Now let's get started: we will create a Data Loss Prevention (DLP) policy in the Microsoft Purview portal to protect sensitive data from being shared by users.
- In the Microsoft Purview portal, in the left navigation pane, click Solutions, select Data loss prevention and then select Policies.
- On the Policies page, select + Create policy to start the wizard for creating a new data loss prevention policy.
- On the Start with a template or create a custom policy page, scroll down and select Custom under Categories and Custom policy under Regulations (both options should already be selected by default). Select Next.
I created a custom DLP policy instead of the default Financial PCI DSS policy to better fit our needs. While PCI DSS is a preconfigured template, a custom template allows for targeted protection, flexibility, and granular rule adjustments such as choosing monitored platforms, customizing alerts, and tailoring user notifications.
For strict industry compliance, PCI DSS works well, but for specific security needs and better control over the policies, going custom was the best choice in my opinion. Of course, you can customize the default Financial PCI DSS policy, but at that point it essentially becomes a custom policy anyway.
- On the Name your DLP policy page, type Credit card policy in the Name field and type Protect credit card numbers from being shared in the Description field. Select Next.
- On the Assign admin units page, click Next.
- On the Choose where to apply the policy page, select only Exchange email, uncheck all other options and click Next.
- On the Define policy settings page, select Create or customize advanced DLP rules and select Next.
- On the Customize advanced DLP rules page, select + Create rule.
- On the Create rule page, type Credit card information in the Name field.
- Under Conditions, select + Add Condition and then select Content contains from the drop-down menu.
- On the new Content contains page, select Add and select Sensitive info types from the drop-down menu. On the Sensitive info types page, search for Credit, select Credit Card Number and select Add.
- Under Actions, click Add an action and select Restrict access or encrypt the content in Microsoft 365 locations from the drop-down menu.
- Under Restrict access or encrypt the content in Microsoft 365 locations, select Block everyone.
- Under User notifications, turn on the toggle for Use notifications to inform your user and help educate them on the proper use of sensitive information, and select the check box Show the policy tip as a dialog for the end user before send.
- Under Incident reports, set the severity level to Medium, turn on the toggle for Send an alert to admins when a rule match occurs, and click Save.
- Back on the Customize advanced DLP rules page, click on Next.
- On Policy mode select Turn the policy on immediately and click Next.
- On the Review and Finish page, review the information and click on Submit. Select Done on the New policy created page.
Step summary: You have now created a DLP policy that scans for credit card numbers and prevents sharing this information in Microsoft Outlook.
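As an added example that is not part of the original post, the same policy and rule can be created with Security & Compliance PowerShell (the ExchangeOnlineManagement module's Connect-IPPSSession), which gives you a repeatable, reviewable definition instead of wizard clicks. Cmdlet and parameter names are those of that module as I know them; the sensitive info type name Credit Card Number is the built-in type the wizard selected above.

```powershell
# Added example, not the post's own steps: build "Credit card policy" with
# Security & Compliance PowerShell. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds a Purview admin role.
Connect-IPPSSession

# Policy scoped to Exchange email only and turned on immediately (Mode Enable).
New-DlpCompliancePolicy -Name "Credit card policy" `
    -Comment "Protect credit card numbers from being shared" `
    -ExchangeLocation All `
    -Mode Enable

# Rule: content contains the built-in "Credit Card Number" sensitive info type;
# block everyone, show the policy tip as a dialog before send, and raise a
# medium-severity incident report plus an admin alert on every match.
New-DlpComplianceRule -Name "Credit card information" `
    -Policy "Credit card policy" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number" } `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipDisplayOption Dialog `
    -GenerateAlert SiteAdmin `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel Medium

# Check: confirm the rule is attached to the policy, enabled, and blocking.
Get-DlpComplianceRule -Policy "Credit card policy" |
    Select-Object Name, BlockAccess, BlockAccessScope, ReportSeverityLevel, Disabled
```

Re-running the script against an existing policy fails on the New- cmdlets; use Set-DlpCompliancePolicy and Set-DlpComplianceRule to change settings in place.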
Create an Alert Policy
Next, we will create an alert policy that fires on DLP rule matches.
- Navigate to the Microsoft Defender home page.
- In the Microsoft Defender portal, in the left navigation pane, select Policies & rules > Alert policies.
- On the Alert Policy window, select New Alert Policy.
- On the Name your alert window, specify the following and click Next.
  - Name: DLP-Alert-Policy
  - Severity: Medium
  - Category: Information governance
Following naming conventions for various processes, such as policy and alert names, is essential in enterprise organizations. Since this is only a demo, no naming convention was applied here. Depending on your organization's standards, policies and alerts should be named accordingly to maintain a structured approach that aligns with organizational practices.
- On the Create alert settings window, specify the following and click Next.
  - Activity is: DLP policy match
  - How do you want the alert to be triggered: Every time an activity matches the rule
- On the Set your recipients window, specify the following and click Next.
  - Email recipients: a compliance officer, for example
- On the Review your settings window, specify the following and click Submit.
  - Do you want to turn the policy on right away? Yes, turn on right away
Step summary: A DLP match rule with email notification ensures that key personnel are alerted immediately about potential data loss incidents, enabling quick response and compliance enforcement.
Add a user to Microsoft Purview built-in role group
In this step, we will add a user to a predefined role group within Microsoft Purview, granting them the ability to check DLP alerts and perform additional tasks. You can still opt for the least privilege approach by creating a custom role group with view-only DLP alerts permissions. However, in this scenario, I will assign the Security Administrator role since the user needs access beyond just checking alerts.
- In the Microsoft Purview portal, in the left navigation pane, click Settings > Roles & scopes > Role groups.
- On the Role groups for Microsoft Purview solutions window, search for and select Security Administrator, then select Edit at the top.
- On the Edit members of the role group window, select Choose users, then on the Choose users blade select your security admin user and click Select.
- Click on Next > Save > Done.
Step summary: You have added a user to a predefined role group in Microsoft Purview, granting broader access beyond DLP alerts. While least privilege is a must, the Security Administrator role was assigned here to support additional tasks.
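The alert policy and the role-group change from the two preceding sections, as an added PowerShell example that is not part of the original post. It assumes a Connect-IPPSSession session is already open; the two mailbox addresses are placeholders, and the commented alternative shows the aggregated (less noisy) alert option.

```powershell
# Added example, not the post's own steps. Placeholder addresses, not from the post:
$alertRecipient = "compliance-officer@contoso.example"
$securityAdmin  = "secadmin@contoso.example"

# Alert policy "DLP-Alert-Policy": medium severity, category Information governance
# (DataGovernance in PowerShell), fired every time an activity matches a DLP rule.
New-ProtectionAlert -Name "DLP-Alert-Policy" `
    -Category DataGovernance `
    -ThreatType Activity `
    -Operation DlpRuleMatch `
    -AggregationType None `
    -Severity Medium `
    -NotifyUser $alertRecipient

# Aggregated alternative: one alert once 5 matches occur within a 60-minute window.
# New-ProtectionAlert -Name "DLP-Alert-Policy-Aggregated" -Category DataGovernance `
#     -ThreatType Activity -Operation DlpRuleMatch `
#     -AggregationType SimpleAggregation -Threshold 5 -TimeWindow 60 `
#     -Severity Medium -NotifyUser $alertRecipient

# Add the user to the built-in Security Administrator role group.
Add-RoleGroupMember -Identity "Security Administrator" -Member $securityAdmin

# Checks: the alert is enabled and the new member is listed.
Get-ProtectionAlert -Identity "DLP-Alert-Policy" |
    Select-Object Name, Severity, AggregationType, Disabled
Get-RoleGroupMember -Identity "Security Administrator"
```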
Demonstrating Data Loss Prevention (DLP) Policy
In this step, we’ll compose an email containing sensitive information that matches the conditions specified in the DLP policy. For example, include credit card numbers in the email body.
Open Outlook and select New Email in the top-left corner of the screen. Enter your personal email address as the recipient, set the subject to Sending credit card number, enter several demo credit card numbers in the body and click Send.
Note: To complete this step, use a fake credit card number. You can find one on a Test Credit Card Numbers website; copy it and paste it into the email body.
Observe that the email is blocked by the policy and that you receive a notification, as shown below.
If you take a minute or two to create the email, you will not even be able to send it, as Outlook scans the content and detects that it violates the policy, as shown below.
If you create and send the email too quickly before Outlook has scanned the content, the Send button will not be grayed out. As a result, the email will be sent, but it will be blocked, and the sender will receive the message shown below.
This is common behavior in Outlook when a Data Loss Prevention (DLP) policy is in place. If you send the email quickly, the DLP system may only block it after detecting the sensitive data post-send. But if you take a minute or two, Outlook's built-in content scanning detects the sensitive information earlier and disables the Send button.
As an admin, you will receive the DLP alert email configured earlier whenever someone violates the policy. The admin can then check the alert in Microsoft Defender.
Note: Alerts can be sent every time an activity matches a rule, which can be noisy or they can be aggregated based on the number of matches or volume of items over a set period.
Step summary: In this step, you composed an email in Outlook containing sensitive information that matches the DLP policy conditions. If the email includes restricted data—like credit card numbers—the policy blocks the email and notifies the sender.
Source: Data Loss Prevention in Purview: Securing Credit Card Information – Blogs | Saied Taki