Data Loss Prevention for Office 365

Data loss prevention (DLP) is an important issue for enterprise message systems because of the extensive use of email for business critical communication that includes sensitive data. In order to enforce compliance requirements for such data, and manage its use in email, without hindering the productivity of workers, DLP features make managing sensitive data easier than ever before. For a conceptual overview of DLP, watch the following video.

First, sign into your Office 365 Enterprise subscription with an administrator at the Office 365 login page. On the upper left hand side of your screen, choose Admin

Then click Exchange:

On the left side of the screen, select compliance management:  Click data loss prevention, located in the middle of the tabs above your information.

Currently, there are not any DLP policies set, so we need to select the + sign below to get started:

After selecting +, there will be 3 options to choose from. The options are detailed below, and for this example, we’ll use the “New DLP policy from template” option.

  • The first option, “New DLP policy from template”, allows you to create a policy based upon the Acts outlined in the section below.
  • The second option, “Import DLP Policy”, allows you to use templates of Microsoft partners instead of the ones provided with Office 365.
  • The last option, “New custom DLP Policy”, is what you’ll use to create a custom policy that suits the needs of your organization.

For OIG “New DLP policy from template” was selected, first provide name and description for this new policy:

Scroll down and choose the appropriate template. In this case, for MVPLATAM 4 template were used and additional transport rules were created satisfy customer needs:

  • S. Health Insurance Act (HIPAA).
  • S. Financial
  • S. PII Data
  • S. SSN

Check enable button to activate the template and it is also available 3 modes for the DLP:  Some of these modes

  • EnforceRules within the policy are evaluated for all messages and supported file types. Mail flow can be disrupted if data is detected that meets the conditions of the policy. All actions described within the policy are taken.
  • Test DLP policy with Policy TipsRules within the policy are evaluated for all messages and supported file types. Mail flow will not be disrupted if data is detected that meets the conditions of the policy. That is, messages are not blocked. If Policy Tips are configured, they are shown to users.

Test DLP policy without Policy Tips   Rules within the policy are evaluated for all messages and supported file types. Mail flow will not be disrupted if data is detected that meets the conditions of the policy. That is, messages are not blocked. If Policy Tips are configured, they are not shown to users.

Click Save


After the policy is created, it will automatically be put into testing mode which can be seen on the right side of the policy and is shown below:

Note: This enables the policy, but puts it in a detection-based mode so that you can evaluate detections to make sure this is the right policy for your organization.

For MVPLATAM the DLP created were:

Edit DLP

Double click on the DLP created and Click Rules.

When you create a DLP from template it will bring all the transport rules associated and pre-configured.  It is recommendable validates if the actions comply in what you need.  Double click on one of the transport rules to validate:

For MVPLATAM the rule was configured like:

Which means:

U.S. Financial: Scan email sent outside – high count

If the message…

Is sent to ‘Outside the organization’
and the message contains these sensitive information types: ‘Credit Card Number’ or ‘U.S. Bank Account Number’ or ‘ABA Routing Number’

Do the following…

Set audit severity level to ‘High’
and Notify the sender that the message can’t be sent, but allow the sender to override and provide justification. Include the explanation ‘Unable to deliver your message. You can override this policy by adding the word ‘override’ to the subject line.’ with status code ‘5.7.1’
and Send the incident report to jrivero@UEDISON.COM, include these message properties in the report: sender, recipients, subject, severity, sender override information, matching rules, false positive reports, detected data classifications, matching content, original mail.

To comply with OIG requirements, additional Transport Rules were created and associated to the DLP’s already created.

Create new Transport Rules

On the same menu, Click on Mail Flow -> Rules -> + -> Create New Rule

And create new rule according your needs:

Notes:  If you create a rule that checks patterns or words on the body and subject some actions on “Do the following” area gets disable.  For example you cannot notify the sender with policy tips you have to reject, blocked, encrypt the message.  For MVPLatam example in the action of “Do the following”: reject the message and include the explanation ‘Social Security is considered Sensitive Data’ with the status code: ‘5.7.1’

If this one of the three rules created for OIG is activated:

The email will be blocked and the sender will be notify:

How to create Policy Tips

Policy Tips are a way to notify your email users before they send a message about possible non-compliant information in their message. You can configure a policy tip to notify the sender, allow the sender to override, block the message, or redirect them to a compliance URL. I this case we will go through how to create policy tip to block the message from sending.

From within the same Office 365 Exchange Online section we have been working in above, go to data loss prevention again.

Click Manage policy tips:

Create a Policy Tip to block the message as shown below and then click Save in the bottom right-hand corner:

The Policy Tip has been added. Click Save and Close to complete and return to the mail screen for DLP configuration:

For MVPLATAM the Policy Created were:

On the rules that accepts “Notify the sender with Policy Tips” action, the user will see on Outlook a message of notification:

Note: Currently, DLP works only with Outlook 2013 for Policy Tips; OWA in On-premises or Office 365 cannot process DLP Policy Tips. Obviously, this is a crucial point to make. To ensure that DLP Policy Tips are available to users, make sure you have deployed Office/Outlook 2013.

Encryption of emails with Sensitive Data

Encryption of emails can be configured with a new Transport Rule or configuring an action of encryption in a DLP rule on the “Do the following” action.

On the upper left hand side of your screen, choose Admin

Select Service Settings from the left pane -> Click Rights Management

From within Rights Management click Manage

You’ll be redirected to the management page -> Click Activate

Click Activate again on the popup asking if you are sure you want to activate Rights Management

Connect to Exchange Online with PowerShell -> Open PowerShell as Administrator

Enter the following commands to connect and import the session

  • Set-ExecutionPolicy RemoteSigned
  • $cred = Get-Credential
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $cred -Authentication Basic –AllowRedirection
  • Import-PSSession $Session

Verify your IRM isn’t configured already

  • Get-IRMConfiguration

Configure RMS with the online key-sharing location for Exchange Online with PowerShell (locations below). For my example I am using North America, but the table below shows all the locations

Set-IRMConfiguration -RMSOnlineKeySharingLocation

For OIG is important to validate if they apply for Office 365 for Government Location

Location RMS key sharing location
Office 365 for Government

Import the Trusted Publishing Domain (TPD) from RMS Online

  • Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”

Verify successful setup of IRM in Exchange Online

  • Test-IRMConfiguration –sender


It can be configured on each rule a generation of an incident report and send it to a group or persons for auditing.


Leave a Reply

Your email address will not be published.

five + 1 =