SC-900 Study Guide

Domain 1: Security, Compliance & Identity Concepts

  • Security Foundations: Shared Responsibility & Defence-in-Depth Free
  • Zero Trust: Never Trust, Always Verify Free
  • Encryption, Hashing & GRC Free
  • Identity: The New Security Perimeter Free

Domain 2: Microsoft Entra Capabilities

  • Microsoft Entra ID: Your Identity Hub Free
  • Hybrid & External Identities
  • Authentication: Passwords, MFA & Passwordless
  • Password Protection & Self-Service Reset
  • Conditional Access: Smart Access Decisions
  • Entra Roles and RBAC
  • Identity Governance: Entitlements and Access Reviews
  • PIM and Identity Protection

Domain 3: Microsoft Security Solutions

  • Azure Network Defence: DDoS, Firewall & WAF
  • Azure Infrastructure Security: VNets, NSGs, Bastion & Key Vault
  • Microsoft Defender for Cloud
  • Microsoft Sentinel: SIEM Meets SOAR
  • Defender XDR: The Unified Threat Platform
  • Microsoft Defender for Office 365
  • Microsoft Defender for Endpoint
  • Defender for Cloud Apps & Defender for Identity
  • Vulnerability Management & Threat Intelligence

Domain 4: Microsoft Compliance Solutions

  • Service Trust Portal, Privacy Principles & Microsoft Priva
  • The Purview Portal & Compliance Manager
  • Data Classification & Sensitivity Labels
  • Data Loss Prevention (DLP)
  • Records Management & Retention
  • Insider Risk Management
  • eDiscovery & Audit

Domain 4: Microsoft Compliance Solutions Premium ⏱ ~11 min read

Data Loss Prevention (DLP)

How DLP policies detect sensitive data leaving your organisation and take action — from gentle warnings to hard blocks — across email, Teams, endpoints, and more.

What stops sensitive data from walking out the door?

☕ Simple explanation

Think of airport security.

Before you board a plane, security scans your bags. Some items are completely banned (no liquids over 100ml). Some items trigger a warning (a laptop needs a second look). And some are fine (clothes, books).

Data Loss Prevention (DLP) works the same way for your data. When someone tries to share, email, or copy sensitive information, DLP scans the content and decides: block it, warn the user, or let it through with a note in the audit log.

Data Loss Prevention (DLP) in Microsoft Purview is a set of policies that detect when sensitive information is being shared inappropriately and take automated action — blocking, warning, or auditing the activity.

DLP works across Exchange Online, SharePoint, OneDrive, Teams, Windows and macOS endpoints, Power BI, and third-party cloud apps. It uses sensitive information types (SITs) and sensitivity labels to identify what’s sensitive.

Where DLP works

DLP isn’t limited to email. It monitors sensitive data across your entire digital workplace:

Location | What DLP Monitors
Exchange Online | Emails and attachments sent internally or externally
SharePoint Online | Documents stored in sites and libraries
OneDrive for Business | Files in personal cloud storage
Microsoft Teams | Chat messages and channel messages containing sensitive data
Endpoints (Windows/macOS) | Files copied to USB, printed, uploaded to personal cloud, or accessed by unallowed apps
Power BI | Dashboards and reports containing sensitive data
Third-party apps | Cloud apps connected through Microsoft Defender for Cloud Apps

Key exam concept: Endpoint DLP extends data protection to the device itself. Even if a user downloads a confidential file to their laptop, DLP can prevent them from copying it to a USB drive or printing it. This is a common exam topic.

How a DLP policy works

Every DLP policy has three components:

1. Conditions — what to look for

Conditions define what triggers the policy. They use the classification tools you learned in the previous module:

  • Sensitive information types — detect patterns like credit card numbers, SSNs
  • Sensitivity labels — match documents with specific labels
  • Both combined — a document labelled “Confidential” that also contains 5+ credit card numbers

2. Actions — what to do

When a condition is matched, DLP takes action:

DLP actions range from silent logging to hard blocks:

Action | What Happens | When to Use
Block | Completely prevents the action (sharing, sending, copying) | High-risk data that must never leave — e.g., patient records to external recipients
Block with override | Blocks the action but the user can override with a business justification | Sensitive data that sometimes legitimately needs to be shared — e.g., financial reports to auditors
Warn (policy tip) | Shows the user a warning but lets them proceed | Educate users about data handling without blocking their work
Audit only | Logs the activity but takes no visible action | Testing a new policy before enforcement, or monitoring low-risk data

3. Notifications — who to tell

DLP can notify multiple people when a policy is triggered:

  • The user — via a policy tip in the app (Outlook, Teams, SharePoint)
  • The admin — via email alerts
  • The compliance team — via incident reports in the Purview portal
  • The user’s manager — optional escalation

Policy tips: educate, don’t just block

Policy tips are user-facing notifications that appear right where the user is working. They’re one of the most powerful features of DLP because they teach good habits.

For example, when a nurse at MedGuard pastes patient SSNs into a Teams message:

  • A yellow banner appears: “This message contains patient identifiers. External sharing is blocked by MedGuard’s data policy.”
  • The message isn’t sent until the sensitive data is removed — or the nurse provides a justification to override

Key exam concept: Policy tips are educational, not just punitive. They tell the user what they did wrong and what to do instead. This reduces repeat incidents and builds a data-aware culture.

💡 Scenario: Nadia rolls out DLP at MedGuard

Nadia creates a phased DLP rollout for MedGuard:

Phase 1 — Audit only (Week 1-2):

  • Policy: Detect files containing patient SSN or medical record numbers
  • Action: Audit only — log everything, block nothing
  • Goal: Understand the scope of sensitive data sharing

Phase 2 — Warn (Week 3-4):

  • Action: Show policy tips when users share patient data externally
  • Goal: Educate staff about the new policy without disrupting work

Phase 3 — Block with override (Week 5+):

  • Action: Block external sharing of patient data, but allow overrides with a justification
  • Goal: Enforce protection while allowing legitimate exceptions

This phased approach avoids the “DLP disaster” where blocking everything on day one causes a flood of helpdesk tickets.
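
The three policy components from "How a DLP policy works" (conditions, actions, notifications) and Nadia's phased rollout, modelled as an added example; it is not Microsoft Purview code and not part of the original guide. The `Rule` fields, the outcome names, the regex standing in for an SSN sensitive information type, and the external-only condition applied in every phase are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Simplified stand-in for an SSN sensitive information type (assumption: real
# SITs also weigh keywords, proximity and confidence, not just a regex).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

@dataclass(frozen=True)
class Rule:
    action: str                  # audit | warn | block_with_override | block
    min_count: int = 1           # condition: SIT matches needed to trigger
    external_only: bool = True   # condition: only sharing outside the org
    alert: tuple = ("admin", "compliance_team")  # notifications

def evaluate(rule, text, external, justification=None):
    """Return (allowed, outcome, notified) for one sharing attempt."""
    hits = len(SSN_RE.findall(text))
    if hits < rule.min_count or (rule.external_only and not external):
        return True, "no_match", ()
    if rule.action == "audit":                 # logged, nothing visible to user
        return True, "audited", rule.alert
    notified = ("user_policy_tip",) + rule.alert
    if rule.action == "warn":                  # policy tip, user may proceed
        return True, "warned", notified
    if rule.action == "block_with_override" and justification:
        return True, "overridden", notified    # justification is recorded
    return False, "blocked", notified

# Nadia's phased rollout from the scenario, expressed as rule settings.
PHASES = {
    "phase1_audit": Rule("audit"),
    "phase2_warn": Rule("warn"),
    "phase3_enforce": Rule("block_with_override"),
}

def rollout(text, external, justification=None):
    """Outcome of the same sharing attempt under each rollout phase."""
    return {name: evaluate(rule, text, external, justification)[:2]
            for name, rule in PHASES.items()}

if __name__ == "__main__":
    # Constructed sample message; the SSN is made up.
    msg = "Discharge summary for patient, SSN 123-45-6789, attached."
    for phase, result in rollout(msg, external=True).items():
        print(phase, result)
    print(rollout(msg, external=False)["phase3_enforce"])
    print(rollout(msg, True, "Sent to external auditor")["phase3_enforce"])
```

The same external message is allowed and silently logged in phase 1, allowed with a policy tip in phase 2, and blocked in phase 3 unless a justification is supplied; internal sharing never matches.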

Endpoint DLP

Standard DLP protects data in the cloud (email, SharePoint, Teams). Endpoint DLP extends that protection to Windows and macOS devices.

What Endpoint DLP can monitor and restrict

Activity | Example
Copy to USB | Block copying a “Highly Confidential” file to a USB drive
Print | Prevent printing documents with patient data
Copy to clipboard | Block copy-paste of sensitive data into personal apps
Upload to personal cloud | Prevent uploading labelled files to Dropbox or personal OneDrive
Access by unallowed apps | Block Notepad from opening a DLP-protected file

💡 Scenario: Liam worries about USB drives

Liam, MedGuard’s IT Director, discovers that staff sometimes copy patient reports to personal USB drives to “work from home.” This creates a huge compliance risk — those USBs could be lost or stolen.

Nadia configures Endpoint DLP:

  • Condition: File contains “Patient Medical Record” SIT OR has “Highly Confidential” label
  • Action: Block copy to removable media (USB), block upload to personal cloud services
  • Notification: User sees a policy tip: “This file contains patient data and cannot be copied to external devices. Use OneDrive or SharePoint instead.”

Staff can still access the files on managed devices and share through approved channels — but the data can’t leave on a USB stick.

DLP alerts and incident reports

When DLP policies are triggered, the system generates:

  • Alerts — appear in the Purview portal’s DLP alerts dashboard, showing policy matches in real time
  • Incident reports — detailed summaries sent via email to compliance officers, showing what was detected, who triggered it, and what action was taken

Nadia checks the DLP alerts dashboard every morning to spot trends — are certain departments triggering more alerts? Is a specific policy generating too many false positives?

How DLP works with labels and SITs

DLP doesn’t work in isolation. It builds on the classification layer:

  1. SITs detect the sensitive data (pattern matching)
  2. Sensitivity labels classify and protect the data (encryption, markings)
  3. DLP policies prevent the data from being shared inappropriately (block, warn, audit)

Think of it as a pipeline: detect → classify → protect → prevent leakage.

Labels lock the data; DLP watches the doors:

Feature | Sensitivity Labels | Data Loss Prevention
Primary purpose | Classify and protect data | Prevent data from being shared inappropriately
What it does | Encrypts, adds watermarks, restricts access — stays with the file | Monitors sharing actions and blocks/warns/audits based on policy
Where it works | Embedded in the document — protection travels everywhere | Monitors specific locations: email, SharePoint, Teams, endpoints
User experience | User applies a label (or auto-labelling does it) | User sees a policy tip when they try to share something sensitive
Analogy | A lock on the filing cabinet | A security guard watching the exit doors

💡 Exam tip: DLP vs labels — the exam loves this comparison

When the exam asks “how do you prevent sensitive data from being emailed externally?” the answer is DLP, not sensitivity labels.

  • Labels protect the data itself (encryption, access control) — but they don’t stop someone from emailing the file
  • DLP monitors the action (sending an email) and can block it if the content matches a policy

Labels and DLP work together. A DLP policy can use sensitivity labels as conditions: “If a document has the ‘Highly Confidential’ label, block external email.”

Flashcards

Question

What are the three components of a DLP policy?

Answer

1. Conditions — what to look for (SITs, labels, document properties). 2. Actions — what to do (block, block with override, warn, audit only). 3. Notifications — who to tell (user via policy tip, admin via email, compliance team via incident reports).

Question

What is Endpoint DLP?

Answer

DLP that extends to Windows and macOS devices. It can monitor and restrict: copying to USB, printing, uploading to personal cloud, copy-paste to personal apps, and access by unallowed applications. Protects data even after it's downloaded to a device.

Question

What is a DLP policy tip?

Answer

A user-facing notification that appears when a DLP policy is triggered — right where the user is working (Outlook, Teams, SharePoint). It educates the user about the violation and what to do instead. Can be configured to allow, warn, or block with override.

Question

How is DLP different from sensitivity labels?

Answer

Labels classify and protect the DATA itself (encryption, watermarks, access control — protection travels with the file). DLP monitors ACTIONS (sharing, emailing, copying) and prevents inappropriate sharing. Labels are the lock on the cabinet; DLP is the guard at the door.

Knowledge Check

Nadia wants to prevent staff from emailing documents containing patient SSNs to external recipients, but she wants to allow internal sharing. Which tool should she configure?

MedGuard is deploying DLP for the first time. Nadia is worried about disrupting clinical staff. Which approach should she take?

A doctor at MedGuard downloads a patient report (labelled 'Highly Confidential') to their laptop and tries to copy it to a USB drive. The copy is blocked and a notification appears. Which feature is responsible?

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.