Create a DLP policy from a template


Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see the blog announcement and the What is Microsoft Purview? article.

The easiest, most common way to get started with DLP policies is to use one of the templates included in the Microsoft Purview compliance portal. You can use one of these templates as is, or customize the rules to meet your organization's specific compliance requirements.

Microsoft 365 includes over 40 ready-to-use templates that can help you meet a wide range of common regulatory and business policy needs. See Policy templates for a complete list.

You can fine-tune a template by modifying any of its existing rules or adding new ones. For example, you can add new types of sensitive information to a rule, modify the counts in a rule to make it harder or easier to trigger, allow people to override the actions in a rule by providing a business justification, or change who notifications and incident reports are sent to. A DLP policy template is a flexible starting point for many common compliance scenarios.

You can also choose the Custom template, which has no default rules, and configure your DLP policy from scratch, to meet the specific compliance requirements for your organization.


Members of your compliance team who will create DLP policies need permissions to the Compliance Center. By default, your tenant admin will have access and can give compliance officers and other people access. Follow these steps:

  1. Create a group in Microsoft 365 and add compliance officers to it.

  2. Create a role group on the Permissions page of the Microsoft Purview compliance portal.

  3. While creating the role group, use the Choose Roles section to add the following role to the role group: DLP Compliance Management.

  4. Use the Choose Members section to add the Microsoft 365 group you created before to the role group.

Use the View-Only DLP Compliance Management role to create a role group with view-only privileges to the DLP policies and DLP reports.

For more information, see Permissions in the Microsoft Purview compliance portal.

These permissions are required to create and apply a DLP policy, not to enforce policies.

Roles and Role Groups in preview

There are roles and role groups in preview that you can test out to fine-tune your access controls.

Here's a list of applicable roles. To learn more about them, see Permissions in the Microsoft Purview compliance portal.

  • Information Protection Admin
  • Information Protection Analyst
  • Information Protection Investigator
  • Information Protection Reader

Here's a list of applicable role groups. To learn more about them, see Permissions in the Microsoft Purview compliance portal.

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

Create the DLP policy from a template

  1. Sign in to the Microsoft Purview compliance portal.

  2. In the Microsoft Purview compliance portal > left navigation > Solutions > Data loss prevention > Policies > + Create policy.

  3. Choose the DLP policy template that protects the types of sensitive information that you need > Next.

  4. Name the policy > Next.

  1. Choose the locations that you want the DLP policy to protect, and either accept the default scope for each location or customize the scope. See Locations for scoping options.

  2. Choose > Next.

  3. Do one of the following:

    • Choose All locations in Office 365 > Next.
    • Choose Let me choose specific locations > Next. For this example, choose this.

    To include or exclude an entire location such as all Exchange email or all OneDrive accounts, switch the Status of that location on or off.

    To include only specific SharePoint sites or OneDrive for Business accounts, switch the Status to on, and then click the links under Include to choose specific sites or accounts. When you apply a policy to a site, the rules configured in that policy are automatically applied to all subsites of that site.

    Options for locations where a DLP policy can be applied.

    In this example, to protect sensitive information stored in all OneDrive for Business accounts, turn off the Status for both Exchange email and SharePoint sites, and leave the Status on for OneDrive accounts.

  4. Choose Review and customize default settings from the template > Next.

  5. A DLP policy template contains predefined rules with conditions and actions that detect and act upon specific types of sensitive information. You can edit, delete, or turn off any of the existing rules, or add new ones. When done, click Next.

    Rules expanded in US PII policy template.

  6. Choose to detect when this content is shared inside your organization or outside your organization if you have selected any of these locations:

    1. Exchange
    2. SharePoint
    3. OneDrive
    4. Teams Chat and Channel Messages
  7. Choose Next.

  8. On the Protection actions page, you can optionally customize the policy tip notifications and notification emails. Enable When content matches the policy conditions, show policy tips to users and send them an email notification, then choose Customize the tip and email.

  9. Choose Next.
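A scripted approximation of the walkthrough above, using Security & Compliance PowerShell. This is an added example, not part of the original article: the policy and rule names are hypothetical, and the rule is built by hand on the assumption that it should mirror three sensitive information types from the U.S. PII template rather than being generated from the template itself.

```powershell
# Added example (not from the original article). Run as an account that holds
# the DLP Compliance Management role described earlier on this page.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # opens a Security & Compliance PowerShell session

$policyName = 'US PII - OneDrive (example)'    # hypothetical name

# Location scoping: only OneDrive is listed, so Exchange and SharePoint stay
# out of scope, matching the "leave the Status on for OneDrive accounts" example.
# TestWithNotifications reports matches and shows policy tips without enforcing,
# which lets you review rule behaviour before switching the policy on.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Constructed example: U.S. PII stored in OneDrive' `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Sensitive information types and minimum match counts.
# Assumption: these three types approximate the U.S. PII template's defaults.
$sensitiveTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
    @{ Name = 'U.S. Individual Taxpayer Identification Number (ITIN)'; minCount = '1' },
    @{ Name = 'U.S. / U.K. Passport Number'; minCount = '1' }
)

# One rule for content shared outside the organization (the inside/outside
# choice in the wizard). NotifyUser Owner corresponds to the policy tip and
# email notification step.
New-DlpComplianceRule -Name "$policyName - shared externally" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -NotifyUser Owner

# Confirm what was created: the policy should show test mode and OneDrive scope,
# and the rule should show the external-sharing scope.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope
```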