This chapter covers Data Loss Prevention (DLP) policies specifically for Microsoft Teams, a critical topic for the SC-900 exam under Compliance Solutions (Objective 4.3). DLP in Teams helps organizations prevent accidental or intentional sharing of sensitive information through chat, channel messages, and file sharing. Expect 5-10% of exam questions to touch DLP concepts, with at least one question directly about Teams DLP capabilities, limitations, and configuration.
Imagine a corporate mailroom that handles all incoming and outgoing packages for a company. Every package must pass through this mailroom, where clerks inspect contents against a list of prohibited items (e.g., hazardous materials, confidential documents). If a package contains a prohibited item, the clerk either blocks it entirely or replaces the offending content with a warning sticker before delivery. For packages sent between departments, the mailroom also checks if the sender and receiver are allowed to exchange certain materials. In Microsoft Teams, DLP policies act as this mailroom: every message, file, or link shared in chats, channels, or meetings passes through the Microsoft 365 compliance boundary. The DLP engine inspects the content for sensitive information (like credit card numbers or health records) using built-in or custom rules. If a match occurs, the policy can block the message, notify the sender, or allow override with justification. The mailroom analogy is mechanistic because the inspection is automatic, policy-driven, and happens at a central point (the Teams service) before content reaches the recipient, just as physical mail is screened before delivery.
What is DLP for Microsoft Teams?
Data Loss Prevention (DLP) for Microsoft Teams is a compliance feature that monitors and controls the sharing of sensitive information within Teams chats, channel conversations, and private channels. It is part of the broader Microsoft 365 DLP suite, which also covers Exchange Online, SharePoint Online, OneDrive for Business, and third-party apps. The primary goal is to prevent data leaks by detecting sensitive content (e.g., credit card numbers, Social Security numbers, confidential documents) and taking automated actions such as blocking the message, blocking the share, or sending a policy tip to the user.
DLP for Teams was introduced in 2020 and has evolved to support both chat and channel messages, including file attachments. It does NOT cover meeting audio/video or live captions; those are out of scope for DLP. The exam expects you to know that DLP policies can be applied to Teams by selecting the location "Teams chat and channel messages" when creating a DLP policy in the Microsoft Purview compliance portal.
How DLP Works in Teams: Step-by-Step Mechanism
When a user sends a message or file in Teams, the content is first processed by the Teams service. The service evaluates the content against active DLP policies that include the Teams location. The evaluation involves:
1. Content Analysis: The DLP engine scans the message text and any attached files (e.g., Word, Excel, PDF) for sensitive information types (SITs) defined in the policy. Over 100 built-in SITs are available, such as U.S. Social Security Number (SSN), International Bank Account Number (IBAN), and Azure Storage Account Key. Custom SITs can also be created using regular expressions or keyword dictionaries.
2. Policy Matching: If the content matches a SIT with a confidence level above the policy threshold (default is high confidence, but adjustable), the policy's conditions are evaluated. Conditions can include: who sent the message, who received it, the channel type, or whether the message is shared with external users.
3. Action Execution: Based on the configured actions, the policy may:
   - Block the message from being sent (the message never reaches the recipient).
   - Block the message but allow the sender to override with a business justification.
   - Send a policy tip to the sender (a notification that sensitive content was detected, but the message is still delivered).
   - Log the incident for review by an admin.
4. User Notification: If a policy tip is enabled, the sender sees a warning in the Teams compose box before sending. If the message is blocked, the sender sees an error indicating the message was blocked by a DLP policy.
Key Components, Values, and Defaults
- Sensitive Information Types (SITs): Built-in patterns like "Credit Card Number" (pattern: 16 digits, Luhn checksum) and "U.S. Social Security Number" (pattern: 9 digits, format XXX-XX-XXXX). Each SIT has a confidence level (low, medium, high) that indicates how likely a match is to be correct. Default confidence for many SITs is 75% (high).
- DLP Policy Priority: Policies are evaluated in order of priority. If multiple policies match, the most restrictive action is applied. Priority is set manually when creating policies.
- Action Types:
  - Block – Prevents message delivery. For Teams, the message is not sent and the sender sees an error.
  - Block with override – Same as block, but the sender can provide a justification to bypass the policy (audited).
  - Notify – Sends a policy tip but does not block.
- Policy Tip: A yellow warning bar in Teams that says something like "This message contains sensitive information. Please remove it before sending." Policy tips are only shown for non-blocking actions.
- Incident Reports: When a DLP rule matches, an incident is logged in the Microsoft 365 Defender portal under Incidents. Admins can review and take action.
Configuration and Verification
To create a DLP policy for Teams:
1. Go to Microsoft Purview compliance portal (https://compliance.microsoft.com).
2. Navigate to Data loss prevention > Policies > Create policy.
3. Choose a template (e.g., Financial data, Medical and health data) or start from scratch.
4. On the Locations page, select Teams chat and channel messages. Note: You must also select Exchange, SharePoint, and OneDrive if you want the policy to cover those locations, but for Teams-only scenarios, only select Teams.
5. Define conditions (e.g., content contains SSN, or content shared with external users).
6. Define actions (e.g., block the message, notify sender).
7. Set policy mode to Turn it on immediately or test first.
Verification: Send a test message containing a known sensitive pattern (e.g., a fake SSN like 123-45-6789) in a Teams chat. Observe if the message is blocked or if a policy tip appears. Check the incident log in Purview > Data loss prevention > Incidents.
Interaction with Related Technologies
DLP for Teams works closely with:
- Microsoft Purview Information Protection: Sensitivity labels can be used to classify data, and DLP policies can detect labels. For example, a DLP policy can block messages containing files labeled "Highly Confidential."
- Microsoft Defender for Cloud Apps: Extends DLP to third-party apps (e.g., Slack, Zoom) but not directly Teams DLP.
- Microsoft 365 Audit Log: All DLP matches are logged in the unified audit log. You can search for DLP events using Search-UnifiedAuditLog -RecordType DataLossPrevention in Exchange Online PowerShell.
Important Exam Notes
DLP for Teams can inspect messages sent to external (federated) users if the policy includes the condition "Content is shared with people outside my organization." Enforcement happens on the sending side: if the policy blocks, the message is not sent, so the external user never receives it. This is a common exam point.
Meeting chat is part of Teams chat, so it is covered by DLP for Teams. Meeting audio/video is not.
DLP policies require a license: Microsoft 365 E5/A5/G5, or Microsoft 365 E5 Compliance add-on. The exam may ask which licenses are required.
Common Exam Traps
Trap: DLP policies for Teams can be applied to all Teams messages by default. Reality: You must explicitly select the Teams location; no default policy exists.
Trap: DLP can prevent users from sharing files in Teams. Reality: DLP for Teams can block sharing of files that contain sensitive info, but it does not replace SharePoint DLP; it works in conjunction.
Trap: DLP for Teams works for all message types including urgent messages. Reality: It works for all chat and channel messages, but urgent messages are also text, so they are covered.
Conclusion
DLP for Teams is a powerful tool to prevent data leaks in collaboration. The exam focuses on understanding what it protects (chat and channel messages), how to configure it (via Purview), and its limitations (does not cover audio/video). Remember the key actions: block, block with override, and notify. Know that DLP policies are evaluated in priority order and that incident reports are generated.
User sends a message
A user composes a message in Teams chat or channel and clicks Send. The message content (text and any attachments) is transmitted to the Teams backend service. At this point, the message is not yet delivered to recipients. The Teams service triggers a DLP evaluation by sending the content to the Microsoft 365 compliance engine. The engine checks all active DLP policies that include the Teams location. This evaluation happens synchronously, meaning the sender experiences a slight delay (usually <1 second) before the message is either sent or blocked.
DLP engine scans content
The DLP engine parses the message text and any attached files (Word, Excel, PDF, etc.) for matches against sensitive information types (SITs) defined in the policies. Each SIT has a pattern and a confidence level. For example, a credit card number SIT requires 16 digits with Luhn checksum; if the text contains a 16-digit number that passes Luhn, the confidence is high (85%). The engine also checks for custom regex patterns or keyword dictionaries. Multiple SITs may be evaluated; if any match exceeds the minimum confidence threshold (default 75%), the policy condition is considered met.
Policy conditions evaluated
If a SIT match is found, the DLP engine evaluates additional conditions in the policy. Conditions can include: the sender's identity (e.g., user is part of a specific group), the recipient's identity (internal vs external), the channel type (public vs private channel), or the sensitivity label of any attached file. For example, a policy may block messages containing credit card numbers only if the recipient is external. Conditions are combined using AND/OR logic. If all conditions are met, the policy triggers its defined actions.
Action executed
Based on the policy configuration, the DLP engine executes one of several actions: Block – the message is discarded and never delivered; the sender sees an error message. Block with override – same as block, but the sender can choose to override by providing a business justification, which is logged. Notify – a policy tip is shown to the sender, but the message is delivered. If multiple policies match, the most restrictive action (block > block with override > notify) is applied. The action is applied immediately; there is no delay for user review.
Incident logged and reported
After the action is taken, an incident is created in the Microsoft 365 Defender portal. The incident includes details: time, user, message content (or a snippet), the SIT matched, and the action taken. Admins can review incidents and optionally escalate to eDiscovery or remediation. The incident is also recorded in the unified audit log. If the policy has an 'incident report' configuration, an email notification may be sent to the compliance admin. The incident remains visible for 30 days by default.
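The five steps above (scan, SIT match, conditions, action, incident) as a simplified model, added here as an illustration; it is not Microsoft's DLP engine and not code from this guide. The regexes, the Policy class, the sample policies and the SSN confidence value are assumptions; the 85% card confidence, the 75% threshold and the action precedence are the figures quoted in the text.

```python
import re
from dataclasses import dataclass

# Figures quoted in the text: 75% minimum confidence, and the action
# precedence block > block with override > notify.
THRESHOLD = 75
RESTRICTIVENESS = {"notify": 1, "block_with_override": 2, "block": 3}

# Assumed, simplified patterns (not Microsoft's SIT definitions).
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # XXX-XX-XXXX


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def detect_sits(text: str) -> dict:
    """Return {SIT name: confidence} for the message text."""
    found = {}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found["Credit Card Number"] = 85   # figure given in the text
    if SSN_RE.search(text):
        found["U.S. Social Security Number"] = 85   # assumed for this model
    return found


@dataclass
class Policy:                      # hypothetical stand-in for a DLP policy
    name: str
    sit: str
    action: str
    external_only: bool = False    # "shared with people outside my organization"
    teams_location: bool = True    # False models a policy without the Teams location


def evaluate(text: str, recipient_external: bool, policies: list):
    """Return (action, incident) for one message, or (None, None) if it is clean."""
    sits = {n for n, c in detect_sits(text).items() if c >= THRESHOLD}
    matched = [p for p in policies
               if p.teams_location and p.sit in sits
               and (recipient_external or not p.external_only)]
    if not matched:
        return None, None
    winner = max(matched, key=lambda p: RESTRICTIVENESS[p.action])
    incident = {"policy": winner.name, "sit": winner.sit, "action": winner.action,
                "delivered": winner.action == "notify"}   # blocks hold the message
    return winner.action, incident


# Constructed sample policies and messages.
POLICIES = [
    Policy("Cards to external", "Credit Card Number", "block_with_override", True),
    Policy("Cards anywhere", "Credit Card Number", "notify"),
    Policy("SSN block", "U.S. Social Security Number", "block"),
    Policy("Cards, Teams not selected", "Credit Card Number", "block",
           teams_location=False),
]

if __name__ == "__main__":
    for msg, ext in [("Card 4111 1111 1111 1111", True),    # passes Luhn
                     ("Card 4111 1111 1111 1111", False),
                     ("Ref 1234 5678 9012 3456", True),      # fails Luhn
                     ("SSN 123-45-6789", False)]:
        print(msg, "| external:", ext, "->", evaluate(msg, ext, POLICIES)[0])
```

In this model the third sample, a 16-digit string that fails the Luhn check, produces no match, so a verification message for a card policy needs a Luhn-valid test number. The policy without the Teams location never fires, which is the misconfiguration the guide warns about.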
Scenario 1: Healthcare Provider Preventing PHI Leakage
A large hospital uses Teams for clinician communication. They have a DLP policy that blocks any message containing a patient's medical record number (custom SIT) or diagnosis codes (ICD-10). The policy is configured with 'Block' action and a policy tip. When a nurse accidentally types a patient's SSN in a chat, the message is blocked, and the nurse sees 'This message contains sensitive health information and cannot be sent.' The nurse then removes the SSN and resends. The incident is logged and reviewed weekly by the compliance team. This prevents accidental PHI exposure, which could lead to HIPAA fines.
Scenario 2: Financial Firm Protecting Credit Card Data
A financial services company uses Teams for internal collaboration. They have a DLP policy that detects credit card numbers (built-in SIT) and blocks messages sent to external users (e.g., partners). The policy is set to 'Block with override' so that if a legitimate business need exists, the user can justify the override. In production, this policy blocks hundreds of attempts per month, most of which are accidental. The override requests are audited and reviewed monthly. The company also uses DLP reports to identify users who frequently attempt to send sensitive data, leading to additional training.
Scenario 3: Government Agency Classified Data Protection
A government agency uses sensitivity labels to classify documents as 'Confidential' or 'Top Secret'. Their DLP policy for Teams blocks any message that includes a file labeled 'Top Secret' from being shared in channels that contain external guest users. The policy uses a condition: 'Content contains sensitivity label Top Secret' AND 'Recipient includes people outside my organization'. This policy prevents accidental leaks of classified information to unauthorized parties. The policy also sends an incident report to the security operations center (SOC) for immediate investigation.
Common Misconfiguration: A common mistake is creating a DLP policy for Teams but forgetting to enable the Teams location. The policy then only applies to Exchange or SharePoint, leaving Teams unprotected. Another mistake is setting the action to 'Notify' only, which does not prevent data leakage; users may ignore the warning. Performance is generally not an issue because DLP evaluation happens server-side and is fast, but during peak usage, a slight delay may be noticeable.
What SC-900 Tests on DLP for Teams
The SC-900 exam covers DLP for Teams under Objective 4.3: 'Describe the capabilities of data loss prevention.' Specifically, you need to know:
The locations that DLP policies can cover: Exchange, SharePoint, OneDrive, Teams chat and channel messages. (Note: Teams is NOT covered by default; you must select it.)
The types of content DLP can inspect: text messages and attachments (files) in chats and channels.
The actions: Block, Block with override, Notify.
The concept of policy tips and incident reports.
That DLP policies are created in the Microsoft Purview compliance portal.
Licensing requirement: Microsoft 365 E5 or E5 Compliance add-on.
Most Common Wrong Answers
1. DLP for Teams protects meeting audio/video. Wrong because DLP only inspects text and files; it does not analyze spoken content or video streams.
2. DLP policies apply to all Teams messages by default. Wrong; you must explicitly enable the Teams location when creating a policy.
3. DLP can prevent a user from joining a meeting. Wrong; DLP does not control meeting access; that is handled by Azure AD conditional access.
4. DLP policies are configured in Teams admin center. Wrong; they are configured in Microsoft Purview compliance portal.
Specific Numbers and Terms
- The default confidence level for many SITs is 75% (high).
- Over 100 built-in sensitive information types.
- Policy priority order determines which action is taken when multiple policies match; the most restrictive wins.
- Incident reports are stored for 30 days (default retention).
Edge Cases the Exam Loves
- External (federated) chats: the policy applies on the sender side regardless of whether the external user's tenant has DLP. If the external user is in a tenant without DLP, the message can still be blocked by the sender's policy. The exam may test that DLP for Teams works for messages to external users only if the policy condition 'Content is shared with people outside my organization' is used.
- Meeting chat: meeting chat is covered, but the exam might mislead you to think it is excluded.
- Bots and webhooks: DLP inspects all user-generated messages; bot messages are not user-generated, so they are not covered.
How to Eliminate Wrong Answers
If a question asks about DLP capabilities, eliminate any answer that mentions audio, video, or meeting recordings. Also eliminate answers that say DLP is configured in Teams admin center. If the question asks about default behavior, remember that no DLP policy exists by default. Focus on the fact that DLP for Teams is part of Microsoft Purview.
DLP for Teams covers chat and channel messages, including file attachments, but NOT meeting audio/video.
You must explicitly enable the Teams location when creating a DLP policy; no default policy exists.
The most restrictive action wins when multiple policies match; priority order is set by the admin.
Policy tips are only shown for non-blocking actions; blocked messages show an error instead.
DLP policies are created in Microsoft Purview compliance portal, not in Teams admin center.
Over 100 built-in sensitive information types are available, with default confidence threshold of 75%.
Incident reports are logged in the Microsoft 365 Defender portal and retained for 30 days.
These come up on the exam all the time. Here's how to tell them apart.
DLP for Teams
Applies to Teams chat and channel messages only.
Inspects message text and file attachments in real-time.
Actions include block, block with override, and notify.
Configured in Microsoft Purview compliance portal.
Requires Microsoft 365 E5 or E5 Compliance license.
DLP for Exchange Online
Applies to email messages in Exchange Online.
Inspects email body, subject, and attachments.
Actions include block, redirect, quarantine, and notify.
Configured in same Purview portal but with different location options.
Same licensing requirement but also available in Exchange Online Protection (EOP) basics.
Mistake
DLP for Teams automatically protects all Teams messages without any configuration.
Correct
No default DLP policy exists for Teams. You must create a policy and explicitly select the Teams location. Without configuration, no DLP enforcement occurs.
Mistake
DLP for Teams can block users from sharing files in Teams entirely.
Correct
DLP only blocks files that contain sensitive information matching a policy. It does not block all file sharing; it only enforces based on content inspection.
Mistake
DLP for Teams scans all meeting audio and video for sensitive information.
Correct
DLP only inspects text messages and file attachments. It does not analyze audio or video streams. Meeting recordings are stored in OneDrive/SharePoint and covered by DLP there.
Mistake
DLP policies for Teams are configured in the Teams admin center.
Correct
DLP policies are created and managed in the Microsoft Purview compliance portal (compliance.microsoft.com), not in the Teams admin center.
Mistake
DLP for Teams works the same for internal and external (federated) users.
Correct
DLP for Teams can inspect messages to external users, but the enforcement is only on the sending side. The recipient's tenant may not have DLP, but the message is still blocked if the sender's policy matches.
Yes, DLP for Teams applies to all channel types, including standard, private, and shared channels. The policy inspects messages in those channels just like regular chats. However, note that private channels have their own SharePoint site, but DLP for Teams inspects the message content before it reaches the SharePoint storage. So, DLP blocks at the messaging layer, not the file layer.
Yes, DLP for Teams can inspect messages sent to external users if the policy includes a condition like 'Content is shared with people outside my organization.' The policy will block the message on the sender's side before it is sent. However, if the external user is in a tenant that also has DLP, the recipient's DLP may also apply, but that is separate. The exam expects you to know that DLP for Teams can apply to external sharing.
DLP for Teams requires a Microsoft 365 E5/A5/G5 license or the Microsoft 365 E5 Compliance add-on. Without these licenses, you cannot create or enforce DLP policies for Teams. The exam may ask which licenses include DLP capabilities.
No, DLP for Teams does not control clipboard operations. It only inspects content that is sent as a message or file attachment. To prevent copying, you would need endpoint DLP, which is a different feature. DLP for Teams operates at the service level, not the client level.
When creating a DLP policy, you can set the mode to 'Test it out first' instead of 'Turn it on immediately.' In test mode, the policy will detect matches but not block messages. You can then review the incident reports to see how many matches occur. This is useful to avoid accidentally blocking legitimate messages.
If the policy allows override with justification, the sender can click a link in the error message to provide a business justification. The message is then sent, and the override is logged in the incident report. Admins can review these overrides and adjust the policy if needed.
DLP for Teams primarily inspects messages sent by users. Messages from bots or connectors are generally not inspected because they are not user-generated. As for a bot message that includes user input, the official documentation states that DLP applies to messages and files added to chats and channels by users; bot messages are not covered.