- Configuring data loss prevention for email from the Compliance Center in Microsoft 365 - Fri, Dec 3 2021
Why do you need DLP for email?
Microsoft provides several security mechanisms to protect data in email. However, DLP will help you further secure your data by allowing you to define policies based on regulatory requirements. For instance, you can block outgoing email that contains US credit card numbers, social security numbers, and other financial data. There are also templates to block email with private or medical information. See this link for a detailed list of available templates. In addition, you can create custom policies that cover many other confidential and sensitive data types.
Many organizations might want to shield data to be compliant with the mandatory rules or laws, such as GDPR, set by regulatory bodies. DLP proves immensely useful in handling such scenarios. Once you have the end goal in place, you can use the policies to reach that target.
Prerequisites
To follow along with this article, you must have the following:
- Microsoft 365 tenant.
- Organization Management or Compliance Management permissions in Exchange Online.
- One of the following licenses: Microsoft 365 E3/A3/Business Premium, Office 365 E3/A3, Office 365 Data Loss Prevention, F5 Compliance, or F5 Security & Compliance.
Create a new DLP policy for email with templates
Now that you know the relevance of DLP in Exchange Online, it's time to get into action. Once you have earmarked the type of data that needs to be regulated, you must create DLP policies. First, access the Compliance Center via this link or from the Microsoft 365 Admin Center home page. Here, click the Policies option and then select Data loss prevention.
On the DLP page, click the Policies tab, which displays a list of existing DLP policies.
Click Create policy. On the next page, select the type of data you want to manage. Here, you see the Financial type selected. There are several templates here. In this example, we will select U.S. Financial Data and click Next. Each template lists the kinds of information it covers. You can learn more about the various templates here.
On the following page, select the locations where this rule will be effective. Here, we will choose Exchange email for this article; however, you can choose to apply this policy in SharePoint, OneDrive, and Teams.
On the next page, you can decide whether to go with the default settings or configure advanced settings. For this example, we will go with the default settings and click Next. The advanced settings will be covered later in this article.
On the next page, you can add more sensitive information types if needed. Also, for this example, we want to demonstrate the behavior in Microsoft 365 apps; hence, you can keep the Detect… option checked. Another important point is to decide whether this policy will apply to emails shared with external people or only with internal ones. Since our aim is to restrict the data going out of the tenant, we will select with people outside my organization and click Next.
On the following page, you can decide on the actions to be taken for any email that matches the conditions you chose on the previous page. You can warn your users with policy tips. Policy tips act as a deterrent and should be used, so keep this box checked. Whenever content matches the conditions set in this policy, the users will see a policy tip. You can also choose to send a notification to an admin if the email is still sent.
If you click Customize the tip and email, you can choose who should see the policy tip and who needs to receive the notification email. You can also customize the policy tip text and the notification email details.
It's essential to define the level of aggressiveness with which you want to enforce this policy. If you want to be notified every time an email contains sensitive data, you must choose 1 in the Detect when a specific amount of sensitive info is being shared at one time option. This is the recommended setting for keeping a close eye on what's being shared. Alternatively, you can choose an even higher count, if needed.
The next option, shown in the screenshot below, is to select what is included in the incident report and who receives it. It is recommended to keep this checked.
The next option is to further customize how you receive DLP alerts. You can choose to receive an alert each time such data is shared, or only once the number of such instances reaches a threshold. You can also decide whether Microsoft 365 should evaluate that threshold over a time window. The last choice is whether the threshold and timeframe apply across all users or per user. It's always better to have this set for all users.
The last section of this window applies only to emails. You can encrypt emails with sensitive data or even disallow forwarding.
The final window lets you choose between enabling the policy immediately or testing it first. The policy will not be effective in test mode; however, you can monitor its potential impact. This helps you to improve your policy settings and avoid any unwanted impact on users.
Testing the policy
To test, we use a sample US credit card number. The email is sent via Outlook to an external address. You can see the policy tip warning us that the email breaches a policy; however, we will ignore it and send the email.
After the email is sent, the user receives an email warning them about the policy breach. The admin is also notified.
Apart from this, the admin also receives an email warning them about the high volume of sensitive content being shared. This setting can be tweaked, as explained in the policy creation section.
As per our policy, an alert was also sent to the admin.
Create a new custom policy
In this section, you will explore the possibilities of custom policies in DLP. Beyond the templates provided by Microsoft, you might want to further customize your DLP policy based on other conditions or regulations. For instance, if you want to block email containing sensitive information such as PAN card details from India, you will have to create a custom policy.
In this example, you will see how to create a custom policy to block all email communications containing Indian PAN card details. This is not available in the default templates. The first step is to select custom policy, as seen in the screenshot "The US Financial Data template is selected for the policy." The next steps remain the same as those described in the previous section. The difference comes when you define the policy settings, as seen here.
On the next page, create the rule. There are three major parts to this step. The first is to choose the conditions.
Select the appropriate conditions for the policy. Here, we have chosen Content contains to handle email with sensitive information.
Next, choose the sensitive information type. Here, we will select the Indian Permanent Account Number. Note that you can add more types of sensitive data by clicking Add again.
Other conditions can also be accommodated here. For example, you might want to block PAN card details shared by a specific group or user. For this, you can add another condition stating the sender group or other such combinations.
The next step is to add exceptions, if any.
The third step is to add the action. In this example, we have chosen to restrict access to the content. You can add more actions if needed.
The next options are the same as those described in the previous section to notify users and allow overrides.
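As an added example (not from the 4sysops article or from Microsoft's documentation), here is the policy and both rules described in the two sections above, built with the Security & Compliance PowerShell cmdlets instead of the Compliance Center UI. It assumes the ExchangeOnlineManagement module is installed; the policy and rule names, the admin mailbox and the finance group alias are placeholders, and the sensitive information type and encryption template names should be verified against Get-DlpSensitiveInformationType and your tenant's OME templates.

```powershell
# Added example, not the article's own steps. Run in Security & Compliance PowerShell
# (ExchangeOnlineManagement module). Names and addresses below are placeholders.
Connect-IPPSSession

# 1. Policy scoped to Exchange email only, created in test mode: users see policy
#    tips and admins get reports, but nothing is blocked until the mode is switched.
New-DlpCompliancePolicy -Name 'Outbound sensitive data (example)' `
    -Comment 'Added example: US financial data and India PAN leaving the tenant' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# 2. Rule for the template-based section: one or more credit card numbers sent to
#    recipients outside the organization. Show a policy tip, notify the sender,
#    send a full incident report and a high-severity alert to the admin mailbox,
#    and encrypt the message (assumes the default OME 'Encrypt' template exists).
New-DlpComplianceRule -Name 'Credit card numbers to external recipients' `
    -Policy 'Outbound sensitive data (example)' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This message contains financial data covered by a DLP policy.' `
    -GenerateIncidentReport 'dlp-admin@contoso.example' `
    -IncidentReportContent All `
    -GenerateAlert 'dlp-admin@contoso.example' `
    -ReportSeverityLevel High `
    -ApplyRightsProtectionTemplate 'Encrypt'

# 3. Rule for the custom-policy section: Indian PAN details to external recipients.
#    The exception step is modelled as a sender group that is allowed to send them;
#    everyone else has access to the content restricted outright.
New-DlpComplianceRule -Name 'India PAN to external recipients' `
    -Policy 'Outbound sensitive data (example)' `
    -ContentContainsSensitiveInformation @{ Name = 'India Permanent Account Number (PAN)'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -ExceptIfFromMemberOf 'finance-pan-approved@contoso.example' `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner `
    -GenerateAlert 'dlp-admin@contoso.example' `
    -ReportSeverityLevel High

# 4. Review the rules, then switch the policy from test mode to enforcement once the
#    test-mode reports show no unwanted impact on users.
Get-DlpComplianceRule -Policy 'Outbound sensitive data (example)' |
    Select-Object Name, Disabled, BlockAccess, AccessScope
Set-DlpCompliancePolicy -Identity 'Outbound sensitive data (example)' -Mode Enable
```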
Conclusion
DLP is a vital tool in the effort to safeguard data in Microsoft 365. As you have seen in this article, there are several permutations and combinations that you can use as needed. As a system administrator, it's essential to know how to use DLP effectively, and this article has given you that foundation. In the next post, you will learn how to use DLP in MS Teams.
Hi,
Can we set up alerts for emails that breach our DLP policies?
Yes, alerts can be set up. You would see the option while creating the DLP policy.
Another aspect is the licensing and alert dashboard. As stated in this post, you would require specific licenses to be able to set those.
Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/F5/G5 Information Protection and Governance, and Office 365 E5/A5/G5.
Do the license requirements apply to all tenant user accounts or only to the user managing DLP policies?
A license is required for all the users to whom you wish to apply these policies.
DLP alerts can be configured through the DLP page. And you can review them in the Alerts dashboard. It does notify specific admins if you configure it to do so.
We have set a rule to encrypt email only if it flags a DLP policy. However, it is not encrypting the email and is just passing it through, and we are only getting the alerts.
Any ideas?
Hi,
Are you using O365 message encryption? And is the rule set up via a transport rule?
We have an E3 license. Are we supposed to upgrade to E5 just to get the exceptions tab? That sounds crazy.