DEMO: Testing DLP Policies
Start course

This course is designed to give you a solid understanding of data loss prevention (DLP) in Microsoft 365. You will learn how data loss prevention works and why you as a Microsoft 365 administrator would want to implement it.

After a general DLP overview, you will be guided through a series of demonstrations that will show you how to create, test, and edit DLP policies, report on DLP and view alerts, and automatically apply labels based on data loss policy matches.

Learning Objectives 

  • Obtain a foundational understanding of data loss prevention
  • Learn how to implement data loss prevention in Microsoft 365
  • Learn how to report on data loss prevention policies

Intended Audience

This course is intended for anyone preparing for the MS-101 or MS-500 exam or who simply wants to learn about data loss prevention in Microsoft 365.


To get the most out of this course, you should have some basic experience using Microsoft 365.

Additional Resources

Microsoft Licensing Guide: 


Okay. So this continues on from the last lecture where we created our first DLP policy to monitor Australian financial data. So, it's been a couple of days. You can see here, I created this DLP policy on January 31. It's now the 3rd of February. So, we've given it some time as discussed to let it kick in and let it propagate throughout our Office 365 tenant.

So the first thing I'm going to do is actually check if we had any alerts during the time since we made this to now. So in theory, any alerts that would have happened, if there was information that was detected, it should have sent an alert to our administrator like we set in that DLP policy. Which here we go. You can see here, Saturday at 9:51, which was about 24 hours after we created this policy, we've gotten two alerts.

So we've got an alert here that the credit card number has been detected inside of a document called Contoso Purchasing Permissions. And that we've had a match. So the DLP policy is active and we have actually got a match in a pre-existing document. This is not a document that I've created in that time. This is a document that was already there. We've just created the DLP policy and it is matched some information that already existed in our tenant and sent our administrator an email alert to let them know, which then we could view the alert details inside of the compliance center, if we wished. And there are the alert details. So now we know that our DLP policy was activated and it did actually find some information that was pre-existing.

So let's test it out. We will go into here, which I am currently logged in as Adele V. And what we'll do is we'll get Adele V to try and share some sensitive information with somebody outside of the organization. So we're gonna generate a credit card number. And we're gonna try and email it out and we will see what happens from the users point of view.

So if we go, new message. I have generated a fake email account that we can use, which is you can see this email account is an external account, not part of my tenant. And now I've generated a fake visa card account as well. So, if we put card number expiry. Let it be 23. And what should happen is you should get a policy tip up the top once it's detected. So you can say here outlook online has detected that we've had a match with our sensitive financial data policy. And it's put this policy tip, which we set inside of the policy. Which then you can show details.

If the recipient thinks that this is a false positive, they can click learn more and report it. Or they can remove the recipient. So it gives that policy tip to try and just tell users, this is what's going on. Because they might not realize that they shouldn't be sharing a credit card number with somebody outside of the organization. They might think, yes, we always you always send credit card numbers via email, why wouldn't you? But as I hope we all know, sending sensitive information via email may not be the safest way to send information.

So anyway, let's say the policy tip has come up and we're still gonna send it anyway. We're disregarding the policy tip. I am sending out this information. So, as the user hit send. DLP has detected it and it will do what we set it to do. So you can see here, it send notification to the user Adele Vance saying you should not be sharing sensitive financial data. So the user, if they hadn't seen that policy tip, they will get this email as well. And it will attach the email that's been detected.

As well as this, as well as the user getting notified, we should have a notification as the administrator as well. So the administrator, because we've set this in our DLP policy, the administrator also gets this email saying a match to one of your organization policy rules has been detected. Gives you a report ID, the severity, if it's a false positive, if it was overwritten, and what conditions matched.

So you can say here it is matched external recipients and that it contains sensitive information. It also attaches the original email. So the administrator gets that original email, which then they can act on it. If it was nefarious, they would have the ability to go, hey, this person is sharing information they should not be sharing. If it wasn't nefarious and it might be a false positive, then the administrator can act on it accordingly. 

So that's basically it. You've seen what happens when a DLP policy is matched and the notifications that the user gets and the administrator gets. We've also had a look at what a policy tip looks like at the top of the email, which was the thing that popped up when it actually detected it, while the email was getting written. And yeah, that's basically an overview of what happens from a user's perspective when they hit a DLP policy.

About the Author

Jake is an IT manager for a managed services company that works with small- to medium-size businesses and manages their IT. He mainly works with a Microsoft Stack, from Servers to Microsoft 365 & Azure. He also specializes in business process improvement helping businesses to leverage technology to speed up their workflows. Jake really enjoys testing out new technologies and seeing what they can do. Outside of work he enjoys kayak fishing, gardening, and going to the gym.