How to implement a DLP policy in Exchange Online - aaqibwani/M365 GitHub Wiki

What is a DLP Policy?

In an era where a single misdirected email can lead to a multi-million-dollar compliance fine, Data Loss Prevention (DLP) becomes a necessity. A DLP policy is an automated "digital compliance officer." It monitors outgoing and incoming emails for sensitive information (like credit card numbers or medical IDs) and takes action based on the rules you define.

The Anatomy of a Policy

Every policy consists of the following components:

| Rule Component | Detail | Strategic Application |
|---|---|---|
| Conditions | Sensitive Information Types (SITs), Sensitivity Labels, Recipient Domains, Sender Scope | Identifying PII, PHI, or internal-only markings in outbound traffic. |
| Actions | Block Email, Encrypt Message, Forward for Approval, Add Disclaimer | Preventing unauthorized data egress while allowing for management oversight. |
| Exceptions | Sender is member of specific group, Recipient domain is trusted partner | Reducing false positives for established business-to-business workflows. |
| User Notifications | Policy Tips, Email Notifications to Sender | Providing real-time education to users at the moment of data entry. |
| Alerting | Incident Reports, Admin Alerts | Enabling SOC teams to respond to potential data breaches immediately. |

The Exchange Online engine supports advanced mail-flow conditions that are unique to the email workload. These include evaluating the sender's IP address, checking for password-protected attachments, and matching specific message headers. It also implements "true file type" detection, which determines an attachment's type from its actual content rather than from a potentially misleading file extension (such as filename.exe.txt).

Licensing Tier Feature Comparison

| Feature Category | Microsoft 365 E5 / Purview Suite | Microsoft 365 E3 | Office 365 E5 | Office 365 E3 | Microsoft 365 Business Premium |
|---|---|---|---|---|---|
| Basic Exchange Online DLP | Supported | Supported | Supported | Supported | Supported |
| Manual Sensitivity Labeling | Supported | Supported | Supported | Supported | Supported |
| Automatic Sensitivity Labeling | Supported | Not Supported | Supported | Not Supported | Not Supported |
| Exact Data Match (EDM) | Supported | Requires Add-on | Supported | Requires Add-on | Not Supported |
| Endpoint DLP Actions | Supported | Not Supported | Not Supported | Not Supported | Supported |
| OCR for Image Inspection | Supported | Requires Add-on | Supported | Requires Add-on | Not Supported |
| Adaptive Protection Scopes | Supported | Not Supported | Not Supported | Not Supported | Not Supported |
| Trainable Classifiers | Supported | Not Supported | Supported | Not Supported | Not Supported |

Technical Limits, Caveats, and Known Issues

| Limit Description | Constraint Value | Administrative Impact |
|---|---|---|
| Max DLP Rules per Tenant | 600 | Requires strategic consolidation of rules to avoid hitting the ceiling. |
| Max Size of a DLP Policy | 100 KB | Restricts the number of complex regex patterns or large SIT lists in a single policy. |
| Max Text Scanned from File | 2,000,000 characters | Extremely large attachments may result in partial scans and a "scanning incomplete" signal. |
| Max SITs per Rule (EXO/SPO) | 125 | Limits the breadth of detection types in a single rule object. |
| Max Regex Size (predicted) | 20 KB | High-complexity custom SITs may require optimization to fit within the memory limits. |
| Policy Name Length | 64 characters | Demands a concise yet descriptive naming convention for organizational clarity. |

Additional caveats to be aware of:

  • S/MIME Conflicts: Because S/MIME encrypts the email on the client device before it reaches the Exchange server, the service-side DLP engine cannot "see" inside the encrypted message. Consequently, S/MIME effectively bypasses service-side DLP scanning unless the policy is configured to block all S/MIME traffic.
  • Purview Message Encryption (OME): This is the preferred method for DLP integration. The service scans the plaintext message in the transport pipeline and then applies encryption as a DLP action, ensuring both protection and compliance.
  • Password-Protected Files: Traditional DLP engines cannot scan the content of password-protected ZIP or Office files. Administrators should consider creating a specific rule to "Block" or "Audit" any attachment for which the condition "Attachment is password protected" is true.
  • Mail Flow Bifurcation: When a single email is addressed to both internal and external recipients, the DLP engine may "bifurcate" (fork) the message. For example, the internal recipients receive the email immediately, while the external copy is blocked or redirected according to the rule's actions; only the fork that matches the rule is withheld. Use the NonBifurcatingAccessScope condition instead when the action should apply to every recipient present in the original message.
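The three caveats above translate into rule conditions that can be set from Security & Compliance PowerShell (the ExchangeOnlineManagement module). The script below is an added example, not code from this wiki page or from Microsoft: the policy and rule names, the admin UPN and the tip text are placeholders, the policy is assumed to exist already, and the `Encrypted` value for `-MessageTypeMatches` is assumed to be the S/MIME-encrypted message type (it is the value used by Exchange transport rules; check `Get-Help New-DlpComplianceRule -Parameter MessageTypeMatches` in your tenant before relying on it).

```powershell
# Added example, not from the wiki page. Placeholder values are marked.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder UPN

$policyName = "EXO-Sensitive-Info-Policy"   # placeholder; the policy must already exist

# Caveat 1: password-protected attachments cannot be inspected. Rather than let
# them pass unscanned, block outbound ones, tell the sender why, and record it.
New-DlpComplianceRule -Name "Block-External-PasswordProtectedAttachment" -Policy $policyName `
    -DocumentIsPasswordProtected $true `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser @("LastModifier") `
    -NotifyPolicyTipCustomText "Password-protected attachments cannot be scanned and may not be sent externally." `
    -GenerateIncidentReport @("SiteAdmin") -ReportSeverityLevel Medium

# Caveat 2: S/MIME-encrypted mail bypasses service-side inspection, so the only
# service-side control is to block it outbound. The "Encrypted" value is assumed
# to denote S/MIME-encrypted messages (verify in your tenant).
New-DlpComplianceRule -Name "Block-External-SMIME-Encrypted" -Policy $policyName `
    -MessageTypeMatches Encrypted `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser @("LastModifier")

# Caveat 3: bifurcation. A rule keyed on -AccessScope NotInOrganization forks a
# mixed internal/external message and withholds only the external fork. Using
# -NonBifurcatingAccessScope instead applies the block to every copy, so no
# recipient in the original list receives the message.
New-DlpComplianceRule -Name "Block-AllRecipients-When-External-SensitiveInfo" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1"; minConfidence = "65" }) `
    -NonBifurcatingAccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser @("LastModifier")

# Confirm the conditions landed on the rules as intended.
Get-DlpComplianceRule -Policy $policyName |
    Format-Table Name, AccessScope, NonBifurcatingAccessScope, DocumentIsPasswordProtected, MessageTypeMatches
```

No `-Priority` is given, so each rule is appended after the policy's existing rules; adjust priorities once the full rule set is in place so that the bifurcating and non-bifurcating variants do not both fire on the same message.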

Create a DLP policy for Exchange Online

  • To get started, you'll need Compliance Administrator or Global Admin permissions.
  1. Log in to the Microsoft Purview compliance portal.
  2. In the left-hand navigation pane, select Solution > Data loss prevention > Policies.
  3. Click + Create policy and select Enterprise applications & devices.
  • Microsoft provides dozens of pre-configured templates (GDPR, HIPAA, PCI-DSS) that automatically look for the right data types. You can either start with a template or build a custom policy.
  4. Select Custom > Custom Policy, then click Next.
  5. Provide a name that follows your organization's naming standards and click Next. Optionally, add a description to document the purpose of the policy.
  6. If you want to scope the policy to specific Admin Units, select the Admin Unit; otherwise click Skip to scope it to the full directory.
  7. On the Locations page, you'll see several toggles (SharePoint, OneDrive, Teams). Turn on the status for Exchange email. You can include or exclude specific distribution groups or users if you want to pilot the policy with a small group first.
  8. On the advanced DLP rules page, click + Create rule and provide a name for the rule. A policy can contain several rules.

We will create three rules in this policy:

  • Rule 1: Notify the user with a policy tip and an email notification AND block the email when they send an EXTERNAL email containing 1 or more instances of a Sensitive Info Type (SIT) defined in the rule.
  • Rule 2: Notify the user with the tip and email AND encrypt the email when they send an INTERNAL email containing more than 1 instance of a SIT defined in the rule.
  • Rule 3: Notify the user with a policy tip and email notification when they send an INTERNAL email containing exactly 1 instance of a SIT defined in the rule, but perform no other action.

Rule 1: Block any email with Sensitive Info - for External users

  1. Provide a name and description for the rule. Click "Add condition" and select Content contains. Choose Sensitive info types and select the data you want to protect (e.g., Credit Card Number).
  2. For each SIT, select "Medium" or "High" confidence and set the Instance count to 1 to Any.
  3. Click "Add condition" again and select Content is shared from Microsoft 365. Choose with people outside my organization.
  4. Click Add action > Restrict access or encrypt the content in Microsoft 365 locations > Block users from receiving email, or accessing ... > Block everyone.
  5. Under User notifications, check both "Email notifications" and "Policy tips" (or as required). Customize the email notification and policy tip text if required.
  6. Under Incident reports, select High as the severity level for alerts and reports and enable Send an alert to admins when a rule match occurs.
  7. Under Additional options, you can optionally select Stop processing additional DLP rules.
  8. Set the rule priority to 0 > Save.

Rule 2: Notify user and Encrypt emails containing a high number of Sensitive Info - for Internal users

  1. Provide a name and description for the rule. Click "Add condition" and select Content contains. Choose Sensitive info types and select the data you want to protect (e.g., Credit Card Number).
  2. For each SIT, select "Medium" or "High" confidence and set the Instance count to 2 to Any.
  3. Click "Add condition" again and select Content is shared from Microsoft 365. Choose Only with people inside my organization.
  4. Click Add action > Restrict access or encrypt the content in Microsoft 365 locations > Encrypt email messages > select a built-in or custom template (for example, Encrypt).
  5. Under User notifications, check both "Email notifications" and "Policy tips" (or as required). Customize the email notification and policy tip text if required.
  6. Under Incident reports, select Low as the severity level so that a report is generated.
  7. Set the rule priority to 1 > Save.

Rule 3: Notify user only for emails containing Sensitive Info - for Internal users

  1. Provide a name and description for the rule. Click "Add condition" and select Content contains. Choose Sensitive info types and select the data you want to protect (e.g., Credit Card Number).
  2. For each SIT, select "Medium" or "High" confidence and set the Instance count to 1 to 1.
  3. Click "Add condition" again and select Content is shared from Microsoft 365. Choose Only with people inside my organization.
  4. No action is added for this rule; it only notifies the user.
  5. Under User notifications, check both "Email notifications" and "Policy tips" (or as required). Customize the email notification and policy tip text if required.
  6. Set the rule priority to 2 > Save.
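The same policy and three rules can be created with Security & Compliance PowerShell (the ExchangeOnlineManagement module) instead of the portal. The script below is an added example, not code from this wiki page or from Microsoft. The policy and rule names, the admin UPN, the tip text and the "Encrypt" template name are placeholders; the numeric confidence values (Medium = 65, High = 85) and `maxCount = "-1"` for "Any" are assumptions made here about how the portal's settings map to the `-ContentContainsSensitiveInformation` hashtable. The policy starts in simulation mode with policy tips, in line with the best practice further down the page.

```powershell
# Added example, not from the wiki page. Placeholder values are marked.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder UPN

$policyName = "EXO-Sensitive-Info-Policy"   # placeholder name

# Policy scoped to Exchange email only. TestWithNotifications = "simulation mode
# with policy tips": matches are logged and tips shown, but nothing is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Protect credit card numbers in email" `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Shared condition builder: Credit Card Number SIT, Medium confidence or higher.
# Assumed mapping: Medium = 65, High = 85, maxCount -1 = "Any".
function New-CreditCardCondition {
    param([string]$MinCount, [string]$MaxCount)
    @{ Name          = "Credit Card Number"
       minCount      = $MinCount
       maxCount      = $MaxCount
       minConfidence = "65"
       maxConfidence = "100" }
}

# Rule 1 (priority 0): external recipients, 1 or more instances.
# Block everyone, notify the sender (LastModifier is the sender for email),
# high-severity incident report plus admin alert, and stop further rules.
New-DlpComplianceRule -Name "Block-External-SensitiveInfo" -Policy $policyName `
    -ContentContainsSensitiveInformation @(New-CreditCardCondition -MinCount "1" -MaxCount "-1") `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser @("LastModifier") `
    -NotifyPolicyTipCustomText "This message contains a credit card number and cannot be sent outside the organization." `
    -GenerateIncidentReport @("SiteAdmin") `
    -IncidentReportContent @("Title", "Detections", "RulesMatched", "Severity", "DocumentLastModifier", "Service") `
    -ReportSeverityLevel High `
    -GenerateAlert @("SiteAdmin") `
    -StopPolicyProcessing $true `
    -Priority 0

# Rule 2 (priority 1): internal recipients, 2 or more instances.
# Notify the sender and encrypt with the "Encrypt" template (placeholder name).
New-DlpComplianceRule -Name "Encrypt-Internal-MultipleSensitiveInfo" -Policy $policyName `
    -ContentContainsSensitiveInformation @(New-CreditCardCondition -MinCount "2" -MaxCount "-1") `
    -AccessScope InOrganization `
    -EncryptRMSTemplate "Encrypt" `
    -NotifyUser @("LastModifier") `
    -GenerateIncidentReport @("SiteAdmin") -ReportSeverityLevel Low `
    -Priority 1

# Rule 3 (priority 2): internal recipients, exactly 1 instance. Notify only.
New-DlpComplianceRule -Name "Notify-Internal-SingleSensitiveInfo" -Policy $policyName `
    -ContentContainsSensitiveInformation @(New-CreditCardCondition -MinCount "1" -MaxCount "1") `
    -AccessScope InOrganization `
    -NotifyUser @("LastModifier") `
    -Priority 2

# Review the resulting rule set in evaluation order.
Get-DlpComplianceRule -Policy $policyName | Sort-Object Priority |
    Format-Table Name, Priority, AccessScope, BlockAccess, ReportSeverityLevel
```

Rule order matters here: because Rule 1 sets `-StopPolicyProcessing $true` and runs first, an external message with two card numbers is blocked once rather than blocked and then encrypted by Rule 2.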

Note: Policy Tips: These are small banners that appear at the top of an Outlook email while the user is typing, alerting them to the sensitive content before they even hit "Send."

Below is how the rules will look once you're done:

Behavior

Now, let us check the behavior when the conditions of each rule match:

Rule 1: Block any email with Sensitive Info - for External users

If you send the email anyway, you will receive a notification like the one below:

Since the rule is configured to generate a High severity alert and send an email to the admin, the admin will receive the email shown below, and an alert will be generated in the Purview and Defender portals (see the Alerts & Monitoring section).

Rule 2: Notify user and Encrypt emails containing a high number of Sensitive Info - for Internal users

Rule 3: Notify user only for emails containing Sensitive Info - for Internal users

Alerts & Monitoring

Activity Explorer

Activity Explorer is a granular audit log that tracks how sensitive data is handled across the organization. It allows you to investigate specific policy matches, validate "Simulation" rules before they go live, and identify high-risk user behaviors across email, cloud storage, and physical devices.

  • Below is the DLP rule matched activity captured in Activity Explorer for the internal email that was sent containing sensitive info.
  • We can see the type of SIT that was found in the email.
  • The policy and rule that matched for the activity.
  • The rule action that took place and other information such as Sender, Subject, etc.

Alerts

While Activity Explorer is for deep forensic research, the Alerts option is your real-time "alarm system." It is designed to notify you immediately when a specific rule is broken so you can take quick action.

  • Below is the alert that was generated when a user tried to send an email with sensitive info to an external recipient.
  • Similar to Activity Explorer, we can see the type of SIT that was found in the email and the policy and rule that matched for the activity, in addition to other information such as Sender, Subject, etc.
  • However, it also enables you to triage events, assign owners for investigation, and track the status (Active, Investigating, or Resolved) of a data leak in real time.
  • To see the "Context" (the actual matched SIT values) in Activity Explorer and Alerts, you must have the Data Classification Content Viewer role. Without it, the actual sensitive digits or text are masked or unavailable for preview in Activity Explorer and Alerts.
  • The Data Classification Content Viewer role is included in the Content Explorer Content Viewer and Content Explorer List Viewer built-in role groups. You can add the user to either of these role groups or create a custom role group.
  • After the user is added, the sensitive information becomes visible.

Note: Access to sensitive data should follow the Principle of Least Privilege. When required it should be provided to Privacy & Compliance Officers, Tier 2 or Tier 3 SOC analysts or Legal Counsel only.


Best Practices

  • One of the biggest mistakes admins make is turning on a policy "hot" on day one. This can lead to hundreds of blocked legitimate emails (false positives). Always choose "Run the policy in simulation mode" first: it lets you see in Activity Explorer what would have been blocked without actually stopping any mail flow. Run it for 1–2 weeks to fine-tune your rules.
  • Use "Block with Override": Instead of a hard block, allow users to provide a business justification to bypass the policy. This empowers users and reduces IT support tickets.
  • Watch the "High Volume" Threshold: Create two rules within one policy: one for "Low Volume" (1-9 items) that just warns the user, and one for "High Volume" (10+ items) that strictly blocks the email.
  • Monitor Activity Explorer: Regularly check the DLP Activity Explorer to identify "top offenders" or common false positives that require rule adjustments.
  • Implementing DLP is an iterative process. Start small, monitor the results, and gradually increase your enforcement.
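The rollout sequence these practices describe (simulate, review, soften the block with an override, then enforce) can be driven from Security & Compliance PowerShell against an existing policy. The script below is an added example, not code from this wiki page or from Microsoft; the policy name, rule name, admin UPN and tip text are placeholders, and the policy and rule are assumed to exist already.

```powershell
# Added example, not from the wiki page. Placeholder values are marked.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder UPN

$policyName = "EXO-Sensitive-Info-Policy"        # placeholder; must already exist
$blockRule  = "Block-External-SensitiveInfo"     # placeholder; a rule with BlockAccess $true

# 1. Simulation first: matches are logged to Activity Explorer and policy tips
#    are shown, but no mail is blocked. Leave it like this for 1-2 weeks.
Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications

# 2. Confirm the mode took effect and the policy has been distributed.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, DistributionStatus, ExchangeLocation

# 3. "Block with override": keep the block, but let the sender override it with
#    a business justification, which is recorded with the DLP event for review.
Set-DlpComplianceRule -Identity $blockRule `
    -NotifyAllowOverride @("WithJustification") `
    -NotifyPolicyTipCustomText "This message appears to contain sensitive data. Provide a business justification to send it anyway."

# 4. Enforce once the simulation results have been reviewed and the rules tuned.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# 5. Final check of what is now in force.
Get-DlpComplianceRule -Policy $policyName | Sort-Object Priority |
    Format-Table Name, Priority, BlockAccess, NotifyAllowOverride
```

`TestWithoutNotifications` is the alternative for step 1 when you want matches logged without users seeing policy tips during the pilot; the justification text entered by users under `WithJustification` shows up alongside the rule match in Activity Explorer, which is where the "top offenders" review in the list above happens.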