Last Update: Sep 04, 2024 | Published: Jan 17, 2022
As more employees shift to working remotely, it is more important than ever that organizations prioritize protecting their business-critical and sensitive data across apps, endpoints, and cloud services. Employees are accessing, sharing, creating, and storing data in new ways, which makes it more imperative to ensure that data is protected and compliant.
With this massive growth of corporate data, exacerbated by increasing remote work and complex regulatory requirements to protect and govern it, managing risk is essential to digital transformation.
Data loss prevention (DLP) is the process of preventing sensitive data from being lost, misused, or accessed by unauthorized users. Typically, DLP software identifies violations of policies defined by organizations or driven by regulatory compliance such as HIPAA, NIST Cybersecurity Framework, or GDPR.
In addition, DLP enforces remediation immediately upon detection of violations via alerts, encryption, and other protective measures to ensure end-users do not accidentally or maliciously share data with others that could compromise the organization.
Furthermore, DLP can provide reporting for compliance and audit requirements and help identify weaknesses and anomalies during forensic analysis and incident response.
Microsoft’s DLP solution provides a broad range of capabilities to address the modern workplace and the unique challenges of these very different environments.
One of the key investment areas is providing a unified and comprehensive solution across the many different devices and services where sensitive data is stored and used, including environments native to Microsoft and non-Microsoft services and apps. Microsoft’s DLP solution enables organizations to create policies that prevent or disable sharing of sensitive data, prevent printing, notify admins when someone tries to share sensitive data, and customize policy tips to educate users about sharing sensitive data.
As part of Microsoft’s Office 365 Enterprise license, the E3 version provides DLP capabilities for Exchange Online and SharePoint/OneDrive. Customers who have upgraded to Microsoft 365 E5 can utilize DLP capabilities for Microsoft Teams, Devices, and even on-premises environments.
DLP provides controls to prevent sensitive information (such as credit card numbers or health records) from being leaked unintentionally. For those customers on Office 365 E5 or Microsoft 365 E5, DLP policies are available to Microsoft Teams Chat and Channel messages to prevent sharing sensitive information.
There are already DLP policies available for documents saved in Teams, stored in a SharePoint library; these are now available to chats and channel messages.
Since every organization has different requirements, goals, and resources, every organization will implement data loss prevention (DLP) differently. Despite these differences, successful DLP implementations share similar elements.
Microsoft Information Protection tools use sensitive data types to locate data in messages and documents. Sensitive data types make it easier to detect sensitive data, which helps organizations apply appropriate policies.
Defining sensitive data types is the first step in planning and designing your Microsoft Teams DLP policy. Microsoft provides templated sensitive data types based on compliance regulations around the world; examples include financial information such as credit/debit card numbers, personal information, and more. These are in the Microsoft 365 Compliance admin center under Data classification:
Figure 1: Sensitive info types in the Microsoft 365 Compliance center
Suppose the pre-configured sensitive data types don’t meet your needs. In that case, you can create your own custom sensitive information types to define your own sensitive data elements using regular expressions or keywords.
To prevent data leakage in Microsoft Teams, you first need to create a DLP policy and apply it to Teams Chat and Channel messages. Open the Microsoft 365 Admin Compliance center and go to Data Loss Prevention under Solutions.
Create a new policy and choose your Sensitive Data Type. It can be the pre-configured templated ones or a previously created custom one.
Figure 2: New DLP Policy in Microsoft 365 Compliance Centre
Choose the locations to apply the policy. Make sure Teams chat and channel messages is selected. You can choose to use this policy for all accounts or select or exclude specific accounts/distribution groups. For example, you might want to apply a DLP policy to prevent the sharing of financial information but add the finance team as an exception as they require the ability to do this as part of their role.
To disable sharing of sensitive data with external users, define custom advanced rules settings from the template. You can customize the DLP rules to disable sharing of the sensitive info type.
Figure 3: Customize DLP rules when creating a policy
When editing the rule, add an action to restrict access or encrypt. Here you can block peer-to-peer or external sharing of sensitive information (Figure 4).
Figure 4: Restricting access in DLP policy
You can enable alerts to notify you and admins when a policy match occurs. DLP can customize alerts to send a notification when a high volume of matched activities is reached (Figure 5).
Figure 5: Incident reports in DLP Policy
It’s difficult to predict where the risks of data leakage lie, making it even more challenging to implement data loss prevention. DLP policies can be run in “test mode”, letting you assess their effectiveness and accuracy before turning them on.
Before enforcing the policy, test it first and turn on policy tips while testing. Testing lets you see what your policy tips look like to your end users.
Figure 6: Test policy option in DLP
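The procedure above can also be scripted. The following is an added example, not code from the original article or from Microsoft, that builds the same Teams DLP policy with the Security & Compliance PowerShell cmdlets: a policy scoped to Teams chat and channel messages with the finance team excluded, a rule that matches the built-in Credit Card Number sensitive info type, blocks external sharing, shows a policy tip and emails an incident report, and a start in test mode with policy tips before enforcement. Assumptions: the ExchangeOnlineManagement module is installed, the signed-in account holds a compliance admin role, and the policy name, rule name, admin UPN, finance group address and alert mailbox are placeholders you replace with your own.

```powershell
# Added example (not from the original article): Teams DLP policy via
# Security & Compliance PowerShell. All names and addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

$policyName = 'Teams - Block credit card sharing'                # placeholder

# 1. Create the policy for Teams chat and channel messages, excluding the
#    finance team (they handle this data as part of their role), and start it
#    in test mode with policy tips so users see what enforcement will look
#    like before any message is actually blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Prevents credit card numbers from being shared in Teams' `
    -TeamsLocation 'All' `
    -TeamsLocationException 'finance-team@contoso.example' `       # placeholder group
    -Mode TestWithNotifications

# 2. Add the rule: match the templated Credit Card Number sensitive info type,
#    block the message when a recipient is outside the organization, show a
#    policy tip to the sender, and send a high-severity incident report.
New-DlpComplianceRule -Name 'Block external credit card sharing' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser 'LastModifier' `
    -NotifyPolicyTipCustomText 'This message contains a credit card number and cannot be shared outside the organization.' `
    -GenerateIncidentReport 'dlp-alerts@contoso.example' `         # placeholder mailbox
    -IncidentReportContent 'Title','Severity','RulesMatched','DetectionDetails' `
    -ReportSeverityLevel High

# 3. Review matches and false positives in the reports while in test mode;
#    once the policy behaves as expected, switch it to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep step 3 separate from steps 1 and 2: run it only after the test-mode reports show the expected matches and an acceptable false-positive rate, which is the same review the article recommends before turning a policy on.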
If your policy is working, when users try to share a credit card number through a Teams channel, the message is blocked automatically and a policy tip is shown to the end user.
Figure 7: Teams Channel message blocked by DLP
Compliance Centre reporting includes reports and insights that help compliance and security administrators focus on high-priority issues, such as increased suspicious activity or where you need to amend a policy. DLP reporting is available in reports, activity explorer and the alerts dashboard in the Compliance admin center.
View the reports page in your Compliance center to view DLP reports. The reports provide you with an overall view of DLP policy matches, incidents, and false positives across SharePoint Online, Exchange Online, Microsoft Teams and OneDrive for Business. View details to discover what sensitive content is shared and when (figure 8).
Figure 8: Reports in the Compliance admin center
The report also shows the users with the most shared files and which files are publicly shared; this uses Defender for Cloud Apps, which is an E5 feature.
Administrators can use these reports to view DLP policy effectiveness and make improvements based on the type of activity from their end-users.
The activity explorer is another tool administrators can use to explore any activity where sensitivity labels or sensitive information are applied. Suppose you have sensitive information in your content. In that case, you can review activity for label-containing content, such as what labels are changed, modified files, and more, in the activity explorer.
Figure 9: Activity Explorer in DLP
It is essential to understand the actions taken on your sensitivity-labelled content, so you can determine how adequate your controls, such as data loss prevention policies, are. You may also have to adjust your policies if something unexpected occurs, such as a large number of items marked highly confidential that users downgrade to general. In these cases you can change your policies and take new steps to curb the undesired behaviour.
DLP alerts notify you automatically when an action is taken against sensitive information. You can view alerts, events, and associated metadata for DLP policy violations by accessing the DLP alert management dashboard in the Microsoft 365 compliance centre.
Figure 10: Alerts Dashboard in DLP
To view an alert in more detail, select it to view the card, which details the DLP policy, location, event count, and time detected.
Figure 11: Alert card in DLP
The alerts dashboard is a helpful reporting tool for seeing reports in real time as soon as a policy breach occurs, giving administrators the confidence that they know what is happening with their sensitive data.
In practice, configuring the DLP settings in the Compliance center is relatively easy to do. The critical part is the requirements gathering and discovery. It’s essential to understand what sensitive data you have in your environment, who needs to handle sensitive data, and define what protection actions you want to apply.
Once DLP is up and running, keeping it going involves little more than reviewing alerts and adjusting policy settings as things progress; it is low maintenance but a highly critical tool to turn on.