January 3, 2023 | Reading time 12 minutes

Microsoft 365 Data Loss Prevention (DLP): A complete guide

Data Loss Prevention (DLP) is one of many essential security functions in Microsoft 365. This guide for enterprises explains in detail what Microsoft 365 Data Loss Prevention and policies are and what tools your business should use to improve them.

What Is Data Loss Prevention (DLP)?

Data loss is one of the most significant challenges in modern cybersecurity. It happens for many reasons, ranging from human errors to hardware malfunctions to cyber attacks. Modern IT teams use various methods and tools to prevent these incidents and keep corporate data intact. The combination of these methods and tools is called Data Loss Prevention (DLP).

SaaS environments like Microsoft 365 are just as vulnerable to data loss as on-prem systems. Although Microsoft 365 is less prone to cyberattacks or hardware malfunction, it’s not 100% protected from these incidents. Furthermore, human errors and man-in-the-middle attacks happen regularly. So how do you protect Microsoft 365 from data loss?

What are the best practices of Office 365 Data Loss Prevention?

We can divide the practices of DLP Office 365 into two main categories:

Data Loss Prevention Methods used after the incident occurred

These methods are a remedy for a data loss incident. When it occurs, a company can recover its data if its copy is stored elsewhere and is thus beyond the impact of the said incident.

  • Backup

In the case of Microsoft 365, a backup is a copy of corporate data stored in a separate location by a third-party backup tool. Its key advantage is the ability to retain multiple versions of data. The key disadvantage is the recovery speed in large data loss incidents.

  • Data retention policy

Microsoft 365 enables companies to set up policies that prevent the permanent loss of certain types of files. Whenever such a file is edited or deleted, the policy creates a copy of it in a separate location. Later, the Admins can retrieve it.

  • Archiving

When an employee leaves but their data must still be stored, companies can archive that user. Both Microsoft 365 and third-party tools have archive functionality.

Data loss prevention methods used to prevent the incident

These methods are applied to prevent data loss incidents.

  • DLP policies
  • Ransomware protection
  • Sharing control
  • Login control
  • Shadow IT control

Microsoft 365 Data Loss Prevention

Microsoft information protection is robust, but it’s not enough to meet the needs of the modern enterprise and address all the risks to data. That’s why you need third-party data loss prevention tools to ensure your data is safe.

Is DLP Included in Microsoft 365?

As mentioned above, some DLP tools are included in Microsoft 365, for example, data retention or DLP policies. The functionality also includes a tool that enables businesses to discover Shadow IT, but it lacks the means to control it.

Backup, login control, and ransomware protection are not part of the offer. Office 365 does have functionality that spots phishing emails or emails containing malicious files. However, practice shows that it doesn’t filter out all such emails. That’s why additional ransomware protection is needed. Similarly, companies need additional control of abnormal logins to take timely actions in case hackers manage to get hold of credentials. Experts suggest using third-party tools to meet the needs of modern businesses.

How Does Microsoft 365 DLP Work?

As mentioned, Microsoft 365 data loss prevention comprises DLP policies and data retention. How do they work?

A data loss prevention policy is a set of rules triggered by a certain event. For example, Microsoft 365 DLP policy can detect when a particular type of sensitive data appears in a OneDrive file or an email. It then can limit access to this sensitive information for unauthorized users inside or outside the organization.

What Are Microsoft 365 DLP Policies?

A Microsoft 365 DLP policy is a set of rules that are automatically applied when a certain event takes place. These rules primarily govern the creation of content containing a specific type of sensitive information (e.g., an email in Exchange Online).

Office 365 DLP policies help Admins automate security monitoring and control. Each policy consists of several conditions and the actions that Office 365 takes when these conditions are met.

What Can Microsoft 365 DLP Policies Be Applied To?

Office 365 DLP policies can be applied to the following types of sensitive data:

  • Financial data of Australia, Canada, France, Germany, Israel, Japan, Saudi Arabia, the UK, the US, and other countries.
  • Medical sensitive data of Australia, Canada, the UK, the US, and other countries.
  • Privacy data of Australia, Canada, the EU (GDPR), France, Germany, Israel, Japan, Saudi Arabia, the UK, the US, and other countries.
  • Custom sensitive information.

Note that one country can have multiple laws and regulations governing sensitive data. For example, the US has Federal Trade Commission (FTC) Consumer Rules and Gramm-Leach-Bliley Act (GLBA) for financial data.

An Office 365 DLP policy is applied to the sensitive data stored in the following ‘locations’:

  • Exchange Online
  • SharePoint
  • OneDrive
  • Teams
  • On-prem repositories

When creating a DLP policy in the Compliance Center, the Admin can choose from various rule options.

Office 365 DLP Policies FAQ:

  • What are Microsoft 365 DLP reports?

In the Reports Section of the Compliance Center, you can see the report on Data Loss Prevention Policy matches.

  • How can I know that a DLP Policy has been triggered?

You will get an email notification. You can also check Microsoft 365 DLP Alerts Dashboard for any policy matches.

  • What are the limitations of Office 365 DLP?

As mentioned above, Office 365 DLP is a limited tool, and it doesn’t help in case of deletions or accidental data edits. It also cannot help in case of ransomware, zero-day, or man-in-the-middle attacks.

How to create an Office 365 DLP policy?

Creating DLP policies for Office 365 can seem hard at first, as there are a lot of configuration options. You can create two types of DLP policies: Default and Custom. We’ll explain both options step by step.

How to Set Up a Default DLP Policy?

Step 1.

Go to the Policies section of Microsoft 365 Compliance Center and click on Data Loss Prevention. You will be redirected to the DLP page. Click on the Policies tab.

Step 2.

In the Policies tab, click on Create policy. On the page, choose one of four categories of DLP policies: Financial, Medical and Health, Privacy, and Custom.

Then select a Template. For example, suppose you need to protect sensitive data to comply with HIPAA. Pick Medical and Health, then scroll to the US Health Insurance Act. When you click on it, the information about the protected data will appear.

Click next.

Step 3.

Pick the name and description of your DLP policy. Microsoft 365 will generate a default text, but you can change it.

Next, pick the Admin Unit. Only certain Office 365 licenses enable you to assign this policy to an Admin Unit.

Step 4.

Choose the services (called locations in the Compliance Center) subject to your DLP Policy.

Step 5.

Next, you will be presented with two options for DLP Policy settings: Default or Custom. Click on default and proceed to the next step.

Now you can tweak the DLP policy settings:

  • Sensitive information protected by Microsoft 365.

Read the default data carefully and click Edit if you want to add more. For example, HIPAA will look for PII Identifiers (SSN and DEA number) and Medical Terms (ICD-9 and ICD-10). You can add more types of sensitive information to both categories.

  • Protection Actions

There will be several default actions like sending an email notification to the respective user and notifying Admins of the event.

  • Access settings

Choose how the access settings should change for the document or email that contains this sensitive information.

Step 6.

Choose the policy mode: immediate implementation, test, or save for later. Next, you will be able to review your DLP policy. If you need to change anything, e.g., the type of sensitive information to protect, click Back. If you are satisfied, click Submit.

How to Create a Custom DLP Policy?

Some steps of creating a custom DLP policy are the same as those for the default one.

Step 1.

Go to the Policies tab of the Data Loss Prevention section of Microsoft 365 Compliance Center. Click Create Policy. Choose Custom from the Categories and Templates.

Step 2.

Pick Name and Description, Assign Admin Units, and select the locations similar to the Default DLP policy process (Steps 3-4 of the previous section).

Step 3.

In the Policy settings, you will only have the Custom option. Click next and get to the Customize advanced DLP rules section.

Click Create Rule. Enter its name and description and press Add Condition.

You will have two options here: Content Contains and Content is Shared outside Microsoft 365. You can pick both.

For Content Contains, you can create groups of sensitive information linked by And or Or condition. Click Add under your first group and pick one or more data types. Add another group if necessary by clicking Create Group. You can also configure the group operator: any or all of these.

For Content sharing, you have two options: inside and outside your organization.

You can also set exceptions. They are configured similarly to Conditions.

Set Actions that Microsoft 365 will take to protect the sensitive information you outlined. You will have the two options as shown in the picture below:

Figure: Creating rules for Custom DLP Policy in Microsoft 365

Set the Notification rules. By default, it is set to no notification. You can send a message to the user who triggered the Office 365 DLP Policy and other users of your choice. You can also customize the text of your notification and policy tips for the user.

Set the rules for overrides in case of legitimate business justification for sharing sensitive information or false positives.

Configure Incident Reports by assigning severity level, Admin notifications, and alerts to a group of people.

Set the Additional Options if necessary and click Save.

You will be redirected to the page where you can review the rules you’ve just set.

Step 4.

Choose the policy Mode, Review the Policy, and click Submit to create it.
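
The custom policy procedure above can also be scripted with Security & Compliance PowerShell. This is an added example, not code from the original article: the admin account, policy name, and rule name are placeholders, and the rule uses only the SSN data type from the HIPAA example.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# the account holds a compliance administrator role.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

$policyName = 'Custom PII policy (example)'                      # placeholder name

# Steps 1-2 and 4: name, description, locations, and policy mode.
# TestWithNotifications corresponds to test mode: matches are reported and
# users see policy tips, but no content is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Constructed example: detect SSNs shared outside the organization' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Step 3: a rule combines conditions, actions, notifications, and incident reports.
# Condition 1 (Content Contains): at least one U.S. Social Security Number.
# Further types can be appended to this array; list the exact names with
# Get-DlpSensitiveInformationType.
$sensitiveTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
)

New-DlpComplianceRule -Name 'Block external SSN sharing (example)' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Review the rule the same way the portal shows it before submitting.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, ReportSeverityLevel

# After reviewing the matches produced in test mode, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in test mode and switching to Enable only after checking the reported matches keeps false positives from blocking legitimate sharing.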

Boost Microsoft 365 Data Loss Prevention with SpinOne

SpinOne is a SaaS Security Posture Management platform that provides additional data loss prevention functionality to close the Microsoft 365 security gaps:

  • 24/7 behavior-based AI ransomware protection that detects and stops ransomware within the first minutes after the attack
  • User-friendly Data Access Monitoring functionality with the option of file takeover.
  • 24/7 monitoring of abnormal data behavior (e.g., downloads) with Admins’ alerts
  • Application Detection and Risk Assessment and control with user requests functionality
  • Monitoring of abnormal logins with immediate notifications to the Admins
  • Backup for Exchange Online, OneDrive, SharePoint, Teams, and People.

About Author

Nick Harrahill is the Director of Support at Spin.AI, where he leads customer support, success, and engagement processes.

He is an experienced cybersecurity and business leader. Nick’s industry experience includes leading security teams at enterprise companies (PayPal, eBay) as well as building programs, processes, and operations at cyber security start-ups (Synack, Elevate Security, and Spin.AI).

Credentialed in both cyber security (CISSP) and privacy (CIPP/US), Nick has managed teams focused on vulnerability management, application security, third-party risk, insider threat, incident response, privacy, and various facets of security operations.

In his spare time, Nick enjoys trail running and competing in ultra-marathons, camping, hiking, and enjoying the outdoors.
