DEMO: Creating DLP Policies

This course is designed to give you a solid understanding of data loss prevention (DLP) in Microsoft 365. You will learn how data loss prevention works and why you as a Microsoft 365 administrator would want to implement it.

After a general DLP overview, you will be guided through a series of demonstrations that will show you how to create, test, and edit DLP policies, report on DLP and view alerts, and automatically apply labels based on data loss policy matches.

Learning Objectives 

  • Obtain a foundational understanding of data loss prevention
  • Learn how to implement data loss prevention in Microsoft 365
  • Learn how to report on data loss prevention policies

Intended Audience

This course is intended for anyone preparing for the MS-101 or MS-500 exam or who simply wants to learn about data loss prevention in Microsoft 365.


To get the most out of this course, you should have some basic experience using Microsoft 365.

Additional Resources

Microsoft Licensing Guide: 


Alright, so now what we're going to do is configure our first DLP policy. The idea of this policy is going to be that we want to block Australian financial data from being shared with people outside of our organization. So the first step is you want to go to the Microsoft 365 compliance manager, which is at And if we click the show all, we can scroll down and find Data loss prevention. So this is the Data loss prevention page, which will show you the policy.

So you can see we're in the Policies section here. Basically what we're going to do is create a policy. So if we go and create policy, we just click on that. And now what happens is we have a bunch of different templates that are pre-made for us, that we can choose from. So if you can see we've got them categorized into financial, medical. You can see I've got like Australian financial data, and PCI data, and UK financial data. You can also see what we've got here in the medical data and under the privacy. So you may have things in there that are applicable to your business.

What we're going to choose is Australian financial data, because I'm in Australia. So you can see here what's protected under this. Protected in this information is tax file numbers, bank account numbers, credit card numbers, and SWIFT codes. So if you go next, we can now name the DLP policy that we're creating, and I'm just gonna leave it as the default name, and you can add a description if you want to. We hit Next and now we decide where we want this to apply.

So this is the locations part which we just talked about before. So you can see here, by default it's applied to all of these things. What we're going to do is just apply it on all and that's fine. You can choose all or you can filter it down to certain sites as well. So say you wanted SharePoint, you could choose just a certain site that you had in SharePoint by clicking that stuff. We're just gonna leave it as all. You can also do the same thing here, set exclusions or inclusions, either way. We're just gonna apply this policy everywhere.

So now we get to the Define policy settings page where it asks you to decide if you want to use the default settings from the template you selected to quickly set up a policy or configure custom rules to refine your policy further. What we will do is just use the default for this template. It asks you what info you want to protect. We've got our content, which we selected in the policy template and then, we want to detect when the content is shared from Microsoft 365 with people outside or with people inside. We're gonna go with people outside. And then you've got these other options.

So the first one is do you want to add policy tips. Now, policy tips are really good. What they are, which we'll show you in a little while, is basically it pops up with a little message. So you can customize the policy tip if you want to. So you can click here and say notify these people. You can also customize the text. So I've just typed in, "You should not be sharing sensitive financial data." So then you'll be able to see what it is. So that's in the email text. And we can customize the email subject if we want. We can also customize the policy tip. We will add that same text in there so we can see both, and hit Save.

Then you can set the amount of sensitive info that is being shared to whether it tips it off or not. So we're just gonna set it to one because we want it to stop it whenever it's detected. And then you can do whether we send incident reports. And you can also choose what to include in those incident reports. So I'm just going to include my user, which is this administrator user. That way, I will get the incident report and also send any alerts.

So we're gonna do the same thing here. You can have it send an alert every time or send an alert when the volume of matched activities reaches the threshold. So let's say you wanted to only get an alert after three. You could select in there, change that number to, turn down a bit, down to three in 60 minutes for all users. So that's basically customizing the alert. You can just change those settings. We're gonna send an alert every time the rule matches. And you can also restrict access or encrypt the content, which we're not gonna do for now.

So here you can customize the access and override some settings. So you can restrict access or encrypt the content. You can also audit or restrict the activities on Windows devices. And you can restrict third party apps. We're not gonna do any of that because we don't have any third party apps or anything installed, but you get the gist of it. If you do want to find out more, you can just click the learn more button here. And it will take you to the Microsoft documentation site, which has all of the information on what each one of these things means.

So then we go Next. And then, if you want to test it, which will basically just put it in auditing mode, it won't actually apply the policies, but what I'm gonna do is actually turn it on. So hit Next. In real life you should do a test first and watch it for a little while, and then see how many things your DLP policy catches, and then adjust it appropriately. You don't want it to be applying it and then it blocks 1000 users from doing their job. So just yeah, be careful because you can have some real impacts on your users. But once you have tested it and you've figured out that it's all fine, then you just turn it on and start using it and keep monitoring it and changing it from then.

So basically we just hit Submit here. And then it will start submitting. So what I've found with these DLP policies is once you've created them, sometimes it can take about 24 hours for them to come into effect. They don't always just work straight away. They will take a little while. So yeah, if you do make the policy and it doesn't appear to be working, it may just be that you need to leave it for a while. Leave it for 12 or 24 hours, come back and then test it then because yeah, it does seem to take a while to actually kick in.
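
The same policy can be scripted with Security & Compliance PowerShell. The following is an added example, not part of the original course: it mirrors the settings chosen in the demo (four locations, content shared outside the organization, minimum count of one, policy tip, incident report and alert to the administrator) but starts in test mode, as the demo recommends for real deployments. The policy name and the `admin@contoso.example` address are placeholders.

```powershell
# Added example; the policy name and addresses below are placeholders.
# Requires the ExchangeOnlineManagement module and a compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

$policyName = 'Australia Financial Data (example)'   # constructed name
$admin      = 'admin@contoso.example'                # placeholder recipient
$tipText    = 'You should not be sharing sensitive financial data.'

# Start in test mode: matches are audited and tips are shown, nothing is enforced.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect Australian financial data shared outside the organization' `
    -ExchangeLocation All -SharePointLocation All `
    -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# The four sensitive info types the template protects; one instance is enough to match.
$sensitiveTypes = @(
    @{ Name = 'Australia Tax File Number';     minCount = '1' },
    @{ Name = 'Australia Bank Account Number'; minCount = '1' },
    @{ Name = 'Credit Card Number';            minCount = '1' },
    @{ Name = 'SWIFT Code';                    minCount = '1' }
)

# Rule: content shared with people outside the organization, with tip, report and alert.
New-DlpComplianceRule -Name "$policyName - shared externally" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -NotifyUser $admin `
    -NotifyPolicyTipCustomText $tipText `
    -NotifyEmailCustomText $tipText `
    -GenerateIncidentReport $admin -IncidentReportContent All `
    -GenerateAlert $admin

# Check distribution before testing; a new policy can take a while to apply.
Get-DlpCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Mode, DistributionStatus

# After reviewing the test-mode matches, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```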

About the Author

Jake is an IT manager for a managed services company that works with small- to medium-size businesses and manages their IT. He mainly works with a Microsoft Stack, from Servers to Microsoft 365 & Azure. He also specializes in business process improvement helping businesses to leverage technology to speed up their workflows. Jake really enjoys testing out new technologies and seeing what they can do. Outside of work he enjoys kayak fishing, gardening, and going to the gym.