DLP Policies: Build, Manage & Extend

Building a DLP policy step by step

Simple explanation

Think of DLP policies as security rules for a building.

Rule 1: “If someone carries a laptop bag out of the building after hours → stop them and check.” Rule 2: “If someone badges into the server room without clearance → block entry and alert security.”

Each rule has a condition (what triggers it) and an action (what happens). DLP policies work the same way — you define what sensitive data looks like (conditions using SITs and labels) and what to do when it’s detected (block, warn, audit).

This module also covers extending DLP to third-party cloud apps using Defender for Cloud Apps file policies — because your data does not stay only in Microsoft 365.

DLP policy creation wizard

Step	What You Configure
1. Template or custom	Start from a regulatory template (GDPR, HIPAA, PCI-DSS, etc.) or a blank custom policy
2. Name and description	Policy name visible to admins, plus a description of its purpose
3. Locations	Which services to monitor — Exchange, SharePoint, OneDrive, Teams, endpoints, Power BI, third-party apps
4. Rules	One or more rules, each with conditions, actions, and exceptions
5. Notifications	Policy tips for users, email notifications to admins, incident reports
6. Test or enforce	Start in test mode (recommended) or enable enforcement immediately

Policy templates vs custom policies

Templates get you started fast; custom policies handle unique requirements
Feature	Template-based Policies	Custom Policies
Starting point	Pre-built rules for specific regulations	Blank — you define everything
Examples	GDPR, HIPAA, PCI-DSS, Australia Privacy Act	Custom account numbers, internal project codes, organisation-specific rules
SITs included	Pre-configured for the regulation	You choose which SITs and labels to use
Customisable?	Yes — edit after creation	Fully custom from the start
Best for	Quick compliance with known regulations	Organisation-specific data that no template covers

Conditions — what triggers a DLP rule

Each rule in a DLP policy defines conditions:

Condition Type	What It Detects
SIT match	Content contains a specific sensitive info type (e.g., credit card number)
Sensitivity label	Content has a specific sensitivity label applied
Instance count	Number of SIT matches (e.g., “5 or more credit card numbers”)
Confidence level	Minimum confidence for SIT detection (low, medium, high)
File extension	Specific file types (.xlsx, .pdf, .zip)
Document property	Metadata values on files
Shared with	Content shared externally, with specific domains, or with “Anyone” links

Instance count thresholds

Instance counts help differentiate between a single mention (possibly legitimate) and bulk data exposure:

Instance Count	Typical Use
1+	Any occurrence — high sensitivity data like patient IDs
5+	Bulk data indicators — multiple credit cards in one document
10+	Large-scale exposure — likely a data export or dump

Actions and user notifications

Action	Description
Audit	Log the event in DLP reports without any user-visible action
Show policy tip	Display a notification in the app explaining the policy
Block access / sharing	Prevent external sharing or restrict access to the content
Block with override	Block but allow user to justify and proceed
Encrypt	Apply encryption to email messages

User notifications and policy tips

DLP policy tips appear directly in the app where the user is working — in Outlook, Word, Teams, or the browser. They can include:

A custom message explaining why the action was flagged
A link to your organisation’s data handling policy
An option to override (if configured) with a justification

Scenario: Dr. Liam configures DLP for patient data

Dr. Liam creates a DLP policy at St. Harbour Health:

Policy: “Protect Patient Health Information” Locations: Exchange, SharePoint, OneDrive, Teams, Endpoints

Rule 1 — Low volume (1-4 matches):

Condition: 1-4 patient health identifier SIT matches, medium confidence
Action: Warn with policy tip — “This content may contain patient information. Ensure sharing is appropriate.”
Notification: Log only

Rule 2 — High volume (5+ matches):

Condition: 5+ patient health identifier matches, high confidence
Action: Block external sharing, notify user and compliance team
Override: Block with override — require business justification

Rule 3 — Bulk export:

Condition: 50+ matches in a single item
Action: Hard block — no override. Alert incident response team immediately.

DLP in Defender for Cloud Apps

For data in third-party cloud apps, create file policies in Defender for Cloud Apps:

How it works

Connect cloud apps — Defender for Cloud Apps connects to Box, Google Drive, Dropbox, Salesforce, etc.
Create a file policy — define the condition (references your DLP SITs or content inspection)
Select governance action — quarantine, apply label, remove sharing, notify admin

File policy options

Setting	What It Does
Content inspection	Scan files for SIT matches (uses the same SITs as Purview DLP)
Apply to	Specific apps, specific file types, or all connected apps
Governance actions	Quarantine file, remove external sharing, apply sensitivity label, notify owner
Alert	Generate an alert when the policy matches

Scenario: Marcus extends DLP to Google Drive

NovaTech uses Google Drive for some client projects. Marcus creates a file policy in Defender for Cloud Apps:

Condition: Files in Google Drive containing source code (pre-trained classifier) or NovaTech project codes (custom SIT)
Action: Apply “Confidential — NovaTech IP” sensitivity label + remove external sharing links
Alert: Notify Marcus when more than 10 files match in a single day

Now NovaTech’s IP protection extends beyond M365 to Google Drive — with the same SITs and labels.

Question

What is the difference between a DLP policy template and a custom DLP policy?

Click or press Enter to reveal answer

Answer

Templates are pre-built for specific regulations (GDPR, HIPAA, PCI-DSS) with pre-configured SITs and rules — ideal for quick compliance. Custom policies are built from scratch with your own SITs, labels, and conditions — needed for organisation-specific data formats.

Click to flip back

Question

How do instance count thresholds help DLP policy design?

Click or press Enter to reveal answer

Answer

Instance counts differentiate severity. 1 credit card number in an email may be a legitimate transaction reference. 50+ credit card numbers likely indicates a data dump. Lower counts trigger warnings; higher counts trigger blocks. This reduces false positives for legitimate single-item sharing.

Click to flip back

Question

How does DLP extend to third-party cloud apps like Google Drive?

Click or press Enter to reveal answer

Answer

Through Microsoft Defender for Cloud Apps. You connect the cloud app, create a file policy with content inspection (using the same SITs as Purview DLP), and configure governance actions — quarantine, remove sharing, apply labels, or alert admins.

Click to flip back

Knowledge Check

Zara at Atlas Global needs DLP to protect employee personal data across M365 AND Google Drive (used by some regional offices). She already has DLP policies for Exchange and SharePoint. How should she extend protection to Google Drive?

Knowledge Check

Dr. Liam's DLP policy at St. Harbour Health is generating alerts for emails that contain a single patient identifier sent to known referral partners. These are legitimate clinical communications. How should he reduce these false positives without removing protection?

Next up: DLP: Precedence & Adaptive Protection — understand how multiple DLP rules and policies interact, and how Insider Risk levels dynamically adjust DLP enforcement.