Data Loss Prevention with Microsoft Purview
How to implement DLP with Microsoft Purview: sensitivity labels, protection policies and prevention of data leakage.
The challenge of protecting sensitive data
Sensitive data no longer sits on a single server. It travels through email, chats, cloud files, devices and third-party apps. Protecting this data requires understanding where it is, how it is used and where it goes. That is exactly the purpose of Microsoft Purview and its data loss prevention (DLP) capabilities.
DLP is the set of controls that identifies sensitive information and prevents it from being shared, copied or leaked inappropriately, whether by malicious action or by mistake.
The three steps of information protection
A data protection strategy in Purview rests on three chained movements:
- Know your data. Discover and classify sensitive information using sensitive information types and trainable classifiers.
- Protect your data. Apply sensitivity labels that carry encryption and usage restrictions.
- Prevent loss. Apply DLP policies that monitor and block inappropriate sharing.
Sensitive information types
Purview recognizes sensitive data through sensitive information types, which are predefined or custom patterns. Examples include ID document numbers, credit card data, health information and credentials. For the Brazilian context this is especially relevant for LGPD compliance, just as corresponding types support requirements in the US.
Beyond fixed patterns, trainable classifiers use machine learning to recognize content categories, such as contracts or source code, that do not follow a rigid format.
Sensitivity labels
Sensitivity labels are the heart of information protection. A label classifies the document or email and can apply automatic protections.
| Label | Typical use | Protection |
|---|---|---|
| Public | Marketing material | None |
| Internal | Internal communication | Watermark |
| Confidential | Business data | Encryption and restriction |
| Highly confidential | Regulated data | Encryption and restricted access |
Labels can be applied manually by the user, recommended automatically based on content or applied automatically by policy. Protection travels with the file: even if it leaves the organization, the restrictions remain.
DLP policies
DLP policies define what happens when sensitive information is detected in a given context. A policy combines:
- Locations: email, sites, chats, devices and cloud storage.
- Conditions: which type of sensitive information and in what volume.
- Actions: block, alert, require justification or simply audit.
A concrete example: a policy can block sending an email containing multiple card numbers to external recipients, showing the sender an explanation and the option to justify if legitimate.
Start in audit mode
As with Conditional Access, the biggest risk in DLP is interrupting legitimate workflows. The best practice is to deploy policies first in audit mode or with policy tips only, observing what would be blocked, adjusting the rules and only then enabling actual blocking.
The recommended flow:
- Define which data is critical and where it lives.
- Create policies in audit mode.
- Analyze matches and false positives.
- Refine conditions and thresholds.
- Enable blocking actions gradually.
- Educate users about policy tips.
DLP on endpoints and in the cloud
Purview DLP goes beyond Microsoft 365 email and files. Endpoint DLP extends protections to devices, monitoring actions such as copying to removable drives, printing or pasting into disallowed apps. This closes common leakage vectors that occur locally, out of reach of cloud services.
The human factor
Technology alone does not solve it. Most leaks happen by mistake, not malice. Policy tips that educate the user at the moment of action are among the most effective tools, because they correct behavior without relying solely on blocks. Combining DLP with awareness training significantly reduces incidents.
Key takeaways
- Purview protects data in three steps: know, protect and prevent loss.
- Sensitivity labels carry encryption and restrictions that travel with the file.
- DLP policies monitor and block inappropriate sharing by context.
- Start in audit mode to avoid interrupting legitimate flows.
- Endpoint DLP closes local vectors such as copying to removable drives.
RHC, a Microsoft Solutions Partner, helps map sensitive data and implement DLP with Purview aligned to LGPD and US regulatory requirements.
Frequently asked questions
Read next
Ready to do more with Microsoft?
Talk to an expert and discover how to optimize licensing, security and productivity.