DLP & Conditional Access
Prevent sensitive data from leaking through Teams messages and control who can access Teams and under what conditions. Two powerful protection layers for the Teams admin.
Two layers of Teams protection
Think of DLP and Conditional Access as two different security checkpoints.
DLP is like a mail scanner at the office exit. It checks what’s leaving — if someone tries to send a credit card number or client SSN in a Teams message, DLP catches it, blocks it, or warns the sender.
Conditional Access is like the building entrance. Before you even get to your desk (Teams), it checks: Are you on a company device? Are you on a trusted network? Did you use MFA? If the conditions aren’t met, you’re turned away at the door.
Data Loss Prevention for Teams
How DLP works in Teams
DLP policies for Teams scan messages in real-time as they’re sent. When a message matches a DLP rule:
- The message is sent (briefly visible)
- DLP evaluates the message against policy rules
- Action is taken within seconds — message can be blocked, user warned, or admin notified
- Blocked messages show a “This message was blocked” notice to other participants
DLP locations for Teams
| Location | What It Scans | Notes |
|---|---|---|
| Teams chat and channel messages | Text in 1:1 chats, group chats, and channel posts | Scans message body text in real-time |
| Teams channel files | Files shared in channels (stored in SharePoint) | Covered by SharePoint DLP location |
| Teams chat files | Files shared in chats (stored in OneDrive) | Covered by OneDrive DLP location |
Exam point: To fully protect Teams, you need DLP policies targeting both the “Teams chat and channel messages” location (for message text) and SharePoint/OneDrive locations (for shared files). A single policy can include multiple locations.
Creating a DLP policy for Teams
- Microsoft Purview → Data loss prevention → Policies → Create policy
- Choose a template (e.g., “Financial — Credit Card Number”) or create custom
- Select locations: enable Teams chat and channel messages
- Define rules:
  - Condition: Content contains sensitive info type (e.g., credit card number, confidence level high)
  - Action: Block the message, or allow but notify user with a policy tip
  - Override: Optionally allow users to override with business justification
- Set notifications: alert sender, alert admin, or both
- Enable the policy (test mode first recommended)
DLP actions in Teams
| Feature | User Experience | When to Use | Configuration |
|---|---|---|---|
| Policy tip (warn) | User sees a warning tooltip: 'This message may contain sensitive info' | Low-risk scenarios — educate users without disrupting work | Action: Notify user with policy tip |
| Block message | Message is blocked — recipients see 'This message was blocked.' Sender can override with justification (if allowed) | High-risk scenarios — credit cards, patient data, classified info | Action: Block content, optionally allow override |
| Block with no override | Message is blocked permanently — no override option | Maximum protection — regulatory requirements | Action: Block content, do not allow override |
Scenario: Nadia configures DLP at Sterling Financial
Sterling Financial processes credit card payments and must comply with PCI-DSS. Nadia creates a DLP policy:
Policy: “Block credit card numbers in Teams”
- Location: Teams chat and channel messages + SharePoint + OneDrive
- Rule 1: Content contains credit card number (high confidence, 1+ instance)
  - Action: Block message with override allowed (business justification required)
  - Notify: sender sees policy tip, compliance team gets email alert
- Rule 2: Content contains 5+ credit card numbers (any confidence)
  - Action: Block message, no override (mass data leak = zero tolerance)
  - Notify: sender + compliance team + Nadia (incident response)
When a customer service agent accidentally pastes a client’s credit card number in a Teams chat, the message is blocked within seconds. The agent sees: “This message was blocked because it contains sensitive information. You can override this block by providing a business justification.” The compliance team is notified regardless.
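The same policy, scripted in Security & Compliance PowerShell as an added example that covers both the "Creating a DLP policy for Teams" steps and the Sterling Financial scenario (it is not the page's own walkthrough or a Microsoft reference script). It assumes the ExchangeOnlineManagement module with Connect-IPPSSession already run as a compliance admin; the cmdlet and parameter names are those of that module as I know them, so confirm them with Get-Help in your tenant, and the mailbox addresses are placeholders.

```powershell
# Added example, not from the page. Security & Compliance PowerShell (ExchangeOnlineManagement).
# Assumes Connect-IPPSSession has already been run with a Compliance Administrator account.
$PolicyName = "Block credit card numbers in Teams"

# Locations: Teams message text plus the SharePoint/OneDrive stores that hold channel and chat files.
# Start in test mode with policy tips so impact can be reviewed before enforcement.
New-DlpCompliancePolicy -Name $PolicyName `
    -TeamsLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule 1: one to four high-confidence card numbers -> block, override allowed with a business justification.
# maxCount keeps this rule from also matching the 5+ case that rule 2 handles with no override.
New-DlpComplianceRule -Name "CC - block, override with justification" -Policy $PolicyName `
    -ContentContainsSensitiveInformation @(@{Name = "Credit Card Number"; minCount = "1"; maxCount = "4"; confidencelevel = "High"}) `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyAllowOverride WithJustification `
    -NotifyPolicyTipCustomText "This message was blocked because it contains sensitive information. You can override this block by providing a business justification." `
    -GenerateAlert "compliance@sterling.example" `
    -ReportSeverityLevel Medium `
    -Priority 1

# Rule 2: five or more card numbers at any confidence -> block, no override, alert compliance and incident response.
# Placeholder addresses; the sender still gets the policy tip via -NotifyUser.
New-DlpComplianceRule -Name "CC - mass exposure, no override" -Policy $PolicyName `
    -ContentContainsSensitiveInformation @(@{Name = "Credit Card Number"; minCount = "5"}) `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -GenerateAlert "compliance@sterling.example", "nadia@sterling.example" `
    -GenerateIncidentReport "nadia@sterling.example" `
    -ReportSeverityLevel High `
    -Priority 0

# Lower priority number is evaluated first, so the no-override rule wins on heavy matches.
# Review the rules, then enforce once the test window has shown no false positives.
Get-DlpComplianceRule -Policy $PolicyName | Format-Table Name, Priority, BlockAccess, NotifyAllowOverride
Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```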
Conditional Access for Teams
How CA works with Teams
Conditional Access policies in Microsoft Entra ID evaluate access attempts based on signals:
| Signal | Examples | How It Applies to Teams |
|---|---|---|
| User/group | All users, specific groups, guest users | Apply stricter policies to guests or external users |
| Cloud app | Microsoft Teams | Target Teams specifically (or all M365 apps) |
| Device platform | iOS, Android, Windows, macOS | Block Teams on unmanaged mobile devices |
| Device compliance | Intune-managed, compliant, hybrid Entra-joined | Require managed devices for desktop Teams |
| Location | Named locations (office IP ranges), countries | Block Teams access from specific countries |
| Sign-in risk | Low, medium, high (Entra ID Protection) | Require MFA for risky sign-ins to Teams |
| Client app | Browser, mobile app, desktop app | Block legacy auth clients |
Common CA policies for Teams
| Policy | Signals | Grant Control | Scenario |
|---|---|---|---|
| Require MFA for Teams | All users + Teams app | Grant: require MFA | Baseline protection |
| Block Teams on unmanaged devices | All users + Teams + non-compliant devices | Block | Prevent data on personal devices |
| App protection on mobile | Mobile platforms + Teams | Grant: require approved client app or app protection policy | Allow mobile Teams but with data protection |
| Block guest access from risky locations | Guest users + Teams + non-trusted locations | Block | Prevent external access from untrusted countries |
| Require compliant device for downloads | All users + Teams + device filter | Grant: require compliant device | Allow browser Teams but block downloads on unmanaged devices |
Exam tip: CA targets Teams as a cloud app
When creating a CA policy for Teams, you select Microsoft Teams as the cloud app. But be aware:
- Teams relies on SharePoint Online and Exchange Online for files and calendar. If you block Teams access but not SharePoint, files shared in Teams may still be accessible via SharePoint directly.
- For comprehensive protection, consider targeting Office 365 (all apps) instead of just Teams.
- Report-only mode is recommended before enforcing — run the policy in audit mode for 7-14 days to check impact.
Scenario: Nadia's Conditional Access at Sterling Financial
Sterling Financial’s compliance team requires:
- All users must use MFA for Teams access (baseline)
- Traders can only access Teams from compliant, Intune-managed Windows devices (no personal devices)
- Guest users (auditors) can access Teams from any device but only from approved IP ranges (Sterling’s partner offices)
- High-risk sign-ins require re-authentication and password change
Nadia creates four CA policies targeting Microsoft Teams as the cloud app:
- Policy 1: All users → Require MFA → Grant
- Policy 2: Traders security group → Require device compliance → Grant (block non-compliant)
- Policy 3: Guest users → Non-trusted locations → Block
- Policy 4: All users → High sign-in risk → Require MFA + password change → Grant
Result: When a trader tries to access Teams from a personal laptop, they’re blocked. When an auditor tries to access Teams from a hotel Wi-Fi (untrusted location), they’re blocked. When a legitimate user signs in from a new country, they must re-authenticate.
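Nadia's four policies expressed through the Microsoft Graph PowerShell SDK, as an added example that also maps to the "Common CA policies for Teams" table above (it is not the page's own procedure or a Microsoft reference script). It assumes Connect-MgGraph has been run with the Policy.ReadWrite.ConditionalAccess scope, that the partner-office IP ranges are defined as trusted named locations, and that the Traders group id is a placeholder; policy 4 is keyed to user risk because Graph only accepts the password-change control with that condition.

```powershell
# Added example, not from the page. Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
# Assumes: Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" has already been run.
$TeamsAppId   = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"   # Microsoft Teams app id; confirm with Get-MgServicePrincipal
$TradersGroup = "<object-id-of-Traders-security-group>"  # placeholder

function New-TeamsCaPolicy {
    param([string]$Name, [hashtable]$Users, [hashtable]$Grant, [hashtable]$Extra = @{})
    $body = @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after the 7-14 day review
        conditions    = @{
            users          = $Users
            applications   = @{ includeApplications = @($TeamsAppId) }   # Teams only; use "Office365" to cover SharePoint/Exchange too
            clientAppTypes = @("all")
        } + $Extra
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Policy 1: baseline MFA for everyone
New-TeamsCaPolicy -Name "Teams - Require MFA (all users)" `
    -Users @{ includeUsers = @("All") } `
    -Grant @{ operator = "OR"; builtInControls = @("mfa") }

# Policy 2: traders must be on a compliant device. Scoped to Windows here; a companion
# policy that blocks the other platforms for the same group makes it Windows-only.
New-TeamsCaPolicy -Name "Teams - Traders require compliant device" `
    -Users @{ includeGroups = @($TradersGroup) } `
    -Extra @{ platforms = @{ includePlatforms = @("windows") } } `
    -Grant @{ operator = "OR"; builtInControls = @("compliantDevice") }

# Policy 3: guests blocked from every location except the trusted named locations (partner offices)
New-TeamsCaPolicy -Name "Teams - Block guests outside partner offices" `
    -Users @{ includeUsers = @("GuestsOrExternalUsers") } `
    -Extra @{ locations = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") } } `
    -Grant @{ operator = "OR"; builtInControls = @("block") }

# Policy 4: high risk -> MFA and password change. passwordChange is only valid with the
# user-risk condition and must be ANDed with mfa, so the risk signal here is userRiskLevels.
New-TeamsCaPolicy -Name "Teams - High risk requires MFA and password change" `
    -Users @{ includeUsers = @("All") } `
    -Extra @{ userRiskLevels = @("high") } `
    -Grant @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
```

Each policy is created in report-only state; review the sign-in logs for the policy's evaluation results before flipping state to "enabled" with Update-MgIdentityConditionalAccessPolicy.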
DLP + CA: working together
DLP and Conditional Access complement each other:
| Layer | What It Protects | When It Acts |
|---|---|---|
| Conditional Access | Controls who can access Teams and how | Before the user gets in |
| DLP | Controls what can be shared inside Teams | After the user is in, when they send messages |
Both layers together = defence in depth. CA prevents untrusted access. DLP prevents data leaks from trusted users.
DLP & Conditional Access — MS-700 Module 4
Knowledge Check
A DLP policy at Sterling Financial blocks credit card numbers in Teams messages but allows users to override with business justification. An agent sends a credit card number in a Teams chat. What happens FIRST?
Nadia needs to ensure traders at Sterling Financial can ONLY access Teams from Intune-compliant Windows devices. Which Conditional Access configuration is correct?
A Teams admin wants to prevent sensitive data leaks from both Teams messages AND files shared in Teams channels. How many DLP policy locations are needed?
Next up: Information Barriers & Insider Risk — how to prevent specific groups from communicating in Teams and detect risky behaviour patterns.