In This Article

Office 365 Data Loss Prevention: Guide and Best Practices

Philip Robinson
| Read Time 9 min read| Updated On - October 14, 2024

Office 365 Data Loss Prevention

Over the past fifteen years, we’ve seen a relatively consistent increase in the number of annual data breaches. We’ve also seen an increase in the number of stringent data privacy laws being introduced across the globe, and a failure to comply with these laws may result in large fines being levied against the non-compliant organization.

That said, 2020 saw a decrease in the number of data breaches, which may come as a surprise to some. As increasingly more employees were working from home due to the pandemic, we might have expected an increase in the number of security incidents as the attack surface widens.

Fortunately, however, companies were on high alert, and took measures to protect themselves from phishing scams, and other forms of attack. Not only that, but increasingly more organizations have started to adopt cloud-based collaboration tools, such as Office 365, which, in many cases, have improved their security posture.

A shift towards a more distributed IT environment is forcing companies to adopt a more data-centric approach to cyber-security, which actually makes a lot more sense than the traditional perimeter-based approach, given that most data breaches are, in some way or another, the result of negligent or malicious insiders.

However, before we get the champagne out to celebrate the potentially short-lived fall in cyber-crime, we must remain vigilant and do everything we can to prevent our sensitive data from falling into the wrong hands, and this is where data loss prevention comes into the equation.

What is Data Loss Prevention in Office 365?

In simple terms, the purpose of data loss prevention (DLP) is to prevent the unauthorized sharing of sensitive data. There are numerous DLP solutions on the market that can automatically discover and classify sensitive data and use rules and policies to prevent this data from leaving the network.

For example, if sensitive information is sent to an email address or storage location outside of the company domain, it will be automatically blocked or quarantined. Administrators will be able to review all file shares that were flagged via a centralized dashboard and take further action if necessary.

How DLP in Microsoft Office 365 Works

The Microsoft Purview compliance portal provides users with a number of features that can help them improve their security posture, which includes features dedicated to data loss prevention.

The Office 365 DLP feature allows you to set up rules and policies, which determine what data should be protected, how it should be handled, and who should be notified, were it to be shared in a way that violates the rules and policies.

A DLP policy details the conditions the content must match before the rule is enforced, and the actions that you want the rule to take automatically when content matching the conditions is found.

DLP policies can be applied to a wide range of Microsoft products, such as Exchange Online, SharePoint sites, OneDrive accounts, and so on.

The O365 DLP tool can also identify sensitive data on-the-fly, and classify the data accordingly, to help prevent the data from being shared to an unauthorized location.

Microsoft Office 365 DLP Policies

Microsoft Office 365 DLP policies are preconfigured rules that allow you to monitor user activities and take appropriate action depending on the rules and policies set by your organization. The goal of implementing these policies and applying protective actions is to prevent the inadvertent sharing of critical files and subsequent data loss. Office 365 provides a number of pre-populated DLP policy templates designed around different data categories and geographical regions. For example, there are templates for UK Financial Data, US Financial Data, UK Access to Medical Reports Act, US Health Insurance Act (HIPAA) Enhanced and so on.

Microsoft Office 365 DLP allows you to:

  • Warn users when they try to share sensitive information inappropriately by displaying a pop-up policy tip
  • Block users from sharing sensitive items, or alternatively, by customizing the options you can allow access by overriding permissions and record the justification
  • Block the sharing of data which doesn’t include the ‘override permissions’ option
  • Lock and move sensitive items (for data at rest) to a secure location
  • Hide sensitive information

Microsoft 365 DLP policies allow you to identify, monitor and protect critical data across:

  • Microsoft 365 services such as Teams, Exchange, SharePoint and OneDrive
  • Office applications such as Microsoft Word, Excel and PowerPoint
  • Windows 10 endpoints
  • Non-Microsoft cloud apps
  • On-premises file shares and on-premises SharePoint

How to Setup DLP in Office 365

The first thing you need to do when setting up DLP in Microsoft Office 365 is create a set of DLP policies in the Microsoft Purview compliance portal. You will need to specify how and where these policies should be applied. You can customize the rules which apply to your data, as you choose. For example, you can specify how many times a particular piece of information can be shared before an alert is triggered.

You can also customize the tips that are shown to users to help them understand what data they can share, how, and why. Once a policy has been created, it can be either disabled or enabled, so it can be active immediately.

The following steps explain how to set up DLP in Microsoft Office 365:

Step 1– Go to the Microsoft Purview Compliance Portal

Step 2– On the left, click Data loss prevention, and then choose Policies:

choose Policies

Step 3– From the main part of the screen, choose Create Policy

choose Create Policy

Office 365 provides a number of pre-populated DLP policy templates. For example, for UK organizations, there are templates for detecting the following:

  • Data Subject to the PCI Data Security Standard (PCI DSS)
  • Data subject to UK Access to Medical Reports Act
  • Data subject to the UK Data Protection Act
  • Data subject to the Gramm-Leach-Bliley Act (GLBA)
  • Data subject to the Payment Card Industry Data Security Standard (PCI-DSS)
  • United States personally identifiable information (U.S. PII)
  • Data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Step 4– For our example, click Financial and then Financial Data. Click Next

Create custom policy

Step 5– Give the policy a Name and Description. Click Next

Step 6– The Assign admin units screen is displayed:

Assign admin units

choose locations

Step 7– From the Choose locations to apply the policy page, select which parts of the Office 365 service this data loss prevention policy will be enforced in. For this example, let’s choose All locations. Then click Next.

Step 8– On the next screen, you can customize the types of information this policy will apply to. In most cases, you will want to accept the defaults. In this example, we’re looking for financial information such as credit card numbers, EU Debit Card Numbers and SWIFT code. We want to know when anyone attempts to share this content with people outside our company. Click Next.

define policy settings

Step 9– Here you can choose which information to protect:

choose which information to protect

Step 10– Click Edit to change the options and the following screen is displayed:

Edit to change the options

Step 11– Click Save to save any changes

Step 12– Click Next

protection actions

Step 13– Here, you’ll be asked what methods of enforcement you want to use.

You can choose to just show policy tips to the user, which will just inform the user that they’re working with sensitive information. Alternatively, you can select to notify certain people or block the actions. Click Next

customize aaccess

On the next page, you can choose to block certain people from accessing SharePoint and OneDrive and Teams files, and whether and how users can override the DLP policy. Click Next

policy mode

Step 14– Finally, you can choose whether to run the policy in test mode or begin enforcement immediately. It is recommended that you use test mode for a while to make sure you won’t adversely affect user workflows.

Step 15– Test mode flags policy matches but doesn’t actually prevent any content from being sent. It is similar to a what-if mode to show you which content would trigger a policy. Click Next

review policy

Step 16– Review your policy and then click Submit to create it.

Best Practices for DLP in Microsoft Office 365

Even though this article is centered around Office 365 data loss prevention, the tips below can be applied to any technologies you are using to store and process your sensitive data.

Data classification

As mentioned previously, Office 365 has features that can automatically identify and classify sensitive data. However, it’s worth noting that there are numerous third-party data classification tools available that may provide additional features.

Such tools are able to automatically scan your documents (and emails) for credit card numbers, Social Security numbers, passport numbers, protected health information, and more. In order to reduce the number of false positives, the O365 DLP tool uses a variety of methods to identify sensitive data. For example, to locate a credit card number, it will use regular expressions to find pattern matches, validate checksums, and examine other related content in an attempt to determine the context of the data.

Remove redundant data

Once you know what data you have, and where it is located, the next step is to remove any data that you don’t really need, as this will help to streamline your DLP strategy.

Restrict access to sensitive data

To ensure that your data loss prevention strategy is effective, it is imperative that you adhere to the Principle of Least Privilege (PoLP), which stipulates that employees must only be granted access to the data they really need to adequately carry out their role.

Monitor access to sensitive data

A crucial part of data loss prevention is the ability to determine who has access to what data and when. You can enable auditing in the Microsoft Purview compliance portal with your Microsoft 365 Admin account, which allows you to review a wide range of activities such as uploads to OneDrive or SharePoint Online or user password resets. You can also enable mailbox auditing.

Of course, there are dedicated third-party auditing solutions that will provide features that are not available with the native O365 auditing tools. You may want to consider using a third-party solution if you are using multiple cloud platforms or a hybrid solution, which includes on-premise environments.

How Lepide Helps Audit Office 365 Changes to Prevent Data Loss

Unauthorized configuration changes can potentially prevent Office 365 users from performing business-critical tasks, such as using documents on SharePoint Online or sending emails through Exchange Online.

Disruptions like these can result in severe financial losses.

To help prevent this from happening, the Lepide Data Security Platform enables you to audit Office 365 changes to give you full visibility on changes taking place. Lepide is easy to use, scalable, and allows you to overcome all manner of security, operations, and compliance challenges – all from a single console.

To see exactly how Lepide helps you keep your data secure in Office 365, schedule a demo with one of our engineers today.

Philip Robinson
Philip Robinson

Phil joined Lepide in 2016 after spending most of his career in B2B marketing roles for global organizations. Over the years, Phil has strived to create a brand that is consistent, fun and in keeping with what it’s like to do business with Lepide. Phil leads a large team of marketing professionals that share a common goal; to make Lepide a dominant force in the industry.

Popular Blog Posts