DLP Policies
Data Loss Prevention (DLP) policies help protect sensitive information from accidental sharing. Detect and protect credit card numbers, social security numbers, health records, and other sensitive data across Microsoft 365.
Note: DLP policies are essential for GDPR, HIPAA, PCI-DSS, and other regulatory compliance. Prevent unauthorized sharing of personal and financial data.
DLP Policy List
| Column | Description |
|---|---|
| Policy Name | Display name of the policy |
| Status | On, Off, or Test mode |
| Mode | Enforce, Test with tips, Test without tips |
| Locations | Exchange, SharePoint, OneDrive, Teams, Endpoints |
| Sensitive Info Types | Types of data being protected |
| Matches (30 days) | Number of policy matches |
Sensitive Information Types
Built-in classifiers for common sensitive data:
Financial
- Credit Card Number
- Bank Account Number
- SWIFT Code
- ABA Routing Number
Personal Identifiers
- Social Security Number (US)
- National ID (various countries)
- Passport Number
- Driver’s License Number
Health
- Health Insurance ID
- DEA Number
- Medical Record Number
- ICD-9/ICD-10 Codes
Custom
- Custom regex patterns
- Keyword dictionaries
- Trainable classifiers
- Fingerprinted documents
Creating a DLP Policy
1. Choose Template or Custom
Start from a regulatory template (GDPR, HIPAA, PCI-DSS) or build a custom policy.
2. Select Locations
Choose where the policy applies:
- Exchange email (sent and received)
- SharePoint sites
- OneDrive accounts
- Teams chat and channels
- Endpoint devices
3. Define Conditions
Specify what triggers the policy:
- Content contains sensitive info type
- Content is shared externally
- Content has sensitivity label
- Instance count thresholds
4. Configure Actions
Choose what happens when the policy matches:
- Show policy tip to user
- Send notification to admin
- Block sharing/sending
- Encrypt content
- Restrict access to content
5. User Notifications
Configure how users are informed. Policy tips appear in Office apps and warn users before they share sensitive content.
6. User Overrides
Allow users to override blocks with business justification. Overrides are logged for audit.
Policy Modes
- Enforce — Policy actively protects content. Blocks, notifications, and all actions are enforced.
- Test with Tips — Shows policy tips to users but doesn’t block. Use to educate users before enforcement.
- Test without Tips — Silently logs matches without user notification. Review matches before enabling tips.
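The following added example (not the product's own code) shows how a condition and a mode combine into an outcome: a credit card sensitive info type, an external-sharing condition, and an instance count threshold are evaluated, then the three modes decide whether to block, show a tip, or only log. The regex, the Luhn check, the function names, and the sample text are assumptions made for illustration.

```python
import re

# Assumed candidate pattern: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample: two well-known test card numbers plus a 16-digit order reference.
SAMPLE = "Card 4111 1111 1111 1111 and 5500-0000-0000-0004, order ref 1234567890123456"

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_cards(text):
    """Return distinct Luhn-valid candidates, masked to the last four digits."""
    seen = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and digits not in seen:
            seen.append(digits)
    return ["*" * (len(d) - 4) + d[-4:] for d in seen]

def evaluate(text, mode, external, min_count=1):
    """Check the condition (info type + external sharing + count), then apply the mode."""
    matches = find_cards(text)
    hit = bool(external) and len(matches) >= min_count
    return {
        "matched": hit,
        "instances": len(matches),
        "block": hit and mode == "Enforce",
        "show_tip": hit and mode in ("Enforce", "Test with Tips"),
        "log": hit,  # every mode records the match so it appears in reports
    }

if __name__ == "__main__":
    for mode in ("Enforce", "Test with Tips", "Test without Tips"):
        print(mode, evaluate(SAMPLE, mode, external=True, min_count=2))
```

The order reference fails the checksum and is not counted, which is why pairing a pattern with a validator reduces false positives before a policy moves from test mode to Enforce.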
Common Policy Templates
PCI-DSS
Protect credit card numbers. Detects card numbers and blocks sharing via email or external file sharing.
HIPAA
Protect health information. Detects medical record numbers, diagnosis codes, and health insurance IDs.
GDPR
Protect EU personal data. Detects national IDs, passport numbers, and other personal identifiers for EU residents.
Financial Data
Protect financial documents. Detects account numbers, SWIFT codes, and financial report keywords.
Policy Reports
Monitor DLP effectiveness with built-in reports:
- Policy matches — Content that triggered policies
- Override report — User overrides with justifications
- False positives — Items incorrectly flagged
- Incidents — Detailed view of each match
- DLP alerts — High-severity matches requiring review
API Reference
- GET /api/security/dlp-policies — List all DLP policies
- POST /api/security/dlp-policies — Create DLP policy
- GET /api/security/dlp-policies/:id/matches — Get policy match incidents
- PUT /api/security/dlp-policies/:id/mode — Change policy mode
- GET /api/security/dlp-policies/reports — Get DLP reports