Prerequisites
To follow this article, you must have the following:
- A Microsoft 365 tenant.
- One of the following licenses:
  - Office 365 E5/A5/G5
  - Microsoft 365 E5/A5/G5
  - Microsoft 365 E5/A5/G5 Information Protection and Governance
  - Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
If you have an Office 365 E3 or Microsoft 365 E3 license, you can use DLP to protect Exchange Online, SharePoint Online, and OneDrive. However, for DLP in Teams chats, you still need E5 licenses. For specific roles, see this link.
- Aggregated alert configuration: To configure aggregated alert policies based on a threshold, you must use one of the following licensing configurations:
  - An E5 or G5 subscription
  - An E1, F1, or G1 subscription, or an E3 or G3 subscription that includes one of the following features:
    - Office 365 Advanced Threat Protection Plan 2
    - Microsoft 365 E5 Compliance
    - Microsoft 365 eDiscovery and Audit add-on license
Why do we need data loss prevention in Teams?
Data loss prevention policies are critical to the security of your organization's content. Users may share sensitive information with other users, which may put your organization or the users at risk. Hence, DLP policies must be used. As an administrator, you must know how to configure DLP policies to control how users share content through MS Teams.
Create a DLP Policy for Teams using custom templates
In this section, we explore the process of creating a new DLP policy using custom templates. You have several templates to choose from, depending on the nature of the restriction that you wish to apply. The creation of DLP policies using existing templates is covered in this article.
First, access the Compliance Center via this link or from the Microsoft 365 Admin Center home page.
Here, click Create Policy and choose Custom.
Here, we will configure a policy to detect and block the sharing of Indian Aadhaar card information with external users. The Aadhaar card is similar to the social security number used in the US.
On the next page, you can name the policy. I have named it the Indian Aadhaar Card Custom policy. On the following page, choose Teams chat and channel messages as the location and select the users or teams in the scope of this policy. You can choose multiple locations for a policy; however, for this demonstration, we will choose only Teams.
Choose custom policies on the next page. On the following page, you create your policy. The custom policy page shows all the settings we must configure to make this rule effective. Name the policy and choose its conditions.
In the following subsections, we review the meaning of each setting and offer recommendations.
Conditions
The Conditions section defines the trigger for your DLP policy. If you want to apply the policy to the entire contents, you must choose Content contains. However, if you want to apply the policy to a set of internal users, choose Recipient is or Recipient domain is. You can also define the policy on the basis of the sender address or domain.
For this test, we will choose Content contains, as seen here.
The next choice determines the type of policy. Once you click Add, you have the option to choose the type of sensitive information. Here, we have chosen the India Aadhaar Number.
Exceptions
In this portion, you can define exceptions, if any, on the basis of the content, sender, or recipient address.
Actions
Here, you must decide whether you want to block content from being shared with internal or external users. We chose external users.
User notifications
Users can also be notified with policy tips. In this example, we will use the message "Indian Aadhaar Card Policy Breach."
User overrides
We can allow users to override the DLP policy block on their content. However, it's not recommended, and we haven't checked that box.
Incident reports
In this section, you can outline the manner in which your admins and end users are notified of any DLP policy breaches. We selected the admin who will receive email about policy breaches with high severity. This section also defines the frequency of alerts.
Finally, you can also decide to include detailed emails regarding policy breaches, as seen here.
Policy mode
On this page, decide whether this policy needs to be enabled right away or if you want to test it first.
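The same policy can be kept as a script in Security & Compliance PowerShell, which makes the settings reviewable and repeatable. This is an added example, not part of the original walkthrough: the admin and alert addresses and the rule name are placeholders, and the mapping of each parameter to the portal setting beside it is an assumption to confirm with Get-DlpComplianceRule after creation.

```powershell
# Added example: script form of the portal steps. Assumes the
# ExchangeOnlineManagement module; addresses and rule name are placeholders.
$AdminUpn   = 'admin@contoso.example'        # placeholder account
$AlertInbox = 'dlp-alerts@contoso.example'   # placeholder report recipient
$PolicyName = 'Indian Aadhaar Card Custom policy'

Connect-IPPSSession -UserPrincipalName $AdminUpn

# Resolve the built-in sensitive information type by lookup instead of
# hard-coding its display name, and stop if the match is ambiguous.
$sit = @(Get-DlpSensitiveInformationType | Where-Object { $_.Name -like '*Aadhaar*' })
if ($sit.Count -ne 1) { throw "Expected one Aadhaar type, found $($sit.Count)." }

# Location: Teams chat and channel messages only. Policy mode: start in
# test mode with policy tips instead of enforcing right away.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Block Aadhaar numbers shared with external users in Teams' `
    -TeamsLocation All `
    -Mode TestWithNotifications

$rule = @{
    Name   = 'Block Aadhaar to external users'
    Policy = $PolicyName
    # Conditions: Content contains the Aadhaar sensitive information type
    ContentContainsSensitiveInformation = @{ Name = $sit[0].Name; minCount = '1' }
    # Actions: block only when shared outside the organization
    AccessScope      = 'NotInOrganization'
    BlockAccess      = $true
    BlockAccessScope = 'PerUser'
    # User notifications; no NotifyAllowOverride, so users cannot override
    NotifyUser                = 'LastModifier'
    NotifyPolicyTipCustomText = 'Indian Aadhaar Card Policy Breach.'
    # Incident reports: high-severity report with full details to the admin
    GenerateIncidentReport = $AlertInbox
    IncidentReportContent  = 'All'
    ReportSeverityLevel    = 'High'
}
New-DlpComplianceRule @rule

# Confirm the policy has been distributed before running a test message.
Get-DlpCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Format-List Name, Mode, DistributionStatus

# Once the test run behaves as intended, switch to enforcement:
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```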
Testing the policy
I used an Indian Aadhaar card number for this test. As seen here, the message to the external user was blocked due to our new DLP policy.
The user is clearly notified that the message has been blocked. Clicking on the What can I do? link further explains the cause. We do not allow users to override such incidents. However, if we did, then they would see a slightly different message.
At the same time, the admin and end user are notified of this DLP policy breach through email. This is as per our policy settings and can be changed if needed.
The policy works as expected in the mobile version of Teams as well.
Time taken to be effective
Most of the time, after creating a new DLP policy, you will notice that the policy does not work immediately. It may take anywhere from 1 to 24 hours for the policy to be completely effective. In the demo tenant used in this article, it took roughly 2 hours every time a new policy was created.
Conclusion
The use of DLP policies will greatly reduce the risk posed to your organization's data. Careful analysis of data and usage patterns, along with your organization's security requirements, will help you to design and implement data loss prevention policies effectively in your tenant.