How to: Configure a data loss prevention (DLP) policy in M365 compliance center

Organizations hold sensitive information such as credit card numbers or social security numbers. To protect this data and reduce risk, organizations need a way to prevent their users from sharing it with people who shouldn’t have it. This practice is called data loss prevention (DLP). In this post I will explain how to configure it in the Microsoft 365 compliance center.

Sensitive information type entity definitions

At the time of writing, there are 209 sensitive information types we can select in a DLP policy. In this blog I will configure a DLP policy for social security numbers, specifically the Dutch citizen’s service number (BSN). You can select any of the 209 available types, and a single policy can contain several types, but I advise against that: create one policy per information type and name the policy after that type, so that alerts, reports and policy tips are easy to attribute.

Creating a DLP Policy

  1. Log in to the Microsoft 365 Compliance center at https://compliance.microsoft.com/ and go to Data loss prevention (https://compliance.microsoft.com/datalossprevention)
  2. Click on ‘Policies’ and choose ‘Create policy’
  3. In ‘Choose the information to protect’, select ‘Custom Policy’
  4. Name your policy, like ‘COMPANY – Netherlands citizen’s service (BSN) number’
  5. Select the locations to apply the policy to; I recommend all locations.
    1. You can exclude a SharePoint site if your organization deliberately stores employees’ sensitive data on a secured SharePoint site.
  6. In ‘Policy settings’, ‘Advanced DLP rules’, choose ‘Create rule’
  7. On ‘Conditions’ choose ‘Add condition’ and select ‘Content contains’
  8. Here you can add any of the 209 available sensitive information types; in this how-to I select ‘Netherlands citizen’s service (BSN) number’, but feel free to choose any other type.
  9. Set the confidence level to ‘High confidence (recommended)’ and the instance count to 1 to 500 (the default)
  10. On ‘Actions’ choose ‘Add an action’, select ‘Restrict access or encrypt the content in Microsoft 365 locations’ and check ‘Block everyone’
    1. Exchange email won’t be sent to recipients inside or outside your organization, and for files in SharePoint, OneDrive, and Teams only the owner, last modifier, and site admin will keep access
    2. This rule is set up to block the sensitive information type for both internal and external sharing. If you only want to block external sharing, add a second condition, ‘Content is shared from Microsoft 365 with people outside my organization’, and under ‘Actions’ set the action to ‘Block only people outside your organization’
  11. On ‘User notifications’, turn on the ‘Use notifications’ switch and set ‘Email notifications’ to ‘Notify the user who sent, shared, or last modified the content’
  12. I recommend customizing the policy tip so that it explains what the DLP policy is about; in this scenario, a text like ‘Your content includes one or more Netherlands citizen’s service (BSN) numbers, which is against company policy’
    1. For policy tips to work, you need to remove or disable all Exchange Online mail flow (transport) rules that include the ‘notify the sender with a Policy Tip’ action.
  13. Test or save your policy; it can take up to an hour for the policy to take effect. Starting in test mode with notifications lets you review what would have been blocked in the DLP reports before you enforce the policy.
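The same policy and rule built from Security & Compliance PowerShell instead of the compliance center UI. This is an added example, not code from the original post: the admin account, policy name, comment and policy-tip text are assumptions, and the sensitive information type is looked up from the tenant rather than typed by hand so that the rule references exactly the name `Get-DlpSensitiveInformationType` returns.

```powershell
# Added example: build the DLP policy and rule from Security & Compliance PowerShell.
# Requires the ExchangeOnlineManagement module. Account, names and texts are assumptions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # assumed admin account

$policyName = "COMPANY - Netherlands citizen's service (BSN) number"

# Look up the exact sensitive information type name instead of typing it from memory;
# a misspelled name is the most common reason a rule silently never matches.
$sit = Get-DlpSensitiveInformationType | Where-Object { $_.Name -like '*(BSN)*' }
if (-not $sit) { throw 'BSN sensitive information type not found in this tenant' }
if ($sit.Count -gt 1) { throw "Ambiguous match: $($sit.Name -join ', ')" }

# Step 5: apply to all locations. Start in test mode with notifications so you can
# review matches in the DLP reports before anything is actually blocked.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications `
    -Comment 'Blocks sharing of Dutch citizen service numbers (BSN)'

# Steps 7-12: high confidence (85 on DLP's 65/75/85 confidence scale), 1 to 500 instances,
# block everyone, notify the last modifier with a custom policy tip.
New-DlpComplianceRule -Name "$policyName - block" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = $sit.Name; minCount = '1'; maxCount = '500'; minConfidence = '85'; maxConfidence = '100' } `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "Your content includes one or more Netherlands citizen's service (BSN) numbers, which is against company policy."

# Once the test-mode reports look right, enforce the policy.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

For the external-only variant from step 10, add `-AccessScope NotInOrganization` as the rule condition and choose the matching `-BlockAccessScope` value; open the rule in the compliance center afterwards and confirm it reads ‘Block only people outside your organization’, because the UI wording and the cmdlet values do not map one to one.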

Test it yourself

You can test it yourself once the policy is active. The document must contain at least the following:

  • a citizen service number (BSN) that passes the elfproef (11-test) checksum
  • a date of birth
  • the text ‘citizen service number’

For testing purposes, do not use your own citizen service number or any other real sensitive information. Use an online generator such as https://cyberwar.nl/elfproef.html to generate Netherlands citizen’s service (BSN) numbers that pass the checksum; these are intended for testing, not abuse.

You can check the criteria of all sensitive information types in the sensitive information type entity definitions on Microsoft Docs.
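If you would rather not depend on a website for test data, here is an added example (not from the post or from the generator site it links to) that produces and checks BSN test values locally and writes a test document. It implements the elfproef (11-test) a BSN must satisfy: the first eight digits are weighted 9 down to 2, the last digit is subtracted, and the total must be divisible by 11. The document body, field labels and date of birth are constructed sample data.

```powershell
# Added example: generate and verify Dutch BSN test values with the elfproef (11-test),
# then build a test document that combines the keyword, a BSN and a date of birth.

function Test-Bsn {
    param([Parameter(Mandatory)][string]$Bsn)
    # Eight-digit BSNs are written with a leading zero; anything else is rejected outright.
    if ($Bsn -notmatch '^\d{8,9}$') { return $false }
    $digits = $Bsn.PadLeft(9, '0').ToCharArray() | ForEach-Object { [int][string]$_ }
    $sum = 0
    for ($i = 0; $i -lt 8; $i++) { $sum += (9 - $i) * $digits[$i] }   # weights 9,8,...,2
    $sum -= $digits[8]                                                  # last digit has weight -1
    return ($sum % 11) -eq 0
}

function New-TestBsn {
    param([int]$Count = 3)
    # Draw random nine-digit candidates and keep only those that pass the elfproef.
    $rng = [System.Random]::new()
    $out = @()
    while ($out.Count -lt $Count) {
        $candidate = '{0:D9}' -f $rng.Next(100000000, 999999999)
        if (Test-Bsn $candidate) { $out += $candidate }
    }
    return $out
}

# Known-valid test value: 9+8+7 + 12+10+8 + 9+6 - 3 = 66, and 66 is divisible by 11.
Test-Bsn '111222333'   # True
Test-Bsn '111222334'   # False (checksum 65)

# Constructed test document (sample data only): keyword + BSN + date of birth.
$bsn = New-TestBsn -Count 1
$doc = @"
Employee record (test data only)
Citizen service number: $bsn
Date of birth: 01-01-1990
"@
$doc | Set-Content -Path .\bsn-dlp-test.txt
```

Upload `bsn-dlp-test.txt` to OneDrive or attach it to a message to an external address and watch for the policy tip and the DLP report entry; if the document matches locally but the policy never fires, check the one-hour propagation delay from step 13 and the mail flow rules from step 12 before changing the rule itself.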

