
Span multiple services with Office 365 data loss prevention policies

Microsoft bolstered the data loss prevention features in Office 365 to protect more than just email. Learn how to expand DLP protection to SharePoint and OneDrive.

As Office 365 gains more traction among organizations of all sizes, Microsoft refines the collaboration platform's security features to help administrators secure their perimeters. Office 365 now includes a data loss prevention feature that works across multiple services.

Administrators can enlist data loss prevention policies to scan both message text and message attachments for sensitive data, such as social security numbers or credit card numbers. These policies can now extend into Microsoft Office attachments and scan files in SharePoint and OneDrive for Business.

Build the data loss prevention policies

Administrators can either build a single data loss prevention (DLP) policy (Figure 1) in the Office 365 Security and Compliance Center to guard data and messages in SharePoint, OneDrive and Exchange, or stick with the existing DLP option in the Exchange admin center.

Figure 1. Administrators can create unified data loss prevention policies through the Office 365 Security and Compliance Center.

Administrators develop data loss prevention policies from rules. Each rule has a condition and an action. Administrators can apply the policy to specific locations within Office 365.

To create a DLP policy, open the Office 365 Security & Compliance Admin Center, expand the Data loss prevention container and click on the Policy container. Then click on the Create a policy button.

Now choose the information to protect. As is the case in Exchange Server, the Security & Compliance Center in Office 365 contains DLP templates to assist with regulatory compliance. For example, there are templates designed for the financial services industry (Figure 2) as well as templates meant for healthcare providers. Administrators can always create a custom policy to fit organizational needs.

Figure 2. Administrators can use templates in the Office 365 Security & Compliance portal or choose the custom setting to build their own data loss prevention policies.

Name the policy

Naming the policy also means adding a description to it. In some cases, Office 365 automatically assigns a policy name, which the administrator can modify if necessary.

Choose the locations to apply the policy. By default, data loss prevention policies extend to all locations within Office 365, but administrators can also specify policy locations. In Figure 3, manual location assignments allow for finer control. Administrators can choose which Office 365 services to apply the policy to and whether to include or exclude specific SharePoint sites or OneDrive accounts. For example, it may be permissible for members of the legal team to transmit sensitive information, but not for a salesperson.

Figure 3. An administrator can choose which services to apply the new policy to and make adjustments.

While this wizard does not expose the individual rules that make up a policy, the Advanced Settings option allows the administrator to edit the policy rules and create additional ones.

Hybrid setup considerations

For businesses that use a hybrid Exchange Server deployment -- where some mailboxes reside on Exchange 2016 servers in the on-premises data center while others reside in Office 365 -- DLP policies apply only to Exchange Online in Office 365. If you create a DLP policy within the Exchange admin center, that policy applies only to Exchange Server. Conversely, a DLP policy created in the Office 365 admin center applies to mailboxes in Exchange Online.

Refine the policy settings

Next, customize the types of sensitive information to protect with DLP policies. Figure 4 shows one policy that detects when a worker sends a message that shares credit card numbers outside of the organization. The administrator can configure the policy to monitor the use of other data types. Data loss prevention policies can also monitor when sensitive information gets shared within the organization.

Figure 4. The DLP policy wizard allows administrators to customize the types of sensitive information to protect.

The wizard allows the administrator to choose an action to take when sensitive information is shared, such as displaying a policy tip, blocking the content from being shared or sending a report to someone in the organization.

After the configuration process, the wizard will ask whether to enable the policy right away or test it.

The last step in the process is to review your selections and, if everything appears to be correct, click the Create button to generate the data loss prevention policy.
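The wizard steps above map onto the Security & Compliance Center PowerShell cmdlets, which is how an administrator would script the same policy repeatably or audit what the wizard created. The following is an added example, not code from the article or from Microsoft's documentation; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a compliance-administration role, and that the policy name, the excluded site URL and the e-mail addresses are placeholders to be replaced. It builds one unified policy covering Exchange, SharePoint and OneDrive, attaches a single rule that detects credit card numbers shared outside the organization, and starts the policy in test mode so matches are only reported until the results have been reviewed.

```powershell
# Added example (not from the article): create a unified Office 365 DLP policy
# and rule with the Security & Compliance PowerShell cmdlets, then verify it.
# Placeholders: the UPN, policy name, excluded site and report recipient.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$policyName = 'Financial Data - Credit Cards'   # constructed policy name

# Step 1: the policy carries the name, description and locations (wizard pages
# "Name the policy" and "Choose the locations"). Start in test mode rather than
# enabling it immediately; matches are logged but nothing is blocked yet.
$policy = @{
    Name                       = $policyName
    Comment                    = 'Detects credit card numbers shared outside the organization'
    ExchangeLocation           = 'All'
    SharePointLocation         = 'All'
    OneDriveLocation           = 'All'
    # Placeholder: a site whose members may legitimately handle this data
    SharePointLocationException = 'https://contoso.sharepoint.com/sites/Legal'
    Mode                       = 'TestWithoutNotifications'
}
New-DlpCompliancePolicy @policy

# Step 2: the rule carries the condition (sensitive information type and
# sharing scope) and the actions (policy tip, block, incident report).
$rule = @{
    Name                                = "$policyName - external sharing"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = @(@{ Name = 'Credit Card Number'; minCount = '1' })
    AccessScope                         = 'NotInOrganization'   # only when shared externally
    NotifyUser                          = 'LastModifier'        # show a policy tip to the author
    NotifyPolicyTipCustomText           = 'This item contains a credit card number and cannot be shared outside the organization.'
    BlockAccess                         = $true
    GenerateIncidentReport              = 'security@contoso.example'   # placeholder recipient
    IncidentReportContent               = @('Title', 'DocumentAuthor', 'MatchedItem')
}
New-DlpComplianceRule @rule

# Step 3: review what was created before turning enforcement on.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, SharePointLocationException
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, NotifyUser, GenerateIncidentReport

# Once the test-mode incident reports look correct, switch the policy on:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keeping the policy in TestWithoutNotifications for a period before enabling it is the scripted equivalent of the wizard's "test it" choice: the incident reports show which users and sites would have been blocked, so false positives (for example, test data that resembles card numbers) can be tuned out with location exceptions or a higher minCount before anyone's work is interrupted.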
