Data Loss Prevention
DLP policies enforce the decisions that labels represent. A file labeled Confidential or Restricted (or CUI — Basic / CUI — Specified in GCC High) should be blocked from leaving via unauthorized channels — DLP is what does the blocking. Policies operate across Exchange, SharePoint, OneDrive, Teams, and Endpoint (Windows devices).
Policy Priority and Execution Order
Purview evaluates DLP policies in priority order, lowest number first. When a policy match triggers, evaluation continues unless the policy includes a Stop processing more policies rule. Assign priorities deliberately:
| Priority Range | Category |
|---|---|
| 0–3 | Credential protection — highest risk, always enforce |
| 4–8 | Restricted / CUI-Specified — encrypt, block, alert |
| 9–14 | Confidential / CUI-Basic — alert and policy tip |
| 15–20 | PII / Finance SIT-based alerts |
| 21–25 | Internal label alerts |
| 26+ | Endpoint controls and policy tips |
Credential Protection
Credentials (passwords, API keys, connection strings) shared externally represent an immediate breach risk. These policies operate independently of sensitivity labels.
| Priority | Policy | Workload | Rollout | Action |
|---|---|---|---|---|
| 0 | Exchange — AD Credential Alert | Exchange | Test group → All users | Alert + block send |
| 1 | OneDrive — AD Credential Alert | OneDrive | Test group → All users | Alert + restrict access |
| 2 | SharePoint — AD Credential Alert | SharePoint | Simulation → Enforced tenant-wide | Alert + restrict access |
| 3 | Teams — AD Credential Alert | Teams | Test group → All users | Alert only |
Rule condition: Content contains SIT → General Password OR Software Development Credentials OR Azure Active Directory Client Secret
Rule action (Exchange): Block the email from being sent; notify the user with a policy tip explaining why.
Rule action (OneDrive/SharePoint): Remove external sharing links; notify the site owner.
Exchange, OneDrive, and Teams DLP all support scoping a policy to a user or group of senders — deploy Enforced to a small test group, observe real friction, then expand. Test-group enforcement produces real user behavior data (override rates, policy-tip responses, helpdesk volume) that simulation mode cannot.
SharePoint DLP is the exception. SharePoint policies are site-scoped, not user-scoped — there is no way to enforce a SharePoint DLP policy against a subset of users. Use Simulation mode tenant-wide for 30 days to build a false-positive baseline without user impact, tune the policy, then promote to Enforced. This is the only Purview workload where simulation is the primary rollout mechanism rather than a last resort.
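The credential policy and test-group rollout above, as an added example in Security & Compliance PowerShell (ExchangeOnlineManagement module); this is not the original page's code. The pilot group and compliance mailbox addresses are assumptions, and the block is limited to mail with an external recipient to match the "shared externally" framing above.

```powershell
# Added example (not from the original page): the priority-0 Exchange credential
# policy, enforced only for a pilot group, via Security & Compliance PowerShell.
# Group and mailbox addresses are assumptions.
Connect-IPPSSession

$policyName        = "Exchange - AD Credential Alert"
$pilotGroup        = "dlp-pilot@contoso.com"   # assumption: mail-enabled pilot group
$complianceMailbox = "compliance@contoso.com"  # assumption: incident-report recipient

# Enforced (Mode Enable) on the Exchange workload, but only senders who are
# members of the pilot group are evaluated: the test-group rollout described above.
New-DlpCompliancePolicy -Name $policyName -Comment "Priority 0: credential SITs" `
    -ExchangeLocation All -ExchangeSenderMemberOf $pilotGroup -Mode Enable -Priority 0

# The three credential SITs from the rule condition, OR-ed inside one group;
# a single match of any of them is enough.
$credentialSits = @{
    operator = "And"
    groups   = @(@{
        operator       = "Or"
        name           = "Credential SITs"
        sensitivetypes = @(
            @{ name = "General Password";                      mincount = "1" },
            @{ name = "Software Development Credentials";     mincount = "1" },
            @{ name = "Azure Active Directory Client Secret"; mincount = "1" }
        )
    })
}

$rule = @{
    Name                                = "Block credential send"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $credentialSits
    AccessScope                         = "NotInOrganization"  # at least one external recipient
    BlockAccess                         = $true                # block the send
    NotifyUser                          = "Owner"              # policy tip shown to the sender
    NotifyPolicyTipCustomText           = "This message appears to contain a password, key or connection string. Sending credentials by email is blocked."
    GenerateIncidentReport              = $complianceMailbox
    ReportSeverityLevel                 = "High"
    StopPolicyProcessing                = $true                # credentials handled here; skip lower-priority policies
}
New-DlpComplianceRule @rule

# Confirm the rule before widening ExchangeSenderMemberOf to all users.
Get-DlpComplianceRule -Policy $policyName | Format-List Name, BlockAccess, AccessScope
```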
Restricted / CUI — External Sharing Alerts
Any external sharing of content at the highest classification tier should generate an alert and, optionally, block the action.
| Priority | Policy | Workload | Action |
|---|---|---|---|
| 4 | Exchange — Restricted External Sharing Alert | Exchange | Alert + override with justification |
| 5 | OneDrive — Restricted External Sharing Alert | OneDrive | Alert + restrict access |
| 6 | SharePoint — Restricted External Sharing Alert | SharePoint | Alert + restrict access |
Rule condition: Content is labeled → Restricted (or CUI — Specified in GCC High) AND Content is shared → With people outside the organization
Rule action: Generate an incident report to the compliance team; notify the user; require override justification.
CUI Authorized Transfer Controls
NIST SP 800-171 Rev. 3 3.1.3 requires controlling CUI flow to external parties. DLP's Allowed Domains feature restricts CUI sharing to pre-approved partner tenants, even if your tenant's general external sharing settings would otherwise permit it.
Configuring Allowed Domains for CUI
In the DLP rule for CUI — Basic or CUI — Specified external sharing:
- Set the action to Block external sharing.
- Add an exception: Recipient domain is one of → list the approved partner GCC High tenant domains (e.g., partner.onmicrosoft.us).
- Require justification for any override — captured in the audit log.
This creates an allowlist: CUI can be sent to prime-contractor.onmicrosoft.us but blocked to gmail.com, hotmail.com, and any unknown tenant.
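The allowlist rule described above as an added Security & Compliance PowerShell example (not the page's own code). Assumptions: the label GUID placeholder, the partner domain list, the compliance mailbox, and the label-condition hashtable shape (labels=@(@{name=<GUID>; type="Sensitivity"})), which should be compared against Get-DlpComplianceRule output for a portal-created label rule before relying on it.

```powershell
# Added example (not from the original page): block CUI-labeled mail to any
# external domain except approved partner tenants, with justified override.
# Label GUID, partner domains, mailbox and the label-condition shape are assumptions.
Connect-IPPSSession

$cuiLabelId      = "<CUI-Specified label GUID>"              # placeholder: take from Get-Label
$allowedPartners = @("prime-contractor.onmicrosoft.us")      # constructed allowlist of partner tenants
$policyName      = "Exchange - CUI Authorized Transfer"

New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode Enable -Priority 4

# Condition: content carries the CUI sensitivity label (assumed hashtable shape).
$cuiLabelCondition = @{
    operator = "And"
    groups   = @(@{
        operator = "Or"
        name     = "CUI labels"
        labels   = @(@{ name = $cuiLabelId; type = "Sensitivity" })
    })
}

$rule = @{
    Name                                = "Block CUI to unapproved domains"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $cuiLabelCondition
    AccessScope                         = "NotInOrganization"   # recipient outside the tenant
    ExceptIfRecipientDomainIs           = $allowedPartners      # the allowlist: approved partners pass
    BlockAccess                         = $true                 # everyone else is blocked
    NotifyUser                          = "Owner"
    NotifyAllowOverride                 = "WithJustification"   # justification is written to the audit log
    NotifyPolicyTipCustomText           = "CUI may only be sent to approved partner tenants. Overriding requires a documented justification."
    GenerateIncidentReport              = "compliance@contoso.com"   # assumption
    ReportSeverityLevel                 = "High"
}
New-DlpComplianceRule @rule
```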
CMMC Control Mapping
| NIST Control | DLP Enforcement |
|---|---|
| 3.1.3 — Control CUI flow | Allowed Domains exception list on CUI policies |
| 3.13.1 — Monitor communications | Alert on all external CUI sharing |
| 3.13.8 — Implement cryptographic mechanisms | Encryption enforced by label; DLP blocks unencrypted external send |
| 3.3.1 — Audit log | Incident reports to compliance mailbox |
Sector-Specific External Sharing Controls
For commercial organizations, tailor the external sharing block by regulatory context.
GLBA / Financial Services
Block external sharing of Financial SIT content to non-business domains. Add exceptions for known external auditors, regulators (SEC, FDIC), and accounting firms by domain.
HIPAA / Healthcare
HIPAA requires authorization before sharing PHI externally. Configure the DLP rule with Block and require justification + manager approval using the Require business justification override option. Log all overrides to a dedicated audit mailbox.
FERPA / Higher Education
FERPA prohibits disclosing student PII without consent. Block Student PII SIT matches from Exchange to any external domain. Exception: configured partner institutions in dual-enrollment or transfer agreements.
Confidential / CUI-Basic — External Sharing Alerts
Content at the Confidential tier requires alerting but not automatic blocking during initial deployment (Foundational phase). Escalate to blocking in the Managed phase once false-positive rates are understood.
| Priority | Policy | Workload | Action |
|---|---|---|---|
| 7 | Exchange — Confidential Label External Sharing Alert | Exchange | Alert |
| 8 | OneDrive — Confidential Label External Sharing Alert | OneDrive | Alert |
| 9 | SharePoint — Confidential Label External Sharing Alert | SharePoint | Alert |
Copilot — Sensitive Label Enforcement
Microsoft 365 Copilot respects sensitivity labels when summarizing or referencing content. This DLP policy prevents Copilot from surfacing labeled content to users who lack access permissions — a prerequisite before deploying Copilot in any regulated environment.
| Priority | Policy | Workload | Action |
|---|---|---|---|
| 10 | Copilot Chat — Sensitive Label Enforcement | Microsoft 365 Copilot and Copilot Chat | Block |
Rule condition: Content is labeled → Confidential OR Restricted (OR CUI — Basic / CUI — Specified in GCC High)
Rule action: Block Copilot from accessing, processing, or referencing the content.
This policy must be deployed and verified before Microsoft 365 Copilot is enabled for any user. Without it, Copilot will summarize sensitive content for any user with Copilot access regardless of label.
PII SITs — External Sharing Alerts
These policies detect content containing PII SITs at the point of sharing and generate security team alerts.
| Priority | Policy | Workload | Confidence |
|---|---|---|---|
| 11 | Exchange — PII External Sharing Alert | Exchange | High + Medium |
| 12 | SharePoint — PII External Sharing Alert | SharePoint | High + Medium |
| 13 | OneDrive — PII External Sharing Alert | OneDrive | High + Medium |
Rule design (two rules per policy):
- High Confidence rule: PII SIT group at High confidence + Shared externally → Alert with High severity
- Medium Confidence rule: PII SIT group at Medium confidence + Shared externally → Alert with Medium severity
Separate rules prevent High severity alerts from being suppressed when Medium confidence matches dominate.
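The two-rule design above for the Exchange PII policy, as an added Security & Compliance PowerShell example (not the page's own code). The SIT names are Microsoft's built-in U.S. PII types standing in for the page's "PII SIT group"; the New-PiiCondition helper and the alert mailbox are this example's own assumptions.

```powershell
# Added example (not from the original page): one PII policy with two rules,
# one per confidence level, each reporting at its own severity.
# The helper function and the alert mailbox are assumptions.
Connect-IPPSSession

$policyName = "Exchange - PII External Sharing Alert"
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode Enable -Priority 11

# Helper (assumed, not a Purview cmdlet): the PII SIT group at a minimum confidence.
function New-PiiCondition([string]$Confidence) {
    @{
        operator = "And"
        groups   = @(@{
            operator       = "Or"
            name           = "PII SITs"
            sensitivetypes = @(
                @{ name = "U.S. Social Security Number (SSN)";                      mincount = "1"; confidencelevel = $Confidence },
                @{ name = "U.S. Driver's License Number";                           mincount = "1"; confidencelevel = $Confidence },
                @{ name = "U.S. Individual Taxpayer Identification Number (ITIN)";  mincount = "1"; confidencelevel = $Confidence }
            )
        })
    }
}

# Separate rules so the High-severity alert keeps its own identity instead of
# being folded into the larger stream of Medium matches. Neither rule blocks.
# High is created first so it gets the higher rule priority inside the policy.
foreach ($level in @("High", "Medium")) {
    $rule = @{
        Name                                = "PII external - $level confidence"
        Policy                              = $policyName
        ContentContainsSensitiveInformation = (New-PiiCondition $level)
        AccessScope                         = "NotInOrganization"     # shared externally
        GenerateIncidentReport              = "secops-dlp@contoso.com" # assumption: security team alert mailbox
        IncidentReportContent               = "All"
        ReportSeverityLevel                 = $level
    }
    New-DlpComplianceRule @rule
}
```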
Finance SITs — External Sharing Alerts
| Priority | Policy | Workload | Confidence |
|---|---|---|---|
| 14 | Exchange — Finance External Sharing Alert | Exchange | High + Medium |
| 15 | OneDrive — Finance External Sharing Alert | OneDrive | High + Medium |
| 16 | SharePoint — Finance External Sharing Alert | SharePoint | High + Medium |
Internal Label — External Sharing Alerts
Low-priority audit trail for content labeled Internal that is shared externally. These alerts are informational — Internal does not restrict sharing, but the alert provides a baseline for anomaly detection.
| Priority | Policy | Workload | Action |
|---|---|---|---|
| 17 | OneDrive — Internal Label External Sharing Alert | OneDrive | Alert (Low severity) |
| 18 | Exchange — Internal Label External Sharing Alert | Exchange | Alert (Low severity) |
| 19 | SharePoint — Internal Label External Sharing Alert | SharePoint | Alert (Low severity) |
Endpoint DLP
Endpoint DLP extends policy enforcement to Windows device actions: USB copy, Bluetooth transfer, browser upload, print, and RDP clipboard paste.
| Priority | Policy | Workload | Action |
|---|---|---|---|
| 20 | Endpoint — Block External Cloud Uploads | Devices (Intune-enrolled) | Block |
| 21 | Endpoint — Block USB Copy of Sensitive Files | Devices (Intune-enrolled) | Block |
Endpoint — Block External Cloud Uploads
- Condition: Content is labeled → Confidential OR Restricted
- Action: Block upload to unapproved cloud storage (list approved services — SharePoint, OneDrive, approved line-of-business apps)
- User notification: Policy tip explaining the block; link to approved transfer method
Endpoint — Block USB Copy
- Condition: Content is labeled → Confidential OR Restricted
- Action: Block copy to removable media; audit log entry
- Override: Require justification (written to Unified Audit Log)
CMMC Endpoint Requirements
NIST SP 800-171 Rev. 3 3.8.7 prohibits the use of removable media unless approved and limited to documented needs. Endpoint DLP implements this control technically:
- Block USB copy for all CUI-labeled content with no override option
- Block Bluetooth transfer for CUI content
- Block print of CUI content on non-organizationally-owned printers (use Printer groups to define approved printers)
- Block RDP clipboard paste of CUI content to non-corporate remote sessions
Configure Printer Groups in Endpoint DLP settings to define corporate-approved print destinations. CUI — Specified policies should use Block always (no override); CUI — Basic may use Block with override during transition.
Commercial Endpoint Controls
For commercial organizations, USB and cloud upload controls apply to Restricted content. For Confidential content, use Override with justification rather than hard block during the initial deployment phase — this reduces help desk calls while still building an audit trail.
Set Block with override on USB copy for Confidential, and escalate to Block always for Restricted. Review endpoint DLP alerts weekly for the first 90 days to calibrate.
Policy Tips
Policy tips deliver just-in-time education at the point of risk — when the user is sending an email or uploading a file. They reduce false positives by allowing users to self-serve corrections before a DLP violation is logged.
PII Policy Tips
| Policy | Workload | Trigger |
|---|---|---|
| Exchange — Policy Tip — PII | Exchange | PII SIT at any confidence OR Confidential label detected in outbound email |
| OneDrive — Policy Tip — PII | OneDrive | PII SIT or Confidential label on a file being shared externally |
| SharePoint — Policy Tip — PII | SharePoint | Same as OneDrive |
Tip message example:
"This message appears to contain personal information (names, SSNs, or financial account numbers). Before sending, confirm the recipient is authorized to receive this data and that it is protected per your organization's data handling policy."
Finance Policy Tips
| Policy | Workload | Trigger |
|---|---|---|
| Exchange — Policy Tip — Finance | Exchange | Finance SIT at any confidence OR Confidential label |
| OneDrive — Policy Tip — Finance | OneDrive | Finance SIT or Confidential label on shared file |
| SharePoint — Policy Tip — Finance | SharePoint | Same as OneDrive |
Email CC List Warning
A lightweight policy tip that displays a banner on outbound messages with a large CC list — a common vector for accidental data disclosure.
| Policy | Workload | Trigger | Action |
|---|---|---|---|
| Exchange — CC List Warning | Exchange | CC recipient count > 10 | Display policy tip; allow send |
This policy has no SIT condition — it fires on recipient count alone. It does not block sending; it prompts the user to verify the CC list is intentional.
Alert Tuning
After initial deployment, tune DLP alerts weekly:
- Review the DLP Alerts dashboard in the Microsoft Purview compliance portal.
- For each false-positive alert category, identify the SIT or label condition causing the match.
- Adjust confidence level thresholds, add keyword exclusions, or scope the policy to exclude known-safe sites or distribution groups.
- Document tuning decisions in your DLP policy change log — this record serves as audit evidence for compliance assessments.