Create a DLP policy from a template

  • Commodity
  • 4 minutes to read

Note

Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information nigh Microsoft Purview, meet the blog announcement and the What is Microsoft Purview? article.

The easiest, most mutual way to become started with DLP policies is to use one of the templates included in the Microsoft Purview compliance portal. You can use one of these templates as is, or customize the rules to meet your organization's specific compliance requirements.

Microsoft 365 includes over xl set-to-use templates that can assistance you meet a wide range of mutual regulatory and business organization policy needs. Encounter; Policy templates for a complete list.

You can fine tune a template by modifying any of its existing rules or adding new ones. For example, yous can add new types of sensitive information to a rule, modify the counts in a rule to make it harder or easier to trigger, let people to override the deportment in a rule by providing a business organization justification, or alter who notifications and incident reports are sent to. A DLP policy template is a flexible starting point for many common compliance scenarios.

You tin can besides cull the Custom template, which has no default rules, and configure your DLP policy from scratch, to come across the specific compliance requirements for your organization.

Permissions

Members of your compliance squad who volition create DLP policies need permissions to the Compliance Center. Past default, your tenant admin volition take access can give compliance officers and other people admission. Follow these steps:

  1. Create a group in Microsoft 365 and add compliance officers to it.

  2. Create a role group on the Permissions page of the Microsoft Purview compliance portal.

  3. While creating the role group, use the Cull Roles section to add the following role to the part group: DLP Compliance Management.

  4. Apply the Choose Members department to add the Microsoft 365 group you created before to the function group.

Use the View-Only DLP Compliance Management role to create role group with view-only privileges to the DLP policies and DLP reports.

For more information, see Permissions in the Microsoft Purview compliance portal.

These permissions are required to create and apply a DLP policy not to enforce policies.

Roles and Role Groups in preview

There are roles and role groups in preview that you can exam out to fine melody your access controls.

Here'due south a list of applicative roles. To larn more than about them, see Permissions in the Microsoft Purview compliance portal

  • Information Protection Admin
  • Information Protection Annotator
  • Data Protection Investigator
  • Data Protection Reader

Here'due south a list of applicable role groups. To larn more than well-nigh the, see Permissions in the Microsoft Purview compliance portal

  • Data Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

Create the DLP policy from a template

  1. Sign in to the Microsoft Purview compliance portal.

  2. In the Microsoft Purview compliance portal > left navigation > Solutions > Data loss prevention > Policies > + Create policy.

  3. Choose the DLP policy template that protects the types of sensitive data that you demand > Adjacent.

  4. Name the policy > Adjacent.

  1. To choose the locations that you want the DLP policy to protect and either accept the default scope for each location or customize the scope. See, Locations for scoping options.

  2. Choose > Next.

  3. Do one of the following:

    • Choose All locations in Function 365 > Next.
    • Choose Let me choose specific locations > Next. For this instance, choose this.

    To include or exclude an entire location such every bit all Exchange electronic mail or all OneDrive accounts, switch the Condition of that location on or off.

    To include only specific SharePoint sites or OneDrive for Business accounts, switch the Status to on, and then click the links nether Include to choose specific sites or accounts. When you apply a policy to a site, the rules configured in that policy are automatically applied to all subsites of that site.

    Options for locations where a DLP policy can be applied.

    In this example, to protect sensitive information stored in all OneDrive for Business accounts, plough off the Condition for both Exchange e-mail and SharePoint sites, and leave the Condition on for OneDrive accounts.

  4. Choose Review and customize default settings from the template > Adjacent.

  5. A DLP policy template contains predefined rules with conditions and actions that discover and deed upon specific types of sensitive information. You tin can edit, delete, or turn off whatever of the existing rules, or add together new ones. When done, click Side by side.

    Rules expanded in US PII policy template.

  6. Choose to detect when this content is shared inside your organisation or outside your organization if you have selected any of these locations:

    1. Exchange
    2. SharePoint
    3. OneDrive
    4. Teams Chat and Channel Messages

  7. Choose Next.

  8. On the Protection actions folio if yous desire, yous can customize the policy tip notifications and notification emails. Enable When content matches the policy conditions, show policy tips to users and send them an email notification, then choose Customize the tip and email.

  9. Cull Next.