How to Set Up a Data Loss Prevention (DLP) Policy in Microsoft Purview
Data Loss Prevention (DLP) helps organizations protect sensitive information from being shared accidentally or intentionally outside the organization. By setting up a DLP policy in Microsoft Purview, you can automatically detect, monitor, and restrict the sharing of sensitive data across Microsoft 365 services like Exchange, SharePoint, OneDrive, and Microsoft Teams.
Here’s how to create and configure a DLP policy.
Step 1: Sign in to Microsoft Purview
- Go to https://purview.microsoft.com.
- Sign in using an account with one of the following roles:
- Global Administrator
- Compliance Administrator
- Compliance Data Administrator
- From the homepage, select View all solutions.
Step 2: Open the Data Loss Prevention Solution
- Under Data Security, select Data Loss Prevention.
- Click Open solution.
This opens the DLP policy management page, where you can view existing policies or create new ones.
Step 3: Create a New DLP Policy
- Select Policies on the left navigation pane.
- Click + Create policy.
- Choose a starting point:
- Start with a template – Use prebuilt templates for data types such as financial information, healthcare records, or privacy data (e.g., GDPR, HIPAA).
- Custom policy – Build a policy from scratch based on your organization’s needs.
- Click Next.
Step 4: Name and Describe the Policy
Provide basic details to help identify your DLP policy:
- Name: For example, “Teams DLP Policy – Internal Sharing Control.”
- Description: Briefly describe the purpose (e.g., “Prevents sharing of confidential data in Teams messages and files”).
Click Next to continue.
Step 5: Choose the Locations to Apply the Policy
Select where this policy will monitor and protect data. DLP supports multiple locations:
- Exchange email
- SharePoint sites
- OneDrive accounts
- Microsoft Teams chat and channel messages
Tip: If you want to target only Teams chat and channel messages, uncheck other locations.
After selecting locations, click Next.
Step 6: Define the Policy Settings
Here’s where you decide what to protect and how to act when a rule is triggered.
You can:
- Select the type of content to detect — such as credit card numbers, Social Security numbers, or custom Sensitive Information Types (SITs).
- Specify protection actions:
- Block sharing with people outside the organization.
- Restrict access to files.
- Notify users with policy tips or email alerts.
- Decide whether to use default settings or create advanced rules with multiple conditions and exceptions.
Once you’ve configured the rules, click Next.
Step 7: Set up User Notifications and Alerts
You can customize how users are notified when a DLP policy is triggered.
Options include:
- Policy tips – Messages in Outlook, Teams, or Office apps that warn users before they share restricted data.
- Email alerts – Notify admins or compliance officers when sensitive data is shared.
- Incident reports – Log events for further review.
Click Next after setting your preferences.
Step 8: Review and Publish the Policy
- Review all settings in the summary page.
- Choose Turn it on right away or Test it out first to monitor behavior before enforcing actions.
- Click Submit to publish the DLP policy.
Your new DLP policy will now start scanning data across the selected workloads.
Step 9: Monitor the Policy
After deployment:
- Go to Reports → DLP Alerts or DLP Activity Explorer in Microsoft Purview.
- Review incidents and trends.
- Adjust the policy as needed to balance protection and usability.
Best Practices
- Start in test mode to avoid false positives.
- Educate users about policy tips and secure data handling.
- Use custom Sensitive Information Types to align policies with your organization’s data standards.
- Regularly review DLP reports to fine-tune rules.
