Microsoft Endpoint DLP Interactive Guide


Unified DLP is an integral component of our Microsoft 365 Information Protection suite that gives you broad visibility and control over the lifecycle of your sensitive information as it's used and shared by users across your organization. Our data loss prevention solution works across various cloud services. After completing this interactive guide, you will understand how to configure our endpoint data loss prevention capabilities as an administrator and subsequently validate them as an end user.

Exercise 1: Overview of the Microsoft 365 Compliance Center

    • Password: Password
    • On the Stay signed in dialogue box, click Yes.

    (Note: You may get a Save Password dialogue box at the top right. Just click on Never.)

Congratulations, you have seen a quick overview of the Microsoft 365 compliance center.

Exercise 2: Review of Endpoint DLP Settings

Before you start configuring a specific DLP policy, you should set up your global DLP settings applied to all DLP policies for devices. You must configure these if you intend to create policies that enforce cloud egress restrictions, unallowed apps restrictions, or need to exclude noisy file paths from monitoring. This exercise will walk you through how to check for these global settings.

Congratulations, you have completed Exercise 2 – Review of Endpoint DLP Settings.

Exercise 3: Creating and Reviewing DLP Policy for Endpoints

Endpoint data loss prevention (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft 365 compliance solutions, the information about what users are doing with sensitive items is made visible in the Activity Explorer, and you can enforce protective actions on those items via DLP policies.

Device management is the functionality that enables the collection of telemetry from devices and brings it into Microsoft 365 compliance solutions like Endpoint DLP and Insider Risk management. You'll need to onboard all devices you want to use as locations in DLP policies.

This exercise will take you through configuring your organization’s DLP policies. We will walk through both the Template-Simple Path View (Note: This includes about 80% of what a typical administrator would do.) and an overview of the Custom section.

3.1 Configuration Using the Template

    • Exchange email
    • SharePoint sites
    • OneDrive accounts
    • Teams chat and channel messages
    • Microsoft Cloud App Security
    • On-Premises Scanner
  1. A few notes here: The higher the accuracy percentage, the more precise the detection will be, with fewer false positives. If you lower the accuracy, you might catch numbers that look like a credit card number but are not one. Your organization selects the accuracy level to indicate how broad or how narrow it wants the scope of detection to be. The instance count is the number of unique instances of the data that are detected.

  2. Review your policy on the Review your policy and create it page. Note this is for any Windows Devices that have been onboarded to this group.
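The trade-off between accuracy and instance count described in the notes above, shown as an added example that is not part of the original guide and is not Microsoft's classifier. It is a simplified Python model in which the scores 45/65/85, the keyword list and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample text; the numbers are public test values, not real cards.
SAMPLE = """Payment by Visa card 4111 1111 1111 1111, expires 12/30
Refund issued to card 4111-1111-1111-1111
Reference 5555 5555 5555 4444 received
Tracking number 1234 5678 9012 3456 shipped"""

CANDIDATE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")  # 16 digits, optional separators
KEYWORDS = ("card", "visa", "cvv", "expires")           # assumed supporting evidence

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def score(line, digits):
    """Assumed accuracy scores: 45 pattern only, 65 checksum, 85 checksum + keyword."""
    if not luhn_ok(digits):
        return 45
    return 85 if any(k in line.lower() for k in KEYWORDS) else 65

def detect(text):
    """Map each unique number to the best accuracy score seen for it."""
    best = {}
    for line in text.splitlines():
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            best[digits] = max(best.get(digits, 0), score(line, digits))
    return best

def rule_matches(text, min_accuracy, min_count):
    """True when enough unique instances meet the accuracy threshold."""
    hits = sorted(d for d, s in detect(text).items() if s >= min_accuracy)
    return len(hits) >= min_count, hits

if __name__ == "__main__":
    for accuracy in (85, 65, 45):
        matched, hits = rule_matches(SAMPLE, accuracy, min_count=2)
        print(f"accuracy>={accuracy}: unique={len(hits)} rule_fires={matched}")
```

At the lowest threshold the tracking number, which fails the checksum, is counted as a third instance; the card number that appears on two lines is counted once at every threshold.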

3.2 Overview of Custom Configuration

  1. Note: This will take you back through what you have already created in the template until we submit. So, it will be just a review.

Congratulations, you have configured the DLP policy for Endpoint Devices.


Exercise 4: Validation of the User Experience

This section will show you the experience on a Windows 10 device when users are interacting with the sensitive data subject to the Contoso PCI Data Security Standard (PCI DSS) DLP Policy you just created.

In this exercise, you are Irvin Sayers in the Contoso organization. You will experience what occurs when Irvin, who has been onboarded to the Contoso Group, tries to work with Highly Confidential data that is identified by the DLP policies set up earlier in Exercise 3.1 Configuration Using the Template. You will try to print files, copy sections of them, and copy full files, using a PDF Obsidian file and a Microsoft Word Obsidian file. Both contain Highly Confidential information.

Exercise 4.1 – Printing a Confidential PDF File in Edge

Exercise 4.2 – Copying Data from a Confidential PDF File

Exercise 4.3 – Opening a Confidential PDF File in a third-party browser or application

Exercise 4.4 – Copying Data from a Confidential Microsoft Word File to Another Document

Exercise 4.5 – Printing a Confidential Microsoft Word File

Exercise 4.6 – Copying a Confidential Microsoft Word File to a USB Drive

Congratulations, you have completed Exercise 4 – Validation of User Experience.


Exercise 5: Review of Data Classification

As a Microsoft 365 compliance administrator, you can evaluate and then tag content in your organization to control where it goes, protect it no matter where it is, and ensure that it is preserved and deleted according to your organization’s needs. You do this through the application of sensitivity labels, retention labels, and sensitive information type classification.

The data classification section shows how, out of the box and from the moment you have deployed Endpoint DLP to your devices, you get immediate visibility into how and where sensitive data is being used on and from those devices. This includes tools like communication compliance, insider risk management, and data loss prevention.

It can show:

  • The number of items that have been classified as a sensitive information type and what those classifications are.
  • The top applied sensitivity labels in both Microsoft 365 and Azure Information Protection
  • The top applied retention labels
  • A summary of activities that users are taking on your sensitive content
  • The locations of your sensitive and retained data

This exercise will show some of the telemetry available after DLP policies have been created and subsequently validated through actual individual activity. In this case, we will review a few of the activities identified from Exercise 4 by the user Irvin Sayers.

Congratulations, you have completed Exercise 5 – Review of Data Classification.


To comply with business standards and industry regulations, organizations must protect sensitive information and prevent its inadvertent disclosure. Sensitive information can include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records.

This Interactive Guide has shown you how to better turn on controls to protect the sensitive data that is exploding and expanding across your organization. As users collaborate and produce more and more sensitive content, you must have the right controls to give you that visibility, understand where and how it's being used, and put in those proactive policies to restrict activity that could affect your organization. With a data loss prevention (DLP) policy in the Microsoft 365 compliance center, you can identify, monitor, and automatically protect sensitive information across Office 365.

Additional Resources:

This Interactive Guide walked you through configuring and validating the Data Loss Prevention policy for Windows devices. Another interactive guide, DLP for Teams, takes you through setting up DLP policies for the Microsoft Teams chat and channel messages location.