
You're reading from  Microsoft 365 Security, Compliance, and Identity Administration

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781804611920
Edition: 1st Edition
Author: Peter Rising

Peter Rising has over 25 years' experience in IT. He has worked for several IT solutions providers and private organizations in a variety of technical and leadership roles, with a focus on Microsoft technologies. Since 2014, Peter has specialized in the Microsoft 365 platform, focusing most recently on security and compliance in his role as a Consulting Services Manager for Insight. Peter is heavily involved in the wider Microsoft community and has been recognized by Microsoft as an MVP. He holds several Microsoft certifications, including MCSE: Productivity; Microsoft 365 Certified: Enterprise Administrator Expert; and Microsoft 365: Cybersecurity Architect Expert.

Managing Microsoft Purview Data Loss Prevention

Data loss prevention (DLP) in Microsoft 365 is designed to allow administrators to protect users from accidentally sharing sensitive information from your organization. This is achieved by creating policies that can be applied to your users and groups across multiple Microsoft 365 services. These policies use built-in or custom sensitive information types (SITs) that can then be detected within the content that your users are working on. They can also be used to trigger user policy tips to provide guidance on sharing information. These policies can also block content more aggressively when a policy match is detected and alert and report on such instances. This chapter will show you how to effectively plan and implement your DLP policies. It will also demonstrate how you can manage the reporting features and alert settings available and create policies from built-in templates, or create custom policies to meet your requirements using simple...

Planning and implementing DLP

In order to effectively plan for your Microsoft 365 DLP deployment, you need to understand any existing or potential data leakage within your organization. DLP can initially be configured with policies that run in test mode only. This is a good starting point for acquiring the information you need to determine your DLP strategy. But before you can create your test policies, it is important that you understand how DLP works, what sort of information can be detected, and which Microsoft 365 services can be protected.

A good starting point is to examine the SITs used by DLP policies. There are several built-in SITs available in Microsoft 365. You explored sensitive info types in more detail in Chapter 11, Managing Sensitive Information, but as a quick reminder, you can find these in the Microsoft Purview compliance center at https://compliance.microsoft.com under Data classification | Sensitive info types:

Figure 12.1: Sensitive info types
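
The planning approach described above (confirm the SIT, then start with a test-mode policy) can also be scripted in Security & Compliance PowerShell. This is an added example, not code from the book; the policy and rule names are hypothetical, and it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a compliance administration role.

```powershell
# Added example: pilot a DLP policy in test mode before enforcing it.
# Policy/rule names are hypothetical; 'Credit Card Number' is a built-in SIT.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# 1. Confirm the SIT exists in this tenant before a rule references it.
$sitName = 'Credit Card Number'
$sit = Get-DlpSensitiveInformationType -Identity $sitName -ErrorAction Stop

# 2. Create the policy in test mode so matches are recorded but nothing is
#    blocked and users see no policy tips during the pilot.
$policyName = 'Pilot - Financial data'          # hypothetical name
$existing = Get-DlpCompliancePolicy | Where-Object Name -eq $policyName
if (-not $existing) {
    New-DlpCompliancePolicy -Name $policyName `
        -Comment 'Test-mode pilot to measure existing data leakage' `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
        -Mode TestWithoutNotifications
}

# 3. Add one rule: content containing the SIT that is shared outside the
#    organization. No blocking action is set, so the rule only audits.
$ruleName = "$policyName - external sharing"    # hypothetical name
$existingRule = Get-DlpComplianceRule -Policy $policyName |
    Where-Object Name -eq $ruleName
if (-not $existingRule) {
    New-DlpComplianceRule -Name $ruleName -Policy $policyName `
        -ContentContainsSensitiveInformation @{ Name = $sit.Name; minCount = '1' } `
        -AccessScope NotInOrganization `
        -ReportSeverityLevel Low
}

# 4. Verify what was created and which mode it is running in.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode
Get-DlpComplianceRule -Policy $policyName | Format-List Name, Disabled

# 5. Run later, once the pilot's matches have been reviewed:
#    first surface policy tips to users, then enforce.
# Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The `-Mode` values `TestWithoutNotifications`, `TestWithNotifications` and `Enable` are the cmdlet's names for the policy states chosen in the portal wizard.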


Managing DLP policies for Microsoft 365 workloads

Now that you understand the core components that make up a DLP policy, you can go ahead and work with an actual DLP policy.

Creating a DLP policy

To create a DLP policy, you can use a template and assign it to the chosen Microsoft 365 locations. To do this, complete the following steps:

  1. Log in to the Microsoft Purview compliance center, which can be accessed by administrators at https://compliance.microsoft.com, and navigate to Data loss prevention | Policies, shown in the following screenshot. You will see a list of any existing DLP policies described by name, order of priority, last modified date, and the status of the policy. To create your new DLP policy, click on Create policy:
Figure 12.4: Policy

  2. You have several options to create your policy. You can use a template or create your own custom policy. Templates are broken down into categories such as Enhanced, Financial, Medical...

DLP reporting and alerting capabilities

There are several reporting and alerting capabilities for DLP available within the Microsoft Purview compliance center. Regularly reviewing these will give Microsoft 365 administrators valuable insights into how effectively DLP is configured and working. The reports that are available are as follows:

  • DLP Policy Matches: This section shows a count of recent policy matches, all of which you can filter by date, location, policy, or action. Policy matches are shown in this report at a rule level, meaning that the report is better for identifying matches with specific rules and fine-tuning your DLP policies. Clicking into the tile will give you a broader view of the DLP policy match activity, along with related reports on DLP Incidents and DLP false positives and overrides.
  • DLP Incidents: This report shows you policy matches over time at an item level. An example of this would be where an email matches different rules but the report shows...

Implementing Endpoint DLP

Endpoint DLP enables you to protect sensitive content stored on your Windows 10, Windows 11, and macOS devices using DLP policies. Before DLP policies can be applied to devices, you must first onboard the devices that you want your policies to target. To do this, complete the following steps:

  1. From the Microsoft Purview compliance center, go to Settings | Device onboarding and click on Turn on device onboarding:
Figure 12.34: Turning on device onboarding in the Purview compliance center

  2. You will be informed that when turning this feature on, any devices already onboarded to Microsoft Defender for Endpoint will appear in the list of devices. Click OK:
Figure 12.35: Turning on device onboarding

  3. Be aware that it could take some time for device onboarding to be fully enabled. You will be warned of this, as shown in the following screenshot. Acknowledge the warning by clicking OK...

Summary

This chapter explained how DLP in Microsoft 365 can help create policies based on built-in and custom SITs. This prevents users in an organization from accidentally sharing sensitive information. We learned how to set up and modify a DLP policy and apply it to all or selected Microsoft 365 locations. We also learned how to effectively plan a DLP rollout by creating policies in test mode only, as well as how to view and interpret the reports that are available in the Microsoft Purview compliance center and also Windows PowerShell. Finally, we learned how Endpoint DLP is used to protect Windows 10 and 11 devices as well as macOS devices with device onboarding settings and DLP policies.

The next chapter will introduce the principles of data governance and retention. We will learn how to view and interpret data life cycle management reports and dashboards, configure retention labels and policies, configure retention within Microsoft 365 workloads, find and recover deleted Office...

Questions

  1. What do you need to do before you can use Endpoint DLP in Microsoft Purview?
    1. Enable device synchronization
    2. Enable device onboarding
    3. Enable device scanning
    4. Enable Microsoft Defender for Cloud Apps
  2. Which of the following device types can be protected using Endpoint DLP (select three)?
    1. Windows 11
    2. Linux
    3. Windows 10
    4. macOS
    5. iOS
    6. Android
  3. Which of the following is not one of the possible settings for a DLP policy in Microsoft Purview?
    1. Test (with notifications)
    2. On
    3. Test (without notifications)
    4. Test in simulation mode
    5. Off
  4. Which of the following are categories of templates that can be selected when setting up a DLP policy (choose two)?
    1. Legal
    2. Financial
    3. Government
    4. Medical and health
  5. True or False? DLP policies can be applied to Teams chat and channel messages.
    1. True
    2. False
  6. Where do you configure DLP policies?
    1. The Azure portal
    2. The Microsoft 365 Defender portal
    3. The Microsoft Purview compliance portal
    4. The Microsoft 365 admin center
  7. True or False? When a DLP policy is set to test with policy...