New Data Loss Prevention Capabilities in Office 365

Over the past several years, Office 365 has expanded Data Loss Prevention (DLP) capabilities beyond email to documents, sites, and storage.

In the next few months, a public preview of new DLP policies in SharePoint Online, OneDrive for Business, and Office applications will be rolling out to eligible tenants, so we thought it would be a good time to recap DLP in O365 and look at what’s coming next.

DLP in Exchange email

Email is used to communicate critical information in every business, so it makes sense that DLP capabilities in Office 365 started with Exchange. The DLP features in Exchange allow admins to define transport rules, actions, and exceptions, which they then activate to filter email messages and attachments. Pre-defined policy templates are available from Microsoft, and it’s also possible for admins to import pre-built policy files or create custom policies.

Policy tips can also be configured to warn users that they may be about to violate a policy even before an email is sent; for example, a user might include a credit card number in an email message to an external user, and a policy tip notifies them that they are in violation of the enterprise’s policy.
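
The credit card scenario above, written as an Exchange transport rule. This is an added example, not taken from the original post or from Microsoft's templates; it assumes a connected Exchange Online PowerShell session in which mail flow rule DLP conditions are available, and the rule name and partner domain are hypothetical placeholders.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run by an
# account allowed to manage transport rules.
$ruleName      = 'DLP - Credit card to external recipients'  # hypothetical name
$partnerDomain = 'payments-partner.example'                  # hypothetical exception
$enforce       = $false   # set to $true only after reviewing the audit results

# Stage 1: audit plus policy tip. Nothing is blocked yet.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -Mode AuditAndNotify `
        -SentToScope NotInOrganization `
        -MessageContainsDataClassifications @{Name = 'Credit Card Number'; minCount = '1'} `
        -ExceptIfRecipientDomainIs $partnerDomain `
        -NotifySender NotifyOnly `
        -SetAuditSeverity Medium `
        -Comments 'Policy tip only; review incidents before enforcing.'
}

# Stage 2: block the message unless the sender explicitly overrides
# with a business justification.
if ($enforce) {
    Set-TransportRule -Identity $ruleName `
        -Mode Enforce `
        -NotifySender RejectUnlessExplicitOverride `
        -SetAuditSeverity High
}

# Confirm the condition, exception, and action that are actually in effect.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentToScope, ExceptIfRecipientDomainIs,
                NotifySender, SetAuditSeverity
```

Running the rule in AuditAndNotify first shows how often the sensitive information type matches legitimate mail before any message is rejected.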

TechNet has a series of informative posts on DLP that can be found here.

DLP in Office applications

Data Loss Prevention will be at the core of Office 2016 applications, currently in preview. According to the Office blog, “Admins can easily set up policies for SharePoint Online/OneDrive for Business that will automatically apply to Word, Excel and PowerPoint 2016 applications. If users open a sensitive file from SharePoint Online/OneDrive for Business, they will be notified of the sensitive information in context within the Office application.”

The Office 365 tenant admin will be able to allow users to either ignore the policy or provide a business justification in order to resolve the conflict and access the file.

DLP in SharePoint Online and OneDrive for Business

Admins can search for sensitive content in SharePoint Online and OneDrive for Business via the eDiscovery Center. With 51 built-in sensitive information types, such as Social Security numbers and bank account numbers, search queries are easy to set up. If you discover a document in violation of a policy, you can review it inline, in real time.

What’s next for DLP in SharePoint and ODfB?

New capabilities for DLP were announced last week, and now DLP in these areas goes beyond discovery and review. These new capabilities are available in the current public preview and include:

  • Simplified setup. Set policies from the Office 365 compliance center, using the built-in sensitive information types.
  • End user education. Configure policies that alert users to non-compliance within context. For example, if a document violates a policy by sharing with people outside your organization, the owner of the document would be notified with a Policy Tip and given options to resolve.
  • Effectiveness tracking. Track DLP policies using reporting built in to Office 365, including reports on specific incidents that can be reviewed by admins and/or security teams.

In Phase 3 of the preview, even more DLP capabilities will roll out, such as exceptions for locations and conditions. The rollout will continue throughout 2015, so if you don’t see these policies in your tenant yet and you know you’re eligible, keep checking. With the combination of the current and upcoming policies, organizations can stay compliant while allowing workers to remain productive and self-sufficient.