Unified DLP is an integral component of our Microsoft 365 Information Protection suite that gives
you broad visibility and control over the lifecycle of your sensitive information as it's used
and shared by your users across your organization. Our data loss prevention solution works
across various Cloud services. After completing this interactive guide, you will understand how
to configure our endpoint data-loss prevention capabilities as an administrator and subsequently
validate them as an end-user.
Exercise 1: Overview of the Microsoft 365 Compliance Center
On the Stay signed in dialogue box, click Yes.
(Note: You may get a Save Password dialogue box at the top right.
Just click on Never.)
Congratulations, you have seen a quick overview of the Microsoft 365 compliance
Exercise 2: Review of Endpoint DLP Settings
Before you start configuring a specific DLP policy, you should set up your global DLP settings
applied to all DLP policies for devices. You must configure these if you intend to create
policies that enforce cloud egress restrictions, unallowed apps restrictions, or need to exclude
noisy file paths from monitoring. This exercise will walk you through how to check for these global
Congratulations, you have completed Exercise 2 - Review of Endpoint DLP Settings
Exercise 3: Creating and Reviewing DLP Policy for Endpoints
Endpoint data loss prevention (Endpoint DLP) extends the activity monitoring and
protection capabilities of DLP to sensitive items that are on Windows 10 devices. Once devices
are onboarded into the Microsoft 365 compliance solutions, the information about what users are
doing with sensitive items is made visible in the Activity
Explorer, and you can enforce protective actions on those items via DLP
Device management is the functionality that enables the collection of telemetry from devices and
brings it into Microsoft 365 compliance solutions like Endpoint DLP and Insider
Risk management. You'll need to onboard all devices you want to use as locations in DLP
This exercise will take you through configuring your organization’s DLP policies. We will walk
through both the Template-Simple Path View (Note: This includes about 80% of what a typical
administrator would do.) and an overview of the Custom section.
3.1 Configuration Using the Template
Teams chat and channel messages
Microsoft Cloud App Security
A few notes here: The higher the accuracy percentage, the more precise the detection, with fewer
false positives. If you lower the accuracy, you might catch numbers that look like a credit
card number but are not one. Your organization selects the accuracy level
to indicate how broad or how narrow it wants the scope of the detection to be. The instance count is
the number of unique instances of that data that are detected.
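An added illustration of the accuracy and instance-count trade-off described above. It is not part of the original guide and is not Microsoft's detection logic. The two accuracy levels, the keyword list and the context window are assumptions, and the sample text is constructed from well-known test card numbers.

```python
import re

# Constructed sample text: published test card numbers, not real accounts.
SAMPLE = (
    "Order 4111 1111 1111 1111 paid by credit card (Visa). "
    "Tracking id 1234567812345678 shipped. "
    "Refund issued to card number 4111-1111-1111-1111. "
    "Backup card 5555 5555 5555 4444 expires 12/30."
)

CANDIDATE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
KEYWORDS = ("credit card", "card number", "visa", "expires")  # hypothetical list
WINDOW = 40  # characters of context searched on each side (assumed value)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that payment card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect(text: str, accuracy: str) -> set[str]:
    """Unique card-like values found at the given accuracy level.

    low  : 16-digit pattern only (broad, more false positives)
    high : pattern + Luhn checksum + a supporting keyword nearby (narrow)
    """
    found, lowered = set(), text.lower()
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if accuracy == "high":
            ctx = lowered[max(0, m.start() - WINDOW): m.end() + WINDOW]
            if not luhn_ok(digits) or not any(k in ctx for k in KEYWORDS):
                continue
        found.add(digits)  # a set, so repeats of one number count once
    return found

def rule_matches(text: str, accuracy: str, min_instances: int) -> bool:
    """The rule fires when the unique instance count reaches the threshold."""
    return len(detect(text, accuracy)) >= min_instances
```

At the low level the tracking id is counted as a third "card number"; at the high level it is rejected by the checksum, and the repeated 4111 number counts once at either level.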
Review your policy on the Review your policy and create it page. Note this
is for any Windows Devices that have been onboarded to this group.
3.2 Overview of Custom Configuration
Note: This will take you back through what you have already created in the template until we
submit. So, it will be just a review.
Congratulations, you have configured the DLP policy for Endpoint Devices.
Click on the Congratulations Box to move to Exercise 4.
Exercise 4: Validation of the User Experience
This section will show you the experience on a Windows 10 device when users are interacting with
the sensitive data subject to the Contoso PCI Data Security Standard (PCI DSS) DLP Policy you
In this exercise, you are Irvin Sayers in the Contoso organization. You will experience what
occurs when Irvin, who has been onboarded to the Contoso Group, tries to perform functions with
Highly Confidential data that has been identified through previously setting up DLP policies in
exercise 3.1 Configuration Using the Template. You will try to print, copy
sections and full files using a PDF Obsidian file and a Microsoft Word Obsidian file. They both
contain Highly Confidential information.
Exercise 4.1 – Printing a Confidential PDF File in Edge
Exercise 4.2 – Copying Data from a Confidential PDF File
Exercise 4.3 – Opening a Confidential PDF File in a third-party
browser or application
Exercise 4.4 - Copying Data from a Confidential Microsoft Word File to
Exercise 4.5 – Printing a Confidential Microsoft Word File
Exercise 4.6 – Copying a Confidential Microsoft Word File to a USB Drive
Congratulations you have completed Exercise 4 Validation of User
Click on the Congratulations Box to move to Exercise 5
Exercise 5: Review of Data Classification
As a Microsoft 365 compliance administrator, you can evaluate and then tag content in your
organization to control where it goes, protect it no matter where it is, and ensure that it is
preserved and deleted according to your organization’s needs. You do this through the
application of sensitivity
labels, and sensitive information type classification.
The data classification section shows you how, out of the box, from the moment you have deployed
Endpoint DLP to your devices, you get immediate visibility into how and where sensitive data is
being used from and on those devices. This includes tools like communication compliance, insider
risk management, and data loss prevention.
It can show:
The number of items that have been classified as a sensitive information type and what those
The top applied sensitivity labels in both Microsoft 365 and Azure Information Protection
The top applied retention labels
A summary of activities that users are taking on your sensitive content
The locations of your sensitive and retained data
This exercise will show some of the telemetry available after DLP policies have been created and
subsequently validated through actual individual activity. In this case, we will review a few of
the activities identified from Exercise 4 by the user Irvin Sayers.
Congratulations, you have completed Exercise 5 – Review of Data
To comply with business standards and industry regulations, organizations must protect sensitive
information and prevent its inadvertent disclosure. Sensitive information can include financial
data or personally identifiable information (PII) such as credit card numbers, social security
numbers, or health records.
This Interactive Guide has shown you how to better turn on controls to protect the sensitive data
that is exploding and expanding across your organization. As users collaborate and produce more
and more sensitive content, you must have the right controls to give you that visibility,
understand where and how it's being used, and put in those proactive policies to restrict
activity that could affect your organization. With a data loss prevention (DLP) policy in the
Microsoft 365 compliance center, you can identify, monitor, and automatically
protect sensitive information across Office 365.
This Interactive Guide walked you through configuring and validating the Data Loss Prevention policy
for Windows devices. Here is another interactive guide, DLP for Teams, that takes you through
setting up DLP policies for the Microsoft Teams chat and channel messages location.