Summary: How to configure Data Loss Prevention in Office 365.
Date: Around 2018
Refactor: 8 March 2025: Checked links and formatting.

Data Loss Prevention is one of the powerful security and compliancy options within Office 365. In this post I'll configure two policies based on templates that are maintained by Microsoft. Please note that you need to take a few things in consideration when configuring data prevention:

• Privacy - All emails will be scanned and especially during testing and tuning phase it might be required you read (parts) of the emails that are being sent. You need to discuss these matters with you compliancy and privacy officers
• SOC mailbox - You need to place to which alerts need to be sent. This could be your compliancy mailbox or the mailbox of your SOC team but it needs to be accessible ONLY by authorized employees.
• Updates to the policy might take 24 hours to take into effect, but as far as I have seen 15 minutes is more common
• All configuration is done in the Security and Compliance portal found at: https://protection.office.com

This policy will trigger on financial data, more specifically credit card numbers. Follow these steps to create the policy:

• Go to protection.office.com → Data loss prevention → Policy → Create a policy
• Choose the template to start with:
  • Adjust the region to European Union and select Financial → PCI Data Security Standard
    • PCI Data Security Standard (PCI DSS)
    • Description: Helps detect the presence of information subject to PCI Data Security Standard (PCI DSS), including information like credit card or debit card numbers. Protects this information: Credit Card Number
• Click Next and Name your policy:
  • Name: NL - Financial Data - PCI Data Security Standard (PCI DSS)
  • Description: DLP voor Credit Card gegevens
• Click Next and choose the locations to apply the policy to:
  • Locations: All locations in Office 365. Includes content in Exchange email and OneDrive and SharePoint documents.
• Click Next
• In the Customize the type of content you want to protect setting select The “Use advanced settings” and click next:
  • Expand the rule: Low volume of content detected PCI DSS → Delete rule
  • Expand the rule: High volume of content detected PCI DSS → Edit Rule
    • Name: Any volume of content detected PCI DSS
    • Description: Trigger policy if any credit card number is found
    • Conditions:
      • Content contains: Credit Card Number; minimum 1; match accuracy 65 %
      • Content is shared with people outside my organization
    • No exceptions
    • Actions: Block people from sharing and restrict access to shared content (you could also select to have the emails encrypted. But you need Exchange Online - Message Encryption for that. )
      • Only people outside your organization. People inside your organization will continue to have access.
    • User Notifications
      • Notify these people: Notify the user who sent, shared, or last modified the content. Do not select the default options to also notify the owners or custom mailboxes if privacy is an issue for you.
      • Select to customize the email text and provide a descriptive text that will tell your users why the email was blocked and who to contact if they have questions:
        • Your email was blocked because a creditcard number was detected. If you believe this is a false positive or if you have any questions please contact mailbox.soc@getshifting.com.
      • Select to Customize the policy tip text, this outlook tooltip is shown before the email is sent, but in my experience it does not always work:
        • Your email contains a creditcard number. Please see Exchange Online - Message Encryption on how to sent sensitive data. If you believe this is a false positive or if you have any questions please contact mailbox.soc@getshifting.com.
    • User overrides: On
      • Require a business justification to override: enabled
    • Incident reports
      • Enable all notifications as high alert to:
      • mailbox.soc@getshifting.com
    • You can also include the following information in the report:
      • The name of the person who last modified the content: On
      • The types of sensitive content that matched the rule: On
      • The rule's severity level: On
      • The content that matched the rule, including the surrounding text: On
      • The item containing the content that matched the rule: Off
    • Click Save to return to the policy settings
    • Click Next and select to test the policy first with policy tips enabled
    • Click Next
  • Click Create

To test the policy you need to send an email with a credit card number. You can use these creditcard numbers to test.

Sometimes the tooltips do not work. Most common cause is that outlook tooltips are not enabled. You can also test the tooltips in https://outlook.office.com. It could also take some time for the tooltips to show. I also experiences the tooltips to randomly work for users.

The GDPR policy needs a little tweaking. By default only the EU confidential data is protected, but not the Dutch BSN Number.

All the steps are the same as above except for the following parts (and naming and description of course):

• Choose the template to start with:
  • Adjust the region to European Union and select Privacy → General Data Protection Regulation (GDPR)
• To add the BSN do the following steps in the Rule of the policy:
  • Go to conditions → Sensitive Info Types
    • Add → Sensitive info types
    • Add
    • Scroll down in the list and select Netherlands Citizen's Service (BSN) Number
    • Done

In my experience the EU GDPR data results in a large number of false positives. You could set the match percentage higher (see resources for what the sensitive types match on) or delete the info type from the sensitive info type list. That is a valid option if your company doesn't store these numbers from their customers.

https://docs.microsoft.com/en-us/office365/securitycompliance/create-a-dlp-policy-from-a-template
https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies
https://docs.microsoft.com/en-us/office365/securitycompliance/what-the-sensitive-information-types-look-for