Data Loss Prevention (DLP) Policies¶
DLP policies detect sensitive information and prevent it from being shared outside the organisation in violation of policy.
Purview portal → Data loss prevention → Policies
DLP Locations¶
| Location | What's covered |
|---|---|
| Exchange | Email messages and attachments |
| SharePoint | SharePoint sites |
| OneDrive | OneDrive accounts |
| Teams | Teams messages and channel posts |
| Devices (Endpoint DLP) | Files on Windows/macOS endpoints |
| On-premises repositories | File shares, SharePoint on-premises |
Recommended DLP Policies¶
1 — Block sharing of Personal Information (PII) Externally¶
Prevent Australian PII from being emailed or shared externally.
Purview portal → DLP → Create policy → Custom → Custom policy
| Setting | Value |
|---|---|
| Name | Protect Australian PII — External sharing |
| Locations | Exchange, SharePoint, OneDrive, Teams |
Rules:
Rule 1: High confidence — block external sharing
| Condition | Value |
|---|---|
| Content contains | Australian Driver's Licence Number, Australian Passport Number, Australian Tax File Number |
| Confidence level | High |
| Instance count | Min: 1 |
| Shared outside the organisation | Yes |
| Action | Value |
|---|---|
| Restrict or encrypt content | Block everyone |
| Notify users | Show policy tip |
| User can override | No |
| Incident report severity | High |
| Alert admin | Yes — notify security@domain.com |
Rule 2: Medium confidence — warn user
| Condition | Value |
|---|---|
| Content contains | (same sensitive types) |
| Confidence level | Medium |
| Shared outside the organisation | Yes |
| Action | Value |
|---|---|
| Notify users | Show policy tip: "This email may contain personal information. Are you sure you want to send this externally?" |
| User can override | Yes — require business justification |
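The two rules above, built from PowerShell instead of the portal wizard. This is an added example, not code from the original page or from Microsoft's documentation. It assumes the admin UPN and alert mailbox already used on this page, the rule names shown as comments, and that the built-in sensitive information types are named "Australia Driver's License Number", "Australia Passport Number" and "Australia Tax File Number" in your tenant (confirm with `Get-DlpSensitiveInformationType`). The policy is created in test mode with policy tips so it can sit in the review period described under Deployment Process before anything is blocked.

```powershell
# Added example (not from the original page): create the "Protect Australian PII" policy
# and its two rules via Security & Compliance PowerShell, starting in test mode.
# Assumed values: admin UPN, alert mailbox, rule names and built-in SIT names below.

Connect-IPPSSession -UserPrincipalName admin@domain.com

$PolicyName = "Protect Australian PII — External sharing"
$AlertTo    = "security@domain.com"

# Built-in sensitive information type names (assumption; verify with Get-DlpSensitiveInformationType)
$Sits = @(
    "Australia Driver's License Number",
    "Australia Passport Number",
    "Australia Tax File Number"
)

# Helper: one ContentContainsSensitiveInformation entry per SIT at the requested confidence level
function New-SitCondition {
    param([string[]]$Names, [string]$Confidence)
    @($Names | ForEach-Object { @{ Name = $_; minCount = "1"; confidencelevel = $Confidence } })
}

# 1. Policy across Exchange, SharePoint, OneDrive and Teams, in test mode with policy tips.
#    Nothing is blocked until the Mode is later changed to Enable.
New-DlpCompliancePolicy -Name $PolicyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications `
    -Comment "Australian PII shared outside the organisation"

# 2. Rule 1 (priority 0 so it is evaluated first): High confidence + external recipient
#    -> block everyone, no override, high-severity incident report and admin alert.
New-DlpComplianceRule -Name "High confidence - block external sharing" -Policy $PolicyName `
    -Priority 0 `
    -ContentContainsSensitiveInformation (New-SitCondition -Names $Sits -Confidence "High") `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item contains Australian personal information and cannot be shared outside the organisation." `
    -ReportSeverityLevel High `
    -GenerateIncidentReport $AlertTo `
    -GenerateAlert $AlertTo

# 3. Rule 2 (priority 1): Medium confidence + external recipient
#    -> policy tip only; user may proceed after entering a business justification.
New-DlpComplianceRule -Name "Medium confidence - warn user" -Policy $PolicyName `
    -Priority 1 `
    -ContentContainsSensitiveInformation (New-SitCondition -Names $Sits -Confidence "Medium") `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This email may contain personal information. Are you sure you want to send this externally?" `
    -NotifyAllowOverride WithJustification `
    -ReportSeverityLevel Medium

# Confirm what was created
Get-DlpComplianceRule -Policy $PolicyName | Select-Object Name, Priority, BlockAccess, NotifyAllowOverride
```

The rule priorities matter: a High-confidence match also satisfies the Medium-confidence condition, so the blocking rule must be evaluated first or the user would be offered an override on content you intended to block outright.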
2 — Block Credit Card Numbers¶
| Setting | Value |
|---|---|
| Name | Protect Financial Data — Credit Card Numbers |
| Locations | Exchange, SharePoint, OneDrive, Teams |
| Condition | Value |
|---|---|
| Content contains | Credit Card Number |
| Confidence level | High |
| Instance count | Min: 1 |
| Shared outside the organisation | Yes |
| Action | Block + notify |
3 — Endpoint DLP — Block USB Exfiltration (Requires E5 / Endpoint DLP)¶
Prevent sensitive files from being copied to USB drives on managed Windows devices.
| Setting | Value |
|---|---|
| Name | Endpoint DLP — Block USB transfer of sensitive data |
| Locations | Devices |
| Condition | Value |
|---|---|
| Content contains | Australian Tax File Number, Australian Passport Number, Credit Card Number |
| Activity | Copy to USB / removable storage |
| Action | Value |
|---|---|
| Audit or restrict activities | Block |
| User notification | Show notification |
| Override | No |
Deployment Process¶
- Create the policy in test mode (Run the policy in test mode) and leave it there for 7–14 days
- Review DLP activity explorer (Purview portal → Data loss prevention → Activity explorer) for false positives
- Adjust sensitive info type confidence levels or add exceptions for known-good senders
- Switch to Turn on the policy (enforcement mode)
High-volume false positives
The Credit Card Number type applies a Luhn checksum, but invoice or order numbers that happen to pass it will still match at Medium confidence. Use the High confidence level (which additionally requires supporting keywords or an expiry date near the number) and test extensively before blocking.
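The last two deployment steps scripted, as an added example that is not part of the original page: add an exception for a known-good internal sender, refuse to enforce a policy that has not completed its test-mode window, then switch it to enforcement. It assumes the policy and rule names used on this page, and the sender address `payroll-noreply@domain.com` is a hypothetical false-positive source standing in for whatever Activity explorer showed in your review.

```powershell
# Added example (not from the original page): promote a DLP policy from test mode to
# enforcement after the review period. Policy/rule names and the excepted sender are assumptions.

Connect-IPPSSession -UserPrincipalName admin@domain.com

$PolicyName   = "Protect Australian PII — External sharing"
$BlockRule    = "High confidence - block external sharing"
$KnownGood    = "payroll-noreply@domain.com"   # hypothetical internal sender that produced false positives
$MinTestDays  = 7

# 1. Exception for a known-good sender on the blocking rule (Exchange-only condition)
Set-DlpComplianceRule -Identity $BlockRule -ExceptIfFrom $KnownGood

# 2. Guard rails: only enforce a policy that is currently in test mode and has been there long enough
$policy = Get-DlpCompliancePolicy -Identity $PolicyName
if ($policy.Mode -notlike "Test*") {
    throw "Policy '$PolicyName' is not in test mode (current mode: $($policy.Mode)); nothing changed."
}
$daysInTest = ((Get-Date) - $policy.WhenCreated).TotalDays
if ($daysInTest -lt $MinTestDays) {
    throw "Policy '$PolicyName' has only been in test mode for $([int]$daysInTest) days; keep reviewing Activity explorer."
}

# 3. Turn the policy on (Mode Enable is the PowerShell equivalent of "Turn on the policy")
Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable

# 4. Verify the change and that the exception landed on the rule
Get-DlpCompliancePolicy -Identity $PolicyName | Select-Object Name, Mode, WhenChanged
Get-DlpComplianceRule -Identity $BlockRule | Select-Object Name, BlockAccess, ExceptIfFrom
```

If the policy was re-created during tuning, `WhenCreated` resets and the age check starts again; that is intentional, since a rebuilt policy has not been observed in test mode.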
DLP Alerts & Monitoring¶
Purview portal → Data loss prevention → Alerts
Configure alert policies within each DLP rule:
| Setting | Value |
|---|---|
| Send alert | Every time an activity matches the rule (for critical data); use the aggregated volume threshold only for noisy, lower-severity rules |
| Send alert to | security@domain.com |
| Alert severity | High |
Useful PowerShell¶
```powershell
# Connect to Security & Compliance PowerShell
Connect-IPPSSession -UserPrincipalName admin@domain.com

# List all DLP policies and whether each is in test or enforcement mode
Get-DlpCompliancePolicy | Select-Object Name, Mode, Enabled | Sort-Object Name

# List rules in a policy
Get-DlpComplianceRule -Policy "Protect Australian PII — External sharing" |
    Select-Object Name, Disabled, BlockAccess

# Check DLP matches in the Activity Explorer (via Graph — requires custom reporting)
# Most detailed view is in the Purview portal Activity Explorer UI
```