DATA LOSS PREVENTION

Microsoft Purview fully handles Data Loss Prevention (DLP). In fact, it is the central platform for DLP in Microsoft 365 environments as of 2026.

Microsoft Purview DLP is a unified, cloud-native solution that lets you detect, monitor, and protect sensitive data across many locations — including the exact areas in your managed services scope (email, files, and network security).


What Purview DLP Can Protect

Purview DLP works across these key workloads:

  • Email — Exchange Online (including attachments and message content).
  • Files — OneDrive for Business, SharePoint Online (including files in Teams), and sensitivity labels.
  • Network Security / Endpoints — Endpoint DLP (Windows 10/11, macOS) for actions like copy to USB, print, upload to browsers, or sharing. It also includes newer network data security for HTTP/HTTPS traffic (e.g., blocking uploads to unsanctioned cloud apps, Gmail, Dropbox, etc.).
  • Additional coverage — Teams chats/channels, Microsoft 365 Copilot (prompts and sensitive files), browsers (Edge), and more.

It uses deep content inspection (not just keywords): sensitive information types (SITs like credit cards, SSNs, health data), regular expressions, proximity checks, machine learning, and sensitivity labels.


How Purview DLP Works

  1. Detection — Scans content in real time or at rest for sensitive data.
  2. Actions — When a match occurs, it can:
    • Show a policy tip (user notification with justification option).
    • Block the action (e.g., prevent sending email or sharing file externally).
    • Block with override allowed.
    • Audit/log the event only.
    • Restrict access or encrypt.
  3. Central Management — All policies are created and enforced from the Microsoft Purview portal (compliance.microsoft.com or purview.microsoft.com).


Step-by-Step: How to Set Up DLP in Purview (High-Level)

Here’s the typical process (admins do this in the Purview portal):

  1. Go to the Purview portal → Data loss prevention → Policies → Create policy.
  2. Choose a template (recommended for starters) — e.g., Financial data, Health (HIPAA), Privacy (GDPR), or Custom.
  3. Name the policy and add a description.
  4. Select locations to apply it to:
    • Exchange email
    • SharePoint sites
    • OneDrive accounts
    • Teams
    • Devices (Endpoint DLP)
    • (Newer) Network / browser traffic
  5. Define rules/conditions — What sensitive info to detect (built-in SITs or custom) and any exceptions (e.g., specific users/groups).
  6. Set actions — Notify user, block, audit, etc.
  7. Choose mode (very important for rollout):
    • Test mode (simulation) — logs only, no enforcement.
    • Test with policy tips.
    • Turn on fully (enforce).
  8. Review, save, and monitor — Use DLP alerts, Activity explorer, and reports to tune the policy.


Start in simulation mode for 1–2 weeks to avoid disrupting users, then gradually enforce.


Licensing Notes (Important for Your Setup)

  • Basic DLP for Exchange, SharePoint, and OneDrive is available in Microsoft 365 Business Premium, E3, and equivalents.
  • Full features (Endpoint DLP, Teams, advanced network protection, Copilot DLP, Adaptive Protection) typically require E5, E5 Compliance, Microsoft Purview Suite, or add-ons.
  • If your current M365 plan is lower-tier, you may need to upgrade licenses for comprehensive coverage (especially network/endpoint).

 



Phone: 925-293-2222

Client Portal: www.support.bizcare.com

Website: www.bizcare.com/contact-us