DLP Policies Across M365 Workloads
Configure Data Loss Prevention policies for Exchange Online, SharePoint, OneDrive, Teams, Power BI, and Microsoft 365 Copilot to prevent sensitive data leaks.
Stopping sensitive data from leaving
DLP is the exit scanner at the airport — it checks everything leaving your organisation for items that shouldn’t leave.
When someone tries to email a spreadsheet with patient IDs, share a SharePoint document containing credit card numbers, or paste sensitive data into a Teams chat — DLP detects it and takes action: warn the user, block the action, or alert compliance. It works across ALL M365 workloads, including the newer additions like Power BI and Copilot.
DLP across workloads
| Workload | What DLP Monitors | Typical Actions |
|---|---|---|
| Exchange Online | Email body, attachments, subject line | Block send, encrypt, add disclaimer, notify sender |
| SharePoint Online | Documents in libraries | Block external sharing, show policy tip, restrict access |
| OneDrive | User files synced/stored | Block sharing, show policy tip |
| Teams | Chat messages, channel messages, shared files | Block message, show policy tip (message redacted) |
| Power BI | Reports, dashboards, datasets | Block export, restrict sharing |
| Microsoft 365 Copilot | Content processed by Copilot for summarisation/generation | Prevent Copilot from referencing DLP-protected content |
Exam tip: DLP for Copilot is new and testable
DLP for Microsoft 365 Copilot is a newer addition to the exam. Key points:
- DLP policies can prevent Copilot from surfacing or summarising content that matches DLP conditions
- This means if a document contains patient IDs and a DLP policy protects that data, Copilot won’t include it in generated responses
- DLP for Copilot requires a separate, dedicated DLP policy — when you select the Copilot location, all other locations are disabled
- You cannot combine Copilot with Exchange/SharePoint/Teams in the same policy
- The exam may ask: “How does Elena prevent Copilot from summarising patient records?” → Apply DLP policy with Copilot location enabled
This is where DLP and AI governance intersect — a frequently tested modern topic.
DLP policy components
Conditions (what triggers the policy)
| Condition Type | Example |
|---|---|
| Content contains SITs | Credit card numbers, patient IDs, passport numbers |
| Content has sensitivity label | "Confidential" or higher |
| Content is shared with | External users, specific domains |
| File extension | .xlsx, .csv, .pdf |
| Document property | Custom metadata values |
Actions (what the policy does)
| Action | Exchange | SharePoint/OD | Teams |
|---|---|---|---|
| Restrict access | Block send to external | Block external sharing | Block message |
| Encrypt | Auto-encrypt email | Apply encryption | N/A |
| Show policy tip | Warning banner in Outlook | Policy tip in document library | Warning in compose box |
| Notify | Email to compliance officer | Alert in DLP dashboard | Alert in dashboard |
| Override with justification | User provides business reason to send anyway | User provides reason to share | User provides reason |
Policy tips vs blocking
DLP supports a graduated enforcement model:
- Audit only — log but don’t restrict (use during testing)
- Policy tip — warn the user (“This email contains patient data. Are you sure?”)
- Block with override — block by default but let users justify and override
- Block — prevent the action entirely with no override
Elena starts MedGuard Health's DLP policies in audit mode, reviews the false positive rate, then upgrades to block with override for most users and block (no override) for contractors.
Designing DLP policies for MedGuard Health
Policy 1: Protect patient data
| Setting | Configuration |
|---|---|
| Name | "Protect Patient Data — External Sharing" |
| Conditions | Content contains: Patient ID SIT (High confidence) OR Sensitivity label = “Confidential / Patient Data” |
| Locations | Exchange, SharePoint, OneDrive, Teams (separate policy for Copilot) |
| Actions | Block external sharing. Encrypt email. Show policy tip. Notify compliance officer. |
| Override | Users can override with justification for business-critical scenarios |
Policy 2: Protect financial data
| Setting | Configuration |
|---|---|
| Name | "Protect Financial Data — Prevent Export" |
| Conditions | Content contains: Credit card numbers or bank account numbers (Medium+ confidence) |
| Locations | Exchange, SharePoint, Power BI |
| Actions | Block sharing with external. Block Power BI export. Notify finance compliance officer. |
| Override | CFO group can override |
Deep dive: DLP policy priority and rule ordering
When multiple DLP policies apply to the same content:
- Most restrictive action wins — if Policy A warns and Policy B blocks, the content is blocked
- Policy priority — lower priority number = higher priority (0 is highest)
- Rule ordering within a policy — all matching rules are evaluated; the most restrictive action across all matching rules is applied
If Elena has a “block external sharing” policy and a “warn on internal sharing” policy, external sharing is blocked while internal sharing shows a warning. The policies complement each other.
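Policy 1 above, the audit-then-enforce rollout from "Policy tips vs blocking", and the priority ordering from this deep dive, as an added Security & Compliance PowerShell example that is not part of the original lesson. It assumes a custom SIT named "MedGuard Patient ID", a contractors mail-enabled security group and a compliance mailbox at the made-up domain medguard.example, and the built-in "Encrypt" message template; the sensitivity-label condition and the separate Copilot policy are not shown.

```powershell
# Requires the ExchangeOnlineManagement module (Security & Compliance PowerShell).
Connect-IPPSSession

# Assumed values: a custom SIT, a contractors group and a compliance mailbox.
# Replace with your tenant's own names.
$sit        = "MedGuard Patient ID"
$contractor = "contractors@medguard.example"
$compliance = "compliance@medguard.example"
$staffPol   = "Protect Patient Data - External Sharing"
$contrPol   = "Protect Patient Data - Contractors"

# Shared condition: at least one high-confidence (85) Patient ID match.
$cond = @(@{ Name = $sit; minCount = "1"; minConfidence = "85" })

# Step 1: staff policy in test mode. Matches are logged and policy tips are shown,
# but nothing is blocked yet. Copilot is absent on purpose: it needs its own policy.
New-DlpCompliancePolicy -Name $staffPol -Mode TestWithNotifications `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All

# Block external sharing, encrypt email, show a policy tip, allow override with justification.
New-DlpComplianceRule -Name "Patient ID - external (override allowed)" -Policy $staffPol `
    -ContentContainsSensitiveInformation $cond `
    -AccessScope NotInOrganization -BlockAccess $true -BlockAccessScope All `
    -EncryptRMSTemplate "Encrypt" -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains patient data and cannot be shared externally." `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport $compliance -IncidentReportContent Default -ReportSeverityLevel High

# Contractor policy: same condition, scoped to the contractor group, hard block, no override.
# When both policies match a contractor's email, the most restrictive action (this block) wins.
New-DlpCompliancePolicy -Name $contrPol -Mode TestWithNotifications `
    -ExchangeLocation All -ExchangeSenderMemberOf $contractor `
    -OneDriveLocation All -OneDriveSharedByMemberOf $contractor

New-DlpComplianceRule -Name "Patient ID - contractors (no override)" -Policy $contrPol `
    -ContentContainsSensitiveInformation $cond `
    -AccessScope NotInOrganization -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner -NotifyPolicyTipCustomText "Contractors may not share patient data externally." `
    -GenerateIncidentReport $compliance -IncidentReportContent Default -ReportSeverityLevel High

# Step 2, after reviewing false positives in the DLP reports: switch both to enforcement.
# Priority 0 is the highest, so the contractor policy is evaluated above the staff policy.
Set-DlpCompliancePolicy -Identity $contrPol -Mode Enable -Priority 0
Set-DlpCompliancePolicy -Identity $staffPol -Mode Enable -Priority 1

# Verify mode, priority and locations before announcing enforcement to users.
Get-DlpCompliancePolicy | Where-Object Name -like "Protect Patient Data*" |
    Format-List Name, Mode, Priority, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation
```

Leave the policies in TestWithNotifications long enough to read the false-positive rate from the DLP reports before running the Step 2 commands.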
Key concepts to remember
Knowledge check
Elena needs to prevent Copilot from summarising documents containing patient data when users ask it to generate reports. Which approach should she use?
Dev configures a DLP policy for a client that blocks external email containing credit card numbers. The CFO complains that she can't send financial reports to the company's bank. What is the best solution?
Next up: Endpoint DLP and Alert Response — extending data protection to devices and responding to DLP incidents.