Implementing your first DLP policy

I’ve recently started to dabble with Data loss prevention (DLP) policies and how beneficial they can be at protecting data within your organisation.

I thought it would be nice to blog a simple configuration, which can be implemented very quickly and start the ball rolling for other configurations and what if scenarios, which I hope to play with over the coming weeks.

With DLP, you can prevent the sharing of sensitive information, monitor and warn users that they are going to share some which is sensitive and help users to stay compliant.

I recommend taking a look at the Microsoft documentation on DLP which is located here.

The policy I am about to implement is pretty much an out of the box configuration. I’m not going to go into any advanced configuration at this stage. I just want to preview the feature for my end users.

In the Office 365 Security & Compliance Center

In the Office 365 Security & Compliance center, go to Data Loss Protection\Policy.

Note the grey box stating ‘Good news! Data loss prevention is now available as a solution in the Microsoft 365 compliance center. We recommend using this solution to take advantage of richer capabilities. Soon, you’ll be redirected automatically, but get a head start by trying it out now.’ – more on this later.

Click the Create a policy button.

We can now select a template or custom policy to apply to our users. I’m going to keep it simple and apply a Privacy template which checks for UK PII data – for example, data which could contain a UK passport or driving licence information. Click Next.

Enter a Name for the policy. Since we are using a template, this is named for us automatically but we can change the name. Enter an optional Description. Click Next.

Now we need to choose where we want to protect the data. I have gone with the default option to protection across all Microsoft solutions.

If I were to select Let me choose specific locations, I would have the option to toggle on or off specific locations of choice.

For the policy setting, I’m going to go with the default settings and find the PII content and detect when this is shared outside of my organisation. Click Next.

Now I have to configure what I want to do if sensitive data is detected. I have gone with the defaults here, except I have decided that I want to flag when 1 instance of the sensitive info type is detected. The rule will notify users and send them an email notification as well as sending a report to my global admin. Click Next.

It’s always recommended to trial these sort of configurations with your user base before pushing out into the environment but since this my test environment I just going to go gung-ho and turn on the policy. Click Next.

We finish up the wizard with a summary of the settings. Click Create to create the DLP policy.

The new policy will be listed in the console.

As I mentioned at the start, the grey box tells you that Data loss prevention is now available as a solution in the Microsoft 365 compliance center. You can go to https://compliance.microsoft.com to see this.

Under Policies is a link for Data loss protection.

If you click the link, you’ll see the newly created policy.

Note that when you create the DLP policy, it tells you that it can take up to an hour to take effect.

On the endpoints

With the DLP policy in effect, let’s see what happens when we email out some sensitive data.

First up we need to create some sensitive data. Since I have applied a UK PII policy I need to generate some information about passports to trigger the DLP policy. Have a Google and you’ll find a website which can do this for you.

With the fake data entered into an email, a Policy Tip has appeared in the email window telling the user that This item conflicts with a policy in your organization.

If the user hovers over the Policy Tip, they are informed of the sensitive information data type which has been detected and are able to click a Report button if they feel this information isn’t sensitive.

If they send the email, then they’ll receive a notification, based on the policy settings.

and receive an email informing them that what they have sent conflicts with policy set by the organisation.

As I mentioned, I’m going to be digging deeper with DLP over the coming weeks and I hope to blog some more about this method of protecting data within Microsoft 365.