Data Loss Prevention (DLP) is an essential concern for any organization. Microsoft Exchange Online offers several features to help you create and manage DLP policies to safeguard your organization’s sensitive data.
The process to configure a DLP policy in Exchange Online is as follows:
- Step 1: Navigate to the Compliance Center in Office 365.
- Step 2: Select “Data loss prevention” from the Solutions Catalog.
- Step 3: Click on “Policy” to create a new DLP policy.
- Step 4: Select from the available templates or create a custom policy. Define the content to be protected.
- Step 5: Define policy rules that trigger actions when conditions are met.
For example, the policy “Protect Credit Card Information” will help prevent shareholders from distributing sensitive information.
Configuring DLP Policies for Microsoft SharePoint Online and Microsoft OneDrive
Just like Microsoft Exchange Online, DLP policies can also be created for Microsoft SharePoint Online and Microsoft OneDrive through the Office 365 Compliance Center.
Below is the step-by-step process to configure DLP policies:
- Step 1: Navigate to the Compliance Center.
- Step 2: Click Policy > DLP > Create a Policy.
- Step 3: Choose the type of sensitive information you want to protect.
- Step 4: Set the protection rules and actions that will be taken when someone shares sensitive information.
For example, you can create a policy that prevents employees from sharing customer personal data outside the organization.
Configuring DLP Policies for Microsoft Teams
In Microsoft Teams, you can configure the DLP policy by following the same steps as described for SharePoint Online and OneDrive for Business.
Moreover, you can specify policy actions that let a user override the policy, and even require a justification report for the override. Teams can tag sensitive information types across chat and channel messages.
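The portal steps above for Exchange Online, SharePoint Online, OneDrive and Teams can also be scripted with Security & Compliance PowerShell. The following is an added example, not part of the original guide: it creates one policy across all four locations in test mode, with a rule that blocks external sharing of credit card numbers and allows an override with justification. The account name, rule name and match threshold are assumptions.

```powershell
# Added example. The UPN, rule name and minCount are placeholders chosen for illustration.
# Requires the ExchangeOnlineManagement module and a role that can manage DLP policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$policyName = 'Protect Credit Card Information'

# One policy covering mail, files and chat.
# Test mode records matches and shows policy tips without enforcing the block.
$policy = @{
    Name               = $policyName
    Comment            = 'Credit card numbers shared outside the organization'
    ExchangeLocation   = 'All'
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
    TeamsLocation      = 'All'
    Mode               = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policy

# Rule = condition (what content, shared with whom) plus actions (what happens on a match).
$rule = @{
    Name                                = "$policyName - external sharing"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '1' }
    AccessScope                         = 'NotInOrganization'   # only content shared externally
    BlockAccess                         = $true
    NotifyUser                          = 'Owner', 'LastModifier'
    NotifyAllowOverride                 = 'WithJustification'   # user may override, must give a reason
    GenerateIncidentReport              = 'SiteAdmin'
}
New-DlpComplianceRule @rule

# Confirm what was created before anyone relies on it.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, Priority
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, AccessScope, NotifyAllowOverride

# Once the test-mode matches look correct, switch the policy to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leave the policy in test mode long enough to review its matches for false positives before running the final `Set-DlpCompliancePolicy` line.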
Configuring DLP Policies for Microsoft PowerBI
Unlike the other apps, PowerBI establishes its DLP policies in the PowerBI portal.
- Step 1: Sign in to the Power BI admin portal.
- Step 2: In the left navigation pane, select Tenant settings > Data Loss Prevention (DLP).
- Step 3: For each policy type (Business and Non-Business), specify the services that you want to include. Click Apply.
For instance, you can define a business data policy for internal services and a non-business data policy for external services.
Configuring DLP Policies in On-premises repositories
Configuring DLP policies in on-premises repositories can be done using Azure Information Protection.
- Step 1: Navigate to the Azure Information Protection pane in the Azure portal.
- Step 2: In the policy pane, select your policy (Global or custom).
- Step 3: On the Configure policy pane, under “Conditions”, click “Add a new condition”.
- Step 4: Specify the condition properties.
For instance, you might create a condition that identifies “Confidential” data in a repository and configures a policy that restricts access to this data.
In conclusion, DLP policies are instrumental in preventing data loss across various Microsoft services. With the steps provided above, you can custom-tailor your DLP policies to accurately protect sensitive data based on the specific needs of your organization.
Practice Test
True/False: You can block access completely to OneDrive using DLP policies.
- True
- False
Answer: True.
Explanation: This can be done by creating a policy in the Security & Compliance center.
Multiple Select: Which of the following can you configure DLP policies for?
- a) Microsoft Exchange Online
- b) Microsoft PowerPoint
- c) Microsoft SharePoint Online
- d) Microsoft Teams
Answer: a, c, d.
Explanation: DLP policies can be configured for Exchange Online, SharePoint Online, and Microsoft Teams to help prevent data from being shared improperly.
True/False: You are unable to configure DLP policies for on-premises repositories.
- True
- False
Answer: False.
Explanation: Using a server with Azure Information Protection, you can configure DLP policies for on-premises repositories.
Single Select: With which tool do you configure DLP policies?
- a) Microsoft 365 security center
- b) Microsoft Word
- c) Microsoft PowerBI
- d) Microsoft OneDrive
Answer: a) Microsoft 365 security center.
Explanation: DLP policies are configured through the Microsoft 365 security center which helps to protect sensitive information across various platforms.
True/False: DLP policies can help prevent sensitive information from being shared in Microsoft Teams.
- True
- False
Answer: True.
Explanation: You can create DLP policies in Teams to help prevent sensitive information from being shared or leaked during chats and channel conversations.
Multiple Select: Which of the following can a DLP policy do?
- a) Detect sensitive information
- b) Limit who can access certain files
- c) Block the sharing of sensitive information
- d) Translate documents
Answer: a, b, c.
Explanation: DLP policies can identify, monitor, and automatically protect sensitive information across Microsoft
Single Select: You are unable to configure DLP policies for which of these Microsoft platforms?
- a) Microsoft Exchange Online
- b) Microsoft SharePoint Online
- c) Microsoft PowerBI
- d) Microsoft Excel
Answer: d) Microsoft Excel.
Explanation: While DLP policies can be configured for Exchange, SharePoint and PowerBI, Excel is not directly supported.
True/False: It is possible to create a DLP policy that applies to both Microsoft Exchange Online and Microsoft SharePoint Online.
- True
- False
Answer: True.
Explanation: A single DLP policy can be applied across multiple platforms, so it could cover both Exchange Online and SharePoint Online.
Multiple Select: What can a DLP policy in PowerBI do?
- a) Prevent sharing of sensitive data in visuals
- b) Restrict download of sensitive data
- c) Allow for translation of any detected sensitive data
- d) Identify sensitive data in dashboards, reports, datasets, and dataflows
Answer: a, b, d.
Explanation: DLP policies in PowerBI can prevent sharing of sensitive data, restrict downloads, and identify where the data is located.
Single Select: In order to enforce a DLP policy across all locations in the Teams app, the policy should be applied to:
- a) Teams chat and channel messages
- b) Teams files in SharePoint
- c) Both a) and b)
- d) Neither a) nor b)
Answer: c) Both a) and b)
Explanation: For a comprehensive application of a DLP policy in Teams, it should be applied to chats, channel messages, and files in SharePoint.
True/False: You cannot modify the DLP policy priority.
- True
- False
Answer: False.
Explanation: You have the flexibility to modify the DLP policy priority depending on the sensitivity of the information you want to protect.
Single Select: Which of these cannot be identified by a DLP policy?
- a) Credit card information
- b) Health records
- c) Personal addresses
- d) Language in a document
Answer: d) Language in a document.
Explanation: DLP policies can identify and protect various types of sensitive information, such as credit card details, health records, and addresses, but cannot determine the language in a document.
True/False: A DLP policy in SharePoint Online only applies to documents uploaded after the policy is created.
- True
- False
Answer: False.
Explanation: A DLP policy in SharePoint Online applies to all documents regardless of when they were uploaded.
Multiple Select: Which of the following actions can be done by DLP policies?
- a) Detect sensitive information
- b) Protect sensitive information
- c) Encrypt sensitive information
- d) Predict future data breaches
Answer: a, b, c.
Explanation: DLP policies are designed to detect, protect, and potentially encrypt sensitive information but cannot predict future data breaches.
Single Select: A DLP policy in Teams applied to chats and channel messages is enforced where?
- a) In Teams
- b) At the service level
- c) On the client device
- d) In the SharePoint Online
Answer: a) In Teams.
Explanation: DLP policies are applied at the level of each individual service, in this case, Teams itself.
Interview Questions
What does DLP in Microsoft 365 stand for and what is it used for?
DLP stands for Data Loss Prevention. It helps to identify, monitor, and protect sensitive information in your organization through deep content analysis.
Where can you create DLP policies in Microsoft 365?
You can create DLP policies in the Microsoft 365 compliance center.
Does Microsoft’s DLP feature extend to Exchange Online?
Yes, DLP policies can be applied to Exchange Online to prevent sensitive information from being sent out in emails.
As an administrator, how can I prevent the sharing of sensitive data in Microsoft OneDrive?
You can configure DLP rules in the Microsoft 365 compliance center that will detect and help prevent the sharing of sensitive information stored in OneDrive files.
Can Microsoft Teams chats and channel messages be covered by DLP policies?
Yes, by setting up DLP policies in the Teams settings through the Microsoft 365 compliance center, you can identify and prevent the sharing of sensitive information in Teams chats and channel messages.
How does DLP work for Power BI in Microsoft 365?
When DLP policies are applied, Power BI can help prevent the sharing of reports and dashboards that contain sensitive data outside of the organization.
Which on-premises repositories can be covered by Microsoft DLP policies?
The on-premises repositories that can be covered by Microsoft DLP policies using an on-premises data gateway are SharePoint servers and file share servers.
Can DLP policy tips be displayed for users in SharePoint Online and OneDrive for Business?
Yes, when a DLP rule is triggered in SharePoint Online or OneDrive for Business, a policy tip can appear to notify end users about the potential policy violation.
Can DLP policies be applied to Microsoft Business apps?
Yes, DLP policies can be extended to Microsoft business apps such as Excel, Outlook, and PowerPoint.
How to apply DLP policies to Exchange Online stored mails?
You can add Exchange Online locations to your DLP policy under Locations in the policy settings.
What happens if data is modified in a way that violates a DLP policy?
If data is modified in a way that violates a DLP policy, users may be blocked from sharing the data, or administrators may receive notifications, depending on the settings of the DLP policy.
Can Cloud App Security be used with DLP?
Yes, Data Loss Prevention can integrate with Microsoft Cloud App Security to extend DLP policies to third party cloud apps.
Are there default DLP policies that can be used to quickly set parameters?
Yes, Microsoft provides several default DLP policy templates that you can use and customize according to your organization’s requirements.
What are some types of sensitive information you can protect with DLP policies?
Some examples include financial data, health information, personal identifiers like social security numbers, and more.
How do I test DLP policies without impacting my users?
You can set a DLP policy’s mode to “Test” first. This allows you to understand its impact without interfering with user activity.