Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1.2. Data Loss Prevention (DLP)

💡 First Principle: DLP policies watch for sensitive information being shared in ways that violate your rules, and then take action: warn the user, require justification, or block the action entirely. DLP doesn't prevent users from creating sensitive content; it prevents inappropriate sharing of that content.

Without DLP, a user can accidentally paste 50 social security numbers into a Teams chat, email a spreadsheet of customer credit card data to a personal email, or upload a document containing healthcare records to a public SharePoint site, and nothing stops it. DLP is the automated policy enforcement layer that catches these in real time.

A DLP policy has three parts:

1. Sensitive information types (what to look for):
  • Built-in types: credit card numbers, SSNs, passport numbers, IBAN codes, health record IDs
  • Custom types: patterns you define (e.g., your internal employee ID format)
  • Trainable classifiers: ML models that recognize content like "financial reports" or "source code"
2. Locations (where to watch):
  • Exchange Online (email)
  • SharePoint and OneDrive (files)
  • Teams chat and channel messages
  • Endpoint devices (files being copied to USB or printed)
  • Microsoft 365 Copilot interactions
3. Actions (what to do when a match is found):
  • Notify the user with a policy tip (visible in the app, e.g., "This email may contain sensitive information")
  • Require override justification (user can override with a business reason, which is logged)
  • Block the action (prevent sending/sharing)
  • Alert administrators in the Defender or Purview portal

⚠️ Exam Trap: DLP policies operate inside the organization too, not just on external sharing. A DLP policy can block sharing of credit card data in a Teams chat between two internal employees. "Data Loss Prevention" implies only outbound protection, but the scope is broader.
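
The three policy parts and the internal-scope point above, as an added Python sketch (not code from this course or from Microsoft): it models sensitive information types as detectors, locations as a scope set, and actions as a verdict. It is a simplified model rather than how Purview evaluates content; the rule names, thresholds, regex detectors, and the "most restrictive rule wins" tie-break are assumptions made for the example.

```python
import re
from dataclasses import dataclass

def luhn_ok(digits):
    """Checksum that separates real card numbers from arbitrary 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def count_cards(text):
    """Sensitive information type: 16-digit runs that also pass the Luhn check."""
    hits = re.findall(r"\b(?:\d[ -]?){15}\d\b", text)
    return sum(luhn_ok(re.sub(r"\D", "", h)) for h in hits)

def count_ssns(text):
    """Sensitive information type: US SSN layout NNN-NN-NNNN (pattern only)."""
    return len(re.findall(r"\b\d{3}-\d{2}-\d{4}\b", text))

@dataclass
class Rule:
    name: str
    detector: object      # what to look for
    min_count: int
    locations: frozenset  # where to watch
    action: str           # what to do: policy_tip | override | block

SEVERITY = ["policy_tip", "override", "block"]
AUDIT_LOG = []            # override justifications are recorded here

# Constructed policy; rule names and thresholds are assumptions for the example.
RULES = [
    Rule("card-block", count_cards, 1, frozenset({"exchange", "teams", "sharepoint"}), "block"),
    Rule("ssn-bulk-override", count_ssns, 5, frozenset({"exchange", "teams"}), "override"),
    Rule("ssn-tip", count_ssns, 1, frozenset({"exchange", "teams"}), "policy_tip"),
]

def evaluate(location, text, justification=None):
    """Return (verdict, rule_name); in this model the most restrictive match wins."""
    matched = [r for r in RULES
               if location in r.locations and r.detector(text) >= r.min_count]
    if not matched:
        return ("allow", None)
    rule = max(matched, key=lambda r: SEVERITY.index(r.action))
    if rule.action != "override":
        return (rule.action, rule.name)
    if not justification:
        return ("needs_justification", rule.name)
    AUDIT_LOG.append((rule.name, location, justification))
    return ("allow_with_override", rule.name)
```

`evaluate` takes no recipient argument, so a card number in an internal Teams chat is blocked exactly like one in an outbound email; a location missing from a rule's scope (here, `"endpoint"`) is not inspected at all.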

Reflection Question: A financial services firm wants to prevent employees from sending emails containing account numbers to external recipients, but allow internal sharing with a warning. How many DLP policies are needed, and what are the key differences between them?

Written by Alvin Varughese
Founder • 15 professional certifications