Microsoft Purview · Data Loss Prevention

DLP Compliance Management

Create, configure, and manage Data Loss Prevention policies to prevent unauthorized sharing of sensitive information across Microsoft 365 and endpoints.

Scope: Organization-wide DLP policy creation and management across all locations

Permissions

  • DLP Policies - Create and manage DLP policies across Exchange, SharePoint, OneDrive, Teams, Devices
  • Copilot DLP - Configure DLP policies for Microsoft 365 Copilot location
  • Policy Conditions - Configure policy conditions, actions, and user notifications
  • Sensitive Info Types - Manage sensitive information types and custom classifiers
  • Endpoint DLP - Configure Endpoint DLP settings and device onboarding
  • Fabric DLP - Configure DLP for Fabric and Power BI
  • Policy Matches - Review and manage DLP policy matches
  • Alert Dashboard - Access DLP alerts dashboard and management
  • Alert Configuration - Configure aggregate and single-event alerts
  • Reports - Access DLP reports and analytics
  • Policy Tips - Manage policy tips and user overrides
  • Administrative Units - Configure administrative units for scoped DLP management

Common use cases

  • Preventing accidental sharing of credit card or SSN data
  • Blocking upload of confidential documents to unauthorized cloud services
  • Restricting Microsoft 365 Copilot from processing highly confidential files
  • Preventing paste of sensitive content into third-party AI sites (ChatGPT, etc.)
  • Protecting intellectual property and trade secrets on corporate devices
  • Ensuring GDPR, HIPAA, or PCI-DSS compliance
  • Monitoring and controlling sensitive data on corporate devices
  • Preventing data loss via Teams, email, or removable devices
  • Protecting data in Fabric and Power BI workspaces

Best practices

  • Start policies in test mode before enabling enforcement
  • Use policy tips to educate users about policy violations
  • Implement incremental rollout starting with pilot groups
  • Use sensitive info types with confidence levels to reduce false positives
  • Create exception rules for legitimate business scenarios
  • Review DLP alerts regularly and use the findings to tune policies
  • Document business justification for each policy
  • Coordinate with business units to understand workflows before blocking
  • For Copilot location: use sensitivity labels to exclude files from AI processing
  • For Endpoint DLP: test on pilot devices before enterprise-wide deployment
  • Configure aggregated alerts for high-volume scenarios to reduce alert fatigue
  • Use administrative units to scope policies to specific regions or departments
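The rollout the best practices above describe (test mode first, scoped to a pilot group, high-confidence matches, a documented justification, a logged override, an exception for a legitimate recipient, then enforcement), written out as an added Security & Compliance PowerShell example; this is not code from the page or from Microsoft's documentation. The policy and rule names, the pilot group address and the exception domain are constructed placeholders.

```powershell
# Added example (not from this page). Uses the Security & Compliance PowerShell
# cmdlets in the ExchangeOnlineManagement module. All names below are constructed.
Connect-IPPSSession

$policyName = 'Pilot - Credit Card Protection'

# 1. Create the policy in test mode (no enforcement yet, users still see policy tips),
#    scoped to a pilot group for mail, with the business justification recorded in the comment.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Justification: PCI-DSS cardholder data; owner: Security Ops; pilot phase 1' `
    -ExchangeLocation All -ExchangeSenderMemberOf 'dlp-pilot@contoso.example' `
    -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Rule: only high-confidence detections (minConfidence 85) count, to cut false positives.
#    External sharing is blocked, the owner gets a policy tip, an override is allowed only
#    with a justification (captured in the audit log), and an alert plus incident report go
#    to the site admin. A trusted payment processor domain is carved out as the exception.
New-DlpComplianceRule -Name 'Credit card - external sharing' -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1'; minConfidence = '85' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item contains credit card numbers and cannot be shared outside the organization.' `
    -NotifyAllowOverride WithJustification `
    -GenerateAlert SiteAdmin `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title,Detections,Severity `
    -ReportSeverityLevel High `
    -ExceptIfRecipientDomainIs 'trusted-processor.example'

# 3. Confirm the policy is still in test mode and has finished distributing before the
#    pilot review period starts.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, DistributionStatus

# 4. After reviewing test-mode matches and alerts and adding any further exceptions,
#    switch the policy to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Widening the pilot scope (removing the sender group filter, adding more locations) is a later policy edit, not a new policy, so the match history stays attached to the same policy.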

Security considerations

  • Overly restrictive policies can impact business productivity and AI assistance
  • Policy exceptions can create security gaps if not carefully managed
  • DLP can detect but may not prevent all data exfiltration methods
  • User override permissions should be granted sparingly and logged
  • Monitor for attempts to circumvent DLP controls
  • Consider privacy implications when scanning user content and communications
  • Coordinate with legal on employee monitoring and privacy laws (GDPR, CCPA)
  • Endpoint DLP requires device onboarding and may impact device performance
  • Copilot location policies affect AI productivity - balance security with usability
  • Alert retention depends on audit log retention policy configuration
