Create a DLP policy from a template

The easiest, most common way to get started with DLP policies is to use one of the templates included in the Microsoft 365 Compliance center. You can use one of these templates as is, or customize the rules to meet your organization's specific compliance requirements.

Microsoft 365 includes over 40 ready-to-use templates that can help you meet a wide range of common regulatory and business policy needs. See Policy templates for a complete list.

You can fine-tune a template by modifying any of its existing rules or adding new ones. For example, you can add new types of sensitive information to a rule, modify the counts in a rule to make it harder or easier to trigger, allow people to override the actions in a rule by providing a business justification, or change who notifications and incident reports are sent to. A DLP policy template is a flexible starting point for many common compliance scenarios.

You can also choose the Custom template, which has no default rules, and configure your DLP policy from scratch, to meet the specific compliance requirements for your organization.

Create the DLP policy from a template

  1. Sign in at https://compliance.microsoft.com.

  2. In the Compliance Center, in the left navigation, go to Data loss prevention > Policy > + Create a policy.

  3. Choose the DLP policy template that protects the types of sensitive information that you need > Next.

  4. Name the policy > Next.

  5. Choose the locations that you want the DLP policy to protect, and either accept the default scope for each location or customize the scope. See Locations for scoping options.

  6. Choose > Next.

  7. Do one of the following:
    • Choose All locations in Office 365 > Next.
    • Choose Let me choose specific locations > Next. For this example, choose this.

    To include or exclude an entire location such as all Exchange email or all OneDrive accounts, switch the Status of that location on or off.

    To include only specific SharePoint sites or OneDrive for Business accounts, switch the Status to on, and then click the links under Include to choose specific sites or accounts. When you apply a policy to a site, the rules configured in that policy are automatically applied to all subsites of that site.

    In this example, to protect sensitive information stored in all OneDrive for Business accounts, turn off the Status for both Exchange email and SharePoint sites, and leave the Status on for OneDrive accounts.

  8. Choose Review and customize default settings from the template > Next.

  9. A DLP policy template contains predefined rules with conditions and actions that detect and act upon specific types of sensitive information. You can edit, delete, or turn off any of the existing rules, or add new ones. When done, click Next.

  10. If you have selected any of these locations, choose whether to detect when this content is shared inside your organization or outside your organization:

    1. Exchange
    2. SharePoint
    3. OneDrive
    4. Teams Chat and Channel Messages

  11. Choose Next.

  12. On the Protection actions page, you can optionally customize the policy tip notifications and notification emails. Enable When content matches the policy conditions, show policy tips to users and send them an email notification, then choose Customize the tip and email.

  13. Choose Next.
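
The location, sharing and notification choices in the steps above can also be scripted, which makes the policy reviewable and repeatable. The following is an added example, not part of the original page: it uses Security & Compliance PowerShell and, because it does not load a template, builds one rule by hand. The policy name, tip text and the two sensitive information type names are assumptions.

```powershell
# Added example, not from the original page. Requires the ExchangeOnlineManagement
# module and an account with DLP compliance management permissions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$policyName = 'Example - US PII in OneDrive'   # hypothetical name

# Locations step: OneDrive only, as in the page's example. Exchange and
# SharePoint are not passed, which leaves them out of scope.
# TestWithNotifications evaluates the rules and notifies users without
# enforcing any actions, so matches can be reviewed before enforcement.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Built by script; mirrors the portal wizard' `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule step: sensitive information types and the count that triggers the rule.
# The type names are assumed; list the ones available in your tenant with
# Get-DlpSensitiveInformationType.
$sensitiveTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
    @{ Name = 'U.S. Individual Taxpayer Identification Number (ITIN)'; minCount = '1' }
)

# Sharing step: NotInOrganization matches content shared outside the organization.
# Protection actions step: policy tip and email notification to the content owner,
# plus an incident report to the site admin.
New-DlpComplianceRule -Name "$policyName - shared externally" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This file appears to contain U.S. PII and is shared outside the organization.' `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel Medium

# Check what was created before switching the policy to Enable.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, ContentContainsSensitiveInformation, NotifyUser
```

Once the test-mode matches look right, `Set-DlpCompliancePolicy -Identity $policyName -Mode Enable` turns enforcement on.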