Configuring data loss prevention for email from the Compliance Center in Microsoft 365

• Author
• Recent Posts

Vignesh Mudliar

Vignesh has been working in the IT industry for the past 10 years. His main areas of focus are Microsoft 365, Exchange Online, PowerShell, Teams, SharePoint, Microsoft 365 Security, and GoLang. Follow his weblog.

Latest posts by Vignesh Mudliar (see all)

• Whitelist a domain in Microsoft 365 - Wed, Nov 29 2023
• Anti-spam policies in Microsoft 365 (Office 365) - Thu, Nov 23 2023
• Configure Quarantine Policies in Microsoft 365 - Fri, Aug 12 2022

Why do you need DLP for email?

Microsoft provides several security mechanisms to protect data in email. However, DLP will help you further secure your data by allowing you to define policies based on regulatory requirements. For instance, you can block outgoing email that contains US credit card numbers, social security numbers, and other financial data. There are also templates to block email with private or medical information. See this link for a detailed list of available templates. In addition, you can create custom policies that contain many more confidential and sensitive data types that can be blocked.

Many organizations might want to shield data to be compliant with the mandatory rules or laws, such as GDPR, set by regulatory bodies. DLP proves immensely useful in handling such scenarios. Once you have the end goal in place, you can use the policies to reach that target.

Prerequisites

To follow along with this article, you must have the following:

• Microsoft 365 tenant.
• Organization Management or Compliance Management permissions in Exchange Online.
• One of the following licenses: Microsoft 365 E3/A3/Business Premium, Office 365 E3/A3, and Office 365 Data Loss Prevention and F5 Compliance and F5 Security & Compliance.

Create a new DLP policy for email with templates

Now that you know the relevance of DLP in Exchange Online, it's time to get into action. Once you have earmarked the type of data that needs to be regulated, you must create DLP policies. First, access the Compliance Center via this link or from the Microsoft 365 Admin Center home page. Here, click the Policies option and then select Data loss prevention.

On the DLP page, click the Policies tab, which displays a list of existing DLP policies.

The types of templates that are available

Click Create policy. On the next page, select the type of data you want to manage. Here, you see the Financial type selected. There are several templates here. In this example, we will select U.S. Financial Data and click Next. Each template displays the information that it provides to be handled. You can learn more about the various templates here.

The US Financial Data template is selected for the policy

On the following page, select the locations where this rule will be effective. Here, we will choose Exchange email for this article; however, you can choose to apply this policy in SharePoint, OneDrive, and Teams.

Choosing Exchange Online as the location where the policy will take effect

On the next page, you can decide whether to go with the default settings or configure advanced settings. For this example, we will go with the default settings and click Next. The advanced settings will be covered later in this article.

On the next page, you can add more sensitive information types if needed. Also, for this example, we want to demonstrate the behavior in Microsoft 365 apps; hence, you can keep the Detect… option checked. Another important point is to decide whether this policy will apply to emails shared with external people or only with internal ones. Since our aim is to restrict the data going out of the tenant, we will select with people outside my organization and click Next.

This policy is for data shared with external people via email

On the following page, you can decide on the actions to be taken for any email that matches the conditions you chose on the previous page. You can warn your users with policy tips. This may act as a deterrent and must be used; hence, you must keep this box checked. So, whenever content matches the conditions set in this policy, the users will see a policy tip. You can also choose to send a notification to an admin if the email is still sent.

Define the settings for the policy

If you click Customize the tip and email, you can choose who should see the policy tip and who needs to receive the notification email. You can also customize the policy tip text and the notification email details.

Customizing the policy tips and notification emails to users

It's essential to define the level of aggressiveness with which you want to enforce this policy. If you want to be notified every time an email contains sensitive data, you must choose 1 in the Detect when a specific amount of sensitive info is being shared at one time option. This is the recommended setting for keeping a close eye on what's being shared. Alternatively, you can choose an even higher count, if needed.

The next option, as shown in the screenshot below is to select what is to be included in the incident report and who is supposed to receive it. It is recommended to keep this checked. The screenshot below shows the details:

Details to be included in the incident report sent to admins

The next option is to further customize the path to receive DLP alerts. You can choose to receive alerts each time such data is shared or even based on the count of such instances. You can also decide whether Microsoft 365 should consider the duration of such instances. The last choice is to decide whether the timeframe applies to all users or to a single user. It's always better to have this set for all users.

An alert is sent for every policy breach

The last section of this window applies only to emails. You can encrypt emails with sensitive data or even disallow forwarding.

Restricting the blocked data or even encrypting it

The final window lets you choose between enabling the policy immediately or testing it first. The policy will not be effective in test mode; however, you can monitor its potential impact. This helps you to improve your policy settings and avoid any unwanted impact on users.

Testing the policy

To test, we will use a sample US credit card number. The email was sent via Outlook to an external address. You can see the policy tip warning us about the email breaching a policy; however, we will ignore it and send the email.

Email to test the US Financial Data policy

After the email is sent, the user receives an email warning them about the policy breach. The admin is also notified.

DLP policy breach notification sent to the user and admin

Apart from this, the admin also receives an email warning them about the high volume of sensitive content being shared. This setting can be tweaked, as explained in the policy creation section.

High volume notification sent to the admin

As per our policy, an alert was also sent to the admin.

Alert sent to the admin about the DLP policy breach

Create a new custom policy

In this section, you will explore the possibilities of custom policies in DLP. Despite the templates provided by Microsoft, you might want to further customize your DLP policy based on other conditions or regulations. For instance, if you want to block email containing sensitive information, such as Pan Card details from India, you will have to create custom policies.

In this example, you will see how to create a custom policy to block all email communications containing Indian Pan Card details. This is not available in the default templates. The first step is to select custom policy, as seen in the screenshot "The US Financial Data template is selected for the policy." The next steps remain the same as those mentioned in the previous section. The difference is when you define the policy settings, as seen here.

Custom policy selection

On the next page, create the rule. There are three major parts to this step. The first is to choose the conditions.

Select the appropriate conditions for the policy. Here, we have chosen Content contains to handle email with sensitive information.

List of conditions to choose from for the policy

Next, choose the sensitive information type. Here, we will select the Indian Permanent Account Number. Note that you can add more types of sensitive data by clicking Add again.

Choosing the sensitive information type

Other conditions can also be accommodated here. For example, you might want to block PAN card details shared by a specific group or user. For this, you can add another condition stating the sender group or other such combinations.

The next step is to add exceptions, if any.

The third step is to add the action. In this example, we have chosen to restrict access to the content. You can add more actions if needed.

Actions that can be taken when an email breaches the DLP policy

The next options are the same as those described in the previous section to notify users and allow overrides.

Conclusion

DLP is a vital tool in the effort to safeguard data in Microsoft 365. As you have seen in this article, there are several permutations and combinations that you can use as needed. As a system administrator, it's essential to acquire the knowledge of using DLP effectively, which you have achieved here. In the next post, you will learn how to use DLP in MS Teams.