Data loss prevention and Microsoft Teams

If your organization has data loss prevention (DLP), you can define policies that prevent people from sharing sensitive information in a Microsoft Teams channel or chat session. Here are some examples of how this protection works:

  • Example 1: Protecting sensitive information in messages. Suppose that someone attempts to share sensitive information in a Teams chat or channel with guests (external users). If you have a DLP policy defined to prevent this, messages with sensitive information that are sent to external users are deleted. This happens automatically, and within seconds, according to how your DLP policy is configured.

    Note

    DLP for Microsoft Teams blocks sensitive content when shared with Microsoft Teams users who have:
    - guest access in teams and channels; or
    - external access in meetings and chat sessions.

    DLP for external chat sessions will only work if both the sender and the receiver are in Teams Only mode and using Microsoft Teams native federation. DLP for Teams does not block messages in interop with Skype for Business or non-native federated chat sessions.

  • Example 2: Protecting sensitive information in documents. Suppose that someone attempts to share a document with guests in a Microsoft Teams channel or chat, and the document contains sensitive information. If you have a DLP policy defined to prevent this, the document won't open for those users. Your DLP policy must include SharePoint and OneDrive in order for protection to be in place. This is an example of DLP for SharePoint that shows up in Microsoft Teams, and therefore requires that users are licensed for Office 365 DLP (included in Office 365 E3), but does not require users to be licensed for Office 365 Advanced Compliance.)

DLP Licensing for Microsoft Teams

Data loss prevention capabilities were extended to include Microsoft Teams chat and channel messages, including private channel messages for:

  • Office 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5 Information Protection and Governance
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance

Office 365 and Microsoft 365 E3 include DLP protection for SharePoint Online, OneDrive, and Exchange Online. This also includes files that are shared through Teams because Teams uses SharePoint Online and OneDrive to share files.

Support for DLP protection in Teams Chat requires E5.

To learn more about licensing requirements, see Microsoft 365 Tenant-Level Services Licensing Guidance.

Important

DLP applies only to the actual messages in the chat or channel thread. Activity notifications—which include a short message preview and appear based on a user's notification settings—are not included in Teams DLP. Any sensitive information present in the part of the message that appears in the preview will remain visible in the notification even after the DLP policy has been applied and removed sensitive information the message itself.

Scope of DLP protection

DLP protection is applied differently to Teams entities.

When policy is scoped by These Teams Entities Will have DLP protection available
Individual user accounts 1:1/n chats Yes
General chats No
private channels Yes
Security groups/distribution lists 1:1/n chats Yes
General chats No
private channels Yes
Microsoft 365 group 1:1/n chats No
General chats Yes
private channels No

Policy tips help educate users

Similar to how DLP works in Exchange, Outlook, Outlook on the web, SharePoint Online, OneDrive for Business sites, and Office desktop clients, policy tips appear when an action triggers with a DLP policy. Here's an example of a policy tip:

Blocked message notification in Teams.

Here, the sender attempted to share a social security number in a Microsoft Teams channel. The What can I do? link opens a dialog box that provides options for the sender to resolve the issue. Notice that, the sender can opt to override the policy, or notify an admin to review and resolve it.

Options to resolve blocked message.

In your organization, you can choose to allow users to override a DLP policy. When you configure your DLP policies, you can use the default policy tips, or customize policy tips for your organization.

Returning to our example, where a sender shared a social security number in a Teams channel, here's what the recipient saw:

Message blocked.

To customize policy tips

To perform this task, you must be assigned a role that has permissions to edit DLP policies. To learn more, see Permissions.

  1. Go to the Compliance Center (https://compliance.microsoft.com) and sign in.

  2. Choose Data loss prevention > Policy.

  3. Select a policy, and next to Policy settings, choose Edit.

  4. Either create a new rule, or edit an existing rule for the policy.

    Editing a rule for a policy.

  5. On the User notifications tab, select Customize the email text and/or Customize the policy tip text options.

    Customize user notifications and policy tips.

  6. Specify the text you want to use for email notifications and/or policy tips, and then choose Save.

  7. On the Policy settings tab, choose Save.

Allow approximately one hour for your changes to work their way through your data center and sync to user accounts.

Add Microsoft Teams as a location to existing DLP policies

To perform this task, you must be assigned a role that has permissions to edit DLP policies. To learn more, see Permissions.

  1. Go to the Compliance Center (https://compliance.microsoft.com) and sign in.

  2. Choose Data loss prevention > Policy.

  3. Select a policy, and look at the values under Locations. If you see Teams chat and channel messages, you're all set. If you don't, click Edit.

    Locations for existing policy.

  4. In the Status column, turn on the policy for Teams chat and channel messages.

    DLP for Teams chats and channels.

  5. On the Choose locations tab, keep the default setting of all accounts, or select Let me choose specific locations. You can specify:

    1. Up to 1000 individual accounts to include or exclude
    2. Distribution lists and security groups to include or exclude.
  6. Then choose Next.

  7. Click Save.

Allow approximately one hour for your changes to work their way through your data center and sync to user accounts.

Define a new DLP policy for Microsoft Teams

To perform this task, you must be assigned a role that has permissions to edit DLP policies. To learn more, see Permissions.

  1. Go to the Compliance Center (https://compliance.microsoft.com) and sign in.

  2. Choose Data loss prevention > Policy > + Create a policy.

  3. Choose a template, and then choose Next.

    In our example, we chose the U.S. Personally Identifiable Information Data template.

    Privacy template for DLP policy.

  4. On the Name your policy tab, specify a name and description for the policy, and then choose Next.

  5. On the Choose locations tab, keep the default setting of all accounts, or select Let me choose specific locations. You can specify:

    1. Up to 1000 individual accounts to include or exclude
    2. Distribution lists and security groups to include or exclude. This is a public preview feature.

    DLP policy locations.

    Note

    If you want to make sure documents that contain sensitive information are not shared inappropriately in Teams, make sure SharePoint sites and OneDrive accounts are turned on, along with Teams chat and channel messages.

  6. On the Policy settings tab, under Customize the type of content you want to protect, keep the default simple settings, or choose Use advanced settings, and then choose Next. If you choose advanced settings, you can create or edit rules for your policy. To get help with this, see Simple settings vs. advanced settings.

  7. On the Policy settings tab, under What do you want to do if we detect sensitive info?, review the settings. Here's where you can choose to keep default policy tips and email notifications, or customize them.

    DLP policy settings with tips and notifications.

    When you're finished reviewing or editing settings, choose Next.

  8. On the Policy settings tab, under Do you want to turn on the policy or test things out first?, choose whether to turn on the policy, test it first, or keep it turned off for now, and then choose Next.

    Specify whether to turn the policy on.

  9. On the Review your settings tab, review the settings for your new policy. Choose Edit to make changes. When you're finished, choose Create.

Allow approximately one hour for your new policy to work its way through your data center and sync to user accounts.

Prevent external access to sensitive documents

To ensure that SharePoint documents that contain sensitive information cannot be accessed by external guests either from SharePoint or Teams by default, select the following:

  • You can ensure that documents are protected until DLP scans and marks them as safe to share by marking new files as sensitive by default.

  • Recommended DLP policy structure

    • Conditions

      • Content contains any of these sensitive information types: [Select all that apply]

      • Content is shared from Microsoft 365 with people outside my organization

        DLP conditions to detect external sharing of sensitive content.

    • Actions

      • Restrict access to the content for external users

      • Notify users with email and policy tips

      • Send incident reports to the Administrator

      DLP action to block external sharing of sensitive content.

DLP policy in action when attempting to share a document in SharePoint that contains sensitive information with an external guest:

External sharing blocked.

DLP policy in action when guest attempts to open a document in Teams with block external:

External access blocked.