
  Select-Object Name, Mode, IsEnabled
โš ๏ธ Important: Never skip simulation mode for production policies. An over-broad policy can block thousands of legitimate emails in minutes. Always validate with at least one week of simulation data before enforcing.

Step 10 · Integrate DLP with Adaptive Protection

Adaptive Protection connects DLP with Insider Risk Management to automatically adjust DLP policy strictness based on a user’s risk level. High-risk users get stricter controls; low-risk users get lighter enforcement.

Portal Instructions

  1. Navigate to Insider risk management > Adaptive protection
  2. Click Turn on adaptive protection
  3. Configure risk levels: define which insider risk levels (Elevated, Minor, Moderate) map to which DLP policy strictness
  4. Create a DLP policy that uses Adaptive protection as a condition
  5. Example: for Elevated risk users, block all external sharing; for Minor risk, show policy tip only

💡 Pro Tip: Adaptive Protection is one of the most powerful features in Microsoft Purview. It eliminates the “one-size-fits-all” problem with DLP: trusted employees get freedom, while high-risk users get appropriate controls. This dramatically reduces false positive fatigue.

Step 11 · Monitor with Activity Explorer & Reports

Use Activity Explorer and DLP reports to monitor policy effectiveness, identify trends, and report to leadership.

Key Dashboards to Review

  1. Activity Explorer: real-time view of all DLP activities (matched, overridden, blocked)
  2. DLP Alerts dashboard: active alerts requiring investigation
  3. DLP Reports: policy match trends over time, top matched SITs, top users triggering policies
  4. Content Explorer: browse content that matches sensitive information types across your tenant

PowerShell: Generate DLP Report

# Export DLP policy match data from the audit log for the past 30 days
# WHAT: Retrieves all DLP events for monthly compliance reporting
# WHY: Monthly DLP reports demonstrate regulatory compliance and help tune policies
# -ResultSize 5000: Maximum per call; use paging for larger tenants
$dlpEvents = Search-UnifiedAuditLog `
  -StartDate (Get-Date).AddDays(-30) `
  -EndDate (Get-Date) `
  -RecordType DLP `
  -ResultSize 5000

# Summarise matches by policy name
# WHAT: Groups all DLP events by which policy triggered them
# OUTPUT: Policy name and match count - shows which policies are most active
# CONCERN: A single policy with very high counts may be too broad (false positives)
# CONCERN: A policy with zero counts may have misconfigured conditions
$dlpEvents | 
  ForEach-Object { ($_.AuditData | ConvertFrom-Json).PolicyDetails.PolicyName } | 
  Group-Object | 
  Sort-Object Count -Descending | 
  Format-Table Name, Count

# Export raw event data to CSV for detailed analysis in Excel or Power BI
$dlpEvents | 
  Select-Object CreationDate, UserIds, Operations, AuditData | 
  Export-Csv -Path "DLP-Report-30Days.csv" -NoTypeInformation

Step 12 · Clean Up & Next Steps

Review your DLP deployment and plan ongoing operations.

What You Accomplished

  1. Exchange Online DLP: financial data protection
  2. SharePoint/OneDrive DLP: PII and document protection
  3. Microsoft Teams DLP: chat and channel message protection
  4. Endpoint DLP: USB, print, clipboard, cloud upload controls
  5. Custom sensitive information types: organisation-specific data patterns
  6. Policy tips: user education at point of action
  7. Adaptive Protection: risk-based policy enforcement

Next Steps

  • Next Lab: Set Up Insider Risk Management
  • Create DLP policies for Power BI reports containing sensitive data
  • Deploy Exact Data Match (EDM) classifiers for your customer database
  • Implement Trainable classifiers for unstructured sensitive data (resumes, contracts)
  • Schedule monthly DLP policy reviews: tune thresholds, add new SITs, address user feedback

💡 Pro Tip: Establish a monthly DLP review cadence: review alert volumes, override rates, and false positive rates. A high override rate (>20%) means your policy is too strict or your exception list needs updating. A low alert rate may mean the policy isn’t detecting real issues.

📚 Documentation Resources

  • Learn about data loss prevention: Overview of DLP capabilities across Microsoft 365
  • Create and deploy a DLP policy: Step-by-step guide to creating your first DLP policy
  • Learn about Endpoint DLP: Endpoint data loss prevention for Windows devices
  • Sensitive information types: Built-in and custom SIT reference
  • DLP policy tips reference: Configure user-facing notifications and policy tips
  • DLP alerts dashboard: Monitor and investigate DLP policy matches
  • Adaptive protection: Integrate DLP with Insider Risk Management for risk-based enforcement
  • DLP PowerShell reference: Automate DLP policy management with PowerShell
โ† Previous Lab Next Lab โ†’