Data Loss Prevention (DLP) stops sensitive information from being shared where it shouldn't be. Credit card numbers emailed externally. Client tax file numbers uploaded to a public SharePoint site. Confidential documents attached to a Teams message to someone outside the organisation.

If you're on Business Premium, E3, or E5, you already have DLP. Here's how to set it up.

What DLP does

DLP policies scan content in email, SharePoint, OneDrive, and Teams for sensitive information. When they find a match, they can warn the user, block the action, or notify an admin.

It uses pattern matching — things like credit card number formats, Australian Business Numbers, tax file numbers, and Medicare numbers. You can also create custom patterns for your own data.

Creating your first policy

Go to compliance.microsoft.com → Data loss prevention → Policies → Create policy.

Start with a template. Microsoft provides templates for Australian regulations including the Privacy Act 1988 and financial data. Select 'Australia Financial Data' or 'Australia Privacy Act' as a starting point.

Choose where the policy applies: Exchange (email), SharePoint, OneDrive, Teams. Start with all of them.

Set the action to 'Show a policy tip' first — this warns users without blocking them. Once you're confident the policy isn't catching false positives, change it to block.

Useful policies for Australian businesses

Australian Tax File Numbers — detect and block TFNs being shared externally.

Credit card numbers — prevent card numbers appearing in emails or shared documents.

Australian Business Numbers and Medicare numbers — if you handle these, protect them.

Custom keywords — add your own terms like 'confidential', 'internal only', or specific project names that shouldn't leave the business.

Testing and tuning

Run the policy in test mode first. DLP policies can generate false positives — for example, a phone number that looks like a credit card number.

Check the DLP reports under Reports → DLP policy matches. Review what's being flagged and adjust sensitivity levels or add exceptions where needed.

Users can override some policies with a business justification — this is configurable per policy.

DLP is part of our M365 security service. We configure policies based on your industry, test them, and tune them so they catch real risks without annoying your team with false positives.