SC-401 - Data Loss Prevention (DLP)
DLP Overview
Microsoft Purview Data Loss Prevention (DLP) prevents accidental oversharing and exfiltration of sensitive data. DLP policies monitor content in Microsoft 365 services, Windows endpoints, and third-party cloud apps, and can automatically apply protective actions (block, restrict, notify) when sensitive data is detected.
DLP policy locations:
| Location | What is Protected |
|---|---|
| Exchange Online | Emails (inbound and outbound), email attachments |
| SharePoint Online | Files in SharePoint document libraries and sites |
| OneDrive for Business | Files in user OneDrive accounts |
| Teams (chat and channel messages) | Sensitive content in Teams messages (requires E5 or DLP add-on for Teams) |
| Devices (Endpoint DLP) | File activities on Windows 10/11 devices onboarded to MDE |
| Microsoft Defender for Cloud Apps | Files and activities in connected third-party cloud apps |
| On-premises repositories | File shares and SharePoint Server (requires AIP scanner) |
| Power BI | Sensitive data in Power BI datasets and reports |
DLP Policy Design
DLP policies consist of one or more rules, each with conditions and actions. The policy mode controls whether rules are enforced or only simulated:
| Mode | Behavior |
|---|---|
| Test (simulation) | Policy runs but takes no enforcement action; alerts and reports generated for review |
| Test with policy tips | Policy runs, shows policy tips to users in Outlook/Office, but does not block |
| Enforce (On) | Full policy enforcement: blocks, restricts, notifies, as configured in rules |
Policy Priority
When multiple DLP policies match the same content, the rules are processed in priority order. The most restrictive policy action typically wins, but rule configuration determines exact behavior:
- Policies are ordered by priority (0 = highest priority)
- Within a policy, rules are ordered from most restrictive to least restrictive
- A rule with "Stop processing more rules" prevents lower-priority rules from applying to the same item
Rules, Conditions, and Actions
Rule Conditions
Conditions define what content triggers the rule:
- Content contains: SITs, sensitivity labels, retention labels, or trainable classifiers
- Content is shared: With people outside / inside the organization
- Sender/recipient conditions: Domain, user, group membership
- Document properties: File extension, size, SharePoint document properties
- Adaptive Protection condition: User's current IRM risk level (High/Elevated/Moderate)
Rule Actions
| Action | Available Locations |
|---|---|
| Block / Block with override | Exchange, SharePoint, OneDrive, Teams, Devices |
| Restrict access (remove external sharing) | SharePoint, OneDrive |
| Send incident report (email alert) | All locations |
| Notify user (policy tip) | Exchange (Outlook), SharePoint, OneDrive, Teams, Devices |
| Audit (log only, no action) | All locations |
| Apply sensitivity label / encrypt | Exchange (via mail flow integration) |
| Quarantine file | Devices (Endpoint DLP) |
User Notifications and Policy Tips
Policy tips appear in Outlook, Office apps, SharePoint, and Teams to inform users that their action may violate a DLP policy. They can be configured to:
- Allow the action with no override - user sees information tip only
- Allow override with business justification
- Allow override with false positive report
- Block (prevent the action from completing)
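The policy mode, rule priority, conditions, actions, and policy-tip override options above map directly onto the Security & Compliance PowerShell cmdlets. The script below is an added example, not part of the SC-401 notes or Microsoft documentation: the policy name, the credit-card count thresholds, and the tip text are constructed, while the cmdlets and parameters are the real `New-DlpCompliancePolicy` / `New-DlpComplianceRule` ones from the ExchangeOnlineManagement module.

```powershell
# Added example: a two-rule DLP policy created via Security & Compliance PowerShell.
# Connect-IPPSSession (ExchangeOnlineManagement module) is the real entry point;
# policy/rule names, thresholds and tip text are constructed for illustration.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$policyName = 'Example-CreditCard-External'

# 1. Start in "Test with policy tips" mode: users see tips, nothing is blocked,
#    incident reports still appear in the DLP reports for review.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Constructed example: credit card data shared outside the org' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications `
    -Priority 0                      # 0 = highest priority among policies

# 2. Most restrictive rule first: 10+ card numbers shared externally -> block,
#    override only with a business justification, stop processing further rules.
New-DlpComplianceRule -Name "$policyName-HighVolume" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{Name = 'Credit Card Number'; minCount = '10'}) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'This item contains many credit card numbers and cannot be shared externally.' `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, Service, MatchedItem, RulesMatched, Detections `
    -ReportSeverityLevel High `
    -StopPolicyProcessing $true `
    -Priority 0

# 3. Lighter rule for 1-9 matches: policy tip and incident report only, no block.
New-DlpComplianceRule -Name "$policyName-LowVolume" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{Name = 'Credit Card Number'; minCount = '1'; maxCount = '9'}) `
    -AccessScope NotInOrganization `
    -BlockAccess $false `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'This item appears to contain credit card numbers. Check before sharing externally.' `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel Low `
    -Priority 1

# 4. After reviewing simulation results, switch the policy to Enforce (On).
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Confirm rule order and actions as the service stored them.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, Priority, BlockAccess, NotifyAllowOverride, StopPolicyProcessing
```

Rule priority within the policy (0 before 1) plus `-StopPolicyProcessing` on the high-volume rule is what guarantees that an item with 10+ matches is blocked rather than merely tipped.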
Adaptive Protection
Adaptive Protection integrates Microsoft Purview Insider Risk Management (IRM) with DLP, dynamically adjusting DLP policy strictness based on a user's real-time insider risk level.
How Adaptive Protection Works
- IRM assigns risk levels to users (Minor, Moderate, Elevated) based on behavioral signals
- DLP policies include conditions based on IRM risk level (e.g., "applies only to users at Elevated risk")
- When a user's IRM score changes, the DLP policy automatically adjusts which rules apply to them
- Users at elevated risk get stricter DLP enforcement; users at low risk get lighter-touch rules
Adaptive Protection Configuration
| Step | Action |
|---|---|
| 1. Enable Adaptive Protection | Turn on Adaptive Protection in IRM settings - this creates IRM risk-level signals for users |
| 2. Configure Quick Setup or Manual DLP rules | Quick Setup creates sample DLP policies with Adaptive Protection conditions; manual lets you add IRM risk-level conditions to existing policies |
| 3. Review and activate | Confirm the generated policies and turn them on; monitor in DLP reports and IRM alerts |
Endpoint DLP
Endpoint DLP extends DLP protection to Windows 10/11 devices managed by Microsoft Defender for Endpoint (MDE). It monitors and controls how sensitive files are used on the endpoint itself.
Endpoint DLP Activities Monitored
| Activity | Description |
|---|---|
| Copy to removable media | File copied to USB drive, SD card, or other removable storage |
| Copy to network share | File copied to an unallowed network share or mapped drive |
| Upload to cloud service | File uploaded via browser to SharePoint, OneDrive, Box, Google Drive, etc. |
| Print | File sent to a local or network printer |
| Copy to clipboard | Content copied from a sensitive file to clipboard (can restrict paste into non-approved apps) |
| Access by unallowed apps | Sensitive file accessed by a non-approved application (e.g., personal Notepad) |
| Screen capture | Screen captured while a sensitive file is open (requires additional sensor) |
Endpoint DLP Prerequisites
- Windows 10 1809+ or Windows 11 (Enterprise edition recommended)
- Device onboarded to Microsoft Defender for Endpoint
- Microsoft 365 E5, Information Protection add-on, or Compliance add-on
- Microsoft Purview DLP policy with "Devices" as a location
Allowlisted / Blocked Apps
Endpoint DLP uses app lists to control which applications are allowed to interact with sensitive content:
- Sensitive service domains: Browser upload destinations that are allowed (corporate SharePoint) vs. blocked (personal cloud storage)
- Unallowed apps: Applications blocked from opening or accessing files matching DLP policy conditions
- Allowed apps: Applications explicitly permitted - creates an exception to unallowed app restrictions
Just-In-Time Protection
Just-In-Time (JIT) protection is an Endpoint DLP feature that protects files before they have been classified or labeled. When a file is copied to removable media or uploaded to an unsanctioned location, JIT can temporarily protect the file until Purview can classify it.
JIT protection configuration:
- Configured in Endpoint DLP settings under "Just-in-time protection"
- When enabled, files matching the scope are temporarily restricted during the classification scan period
- If the file turns out to contain sensitive content, the DLP policy action applies
- If the file is not sensitive, the temporary restriction is lifted
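The Endpoint DLP activities, prerequisites, and app/service-domain restrictions above are expressed per rule through the `-EndpointDlpRestrictions` parameter of `New-DlpComplianceRule`, with the policy scoped to the Devices location. The script below is an added example, not from the SC-401 notes: the policy and rule names are constructed, and the restriction `Setting` keywords (RemovableMedia, CloudEgress, Print, CopyPaste) and `Audit`/`Warn`/`Block` values are assumed to match the current cmdlet documentation.

```powershell
# Added example: an Endpoint DLP policy that audits printing and clipboard use,
# warns (block with override) on browser uploads, and blocks copies to removable
# media. Names are constructed; restriction keywords assumed per cmdlet docs.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'Example-Endpoint-CreditCard'

# Devices is the only location: applies to Windows 10/11 devices onboarded to MDE.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Constructed example: endpoint controls for credit card data' `
    -EndpointDlpLocation All `
    -Mode TestWithoutNotifications   # silent audit first, enforce later

New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{Name = 'Credit Card Number'; minCount = '1'}) `
    -EndpointDlpRestrictions @(
        @{Setting = 'RemovableMedia'; Value = 'Block'},   # USB / SD card copies
        @{Setting = 'CloudEgress';    Value = 'Warn'},    # browser upload, override allowed
        @{Setting = 'Print';          Value = 'Audit'},   # log only
        @{Setting = 'CopyPaste';      Value = 'Audit'}    # log only
    ) `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel Medium

# Promote to enforcement once the audit data in Activity explorer looks clean.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Sensitive service domains and the unallowed/allowed app lists are tenant-wide Endpoint DLP settings rather than rule parameters, so they are configured separately from this rule.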
Defender for Cloud Apps DLP
Microsoft Defender for Cloud Apps (MDCA) extends DLP to third-party cloud apps through two integration modes: API-based and proxy-based (session control).
API-Based File Policies
MDCA connects to cloud apps (Box, Google Drive, Salesforce, Dropbox, etc.) via API connectors and scans files at rest. DLP policies can:
- Detect files containing Purview SITs or custom patterns (using MDCA's built-in DLP engine or Purview SIT integration)
- Apply governance actions: quarantine, remove external sharing, notify file owner, apply sensitivity label
- Generate alerts for policy matches with file-level details
Session Control (Proxy-Based) DLP
When users access cloud apps via Conditional Access App Control (proxy mode):
- Real-time inspection of files being uploaded or downloaded
- Block download of files containing sensitive content or labeled as highly confidential
- Block upload of files with sensitive data to unsanctioned apps
- Apply watermarks to downloaded content in-session (visible in browser preview)