This chapter covers Data Loss Prevention (DLP) policies in Microsoft 365, a critical topic for the MS-102 exam. DLP helps organizations prevent accidental or intentional leakage of sensitive information through email, documents, chat, and endpoint activity. DLP is assessed under the compliance (Microsoft Purview) domain of the exam, alongside information protection and governance; expect roughly 10-15% of the questions in that domain to touch on DLP, focusing on policy configuration, sensitive information types, and remediation actions.
Imagine a postal service that inspects every letter and package sent by employees of a large corporation. The inspection service has a set of rules: it can scan for specific keywords (like 'confidential' or 'SSN'), detect patterns (like credit card numbers), and recognize sensitive document types (like tax forms). When a letter is handed to the postal clerk, the clerk first checks the destination and sender. Then, the clerk opens the letter (if policy allows) and scans the content against the rules. If the letter contains sensitive data and is addressed to an unauthorized external address, the clerk can either block delivery entirely, notify the sender with a warning, or encrypt the letter before sending. The clerk also logs every inspection and action for audit. This is exactly how Microsoft 365 DLP works: it inspects content in Exchange Online, SharePoint, OneDrive, Teams, and endpoints, applying policies that define sensitive information types, actions, and conditions. The 'postal clerk' is the DLP engine, rules are policies, and the actions are the enforcement mechanisms.
What is Data Loss Prevention (DLP)?
Data Loss Prevention (DLP) in Microsoft 365 is a security solution that detects and prevents the unauthorized sharing of sensitive information across Microsoft 365 services, including Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and endpoints. DLP policies are rule-based: they define conditions (what sensitive content to look for), actions (what to do when content is found), and exceptions (when not to apply the action). The goal is to protect data at rest, in transit, and in use.
Why DLP Exists
Organizations handle sensitive data like personally identifiable information (PII), financial records, health information, intellectual property, and trade secrets. Without DLP, employees might accidentally share this data via email, store it in unsecured locations, or copy it to removable media. DLP provides automated enforcement of data protection policies, helping meet compliance requirements (GDPR, HIPAA, PCI-DSS) and reducing the risk of data breaches.
How DLP Works Internally
DLP operates through a pipeline: content is created or transmitted → content is inspected by the DLP engine → rule conditions and exceptions are evaluated → actions are applied. The inspection uses sensitive information types (SITs): predefined or custom patterns that detect specific data such as credit card numbers, social security numbers, or passport numbers. A SIT is defined by a primary element (a regular expression, a keyword list, or a function such as a checksum), optional supporting evidence (keywords or dates that must appear within a proximity window of the primary match), and a confidence level for each combination of evidence found.
Step-by-Step Mechanism
1. Content Creation/Transmission: A user sends an email, saves a document to SharePoint, or uploads a file to OneDrive.
2. Content Inspection: The DLP engine scans the content. For Exchange Online, scanning occurs during transport (after the message is submitted but before delivery). For SharePoint and OneDrive, scanning occurs shortly after a document is created, modified, or shared. For Teams, scanning occurs on chat and channel messages.
3. Condition Evaluation: The engine checks whether the content matches any DLP policy rule. Conditions include:
- Content contains a specific SIT (e.g., credit card number), optionally with a minimum count and minimum confidence
- Content is shared with people outside the organization (SharePoint/OneDrive/Teams)
- Content is sent to a specific domain (Exchange)
- Content size exceeds a threshold
4. Action Execution: If the conditions are met and no exception applies, the rule triggers actions such as:
- Block access or block sending (with or without user override)
- Notify the user or admin via policy tips or email
- Encrypt the message (Exchange only)
- Log the event and raise an alert or incident report
Sensitivity labels are a condition DLP can match on, not an action it applies; labels are applied manually or by auto-labeling policies.
5. Audit and Reporting: All DLP events are logged and can be viewed in the Microsoft Purview compliance portal (formerly the Microsoft 365 Compliance Center) under DLP reports and Activity explorer, or through the unified audit log.
Key Components, Values, Defaults, and Timers
Sensitive Information Types (SITs)
Predefined SITs: Microsoft ships more than 300 built-in types covering global regions (e.g., Credit Card Number, U.S. Social Security Number, International Banking Account Number (IBAN)). Each type has patterns at different confidence levels (high, medium, low) depending on how much supporting evidence (keywords, dates, a checksum) is found near the primary match; the number of matches is a separate rule condition, not part of confidence.
Custom SITs: Administrators can create custom SITs using regular expressions, keyword lists, and proximity rules. Custom SITs can be based on exact data match (EDM) or document fingerprinting.
Confidence Levels: Each pattern in a SIT carries a confidence level from 1 to 100; the built-in types use 65 (low), 75 (medium), and 85 (high). Higher confidence means more supporting evidence was found alongside the primary match. A rule can specify the minimum confidence at which a match counts, independently of the minimum number of matches.
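To make the SIT mechanics above concrete, here is a small PowerShell model of how a credit-card type is evaluated: a primary regex, a Luhn checksum, supporting keywords and an expiry date inside a proximity window, the 65/75/85 confidence levels, and finally a rule that applies minCount and minConfidence. This is an added example for this page, not the Purview DLP engine or any Microsoft code; the keyword list, the 300-character window and the sample messages are constructed assumptions, and the only real value in it is the public 4111 1111 1111 1111 Visa test number.

```powershell
# Added example: a local model of SIT evaluation. It does not call Microsoft 365 and is
# not the Purview engine; keyword list, proximity window and samples are assumptions.

function Test-Luhn {
    # Checksum used as the 'function' primary element of the Credit Card Number SIT
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]      # [string] first: [int][char] would give the code point
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CreditCardMatches {
    # One object per primary match, with the confidence earned by evidence nearby
    param(
        [Parameter(Mandatory)][string]$Text,
        [string[]]$Keywords = @('visa', 'mastercard', 'credit card', 'card number', 'expires', 'cvv'),
        [int]$ProximityChars = 300
    )
    $pattern = '\b(?:\d[ -]?){12,18}\d\b'            # 13-19 digits, optional space/hyphen grouping
    $expiry  = '\b(0[1-9]|1[0-2])[/-]\d{2}(\d{2})?\b'  # MM/YY or MM/YYYY
    $results = @()
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        if (-not (Test-Luhn $digits)) { continue }   # fails checksum: not a primary match

        # Supporting evidence only counts inside the proximity window around the match
        $start  = [Math]::Max(0, $m.Index - $ProximityChars)
        $end    = [Math]::Min($Text.Length, $m.Index + $m.Length + $ProximityChars)
        $window = $Text.Substring($start, $end - $start).ToLowerInvariant()
        $hasKeyword = [bool]($Keywords | Where-Object { $window.Contains($_) })
        $hasExpiry  = [regex]::IsMatch($window, $expiry)

        $confidence = 65                                        # low: Luhn-valid number only
        if ($hasKeyword -or $hasExpiry)  { $confidence = 75 }   # medium: one kind of evidence
        if ($hasKeyword -and $hasExpiry) { $confidence = 85 }   # high: keyword and date
        $results += [pscustomobject]@{ Value = $m.Value; Confidence = $confidence }
    }
    return $results
}

function Test-DlpRule {
    # Models ContentContainsSensitiveInformation @{minCount; minConfidence}
    # combined with the 'shared with people outside the organization' condition
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$MinCount = 1,
        [int]$MinConfidence = 75,
        [bool]$ExternalRecipient = $true
    )
    $hits  = @(Find-CreditCardMatches -Text $Text | Where-Object { $_.Confidence -ge $MinConfidence })
    $fires = ($hits.Count -ge $MinCount) -and $ExternalRecipient
    $action = if ($fires) { 'Block' } else { 'Allow' }
    [pscustomobject]@{ Matches = $hits.Count; Action = $action }
}

# Constructed sample messages (not real data). 4111 1111 1111 1111 is the public Visa test number.
$bare     = 'Here is the reference 4111111111111111 you asked for.'
$evidence = 'Pay with my Visa, card number 4111 1111 1111 1111, expires 09/27.'
$badLuhn  = 'Order 4111111111111112 shipped yesterday.'

Test-DlpRule -Text $bare       # Luhn-valid, but no keyword or date in the window
Test-DlpRule -Text $evidence   # keyword and expiry date both inside the window
Test-DlpRule -Text $badLuhn    # checksum fails, so it never becomes a primary match
```

Run the three calls and compare the Matches column: the bare number is filtered out by a 75 minimum confidence even though it is a well-formed card number, which is exactly why a test email with nothing but digits in it may sail through a medium-confidence rule.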
Policy Components
Rules: Each policy contains one or more rules. A rule has conditions, actions, and exceptions.
Conditions: Where the content is (location), what it contains (SITs), who it's shared with (internal/external), etc.
Actions: Block, notify, encrypt, label, etc.
Exceptions: Exclude specific users, groups, or sites from policy enforcement.
Priority: Each rule in a policy has a priority (lowest number = highest priority), and policies are ordered among themselves the same way. Rules are evaluated in priority order; a rule can be set to stop processing further rules once it matches, and when several rules match the same content the most restrictive action wins (block beats block-with-override, which beats notify-only).
Defaults and Timers
Policy Templates: Microsoft 365 ships DLP policy templates for financial, medical and privacy regulations (e.g., U.S. HIPAA, PCI DSS), but no template does anything until an administrator creates a policy from it, scopes it to locations, and sets its mode to Enable.
Policy Tip: Users see a policy tip in Outlook, SharePoint, or OneDrive when their action violates a policy. The tip can include a brief explanation and optional override link.
Override: If a rule allows override and the user provides a business justification (or reports a false positive), the action is allowed but the override is logged and reported. The override applies only to that specific item; the next matching item triggers the policy again. There is no time-based override window.
Inspection Time: For Exchange, DLP inspection occurs during transport (SMTP). For SharePoint/OneDrive, inspection occurs within minutes of content change. For Teams, inspection is near real-time for chat messages.
Configuration and Verification Commands
PowerShell for DLP
The DLP cmdlets live in Security & Compliance PowerShell, reached with Connect-IPPSSession from the Exchange Online PowerShell module; a plain Connect-ExchangeOnline session does not expose them.
Get-DlpCompliancePolicy: Lists DLP policies with their locations and mode (Enable, TestWithNotifications, TestWithoutNotifications, Disable).
New-DlpCompliancePolicy: Creates a new DLP policy and scopes it to locations.
Set-DlpCompliancePolicy: Modifies an existing policy, including switching it from test mode to Enable.
Get-DlpComplianceRule: Lists rules (use -Policy to restrict the output to one policy).
New-DlpComplianceRule: Creates a new rule (conditions, actions, exceptions) inside a policy.
Test-DlpPolicies: Evaluates an existing SharePoint or OneDrive file against the tenant's DLP policies and reports which would match, without enforcing anything.
Test-DataClassification: Runs sample text through the SIT classifier and reports which types match and at what confidence, useful for checking a custom SIT before it goes into a policy.
Example: Create a basic DLP policy for Exchange that blocks emails containing credit card numbers (run in Security & Compliance PowerShell).
Connect-IPPSSession
New-DlpCompliancePolicy -Name "Block Credit Card in Email" -ExchangeLocation All -Mode Enable
New-DlpComplianceRule -Name "Credit Card Rule" -Policy "Block Credit Card in Email" -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="1"} -BlockAccess $true
Verification
DLP Reports: In the Microsoft Purview compliance portal, go to Data loss prevention > Reports (or Activity explorer) to view policy matches, false positives, and overrides.
Audit Log: Search for DLP actions with Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations DlpRuleMatch,DlpRuleUndo. Both date parameters are mandatory; DlpRuleUndo records items that were unblocked after a user override or a false-positive report.
Test the Policy: Send a test email containing a dummy card number (e.g., 4111111111111111, which passes the Luhn checksum) to an external address and verify it is blocked. The built-in Credit Card Number SIT reaches medium or high confidence only when supporting evidence such as the word "Visa", "card number" or an expiry date appears near the number; a bare number may match only at low confidence, so either include that context in the test message or make sure the rule's minimum confidence allows a low-confidence match.
Interaction with Related Technologies
Microsoft Purview Information Protection (MIP): Sensitivity labels and DLP complement each other. A DLP rule can use "content contains sensitivity label" as a condition (for example, block external sharing of anything labeled Highly Confidential), while labels themselves are applied manually or by auto-labeling policies and can enforce encryption, watermarking, and access restrictions. DLP does not apply sensitivity labels.
Microsoft Defender for Cloud Apps: DLP policies can extend to third-party cloud apps via Defender for Cloud Apps integration (e.g., enforce DLP on Dropbox, Salesforce).
Endpoint DLP: Extends DLP to onboarded Windows 10/11 and macOS devices, auditing or blocking actions such as copying to removable USB media, printing, copying to network shares, and uploading to unallowed cloud apps or browsers.
Teams DLP: DLP policies can be applied to Teams chat and channel messages, scanning for sensitive content in real-time.
Retention Policies: DLP and retention policies can work together, but DLP focuses on preventing leaks, while retention focuses on preserving or deleting data.
Define sensitive information types
Identify the sensitive data your organization needs to protect. Use built-in SITs or create custom ones via the compliance portal or PowerShell. For a custom SIT, define the primary pattern (regex), optional supporting keyword lists with a character proximity window, and the confidence level each combination yields. For example, a custom SIT for employee IDs might use the regex 'EMP\d{6}' at confidence 75, with a keyword such as 'employee id' nearby raising it to 85. Test against sample data (Test-DataClassification accepts sample text) to check accuracy and weed out false positives before the SIT goes into a policy.
Create a DLP policy
In the Compliance Center, navigate to Data loss prevention > Policies > Create policy. Choose a template (e.g., Financial, Medical) or start from scratch. Specify the locations: Exchange, SharePoint, OneDrive, Teams chat/channel, and/or endpoints. Each location can be scoped to specific users, groups, or sites. For example, apply to all Exchange recipients but only a specific SharePoint site collection.
Define rules with conditions and actions
Inside the policy, create rules. Each rule has conditions (e.g., content contains a SIT, shared with external users) and actions (e.g., block, notify, encrypt). Set exceptions (e.g., exempt the legal team). Configure user notifications: policy tips appear in Outlook or SharePoint, and email notifications can be sent to the user and/or admin. Set the action to block with the ability to override (user provides justification) or block without override.
Test the policy in simulation mode
Before enforcing, run the policy in simulation mode (Test mode). This allows you to see what actions would be taken without actually blocking content. Monitor the DLP reports for matches, false positives, and user feedback. Adjust rules as needed to reduce false positives. For example, increase the minimum confidence level or add exceptions for legitimate use cases.
Enable the policy and monitor
After testing, turn on the policy (enforcement mode). Monitor DLP reports and audit logs for ongoing activity. Watch for policy overrides – frequent overrides may indicate the policy is too restrictive. Use the DLP alert dashboard to review incidents. Adjust rules based on evolving business needs and new sensitive data types. Regularly review false positives and refine SITs.
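The steps above, carried out in Security & Compliance PowerShell as one script. This is an added example for this page, not a Microsoft documentation sample. It assumes you have already run Connect-IPPSSession with an account holding the Compliance Administrator role; the policy and rule names, the excluded test-site URL, the approver group address and the contoso tenant are placeholders to replace with your own values. It uses the built-in Credit Card Number SIT, so the custom-SIT step is not shown; a custom type created in the portal would be referenced by its name in exactly the same way.

```powershell
# Added example: DLP policy lifecycle (create in test mode, add a rule, review, enforce).
# Assumptions: names, site URL and group address are placeholders for your own tenant.
Connect-IPPSSession

$policyName = 'PCI - Card numbers shared externally'

# Create the policy in simulation mode with policy tips, scoped to Exchange, SharePoint
# and OneDrive. Exclude the site that holds dummy card numbers and the finance approvers
# who legitimately send card data (policy-level scoping, so exceptions apply everywhere).
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks payment card data shared outside the org; starts in test mode' `
    -ExchangeLocation All `
    -ExchangeSenderMemberOfException 'finance-approvers@contoso.com' `
    -SharePointLocation All `
    -SharePointLocationException 'https://contoso.sharepoint.com/sites/DLP-TestSite' `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# One rule. Condition: two or more card numbers at medium confidence or higher, shared
# with people outside the organization. Actions: block for everyone outside, show a policy
# tip, allow override with a business justification, alert the admins, file an incident report.
New-DlpComplianceRule -Name 'Card numbers to external recipients' -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '2'; minConfidence = '75' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser 'LastModifier', 'Owner' `
    -NotifyPolicyTipCustomText 'This item contains payment card numbers and cannot be shared outside Contoso.' `
    -NotifyAllowOverride WithJustification `
    -GenerateAlert 'SiteAdmin' `
    -GenerateIncidentReport 'SiteAdmin' `
    -IncidentReportContent 'Title', 'DocumentAuthor', 'Detections', 'Severity' `
    -ReportSeverityLevel High `
    -Priority 0

# Simulation mode only logs matches. After a week, pull the matches for this policy from
# the unified audit log (AuditData is JSON; PolicyDetails carries the policy and rule names).
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -Operations DlpRuleMatch -ResultSize 1000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.PolicyDetails.PolicyName -contains $policyName } |
    Select-Object CreationTime, UserId, Workload |
    Format-Table -AutoSize

# Once false positives are tuned out (raise minCount/minConfidence, add exceptions),
# switch the policy to enforcement and confirm the mode changed.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Workload
```

Keeping the exceptions at policy level rather than in the rule means they also exclude any rule you add later, which is usually what an exclusion for a test site or an approved sender group is meant to do.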
Scenario 1: Healthcare Provider Protecting PHI
A large hospital uses Microsoft 365 to manage patient records and communicate with staff. They need to comply with HIPAA by preventing Protected Health Information (PHI) from being emailed externally. They create a DLP policy that scans Exchange Online for SITs like U.S. Social Security Number, Medical Record Number, and Health Plan Beneficiary Number. The policy blocks emails containing PHI sent to recipients outside the organization (e.g., gmail.com addresses) with a policy tip explaining the block. They also allow override with a business justification (e.g., sending to an outside specialist). In production, they review the DLP reports weekly, adjusting the minimum confidence to reduce false positives from medical reference numbers. Misconfiguration: Initially the rule had no recipient condition, so it evaluated every message and blocked doctors emailing each other. They added the "recipient is outside the organization" condition so that only external mail is blocked.
Scenario 2: Financial Firm Preventing Credit Card Leaks
A financial services firm must comply with PCI-DSS. They deploy DLP across SharePoint Online and OneDrive for Business to detect credit card numbers stored in documents. The policy blocks access to files containing credit card numbers and notifies the file owner and compliance team. They also use Endpoint DLP to prevent employees from copying such files to USB drives. At scale, they have 10,000 users; DLP processing is handled by Microsoft's infrastructure, but they still need to keep rules focused (scoped locations, a sensible minimum count and confidence) so that alert volume and false positives stay manageable. Misconfiguration: They applied the policy to all SharePoint sites, including a site used for testing with dummy credit card numbers. They added a location exception for the test site.
Scenario 3: Education Institution Protecting Student Data
A university uses Microsoft Teams for student collaboration. They need to protect student IDs and grades from being shared in chat. They create a Teams DLP policy that scans chat and channel messages for custom SITs (e.g., student ID pattern) and blocks the message with a policy tip. The policy also sends an email alert to the IT security team. They test in simulation mode for a week, discovering that the custom SIT was too broad (matching library card numbers). They refined the regex and added a keyword list. Misconfiguration: They initially set the policy to block without override, causing frustration when students tried to share their own IDs for group projects. They changed to allow override with justification.
MS-102 Exam Focus on DLP
This topic falls under the exam domain "Manage compliance by using Microsoft Purview", in the objective that covers implementing and managing data loss prevention (DLP) policies. The exam tests your ability to configure, manage, and troubleshoot DLP policies in Microsoft 365.
Common Wrong Answers and Why
Wrong: DLP policies apply to all Microsoft 365 services as soon as they are created. Reality: A policy applies only to the locations (Exchange, SharePoint, OneDrive, Teams, Endpoint) you select and scope when creating it, and a policy built from a template enforces nothing until its mode is set to Enable.
Wrong: DLP in Exchange Online scans emails before they are sent. Reality: Scanning occurs during transport (after submission but before delivery). The user may see a policy tip before sending if using Outlook, but actual enforcement happens during transport.
Wrong: DLP can automatically delete sensitive data. Reality: DLP actions include blocking, encryption, notification, and logging, but not automatic deletion. Retention policies handle deletion.
Wrong: Custom sensitive information types are not supported. Reality: Custom SITs are fully supported via the Compliance Center or PowerShell using regex, keywords, and EDM.
Specific Numbers and Terms
Confidence level: Range 1-100. Exam may ask what value to set for high confidence (e.g., 85).
Minimum count: The rule condition ContentContainsSensitiveInformation includes a minCount parameter (default 1).
Policy priority: Lower number = higher priority. Rules are evaluated in priority order; a rule can be set to stop processing further rules when it matches, and where several rules match the most restrictive action is applied.
Simulation mode: Also called "Test mode".
Policy tip: The notification shown to users in Outlook, SharePoint, or Teams.
Override: Users can override a block with a business justification if the policy allows.
Edge Cases and Exceptions
DLP policies for Teams chat/channel messages only apply to text content, not images or file attachments. Attachments are covered by SharePoint/OneDrive DLP.
Purview DLP does not apply to on-premises Exchange Server, which has its own transport-rule-based DLP; Purview DLP can, however, reach on-premises file shares and SharePoint Server libraries through the "On-premises repositories" location, which requires the Microsoft Purview Information Protection scanner.
DLP policies scoped to SharePoint/OneDrive inspect all documents in the scoped sites and accounts, not only externally shared ones; whether a rule fires on internal-only sharing depends on the access condition you add (for example, "shared with people outside my organization" limits the rule to external sharing).
Endpoint DLP requires Windows 10/11 or macOS devices to be onboarded to Microsoft Purview, using the same onboarding as Microsoft Defender for Endpoint (delivered via Intune, Group Policy, Configuration Manager, or a local script); there is no separate DLP client to install, and devices already onboarded to Defender for Endpoint appear automatically.
How to Eliminate Wrong Answers
If a question about Exchange, SharePoint, OneDrive, Teams or endpoint DLP mentions "automatically delete" or "quarantine", eliminate that answer; in those locations DLP blocks, restricts, encrypts, notifies and logs, it does not delete or quarantine.
If a question implies DLP applies to on-premises Exchange Server, eliminate it; Purview DLP reaches on-premises data only through the on-premises repositories location (Information Protection scanner), and third-party clouds only through Defender for Cloud Apps.
If a question says DLP policies are applied globally without scope, eliminate – policies must be scoped to locations.
If a question about overriding says "not possible", check if the policy allows override – it's a configurable option.
DLP policies must be explicitly scoped to Exchange, SharePoint, OneDrive, Teams, and/or Endpoint locations.
Sensitive Information Types (SITs) have a confidence level (1-100); policies can specify a minimum confidence threshold.
DLP actions include Block, Notify, Encrypt, Apply label, and Log; deletion is not a DLP action.
Policy priority: lower number = higher priority; rules run in priority order, a rule can stop further processing, and the most restrictive action wins when several rules match.
Simulation mode (Test mode) allows testing without enforcement.
Override with business justification is configurable per rule.
Teams DLP scans only text messages, not images or file attachments.
Endpoint DLP requires Windows 10/11 or macOS devices onboarded to Purview (Defender for Endpoint onboarding); no separate DLP client exists.
Custom SITs can be created using regex, keywords, and exact data match (EDM).
DLP reports and audit logs are essential for monitoring and tuning policies.
These come up on the exam all the time. Here's how to tell them apart.
Exchange Online DLP
Scans emails during transport (SMTP).
Actions: block delivery, encrypt, notify with policy tip.
Can be scoped to specific domains or recipients.
Supports attachments and body text scanning.
User sees policy tip in Outlook before sending (client-side).
SharePoint/OneDrive DLP
Scans documents at rest (after creation/modification) and when shared.
Actions: block access for external or all users, notify with a policy tip or email, generate alerts and incident reports (sensitivity labels are a condition DLP can match, not an action it applies).
Can be scoped to specific sites, site collections, or users.
Scans document content, metadata, and file names.
User sees policy tip in SharePoint/OneDrive when sharing or accessing.
Mistake
DLP policies automatically apply to all Microsoft 365 services when created.
Correct
DLP policies apply only to the locations (Exchange, SharePoint, OneDrive, Teams, Endpoint) selected when the policy is created, and a policy created from a template or left in test mode enforces nothing until its mode is set to Enable.
Mistake
DLP can scan and block content in real-time before the user sends it.
Correct
For Exchange, scanning occurs during transport (after submission). Users may see a policy tip in Outlook before sending, but the actual block happens after submission. For SharePoint/OneDrive, scanning occurs after document creation or modification.
Mistake
DLP policies can only use built-in sensitive information types.
Correct
Custom sensitive information types can be created using regular expressions, keyword lists, and exact data match (EDM). They are fully supported in policies.
Mistake
DLP in Microsoft Teams scans images and file attachments.
Correct
Teams DLP scans only text content in chat and channel messages. File attachments in Teams are covered by SharePoint/OneDrive DLP policies.
Mistake
DLP policies can delete sensitive content automatically.
Correct
DLP actions include block, notify, encrypt, and log, but not deletion. Retention policies handle deletion based on retention rules.
Yes. Create a DLP policy scoped to Exchange Online. Add a rule with condition 'Content contains sensitive information type' and select 'Credit Card Number'. Set action to 'Block the message' and optionally allow override. For external recipients, add condition 'Recipient is external' if needed. Test in simulation mode first.
DLP prevents data leakage by blocking or encrypting sensitive content. Retention policies preserve or delete data after a specified period. DLP is proactive, retention is lifecycle management. They can work together but serve different purposes.
Use simulation mode (Test mode) when creating the policy. This logs matches but does not take action. Monitor DLP reports to see what would have been blocked. Adjust rules as needed before switching to enforcement mode.
No. Microsoft Purview DLP policies apply to Exchange Online, SharePoint Online, OneDrive for Business, Teams, endpoints, and (through the Information Protection scanner) on-premises file shares and SharePoint Server libraries. On-premises Exchange Server has its own DLP built on transport rules; in a hybrid deployment only mail that flows through Exchange Online is evaluated by Purview DLP.
If the policy allows override, the user can provide a business justification. The action is allowed, but the event is logged in the audit log and DLP reports. The override applies only to that specific instance; future similar actions will trigger the policy again.
In the Microsoft Purview compliance portal > Data classification > Classifiers > Sensitive info types > Create. Define a name, description, and one or more patterns, each with a primary element (regex, keyword list or function), optional supporting elements within a character proximity, and a confidence level. In PowerShell, regex-based custom SITs are imported as a rule package XML with New-DlpSensitiveInformationTypeRulePackage (New-DlpSensitiveInformationType creates document-fingerprint types). Test with sample data before using the SIT in a policy.
Yes. DLP policies can be applied to Teams chat and channel messages. They scan text content for sensitive information. Attachments are not scanned by Teams DLP; they are covered by SharePoint/OneDrive DLP.