Data Loss Prevention policy reference

Data loss prevention (DLP) policies have many components that can be configured. In order to create an effective policy, you need to understand what the purpose of each component is and how its configuration alters the behavior of the policy. This article provides a detailed anatomy of a DLP policy.

Policy templates

DLP policy templates are pre-sorted into four categories:

  • ones that can detect and protect types of Financial information
  • ones that can detect and protect types of Medical and health information
  • ones that can detect and protect types of Privacy information
  • a Custom template that you can use to build your own policy if none of the others meets your organization's needs.

This table lists all policy templates and the sensitive information types (SIT) that they cover.

Current as of 6/23/2021

Category | Template | Sensitive information types (SITs)
Financial | Australia Financial Data | SWIFT code; Australia tax file number; Australia bank account number; Credit card number
Financial | Canada Financial data | Credit card number; Canada bank account number
Financial | France Financial data | Credit card number; EU debit card number
Financial | Germany Financial Data | Credit card number; EU debit card number
Financial | Israel Financial Data | Israel bank account number; SWIFT code; Credit card number
Financial | Japan Financial Data | Japan bank account number; Credit card number
Financial | PCI Data Security Standard (PCI DSS) | Credit card number
Financial | Saudi Arabia Anti-Cyber Crime Law | SWIFT code; International banking account number (IBAN)
Financial | Saudi Arabia Financial Data | Credit card number; SWIFT code; International banking account number (IBAN)
Financial | UK Financial Data | Credit card number; EU debit card number; SWIFT code
Financial | US Financial Data | Credit card number; U.S. bank account number; ABA Routing Number
Financial | U.S. Federal Trade Commission (FTC) Consumer Rules | Credit card number; U.S. bank account number; ABA Routing Number
Financial | U.S. Gramm-Leach-Bliley Act (GLBA) Enhanced | Credit card number; U.S. bank account number; U.S. Individual Taxpayer Identification Number (ITIN); U.S. social security number (SSN); U.S. / U.K. passport number; U.S. driver's license number
Financial | U.S. Gramm-Leach-Bliley Act (GLBA) | Credit card number; U.S. bank account number; U.S. Individual Taxpayer Identification Number (ITIN); U.S. social security number (SSN)
Medical and health | Australia Health Records Act (HRIP Act) Enhanced | Australia tax file number; Australia medical account number
Medical and health | Australia Health Records Act (HRIP Act) | Australia tax file number; Australia medical account number
Medical and health | Canada Health Information Act (HIA) | Canada passport number; Canada social insurance number; Canada health service number; Canada Personal Health Identification Number
Medical and health | Canada Personal Health Information Act (PHIA) Manitoba | Canada social insurance number; Canada health service number; Canada Personal Health Identification Number
Medical and health | Canada Personal Health Act (PHIPA) Ontario | Canada passport number; Canada social insurance number; Canada health service number; Canada Personal Health Identification Number
Medical and health | U.K. Access to Medical Reports Act | U.K. national health service number; U.K. national insurance number (NINO)
Medical and health | U.S. Health Insurance Act (HIPAA) Enhanced | International classification of diseases (ICD-9-CM); International classification of diseases (ICD-10-CM)
Medical and health | U.S. Health Insurance Act (HIPAA) | International classification of diseases (ICD-9-CM); International classification of diseases (ICD-10-CM)
Privacy | Australia Privacy Act Enhanced | Australia driver's license number; Australia passport number
Privacy | Australia Privacy Act | Australia driver's license number; Australia passport number
Privacy | Australia Personally Identifiable Information (PII) Data | Australia tax file number; Australia driver's license number
Privacy | Canada Personally Identifiable Information (PII) Data | Canada driver's license number; Canada bank account number; Canada passport number; Canada social insurance number; Canada health service number; Canada Personal Health Identification Number
Privacy | Canada Personal Information Protection Act (PIPA) | Canada passport number; Canada social insurance number; Canada health service number; Canada Personal Health Identification Number
Privacy | Canada Personal Information Protection Act (PIPEDA) | Australia passport number; Canada driver's license number; Canada bank account number; Canada passport number; Canada social insurance number; Canada health service number; Canada Personal Health Identification Number
Privacy | France Data Protection Act | France national id card (CNI); France social security number (INSEE)
Privacy | France Personally Identifiable Information (PII) Data | France social security number (INSEE); France driver's license number; France passport number; France national id card (CNI)
Privacy | General Data Protection Regulation (GDPR) Enhanced | EU debit card number; EU driver's license number; EU national identification number; EU passport number; EU social security number or equivalent identification; EU Tax identification number
Privacy | General Data Protection Regulation (GDPR) | EU debit card number; EU driver's license number; EU national identification number; EU passport number; EU social security number or equivalent identification; EU Tax identification number
Privacy | Germany Personally Identifiable Information (PII) Data | Germany driver's license number; Germany passport number
Privacy | Israel Personally Identifiable Information (PII) Data | Israel national identification number
Privacy | Israel Protection of Privacy | Israel national identification number; Israel bank account number
Privacy | Japan Personally Identifiable Information (PII) Data enhanced | Japan Social Insurance Number (SIN); Japan My Number - Personal; Japan passport number; Japan driver's license number
Privacy | Japan Personally Identifiable Information (PII) Data | Japan resident registration number; Japan Social Insurance Number (SIN)
Privacy | Japan Protection of Personal Information Enhanced | Japan Social Insurance Number (SIN); Japan My Number - Personal; Japan passport number; Japan driver's license number
Privacy | Japan Protection of Personal Information | Japan resident registration number; Japan Social Insurance Number (SIN)
Privacy | Saudi Arabia Personally Identifiable (PII) Data | Saudi Arabia National ID
Privacy | U.K. Data Protection Act | U.K. national insurance number (NINO); U.S. / U.K. passport number; SWIFT code
Privacy | U.K. Privacy and Electronic Communications Regulations | SWIFT code
Privacy | U.K. Personally Identifiable Information (PII) Data | U.K. national insurance number (NINO); U.S. / U.K. passport number
Privacy | U.K. Personal Information Online Code of Practice (PIOCP) | U.K. national insurance number (NINO); U.K. national health service number; SWIFT code
Privacy | U.S. Patriot Act Enhanced | Credit card number; U.S. bank account number; U.S. Individual Taxpayer Identification Number (ITIN); U.S. social security number (SSN)
Privacy | U.S. Patriot Act | Credit card number; U.S. bank account number; U.S. Individual Taxpayer Identification Number (ITIN); U.S. social security number (SSN)
Privacy | U.S. Personally Identifiable Information (PII) Data Enhanced | U.S. Individual Taxpayer Identification Number (ITIN); U.S. social security number (SSN); U.S. / U.K. passport number
Privacy | U.S. Personally Identifiable Information (PII) Data | U.S. Individual Taxpayer Identification Number (ITIN); U.S. social security number (SSN); U.S. / U.K. passport number
Privacy | U.S. State Breach Notification Laws Enhanced | Credit card number; U.S. bank account number; U.S. driver's license number; U.S. social security number (SSN); U.S. / U.K. passport number
Privacy | U.S. State Breach Notification Laws | Credit card number; U.S. bank account number; U.S. driver's license number; U.S. social security number (SSN)
Privacy | U.S. State Social Security Number Confidentiality Laws | U.S. social security number (SSN)

Locations

A DLP policy can find and protect items that contain sensitive information across multiple locations.

Location | Include/Exclude scope | Data state | Additional prerequisites
Exchange email online | distribution group | data-in-motion | none
SharePoint online sites | sites | data-at-rest; data-in-use | none
OneDrive for Business accounts | account or distribution group | data-at-rest; data-in-use | none
Teams chat and channel messages | account or distribution group | data-in-motion; data-in-use | none
Microsoft Cloud App Security (MCAS) | cloud app instance | data-at-rest | Use data loss prevention policies for non-Microsoft cloud apps
Devices | user or group | data-at-rest; data-in-use; data-in-motion | Learn about Microsoft 365 Endpoint data loss prevention; Get started with Endpoint data loss prevention; Configure device proxy and internet connection settings for Endpoint DLP
On-premises repositories (file shares and SharePoint) | repository | data-at-rest | Learn about the Microsoft 365 data loss prevention on-premises scanner; Get started with the data loss prevention on-premises scanner

If you choose to include specific distribution groups in Exchange, the DLP policy will be scoped only to the members of that group. Similarly excluding a distribution group will exclude all the members of that distribution group from policy evaluation. You can choose to scope a policy to the members of distribution lists, dynamic distribution groups, and security groups. A DLP policy can contain no more than 50 such inclusions and exclusions.

If you choose to include or exclude specific SharePoint sites or OneDrive accounts, a DLP policy can contain no more than 100 such inclusions and exclusions. If you need to cover more sites than that, don't enumerate them; apply an org-wide policy or a policy that applies to the entire location instead.

If you choose to include or exclude specific OneDrive accounts or groups, a DLP policy can contain no more than 100 user accounts or 50 groups as inclusion or exclusion.

Location support for how content can be defined

DLP policies detect sensitive items by matching them to a sensitive information type (SIT), to a sensitivity label, or a retention label. Each location supports different methods of defining sensitive content. Additionally, when you combine locations in a policy, how the content can be defined can change from how it can be defined by a single location.

Important

When you select multiple locations for a policy, a "no" value for a content definition category takes precedence over a "yes" value. For example, when you select SharePoint sites only, the policy supports detecting sensitive items by one or more of SIT, sensitivity label, or retention label. But when you select both SharePoint sites and Teams chat and channel messages, the policy only supports detecting sensitive items by SIT.

Location | Content can be defined by SIT | Content can be defined by sensitivity label | Content can be defined by retention label
Exchange email online | yes | yes | no
SharePoint online sites | yes | yes | yes
OneDrive for Business accounts | yes | yes | yes
Teams Chat and Channel messages | yes | no | no
Devices | yes | yes | no
Microsoft Cloud App Security | yes | yes | yes
On-Premises repositories | yes | yes | no

Note

DLP supports detecting sensitivity labels on emails and attachments. See Use sensitivity labels as conditions in DLP policies.

Rules

Rules are the business logic of DLP policies. They consist of:

  • Conditions that when matched, trigger the policy
  • Exceptions to the conditions
  • Actions to take when the policy is triggered
  • User notifications to inform your users when they are doing something that triggers a policy and help educate them on how your org wants sensitive information treated
  • User Overrides when configured by an admin, allow users to selectively override a blocking action
  • Incident Reports that notify admins and other key stakeholders when a rule match occurs
  • Additional Options which define the priority for rule evaluation and can stop further rule and policy processing.

A policy contains one or more rules. Rules are executed sequentially, starting with the highest-priority rule in each policy.

The priority by which rules are processed

Each rule is assigned a priority in the order in which it's created — meaning, the rule created first has first priority, the rule created second has second priority, and so on.

Rules in priority order

When content is evaluated against rules, the rules are processed in priority order. If content matches multiple rules, the first rule evaluated that has the most restrictive action is enforced. For example, if content matches all of the following rules, Rule 3 is enforced because it's the highest priority, most restrictive rule:

  • Rule 1: only notifies users
  • Rule 2: notifies users, restricts access, and allows user overrides
  • Rule 3: notifies users, restricts access, and does not allow user overrides
  • Rule 4: restricts access

Rules 1, 2, and 4 would be evaluated, but not applied. In this example, matches for all of the rules are recorded in the audit logs and shown in the DLP reports, even though only the most restrictive rule is applied.

You can use a rule to meet a specific protection requirement, and then use a DLP policy to group together common protection requirements, such as all of the rules needed to comply with a specific regulation.

For example, you might have a DLP policy that helps you detect the presence of information subject to the Health Insurance Portability and Accountability Act (HIPAA). This DLP policy could help protect HIPAA data (the what) across all SharePoint Online sites and all OneDrive for Business sites (the where) by finding any document containing this sensitive information that's shared with people outside your organization (the conditions) and then blocking access to the document and sending a notification (the actions). These requirements are stored as individual rules and grouped together as a DLP policy to simplify management and reporting.

Diagram shows that DLP policy contains locations and rules

Conditions

Conditions are inclusive: they are where you define what you want the rule to look for and the context in which those items are being used. They tell the rule that when it finds an item that looks like this and is being used like that, it's a match and the rest of the actions in the policy should be taken on it. You can use conditions to assign different actions to different risk levels. For example, sensitive content shared internally might be lower risk and require fewer actions than sensitive content shared with people outside the organization.

Note

Users who have non-guest accounts in a host organization's Active Directory or Azure Active Directory tenant are considered as people inside the organization.

Content contains

All locations support the Content contains condition. Depending on the location(s) you choose to apply the policy to, the content can be defined by sensitive information types, sensitivity labels, or retention labels (see the table under Location support for how content can be defined). You can select multiple instances of each content type and further refine the conditions by using the Any of these (logical OR) or All of these (logical AND) operators.

SITs have a pre-defined confidence level, which you can alter if needed. For more information, see More on confidence levels. SITs also have a pre-defined instance count range, the number of occurrences of the SIT that must be found for the rule to match. For example, if the Instance count range is set from one to nine, the SIT must occur at least once and at most nine times for the rule to match.

The rule will only look for the presence of any sensitivity labels and retention labels you pick.

Condition context

The available context options change depending on which location you choose. If you select multiple locations, only the conditions that the locations have in common are available.

Conditions Exchange supports:
  • Content contains
  • Content is shared from Microsoft 365
  • Content is received from
  • Sender IP address is
  • Has sender overridden the policy tip
  • Sender is
  • Sender domain is
  • Sender address contains words
  • Sender address contains patterns
  • Sender AD Attribute contains words or phrases
  • Sender AD Attribute matches patterns
  • Sender is a member of
  • Any email attachment's content could not be scanned
  • Any email attachment's content didn't complete scanning
  • Attachment is password protected
  • File extension is
  • Recipient is member of
  • Recipient domain is
  • Recipient is
  • Recipient address contains words
  • Recipient address matches patterns
  • Recipient AD Attribute contains words or phrases
  • Recipient AD Attribute matches patterns
  • Document name contains words or phrases
  • Document name matches patterns
  • Document property is
  • Document size equals or is greater than
  • Document content contains words or phrases
  • Document content matches patterns
  • Subject contains words or phrases
  • Subject matches patterns
  • Subject or Body contains words or phrases
  • Subject or body matches patterns
  • Content character set contains words
  • Header contains words or phrases
  • Header matches patterns
  • Message size equals or is greater than
  • Message type is
  • Message importance is
Conditions SharePoint supports
  • Content contains
  • Content is shared from Microsoft 365
  • File extension is
  • Document property is
Conditions OneDrive accounts support
  • Content contains
  • Content is shared from Microsoft 365
  • File extension is
  • Document property is
Conditions Teams chat and channel messages support
  • Content contains
  • Content is shared from Microsoft 365
  • Sender is (Preview)
  • Sender domain is (Preview)
  • Recipient domain is (Preview)
  • Recipient is (Preview)
Conditions Devices support (endpoint activities; see the Devices note under Actions)
Conditions Microsoft Cloud App Security supports
  • Content contains
  • Content is shared from Microsoft 365
Conditions On-premises repositories support
  • Content contains
  • File extension is
  • Document property is

Condition groups

Sometimes you need a rule to only identify one thing, like all content that contains a U.S. Social Security Number, which is defined by a single SIT. But in many scenarios, where the types of items you are trying to identify are more complex and therefore harder to define, more flexibility in defining conditions is required.

For example, to identify content subject to the U.S. Health Insurance Act (HIPAA), you need to look for:

  • Content that contains specific types of sensitive information, such as a U.S. Social Security Number or Drug Enforcement Agency (DEA) Number.

    AND

  • Content that's more difficult to identify, such as communications about a patient's care or descriptions of medical services provided. Identifying this content requires matching keywords from very large keyword lists, such as the International Classification of Diseases (ICD-9-CM or ICD-10-CM).

You can identify this type of data by grouping conditions and using logical operators (AND, OR) between the groups.

For the U.S. Health Insurance Act (HIPAA), conditions are grouped like this:

HIPAA policy conditions

The first group contains the SITs that identify an individual, and the second group contains the SITs that identify a medical diagnosis. An item matches only when at least one SIT from each group is found.

Exceptions

In rules, exceptions define conditions that are used to exclude an item from the policy. Logically, they are exclusive conditions that are evaluated after the inclusive conditions and context. They tell the rule: when you find an item that looks like this and is being used like that, it's a match and the rest of the actions in the policy should be taken on it, except if...

For example, keeping with the HIPAA policy, we could modify the rule to exclude any item that contains a Belgium driver's license number, like this:

HIPAA policy with exclusions

The exception conditions supported by each location are identical to that location's inclusion conditions, with the only difference being that "Except if" is prepended to each supported condition.

Just as all locations support the inclusive condition:

  • Content contains

the exception would be:

  • Except if content contains
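Putting the preceding sections together, the following Security & Compliance PowerShell builds the HIPAA-style policy described earlier in this article (SharePoint and OneDrive locations, a match on content shared with people outside the organization, block access and notify) with the AND/OR condition groups and the "Except if" exception shown above. This is an added example, not code from the original page or from Microsoft; the policy and rule names, the excluded site URL and the compliance mailbox are hypothetical, and the grouped ContentContainsSensitiveInformation hashtable is the cmdlet's syntax for the condition groups the article describes.

```powershell
# Added example: build the HIPAA-style policy from this article with
# Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Names, URLs and mailboxes below are hypothetical.
Connect-IPPSSession

$policyName = "HIPAA Protection"

# Locations (the "where"): all SharePoint sites and OneDrive accounts,
# with one hypothetical site excluded (exclusions count toward the 100-site limit).
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Detect HIPAA-regulated content shared externally" `
    -SharePointLocation All `
    -SharePointLocationException "https://contoso.sharepoint.com/sites/ResearchSandbox" `
    -OneDriveLocation All `
    -Mode TestWithNotifications   # test with policy tips first; switch to Enable once tuned

# Condition groups (the "what"): group 1 identifies an individual (OR within
# the group), group 2 identifies a diagnosis (OR); the two groups are joined with AND.
$hipaaConditions = @{
    operator = "And"
    groups   = @(
        @{
            operator       = "Or"
            name           = "PII Identifiers"
            sensitivetypes = @(
                @{ name = "U.S. Social Security Number (SSN)"; mincount = 1 },
                @{ name = "Drug Enforcement Agency (DEA) Number"; mincount = 1 }
            )
        },
        @{
            operator       = "Or"
            name           = "Medical Terms"
            sensitivetypes = @(
                @{ name = "International Classification of Diseases (ICD-9-CM)"; mincount = 1 },
                @{ name = "International Classification of Diseases (ICD-10-CM)"; mincount = 1 }
            )
        }
    )
}

# Rule: the grouped conditions plus context (shared outside the org), an
# "Except if" exception, a block action scoped to external users only,
# a user notification, and an incident report to the compliance team.
New-DlpComplianceRule -Name "HIPAA data shared externally" -Policy $policyName `
    -ContentContainsSensitiveInformation $hipaaConditions `
    -ExceptIfContentContainsSensitiveInformation @(@{ Name = "Belgium Driver's License Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText "This file contains HIPAA-regulated data and cannot be shared outside Contoso." `
    -GenerateIncidentReport "compliance@contoso.com" `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# Verify what was created before switching the policy out of test mode.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, BlockAccessScope, ReportSeverityLevel
```

BlockAccessScope PerUser corresponds to the portal's "Block only people from outside your organization"; use All to block everyone except the owner, last modifier and site admin. The policy is created in TestWithNotifications mode so that matches and policy tips can be reviewed against real content before the block takes effect.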

Actions

Any item that makes it through the inclusive conditions and exclusive exceptions filters will have any actions that are defined in the rule applied to it. You'll have to configure the required options to support the action. For example, if you select Exchange with the Restrict access or encrypt the content in Microsoft 365 locations action you need to choose from these options:

  • Block users from accessing shared SharePoint, OneDrive, and Teams content
    • Block everyone. Only the content owner, last modifier, and site admin will continue to have access
    • Block only people from outside your organization. Users inside your organization will continue to have access.
  • Encrypt email messages (applies only to content in Exchange)

The actions that are available in a rule are dependent on the locations that have been selected. If you select only one location for the policy to be applied to, the available actions are listed below.

Important

For SharePoint Online and OneDrive for Business locations, documents are proactively blocked for all external users as soon as sensitive information is detected, irrespective of whether the document has been shared or not. Internal users continue to have access to the document.

Exchange location actions:

  • Restrict access or encrypt the content in Microsoft 365 locations
  • Set headers
  • Remove header
  • Redirect the message to specific users
  • Forward the message for approval to sender's manager
  • Forward the message for approval to specific approvers
  • Add recipient to the To box
  • Add recipient to the Cc box
  • Add recipient to the Bcc box
  • Add the sender's manager as recipient
  • Remove O365 Message Encryption and rights protection
  • Prepend Email Subject
  • Add HTML Disclaimer

SharePoint sites location actions:

  • Restrict access or encrypt the content in Microsoft 365 locations

OneDrive account locations:

  • Restrict access or encrypt the content in Microsoft 365 locations

Teams Chat and Channel Messages

  • Restrict access or encrypt the content in Microsoft 365 locations

Devices:

  • Audit or restrict activities on Windows devices

Note

Devices gives the option to Audit an activity, Block an activity, or Block with override an activity.

The Devices location provides a number of sub-activities (conditions) and actions. To learn more, see Endpoint activities you can monitor and take action on.

Microsoft Cloud App Security:

  • Restrict access or encrypt the content in Microsoft 365 locations
  • Restrict Third Party Apps

On-premises repositories:

  • Restrict access or remove on-premises files

Actions available when you combine locations

If you select Exchange and any other single location for the policy to be applied to, the available actions are:

  • Restrict access or encrypt the content in Microsoft 365 locations

and

  • all actions for the non-Exchange location

The Exchange-only mail-flow actions (set or remove headers, redirect, forward for approval, add recipients, prepend subject, add disclaimer) are not offered in a combined policy.

If you select two or more non-Exchange locations for the policy to be applied to, the available actions are:

  • Restrict access or encrypt the content in Microsoft 365 locations

and

  • all actions for the selected non-Exchange locations

For example, if you select Exchange and Devices as locations, these actions will be available:

  • Restrict access or encrypt the content in Microsoft 365 locations
  • Audit or restrict activities on Windows devices

If you select Devices and Microsoft Cloud App Security, these actions will be available:

  • Restrict access or encrypt the content in Microsoft 365 locations
  • Audit or restrict activities on Windows devices
  • Restrict Third Party Apps

Whether actions take effect or not depends on how you configure the mode of the policy. You can run the policy in test mode, with or without showing policy tips, by selecting the Test it out first option. You can run the policy as soon as an hour after it is created by selecting the Turn it on right away option, or you can just save it and come back to it later by selecting the Keep it off option.

User notifications and policy tips

When a user attempts an action on a sensitive item in a context that meets the conditions and exceptions of a rule, you can let them know about it through user notification emails and in-context policy tip popups. These notifications are useful because they increase awareness and help educate people about your organization's DLP policies.

For example, a policy tip can appear on an Excel workbook on a OneDrive for Business site that contains personally identifiable information (PII) and is shared with an external user.

Message bar shows policy tip in Excel 2016

Note

Notification emails are sent unprotected, so keep the custom email text generic and don't include the sensitive content itself in it.

You can also give people the option to override the policy, so that they're not blocked if they have a valid business need or if the policy is detecting a false positive.

The user notifications and policy tips configuration options vary depending on the monitoring locations you selected. If you selected:

  • Exchange
  • SharePoint
  • OneDrive
  • Teams Chat and Channel
  • MCAS

You can enable or disable user notifications for various Microsoft apps; see Data Loss Prevention policy tips reference.

  • You can enable or disable Notify users in Office 365 service with a policy tip, and choose to send
    • email notifications to the user who sent, shared, or last modified the content, OR
    • notifications to specific people

as well as customize the email text, subject, and policy tip text.

User notification and policy tip configuration options that are available for Exchange, SharePoint, OneDrive, Teams Chat and Channel, and MCAS

If you selected Devices only, you will get all the same options that are available for Exchange, SharePoint, OneDrive, Teams Chat and Channel and MCAS plus the option to customize the notification title and content that appears on the Windows 10 device.

User notification and policy tip configuration options that are available for Devices

You can customize the title and body text using these parameters. The body text supports these:

Common name | Parameter | Example
file name | %%FileName%% | Contoso doc 1
process name | %%ProcessName%% | Word
policy name | %%PolicyName%% | Contoso highly confidential
action | %%AppliedActions%% | pasting document content from the clipboard to another app

%%AppliedActions%% substitutes these values into the message body:

Action common name | Value substituted for the %%AppliedActions%% parameter
copy to removable storage | writing to removable storage
copy to network share | writing to a network share
print | printing
paste from clipboard | pasting from the clipboard
copy via Bluetooth | transferring via Bluetooth
open with an unallowed app | opening with this app
copy to a remote desktop (RDP) | transferring to remote desktop
uploading to an unallowed website | uploading to this site
accessing the item via an unallowed browser | opening with this browser

Using this customized text

%%AppliedActions%% File name %%FileName%% via %%ProcessName%% is not allowed by your organization. Click 'Allow' if you want to bypass the policy %%PolicyName%%

produces this text in the customized notification (here the process name resolves to the executable, WINWORD.EXE):

pasting from the clipboard File name Contoso doc 1 via WINWORD.EXE is not allowed by your organization. Click 'Allow' if you want to bypass the policy Contoso highly confidential

Note

User notifications and policy tips are not available for the On-premises location

Note

Only the policy tip from the highest priority, most restrictive rule will be shown. For example, a policy tip from a rule that blocks access to content will be shown over a policy tip from a rule that simply sends a notification. This prevents people from seeing a cascade of policy tips.

To learn more about user notification and policy tip configuration and use, including how to customize the notification and tip text, see

User overrides

The intent of User overrides is to give users a way to bypass, with justification, DLP policy blocking actions on sensitive items in Exchange, SharePoint, OneDrive or Teams so that they can continue their work. User overrides are enabled only when Notify users in Office 365 services with a policy tip is enabled, so user overrides go hand-in-hand with Notifications and Policy tips.

User override options for a DLP policy

Note

User overrides are not available for the On-premises repositories location.

Typically, user overrides are useful when your organization is first rolling out a policy. The feedback that you get from any override justifications and identifying false positives helps in tuning the policy.

  • If the policy tips in the most restrictive rule allow people to override the rule, then overriding this rule also overrides any other rules that the content matched.

To learn more about user overrides, see:

Incident reports

When a rule is matched, you can send an incident report to your compliance officer (or any people you choose) with details of the event. This report includes information about the item that was matched, the actual content that matched the rule, and the name of the person who last modified the content. For email messages, the report also includes as an attachment the original message that matches a DLP policy.

DLP feeds incident information to other Microsoft 365 information protection services, like Insider Risk Management in Microsoft 365. To get incident information to Insider Risk Management, you must set the Incident reports severity level to High.

You can choose between having an alert sent every time an activity matches a rule, which can be very noisy, or aggregating incidents into fewer alerts based on the number of matches or the volume of items over a set period of time.

send an alert every time a rule matches or aggregate over time into fewer reports

DLP scans email differently from items in SharePoint Online or OneDrive for Business. In SharePoint Online and OneDrive for Business, DLP scans existing items as well as new ones and generates an incident report whenever a match is found. In Exchange Online, DLP only scans new email messages and generates a report if there is a policy match. DLP does not scan or match previously existing email items that are stored in a mailbox or archive.

Additional options

If you have multiple rules in a policy, you can use the Additional options to control further rule processing if there is a match to the rule you are editing as well as setting the priority for evaluation of the rule.
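As an added example (not code from the original page or from Microsoft) of how rule priority, user overrides, incident reports and the Additional options fit together, the following Security & Compliance PowerShell builds an Exchange policy with two overlapping rules. The higher-priority rule handles the high-risk case (ten or more SSNs sent to external recipients) with a hard block, a High-severity incident report (the level Insider Risk Management consumes) and Stop processing; the lower-priority rule handles any SSN count with a block the sender can override with a justification. The policy name, the sender distribution group, the alert mailbox and the instance thresholds are hypothetical, and an existing Connect-IPPSSession session is assumed.

```powershell
# Added example: two rules in priority order on an Exchange policy.
# Assumes Connect-IPPSSession has already been run; names are hypothetical.
$policyName = "US SSN email controls"

# Scope the policy to senders who are members of one distribution group
# (hypothetical), as described in the Locations section.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -ExchangeSenderMemberOf "finance-staff@contoso.com" `
    -Mode TestWithNotifications

# Priority 0 is evaluated first. Ten or more SSNs to an external recipient is
# blocked with no override, reported at High severity, and stops further
# rule processing so the lower-priority rule is not evaluated at all.
New-DlpComplianceRule -Name "SSN bulk to external recipients" -Policy $policyName `
    -Priority 0 `
    -ContentContainsSensitiveInformation @(@{ Name = "U.S. Social Security Number (SSN)"; minCount = "10" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "Bulk SSN data cannot be sent outside Contoso." `
    -GenerateIncidentReport "dlp-alerts@contoso.com" `
    -IncidentReportContent All `
    -ReportSeverityLevel High `
    -StopPolicyProcessing $true

# Priority 1 overlaps with rule 0 (any SSN count). For one to nine SSNs it is
# the only match: blocked, but the sender may override with a justification,
# which feeds the tuning feedback described under User overrides.
New-DlpComplianceRule -Name "SSN to external recipients" -Policy $policyName `
    -Priority 1 `
    -ContentContainsSensitiveInformation @(@{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport "dlp-alerts@contoso.com" `
    -ReportSeverityLevel Medium

# Review the evaluation order and per-rule enforcement settings.
Get-DlpComplianceRule -Policy $policyName | Sort-Object Priority |
    Format-Table Name, Priority, BlockAccess, NotifyAllowOverride, StopPolicyProcessing
```

A message with twelve SSNs matches both rules; rule 0 wins both by priority and by being the more restrictive (no override), and because it stops policy processing, rule 1 is never evaluated for that message. A message with three SSNs matches only rule 1 and gets the overridable block. Use Set-DlpComplianceRule -Priority to reorder rules later if the evaluation order needs to change.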

See also