{
	"id": "1c2283ab-7d63-4b2d-806f-90e06e5071fa",
	"created_at": "2026-04-06T00:08:27.863995Z",
	"updated_at": "2026-04-10T13:11:37.684969Z",
	"deleted_at": null,
	"sha1_hash": "016f2388189045828cc0539d7594af7234636322",
	"title": "Learn about data loss prevention",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 478528,
	"plain_text": "Learn about data loss prevention\r\nBy chrfox\r\nArchived: 2026-04-05 23:20:46 UTC\r\nOrganizations control sensitive information like:\r\nfinancial data\r\nproprietary data\r\ncredit card numbers\r\nhealth records\r\nSocial Security numbers\r\nTo help protect this sensitive data, and to reduce the risk from oversharing, they need a way to help prevent their\r\nusers from inappropriately sharing sensitive data with people who shouldn't have it. This practice is called data\r\nloss prevention (DLP).\r\nIn Microsoft Purview, you implement data loss prevention by defining and applying DLP policies. A DLP policy\r\ncan help you identify, monitor, and automatically protect sensitive in Enterprise applications \u0026 devices and\r\nInline web traffic data. DLP policies act on a variety of locations, methods of data transmission, and types of user\r\nactivities.\r\nDLP uses deep content analysis—not a simple text scan. It analyzes content:\r\nFor primary data matches to keywords\r\nBy the evaluation of regular expressions\r\nBy internal function validation\r\nBy secondary data matches that are in proximity to the primary data match\r\nDLP also uses machine learning algorithms and other methods to detect content that matches your DLP\r\npolicies\r\nInline by Microsoft Edge for business for Windows devices that haven't been onboarded into Microsoft\r\nPurview (preview) and Use Network Data Security to help prevent sharing sensitive information with\r\nunmanaged AI (preview)\r\nhttps://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp\r\nPage 1 of 11\n\nDLP monitors and protects against oversharing in enterprise apps and on devices. It targets Microsoft 365\r\nlocations, like Exchange and SharePoint, and locations you add, like on-premises file shares, endpoint devices,\r\nand non-Microsoft cloud apps. 
These locations and sources include:\r\nMicrosoft 365 services, like Exchange, SharePoint, OneDrive accounts, and Teams chat and channel\r\nmessages\r\nOffice applications, such as Word, Excel, and PowerPoint\r\nDevices running Windows 10, Windows 11, and the three most recent versions of macOS\r\nNon-Microsoft cloud apps\r\nOn-premises file shares and on-premises SharePoint\r\nMicrosoft Fabric and Power BI workspaces\r\nMicrosoft 365 Copilot and Copilot chat (preview)\r\nManaged cloud apps\r\nCreate DLP policies for Enterprise applications \u0026 devices to cover these locations.\r\nDLP, with collection policies, monitors and protects against oversharing to Unmanaged cloud apps by targeting\r\ndata transmitted on your network and in Microsoft Edge for Business. Create policies that target Inline web traffic\r\n(preview) and Network activity (preview) to cover locations like:\r\nOpenAI ChatGPT—for Edge for Business and Network options\r\nGoogle Gemini—for Edge for Business and Network options\r\nDeepSeek—for Edge for Business and Network options\r\nMicrosoft Copilot—for Edge for Business and Network options\r\nOver 34,000 cloud apps in the Microsoft Defender for Cloud Apps cloud app catalog—Network option\r\nonly\r\n1. Administrative units\r\n2. Learn about Microsoft Purview Data Loss Prevention\r\n3. Plan for data loss prevention (DLP) - by working through this article you will:\r\n1. Identify stakeholders\r\n2. Describe the categories of sensitive information to protect\r\n3. Set goals and strategy\r\n4. Collection Policies solution overview\r\n5. Collection policy reference\r\n6. Data Loss Prevention policy reference - this article introduces all the components of a DLP policy and how\r\neach one influences the behavior of a policy\r\n7. Design a DLP policy - this article walks you through creating a policy intent statement and mapping it to a\r\nspecific policy configuration.\r\n8. 
Create and Deploy data loss prevention policies - This article presents some common policy intent\r\nscenarios that you map to configuration options, then it walks you through configuring those options.\r\n9. Learn about investigating data loss prevention alerts - This article introduces you to the lifecycle of alerts\r\nfrom creation, through final remediation and policy tuning. It also introduces you to the tools you use to\r\ninvestigate alerts.\r\nFor information on licensing, see\r\nMicrosoft 365 Enterprise Plans\r\nMicrosoft 365 Service Descriptions\r\nDLP is just one of the Microsoft Purview tools that you use to help protect your sensitive items wherever they live\r\nor travel. You should understand the other tools in the Microsoft Purview tool set, how they interrelate, and work\r\nbetter together. See, Microsoft Purview tools to learn more about the information protection process.\r\nDLP policies monitor the activities that users take on sensitive items and, if the policy conditions are met, take\r\nprotective actions. 
For example, when a user attempts a prohibited action, like copying a sensitive item to an\r\nunapproved location or sharing medical information in an email, DLP can:\r\nshow a pop-up policy tip to the user that warns them that they might be trying to share a sensitive item\r\ninappropriately\r\nblock the sharing and, via a policy tip, allow the user to override the block and capture the user's\r\njustification\r\nblock the sharing without the override option\r\nfor data at rest, sensitive items can be locked and moved to a secure quarantine location\r\nfor Teams chat, the sensitive information won't be displayed\r\nAll DLP monitored activities are recorded to the Microsoft 365 Audit log by default and routed to Activity\r\nexplorer.\r\nA DLP implementation typically follows these major phases.\r\nPlan for DLP\r\nPrepare for DLP\r\nDeploy your policies in production\r\nDLP monitoring and protection are native to the applications that users use every day. This helps to protect your\r\norganization's sensitive items from risky activities, even if your users are unaccustomed to data loss prevention\r\nthinking and practices. If your organization and your users are new to data loss prevention practices, the adoption\r\nof DLP might require a change to your business processes, and there will be a culture shift for your users. But,\r\nwith proper planning, testing and tuning, your DLP policies protect your sensitive items while minimizing any\r\npotential business process disruptions.\r\nKeep in mind that DLP as a technology can monitor and protect your data at rest, data in use and data in motion\r\nacross Microsoft 365 services, Windows 10, Windows 11, and macOS (three latest released versions) devices, on-premises file shares, and on-premises SharePoint. 
There are planning implications for the different locations, the\r\ntype of data you want to monitor and protect, and the actions to be taken when a policy match occurs.\r\nDLP policies can block users from performing prohibited activities, like inappropriate sharing of sensitive\r\ninformation via email. As you plan your DLP policies, you must identify the business processes that touch your\r\nsensitive items. The business process owners can help you identify appropriate user behaviors that should be\r\nallowed and inappropriate user behaviors that should be protected against. You should plan your policies and\r\ndeploy them in simulation mode, and evaluate their impact, before running them in more restrictive modes.\r\nA successful DLP implementation is as much dependent on getting your users trained and acclimated to data loss\r\nprevention practices as it is on well planned and tuned policies. Since your users are heavily involved, be sure to\r\nplan for training for them too. You can strategically use policy tips to raise awareness with your users before\r\nchanging the policy status from simulation mode to more restrictive modes.\r\nYou can apply DLP policies to data at rest, data in use, and data in motion in locations such as:\r\nExchange Online email\r\nSharePoint sites\r\nOneDrive accounts\r\nTeams chat and channel messages\r\nInstances: Microsoft Defender for Cloud Apps\r\nDevices: Windows 10, Windows 11, and macOS (three latest released versions)\r\nOn-premises repositories\r\nFabric and Power BI workspaces\r\nMicrosoft 365 Copilot (preview)\r\nEach one has different prerequisites. Sensitive items in some locations, like Exchange online, can be brought\r\nunder the DLP umbrella by just configuring a policy that applies to them. Others, such as on-premises file\r\nrepositories, require a deployment of Microsoft Purview Information Protection scanner. 
You'll need to prepare\r\nyour environment, code draft policies, and test them thoroughly before activating any blocking actions.\r\nStart by defining your control objectives, and how they apply across each respective workload. Draft a policy that\r\nembodies your objectives. Feel free to start with one workload at a time, or across all workloads - there's no\r\nimpact yet. For more information, see Create and deploy data loss prevention policies.\r\nEvaluate the impact of the controls by implementing them with a DLP policy in simulation mode. Actions defined\r\nin a policy aren't applied while the policy is in simulation mode. It's ok to apply the policy to all workloads in\r\nsimulation mode, so that you can get the full breadth of results, but you can start with one workload if you need to.\r\nFor more information, see Policy Deployment.\r\nWhile in simulation mode, monitor the outcomes of the policy and fine-tune it so that it meets your control\r\nobjectives while ensuring you aren't adversely or inadvertently impacting valid user workflows and productivity.\r\nHere are some examples of things to fine-tune:\r\nAdjust the locations and people/places that are in or out of scope\r\nTune the conditions that are used to determine if an item and what is being done with it matches the policy\r\nRefine the sensitive information definitions\r\nAdd new controls\r\nAdd new people\r\nAdd new restricted apps\r\nAdd new restricted sites\r\nNote\r\nStop processing more rules doesn't work in simulation mode, even when it's turned on.\r\nOnce the policy meets all your objectives, turn it on. Continue to monitor the outcomes of the policy application\r\nand tune as needed.\r\nNote\r\nIn general, policies take effect about an hour after being turned on.\r\nYou have flexibility in how you create and configure your DLP policies. 
You can start from a predefined template\r\nand create a policy in just a few clicks or you can design your own from the ground up. No matter which you\r\nchoose, all DLP policies require the same information from you.\r\n1. Choose what you want to monitor - DLP comes with many predefined policy templates to help you get\r\nstarted or you can create a custom policy.\r\nA predefined policy template, such as Financial data, Medical and health data, Privacy data all for\r\nvarious countries and regions.\r\nA custom policy that uses the available sensitive information types (SIT), retention labels, and\r\nsensitivity labels.\r\n2. Choose administrative scoping - DLP supports assigning Administrative Units to some Enterprise\r\napplications \u0026 devices policies. Administrators who are assigned to an administrative unit can only create\r\nand manage policies for the users, groups, distribution groups, accounts, and sites that they're assigned to.\r\nSo, policies can be applied to all users, groups, and sites by an unrestricted administrator, or they can be\r\nscoped to administrative units. See, Policy Scoping for more DLP specific details. See, Administrative\r\nunits for the details on administrative units across Microsoft Purview Information Protection.\r\n3. Choose where you want to monitor - You pick one or more locations that you want DLP to monitor for\r\nsensitive information. 
You can monitor:\r\nLocation | Include/exclude by\r\nExchange email | distribution groups\r\nSharePoint sites | sites\r\nOneDrive accounts | accounts or distribution groups\r\nTeams chat and channel messages | account or distribution group\r\nWindows 10, Windows 11, and macOS (three latest released versions) devices | users and groups + devices and device groups\r\nMicrosoft Cloud App Security | instance\r\nOn-premises repositories | repository file path\r\nFabric and Power BI workspaces\r\nMicrosoft 365 Copilot (preview) | account or distribution group\r\nNote\r\nThe users and groups mentioned above should be Online users and M365, Exchange online, and Microsoft Entra\r\ngroups\r\n4. Choose the conditions that must be matched for a policy to be applied to an item - You can accept\r\npreconfigured conditions or you can define custom conditions. Some examples are:\r\nitem contains a specified type of sensitive information that is being used in a certain context. For\r\nexample, 95 social security numbers being emailed to recipient outside your org.\r\nitem has a specified sensitivity label\r\nitem with sensitive information is shared either internally or externally\r\n5. Choose the action to take when the policy conditions are met - The actions depend on the location\r\nwhere the activity is happening. Some examples are:\r\nSharePoint/Exchange/OneDrive: Block people who are outside your organization from accessing\r\nthe content. 
Show the user a tip and send them an email notification that they're taking an action that\r\nis prohibited by the DLP policy.\r\nTeams Chat and Channel: Block sensitive information from being shared in the chat or channel.\r\nWindows 10, Windows 11, and macOS (three latest released versions) Devices: Audit or restrict\r\ncopying a sensitive item to a removable USB device.\r\nOffice Apps: Show a popup notifying the user that they're engaging in a risky behavior and block or\r\nblock but allow override.\r\nOn-premises file shares: move the file from where it's stored to a quarantine folder.\r\nNote\r\nThe conditions and the actions to take are defined in an object called a rule.\r\nAll DLP policies are created and maintained in the Microsoft Purview portal. See, Create and Deploy data loss\r\nprevention policies for more information.\r\nAfter you create a DLP policy, it's stored in a central policy store, and then synced to the various content sources,\r\nincluding:\r\nExchange, and from there to Outlook on the web and Outlook\r\nOneDrive\r\nSharePoint sites\r\nOffice desktop programs (Excel, PowerPoint, and Word)\r\nMicrosoft Teams channels and chat messages\r\nAfter the policy is synced to the right locations, it starts to evaluate content and enforce actions.\r\nDLP reports a vast amount of information to Microsoft Purview from monitoring policy matches and actions, to\r\nuser activities. You need to consume and act on that information to tune your policies and triage actions taken on\r\nsensitive items. The telemetry goes into the Microsoft 365 audit Logs first, is processed, and makes its way to\r\ndifferent reporting tools. 
Each reporting tool has a different purpose.\r\nThe DLP Overview page gives you quick access to important information about your DLP policies, including:\r\nPolicy sync status\r\nDevice status\r\nTop activities detected\r\nDevice overall health\r\nYou can investigate incidents for Microsoft Purview Data Loss Prevention (DLP) from the Microsoft Defender\r\nportal Incidents \u0026 alerts \u003e Incidents. See Investigate data loss incidents with Microsoft Defender XDR and\r\nInvestigate alerts in Microsoft Defender XDR.\r\nDLP can generate alerts when a user(s) performs an activity that meets the criteria of a rule in a DLP policy, and\r\nyou have incident reports configured to generate alerts. Depending on your subscription level, alerts can be\r\naggregated on a time window/rule basis or on a time window/user basis (preview).\r\nDLP posts the alert for investigation in the DLP Alerts dashboard. Use the DLP Alerts dashboard to view alerts,\r\ntriage them, set investigation status, and track resolution. Alerts are also routed to Microsoft Defender portal\r\nwhere you can do all the alert dashboard tasks plus more.\r\nDLP alerts are available in the Microsoft Defender portal for six months. They're only available in the Microsoft\r\nPurview DLP alerts dashboard for 30 days.\r\nIf you're an administrative unit restricted admin, you'll only see the DLP alerts for your administrative unit.\r\nHere's an example of alerts generated by policy matches and activities from Windows 10 devices.\r\nYou can also view details of the associated event with rich metadata in the same dashboard.\r\nNote\r\nAlerts are generated differently for emails than they are for SharePoint or OneDrive items. In SharePoint and\r\nOneDrive, DLP scans existing items as well as new ones and generates an alert whenever a match is found. 
In\r\nExchange, new email messages are scanned and an alert is generated if there's a policy match. DLP does not scan\r\nor match previously existing email items that are stored in a mailbox or archive.\r\nFor more information on Alerts, see:\r\nAlerts in DLP policies: Describes alerts in the context of a DLP policy.\r\nGet started with data loss prevention alerts: Covers the necessary licensing, permissions, and prerequisites\r\nfor DLP alerts and alert reference details.\r\nCreate and deploy data loss prevention policies: Includes guidance on alert configuration in the context of\r\ncreating a DLP policy.\r\nLearn about investigating data loss prevention alerts: Covers the various methods for investigating DLP\r\nalerts.\r\nInvestigate data loss incidents with Microsoft Defender XDR: How to investigate DLP alerts in Microsoft\r\nDefender portal.\r\nThe Activity explorer tab on the DLP page has multiple filters you can use to view DLP events. Use this tool to\r\nreview activity related to content that contains sensitive info or has labels applied, such as what labels were\r\nchanged, files were modified, and matched a rule.\r\nYou can view the last 30 days of DLP information in Activity Explorer using these preconfigured filters:\r\nEndpoint DLP activities\r\nFiles containing sensitive info types\r\nEgress activities\r\nDLP policies that detected activities\r\nDLP policy rules that detected activities\r\nTo see this information | Select this activity\r\nUser overrides | DLP rule undo\r\nItems that match a DLP rule | DLP rule matched\r\nYou can also access DLP reports by using these cmdlets in Security \u0026 Compliance PowerShell.\r\n1. Connect to Security \u0026 Compliance PowerShell\r\nUse these cmdlets:\r\nGet-DlpDetailReport\r\nGet-DlpDetectionsReport\r\nGet-DlpSiDetectionsReport\r\nHowever, DLP reports need to pull data from across Microsoft 365, including Exchange. 
For this reason, the\r\nfollowing cmdlets for DLP reports are available in Exchange PowerShell. To use the cmdlets for these DLP\r\nreports, take the following steps:\r\n1. Connect to Exchange PowerShell\r\nUse these cmdlets:\r\nGet-DlpDetailReport\r\nGet-MailDetailDlpPolicyReport\r\nYou can see the text that surrounds the matched content, like a credit card number in a DLPRuleMatch event in\r\nActivity explorer.\r\nDLPRuleMatch events are paired with user egress activities such as \"CopyToClipboard\" or \"CloudEgress\". They\r\nshould be right next to (or at least very close to) each other in Activity explorer. You want to look at both because\r\nthe user activity contains details about the matched policy and the DLPRuleMatch event contains the details\r\nabout the text that surrounds the matched content.\r\nFor endpoint, be sure that you have applied KB5016688 for Windows 10 devices and KB5016691 for Windows 11\r\ndevices or above.\r\nFor more information, see Get started with activity explorer.\r\nTo learn more about Microsoft Purview DLP, see:\r\nLearn about Endpoint data loss prevention\r\nLearn about the default data loss prevention policy in Microsoft Teams (preview)\r\nLearn about data loss prevention on-premises scanner\r\nLearn about the Microsoft Compliance Extension\r\nGet started with the data loss prevention Alerts dashboard\r\nTo learn how to use data loss prevention to comply with data privacy regulations, see Deploy information\r\nprotection for data privacy regulations with Microsoft Purview (aka.ms/m365dataprivacy).\r\nSource: https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp"
	],
	"report_names": [
		"dlp-learn-about-dlp"
	],
	"threat_actors": [],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/016f2388189045828cc0539d7594af7234636322.pdf",
		"text": "https://archive.orkl.eu/016f2388189045828cc0539d7594af7234636322.txt",
		"img": "https://archive.orkl.eu/016f2388189045828cc0539d7594af7234636322.jpg"
	}
}