This chapter covers Data Loss Prevention (DLP) in Microsoft 365, a critical security feature that helps organizations detect and prevent accidental or intentional exposure of sensitive information. For the MS-900 exam, DLP is part of Domain 3: Microsoft 365 Security (Objective 3.4), and typically appears in 5-10% of exam questions. Understanding DLP policies, sensitive information types, actions, and integration with other compliance features is essential for the exam. We'll cover the mechanics, configuration, and common exam traps.
Imagine a corporate office building with a single entrance staffed by a security guard. The guard has a policy book that lists exactly what types of items are not allowed to leave the building: confidential documents, USB drives containing sensitive data, laptops with classified files, etc. When an employee tries to exit, the guard inspects their bag and any items they carry. If the guard finds a prohibited item, they can either block the exit and confiscate the item (block action) or allow the employee to leave but immediately notify the security team (alert action). The guard also has a list of exceptions: senior executives can take certain documents with prior approval, and IT staff can take laptops for repairs. This mirrors Microsoft 365 DLP: content is inspected when it's shared or sent, policies define what is sensitive, actions can block or alert, and exceptions can be configured via overrides or allowlists. Just as the guard must check every item against the policy book in real time, DLP engines scan content against sensitive information types and conditions before applying actions.
What is Data Loss Prevention (DLP)?
Data Loss Prevention (DLP) in Microsoft 365 is a compliance solution that helps organizations identify, monitor, and protect sensitive information across Microsoft 365 services such as Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and endpoints. DLP policies contain rules that inspect content for sensitive data (e.g., credit card numbers, social security numbers) and automatically take actions like blocking transmission, alerting users, or logging incidents.
Why DLP Exists
Organizations handle vast amounts of sensitive data—financial records, personally identifiable information (PII), intellectual property, health records (HIPAA), etc. Accidental or malicious leaks can lead to regulatory fines, reputational damage, and legal liability. DLP provides a proactive defense by enforcing policies at the point of use (e.g., when an email is sent or a file is shared).
How DLP Works Internally
DLP operates through a combination of content analysis, policy evaluation, and action enforcement. The process:
1. Content Inspection: When a user attempts to share or send content (e.g., email attachment, file upload to SharePoint, Teams message), the DLP engine scans the content using sensitive information types (SITs). SITs are predefined or custom patterns that identify data like credit card numbers (regex: \b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11})\b with checksum validation).
2. Policy Matching: The scanned content is evaluated against DLP policies. A policy consists of conditions (e.g., content contains SITs, content is shared with external users) and actions (e.g., block, notify, allow override). Policies are evaluated in order of priority (highest priority number = highest priority).
3. Action Execution: If conditions are met, the DLP engine triggers the configured action. Actions include:
- Block: Prevents the action (e.g., email is not sent, file upload is denied). The user sees a policy tip.
- Allow but notify: Allows the action but logs an incident and sends an alert to admin.
- Allow with override: Allows the user to override the block by providing a business justification, which is logged.
4. Incident Reporting: All DLP policy matches generate an incident in the Microsoft 365 compliance center (under Data loss prevention > Alerts or Activity explorer). Admins can review, investigate, and remediate.
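To make the four steps above concrete, here is an added example (not code from Microsoft or from this guide) that models the pipeline in Python: it runs the chapter's credit card pattern with Luhn checksum validation (step 1), evaluates a policy's conditions including an exception list of recipient domains (step 2), applies block / allow-with-override / notify actions and honours test mode (step 3), and emits an incident record with the matched values masked (step 4). The policy and result structures, the organization domain contoso.example, and the sample message text are assumptions of the example, not the product's data model.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Credit card pattern as quoted in the chapter; \b keeps it from matching
# inside longer digit runs. It expects contiguous digits (no spaces/dashes).
CARD_RE = re.compile(
    r"\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}"
    r"|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11})\b"
)

ORG_DOMAIN = "contoso.example"  # assumed internal domain for this example


def luhn_ok(digits: str) -> bool:
    """Checksum validation: rejects digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(text: str) -> list[str]:
    """Step 1: content inspection with a pattern plus checksum (a SIT)."""
    return [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class Policy:
    name: str
    mode: str = "enforce"          # "test" logs matches without enforcing
    action: str = "block"          # "block" | "override" | "notify"
    require_external: bool = True  # condition: shared with people outside the org
    min_instances: int = 1
    exempt_domains: set[str] = field(default_factory=set)  # the guard's exception list


def evaluate(policy: Policy, text: str, recipients: list[str],
             justification: Optional[str] = None) -> dict:
    """Steps 2-4: match conditions, execute the action, report an incident."""
    matches = find_credit_cards(text)
    risky_external = [r for r in recipients
                      if domain(r) != ORG_DOMAIN and domain(r) not in policy.exempt_domains]
    conditions_met = (len(matches) >= policy.min_instances
                      and (bool(risky_external) or not policy.require_external))
    if not conditions_met:
        return {"decision": "allow", "incident": None, "policy_tip": None}

    # Incident record: keep only the last four digits so the log itself does not leak.
    incident = {"policy": policy.name, "mode": policy.mode,
                "matches": ["*" * (len(m) - 4) + m[-4:] for m in matches],
                "recipients": list(recipients), "override_justification": None}
    tip = f"Policy '{policy.name}': this content contains credit card data."

    if policy.mode == "test":
        incident["outcome"] = "test-mode match (not enforced)"
        return {"decision": "allow", "incident": incident, "policy_tip": None}
    if policy.action == "notify":
        incident["outcome"] = "allowed, admin alerted"
        return {"decision": "allow", "incident": incident, "policy_tip": None}
    if policy.action == "override" and justification:
        incident["outcome"] = "allowed by user override"
        incident["override_justification"] = justification
        return {"decision": "allow", "incident": incident, "policy_tip": None}
    incident["outcome"] = "blocked"
    if policy.action == "override":
        tip += " Provide a business justification to override."
    return {"decision": "block", "incident": incident, "policy_tip": tip}


if __name__ == "__main__":
    # Constructed sample message using well-known test card numbers.
    body = "Card on file: 4111111111111111 (old one 4111111111111112 was cancelled)"
    finance = Policy("Finance - Credit Cards", action="override",
                     exempt_domains={"testlab.example"})
    print(evaluate(finance, body, ["bob@partner.example"]))
    print(evaluate(finance, body, ["bob@partner.example"], "Encrypted statement"))
    print(evaluate(finance, body, ["qa@testlab.example"]))
```

The second number in the sample text passes the regex but fails the checksum, which is exactly why the chapter says the SIT uses the pattern "with checksum validation" rather than the pattern alone.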
Key Components, Defaults, and Timers
Sensitive Information Types (SITs): Microsoft provides over 200 built-in SITs (e.g., Credit Card Number, U.S. Social Security Number, Azure SQL Connection String). Each SIT has a defined confidence level (high, medium, low) based on pattern accuracy and proximity keywords.
Policy Priority: Policies have a numeric priority (1-1000). Higher number = higher priority. When multiple policies match, the highest priority policy's actions are applied.
Policy Tips: Notifications shown to users when an action is blocked or requires override. They can include a customizable message and a link to a compliance webpage.
Action Timers: There are no explicit timers; DLP actions are instantaneous upon content inspection.
Default Policy: Microsoft 365 includes a default DLP policy for financial and medical data (e.g., U.S. Patriot Act, HIPAA). It is in test mode by default (non-intrusive).
Configuration and Verification
DLP policies are created in the Microsoft 365 compliance center (https://compliance.microsoft.com) under Data loss prevention > Policies > Create policy. Steps:
1. Choose a template (e.g., Financial data, Custom).
2. Name the policy and set priority.
3. Choose locations: Exchange email, SharePoint sites, OneDrive accounts, Teams chat and channel messages, devices (endpoints).
4. Define conditions: e.g., Content contains Credit Card Number and Content is shared with people outside my organization.
5. Define actions: e.g., Block people from sharing and restrict access, or Allow them to override.
6. Set user notifications (policy tips) and incident reports.
7. Test the policy first (test mode with or without notifications) before enabling.
To verify DLP is working, use the Activity explorer (under Data loss prevention) to view events. For Exchange, you can also use message trace to see if DLP rules blocked emails.
Interaction with Related Technologies
Microsoft Purview Compliance Portal: DLP is part of the broader compliance suite, which includes Information Protection (sensitivity labels) and Records Management. Sensitivity labels can be used as conditions in DLP policies (e.g., block content labeled 'Confidential').
Microsoft Defender for Cloud Apps: Integrates with DLP to extend protection to third-party SaaS apps (e.g., Box, Dropbox) via session controls.
Endpoint DLP: Extends DLP to Windows 10/11 devices, monitoring file activities (e.g., copying to USB, printing). Requires Microsoft 365 E5 or Compliance add-on.
Teams DLP: Covers chat and channel messages (including shared files). Policies can block messages containing sensitive data.
Common Exam Traps
DLP vs. Information Barriers: DLP prevents data loss; Information Barriers restrict communication between certain groups (e.g., prevent traders from talking to analysts). They are different.
DLP vs. Retention Policies: DLP protects data from being shared; Retention policies preserve data for compliance or legal hold. They are complementary.
Policy Priority: Candidates often assume lower number = higher priority, but the opposite is true: higher number = higher priority.
DLP for emails vs. SharePoint: DLP can block emails from being sent, whereas for SharePoint it can block file uploads or restrict access to shared files.
Create a DLP Policy
In the Microsoft 365 compliance center, navigate to Data loss prevention > Policies > Create policy. Choose a template (e.g., Financial data) or start with a custom policy. Name the policy and set a priority (higher number = higher priority). Select the locations where the policy applies: Exchange email, SharePoint sites, OneDrive accounts, Teams chat/channel messages, and/or devices (endpoints). For endpoints, you need Windows 10/11 devices enrolled in Microsoft 365. The policy will be in test mode initially—you can choose to show policy tips or not during testing.
Define Conditions for Sensitive Data
Add conditions that trigger the policy. Common conditions include: 'Content contains' (select sensitive information types like U.S. Social Security Number (SSN)), 'Content is shared with' (choose 'people outside my organization' or 'people inside my organization'), and 'Content is accessed from' (for endpoints). You can also add conditions based on sensitivity labels (e.g., 'Confidential' label). Each condition can be set to 'All of these' or 'Any of these'. For SSN, the confidence level can be adjusted (high, medium, low). You can also set instance count (e.g., at least 1 instance).
Configure Actions and User Notifications
Specify what happens when content matches conditions. Actions include: Block people from sharing and restrict access (for SharePoint/OneDrive), Block but allow override (users can provide business justification), or Send an alert to admin (for Exchange). For Exchange, you can also encrypt the email. User notifications (policy tips) can be turned on to inform users why the action was taken. You can customize the tip text and include a link to a compliance webpage. For overrides, you can allow users to override with a business justification, which is logged.
Test and Enable the Policy
Before full enforcement, run the policy in test mode. This allows you to see how many matches occur without blocking actions. You can choose to show policy tips during test mode (to let users see what would be blocked) or hide them. After testing, review the Activity explorer to see matched events. If the policy works as expected, change the mode to 'Turn it on immediately'. You can also schedule enforcement for a future date. Remember that policy changes may take up to 30 minutes to propagate across all locations.
Monitor and Respond to DLP Alerts
After enforcement, monitor DLP alerts in the compliance center under Data loss prevention > Alerts. Each alert shows the policy name, location, user, and details of the matched content. You can review the incident, take remediation actions (e.g., remove sharing, notify user), or dismiss the alert if it's a false positive. The Activity explorer provides a detailed log of all DLP events, including user overrides. For advanced analysis, you can export logs to Microsoft Sentinel or use Power Automate to automate responses.
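The review work described above can be partly scripted. The following is an added example (not Microsoft's code, and not the export format of Activity explorer or the Alerts page) that works over a constructed list of DLP event records carrying the fields the chapter says an alert shows: policy name, location, user, outcome, and any override justification. It totals outcomes per policy, flags users with repeated overrides for review, finds overrides whose logged justification is empty, and computes a per-policy false positive rate from alerts that were dismissed. The record shape, user names, and threshold are assumptions of the example.

```python
from collections import Counter, defaultdict

# Constructed sample DLP events (labelled: not real export data).
EVENTS = [
    {"policy": "Finance - Credit Cards", "location": "Exchange",
     "user": "alice@contoso.example", "outcome": "blocked"},
    {"policy": "Finance - Credit Cards", "location": "Exchange",
     "user": "bob@contoso.example", "outcome": "override",
     "justification": "Encrypted statement to client"},
    {"policy": "Finance - Credit Cards", "location": "Exchange",
     "user": "bob@contoso.example", "outcome": "override",
     "justification": "Client request"},
    {"policy": "Finance - Credit Cards", "location": "Exchange",
     "user": "bob@contoso.example", "outcome": "override", "justification": ""},
    {"policy": "PHI - SharePoint", "location": "SharePoint",
     "user": "carol@contoso.example", "outcome": "blocked"},
    {"policy": "PHI - SharePoint", "location": "OneDrive",
     "user": "dave@contoso.example", "outcome": "override",
     "justification": "Referral to partner clinic"},
    {"policy": "Finance - Credit Cards", "location": "Exchange",
     "user": "qa@contoso.example", "outcome": "blocked", "dismissed": True},
]


def summarize(events):
    """Outcome counts per policy, plus how many alerts were dismissed as false positives."""
    by_policy = defaultdict(Counter)
    dismissed = 0
    for e in events:
        by_policy[e["policy"]][e["outcome"]] += 1
        if e.get("dismissed"):
            dismissed += 1
    return {"by_policy": {p: dict(c) for p, c in by_policy.items()},
            "dismissed_false_positives": dismissed}


def override_review(events, threshold=2):
    """Users whose override count reaches the threshold, most frequent first.

    Overrides are legitimate by design, but a cluster of them from one account is
    the kind of pattern the compliance team should look at rather than dismiss."""
    counts = Counter(e["user"] for e in events if e["outcome"] == "override")
    return sorted(((u, n) for u, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


def missing_justifications(events):
    """Overrides where the logged business justification is empty or absent."""
    return [e for e in events
            if e["outcome"] == "override" and not e.get("justification", "").strip()]


def false_positive_rate(events, policy):
    """Share of a policy's events that were dismissed; high values mean the
    conditions need tuning (e.g., an exception for internal test domains)."""
    total = [e for e in events if e["policy"] == policy]
    if not total:
        return 0.0
    return sum(1 for e in total if e.get("dismissed")) / len(total)


if __name__ == "__main__":
    print(summarize(EVENTS))
    print("review:", override_review(EVENTS))
    print("no justification:", [e["user"] for e in missing_justifications(EVENTS)])
    for name in ("Finance - Credit Cards", "PHI - SharePoint"):
        print(name, "false positive rate:", false_positive_rate(EVENTS, name))
```

Running this over a real export would replace EVENTS with the exported rows mapped onto the same field names; the triage logic itself is independent of where the records came from.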
Enterprise Scenario 1: Financial Services Company Protecting Client Data
A large financial services firm must comply with SOX and PCI DSS. They use DLP to prevent credit card numbers and bank account details from being emailed outside the organization. They create a policy that scans all outbound emails for credit card numbers (using the built-in SIT) and blocks the email if sent to an external domain. They also allow overrides for legitimate business needs (e.g., sending encrypted statements). The policy covers Exchange Online and includes a policy tip that says 'This email contains credit card data and cannot be sent externally unless you provide a business justification.' The compliance team monitors alerts daily. A common issue is false positives from emails containing sample credit card numbers used in testing; they create an exception list for internal test domains.
Enterprise Scenario 2: Healthcare Organization Protecting PHI
A hospital network must comply with HIPAA. They use DLP to protect Protected Health Information (PHI) such as patient records and social security numbers. They configure a DLP policy that blocks sharing of files containing PHI in SharePoint Online and OneDrive for Business with external users. They also apply endpoint DLP to prevent copying PHI to USB drives on Windows 10 devices. The policy uses the U.S. Social Security Number SIT and a custom SIT for medical record numbers. They set up alerts for any block or override. A challenge is that some clinical staff need to share PHI with external partners; they use the override feature with a business justification and a manager approval workflow via Power Automate. Performance: DLP scanning adds negligible latency (milliseconds) for most operations; endpoint DLP may cause slight delay when copying large files.
Scenario 3: Technology Company Protecting Intellectual Property
A tech startup uses DLP to prevent source code and trade secrets from leaking via Teams chat. They create a DLP policy that scans Teams messages for keywords like 'confidential' and 'proprietary' combined with code snippets (using a custom SIT for source code patterns). The policy blocks the message from being sent and notifies the user. They also integrate with Microsoft Defender for Cloud Apps to monitor third-party apps like Slack. A misconfiguration example: Initially they set the policy to block all external sharing in SharePoint, which blocked legitimate vendor collaboration. They had to create an exception for a specific site collection. They learned to test policies thoroughly in test mode before enforcement.
What MS-900 Tests on DLP
MS-900 Objective 3.4: 'Describe the capabilities of Microsoft 365 security and compliance solutions.' Specifically, you need to know:
The purpose of DLP and what it protects (sensitive data at rest, in transit, in use).
The key components: DLP policies, sensitive information types, actions (block, allow, notify), policy tips.
The locations DLP can cover: Exchange Online, SharePoint Online, OneDrive for Business, Teams, and endpoints (Windows 10/11).
The difference between DLP and Information Protection (sensitivity labels).
The concept of test mode vs. enforcement.
Common Wrong Answers and Why
'DLP prevents data loss by encrypting all files.' Encryption is part of Information Protection (sensitivity labels) or Azure Information Protection. DLP does not encrypt; it blocks or alerts on sharing.
'DLP policies apply to all Microsoft 365 services automatically.' You must select specific locations (Exchange, SharePoint, etc.) when creating a policy. It does not apply to all services by default.
'DLP can block printing of documents.' This is only possible with Endpoint DLP (Windows 10/11) and requires specific configuration. Not all DLP policies include endpoint actions.
'DLP policies are evaluated in alphabetical order.' Priority is numeric (higher number = higher priority), not alphabetical.
Specific Numbers and Terms to Memorize
DLP is part of Microsoft Purview (formerly Microsoft 365 Compliance Center).
Over 200 built-in sensitive information types.
Policy priority: 1-1000, higher number = higher priority.
Default DLP policy for financial/medical data exists but is in test mode.
DLP for Teams covers chat and channel messages (including shared files).
Endpoint DLP requires Windows 10/11 and Microsoft 365 E5 or Compliance add-on.
Edge Cases and Exceptions
A common misconception is that DLP does not apply to private chat messages in Teams. In fact, DLP covers private chats (1:1 and group) as well as channel messages, and the exam may test this.
DLP can be configured to allow overrides with a business justification, which is logged.
Policy tips appear in Outlook, SharePoint, OneDrive, Teams, and Office apps (Word, Excel, PowerPoint).
Test mode can show policy tips or not; this is configurable.
How to Eliminate Wrong Answers
If a question asks about preventing data leaks via USB, the answer must involve Endpoint DLP (not general DLP). If a question mentions 'sensitivity labels', it's about Information Protection, not DLP. For 'blocking emails with credit card numbers', DLP is correct. For 'preserving data for legal hold', it's retention policy or eDiscovery, not DLP.
DLP prevents accidental or intentional sharing of sensitive data across Microsoft 365 services.
DLP policies consist of conditions (sensitive info types, sharing scope) and actions (block, allow, notify).
Policy priority: higher number = higher priority; range 1-1000.
DLP covers Exchange, SharePoint, OneDrive, Teams, and Windows 10/11 endpoints (E5 required for endpoints).
Over 200 built-in sensitive information types are available; custom types can be created.
DLP policies can be tested in test mode before enforcement.
Policy tips inform users when an action is blocked or requires override.
DLP is part of Microsoft Purview Compliance Portal.
DLP does not encrypt data; encryption is handled by Information Protection.
DLP for Teams covers both channel messages and private chats.
These come up on the exam all the time. Here's how to tell them apart.
DLP (Data Loss Prevention)
Focuses on preventing data loss by blocking or alerting on sharing of sensitive data.
Uses sensitive information types (SITs) to detect patterns like credit card numbers.
Actions include block, allow with override, notify, and encrypt (only for Exchange).
Applies to Exchange, SharePoint, OneDrive, Teams, and endpoints.
Policies are priority-based (higher number = higher priority).
Information Protection (Sensitivity Labels)
Focuses on classifying and protecting data at rest, in use, and in transit via labels.
Uses sensitivity labels that can be manually or automatically applied to files/emails.
Actions include encryption, visual markings (headers/footers), and access restrictions.
Applies across Office apps, SharePoint, OneDrive, Exchange, and endpoints.
Labels can be used as conditions in DLP policies.
Mistake
DLP policies automatically apply to all Microsoft 365 services once enabled.
Correct
DLP policies must be configured to apply to specific locations: Exchange Online, SharePoint, OneDrive, Teams, and/or endpoints. They do not blanket-apply to all services.
Mistake
DLP can encrypt sensitive data.
Correct
DLP does not encrypt data. Encryption is handled by Information Protection (sensitivity labels) or Azure Information Protection. DLP can block sharing or send alerts, but encryption is a separate action.
Mistake
DLP policies are evaluated in order of creation (oldest first).
Correct
DLP policies have a numeric priority (1-1000). Higher number = higher priority. The order of creation does not matter.
Mistake
DLP for Teams covers only channel messages, not private chats.
Correct
DLP for Teams covers both channel messages and private chats (1:1 and group chats). It also covers shared files in chats.
Mistake
Once a DLP policy is enforced, it takes effect immediately everywhere.
Correct
Policy changes can take up to 30 minutes to propagate across all locations.
Microsoft 365 includes a default DLP policy for financial and medical data (e.g., U.S. Patriot Act, HIPAA). It is in test mode initially, meaning it logs matches but does not enforce actions. You can edit or enable it. There is no default policy for other data types; you must create custom policies.
Yes. Create a DLP policy for Exchange Online that uses the 'Credit Card Number' sensitive information type. Set the action to 'Block the message from being sent' or 'Block but allow override'. The sender will see a policy tip explaining why the email was blocked.
DLP policies for Exchange and SharePoint apply to mobile devices accessing those services via Outlook mobile or browser. However, endpoint DLP (for file activities on devices) only works on Windows 10/11. For iOS/Android, you can use Microsoft Defender for Cloud Apps to monitor app usage.
When configuring the DLP policy action, choose 'Block but allow override'. You can require users to provide a business justification, which is logged. You can also set up a manager approval workflow via Power Automate. The override option is available for Exchange, SharePoint, and OneDrive.
DLP prevents data loss by blocking or alerting on sharing of sensitive data. Retention policies preserve data for a specified period (e.g., 7 years) for compliance or legal hold. They are complementary: DLP protects against leaks, retention ensures data is not prematurely deleted.
Yes, but only with Endpoint DLP, which requires Windows 10/11 devices and a Microsoft 365 E5 license (or Compliance add-on). You can create a DLP policy that includes endpoint locations and define actions like 'Block copying to removable media'.
When creating or editing a DLP policy, set the mode to 'Test it out first' (test mode). You can choose to show policy tips during test mode or not. Review the Activity explorer to see matched events. If satisfied, change the mode to 'Turn it on immediately'.