Data Loss Prevention for SharePoint On-Premises and Online

One of the core features that many organizations need before looking into a cloud service is the ability to protect the data they own. Knowing that you as an organization can control the flow of data in and out of the company will not only ensure that content is controlled but also ensure that IT is being more proactive than reactive.


One feature that has been around for quite some time within Office 365 is Data Loss Prevention.


What is Data Loss Prevention (DLP)?

Data Loss Prevention is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.


What is Office 365 Data Loss Prevention (DLP)?

To help you as an organization comply with business standards and industry regulations, you need to protect sensitive information and prevent its inadvertent disclosure. The types of content could include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. Data Loss Prevention (DLP) within the Office 365 Security & Compliance Center can help identify, monitor, and automatically protect sensitive information across Office 365.


Creating a DLP policy within Office 365 will allow you as an organization to perform the following tasks:


  • Identify sensitive information across many locations, such as SharePoint Online and OneDrive for Business.
  • Prevent the accidental sharing of sensitive information.
  • Monitor and protect sensitive information in the desktop versions of Excel 2016, PowerPoint 2016, and Word 2016.
  • Help users learn how to stay compliant without interrupting their workflow.
  • View DLP reports showing content that matches your organization’s DLP policies.


A DLP policy is comprised of a few pieces of information.

Microsoft states: “You can use a rule to meet a specific protection requirement, and then use a DLP policy to group together common protection requirements, such as all of the rules needed to comply with a specific regulation. For example, you might have a DLP policy that helps you detect the presence of information subject to the Health Insurance Portability and Accountability Act (HIPAA). This DLP policy could help protect HIPAA data (the what) across all SharePoint Online sites and all OneDrive for Business sites (the where) by finding any document containing this sensitive information that’s shared with people outside your organization (the conditions) and then blocking access to the document and sending a notification (the actions). These requirements are stored as individual rules and grouped together as a DLP policy to simplify management and reporting.”

To create a policy, we need to access the “Security and Compliance” center within Office 365 or, for an On-Premises SharePoint 2016 environment, we can use the “e-Discovery Center” template and choose “Create DLP Query”.

The first step in creating the policy is defining what content you want to protect.

Selecting one of the predefined options will allow you as an organization to select country-specific rules.

Once the type of content has been defined, next we need to choose the locations. For Office 365 we can set the policy for SharePoint Online and OneDrive for Business, or even drill further and define specific sites for each.

To ensure that the right content is captured, we can then customize the rules that came with the selected template.

Each rule allows for the conditions, actions, reports and some core general settings to be modified.

Block People

Notify Users
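
The same what / where / conditions / actions structure can also be scripted for Office 365. The block below is an added example, not code from the original article or from Microsoft: it uses the Security & Compliance PowerShell cmdlets New-DlpCompliancePolicy and New-DlpComplianceRule, and the policy name, rule name, policy tip text and admin account are placeholders chosen for illustration.

```powershell
# Added example: names, tip text and the admin UPN below are placeholders.
# Assumes the ExchangeOnlineManagement module is installed and the account
# holds a role that is allowed to manage DLP policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$policyName = 'Example - Credit card data'   # placeholder
$ruleName   = "$policyName - shared externally"

# The "where": every SharePoint Online site and every OneDrive for Business account.
# TestWithNotifications evaluates content and shows policy tips without enforcing
# the block, so matches can be reviewed before the policy is switched on.
if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-DlpCompliancePolicy -Name $policyName `
        -Comment 'Detect credit card numbers shared outside the organization' `
        -SharePointLocation All `
        -OneDriveLocation All `
        -Mode TestWithNotifications
}

# The "what": a built-in sensitive information type, one or more matches.
$sensitiveInfo = @{ Name = 'Credit Card Number'; minCount = '1' }

# The "conditions": matching content that is shared with people outside the
# organization. The "actions": block access ("Block People"), show a policy tip
# and e-mail the owner and last modifier ("Notify Users"), and send an incident
# report to the site administrator.
New-DlpComplianceRule -Name $ruleName `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveInfo `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This document contains card data and cannot be shared externally.' `
    -GenerateIncidentReport SiteAdmin

# Confirm what was stored before enforcing it.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, Disabled, BlockAccess, AccessScope

# After reviewing the test-mode matches, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```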


Using this granular approach, existing rules or even custom rules can be created, modified and monitored easily, allowing content flow to be controlled. Now the question becomes, “How do our end users know that something matched a DLP rule?”

DLP utilizes SharePoint Search and, as such, takes time to run, but once completed it will start presenting messages to end users when content is out of compliance. DLP policies can also be applied to Exchange, which provides even greater protection, ensuring that content does not leave the organization by email.

SharePoint Online and OneDrive for Business also support the policy tips that Exchange uses, as well as changing the icons defined for that content.

DLP components within both SharePoint Online and On-Premises SharePoint 2016 are a great way to control the flow of content within your organization.
