- Microsoft Purview DLP enables you to identify, monitor, and protect sensitive information across Microsoft 365 services, devices, and cloud applications.
- DLP policies are based on configurable conditions and actions to control the use, sharing, and movement of sensitive data.
- DLP covers advanced scenarios: Teams, Copilot, endpoints, web traffic, on-premises applications and virtualized environments.
- A good DLP implementation requires planning, simulation testing, continuous tuning, and user training.

The amount of confidential data that companies handle today has skyrocketed: financial information, personal data, intellectual property… and all of it is spread across email, Teams, SharePoint, devices, cloud apps and now also AI tools like Copilot. In this context, losing control over where that information circulates is just a matter of time if serious measures are not taken.
That's where Data Loss Prevention (DLP) in Microsoft 365 using Microsoft Purview comes in. It's not just about blocking files from time to time, but about having a centralized system capable of detecting sensitive content, monitoring how it is used, and intelligently putting on the brakes when someone tries to share it inappropriately, without destroying day-to-day productivity.
What is DLP in Microsoft 365 and why is it so critical?

When we talk about DLP in Microsoft 365, we are referring to a set of policies that help prevent sensitive information from ending up in the wrong place. It's integrated into Microsoft Purview, Microsoft's data governance and compliance platform, and it acts on almost everything your users work with daily.
Organizations manage especially sensitive data such as credit card numbers, bank account details, medical records, social security numbers, employee data, trade secrets, or documentation protected by contracts and regulations (GDPR, HIPAA, PCI-DSS, etc.). An accidental transmission in an email, a file shared with external parties, or a copy-paste to the wrong site can lead to a breach with enormous legal and reputational repercussions.
With Microsoft Purview DLP you can define centralized policies that identify that sensitive content, monitor it wherever it is located, and apply automatic protection actions: from notifying the user to completely blocking an action or sending the file to quarantine.
The key is that DLP in Microsoft 365 doesn't just search for individual words, but performs an in-depth content analysis that combines sensitive information types (SITs), regular expressions, keywords, internal validations and, in many cases, machine learning algorithms to reduce false positives.
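The layered matching described above, as an added example that is not part of the original article and not Microsoft's implementation: a credit-card detector that combines a regular expression, the Luhn checksum as internal validation, and nearby keywords to set a confidence level. The keyword list, the 300-character window, the two confidence levels and all sample texts are assumptions constructed for this example.

```python
import re

# Primary element: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# Supporting evidence: keywords near the match (list constructed for this example).
KEYWORD_RE = re.compile(
    r"\b(?:credit card|card number|visa|mastercard|amex|cvv|expiry)\b", re.I
)
PROXIMITY = 300  # characters searched on each side of a match (assumed window)
RANK = {"low": 0, "high": 1}

# Constructed sample texts; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_EMAIL = "Please charge my Visa card number 4111 1111 1111 1111, expiry 12/27."
SAMPLE_TRACKING = "Tracking reference 4111 1111 1111 1112 for your parcel."
SAMPLE_ORDER = "Order id 4111111111111111 shipped."


def luhn_valid(digits: str) -> bool:
    """Internal validation: Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return one finding per checksum-valid candidate, with its confidence."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue  # looks like a card number but fails validation: discard
        window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        evidence = sorted({k.lower() for k in KEYWORD_RE.findall(window)})
        findings.append({
            # Never log the full number: keep only the last four digits.
            "masked": "*" * (len(digits) - 4) + digits[-4:],
            "confidence": "high" if evidence else "low",
            "evidence": evidence,
        })
    return findings


def rule_matches(text: str, min_count: int = 1, min_confidence: str = "high") -> bool:
    """Rule condition: at least min_count instances at or above min_confidence."""
    hits = [f for f in find_card_numbers(text)
            if RANK[f["confidence"]] >= RANK[min_confidence]]
    return len(hits) >= min_count


if __name__ == "__main__":
    for sample in (SAMPLE_EMAIL, SAMPLE_TRACKING, SAMPLE_ORDER):
        print(rule_matches(sample), find_card_numbers(sample))
```

The tracking reference is dropped by the checksum and the bare order id only reaches low confidence, which is how the extra layers cut false positives compared with a regular expression alone.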
Areas of protection: business applications, devices, and web traffic
One of the great strengths of Microsoft Purview DLP is that it covers data at rest, in use, and in motion across different locations. It doesn't stop at Exchange or SharePoint, but extends to devices, Office applications, third-party cloud applications, web traffic, Copilot, and much more.
DLP in enterprise applications and devices
In the realm of applications and devices, DLP can monitor and protect information in key Microsoft 365 workloads and in additional sources that are configured from the Purview portal.
The supported locations include, among others:
- Exchange Online (corporate email).
- SharePoint Online (collaboration sites and document repositories).
- OneDrive for Business (users' personal folders).
- Microsoft Teams (chat messages, standard, shared and private channels).
- Office apps (Word, Excel, PowerPoint, both desktop and web).
- Windows 10, Windows 11 and macOS devices (last three versions), including laptops, compatible desktops and VDI systems.
- Non-Microsoft cloud applications, integrated through Defender for Cloud Apps.
- On-premises repositories such as file shares and SharePoint on-premises, using the Information Protection scanner.
- Fabric and Power BI workspaces, covering reports and datasets.
- Microsoft 365 Copilot (preview version in some scenarios) and Copilot chat.
For these sources you create DLP policies targeting “enterprise applications and devices”. This allows for consistent control of rules across all these locations from a single panel.
DLP on unmanaged web traffic and cloud applications
Beyond "in-house" services, Purview DLP can also control the data leaving your network for unmanaged cloud applications, especially when users access them with Microsoft Edge for Business or through network controls.
This is where policies aimed at “inline web traffic” and “network activity” come in (features in preview in some environments). They allow you, for example, to control what is pasted into:
- OpenAI ChatGPT.
- Google Gemini.
- DeepSeek.
- Microsoft Copilot on the web.
- And more than 34,000 cloud applications cataloged in Defender for Cloud Apps.
Thus, even if a user attempts to copy sensitive information from an internal document to an external app, the DLP policy can detect the content and block or audit the action according to the configuration you have defined.
Key features of Microsoft Purview DLP
Purview DLP is not just a content filter: it's a central piece of Microsoft's data protection and governance strategy. It is designed to integrate with other Purview features and provide a consistent approach, from classification to incident response.
Its main features include:
- Single policy administration center from the Microsoft Purview portal, to create, edit and deploy DLP policies on a global scale.
- Integration with Purview Information Protection, reusing ready-to-use, customized or advanced sensitivity labels and sensitive information types (including trainable classifiers).
- Unified alerts and remediation, which can be seen both in the Purview DLP panel and in Microsoft Defender XDR or Microsoft Sentinel for SIEM/SOAR scenarios.
- Quick start thanks to policy templates, with no need to set up complex cloud infrastructure.
- Adaptive protection, with policies whose strictness changes depending on the level of risk (high, moderate or low) and the context.
- Reduction of false positives through contextual content analysis and machine learning.
All of this makes Purview DLP an especially interesting solution for regulated sectors (healthcare, banking, public administration, education, technology) and for any organization that must comply with strict requirements such as GDPR or HIPAA.
DLP implementation lifecycle: from idea to production
Setting up DLP haphazardly is usually a perfect recipe for blocking critical processes and angering everyone. Microsoft outlines a clear lifecycle that should be respected to ensure successful implementation and avoid headaches.
Planning phase
During the planning stage, you should think about technology as well as business processes and organizational culture. Some important milestones:
- Identify the stakeholders: security, legal, business, IT, HR managers, etc.
- Define the categories of confidential information that you need to protect (personal data, financial data, IP, etc.).
- Decide objectives and strategy: what exactly do you want to avoid (external sending, copying to USB, uploading to certain apps, etc.).
- Evaluate the locations where you will apply DLP: Microsoft 365 services, devices, on-premises repositories, external cloud applications…
Furthermore, you must consider the impact on business processes. DLP can block common actions (for example, sending certain reports by email to a supplier), and that involves negotiating exceptions, creating alternative workflows, or adapting habits.
Finally, don't forget cultural change and training. Users need to understand why certain actions are blocked and how to work safely. In-app policy suggestions are a very useful tool for educating users without being overly restrictive.
Prepare the environment and prerequisites
Before activating policies that block things, you must ensure that all locations are properly prepared and connected to Purview:
- Exchange Online, SharePoint, OneDrive, and Teams only require defining policies that include them.
- On-premises file repositories and SharePoint on-premises require deploying the Information Protection scanner.
- Windows devices, macOS, and virtualized environments are incorporated through specific onboarding procedures.
- Third-party cloud applications are managed through Microsoft Defender for Cloud Apps.
Once the locations are prepared, the recommended next step is to configure draft policies and test them extensively before they start blocking.
Incremental implementation: simulation, adjustments, and activation
The rollout of a DLP policy should follow a phased approach, using three control axes: state, scope and actions.
The main states of a policy are:
- Keep it turned off: design and review, without real impact.
- Run the policy in simulation mode: events are logged, but no blocking actions are applied.
- Simulation with policy suggestions: nothing is blocked yet, but users receive notices and emails (depending on the case) that train them.
- Activate it immediately: full enforcement mode, all configured actions are applied.
During the simulation phases, you can adjust the scope of the policy: start with a small set of users or locations (pilot group) and expand as you refine conditions, exceptions and user messages.
As for the actions, it's best to start with non-invasive options like "Allow" or "Audit only," gradually introduce notifications, and finally move on to blocking with the possibility of override and, in the most critical cases, to a permanent block.
Components of a DLP policy in Microsoft 365
All Microsoft Purview DLP policies share a logical structure: what is monitored, where, under what conditions, and what is done when a match is detected. When creating a policy (from scratch or from a template) you will have to make decisions in each of these areas.
What to monitor: custom templates and policies
Purview offers ready-made DLP policy templates for common scenarios (by country, regulation, sector, etc.) that include the sensitive information types typical of each regulation, including metadata in PDFs. If you prefer, you can also create your own custom policy and choose the SITs or conditions you want.
Administrative scope and administrative units
In large environments, it's common to delegate management to different areas. For this, you can use administrative units in Purview: an administrator assigned to a unit can only create and manage policies for users, groups, sites, and devices within their scope.
This works well when you want, for example, a region's security team to manage its own DLP policies without affecting the rest of the tenant.
Directive locations
The next step is to select where the policy will monitor. Some of the most common options are:
| Location | Inclusion/exclusion criteria |
|---|---|
| Exchange Mail | Distribution groups |
| SharePoint sites | Specific sites |
| OneDrive accounts | Accounts or distribution groups |
| Teams chats and channels | Accounts or distribution groups |
| Windows and macOS devices | Users, groups, devices, and device groups |
| Cloud applications (Defender for Cloud Apps) | Instances |
| Local repositories | Folder paths |
| Fabric and Power BI | Workspaces |
| Microsoft 365 Copilot | Accounts or distribution groups |
Matching conditions
Conditions define what must be true for a DLP rule to "trigger". Some typical examples:
- The content contains one or more types of confidential information (e.g., 95 social security numbers in an email to external recipients).
- The item has a specific sensitivity label (e.g. “Extremely confidential”).
- The content is being shared outside the organization from Microsoft 365.
- A sensitive file is being copied to a USB or network share.
- Confidential content is pasted into a Teams chat or an unmanaged cloud app.
Protection actions
Once the condition is met, the policy can execute different protective actions, depending on the location:
- In Exchange, SharePoint and OneDrive: prevent access by external users, block sharing, show a policy suggestion to the user, and send them a notification.
- In Teams: block sensitive information from appearing in chat or channel messages; if shared, the message may be deleted or not displayed.
- On Windows and macOS devices: audit or restrict actions such as copying to USB, printing, copying to the clipboard, uploading to the Internet, synchronizing with external clients, etc.
- In Office (Word, Excel, PowerPoint): display a pop-up warning, block saving or sending, allow override with justification.
- In on-premises repositories: move files to a secure quarantine folder when sensitive information is detected.
Furthermore, all supervised activities are recorded in the Microsoft 365 audit log and can be viewed in the DLP Activity Explorer.
DLP in Microsoft Teams: messages, documents, and scopes
Microsoft Teams has become the epicenter of collaboration, which means it's also a critical point for potential data leaks. DLP in Teams extends Purview's policies to messages and files shared within the platform.
Protecting messages and documents in Teams
With Microsoft Purview DLP you can prevent a user from sharing confidential information in a chat or channel, especially when guests or external users are involved. Some common scenarios:
- If someone tries to post a social security number or credit card details, the message may be automatically blocked or deleted.
- If you share a document with sensitive information in a channel with guests, the DLP policy can prevent those guests from opening the file (thanks to the integration with SharePoint and OneDrive).
- In shared channels, the host team's policy applies, even if the channel is shared with another internal team or with a different organization (different tenant).
- In chats with external users (external access), each person is governed by the DLP of their own tenant, but the end result is that your company's sensitive content is protected by your policies, even if the other side has different ones.
DLP protection areas in Teams
DLP coverage in Teams depends on the type of entity and scope of the policy. For example:
- If you target individual user accounts or security groups, you can protect 1:1 or group chats, but not necessarily messages in standard or private channels.
- If you target Microsoft 365 groups, the protection can cover both chats and messages from standard, shared and private channels associated with those groups.
To protect “everything that moves” in Teams, it is often recommended to configure the scope to all locations or ensure that Teams users are in groups that are well aligned with policies.
Teams policy suggestions
Instead of just blocking, DLP in Teams can show policy suggestions when someone does something potentially dangerous, such as sending regulated data. These suggestions explain the reason and offer the user options: correct the content, request a review, or, if the policy allows, override the rule with a justification.
These suggestions are highly customizable from the Purview portal: you can adapt the text, decide which services they are shown on and whether they will also be shown in simulation mode.
Endpoint DLP: Control in Windows, macOS, and virtual environments
The Endpoint DLP component extends protection to the devices used by employees, both physical and virtual. It allows you to know what happens when a sensitive file is copied, printed, uploaded to the cloud, or transferred through channels that are "invisible" from the server side.
Endpoint DLP supports Windows 10 and 11, as well as macOS (the three latest versions). It also works on virtualized environments such as Azure Virtual Desktop, Windows 365, Citrix Virtual Apps and Desktops, Amazon Workspaces, or Hyper-V virtual machines, with some specific features. It can also be complemented with technologies such as Credential Guard in Windows to strengthen endpoint protection.
In VDI environments, USB devices are typically treated as network shares. Therefore, the policy should include the "Copy to network share" activity to cover copies to USB. In the logs, these operations appear as copies to network shares, even though in practice the target is a USB drive.
There are also some known limitations, such as the inability to monitor certain clipboard copy activities via browser in Azure Virtual Desktop, although the same action is visible if done through an RDP session.
DLP and Microsoft 365 Copilot / Copilot Chat
With the arrival of Copilot, organizations have realized that sensitive data can also end up in requests to and interactions with the AI. Microsoft has incorporated Copilot-specific DLP controls within Purview, so you can limit what information goes into requests and what data is used to formulate responses.
Block sensitive information types in messages to Copilot
In preview, you can create DLP policies for the location “Microsoft 365 Copilot and Copilot Chat” that block the use of certain sensitive information types (SITs) in prompts. For example:
- Prevent credit card numbers, passport IDs or social security numbers from being included in prompts.
- Prevent the sending of postal addresses from a specific country or regulated financial identifiers.
When a match occurs, the rule can prevent Copilot from processing the content, so the user receives a message warning that their request contains data blocked by the organization, and the request is not executed or used for internal or web searches.
Prevent tagged files and emails from being used in summaries
Another capability is to prevent files or emails with certain sensitivity labels from being used to generate the Copilot response summary, although they may still appear as citations or references.
The policy, again scoped to the Copilot location, uses the condition "Content contains > Sensitivity labels" to detect items labeled, for example, as "Personal" or "Highly confidential," and applies the action "Prevent Copilot from processing content." In practice, Copilot does not read the content of these items to construct the response, even though it indicates their existence.
DLP activity reports, alerts, and analysis
Setting up policies is only half the story: the other half is seeing what's happening and reacting in time. Purview DLP sends all its telemetry to the Microsoft 365 audit log, and from there it is distributed to different tools.
General information panel
The DLP overview page on the Purview portal offers a quick view of the status of your policies: synchronization, device status, main detected activities, and overall situation. From there you can jump to more detailed views.
DLP alerts
When a DLP rule is configured to generate incidents, activities that meet the criteria trigger alerts, which are displayed in the Purview DLP alerts panel and also in the Microsoft Defender portal.
These alerts can be grouped by user, time window, or rule type, depending on your subscription. This helps detect risky behavior patterns. Purview typically offers 30 days of data, while Defender allows you to keep data for up to six months.
DLP Activity Explorer
The DLP Activity Explorer allows you to filter and analyze detailed events from the last 30 days. It includes preconfigured views such as:
- DLP activities on endpoints.
- Files that contain types of confidential information.
- Egress activities.
- Policies and rules that have detected activities.
It is also possible to see user overrides (when someone has chosen to override a rule that permits it) or matches of specific rules. In the case of DLPRuleMatch events, a contextual summary of the text surrounding the matching content can even be viewed, respecting privacy policies and minimum system version requirements.
With this entire ecosystem of policies, alerts, activity explorers, and controls over applications, devices, Teams, Copilot, and web traffic, Microsoft Purview DLP becomes a key component for keeping sensitive data under control in Microsoft 365, reducing the risk of leakage, complying with regulations and, at the same time, allowing people to work with relative freedom without living in a constant state of lockdown.