Texas A&M University - Work In Progress

Microsoft Purview DLP detects and prevents sensitive data from being shared inappropriately across Microsoft 365.

Data Loss Prevention

Microsoft Purview Data Loss Prevention (DLP) helps you detect sensitive information, warn users, and block that information from leaving your organization inappropriately. DLP monitors content across email, files, chat, and endpoints, protecting against both accidental exposure and intentional exfiltration.


What is DLP?

DLP policies scan content for sensitive information and take action:

| Location | What DLP Monitors |
|---|---|
| Exchange Online | Email messages and attachments |
| SharePoint/OneDrive | Documents and file shares |
| Teams | Chat messages and channel files |
| Endpoints | Windows devices (copy to USB, print, upload) |
| Power Platform | Power BI, Power Apps data flows |

How DLP Works

| Action | When to Use | User Experience |
|---|---|---|
| Audit | Testing policies | No notification, logged only |
| Warn | Low-risk matches | User sees tip, can proceed |
| Block with Override | Medium risk, justification needed | User provides reason |
| Block | High risk (SSN, credit cards) | Hard stop, cannot proceed |
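
One way to stage a Block rule through an audit-only phase with Security & Compliance PowerShell, as an added example that is not part of the original page. The policy name, rule name and the `-Stage` parameter are hypothetical; the script assumes the ExchangeOnlineManagement module is installed and the signed-in account can manage DLP policies.

```powershell
# Added example: names marked "hypothetical" are not from the original page.
# Assumes the ExchangeOnlineManagement module and a role that can manage DLP policies.
param(
    [ValidateSet('Audit', 'Notify', 'Enforce')]
    [string]$Stage = 'Audit'
)

Connect-IPPSSession

$policyName = 'Example - SSN and card data'        # hypothetical
$ruleName   = "$policyName - external sharing"     # hypothetical

# Rollout stage -> policy mode. Audit logs matches only; Notify adds policy tips
# without enforcing; Enforce turns the rule's block action on.
$mode = @{
    Audit   = 'TestWithoutNotifications'
    Notify  = 'TestWithNotifications'
    Enforce = 'Enable'
}[$Stage]

if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-DlpCompliancePolicy -Name $policyName `
        -Comment 'Staged rollout: audit, then notify, then enforce' `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
        -Mode $mode

    # Either built-in sensitive information type triggers the rule.
    $sensitiveTypes = @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'Credit Card Number'; minCount = '1' }
    )

    # Hard block only when the content is shared outside the organization.
    New-DlpComplianceRule -Name $ruleName -Policy $policyName `
        -ContentContainsSensitiveInformation $sensitiveTypes `
        -AccessScope NotInOrganization `
        -BlockAccess $true `
        -NotifyUser Owner `
        -GenerateIncidentReport SiteAdmin
}
else {
    # Policy already exists: only move it to the requested stage.
    Set-DlpCompliancePolicy -Identity $policyName -Mode $mode
}

Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode
```

Run it with `-Stage Audit` first and review the logged matches before re-running with `Notify` and then `Enforce`.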

What DLP Detects

Built-in Sensitive Information Types

  • Social Security Numbers
  • Credit card numbers
  • Passport numbers
  • Bank account numbers
  • Driver's license numbers

Regulatory Templates

  • FERPA — Student educational records
  • HIPAA — Health information
  • PCI-DSS — Payment card data
  • GDPR — Personal data (EU residents)

Custom Detection

  • Student UIN patterns
  • Employee ID formats
  • Research grant numbers
  • Custom keywords and phrases

DLP + Sensitivity Labels

DLP becomes more powerful when combined with Information Protection:

| Condition | Example |
|---|---|
| Label = "Restricted" + External recipient | Block email |
| Label = "Confidential - FERPA" + USB copy | Block with override |
| Any sensitive data + Public sharing link | Warn user |

Best Practice

Use sensitivity labels as DLP conditions whenever possible. Labels are more reliable than content scanning and reduce false positives.


Key Capabilities

Email Protection

Block or encrypt emails containing sensitive data before they leave your organization.

File Protection

Prevent sharing of sensitive documents to external users or public links.

Teams Protection

Monitor chat messages and channel posts for sensitive information.

Endpoint Protection (E5/A5)

Extend DLP to Windows devices—monitor USB copies, printing, and cloud uploads.


| Resource | Description |
|---|---|
| Purview DLP | DLP policy management |
| DLP Policy Reference | Microsoft documentation |
| Email DLP & Encryption | Detailed email protection guide |
| Implementation Guide | Enterprise deployment guide |