Texas A&M University
Work In Progress

Implement Data Loss Prevention, Data Lifecycle Management, retention policies, and Communication Compliance.

Prevention & Enforcement

With the foundation in place and oversharing remediated, this section implements proactive controls to prevent data loss, manage data lifecycle, and enforce policy compliance.


Data Loss Prevention (DLP) {#dlp}

Objective

Deploy DLP policies across Exchange, SharePoint, Teams, and endpoints to detect and prevent sensitive data exposure.

DLP Enforcement Actions

| Action | When to Use | User Experience |
|---|---|---|
| Audit | Testing policies | No notification |
| Warn | Low-risk matches | User sees tip, can proceed |
| Block with Override | Medium risk | User provides justification |
| Block | High risk (SSN, credit cards) | Hard stop |

DLP Locations

| Location | Coverage |
|---|---|
| Exchange Online | Email messages and attachments |
| SharePoint/OneDrive | Documents and file shares |
| Teams | Chat messages and channel files |
| Endpoints (E5/A5) | USB copies, print, cloud uploads |
| Power Platform | Power BI, Power Apps |

Step 1 – Create DLP Policy for SSN

Click-Ops:

  1. Navigate to Microsoft Purview portal > Solutions > Data Loss Prevention > Policies
  2. Click + Create policy
  3. Select template: U.S. PII Data
  4. Configure locations (Exchange, SharePoint, Teams)
  5. Set actions:
    • Low volume (1-9): Warn user
    • High volume (10+): Block with override
  6. Policy mode: Select Run the policy in simulation mode
  7. Monitor DLP reports for false positives before switching to enforcement
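
The Step 1 policy above as an added PowerShell example (not from this guide): it builds the same tiered SSN policy in simulation mode with Security & Compliance PowerShell (ExchangeOnlineManagement module), using the built-in SSN sensitive information type directly rather than the U.S. PII template. Policy and rule names are assumed.

```powershell
# Added example, not from this guide: Step 1 via Security & Compliance PowerShell.
# Assumes the ExchangeOnlineManagement module and a compliance admin account;
# policy and rule names are placeholders.
Connect-IPPSSession

$policyName = 'TAMU - U.S. SSN Protection'

# Scope: Exchange, SharePoint, OneDrive, Teams. Start in simulation mode so the
# policy only reports matches and neither notifies nor blocks anyone yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'U.S. SSN detection, tiered by match volume' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithoutNotifications

$ssn = 'U.S. Social Security Number (SSN)'   # built-in sensitive info type

# Tier 1 (1-9 SSNs): Warn. Policy tip to the owner, no block; the user can proceed.
New-DlpComplianceRule -Name "$policyName - Low volume" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = $ssn; minCount = '1'; maxCount = '9' } `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item contains Social Security Numbers. Remove them or confirm every recipient is authorized.' `
    -ReportSeverityLevel Medium

# Tier 2 (10+ SSNs): Block with override. Blocked for all recipients unless the
# user enters a justification, which is recorded in the DLP audit event.
New-DlpComplianceRule -Name "$policyName - High volume" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = $ssn; minCount = '10' } `
    -NotifyUser Owner `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyAllowOverride WithJustification `
    -ReportSeverityLevel High

# Confirm both rules are attached to the policy.
Get-DlpComplianceRule -Policy $policyName

# Only after the simulation-mode review for false positives (Step 1.7):
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leaving the policy in simulation until the high-volume rule shows no false positives matters most, because that rule blocks delivery rather than just tipping the user.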

Step 2 – Create DLP for Sensitivity Labels

Goal: Use labels as DLP conditions for more reliable detection.

Example Policy:

  • Condition: Label = "Restricted" AND recipient is external
  • Action: Block email
Label-Based DLP

Using labels as conditions reduces false positives compared to content scanning alone.

Step 3 – Enable Endpoint DLP (E5/A5)

Goal: Extend DLP to Windows and macOS devices.

Platform Support
  • Windows 10/11: Full feature support (Defender for Endpoint required)
  • macOS: Supported since late 2021 (macOS 11+ with Defender for Endpoint)
  • Linux: Limited support for specific distributions

Protected Activities:

  • Copy to USB drive
  • Print sensitive documents
  • Upload to cloud services (browser and app)
  • Copy to network shares
  • Paste to clipboard (Windows only)

Prerequisites:

  1. Devices onboarded to Defender for Endpoint
  2. Enable device onboarding in Settings > Device onboarding
  3. Configure Endpoint DLP settings

Data Lifecycle Management {#data-lifecycle}

Objective

Establish retention policies and records management to control data lifecycle and meet regulatory requirements.

Why Lifecycle Comes After Remediation

With oversharing addressed and access controls in place, you can now implement retention policies that:

  • Reduce storage costs by deleting transient content
  • Meet compliance requirements (Texas Records Retention, FERPA)
  • Simplify eDiscovery by reducing noise from old content

Retention Strategy for Higher Ed

| Content Type | Retention | Rationale |
|---|---|---|
| Teams Chat | 1 year, then delete | Transient communication |
| Email | 7 years, then review | State records requirement |
| SharePoint Documents | Retain until deleted | Owner-managed |
| Student Records | 7 years after graduation | FERPA |
| Research Data | Per grant requirements | Variable (often 3-10 years) |

Step 1 – Create Retention Policy for Teams Chat

Goal: Treat Teams chat as ephemeral—retain for 1 year, then delete.

Click-Ops:

  1. Navigate to Microsoft Purview portal > Data lifecycle management > Retention policies
  2. Click + Create retention policy
  3. Name: "Teams Chat - 1 Year Retention"
  4. Locations: Select Teams channel messages and Teams chats
  5. Retention settings:
    • Retain items for: 1 year
    • After retention period: Delete items automatically
  6. Review and create

Step 2 – Create Retention Labels for Records

Goal: Create labels that declare content as official records with specific retention.

Recommended Labels:

| Label | Retention | Action |
|---|---|---|
| Official Record - 7 Year | 7 years | Delete |
| Student Record | 7 years after event | Review |
| Research Record | 10 years | Review |
| Permanent Record | Retain forever | None |
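
Steps 1 and 2 of this section as one added PowerShell example (not from this guide): the Teams chat retention policy and the four record labels from the table above, created with Security & Compliance PowerShell (ExchangeOnlineManagement module). The graduation event type, the reviewer address and the publishing policy name are assumptions.

```powershell
# Added example, not from this guide: Data Lifecycle Steps 1 and 2 via Security &
# Compliance PowerShell (ExchangeOnlineManagement module). Label names follow the
# guide; the event type, reviewer address and publishing policy are placeholders.
Connect-IPPSSession

# Step 1: Teams chats and channel messages are kept 365 days from creation, then
# deleted. The policy sets the locations; the rule carries duration and action.
$teamsPolicy = 'Teams Chat - 1 Year Retention'
New-RetentionCompliancePolicy -Name $teamsPolicy `
    -TeamsChatLocation All -TeamsChannelLocation All `
    -Comment 'Teams messages are transient communication'
New-RetentionComplianceRule -Name "$teamsPolicy - Rule" -Policy $teamsPolicy `
    -RetentionDuration 365 -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Delete

# Step 2: retention labels that declare content an official record
# (IsRecordLabel locks the item against edits and deletion until disposition).
$reviewer = 'records-mgmt@example.edu'          # placeholder disposition reviewer

# Official Record - 7 Year: 2555 days from creation, then delete.
New-ComplianceTag -Name 'Official Record - 7 Year' -IsRecordLabel $true `
    -RetentionType CreationAgeInDays -RetentionDuration 2555 -RetentionAction Delete

# Student Record: the 7-year clock starts when the graduation event is raised,
# not when the file is created; disposition review instead of silent deletion.
New-ComplianceRetentionEventType -Name 'Student Graduation'   # placeholder event type
New-ComplianceTag -Name 'Student Record' -IsRecordLabel $true `
    -RetentionType EventAgeInDays -EventType 'Student Graduation' `
    -RetentionDuration 2555 -RetentionAction KeepAndDelete -ReviewerEmail $reviewer

# Research Record: 10 years from creation, then review.
New-ComplianceTag -Name 'Research Record' -IsRecordLabel $true `
    -RetentionType CreationAgeInDays -RetentionDuration 3650 `
    -RetentionAction KeepAndDelete -ReviewerEmail $reviewer

# Permanent Record: retain forever, no end-of-period action.
New-ComplianceTag -Name 'Permanent Record' -IsRecordLabel $true `
    -RetentionAction Keep -RetentionDuration Unlimited

# Labels stay invisible to users until published to the workloads where they apply.
$labelPolicy = 'TAMU - Records Labels'
New-RetentionCompliancePolicy -Name $labelPolicy `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Policy $labelPolicy `
    -PublishComplianceTag 'Official Record - 7 Year,Student Record,Research Record,Permanent Record'
```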

Power Platform DLP {#power-platform-dlp}

Objective

Control data flow between Power Platform connectors to prevent data leakage through Power Apps and Power Automate.

Connector Classification

| Category | Examples | Policy |
|---|---|---|
| Business | SharePoint, Dynamics, SQL | Can connect together |
| Non-Business | Twitter, Dropbox, Gmail | Can connect together |
| Blocked | High-risk connectors | Cannot be used |

Step 1 – Create Data Policy

Click-Ops:

  1. Navigate to Power Platform Admin Center > Data policies
  2. Click + New policy
  3. Classify connectors:
    • Business: SharePoint, OneDrive, Teams
    • Non-Business: Social media, consumer cloud
    • Blocked: Anonymous file sharing services
  4. Apply to environments

Communication Compliance {#communication-compliance}

Objective

Monitor messages for policy violations, harassment, and sensitive information.

Policy Templates

| Template | Purpose |
|---|---|
| Detect inappropriate text | Harassment, profanity, threats |
| Detect sensitive information | PII in messages |
| Detect financial regulatory compliance | SOX, FINRA requirements |
| Custom policy | Build your own rules |

Step 1 – Create Communication Compliance Policy

Click-Ops:

  1. Navigate to Microsoft Purview portal > Solutions > Communication Compliance
  2. Click + Create policy
  3. Select template or create custom
  4. Configure:
    • Users to monitor
    • Channels (Teams, Exchange)
    • Detection conditions
    • Reviewers
  5. Enable pseudonymization for privacy

Privacy Considerations

| Feature | Purpose |
|---|---|
| Pseudonymization | Hide user identities from reviewers |
| Role-based access | Limit who reviews which policies |
| Audit logging | Track all reviewer actions |

Validation Checklist

| # | Item | Success Criteria |
|---|---|---|
| 1 | DLP policies | Active for SSN at minimum |
| 2 | Endpoint DLP | Deployed to managed devices |
| 3 | Power Platform | Connector classification complete |
| 4 | Communication Compliance | At least one policy active |

Next Steps

With prevention and lifecycle controls in place, proceed to Extensions for additional integrations and advanced scenarios.