Microsoft Purview Data Loss Prevention — a deep dive
DLP policies detect and prevent sensitive data from leaving Microsoft 365. Here's the architecture and how to roll them out.
Microsoft Purview Data Loss Prevention (DLP) is the policy engine that detects when sensitive data — credit card numbers, government IDs, source code, custom-defined patterns — is shared in a way that could put it at risk, and takes action.
Where DLP applies
DLP policies span the Microsoft 365 surface:
- Exchange Online — outgoing email containing sensitive content.
- SharePoint and OneDrive — files at rest, files shared externally.
- Teams — chat and channel messages.
- Endpoint DLP — protected actions on managed Windows and Mac endpoints (USB copy, cloud sync upload, printing).
- Power BI — dataset and report content.
- Defender for Cloud Apps — sanctioned non-Microsoft SaaS apps.
- Microsoft 365 Copilot — newer integration that limits Copilot's use of labelled sensitive data.
Sensitive Information Types (SITs)
DLP detects content via sensitive information types: regular expressions plus contextual scoring (a credit-card number is more likely real if it appears near words like "card," "expiry," "CVV"). Microsoft ships hundreds of built-in SITs covering most regulated data types globally. Custom SITs let you define your own — internal customer numbers, source code, project codenames.
Exact Data Match (EDM) SITs let you match against a known list (e.g., your actual customer SSNs uploaded as a hash), avoiding false positives common with generic SITs.
Trainable classifiers use ML to identify content types — intellectual property, source code, legal documents — that don't fit regex patterns.
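To make the "regex plus contextual scoring" idea concrete, here is an added toy matcher in PowerShell. It is not Microsoft's implementation of any built-in SIT: the keyword list, the 300-character proximity window and the 65/85 confidence values are constructed for this illustration, and the sample text is made up (4111 1111 1111 1111 is a widely published test card number that passes the Luhn checksum).

```powershell
# Added example (not Microsoft code): how a SIT combines a regular expression, a
# checksum and nearby keyword evidence into a confidence level.
# Window size, keyword list and confidence numbers are constructed for this example.

function Test-LuhnChecksum {
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]      # [string] cast avoids the char's ASCII code
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CardCandidate {
    param([string]$Text, [int]$Proximity = 300)
    $keywords = 'card', 'expiry', 'exp', 'cvv', 'visa', 'mastercard', 'cardholder'
    # 13-16 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
    $pattern = '(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        $luhn = Test-LuhnChecksum $digits
        # Supporting evidence: any keyword within $Proximity characters on either side
        $start  = [Math]::Max(0, $m.Index - $Proximity)
        $end    = [Math]::Min($Text.Length, $m.Index + $m.Length + $Proximity)
        $window = $Text.Substring($start, $end - $start).ToLowerInvariant()
        $hasKeyword = ($keywords | Where-Object { $window -match "\b$_\b" }).Count -gt 0
        # Checksum is the primary evidence; keywords only raise confidence
        $confidence = if ($luhn -and $hasKeyword) { 85 } elseif ($luhn) { 65 } else { 0 }
        [pscustomobject]@{
            Match      = $m.Value
            Luhn       = $luhn
            Keyword    = $hasKeyword
            Confidence = $confidence
        }
    }
}

# Constructed sample text: one real-looking card with context, one number that fails
# the checksum, and a 16-digit invoice figure with no card context.
$sample = @"
Please charge card 4111 1111 1111 1111, expiry 09/27, CVV 123.
Order reference 4111111111111112 (not a card).
Invoice total 1234567890123456 attached.
"@
Find-CardCandidate -Text $sample | Format-Table
```

Only the first number reaches confidence 85; the other two fail the Luhn check and score 0 even though the word "card" sits inside their proximity window. That is the behaviour to expect from Purview's own SITs as well: keyword evidence raises confidence but does not create a match on its own, which is why tuning usually means adjusting the confidence level a rule requires rather than the regex.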
Policy actions
A DLP policy combines a location (which workload), a condition (which content), and an action:
- Audit only — log, no user impact.
- Notify — show a tip to the user.
- Justify — require the user to provide business justification.
- Block with override — prevent the action but let the user override with justification.
- Block — hard block.
- Encrypt — automatically encrypt the message (Exchange).
- Remove sharing — strip external sharing links on a file (SharePoint).
The right action varies by data type and risk tolerance.
Rollout
A typical DLP rollout:
- Inventory regulated data types the organisation handles.
- Build policies in audit-only mode.
- Tune SITs and exclusions against the audit findings (false positives are common).
- Move highest-risk policies to notify, then block with override.
- Pair with sensitivity labels so user-applied labels are also a DLP signal.
- Add Endpoint DLP for managed devices.
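The policy actions and the rollout steps above, carried through in Security & Compliance PowerShell as an added example (not code from the article or from Microsoft). It assumes the ExchangeOnlineManagement module and a tenant licensed for Purview DLP; the policy name, rule name and policy-tip text are constructed for the example. The built-in "Credit Card Number" SIT referenced in the rule is a real Microsoft SIT name.

```powershell
# Added example: audit-only -> notify -> block-with-override rollout of one DLP policy.
# Assumes ExchangeOnlineManagement is installed and the account holds a Purview DLP role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$policyName = 'Contoso-PCI-CardData'   # constructed name for this example

# Step 1: create the policy across Exchange, SharePoint, OneDrive and Teams in
# audit-only mode. TestWithoutNotifications logs matches and shows users nothing.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Payment card data leaving M365 (rollout in progress)' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithoutNotifications

# Step 2: the rule. Condition: the built-in "Credit Card Number" SIT, one or more
# instances, shared outside the organisation. Action: block with override, i.e. the
# share is blocked, the owner sees a policy tip, and the user may override only with
# a business justification. An incident report gives the audit phase reviewable findings.
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item appears to contain payment card data. Remove it or justify sharing it.' `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, Detections, Severity `
    -ReportSeverityLevel High

# Step 3: after tuning SITs and exclusions against the audit findings, promote in stages.
# TestWithNotifications keeps enforcement off but shows the policy tip to users;
# Enable turns the block-with-override action on.
Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications
# ... review incident reports and Activity explorer, add exclusions, then:
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The point of keeping the block and override settings on the rule from day one is that nothing about the rule changes between phases; only the policy's Mode does. That makes the final switch to Enable a configuration change you have already observed in audit data rather than a new untested condition.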
Licensing
DLP for Exchange and Teams is included in Microsoft 365 E3. Endpoint DLP, advanced DLP capabilities, and the full Purview DLP feature set require E5 or Purview-specific add-ons.
Practical caveats
- DLP is signal-driven; it can't read intent. Tune relentlessly.
- Block-with-override is usually the right default; full block annoys users without much extra security.
- Endpoint DLP is powerful but requires Defender for Endpoint onboarding.
- DLP doesn't replace sensitivity labels — they work together.
Done well, DLP creates guardrails that catch the accidental exposures that make up most data-loss events, while staying out of the way for normal work.