Data Loss Prevention (DLP)
DLP is the safety net that catches sensitive data before it leaves your organisation. Credit card numbers in an email? Confidential files shared on Teams? DLP blocks it and alerts the admin.
What is DLP?
DLP is the airport security scanner for your data.
Before anything leaves your organisation (via email, Teams, SharePoint sharing, or even copy-paste), DLP scans it. If it contains something sensitive — credit card numbers, health records, confidential labels — DLP can block it, warn the user, or alert an admin.
The user might not even realise they’re about to share something sensitive. DLP catches it anyway.
How DLP policies work
A DLP policy has three parts:
| Part | What It Defines | Example |
|---|---|---|
| Conditions | What to look for | “Documents containing credit card numbers” or “files with Confidential label” |
| Actions | What to do when detected | Block sharing, restrict access, warn user, audit only |
| Notifications | Who to tell | Warn the user (policy tip), alert the admin, send incident report |
DLP actions — what happens when a rule triggers
| Feature | Impact Level | What Users See |
|---|---|---|
| Audit only | Low — logging only | Nothing — activity is logged but not blocked |
| Warn | Medium — user sees a tip | Policy tip: 'This email contains sensitive data. Are you sure?' |
| Block with override | High — blocked but user can justify | 'This action is blocked. Provide a business justification to proceed.' |
| Block | Highest — hard block | 'You cannot share this content externally.' No override possible. |
Scenario: Maya handles a DLP alert
Maya receives a DLP alert:
Alert: “Sam (Marketing) attempted to email a spreadsheet containing 47 credit card numbers to an external email address”
What happened:
- Sam prepared a report with customer payment data (didn’t realise it had raw card numbers)
- DLP scanned the email attachment → detected a credit card pattern (a sensitive information type, or SIT, match)
- DLP blocked the email and showed Sam a policy tip: “This email contains credit card information and cannot be sent externally”
- DLP sent an alert to Maya with full details
Maya’s response:
- Reviews the alert in Purview → DLP → Alerts
- Contacts Sam → explains why it was blocked
- Sam redacts the card numbers → resends successfully
- Maya marks the alert as resolved
Without DLP: Those 47 credit card numbers would have been emailed to an external address. Data breach, regulatory fine, customer trust destroyed.
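A minimal model of the three policy parts applied to Sam's email, as an added example and not Microsoft Purview's own implementation: the condition is a card-number pattern plus a Luhn checksum, the action is one of the four levels above, and the notification is an admin alert. The rule thresholds, the `northwave.example` domain, the "most restrictive matching rule wins" choice and the sample content are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEVERITY = ["audit", "warn", "block_with_override", "block"]  # the page's four actions

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_cards(text: str) -> int:
    """Condition: number of distinct Luhn-valid card numbers in the content."""
    found = {re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)}
    return sum(luhn_ok(n) for n in found)

@dataclass
class Rule:
    min_count: int       # condition: at least this many matches (assumed threshold)
    external_only: bool  # condition: recipient is outside the organisation
    action: str          # action: one of SEVERITY
    alert_admin: bool    # notification

def evaluate(rules, text, recipient, org_domain="northwave.example"):
    """Return (action, alert_admin, matches) for the most restrictive matching rule."""
    n = count_cards(text)
    external = not recipient.lower().endswith("@" + org_domain)
    hits = [r for r in rules if n >= r.min_count and (external or not r.external_only)]
    if not hits:
        return ("allow", False, n)
    top = max(hits, key=lambda r: SEVERITY.index(r.action))
    return (top.action, top.alert_admin, n)

# Constructed policy and content: two published test card numbers plus a
# 16-digit order reference that fails the checksum.
RULES = [Rule(1, False, "audit", False), Rule(1, True, "block", True)]
REPORT = "Visa 4111 1111 1111 1111\nMC 5555-5555-5555-4444\nOrder ref 1234567890123456"

if __name__ == "__main__":
    for rcpt in ("auditor@partner.example", "maya@northwave.example"):
        print(rcpt, evaluate(RULES, REPORT, rcpt))
```

The order reference matches the digit pattern but is not counted, which is the kind of checksum filtering that keeps false-positive alerts down.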
Where DLP applies
DLP isn’t just for email — it covers multiple channels:
| Location | What DLP Monitors |
|---|---|
| Exchange Online | Email body and attachments |
| SharePoint Online | Files in document libraries |
| OneDrive | Personal file storage |
| Teams | Chat messages and channel messages |
| Endpoints | Files copied to USB, printed, or uploaded to cloud |
| Power BI | Dashboards and reports containing sensitive data |
Exam tip: DLP in Teams monitors MESSAGES — not just files. If someone types a credit card number in a Teams chat, DLP can catch it.
DLP alerts and investigation
When DLP triggers, admins investigate in Microsoft Purview → DLP → Alerts:
- Alert details: What was detected, who triggered it, when, which policy matched
- Activity explorer: See the full timeline of DLP events
- False positive handling: Dismiss alerts that aren’t real issues, tune policies to reduce noise
Data Loss Prevention — AB-900 Module 13
Knowledge Check
Northwave's DLP policy blocks external sharing of documents with credit card numbers. Sam in Marketing needs to send a report with payment data to an external auditor for a legitimate audit. What's the BEST configuration?
Next up: Insider Risk & Communication Compliance — detecting suspicious behaviour and monitoring for policy violations.