Microsoft 365 Data Loss Prevention: Your Solution for Data Protection and Compliance


Organizations have much sensitive information that they need to control access to, use, and transmission. 

These can include financial data, health records, credit card numbers, proprietary data, or Social Security numbers. 

To protect them and reduce their risk of loss, inappropriate sharing, or unauthorized access, organizations need the support of dedicated data protection solutions. 

This practice, and the tools and activities associated with it, is called data loss prevention (DLP).

This article shares the three types of data loss prevention in Microsoft 365 and a step-by-step process for setting up Microsoft 365's DLP.


What Is Data Loss Prevention?

Also called data leak prevention, data loss prevention combines processes, technologies, strategies, tools, and techniques to prevent unauthorized access to an organization's sensitive data. 

This helps prevent staff from accessing or sending confidential data outside of an organization or into third-party storage like Google Drive.

DLP technologies provide data protection while at rest, in use, or in motion.

  • Data in Use: Authenticating and controlling user access to sensitive data in apps or endpoints actively processed.
  • Data in Motion: Encrypting sensitive data or using email/messaging security tools to protect it while it is transmitted across the organization's network.
  • Data at Rest: Using access control, data retention, or encryption to protect the organization's data stored in databases, the cloud, or other storage mediums and endpoint devices.


What Are The 3 Types of Data Loss Prevention?

The three types of data loss prevention to consider in your DLP strategy are: network DLP, endpoint DLP, and cloud DLP. 

Network Data Loss Prevention

Network DLP gives you visibility into the company's network, allowing monitoring and controlling information flow through the company's network, web, Internet service provider, Bluetooth, Wi-Fi, and/or email. 

You can analyze the network traffic through network DLP and use network security policies to prevent data loss risks. 

Network DLPs conduct certain preset network protection actions to protect the company from data loss. 

These may include allowing, auditing, blocking, flagging, quarantining, or encrypting suspicious activities that violate the company's data or information security policies.


Endpoint Data Loss Prevention

Endpoint DLP involves monitoring and protecting devices, such as phones, servers, desktops, printers, and laptops, used to access, move, or store a business's data and sensitive, personally identifiable information. 

Research shows that 76% of U.S. staff gain inappropriate access to company-sensitive apps and data. 

Endpoint DLP helps prevent sensitive data from being lost or misused by unauthorized persons.


Cloud Data Loss Prevention

Cloud DLP helps protect businesses' data and applications on the cloud from unauthorized access, leak, loss, or mishandling. 

It does this by encrypting the sensitive data and ensuring that it's only accessible or sent to cloud-authorized applications. 

Cloud DLP technologies can identify, classify, remove or modify confidential/sensitive data before sharing it to any cloud environment. 

This helps protect the data from malicious insiders, cyber threats, and unsafe/accidental exposure.


Data Loss Prevention Tool: Microsoft 365

Microsoft DLP is a component of the Microsoft 365 Compliance tools used to protect sensitive information at rest, in use, and in motion. 

Microsoft 365 Compliance includes Microsoft Information Protection (MIP) tools and capabilities that help companies know their data, protect it, and prevent data loss.

Microsoft 365 DPL allows users/organizations to create rules and policies that categorize data types, such as sensitive, confidential, or critical. 

You can customize Microsoft 365's integrated sensitive information types to protect specific company information. 

By implementing the Microsoft 365 DLP policies, you can control what actions need to be taken on sensitive information. 

For example, depending on your organization's defined policies, Microsoft 365 will block unauthorized access to sensitive data or send notifications when someone tries to access them or violate set rules. 

This way, you can protect the data from accidental dissemination or malicious actors as you comply with industry regulations.

In general, Microsoft DLP controls allow companies/users to:

  • Warn users from inappropriate information sharing by displaying a pop-up policy tip when they try to share sensitive company information
  • Block users from or allow them to share sensitive information through override customization and record justification
  • Lock and move the company's sensitive data (data at rest) to a secure, isolated location
  • Effectively hide sensitive information (in Teams chat)


Which Office 365 Plans Include Data Loss Prevention?

Office 365 DLP for SharePoint Online, Exchange Online, and OneDrive for Business is available for the following Microsoft 365 plans or licenses:

  • Microsoft 365 A1/E3/A3
  • Microsoft 365 Business
  • Microsoft 365 E5/A5/G5
  • Office 365 E3/A3
  • Office 365 E5/A5/G5

The availability also includes files shared through Teams because Teams uses OneDrive and SharePoint Online to share files. 

Also, support for DLP protection in Teams Chat requires Office 365 E5.


Step-By-Step Process To Setting Up DLP In Microsoft 365

Setting up DLP in Microsoft 365 is relatively simple, thanks to its built-in features and functionalities. 

Follow the below steps:


Step 1: Log in to Microsoft 365 admin center

Once you log in to the Microsoft 365 admin center, navigate to Security & Compliance Center. This is where all the DLP setup will take place.


Step 2:  Select DLP

In the  Security and Compliance Center, click the Data Loss Prevention Tab > then click Policy. 


Step 3:  Create and store DLP policy(s)

When you click Policy, a new screen pops up. 

In the new windows, click +Create a policy. A new window called New DLP policy will pop up.


Step 4: Templates

You'll be presented with various templates/wizards to help you create different policies, including privacy, medical, financial, and customized situations. 

Select from the list of predesigned policy templates to set up or choose to customize your own Policy.

For example, to create a HIPPA policy: Choose Medical & Health > U.S. Health Insurance Act > Click Next.

If you want to create financial data protection through one of the wizards, choose the specific template/standard/country relevant to your business and follow the guidelines.


Step 5: Name & Description

Under Name Your Policy, you can give the Policy a name and description that matches your needs. Once you're done, click the Next button.


Step 6: Choose Locations

Choose the locations where the new Policy will be active or specify where you want that Policy to be enforced. 

You can select all locations or a specific location "specify where you want that policy to be enforced." 

Specific locations can be Exchange Online, OneDrive, or Sharepoint.


Step 7: Policy settings — Customize the type of content you want to protect 

You can choose "Simple settings," which simply allows you to apply default/pre-existing Microsoft 365 rules. 

Alternatively, you can select the "Advanced settings" icon to create a new rule(s) to apply stricter rules to your policies. 

These rules include exceptions, user notifications, actions to take when conditions are met, user overrides, or incident reports.

You can get more granular with the settings in different aspects, such as content, actions, and staging. 

Once you're done, you'll review the settings/rules you've created and click Create.


Step 8: Turn on your Policy and Save settings

You can turn on your newly created Policy right away, test it first, or keep it turned off. 


Once everything is done to your satisfaction, click Save to save your settings. 


Step 9: Reporting 

After creating the DLP policies and turning them on, you'll want to check and verify that they're working as intended. 

Check the DLP reports to quickly view the total number of DLP policies and rule matches over time. 

You'll also see the number of overrides and false positives.

Here, you can set up recurring reports for the account admin.



Microsoft 365's DLP is a great first step for businesses seeking to implement more robust data security. 

With data loss prevention, a user cannot send sensitive information to an email address outside the company domain or to public cloud storage like Google Drive or Dropbox. 

It blocks and logs any attempt — accidental or malicious — to access or send this information out of the network. 

How prepared is your business for a cybersecurity incident such as data loss? 

If you're not sure of your business's current security posture, download this free data security checklist to understand your strengths and weaknesses.

New Call-to-action

Read On