Skip to main content


Data Loss Prevention (DLP) Overview for Microsoft Teams

Nearshore Agile Teams

Protecting your data has become one of the utmost important aspects within Information Technology. Luckily, with recent advancements in Microsoft Teams you now have the capability of implementing data loss prevention policies for both your chat and channel messages! In today’s article we’ll discuss what DLP is and why you should extend this capability into Microsoft Teams.

Data Loss Prevention (DLP) Overview

In this day and age organizations need to be extremely careful with how they share their data. This often means monitoring the users in that organization to ensure they comply with business standards and industry regulations. Lucky for you DLP policies are here to make your job that much easier! Essentially DLP policies are used across the entire Office 365 suite  (Exchange Online, OneDrive for Business, SharePoint Online, and now Teams) to prevent accidental leaks of sensitive information, such as financial information, health-related information, personally identifying information, and other types of confidential information. Now that we’ve covered what DLP entails, let’s dig in a bit deeper by discussing what these DLP policies are comprised of.

Data Loss Prevention Policies

Simply put, DLP policies are comprised of a few things that help protect your sensitive data:

  • Locations – Exchange Online, SharePoint Online, OneDrive for Business sites, and Teams chat and channel messages
  • Rules – Rules dictate what is and isn’t allowed to be shared. Each rule consists of 2 things:
    • Conditions – Meaning content must be matched before that rule is applied.
      • For example, a rule configured to look for content containing credit card numbers or SSN’s being shared with anyone outside of your organization.
    • Actions – Meaning the course of action taken automatically by the rule when content matches that condition.
      • For example, a rule configured to block access to a specific document and in turn send the user and compliance officer an email notification.

Now we know what DLP policies are and what they contain, but how does Microsoft Teams use DLP? Let’s discuss that now.

How does Teams use DLP?

If you organization is using DLP then you should seriously consider extending this into Microsoft Teams. With the latest updates to Microsoft Teams you can now define DLP policies to prevent the sharing of sensitive information in Teams channels and chat sessions. Some examples of this would include:

  • Protecting sensitive information in Teams messages
    • Example: Someone tries to share their credit card number in a Teams chat or channel with guests (external users). With a DLP policy defined to prevent this, the message that contained the sensitive information would be automatically deleted.
  • Protecting sensitive information in documents
    • Example: Someone shares a document with a guest in Microsoft Teams channel or chat message which contains SSN’s. With a DLP policy defined to prevent this, the document would be locked down so the guest would be unable to open it.

Note: For circumstances like this, please be aware that the DLP policy will need to include SharePoint and OneDrive to protect against this scenario.

As you can see DLP bleeds into many products across the Office 365 suite so it is important to cover all bases when implementing DLP policies such as this. As mentioned earlier, DLP policies will block sensitive information in Microsoft Teams, but under what circumstances? These circumstances include when information is shared with users whom have:

  1. Guest access in teams and channels
  2. External access in meetings and chat sessions

Note: DLP for external chat sessions will only work if both the sender and receiver are in TEAMS ONLY mode and using Microsoft Teams native federation. Please note that this means DLP for Teams won’t block messages in interop mode between Teams and Skype for Business.

Now that you understand how DLP can be leveraged within Teams, let’s wrap things up by discussing what requirements you’ll need to utilize for this recent update to Teams in your organization.

Microsoft Teams DLP Requirements

All you will need from a licensing perspective to start leveraging DLP within Microsoft Teams will include one of the following license types:

  • Office 365 E5
  • Microsoft 365 E5
  • Microsoft 365 E5 Compliance
  • Office 365 Advanced Compliance

Once users have been assigned one of the licenses above, the administrator will have the ability to customize whom this service is applied to:

  • Certain Locations/Workloads
  • Included users
  • Excluded users

This can all be done within the Office 365 Security and Compliance center under the “Data Loss Prevention” > “Locations”.

This concludes our high level overview of DLP and how you can now leverage this within Microsoft Teams. In a follow-up article we’ll discuss Microsoft Teams Security and Compliance which will directly correlate with what we’ve discussed today. I hope you have found this article informative and if you would like a deep dive on DLP, I encourage you to check out all the in’s and out’s on this topic here.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Brian Siefferman

Brian is a Technical Consultant for Perficient’s Unified Communications practice focusing primarily on Skype for Business and Microsoft Teams workloads. He has been in this role since December 2017 and has an active presence blogging about all things Teams related. Currently, Brian resides in the suburbs of Chicago and enjoys running, swimming, weight lifting, and playing soccer in his free time.

More from this Author

Follow Us