Securing Information with DLP in Office 365

Cecil Du Toit

by Cecil du Toit on 11/13/2015

Share this:

Article Details

Date Revised:

Applies to:
compliance controls, Data Loss Prevention, DLP, Office 365, policy templates, security

Protecting and securing your business information is critical to your business survival and this article shows you how to do that in Office 365. What do you do to protect your organization from leaking or exposing private personal information and complying with governments’ laws?

Most people don’t have an answer or rely on an external audit company to ensure the organization complies with applicable laws, but they have no visibility on what and how information is shared across the organization. Microsoft Office 365 platform provides security, compliance, and privacy capabilities. Some of the capabilities are built-in and other capabilities the customer can control. This article focuses on the Data Loss Prevention (DLP) compliance capability in Office 365 that the customer can control.

What is DLP?

Data Loss Prevention is the capability to monitor potential data breaches inside your organization that must comply with a set of policies. It allows a system to control and block sensitive information from leaving an organization.

In Office 365, the platform helps you to identify, track and protect sensitive information in your organization through deep content analysis and makes it easy to setup the policies. The DLP capability applies to content in Exchange Online, SharePoint Online and OneDrive for Business services on Office 365.

How to use DLP in Office 365

In Office 365, the DLP capability is only available in the following subscription plans:

  • Enterprise E3
  • Enterprise E4
  • Government E3
  • Government E4
  • Nonprofit E3
  • Nonprofit E4

Setup of DLP policies

Administrators enable and manage this capability in the Admin portal of Office 365. In the Admin portal on the left navigation (figure 1), go to Admin and then select Compliance.

Office 365 Administration Portal Compliance
Figure 1: Office 365 Administration Portal Compliance Menu

Once the Compliance Center opens (figure 2), on the left menu select Data loss prevention to access the policies.

Configure Compliance Center Data loss prevention policies (DLP)
Figure 2: Compliance Center Data loss prevention policies configurations

On this page, you can manage DLP policies that must be applied in the organization. The policies applied in figure 2 are for SharePoint Online and OneDrive for business documents. You manage DLP policies for emails in the Exchange admin center page. I hope that in the future, the Exchange admin center will not be needed anymore to apply DLP policies to emails and everything can be managed from the Compliance Center.

On the current Compliance Center DLP page in the second paragraph, you will see a link to the Exchange admin center.

SharePoint Online and OneDrive for Business DLP

On the Compliance Center Data loss prevention policies page, you can click the plus sign button (figure 3) to add a new policy.

Create new DLP policy
Figure 3: Add new DLP policy

A new window appears (figure 4) where you can specify the policy you want to apply to you organization’s documents.

Create new DLP policy
Figure 4: New DLP policy information protection selection

In the New DLP policy window (figure 4), you will see that the available policies are categorized in four groups: Custom, Financial, Medical and Privacy. Once you have selected your policy to apply, like in this example of the article the policy PCI Data Security Standard (PCI DSS), then you can click Next. On the next page (figure 5), you can specify where to apply this policy. You can choose to protect all sites or you can choose specific sites in SharePoint Online or OneDrive for Business services.

DLP policy SharePoint Online, DLP policy OneDrive for Business
Figure 5: New DLP policy sites selection for SharePoint Online and OneDrive for Business

When you click Next, you get to the Customize rules page where you can customize specific rules of the policy. For this article, the default rules are correct so click Next to continue. On the last page (figure 6), you need to provide your name for the new DLP Policy and optionally a description if needed. You can specify if you first want to test the policy, which will not apply any of the actions set in the policy. The policy can still send notifications and policy tips to end users. Ultimately, you can turn on the policy that will execute the relevant actions for policies. Once you click the Create button, Office 365 will start applying the policy in your tenant.

Save new DLP policy
Figure 6: New DLP policy creation and enablement options

Exchange Online DLP

If you go to the Exchange admin center (figure 7), the experience to apply DLP policies on email information is a bit different. The concepts are the same as in the Compliance Center DLP setup.

Exchange Online Administration Center DLP configuration
Figure 7: Office 365 Exchange Online Administration Center DLP configuration

You can click on the plus button to add a new policy with the following options:

  • New DLP policy from template
  • Import DLP policy
  • New custom DLP policy

Office 365 comes with various government and industry standard policy templates (figure 8) that you can quickly apply in your organization. At the time of writing this article, there are 40 different templates available. The available templates include HRIP Act, PII, PIPA, PIPEDA, PCI DSS, HIPAA and more.

DLP policy templates built in Office 365
Figure 8: Office 365 DLP policy templates

The administrator can also enforce encryption on the private information or block the user from sending the private information like credit card number via email as shown in figure 9. The administrator can apply fine grain control on each policy. The DLP configuration options provide flexibility for administrators to provide the exact needs of an organization or industry.

Configure DLP policy rule Office 365
Figure 9: Office 365 DLP Policy rule configuration

End user experience

When an end user interacts with content that does not comply with a DLP policy, they will get a Policy Tip in the relevant Microsoft Office application on the desktop or online version. They will see the Policy Tip in the Outlook, Word, Excel or PowerPoint application. Based on the Policy Tip (figure 10) provided to the end user, the user can decide to override the policy or get more information on the policy for better guidance to comply with the policy.

DLP Policy Tip Outlook
Figure 10: Policy Tip notification to end user in Outlook

The end user can also report a false positive if the policy was triggered incorrectly. In addition, the end user can decide to break the policy and provide business feedback (figure 11) for the exception of non-compliance to the policy.

DLP policy override
Figure 11: End user DLP Policy Tip override business justification dialog

In SharePoint Online and OneDrive for Business, you also get notification (figure 12) of documents that contain sensitive information and does not comply with DLP policies.

Policy Tips SharePoint and OneDrive for Business
Figure 12: Office 365 SharePoint Online and OneDrive for Business DLP Policy Tip

(Note, figure 12 comes from the Office Blog article: Data Loss Prevention in OneDrive for Business, SharePoint Online and Office 2016 is rolling out.)


The Administrator can enable Incident Reports to run if a piece of information does not comply with a policy. The Incident Report can be mailed immediately to a particular user or sent to a ticket system where further actions can be taken.

The DLP also provides full audit data where the Administrators can export the data to another reporting system or use the available out-of-box reports. As figure 13 shows, the following reports are available in Office 365:

  • Top DLP policy matches for mail
  • DLP policy matches, overrides, and false positives for mail
  • Top DLP rule matches for mail
  • DLP policy matches by severity for mail
DLP reports in Office 365
Figure 13: Office 365 DLP reports

Benefits of DLP

The DLP offerings in Office 365 let businesses quickly and easily comply with various industry or government standards without making a big expensive investment. Which in the end puts you and your organization in a much better place. It provides easier control over auditing information exchange inside your organization. It will also keep the Security Officers more relaxed in your organization!

The DLP policies provide Policy Tips to your end users without affecting their productivity and allows users to get educated into being compliant with organizational policies. There are more benefits to list here, but you get the idea by now.


I believe that the expansion of the DLP across the Office 365 services provides great value to an organization. The new Compliance Center brings a central experience to manage and monitor policies across all services. The rate of innovation from Microsoft on security, privacy and compliance brings major benefits to everyone in Office 365 without needing to make a big investment.

One topic I did not write about that is part of the DLP capability is the Document Fingerprint capability. For now, I’ll let that be a little bit of homework for you to go and investigate. In a future article, I will explain the Document Fingerprint capability in detail.

Feel free to add a comment below (or in my original blog) to share your experience in using DLP or if you have any questions.



You can view Cecil’s original article here:

Topic: Security

Sign in with

Or register