
Data Loss Prevention

In Microsoft 365, you implement data loss prevention by defining and applying DLP policies.

Organizations have sensitive information under their control such as financial data, proprietary data, credit card numbers, health records, or social security numbers. To help protect this sensitive data and reduce risk, they need a way to prevent their users from inappropriately sharing it with people who shouldn't have it. This practice is called data loss prevention (DLP).

With a DLP policy, you can identify, monitor, and automatically protect sensitive items across:

  • Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive

  • Office applications such as Word, Excel, and PowerPoint

  • Windows 10, Windows 11 and macOS (Catalina 10.15 and higher) endpoints

  • non-Microsoft cloud apps

  • on-premises file shares and on-premises SharePoint

DLP Lifecycle

DLP is part of the larger Microsoft 365 Compliance offering

Microsoft 365 DLP is just one of the Microsoft 365 Compliance tools that you will use to help protect your sensitive items wherever they live or travel.

 

Protective actions of DLP policies

Microsoft 365 DLP policies are how you monitor the activities that users take on sensitive items at rest, in transit, or in use, and take protective actions. For example, when a user attempts a prohibited action, such as copying a sensitive item to an unapproved location, sharing medical information in an email, or meeting other conditions laid out in a policy, DLP can:

  • show a pop-up policy tip to the user that warns them that they may be trying to share a sensitive item inappropriately

  • block the sharing and, via a policy tip, allow the user to override the block and capture the user's justification

  • block the sharing without the override option

  • for data at rest, lock sensitive items and move them to a secure quarantine location

  • for Teams chat, withhold the sensitive information from display

 

All DLP monitored activities are recorded to the Microsoft 365 Audit log by default and routed to Activity explorer. When a user performs an action that meets the criteria of a DLP policy, and you have alerts configured, DLP provides alerts in the DLP alert management dashboard.

Plan for DLP

Microsoft 365 DLP monitoring and protection are native to the applications that users use every day. This helps to protect your organization's sensitive items from risky activities even if your users are unaccustomed to data loss prevention thinking and practices. If your organization and your users are new to data loss prevention practices, adopting DLP may require changes to your business processes and a culture shift for your users. With proper planning, testing, and tuning, however, your DLP policies will protect your sensitive items while minimizing any potential business process disruptions.

 

Prepare for DLP

You can apply DLP policies to data at rest, data in use, and data in motion in locations such as:

  • Exchange Online email

  • SharePoint Online sites

  • OneDrive accounts

  • Teams chat and channel messages

  • Microsoft Cloud App Security

  • Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) devices

  • On-premises repositories

 

Deploy your policies in production

Design your policies

Implement policy in test mode

Monitor outcomes and fine-tune the policy

Enable the control and tune your policies

 

© 2022 CloudVitality
