Configuring DLP (Data Loss Prevention) on Microsoft Purview

04/01/2024

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in configuring and implementing Data Loss Prevention (DLP) policies in Microsoft Purview. DLP is a strategy and set of tools that help organizations prevent the exposure, misuse, or loss of sensitive data, ensuring critical information remains secure and compliant with regulations [1].

Introduction

In an increasingly digital world with stricter data privacy regulations (such as GDPR, LGPD, HIPAA), protecting sensitive information is a top priority. Data loss, whether through accident, human error or malicious intent, can result in significant financial damages, regulatory fines and serious reputational damage. Microsoft Purview offers a comprehensive DLP solution that helps organizations identify, monitor, and protect sensitive data across Microsoft 365, Azure, endpoints, cloud applications, and other locations [2].

This practical guide will cover the essential steps for configuring DLP policies in Microsoft Purview, from identifying sensitive data to creating and deploying policies, validation, and best practices. Step-by-step instructions, configuration examples, and validation methods will be provided so that the reader can implement an effective DLP strategy, protecting confidential information and ensuring regulatory compliance.

Why is Microsoft Purview DLP crucial?

  • Comprehensive Identification: Detects a wide range of sensitive information types (SITs) and can be extended with trainable classifiers.
  • Multi-location Coverage: Protects data at rest, in use, and in transit across Microsoft Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Windows/macOS devices, and cloud applications.
  • Granular Control: Allows you to define policies with specific conditions and actions for different types of data, users and locations.
  • Regulatory Compliance: Helps organizations comply with data privacy requirements and industry regulations.
  • Visibility and Reporting: Provides detailed reports on data activity and DLP policy detections.

Prerequisites

To configure DLP on Microsoft Purview, you will need the following items:

  1. Licensing: A license that includes Microsoft Purview DLP. This is often part of packages such as Microsoft 365 E5 Compliance, Microsoft 365 E5, or can be purchased as an add-on [3].
  2. Administrative Access: An account with Compliance Administrator, Compliance Data Administrator, or Global Administrator permissions on the Microsoft Purview compliance portal (https://compliance.microsoft.com).
  3. Data in Microsoft 365: To test policies, it is ideal to have some data (emails, documents) that contain sensitive information in your Microsoft 365 environment.

Step by Step: Configuring Data Loss Prevention Policies (DLP)

Let's create a DLP policy to detect and block sharing of credit card numbers to external users via email.

1. Accessing the Microsoft Purview Compliance Portal

  1. Open your browser and navigate to https://compliance.microsoft.com.
  2. Log in with an account that has the necessary permissions.

2. Identifying Sensitive Information

Microsoft Purview DLP uses Sensitive Information Types (SITs) to identify sensitive data. It ships with hundreds of pre-configured SITs, and you can also create your own.

  1. In the left navigation pane, select Data Classification > Sensitive Information Types.
  2. You can search for existing SITs (e.g. Credit Card Number) to see their definitions and how they are detected.

3. Creating a DLP Policy

Let's create a DLP policy using a predefined template and customize it.

  1. In the left navigation pane, select Data Loss Prevention > Policies.
  2. Click + Create policy.

Step 1: Choose a template or create a custom policy

  1. Categories: Select Financial.
  2. Templates: Select US Financial Data.
  3. Click Next.

Step 2: Name the policy

  1. Name: Block Credit Card for External Parties.
  2. Description: Detects and blocks the sending of credit card numbers to external recipients via email.
  3. Click Next.

Step 3: Choose locations to apply the policy

  1. Locations: For this example, we will focus on emails. Enable Exchange Mailboxes.
    • (Optional) You can enable other locations such as SharePoint Sites, OneDrive Accounts, Teams Messages and Devices (for Endpoint DLP) if you have the necessary licenses and configurations.
  2. Apply to: Select All users or Choose specific users, groups, or distribution groups for a more granular scope.
  3. Click Next.

Step 4: Customize policy settings

  1. Select Customize advanced policy settings.
  2. Click Next.

Step 5: Advanced Policy Settings

You will see a default rule created by the template. Let's edit it.

  1. Click on the existing rule (e.g. Detect US financial content).
  2. Conditions: Make sure the Content contains condition is set to Credit Card Number (with a minimum count of 1 and precision of Any).
  3. Add condition: Click Add condition and select Recipient is > External.
  4. Actions: In the Actions section, configure:
    • Block access or encrypt content: Check Block users from accessing content (Block all).
    • User notifications: Check Notify users with a policy tip and customize the message if desired.
    • User Overrides: (Optional) Allows users to bypass blocking with a justification. For credit card data, it is generally not recommended.
    • Incident Reports: Check Send an alert to administrators and Send an incident report to administrators.
  5. Click Save.
  6. Click Next.

Step 6: Policy Settings

  1. Policy Mode: Select Test First (to monitor impact without blocking) or Activate Now (to apply actions immediately).
    • Tip: Always start with Test First to assess the impact and adjust the policy before applying the block.
  2. Click Next.

Step 7: Finish

  1. Review the policy summary.
  2. Click Create.
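The seven wizard steps above can also be scripted. The following is an added example in Security & Compliance PowerShell, not code from the original article; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Purview permissions listed under Prerequisites, and that the sign-in UPN and policy-tip text are constructed placeholders. The portal's "Recipient is External" condition corresponds to `-AccessScope NotInOrganization`; the property names in the final `Format-List` calls are assumptions.

```powershell
# Added example: the same DLP policy built with Security & Compliance PowerShell.
# Assumes: Install-Module ExchangeOnlineManagement has been run.
Connect-IPPSSession -UserPrincipalName "compliance-admin@contoso.example"   # placeholder account

$policyName = "Block Credit Card for External Parties"

# Steps 2, 3 and 6: name, location (Exchange mailboxes only) and mode.
# TestWithNotifications is the "Test First" mode with policy tips shown to users.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Detects and blocks the sending of credit card numbers to external recipients via email." `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Step 5: the rule. Condition: at least one Credit Card Number, shared outside the organization.
# Actions: block the content, notify the sender with a policy tip, alert and report to admins.
New-DlpComplianceRule -Name "Detect credit card sent externally" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This message appears to contain a credit card number and cannot be sent outside the organization." `
    -GenerateAlert SiteAdmin `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, Detections, Severity `
    -ReportSeverityLevel High

# Step 7 equivalent: review what was created (property names assumed).
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, ExchangeLocation, DistributionStatus
Get-DlpComplianceRule -Policy $policyName | Format-List Name, AccessScope, BlockAccess, NotifyUser

# Once the test period shows no false positives, switch to enforcement ("Activate Now"):
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```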

4. Configuring Endpoint DLP (Optional, but Recommended)

To protect data on Windows and macOS devices, you need to configure Endpoint DLP. This allows you to monitor and restrict actions like copying to USB, pasting into disallowed applications, uploading to cloud services, etc.

  1. In the Microsoft Purview compliance portal, go to Data Loss Prevention > Settings.
  2. Select Endpoint DLP Settings.
  3. Make sure Device Monitoring is On.
  4. Configure the Restrictions for disallowed domain groups and cloud services and Restrictions for disallowed applications.
  5. For devices to be monitored, they must be onboarded in Microsoft Defender for Endpoint and have the DLP connector enabled [4].

Validation and Testing

Validating DLP policies is critical to ensure they work as expected and do not cause false positives.

1. Testing the Email DLP Policy

  1. Create a test email: In an email client (Outlook Web App or Outlook Desktop), create a new email.
  2. Include sensitive information: In the body of the email, enter a valid credit card number (use a non-real test number, or a test number generator for simulation purposes, such as 4111-1111-1111-1111).
  3. Send to an external recipient: Address the email to an email address outside your organization.
  4. Note the policy tip: If the policy is in test mode, the user should see a policy tip stating that the email contains sensitive information.
  5. Check reports: In the Microsoft Purview compliance portal, go to Data Loss Prevention > Alerts or Reports.
    • Check whether an alert has been generated for DLP policy detection.
    • Review the DLP policy matches report to see the details of the detected email.
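Before sending test mail, it helps to confirm that the classifier matches the test value and that the policy has finished distributing. This is an added example, not from the original article; it assumes an existing `Connect-IPPSSession` connection and that the result property names (`ClassificationResults`, `ClassificationName`, `Count`, `ConfidenceLevel`, `DistributionStatus`) are as assumed here.

```powershell
# Added example: dry-run the Credit Card Number SIT against constructed text, then check policy state.
# Assumes Connect-IPPSSession has already been run.
$testBody = "Please charge the order to card 4111-1111-1111-1111, expiry 12/27."   # constructed test input

# Test-DataClassification runs the SIT engine over supplied text without creating any mail item.
$result  = Test-DataClassification -TextToClassify $testBody
$ccMatch = $result.ClassificationResults |
    Where-Object { $_.ClassificationName -eq "Credit Card Number" }   # property names assumed

if ($null -eq $ccMatch) {
    Write-Warning "Credit Card Number SIT did not match; check the SIT name, instance count and confidence in the rule."
} else {
    "Credit Card Number matched: count={0} confidence={1}" -f $ccMatch.Count, $ccMatch.ConfidenceLevel
}

# Mail-flow tests are only meaningful once the policy is fully distributed (see "Policy Enforcement Delays").
$policy = Get-DlpCompliancePolicy -Identity "Block Credit Card for External Parties"
"Mode={0} DistributionStatus={1}" -f $policy.Mode, $policy.DistributionStatus
```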

2. Testing the Endpoint DLP Policy (if configured)

  1. On a Windows device onboarded for Endpoint DLP, create a document (e.g. Word, Notepad) and enter a test credit card number.
  2. Try copying the credit card number to a USB device, or try pasting it into a disallowed application.
  3. The Endpoint DLP policy should block the action and/or notify the user, depending on the settings.
  4. Check Endpoint DLP reports in the Microsoft Purview portal.

Security Tips and Best Practices

  • Gradual Implementation: Start with policies in audit mode (Test First) to understand the impact and refine rules before applying blocking.
  • User Education: Train users on what sensitive data is, why DLP policies exist, and how to prevent breaches. Policy tips are valuable tools for real-time education.
  • Data Classification: Combine DLP with data classification and labeling (Microsoft Information Protection) for more effective protection. DLP policies can be triggered by sensitivity labels.
  • Continuous Review and Adjustment: The data environment and regulations change. Review and adjust your DLP policies regularly to ensure they remain relevant and effective.
  • Incident Monitoring: Actively monitor DLP alerts and reports to identify breach patterns, high-risk users, and gaps in protection.
  • Policy Scope: Be granular in the policy scope. Apply more restrictive policies to high-risk user groups or data.

Common Troubleshooting

  • False Positives (Improper Blocks): If legitimate emails or actions are being blocked, review the policy conditions. Adjust the instance count or SIT confidence level. Consider adding exceptions for trusted senders or domains (with caution).
  • False Negatives (Sensitive Data Passing): If sensitive data is not being detected, verify that the SIT is configured correctly and that the instance count and confidence level are adequate. Make sure the policy is applied to the correct locations and users.
  • Policy Tips Not Appearing: Check if user notifications are enabled in the policy. Make sure your email client (Outlook) is up to date and supports policy tips.
  • Endpoint DLP Not Working: Check that devices are onboarded in Microsoft Defender for Endpoint and that the Endpoint DLP connector is enabled in the Purview portal. Check the event logs on the device for errors.
  • Policy Enforcement Delays: It may take some time for DLP policies to propagate and apply across all services. Wait a few hours and test again.

Conclusion

Configuring Data Loss Prevention (DLP) policies in Microsoft Purview is a critical step in protecting an organization's sensitive information and ensuring regulatory compliance. By identifying, monitoring, and controlling the flow of sensitive data across multiple locations, Microsoft Purview DLP empowers companies to mitigate the risk of data leaks, whether accidental or intentional. Successfully implementing a DLP strategy requires careful planning, rigorous testing, and an ongoing commitment to user education and policy refinement. With the tools and guidance provided in this article, security teams can build a robust defense that protects the organization's most valuable information assets.


References:

[1] Microsoft Learn. Learn about data loss prevention. Available at: https://learn.microsoft.com/pt-br/purview/dlp-learn-about-dlp
[2] Microsoft Learn. What is Microsoft Purview? Available at: https://learn.microsoft.com/pt-br/purview/overview
[3] Microsoft Learn. Licensing requirements for data loss prevention. Available at: https://learn.microsoft.com/pt-br/purview/dlp-learn-about-dlp#licensing-requirements-for-data-loss-prevention
[4] Microsoft Learn. Introduction to endpoint data loss prevention. Available at: https://learn.microsoft.com/pt-br/purview/endpoint-dlp-getting-started