Data Loss Prevention (DLP) – Microsoft Compliance Solutions
Data Loss Prevention (DLP) is a critical component of Microsoft's compliance solutions, and understanding it thoroughly is essential for the SC-900 exam. This guide covers what DLP is, why it matters, how it works, and how to approach exam questions on this topic.
Why is Data Loss Prevention Important?
Organizations handle vast amounts of sensitive data every day, including financial records, personally identifiable information (PII), health records, intellectual property, and credit card numbers. Without proper controls, this data can be accidentally or intentionally shared with unauthorized individuals, leading to:
- Regulatory violations (e.g., GDPR, HIPAA, PCI DSS) resulting in heavy fines
- Reputational damage and loss of customer trust
- Financial losses from data breaches
- Legal liability from mishandling sensitive information
DLP helps organizations identify, monitor, and protect sensitive information across their digital estate, ensuring that data doesn't leave the organization in unauthorized ways.
What is Data Loss Prevention (DLP)?
Data Loss Prevention (DLP) is a set of tools, policies, and processes designed to detect and prevent the unauthorized sharing, transfer, or use of sensitive data. In the Microsoft ecosystem, DLP is part of Microsoft Purview (formerly Microsoft 365 Compliance).
Microsoft Purview DLP allows administrators to:
- Define DLP policies that identify, monitor, and automatically protect sensitive information
- Apply protection across Microsoft 365 services including Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams
- Extend DLP to endpoints (Windows 10/11 and macOS devices) through Endpoint DLP
- Monitor and protect data in on-premises repositories and non-Microsoft cloud apps (via integration with Microsoft Defender for Cloud Apps)
- Provide policy tips to educate users when they are about to violate a policy
How Does DLP Work?
DLP in Microsoft Purview works through a series of well-defined steps and components:
1. Sensitive Information Types (SITs)
DLP policies rely on sensitive information types to detect sensitive data. Microsoft provides over 300 built-in SITs, such as:
- Credit card numbers
- Social Security numbers
- Passport numbers
- Medical record identifiers
Organizations can also create custom sensitive information types using regular expressions, keyword lists, or exact data match (EDM).
2. DLP Policies
A DLP policy consists of:
- Conditions: What to look for (e.g., content containing credit card numbers)
- Actions: What to do when a match is found (e.g., block sharing, encrypt, notify the user)
- Locations: Where to apply the policy (e.g., Exchange, SharePoint, OneDrive, Teams, Endpoints, Power BI)
- User notifications and policy tips: Inform users that they are handling sensitive data and may be violating a policy
- User overrides: Optionally allow users to override a block with a business justification
- Incident reports: Notify administrators or compliance officers when a policy is matched
3. Policy Evaluation and Enforcement
When a user creates, modifies, or shares content, DLP evaluates the content against active policies. If a policy match is found, the configured action is taken:
- Audit only: Log the event without blocking (useful for testing policies)
- Block with override: Block the action but allow the user to override with justification
- Block: Prevent the action entirely
- Notify: Send an email notification or display a policy tip
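As an added example (not part of this guide and not Purview's own engine), the following Python model ties together steps 1 to 3 above: a sensitive information type built from a pattern plus a Luhn checksum (the same kind of checksum the built-in Credit Card Number SIT applies, which is what keeps a random 16-digit string from firing the policy), a policy with conditions, locations and a mode, and an evaluation step that shows why audit mode logs instead of blocking and how a block-with-override differs from a hard block. All class names, the mode strings and the sample card numbers are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional
# Hypothetical, constructed model of the DLP building blocks (SIT -> policy -> action);
# not Purview's engine. Names, modes and sample values are this example's own.

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most 16-digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass
class SensitiveInfoType:
    name: str
    pattern: re.Pattern
    validate: Optional[Callable[[str], bool]] = None  # checksum that cuts false positives

    def count_matches(self, text: str) -> int:
        hits = 0
        for m in self.pattern.finditer(text):
            raw = re.sub(r"[ -]", "", m.group(0))
            if self.validate is None or self.validate(raw):
                hits += 1
        return hits

# Constructed SIT modelled on the built-in "Credit Card Number" type: pattern plus checksum.
CREDIT_CARD = SensitiveInfoType("Credit Card Number",
                                re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), luhn_ok)

@dataclass
class DlpPolicy:
    name: str
    sit: SensitiveInfoType
    min_count: int = 1
    mode: str = "audit"  # "audit" (test mode) | "block_with_override" | "block"
    locations: tuple = ("Exchange", "SharePoint", "OneDrive", "Teams")

def evaluate(policy: DlpPolicy, location: str, text: str, justification: str = ""):
    """Decide one share action at one location; returns (decision, policy_tip)."""
    if location not in policy.locations or policy.sit.count_matches(text) < policy.min_count:
        return "allow", None
    tip = f"{policy.name}: content contains {policy.sit.name}"
    if policy.mode == "audit":
        return "allow_audited", tip  # logged for DLP reports / Activity Explorer, not blocked
    if policy.mode == "block_with_override" and justification:
        return "allow_overridden", tip  # user gave a business justification
    return "block", tip
```

Running the same content through a policy in each mode makes the exam distinction concrete: audit mode produces a record and a tip but never a block, while only the override mode lets a justification through.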
4. Policy Tips
Policy tips are real-time notifications displayed to users in applications like Outlook, SharePoint, and OneDrive when they attempt to share sensitive information. These tips educate users and help them make informed decisions, reducing accidental data leaks.
5. DLP Reports and Activity Explorer
Microsoft Purview provides DLP reports and the Activity Explorer to help administrators:
- View DLP policy matches over time
- Identify trends in data sharing behavior
- Investigate specific incidents
- Refine policies based on actual usage patterns
6. Endpoint DLP
Endpoint DLP extends data loss prevention capabilities to Windows 10/11 and macOS devices. It can monitor and restrict activities such as:
- Copying sensitive files to USB drives
- Copying sensitive content to the clipboard
- Uploading sensitive files to cloud services via a browser
- Printing documents containing sensitive information
- Accessing sensitive files through unallowed apps
Endpoint DLP requires devices to be onboarded to Microsoft Purview and does not require any additional agent if the device is already onboarded to Microsoft Defender for Endpoint.
Key Concepts to Remember for the SC-900 Exam
- DLP is part of Microsoft Purview
- DLP policies can be applied across multiple locations: Exchange Online, SharePoint Online, OneDrive, Teams, Endpoints, Power BI, and on-premises repositories
- Sensitive information types are the foundation of DLP detection
- Policy tips provide real-time guidance to users
- Endpoint DLP extends protection to devices
- DLP can work in conjunction with sensitivity labels and retention labels
- DLP is a preventive control — it stops data from leaving the organization in unauthorized ways
- Activity Explorer helps monitor and investigate DLP events
- DLP policies can be tested in audit mode before enforcement
Exam Tips: Answering Questions on Data Loss Prevention (DLP)
Tip 1: Understand the Purpose
DLP is about preventing sensitive data from being shared inappropriately. If a question asks about protecting sensitive data from being emailed externally or shared on SharePoint, DLP is likely the answer.
Tip 2: Know the Locations
DLP policies can be applied to Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams chat and channel messages, Windows 10/11 and macOS endpoints, Power BI, and on-premises repositories. If a question mentions any of these locations in the context of protecting sensitive data, think DLP.
Tip 3: Distinguish DLP from Other Solutions
- DLP vs. Sensitivity Labels: Sensitivity labels classify and protect documents (encryption, visual markings). DLP policies detect and prevent sharing of sensitive content. They can work together — a DLP policy can use sensitivity labels as a condition.
- DLP vs. Information Barriers: Information barriers prevent specific groups from communicating with each other. DLP prevents sensitive data from being shared inappropriately.
- DLP vs. Insider Risk Management: Insider Risk Management identifies risky user behavior patterns over time. DLP enforces rules on specific content in real time.
- DLP vs. Azure Information Protection (AIP): AIP focuses on classification and labeling. DLP focuses on monitoring and preventing data loss.
Tip 4: Remember Policy Tips
If a question describes a scenario where users need to be educated or warned about handling sensitive data in real time, the answer likely involves DLP policy tips.
Tip 5: Endpoint DLP Scenarios
If a question mentions preventing users from copying sensitive files to USB drives, printing sensitive documents, or uploading sensitive data via a browser on their device, the answer is Endpoint DLP.
Tip 6: Know the Testing Approach
Microsoft recommends starting DLP policies in test mode (audit only) before turning on enforcement. This allows organizations to see the impact without disrupting users. If a question asks about deploying DLP safely, look for options involving testing or simulation mode.
Tip 7: Focus on the Key Terminology
The exam may use terms like sensitive information types, DLP policies, policy tips, user overrides, incident reports, and Activity Explorer. Be comfortable with what each term means and how they fit together.
Tip 8: Read Questions Carefully
DLP questions may present scenarios with multiple compliance features. Always look for keywords like prevent sharing, block external access, detect sensitive data, or protect sensitive information from being leaked — these are strong indicators that DLP is the correct answer.
Summary
Data Loss Prevention in Microsoft Purview is a powerful compliance solution that helps organizations identify, monitor, and protect sensitive information across Microsoft 365 services, endpoints, and beyond. It uses sensitive information types to detect data, applies policies to enforce protection, provides policy tips to educate users, and offers reporting tools for ongoing monitoring. For the SC-900 exam, focus on understanding DLP's purpose, how it works, where it applies, and how it differs from related compliance solutions like sensitivity labels, information barriers, and insider risk management.