Data Loss Prevention Policy in Microsoft 365 Using SIT

This article explains how Data Loss Prevention (DLP) in Microsoft 365 helps organizations protect sensitive information from unauthorized sharing or misuse. It covers the role of Sensitive Information Types (SITs) in detecting confidential data, demonstrating how DLP policies can be created and applied across workloads.

Data Loss Prevention (DLP) is a data protection control designed to prevent the exposure or misuse of confidential information. By applying defined policies, it monitors sensitive data and enforces safeguards across Microsoft 365 workloads, including Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams.

Sensitive Info Type (SIT)

Sensitive Information Types (SITs) classify and detect sensitive data by analyzing content patterns together with contextual evidence. Microsoft provides a comprehensive set of predefined SITs and also supports custom SITs for compliance and data protection scenarios the built-in set does not cover. DLP policies use SITs to identify specific patterns of sensitive data (such as credit card numbers, SSNs, or custom IDs) within content, so that a matching item can trigger actions such as blocking, alerting, or encrypting, preventing accidental data leakage across cloud services, endpoints, and email. In short, SITs are the criteria that tell DLP what sensitive data to look for; the policy rules decide what happens when it is found.

Log in to compliance.microsoft.com as a Global Administrator, then go to Solutions > Data loss prevention > Classifiers > Sensitive info types.

DLP_1.jpg

DLP Policy Creation

Go to: compliance.microsoft.com

Navigate to Solutions > Data loss prevention > Policies.

DLP_2.jpg

Click Create policy.

DLP_3.jpg

Select Enterprise application & device

DLP_4.jpg

Select Custom policy.

DLP_5.jpg

Provide a name for the policy and click Next.

DLP_6.jpg

Next, you will see the option Assign admin units.

• Configuring admin units requires an E5 license.

• Under Admin units, select Full directory, then click Next.

DLP_7.jpg

Select the locations Exchange email, OneDrive, SharePoint, and Teams chat, then click Next.

DLP_8.jpg

Select Create or customize advanced DLP rules, then click Next.

DLP_9.jpg

To create a new rule, click Create rule.

DLP_10.jpg

Name the rule, for example “PAN Card Block”.

DLP_11.jpg

Scroll down to Conditions.

Select Content is shared from Microsoft 365 > with people outside my organization.

Then click Add condition.

Select Content contains, provide a group name (for example, SIT-PAN Card), then click Add and choose Sensitive info types.

Search for Microsoft's predefined Indian PAN card SIT and add it.

DLP_12.jpg

Note: you can add multiple SITs as needed.

Under Actions, select Block only people outside your organization.

DLP_13.jpg

Under User notifications, turn on the toggle.

DLP_14.jpg

Under Incident reports, turn on the toggle, then click Save.

DLP_15.jpg

Click Next.

DLP_16.jpg

Select Turn on the policy immediately and click Next.

DLP_17.jpg

Review the policy and click Submit.

DLP_18.jpg

The newly created policy is marked with a green check mark. Click Done.

DLP_19.jpg
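The same policy can be built from Security & Compliance PowerShell, which is useful for repeatable deployments and for auditing what the wizard created. The script below is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, that the account holds a compliance admin role, and that the predefined SIT is named "India Permanent Account Number (PAN)" (verify the exact name in your tenant).

```powershell
# Added example: "PAN Card Block" policy built with Security & Compliance PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# has a compliance admin role. Connect-IPPSSession (not Connect-ExchangeOnline) is
# required for the DLP cmdlets.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Assumption: the predefined Indian PAN SIT is named exactly as below.
# Check the list in your tenant rather than relying on the name blindly.
$sitName = "India Permanent Account Number (PAN)"
$sit = Get-DlpSensitiveInformationType | Where-Object { $_.Name -eq $sitName }
if (-not $sit) {
    throw "SIT '$sitName' not found; review Get-DlpSensitiveInformationType output."
}

# Policy scoped to the same workloads chosen in the wizard:
# Exchange email, SharePoint, OneDrive and Teams chat.
# -Mode Enable matches "Turn on the policy immediately";
# use -Mode TestWithNotifications to pilot the policy before enforcing it.
$policyName = "PAN Card Block"
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Blocks Indian PAN numbers shared with people outside the organization" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode Enable

# Rule: content contains the PAN SIT AND is shared with people outside the organization.
# BlockAccessScope PerUser blocks external recipients only (the wizard's
# "Block only people outside your organization"); NotifyUser enables the user
# notification and GenerateIncidentReport enables the incident report.
New-DlpComplianceRule -Name "PAN Card Block rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = $sitName; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel Medium

# Verify the result, which is also how you audit policies created in the portal.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, BlockAccessScope, NotifyUser
```

Running the final two cmdlets against a policy created in the wizard lets you confirm that the conditions and actions shown on the review page were actually applied.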




