Data loss prevention (DLP) in Microsoft 365 can help you achieve your compliance goals. In this article, you will learn how to effectively use DLP to safeguard your data in Exchange Online (email). You will be introduced to the basics of creating DLP policies and best practices.

Why do you need DLP for email?

Microsoft already provides several security mechanisms to protect data in email. DLP adds to these by letting you define policies that map directly to regulatory requirements. For instance, you can block outgoing email that contains US credit card numbers, social security numbers, and other financial data, and there are templates that cover privacy and medical information as well. Microsoft documents the full list of available templates. In addition, you can create custom policies that cover many more confidential and sensitive data types.

Many organizations must shield certain data to comply with mandatory rules or laws set by regulatory bodies, such as GDPR. DLP is well suited to these scenarios: once you know which data needs protection and what must happen to it, you can express that end goal as policies.

Prerequisites

To follow along with this article, you must have the following:

  • Microsoft 365 tenant.
  • Organization Management or Compliance Management permissions in Exchange Online.
  • One of the following licenses: Microsoft 365 E3/A3/Business Premium, Office 365 E3/A3, Office 365 Data Loss Prevention, Microsoft 365 F5 Compliance, or Microsoft 365 F5 Security & Compliance.

Create a new DLP policy for email with templates

Now that you know why DLP matters for Exchange Online, it's time to put it into action. Once you have identified the type of data that needs to be regulated, you create DLP policies for it. First, open the Compliance Center, either directly or from the Microsoft 365 Admin Center home page. Then click Policies and select Data loss prevention.

On the DLP page, click the Policies tab, which displays a list of existing DLP policies.

The types of templates that are available

Click Create policy. On the next page, select the category of data you want to manage; in the screenshot, the Financial category is selected. Each category offers several templates, and each template lists the sensitive information types it detects. In this example, select U.S. Financial Data and click Next.

The US Financial Data template is selected for the policy

On the following page, select the locations where this rule will be effective. Here, we will choose Exchange email for this article; however, you can choose to apply this policy in SharePoint, OneDrive, and Teams.

Choosing Exchange Online as the location where the policy will take effect

On the next page, you can decide whether to go with the default settings or configure advanced settings. For this example, we will go with the default settings and click Next. The advanced settings will be covered later in this article.

On the next page, you can add more sensitive information types if needed. Since we want to demonstrate the behavior in Microsoft 365 apps, keep the Detect… option checked. You must also decide whether the policy applies to email shared with external people or only with internal ones. Because our aim is to stop data leaving the tenant, select with people outside my organization and click Next.

This policy is for data shared with external people via email

On the following page, decide which actions to take when an email matches the conditions chosen on the previous page. Policy tips warn users before they send and act as a deterrent, so keep this box checked: whenever content matches the policy, the sender sees a policy tip. You can also have an admin notified if the email is sent anyway.

Define the settings for the policy

If you click Customize the tip and email, you can choose who should see the policy tip and who needs to receive the notification email. You can also customize the policy tip text and the notification email details.

Customizing the policy tips and notification emails to users

It's essential to decide how aggressively you want to enforce this policy. To be notified every time an email contains even a single instance of sensitive data, set Detect when a specific amount of sensitive info is being shared at one time to 1. This is the recommended setting for keeping a close eye on what's being shared. A higher count reduces noise, but emails with fewer matches then pass unnoticed, so raise it only deliberately.

The next option, shown in the screenshot below, is to select what the incident report should contain and who should receive it. It is recommended to keep this checked.

Details to be included in the incident report sent to admins

The next option fine-tunes how you receive DLP alerts. You can receive an alert each time such data is shared, or only once a certain number of instances has occurred. You can also decide whether Microsoft 365 should count those instances within a time window, and whether that threshold applies to all users together or to each single user. Applying it to all users is usually the better choice.

An alert is sent for every policy breach

The last section of this window applies only to email. You can encrypt emails that contain sensitive data or prevent them from being forwarded.

Restricting the blocked data or even encrypting it

The final window lets you choose between enabling the policy immediately or testing it first. In test mode, the policy does not block anything; matches are still recorded (and policy tips can optionally be shown), so you can monitor its potential impact, tune the settings, and avoid unwanted impact on users before enforcing it.
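The whole wizard flow above can also be scripted. The following is an added example, not code from the original article, that recreates the same policy in Security & Compliance PowerShell (ExchangeOnlineManagement module): Exchange-only scope, the three sensitive information types the U.S. Financial Data template bundles (Credit Card Number, U.S. Bank Account Number and ABA Routing Number as listed in the wizard; verify the names in your tenant), external recipients only, a policy tip with override, an incident report and an alert to an admin mailbox, all in test mode with notifications. The admin UPN, the compliance-team address and the policy name are placeholders.

```powershell
# Added example, not from the original article: the "U.S. Financial Data" walkthrough
# above as a Security & Compliance PowerShell script. Assumes the ExchangeOnlineManagement
# module is installed and that the signed-in account can manage DLP.
# All addresses and names are placeholders.
Connect-IPPSSession -UserPrincipalName dlp-admin@contoso.onmicrosoft.com

$policyName   = 'US financial data to external recipients'
$adminMailbox = 'compliance-team@contoso.com'    # placeholder admin mailbox

# 1. The policy carries scope and mode. Exchange email only; TestWithNotifications is the
#    wizard's "Test it out first" with policy tips, so nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Credit card, bank account and routing numbers leaving the tenant' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# 2. The rule carries conditions and actions. The template bundles these three types
#    (assumed here; confirm with Get-DlpSensitiveInformationType in your tenant).
#    minCount=1 is "detect when 1 instance is shared"; maxCount=-1 means no upper bound.
#    Entries in one array are OR'ed: any one type triggers the rule.
$sensitiveTypes = @(
    @{ Name = 'Credit Card Number';       minCount = '1'; maxCount = '-1' },
    @{ Name = 'U.S. Bank Account Number'; minCount = '1'; maxCount = '-1' },
    @{ Name = 'ABA Routing Number';       minCount = '1'; maxCount = '-1' }
)

$rule = @{
    Name                                = "$policyName - rule"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $sensitiveTypes
    AccessScope                         = 'NotInOrganization'   # only mail to external recipients
    BlockAccess                         = $true                 # enforced once Mode is Enable
    NotifyUser                          = 'LastModifier'        # policy tip and email to the sender
    NotifyPolicyTipCustomText           = 'This email contains U.S. financial data and cannot be sent outside the organization.'
    NotifyAllowOverride                 = 'WithJustification'   # sender may override with a business reason
    GenerateIncidentReport              = $adminMailbox
    IncidentReportContent               = 'Title', 'Severity', 'RulesMatched', 'Detections', 'MatchedItem', 'Service'
    ReportSeverityLevel                 = 'High'
    GenerateAlert                       = $adminMailbox         # alert in the Alerts dashboard plus email
}
New-DlpComplianceRule @rule

# 3. Review the result. When the test-mode reports look right, enforce the policy.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, NotifyUser, NotifyAllowOverride, GenerateAlert
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Splatting is used for the rule so each setting can carry a comment; backtick continuation does not allow a trailing comment. Keep the policy in test mode until the incident reports show the expected matches and no obvious false positives, then switch the mode to Enable.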

Testing the policy

To test, we send an email containing a sample US credit card number via Outlook to an external address. The policy tip warns us that the email breaches a policy; we ignore it and send the email anyway.

Email to test the US Financial Data policy

After the email is sent, the user receives an email warning them about the policy breach. The admin is also notified.

DLP policy breach notification sent to the user and admin

Apart from this, the admin also receives an email warning about a high volume of sensitive content being shared. This threshold can be tweaked, as explained in the policy creation section.

High volume notification sent to the admin

As per our policy, an alert was also sent to the admin.

Alert sent to the admin about the DLP policy breach

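Before sending a test message, you can check how a given piece of text is classified. This added example (not from the original article) uses Test-DataClassification from Exchange Online PowerShell, which runs the tenant's sensitive information types over supplied text. The sample strings are constructed: 4111 1111 1111 1111 is the widely used Visa test number that passes the Luhn checksum, and the third string fails it, which shows why a random 16-digit string does not trigger the Credit Card Number type. The admin UPN is a placeholder.

```powershell
# Added example, not from the original article. Test-DataClassification belongs to
# Exchange Online PowerShell (Connect-ExchangeOnline), not to the compliance session.
Connect-ExchangeOnline -UserPrincipalName dlp-admin@contoso.onmicrosoft.com   # placeholder UPN

# Constructed samples. The Credit Card Number type needs a Luhn-valid number; a nearby
# keyword such as "credit card" or an expiry date raises the confidence of the match.
$samples = @{
    'valid number, keyword present' = 'Please charge my credit card 4111 1111 1111 1111, expiry 12/28.'
    'valid number, no keyword'      = 'Reference 4111111111111111 as discussed.'
    'fails Luhn check'              = 'Please charge my credit card 4111 1111 1111 1112, expiry 12/28.'
}

foreach ($label in $samples.Keys) {
    Write-Host "--- $label"
    # Without -ClassificationNames the text is tested against every type in the tenant.
    Test-DataClassification -TextToClassify $samples[$label] -ClassificationNames 'Credit Card Number' |
        Format-List
}
```

The first two samples should report a Credit Card Number match (the one without a keyword at lower confidence), and the last one none. Running this against the exact text you plan to put in a test email tells you whether a non-match is a policy problem or simply text that the sensitive information type does not recognise.
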
Create a new custom policy

In this section, you will explore custom DLP policies. Beyond the templates Microsoft provides, you might need to tailor a DLP policy to other conditions or regulations. For instance, to block email containing sensitive information such as Indian PAN (Permanent Account Number) card details, you must create a custom policy.

In this example, you will create a custom policy that blocks all email containing Indian PAN card details, which no default template covers. The first step is to select Custom policy on the same page shown earlier in the screenshot "The US Financial Data template is selected for the policy." The next steps are the same as in the previous section; the difference comes when you define the policy settings, as shown here.

Custom policy selection

On the next page, create the rule. There are three major parts to this step. The first is to choose the conditions.

Select the appropriate conditions for the policy. Here, we chose Content contains, which matches email carrying sensitive information types.

List of conditions to choose from for the policy

Next, choose the sensitive information type; here, we select Indian Permanent Account Number. You can add further types by clicking Add again.

Choosing the sensitive information type

Other conditions can be combined here. For example, to block PAN card details shared only by a specific group or user, add a condition on the sender or on the group the sender belongs to.

The next step is to add exceptions, if any.

The third step is to add the action. In this example, we chose to restrict access to the content; you can add more actions if needed.

Actions that can be taken when an email breaches the DLP policy

The next options are the same as those described in the previous section to notify users and allow overrides.
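The custom policy of this section as a script, added here and not part of the original article. It resolves the PAN type by name rather than hard-coding the display string, restricts the condition to a sender group (as suggested above), adds a recipient-domain exception, and applies the email-only Do Not Forward encryption action instead of the plain block the wizard walkthrough chose. The group, domain and mailbox names are placeholders, and an open Security & Compliance session (Connect-IPPSSession) is assumed.

```powershell
# Added example, not from the original article: the custom India PAN policy from this
# section, built with Security & Compliance PowerShell. Assumes Connect-IPPSSession has
# already been run; group, domain and mailbox names are placeholders.

# Resolve the sensitive information type by name instead of hard-coding the display
# string (the wizard shows it as "India Permanent Account Number (PAN)").
$pan = Get-DlpSensitiveInformationType |
    Where-Object { $_.Name -like '*Permanent Account Number*' } |
    Select-Object -First 1
if (-not $pan) { throw 'India PAN sensitive information type not found in this tenant.' }

$policyName = 'India PAN in email'
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Indian Permanent Account Numbers sent by the sales team' `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications

$rule = @{
    Name                                = "$policyName - rule"
    Policy                              = $policyName
    # Condition 1: content contains at least one PAN
    ContentContainsSensitiveInformation = @( @{ Name = $pan.Name; minCount = '1' } )
    # Condition 2: the sender is a member of this group (placeholder address)
    FromMemberOf                        = 'sales-india@contoso.com'
    # Exception: recipients at this domain may legitimately receive PAN (placeholder)
    ExceptIfRecipientDomainIs           = 'taxauthority.example'
    # Action (email only): encrypt with the built-in Do Not Forward template, which
    # also prevents forwarding, rather than blocking the message outright
    EncryptRMSTemplate                  = 'Do Not Forward'
    NotifyUser                          = 'LastModifier'
    NotifyPolicyTipCustomText           = 'This message contains an Indian PAN and will be encrypted with forwarding disabled.'
    NotifyAllowOverride                 = 'WithJustification'
    GenerateIncidentReport              = 'compliance-team@contoso.com'   # placeholder
    IncidentReportContent               = 'Title', 'Severity', 'Detections', 'MatchedItem'
    ReportSeverityLevel                 = 'Medium'
}
New-DlpComplianceRule @rule

# Confirm the condition, exception and action that ended up on the rule
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ContentContainsSensitiveInformation, FromMemberOf, ExceptIfRecipientDomainIs, EncryptRMSTemplate
```

Looking the type up by name protects the script from renamed display strings, and the throw stops it before an empty condition creates a rule that never matches. Exceptions are evaluated before actions, so mail from the group to the exempted domain is neither encrypted nor reported.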


Conclusion

DLP is a vital tool for safeguarding data in Microsoft 365. As this article has shown, conditions, exceptions and actions can be combined in many ways to suit your needs, and a system administrator should know how to use them effectively. In the next post, you will learn how to use DLP in Microsoft Teams.

9 Comments
  1. Mohammad Usama 11 months ago

    Hi,

    Can we setup alerts for emails that breach our DLP policies?

    • Author
      Vignesh Mudliar (Rank 3) 11 months ago

      Yes, alerts can be set up. You would see the option while creating the DLP policy.

    • Author
      Vignesh Mudliar (Rank 3) 11 months ago

      Another aspect is the licensing and alert dashboard. As stated in this post, you would require specific licenses to be able to set those.
      Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/F5/G5 Information Protection and Governance, and Office 365 E5/A5/G5.

      • Steve Tim 11 months ago

        Do license requirements apply to all tenant user accounts or only to the user managing DLP policies?

    • Author
      Vignesh Mudliar (Rank 3) 11 months ago

      DLP alerts can be configured through the DLP page. And you can review them in the Alerts dashboard. It does notify specific admins if you configure it to do so.

  2. JR 11 months ago

    We have set a rule to encrypt email only if it flags a DLP policy. However, it is not encrypting the email and just passes it through, and we are only getting the alerts.

    Any ideas?

  3. Dimitri Robin 4 months ago

    We have an E3 license. Are we supposed to upgrade to E5 just to get the exceptions tab? That sounds crazy.

© 4sysops 2006 - 2023
