Attending Microsoft Ignite this year, we noticed how many new features were released for Microsoft Teams alone. We have covered Information Barriers, which is a brand-new feature for Teams, on another blog article. But Microsoft is also extending existing services into Teams as well.

In this article, we wanted to cover the data loss prevention policy within Teams and how to set it up. If you have not heard of the term DLP before, it stands for data loss prevention. In a nutshell, DLP allows the ability to prevent the disclosure of sensitive information and comply with business standards. Examples of sensitive information would be financial data, personally identifiable information (PII) which includes credit card numbers, social security numbers, or even health records.

Data loss prevention policies have existed within Office 365 for the past few years and help identify and prevent the sharing of sensitive data. This capability is now available within Teams. This is true for both IM communications and documents located within Teams (SharePoint). The policies created under data loss prevention can contain where you want to protect the content, such as Exchange Online or Teams for example. You also need to specify the conditions that need to match, for the policy to be enforced, as well as the actions to take place once that condition is matched.

For a quick tutorial for how to set up a data loss prevention policy, please see below:

1. Login to the Office 365 Security & Compliance Center.

2. Select Data Loss Prevention on the left-hand pane.

3. Select Policy.

4. Select a policy and click Policy Settings.

5. Create or edit a rule.

6. Select the User Notifications tab.

7. Select Customize the email text and/or Customize the policy tip text.

8. Enter the text you wish to use and select Save.

9. Within the Policy Settings tab, click Save.

 

4 Ways to Leverage the Power of your Microsoft Teams Investment

 

Now that you completed these steps, you will need to add Microsoft Teams as an available location for the DLP policies.

1. Select Data Loss Prevention on the left-hand pane.

2. Select Policy.

3. Select a policy and confirm that Teams and channel messages appear under Locations. If they do not appear, click Edit.

4. Toggle the status “on” for Teams and channel messages.

5. Click Save.

Once completed and saved, you will now see the DLP policy take effect once the condition of the policy has been met. For example, if your policy is meant to block social security numbers from being sent in Teams, if an end-user sends a number in chat that matches the length or even contains similar hyphens like a social security number, it will be blocked from sending. The end-user will be sent a message like the following:

The sender can then choose the “What can I do?” option and see what the DLP policy will allow. An example of this can be seen below:

In this scenario the DLP policy allows this block to be overridden but they must either report this to an admin or provide justification for why this should be sent. Other policies may be stricter and not even allow these options. In another scenario, a user may be trying to upload a Word document into their files within Teams, but as the document is uploaded it is declined due to a social security number being located from within the document. An admin can be notified of the event and determine if the document does indeed contain sensitive information, and what next steps may be. These are just a few examples of what DLP policies can do to protect your employees. We highly recommend looking into these policies further to see how they can benefit your organization’s security posture.

 

Note: The Microsoft Security & Compliance center is being separated into two different portals. There is now a Microsoft 365 Security Center and a Microsoft 365 Compliance Center. I will provide the links to these portals below as we are not currently sure of the lifespan of the legacy Security & Compliance portal.

Microsoft 365 security center

Microsoft 365 compliance center