Admin365 Playbook: DLP Notifications, Safe Attachments, Intune Auto-Enrollment, and Compliance

Why this matters

These configuration areas appear repeatedly in MS-102 and MD-102 scenarios because they span data protection (Purview), email security (Defender for Office 365), and device governance (Intune + Entra ID).

Microsoft exam questions are rarely about how many clicks a task takes. They are about choosing the correct control plane first.

This playbook aligns each requirement with the correct portal, correct object, and correct starting point.


Scope

This playbook covers:

  • Microsoft Purview DLP (including Endpoint DLP notifications)
  • Defender for Office 365 Safe Attachments (Dynamic Delivery)
  • Entra ID MDM user scope for Intune auto-enrollment
  • Intune compliance policy configuration
  • Endpoint protection profile planning logic

Out of scope:

  • Full Conditional Access design
  • Advanced Insider Risk Management policies

Required roles and prerequisites

RBAC

  • Purview DLP: Compliance Administrator
  • Defender: Security Administrator
  • Intune: Intune Administrator
  • Entra ID: Role with access to Mobility (MDM and MAM)

Lab prerequisites

  • At least one test user with mailbox
  • One Windows test device enrolled or ready to enroll
  • Sample files matching intended Sensitive Information Types

Phase 1: DLP Foundation (Configure First)

Objective

Ensure DLP can identify the data you intend to protect.

Step: Confirm or create Sensitive Information Types (SITs)

Portal path
Microsoft Purview compliance portal → Data classification → Sensitive info types

Actions

  • Validate built-in SITs meet requirements
  • Create custom SITs only if required
  • Test detection accuracy

Why this comes first
DLP rules cannot function without a detection signal. SITs are the detection engine.

Exam anchor

“Create DLP policy. What do you configure first?” → Sensitive info types


Phase 2: DLP Policy and Endpoint DLP Notifications

Objective

Create DLP enforcement and configure notifications in the correct portal.

Step 1: Create or update DLP policy

Portal path
Purview → Data loss prevention → Policies

Actions

  • Select correct workloads (Exchange, SharePoint, OneDrive, Teams, Endpoints)
  • Build rules using SITs
  • Start in Test or Test with policy tips

Step 2: Configure Endpoint DLP notifications

Portal path
Purview → Data loss prevention → Endpoint DLP settings

Actions

  • Enable endpoint DLP
  • Configure:
    • User notifications
    • Policy tips
    • Admin alerts

Why this is correct
Endpoint DLP notifications are not configured in Intune and not in Defender. They live in Purview.

Exam anchor

“Configure DLP notifications” → Microsoft 365 compliance center
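The following is an added example, not part of the playbook, showing Phases 1 and 2 carried out from Security & Compliance PowerShell (the ExchangeOnlineManagement module) instead of the portal: it first proves that the chosen SIT fires on a constructed sample, then creates a DLP policy in test mode with the workloads listed above and a rule that notifies the user, shows a policy tip and raises an alert. The policy name, the choice of the built-in "Credit Card Number" SIT and the thresholds are assumptions; the card number is a constructed test value.

```powershell
# Added example (not the playbook's own): DLP foundation from Security & Compliance PowerShell.
# Policy name, SIT choice and thresholds are assumptions.
Connect-IPPSSession   # Security & Compliance PowerShell endpoint (ExchangeOnlineManagement module)

# Phase 1 check: confirm the SIT detects a constructed sample BEFORE writing any rule.
# 4111 1111 1111 1111 is a constructed test value that passes the checksum the built-in SIT uses.
$sample = "Card on file: 4111 1111 1111 1111, expires 12/29"
$hits = Test-DataClassification -ClassificationNames "Credit Card Number" -TextToClassify $sample
$hits.ClassificationResults | Select-Object ClassificationName, Count, Confidence
# Expect one row for "Credit Card Number" with Count 1; no row means the SIT is the wrong detection signal.

# Phase 2, step 1: policy scoped to the playbook's workloads, started in "Test with policy tips".
$policyName = "Finance-PCI-Pilot"                 # assumed name
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Pilot: detect payment card data; notify, do not block yet" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -TeamsLocation All -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Rule: fire on one or more card numbers, show a policy tip, notify the last modifier, alert the site admin.
New-DlpComplianceRule -Name "$policyName-CardNumbers" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -NotifyUser @("LastModifier") `
    -NotifyPolicyTipCustomText "This content appears to contain payment card data." `
    -GenerateAlert @("SiteAdmin") `
    -ReportSeverityLevel High

# Verification: Mode should read TestWithNotifications and Workload should list every selected location.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Workload
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, Disabled, NotifyUser
```

The rule's NotifyUser and policy-tip settings are what the endpoint agent surfaces to the user; the tenant-wide toggles under Endpoint DLP settings (step 2 above) still have to be enabled in Purview for those notifications to appear on devices. Move the policy from TestWithNotifications to Enable only after the lab checks in the testing section pass.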


Phase 3: Safe Attachments Policy (Dynamic Delivery)

Objective

Protect users from malicious attachments while minimizing disruption.

Step: Create Safe Attachments policy

Portal path
Microsoft Defender portal → Email & collaboration → Policies → Threat policies → Safe Attachments

Key setting

  • Action: Dynamic Delivery

Why Dynamic Delivery

  • Email body is delivered immediately
  • Attachments are scanned asynchronously
  • Best UX for most enterprise scenarios

Exam anchor

“Allow users to read email while attachments are scanned” → Dynamic Delivery
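As an added example (not from the playbook), the same Safe Attachments configuration done from Exchange Online PowerShell: a policy whose Action is DynamicDelivery, a rule that scopes it to an accepted domain, and a read-back to confirm the action before users are onboarded. The policy/rule name and the domain are assumptions.

```powershell
# Added example (not the playbook's own): Safe Attachments with Dynamic Delivery from Exchange Online PowerShell.
# Policy/rule name and recipient domain are assumptions.
Connect-ExchangeOnline

$name   = "SafeAttach-DynamicDelivery"         # assumed policy and rule name
$domain = "contoso.example"                    # assumed accepted domain

# Policy: with DynamicDelivery the message body is released at once and each attachment is replaced
# by a placeholder until scanning completes; attachments found to be malicious go to quarantine.
New-SafeAttachmentPolicy -Name $name `
    -Enable $true `
    -Action DynamicDelivery `
    -QuarantineTag AdminOnlyAccessPolicy

# Rule: the recipient scope the policy applies to. Priority 0 makes it the first Safe Attachments rule evaluated.
New-SafeAttachmentRule -Name $name `
    -SafeAttachmentPolicy $name `
    -RecipientDomainIs $domain `
    -Priority 0

# Verification: Action must read DynamicDelivery and the rule State must be Enabled.
Get-SafeAttachmentPolicy -Identity $name | Select-Object Name, Enable, Action, QuarantineTag
Get-SafeAttachmentRule   -Identity $name | Select-Object Name, State, Priority, RecipientDomainIs
```

Dynamic Delivery only applies to mailboxes hosted in Exchange Online; for the lab check in the testing section, a benign attachment sent to a mailbox in the scoped domain should arrive with the body readable immediately and the attachment placeholder swapped for the file once the scan completes.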


Phase 4: Intune Automatic Enrollment

Objective

Enable automatic device enrollment using the correct Entra ID control.

Step: Configure MDM user scope

Portal path
Microsoft Entra admin center → Mobility (MDM and MAM) → Microsoft Intune

Actions

  • Set MDM user scope to:
    • Some (recommended)
  • Assign a user group

Why user groups
Enrollment eligibility is evaluated when a user signs in, not when a device exists.

Exam anchor

Auto-enrollment = MDM user scope + user assignment
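The following is an added example, not part of the playbook, that sets the MDM user scope to "Some" and assigns a user group through Microsoft Graph PowerShell rather than the Entra admin center. The policy id used is the well-known id of the Microsoft Intune MDM application in the Mobility (MDM and MAM) blade; the group name is an assumption, and the example assumes the mobilityManagementPolicy resource is served from the beta endpoint, as it is at the time of writing.

```powershell
# Added example (not the playbook's own): MDM user scope = Some (selected) + user group, via Microsoft Graph PowerShell.
# Group name is an assumption; the mobileDeviceManagementPolicies resource is assumed to live under /beta.
Connect-MgGraph -Scopes "Policy.ReadWrite.MobilityManagement", "Group.Read.All"

$intunePolicyId = "0000000a-0000-0000-c000-000000000000"   # well-known id of the Microsoft Intune MDM policy
$groupName      = "SG-Intune-AutoEnroll"                    # assumed security group of users to enroll
$base           = "https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/$intunePolicyId"

# Resolve the group. Enrollment is scoped to USERS, so this must be a group of user objects, not devices.
$filter  = [uri]::EscapeDataString("displayName eq '$groupName'")
$lookup  = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=$filter&`$select=id"
$groupId = $lookup.value[0].id
if (-not $groupId) { throw "Group '$groupName' not found; create it before scoping enrollment." }

# MDM user scope: none / all / selected. "selected" is what the portal shows as "Some".
Invoke-MgGraphRequest -Method PATCH -Uri $base -Body @{ appliesTo = "selected" }

# Assign the user group to the scope.
Invoke-MgGraphRequest -Method POST -Uri "$base/includedGroups/`$ref" `
    -Body @{ "@odata.id" = "https://graph.microsoft.com/odata/groups('$groupId')" }

# Verification: appliesTo should be "selected" and includedGroups should contain the group.
Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri "$base?`$expand=includedGroups" |
    Select-Object displayName, appliesTo, @{ n = "includedGroups"; e = { $_.includedGroups.displayName } }
```

Because eligibility is evaluated at user sign-in, adding a user to the group has no effect on devices that are already joined; the lab check in the testing section (sign in on a new or reset device) is the way to observe the enrollment actually happen.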


Phase 5: Compliance Policy Configuration

Objective

Define what “compliant” means for devices.

Step: Modify compliance policy settings

Portal path
Intune admin center โ†’ Devices โ†’ Compliance policies

Actions

  • Configure required controls:
    • Encryption
    • OS version
    • Password requirements
  • Configure actions for noncompliance if required

Key distinction

  • Compliance rules define status
  • Notifications are secondary

Exam anchor

“Meet compliance requirements” → Modify compliance policy settings
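As an added example (not from the playbook), a Windows compliance policy carrying the three controls listed above (encryption, OS version, password) plus an action for noncompliance, created and assigned through Microsoft Graph PowerShell. The policy name, OS version floor, password length and the assignment group id are assumptions; the group id is a placeholder to replace with a real object id.

```powershell
# Added example (not the playbook's own): Windows compliance policy via Microsoft Graph PowerShell.
# Name, OS floor, password length and the assignment group are assumptions.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"         = "#microsoft.graph.windows10CompliancePolicy"
    displayName           = "Win-Baseline-Compliance"      # assumed name
    description           = "Encryption, OS floor and password requirements"
    bitLockerEnabled      = $true                          # Encryption
    osMinimumVersion      = "10.0.19045"                   # OS version floor (assumed: Windows 10 22H2)
    passwordRequired      = $true                          # Password requirements
    passwordMinimumLength = 8
    passwordRequiredType  = "alphanumeric"
    # Actions for noncompliance: the device is marked Noncompliant when a rule fails;
    # "block" after a 24-hour grace period lets Conditional Access deny access to it.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 24; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body $policy

# Assignment: a compliance policy evaluates nothing until it is assigned.
$groupId = "<assumed-group-object-id>"   # placeholder: object id of the pilot user or device group
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body @{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
        )
    }

# Verification: read the policy back with its noncompliance actions expanded.
Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)?`$expand=scheduledActionsForRule(`$expand=scheduledActionConfigurations)"
```

The compliance rules (bitLockerEnabled, osMinimumVersion, password settings) are what decide the device's status; the scheduledActionsForRule entries are the secondary notification and block behaviour. For the lab check in the testing section, lowering osMinimumVersion below the device's build and then raising it above it is a non-destructive way to watch the device flip to Noncompliant and back.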


Phase 6: Endpoint Protection Profiles (Planning)

Objective

Determine how many profiles are required.

Rule

  • One profile per platform or requirement set
  • Do not create one profile per device unless explicitly required

Exam anchor

Count platforms, not devices


What to test in a lab (high-value)

DLP

  • Create a test file matching a SIT
  • Trigger an endpoint action (copy to USB or upload)
  • Confirm:
    • User notification appears
    • Alert appears in Purview

Safe Attachments

  • Send test email with benign attachment
  • Confirm body arrives immediately
  • Observe attachment scan behavior

Intune auto-enrollment

  • Add user to MDM user scope group
  • Sign in on a new or reset device
  • Confirm automatic Intune enrollment

Compliance

  • Intentionally break a compliance rule
  • Confirm device flips to Noncompliant
  • Confirm remediation behavior

Operational checklist

  • SITs validated
  • DLP policy created and scoped
  • Endpoint DLP notifications configured in Purview
  • Safe Attachments set to Dynamic Delivery
  • MDM user scope assigned to user group
  • Compliance policy settings defined
  • Profiles planned per platform
  • Pilot testing completed
  • Rollback documented

Exam mapping

Exam     Covered domains
MS-102   Purview DLP, Defender for Office 365, compliance workflows
MD-102   Intune enrollment, compliance policies, endpoint protection

