Many workloads and services in the Microsoft 365 platform support DLP capabilities. DLP detects content based on a variety of mechanisms, such as keywords, built-in functions, and secondary matches that are located in proximity to the primary matched content. Microsoft Purview DLPcan also use document fingerprinting and machine learning algorithms to detect content.
Depending on the workload or application, DLP policies can take the following actions on detected content:
- Display a notification (called a policy tip) that warns the users about sensitive content
- Block sharing with or without the ability for the end user to override the block
- Move sensitive items to a quarantine location
- Prevent sensitive content from being displayed in a Teams chat
- Encrypt content
DLP, from the workload perspective, can be applied to data in transit, data at rest, and data in use. In the following sections, you’ll review configuring DLP settings for the Exchange Online, SharePoint, OneDrive for Business, Teams, and Power BI workloads, as well as an overview of protecting on-premises file shares with the Azure Information Protection (AIP) scanner.
Prerequisites
DLP has license subscription requirements. Depending on the workload to be protected, users need one of the following licenses:
- Microsoft 365 E3/A3/A5/E5/A5/G5
- Microsoft 365 Business Premium
- SharePoint Online Plan 2
- OneDrive for Business Plan 2
- Exchange Online Plan 2
• Microsoft 365 E5/A5/F5/G5 Compliance and F5 Security & Compliance • Microsoft 365 E5/A5/F5/G5 Information Protection & Governance
In addition, DLP for Microsoft Teams (chat and channel messages, in particular) and on-premises repositories requires one of the following licenses:
• Microsoft 365 E5/A5/G5
• Microsoft 365 E5/A5/F5/G5 Compliance or F5 Security & Compliance
• Microsoft 365 E5/A5/F5/G5 Information Protection & Governance
In order to configure DLP policies, you must be a member of one of these role groups:
- Compliance Administrator
- Compliance Data Administrator
- Information Protection
- Information Protection Admin
- Security Administrator
Organizations with any eligible subscription with DLP features (such as E1, F1, G1, A3, E3, G3, A5, E5, or G5) can create DLP alerts that are triggered on every matching activity.
Organizations with an A5, E5, or G5 subscription or an Office 365 Advanced Threat Protection Plan 2, Microsoft 365 E5 Compliance, or Microsoft 365 eDiscovery and Audit add-on license can configure aggregated alerts—meaning that DLP alerts will only show up based on a certain threshold.
With that being said, let’s look at configuring some workload policies!
Configuring Workload Protection
In this section, you’ll walk through configuring workload protections at a high level using built-in templates.