Data loss prevention (DLP) is a handy feature in Microsoft 365 that shields data. In the previous article, you learned to configure data loss prevention in Exchange Online. The same feature is a useful addition to Microsoft Teams in terms of compliance. In this article, you will learn the techniques to create DLP policies to handle sensitive data in Teams.

Prerequisites

To follow this article, you must have the following:

  • A Microsoft 365 tenant.
  • One of the following licenses:
    • Office 365 E5/A5/G5
    • Microsoft 365 E5/A5/G5
    • Microsoft 365 E5/A5/G5 Information Protection and Governance
    • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance

If you have an Office 365 E3 or Microsoft 365 E3 license, you can use DLP to protect Exchange Online, SharePoint Online, and OneDrive. However, for DLP in Teams chats, you still need E5 licenses. For specific roles, see this link.

  • Aggregated alert configuration: To configure aggregated alert policies based on a threshold, you must use one of the following licensing configurations:
    • An E5 or G5 subscription
    • An E1, F1, or G1 subscription, or an E3 or G3 subscription that includes one of the following features:
      • Office 365 Advanced Threat Protection Plan 2
      • Microsoft 365 E5 Compliance
      • Microsoft 365 eDiscovery and Audit add-on license

Why do we need data loss prevention in Teams?

Data loss prevention policies are critical to the security of your organization's content. Users may share sensitive information with other users, which may put your organization or the users at risk. Hence, DLP policies must be used. As an administrator, you must know how to manipulate DLP policies to control how content is shared by users through MS Teams.

Create a DLP Policy for Teams using custom templates

In this section, we explore the process of creating a new DLP policy using custom templates. You have several templates to choose from, depending on the nature of the restriction that you wish to apply. The creation of DLP policies using existing templates is covered in this article.

First, access the Compliance Center via this link or from the Microsoft 365 Admin Center home page.

Here, click Create Policy and choose Custom.

This section shows the major types of templates provided in DLP


Here, we will configure a policy to detect and block the sharing of Indian Aadhaar card information with external users. The Aadhaar card is similar to the social security number used in the US.

On the next page, you can name the policy. I have named it the Indian Aadhaar Card Custom policy. On the following page, choose Teams chat and channel messages as the location and select the users or teams in the scope of this policy. You can choose multiple locations for a policy; however, for this demonstration, we will choose only Teams.

We chose Teams chat as the location where the new policy will take effect


Choose custom policies on the next page. On the following page, you create your policy. The custom policy page shows all the settings we must configure to make this rule effective. Name the policy and choose its conditions.

In the following subsections, we review the meaning of each setting and offer recommendations.

Conditions

The Conditions section defines the trigger for your DLP policy. If you want to apply the policy to the entire contents, you must choose Content contains. However, if you want to apply the policy to a set of internal users, choose Recipient is or Recipient domain is. You can also define the policy on the basis of the sender address or domain.

For this test, we will choose Content contains, as seen here.

The different types of conditions are displayed in this section


The next choice determines the type of policy. Once you click Add, you have the option to choose the type of sensitive information. Here, we have chosen the India Aadhaar Number.

Here you can choose the sensitive info type


Exceptions

In this portion, you can define exceptions, if any, on the basis of the content, sender, or recipient address.

Actions

Here, you must decide whether you want to block content from being shared with internal or external users. We chose external users.

The policy will be effective on content shared with external users


User notifications

Users can also be notified with policy tips. In this example, we will use the message "Indian Aadhaar Card Policy Breach."

Users are notified with a message each time they breach a DLP policy


User overrides

We can allow users to override the DLP policy block on their content. However, it's not recommended, and we haven't checked that box.

In this part you can allow or disallow users from overriding your policy


Incident reports

In this section, you can outline the manner in which your admins and end users are notified of any DLP policy breaches. We selected the admin who will receive email about policy breaches with high severity. This section also defines the frequency of alerts.

Incident report and alert policies are defined here


Finally, you can also decide to include detailed emails regarding policy breaches, as seen here.

Detailed policy breach email notification is configured


Policy mode

On this page, decide whether this policy needs to be enabled right away or if you want to test it first.

Testing the policy

I used an Indian Aadhaar card number for this test. As seen here, the message to the external user was blocked due to our new DLP policy.

Aadhaar card number was blocked


The user is clearly notified that the message has been blocked. Clicking on the What can I do? link further explains the cause. We do not allow users to override such incidents. However, if we did, then they would see a slightly different message.

End user policy tip about the blocked message


At the same time, the admin and end user are notified of this DLP policy breach through email. This is as per our policy settings and can be changed if needed.

Admin notification email displaying the details of the policy breach


The policy works as expected in the mobile version of Teams as well.

DLP policy works on Teams mobile app as well
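
The test above only proves something if the value typed into the chat is one the sensitive info type would match. The following Python sketch is an added example, not code from the original article or from Microsoft. It assumes the public Aadhaar format (12 digits, first digit 2 to 9, Verhoeff check digit as the last digit); the function names and the sample prefix are constructed for illustration. It builds a synthetic test value so that no real person's number has to be pasted into Teams, and shows which strings a checksum-aware detector would flag.

```python
import re

# Verhoeff tables: D5 group multiplication, position permutations, inverses.
D = ("0123456789 1234067895 2340178956 3401289567 4012395678 "
     "5987604321 6598710432 7659821043 8765932104 9876543210").split()
P = ("0123456789 1576283094 5803796142 8916043527 "
     "9453126870 4286573901 2793806415 7046913258").split()
INV = "0432156789"

# Assumed candidate shape: 12 digits grouped 4-4-4, optional space or dash
# between groups, first digit 2-9, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?!\d)")

def _fold(digits: str, offset: int) -> int:
    """Run the Verhoeff recurrence right to left; offset 1 skips the check slot."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[(i + offset) % 8][int(ch)])])
    return c

def check_digit(payload: str) -> str:
    """Check digit to append to a digit string (11 digits for Aadhaar)."""
    return INV[_fold(payload, 1)]

def is_valid(number: str) -> bool:
    """True if the value has the assumed shape and its checksum folds to 0."""
    digits = re.sub(r"[ -]", "", number)
    return (len(digits) == 12 and digits.isdigit()
            and digits[0] in "23456789" and _fold(digits, 0) == 0)

def find_aadhaar_like(message: str) -> list[str]:
    """Substrings of a chat message that a checksum-aware detector would flag."""
    return [m.group() for m in CANDIDATE.finditer(message) if is_valid(m.group())]

def synthetic_test_value(prefix: str = "99990000111") -> str:
    """Constructed (not issued) number for policy tests: prefix + check digit."""
    full = prefix + check_digit(prefix)
    return f"{full[:4]} {full[4:8]} {full[8:]}"

if __name__ == "__main__":
    good = synthetic_test_value()
    bad = good[:-1] + str((int(good[-1]) + 1) % 10)  # break the check digit
    for text in (f"ID is {good}", f"ID is {bad}", "call 1234 5678 9012"):
        print(repr(text), "->", find_aadhaar_like(text))
```

Under the same assumption, an arbitrary 12-digit string fails the checksum nine times out of ten, so a test message that is not blocked may only mean the test value was invalid rather than that the policy is not yet in effect.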


Time taken to be effective

Most of the time, after creating a new DLP policy, you will notice that the policy does not work immediately. It may take anywhere from 1 to 24 hours for the policy to be completely effective. In the demo tenant used in this article, it took roughly 2 hours every time a new policy was created.


Conclusion

The use of DLP policies will greatly reduce the risk posed to your organization's data. Careful analysis of data and usage patterns, along with your organization's security requirements, will help you to design and implement data loss prevention policies effectively in your tenant.


© 4sysops 2006 - 2022
