The Latest and Greatest in Microsoft 365 Governance | Blog | Rencore

Managing and monitoring your data with Data Loss Prevention

Written by Jasper Oosterveld | Nov 6, 2025 12:59:28 PM

The volume of corporate and personal data within your Microsoft 365 environment is rapidly increasing, leading to frequent occurrences of sensitive information being inadvertently overshared. Employees may use public generative AI applications alongside both sensitive and outdated data, raising the risk of exposure.

When Microsoft 365 Copilot accesses and processes this information, it can unintentionally share data with unauthorized individuals. This not only presents significant data security concerns but also undermines overall adoption of Microsoft 365 Copilot across the organization.

These challenges may seem difficult to overcome, but there is hope on the horizon! In the second part of this series, we focus on managing and monitoring your sensitive data with the help of Data Loss Prevention (DLP). We focus on Data Loss Prevention for Microsoft 365 and Endpoint, while looking at options to govern your wider information across M365.

Business case & scenarios for Data Loss Prevention

In our previous article, we discussed the challenge of receiving funding for the implementation of sensitivity labels. This also applies for Data Loss Prevention. We can use the same business scenarios but this time scoped for Data Loss Prevention.

Oversharing with unauthorized people

Your employees must authenticate and be authorized to work with data stored in Microsoft 365. This also applies to your external partners. Once successfully authenticated, employees or external partners can download and share sensitive data with unauthorized people. Previously we discussed how sensitivity labels add an additional layer of security (with encryption) to restrict the available actions to specific groups of people. Data Loss Prevention also plays an important role in this scenario. Based on specific conditions, you can restrict access to the detected sensitive data:


This is a helpful way to reduce unauthorized access, even for sensitive data without a sensitivity label. It can be extended to Endpoint devices and Cloud Apps, which is especially useful for reducing data leaks and shadow AI. We cover the monitoring options in more detail in the dedicated section below.

Microsoft 365 Copilot Prompts and results

We previously covered sensitivity labels for identifying sensitive information in prompt results. Microsoft Purview Data Loss Prevention integrates with Microsoft 365 Copilot, featuring a specific policy: when content has a designated sensitivity label, it triggers an action for Microsoft 365 Copilot.


The action restricts the processing of sensitive data with the attached sensitivity label. The following statement is very important:
 
“Identified items still appear in the citations of the response, but the content of the item isn't used in the response.”

Don’t forget, Microsoft 365 Copilot respects permissions, so if your colleagues aren’t included in the sensitivity label permissions, they won’t see the content in the results.
 
Both business scenarios show the power of sensitivity labels in reducing unauthorized access to sensitive content and preventing potential data leaks. This should provide you with enough ammunition to secure funding for your project.

Foundation of Data Loss Prevention

We aren’t going to delve into the detailed configuration of Data Loss Prevention here. However, we need to discuss the foundation of your Data Loss Prevention policies: sensitive information classifiers and the corresponding policies. We provide our recommendations in the following section.

Sensitive Information Classifiers and policies

We touched upon sensitive information in our previous article about sensitivity labels and automatic labeling. Your organization needs to define its sensitive information and translate it into sensitive information types, trainable classifiers, document fingerprinting or exact data match. Some sensitive information is generic and spans all organizations. For example,

  • Driver’s license number
  • Passport number
  • Physical address
  • Social security number
  • IBAN

These have their own unique structure. Microsoft Purview provides over 300 pre-defined Sensitive Information Types you can use as conditions in your Data Loss Prevention policies. The exact rules and conditions should be extracted from your data security policies. If those don’t exist, it is strongly recommended to discuss them with the corresponding stakeholders, for example information managers, the CISO, and risk and compliance officers.

Managing your DLP policies

The following topics are essential for the effective management of your DLP policies:

  • Policies and locations
  • Policy mode
  • Priority
  • Alerts and notifications

A brief overview of these areas will be provided below.

Policies and locations

During the configuration of your Data Loss Prevention policy, there is a selection for a specific location. For example,

Although you can combine multiple locations, we don’t recommend it. You won’t be able to use all the actions you would normally get when selecting a single location. For example, Exchange comes with many actions that won’t all appear when you also select SharePoint and OneDrive. We advise combining SharePoint and OneDrive and creating separate policies for the other locations.

Policy Mode

For your Data Loss Prevention policy, begin in simulation mode without sub-options. Use Activity Explorer and alerts to monitor the results for a few weeks. Are you happy with the results? Gradually enable notifications, then activate the policy. Start with a small group before expanding organization-wide.

Priority

After creating multiple Data Loss Prevention policies, there is a priority order. For example:

The priority order controls which policy takes effect first when multiple policies could apply to the same activity. We recommend the following:

  • Place stricter, high-risk policies at higher priority (closer to 1).
  • Use lower priority for broad awareness/education policies (like policy tips or audit-only).
  • Regularly review and adjust priorities as your org’s needs evolve.

Remember: within a single policy, rule evaluation is independent — priority only applies across different policies.
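The location, policy-mode and priority recommendations above, as an added example in Security & Compliance PowerShell (not code from the original post or from Rencore). It assumes the Exchange Online Management module is installed and that you hold a Purview role that can manage DLP; the policy name, the sensitive information type and the priority value are placeholders chosen for this example.

```powershell
# Added example (not from the original post): one SharePoint + OneDrive policy, created in
# simulation mode and placed at a high priority, following the recommendations above.
# Assumes: Exchange Online Management module installed, Purview DLP management role held.
Connect-IPPSSession

$policyName = 'SPO-OD-Financial-Data'   # placeholder policy name

# Scope the policy to SharePoint and OneDrive only; Exchange and other locations get their
# own policies so that no location-specific actions are lost by combining them.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect financial data in SharePoint and OneDrive' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications      # simulation mode: no policy tips or e-mails yet

# Rule: a built-in sensitive information type as the condition, block access as the action.
# BlockAccess is configured now but has no effect while the policy stays in simulation mode.
New-DlpComplianceRule -Name "$policyName-Block-Anonymous" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -BlockAccess $true -BlockAccessScope PerAnonymousUser `
    -ReportSeverityLevel High

# Stricter policy gets the lower number (lower number = higher priority, evaluated first)
Set-DlpCompliancePolicy -Identity $policyName -Priority 0

# Review the order across all policies before enabling anything
Get-DlpCompliancePolicy | Sort-Object Priority | Format-Table Name, Mode, Priority -AutoSize

# After a few weeks of reviewing Activity Explorer and alerts, step up gradually:
# Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Run the final two commented lines only after the simulation results have been reviewed, and start with a small pilot group before widening the location scope.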

Alerts and notifications

Each rule in your Data Loss Prevention policy contains an option for receiving alerts and notifications. For example,

Figure 9: View SharePoint Sites with specific labels

We advise using alerts and notifications only for specific situations, such as highly sensitive content. Otherwise, frequent notifications may result in an excessive number of messages in your inbox. Believe us, we have been there!

Activity explorer

Activity explorer enables you to monitor what's being done with your labeled data by providing a historical view of activities on your labeled data. The information is gathered from the Microsoft 365 unified audit logs, transformed, and displayed in the user interface. Unfortunately, the data only goes back up to 30 days. To preserve a longer timeframe, you have to export audit logs and use these in a dedicated analytics tool.
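One way to keep DLP activity beyond Activity Explorer's 30-day window, as an added example (not code from the original post or from Rencore): page through the unified audit log with Search-UnifiedAuditLog and flatten the DLP rule matches into a CSV for your analytics tool. It assumes the Exchange Online Management module and an audit-reading role; the operation name, the AuditData field names and the output path are assumptions for this example and should be checked against records in your own tenant.

```powershell
# Added example (not from the original post): export DLP rule-match events from the unified
# audit log so they can be retained longer than Activity Explorer's 30-day window.
# Assumptions: Exchange Online Management module installed, audit-reading role held,
# operation name 'DlpRuleMatch' and AuditData field names as used below.
Connect-IPPSSession

$start     = (Get-Date).AddDays(-30)
$end       = Get-Date
$outFile   = "C:\Temp\dlp-matches-$($end.ToString('yyyyMMdd')).csv"   # placeholder path
$sessionId = "dlp-export-$([guid]::NewGuid())"

# Page through the results: ReturnLargeSet returns up to 5000 records per call under one
# session id, so loop until a page comes back short.
$all = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations DlpRuleMatch `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $all += $page }
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON blob; keep only the fields worth analysing later.
$rows = $all | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Id           = $_.Identity        # use to de-duplicate overlapping exports
        CreationDate = $_.CreationDate
        RecordType   = $_.RecordType
        User         = $_.UserIds
        Workload     = $d.Workload
        Policy       = ($d.PolicyDetails | ForEach-Object { $_.PolicyName }) -join ';'
        Rule         = ($d.PolicyDetails.Rules | ForEach-Object { $_.RuleName }) -join ';'
        ObjectId     = $d.ObjectId
    }
}

$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
Write-Host "Exported $($rows.Count) DLP events to $outFile"
```

Schedule the export weekly so consecutive runs overlap and no part of the 30-day window is missed; the Id column lets the analytics tool drop duplicates from the overlap.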

Adoption & Education

Adoption of Data Loss Prevention revolves around explaining the goal and advantages of the actions and communication enabled by the policies. Otherwise you will receive a lot of pushback that hurts adoption in both the short and long term. We recommend being careful with strict Data Loss Prevention policies. For example, selecting all of the following options:


In particular, the last option blocks employees from sending e-mails. We encountered a customer who received this pop-up for each e-mail. This will hurt and damage the adoption of Data Loss Prevention in your organization. Only use these options in specific and rare business cases, combined with rigorous testing to reduce false positives.

For effective education, we recommend organizing training sessions, either online or on-site. Unfortunately, Microsoft does not offer a wealth of training materials on this topic.

Rencore Microsoft 365 Governance Tool

While Microsoft Purview excels at data security by protecting and managing the content inside documents, messages, and records, it is limited. You also want to address the broader context in which that data lives and moves.

This is where Rencore Governance operates, providing visibility and control over the services that hold and process the data.

To truly control your Microsoft 365 and AI ecosystem, you need both:

  • Purview to secure the data inside.
  • Rencore to govern the services around it.

Enterprises that successfully combine data and service governance tools create an environment where data protection is consistently enforced and compliance is maintained across all systems. This approach ensures that sensitive information is handled securely, reducing risk and supporting regulatory alignment.

At the same time, services remain efficient, well-maintained, and cost-effective. By bridging the gap between these two governance areas, organizations gain better visibility and control over their digital operations, enabling smarter decision-making and long-term sustainability.

If you would like to learn more about how to stay in control and secure across all workloads, get in touch with Rencore today.